By AVA KHAVARI, with BROOKS TIGNER
BRUSSELS – Discussions around cybersecurity here have been picking up steam at a rate comparable to the rise of the threat itself. EU lawmakers and researchers are scrambling to commit the time, effort and necessary resources to define and combat the problem.
One set of ideas that falls along the more creative end of the response spectrum was aired during a 28 June event organised by the Brussels office of the German Marshall Fund (GMF). It, along with Microsoft, used the occasion to launch a joint report containing some interesting recommendations on how to address the rising threat of cyber-attacks.
Of the document’s eight suggestions, two stood out and warrant exploration for the solutions they could engender for internet security.
The first proposes to create an independent NGO with the sole task of attributing cyber-attacks. Though its stance would be reactive in practice, the ultimate aim would be to deter state-sponsored cyber crime. However, its efficacy would be tested immediately, given the scale of the problem. Thus, it would require legitimising support – probably lots of it – in its early stages regarding information exchanges and forensic support from the international community.
“It is critical that an NGO for cyberspace [would] initially rely on the assistance of a coalition of willing nation states,” observes the report, authored by GMF’s Peter Chase and Bruno Lété.
Yet generating that support could easily become an uphill battle. For example, the UN-sponsored Group of Governmental Experts tried for more than a decade to establish internationally recognised norms in cyber-space and an agreed set of good practices. It got nowhere due to the opposition from a few powerful countries and finally gave up the ghost in June 2017.
The problem, of course, is that the opposing nations are those that would stand to lose the most from supporting any collective fight against cyber-stealth; they don’t want a multilateral collaborative approach. The states from whose territory cyber-attacks emanate the most, namely Russia and China, blocked the Group of Governmental Experts.
“We should be aware that attribution is very central to the national security and sovereignty of states. This is the prerogative of national states,” Marek Szczygieł, ambassador and the Polish Ministry of Foreign Affairs’ international cyber security policy coordinator, told the event. “I’m afraid that governments would be rather reluctant to give up this prerogative, especially political attribution, which is extremely sensitive and will remain in the confidence of the national states.”
The second recommendation, which seems the most pragmatic and attainable, calls on alternative multilateral organisations such as the Organisation for Security and Co-operation in Europe (OSCE) and the Organisation for Economic Co-operation and Development (OECD) to take on the role of addressing cybersecurity among their respective member states.
According to the GMF/Microsoft report, such organisations are well equipped to launch dialogue and produce binding measures since they are more flexible and possess “a credible level of expertise” and experience in working with public-private entities. They also carry enough heft to negotiate “on an equal footing” with China or with large institutions such as the UN or the G20 forum, notes the report.
In 2016, for example, OSCE member states agreed on a set of measures to “reduce the risk of tensions arising from cyber activities”. Notably, Russia was one of the states that agreed.
The OSCE should build on this by expanding its efforts with member states to establish a long-term solution. If a more comprehensive and binding set of confidence-building measures were implemented under its auspices, then this might pave the way towards the creation of a regulatory body sanctioned by the UN or perhaps one that builds on the “attribution NGO”, whose authority could be expanded over time.
Whether it’s the UN, a regional organisation or the NGO, someone will have to carry forward the work that the Group of Governmental Experts had to abandon in 2017.