We live in one of the most dramatic periods in human history. In a remarkably brief span of years, the Internet, mobile devices, and other digital innovations have revolutionized how we create and analyze information, solve problems, and run organizations. That alone would be enough to cause substantial socio-economic change; however, the uncertainty experienced by many has been deepened by a profound shift in global geopolitics. And when technology and geopolitics come together to revolutionize nation-state conflict, that uncertainty has the potential to evolve into a catastrophe.
Examples abound. While attacks such as WannaCry or those related to the United States 2016 elections grabbed the spotlight, the Asia-Pacific region has had its share of worrying activity in that same period. It has been reported that the Philippines has been subject to cyber espionage operations, organizations in Vietnam have had their operations affected, and India and Pakistan have had their websites defaced. And there are numerous examples where damage has ranged from disruptive to destabilizing to increasingly scary. No wonder everyone feels uncertain.
In response, governments are investing in cybersecurity defenses, working to close the skills gap in this space, establishing cybersecurity frameworks and standards, and seeking to deepen cooperation in this critical area – as we see in Singapore this week. These are all important and worthwhile efforts and need to be worked on in partnership with the industry to ensure they are as effective as possible. The Singapore Cybersecurity Week is a wonderful example of an effort to bridge distrust, understand the gaps that need to be addressed in cyberspace, and build a more secure path forward.
However, at the same time governments are also developing offensive cyber attack capabilities and stockpiling vulnerabilities in commercial software, thereby weaponizing technology we all use. If a few years ago we talked about just a few cyber powers, the number is now well into the double digits, and is likely to hit triple digits before long. Sometimes these investments come at the expense of defensive capability and, as such, are not only going to dismantle the very trust countries are seeking to build, but will actively damage the stability of cyberspace.
The fundamental question we therefore need to answer is: What can we do to encourage responsible nation-state behavior and restraint in cyberspace?
Microsoft’s answer has been to encourage governments to work on developing a Digital Geneva Convention that protects civilians in times of peace by committing governments to restraint when it comes to developing and deploying cyber weapons. However, the process to reach an international agreement is going to be long and require a combination of political will, cooperation, and commitment from global leaders. And while we could until recently point to an established, although not by any means perfect, process to guide those discussions, that is no longer possible.
The fact that the United Nations Group of Governmental Experts on Information Security (UNGGE) stumbled in answering this crucial question, even though they were previously able to reach agreement around critical issues, such as the application of international law to cyberspace, underlines the size of the challenge before us. But we have no choice but to press ahead. Alternative venues need to be identified, both outside the United Nations processes and within, and different stakeholders engaged, bringing together governments, civil society and industry experts.
Regional efforts that have proven to deliver results in other areas, such as the draft framework of a code of conduct delivered by ASEAN and China on the issue of the South China Sea earlier this summer, will have an important role to play in this regard. Indeed, the ASEAN cybersecurity capacity building efforts announced during the Singapore Cybersecurity Week 2016 could and should serve not only as a platform for dialogue on confidence building measures, but as a forum to contribute to international cybersecurity norms that could advance regional and global security.
As indicated, that work should include not solely developing new norms, but clarifying and specifying what has been agreed in other fora, such as the UNGGE 2015 report. The lack of clear definitions has given countries some leeway when it comes to interpreting their commitments. Issues such as what actually constitutes a cyber attack, whether there is common agreement on what falls under the definition of critical infrastructure, and what threshold levels are required when it comes to attribution all need addressing before a Digital Geneva Convention can be conceived. We won’t get there tomorrow, but although it will be a journey through many iterations and staging posts, the destination of a stable and secure cyberspace will be worth the effort of everyone involved.
Paul Nicholas is Senior Director of Global Security Strategy and Diplomacy for Microsoft.