By PATRICK STEPHENSON
BRUSSELS – The movement for global norms and rules in cyberspace is gaining ground. On 14 February, Microsoft’s President and Chief Legal Officer, Brad Smith, delivered an urgent speech at the annual RSA Conference in San Francisco. His message: the threat has changed. Seventy-four percent of the world’s businesses expect to be hacked in 2017, and the economic loss to cybercrime will reach $3 trillion by 2020, he said.
But the primary source of danger, once confined to hacking enthusiasts and financial thieves, is moving on to nation-state governments themselves, with a corresponding rise in the threat’s sophistication. Against the backdrop of a PowerPoint slide of the Democratic National Committee’s offices – the target of Russian hacking during the last US presidential election – Smith pointed to a powerful paradox. Whereas international law prohibits militaries from attacking civilians in times of war, he said, nation-states now practice warfare “against civilians in times of peace.” His proposed solution is a new “digital Geneva Convention”, enforced and monitored by a new international organisation modelled on the International Atomic Energy Agency. The new institution would detect a cyberattack, and identify the attackers.
Four days later at the Munich Security Conference, the Netherlands announced, in partnership with Microsoft and several non-governmental organisations, the establishment of a Global Commission on the Stability of Cyberspace (GCSC). The entity’s purpose is to propose norms and rules for cyber-security, and help build momentum towards the new convention that Smith proposed.
Intrigued by these events, SECURITY EUROPE sat down with Jan Neutze, director of cybersecurity policy at the Microsoft Center in Brussels.
“Cyber is where security meets economic policy, and there’s a tension there,” he said. “The militarisation of cyber-space has already happened. That’s a fact. So, how can we come to some level of acceptable norms of behaviour among governments? How do you agree on what the norms should be, while holding norm violators accountable?”
Echoing Smith’s comments in San Francisco, he said nation-states dominated previous domains of warfare — on land, at sea and in the air. The global cloud, however, is largely owned and operated by the corporations that regulate and police it, including Microsoft. So when nation-states attack, their powerful cyber-weapons are often aimed not at other governments, but at the private sector itself.
“This is all hugely concerning to us,” he said. “We’re up against an increasing set of governments targeting our infrastructure. We spend a billion dollars a year on cybersecurity. That’s a lot. But when you have 40 governments investing in cyber-offense, they have a lot more money to spend.”
The value of a digitally focused international organisation resembling the IAEA, he said, would be its legitimacy as an objective arbiter.
“We need something that has a peer review mechanism so that we can examine significant attacks for attribution, and come up with a consensus opinion on whether a nation-state attacked, and what we think that means,” Neutze said. “If you had a consensus around the technical aspect among a broad, geographically diverse peer-reviewed group, that could be a game-changer.”
Regarding Europe’s cyber-security, Neutze said the first priority was to transpose the EU’s NIS directive on network and information system security that entered into force in August 2016. The member states have 21 months to transpose it into national law. Crafting the directive over several years entailed a constant back-and-forth between industry and the Commission. “It was a robust discussion,” he said. “From the start, we’ve been supportive of a regulatory approach to cyber. But it has to be an approach that’s smart and effective.”
When the directive was first proposed in 2013, Neutze said, the text tried to do too much. “Before, people thought we needed to secure everything out there against every threat and issue. If you do that, you’re lost from the start. Instead, we needed a prioritized list of things that were at the greatest risk from the most significant threats.”
The directive’s current version, he believes, strikes a better balance by covering digital service providers in a harmonised framework rather than in the fragmented approach that is sometimes typical of European rule-making. “We now have one set of rules for digital companies,” he said. “We like that.”
The area of critical infrastructure remains, however, heavily fragmented under the directive. EU member states still think of critical infrastructure as an element of national security, an area they jealously guard as a preserve for national action. This fragmentation is pernicious, in part, because EU member states have widely differing assets for cyber-defence.
“Some countries have lots of cyber-security abilities,” Neutze said. “Some haven’t invested a lot of resources. On the thought-leadership side, what we’ve come out and said is, ‘Look guys: if you’re now implementing this directive, let’s try and bridge this fragmented approach by taking existing international best practices on cyber, and implementing a common baseline on cyber here in Europe.’”
One possible model is the National Institute of Standards and Technology (NIST) cybersecurity framework recently adopted in the United States. “It’s very easy to understand and implement, and it scales across differently sized organisations,” Neutze said. “We’ve started conversations with people here in Europe about this being one good international practice to adopt. Let’s not re-invent the wheel.”
But despite these misgivings, anything that throws light upon nebulous nation-state activities in the cyber-realm deserves to be pursued. Here’s hoping that governments come together soon to create both a cyber-IAEA and a digital Geneva Convention.