Cybersecurity and the Governance Gap: A Role for Multilateral Institutions?

The Internet is inherently global. It exists within and beyond national borders, capable of connecting people all over the world for communication, business, finance, and other collaborative opportunities. In this increasingly interconnected and globalised world, however, the scale and scope of cybersecurity threats continue to intensify. Government operations, communication technologies, military weapons and satellites, and global financial markets have all become dependent on Internet networks and technologies. There are many different cybersecurity risks, ranging from criminal activities like pharming and phishing that use websites and emails to enable identity theft, to hacking and distributed denial-of-service (DDoS) attacks that are capable of disrupting the information and communication technology services of governments, businesses, and international organisations around the world. These cybersecurity risks, as well as the rising threats of ‘cyber war’ and ‘cyber terrorism’, strengthen the argument for developing a clear international framework for cybersecurity.

Yet, very little ‘universal’ cybersecurity legislation and regulation exists. The economic and security-based concerns of cyber threats have inspired some states to devise targeted strategies and come to terms with a fuller range of cybersecurity risks. For now, though, these approaches remain largely state-centric, often prioritising ‘cyber sovereignty’ and national interests over collective action. Indeed, there is a high degree of global fragmentation and limited consensus about establishing more comprehensive cybersecurity measures. While most states continue to resist efforts for greater cooperation on cybersecurity issues, a select group of regional and international organisations have made significant contributions to these on-going discussions, each presenting a unique understanding of cybersecurity threats and proposing different recommendations for crafting a more effective international framework. How successful can fragmented, state-centric responses ultimately be? And what, if anything, might these regional and international institutions offer to the future of cybersecurity?

United Nations (UN)

The UN has been an outspoken advocate for global Internet governance and cybersecurity. One of the more significant UN cybersecurity initiatives was launched in 2010, when a group of cybersecurity specialists and diplomats agreed on a set of recommendations for the UN Secretary General for negotiations on an international computer security treaty. The group was initially established in 2005 to explore problems in international cybersecurity, and offered five recommendations for improvements in international cybersecurity and cooperation. These recommendations included discussions on how nations view and protect their computer networks, assessing the use of computer and communication technology during warfare, sharing national approaches on computer security legislation, finding ways to improve the Internet capacities of less developed countries, and working to establish common terminology to improve communication about computers and cybersecurity. Many of the world’s most prominent cyber powers accepted the recommendations, including the United States, Belarus, Brazil, Britain, China, France, Germany, India, Israel, Italy, Qatar, Russia, South Africa, and South Korea. While there have been indications of consensus among member states, the United Nations has struggled to move beyond recommendations for cybersecurity and present more comprehensive resolutions before the UN General Assembly. Among the obstacles, many member nations have different outlooks on the issue. Russia, for example, has advocated for Internet policy that is similar to chemical weapons agreements, whereas the United States has emphasised the importance of cooperation between international law enforcement agencies, especially those of China and Russia. Their diverging outlooks on cybersecurity and how it should be treated have interfered with the capacity of the UN to adopt resolutions and craft a more comprehensive framework.

Image courtesy of Yuri Samoilov, © 2014, some rights reserved.

European Union (EU)

The EU serves as a powerful regional organisation, with the ability to shape norms and regional policies for cybersecurity. The European Commission and High Representative’s 2013 Cyber Security Strategy was the EU’s first comprehensive international cyberspace policy document. The policy values freedom and openness, and stresses that EU laws, norms, and core values apply in cyberspace just as they do in the physical world. The EU also values fostering international cooperation in cyberspace, and feels that preserving free and secure cyberspace is a global challenge. In July 2016, the EU passed extensive cybersecurity measures, adopting the Directive on security of network and information systems (the NIS Directive), which will be the main instrument supporting Europe’s ‘cyber resilience’. This new NIS Directive provides legal measures to improve the overall level of EU cybersecurity by requiring member nations to properly equip and prepare themselves through programs like a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority. Other elements of the Directive include facilitating member cooperation and information exchange, and creating a culture of security across economic and social sectors that rely on information and communication technology by having these businesses take appropriate security measures and notify national authorities of any serious incidents. As the EU’s first extensive cybersecurity rules, the NIS Directive could potentially (as the EU hopes it will) help prevent cybersecurity attacks on Europe’s interconnected infrastructure.

North Atlantic Treaty Organization (NATO)

NATO has crafted various agreements with members of the private sector, the European Union, the United Nations, and the Organisation for Security and Cooperation in Europe (OSCE), among others, as it attempts to define its cybersecurity strategy. The 2014 Wales Summit outlines NATO’s enhanced cyber policy and action plan, which emphasises protecting communication systems, increasing education initiatives, the importance of cooperating with industry, and upholding international law in cyberspace. Cyber defence is part of NATO’s core ‘collective defence’ task, and in July 2016 NATO recognised cyberspace as a domain of operations that must be defended as effectively as the land, air, and sea domains. Among other primary contributions made by NATO, the Tallinn Manual represents a leading effort in international cyber law research and education. The Tallinn Manual is an academic study on how international law applies to cyberwarfare and conflicts, and clearly defines many important terms relating to cyberwarfare. Following the EU and US, NATO Allies are committed to improving information-sharing and mutual assistance to prevent, mitigate, and recover from cyber-attacks.

World Bank

The World Bank’s interest in cybersecurity comes from a financial standpoint, as economies are dependent on information and communication technology, and are therefore more vulnerable to network attacks. Significant cybersecurity risks threaten ‘the functioning of critical information infrastructures,’ like those for financial services, and public trust in electronic networks affects industrial economies as well as potential foreign direct investment in developing countries. The organisation believes good cybersecurity policy should foster ‘stable economic growth and open, transparent, just, and vibrant societies.’ It supports a ‘network model’ emphasising the processes and procedures on information flow between groups, and wants more collaborative analysis, since the Internet itself is not limited by institutional or international boundaries.

International Committee of the Red Cross (ICRC)

The ICRC participated as an observer in the process of publishing the Tallinn Manual, and is concerned about cyberwarfare because the vulnerability of cyber networks means that cyberattacks could carry humanitarian costs. Interfering with state networks could impact the ability of civilians to access basic needs like drinking water, medical care, and electricity. Additionally, GPS systems, dams, power plants, and aircraft control systems all depend on computers, and their failure could also endanger lives. Following the mandate of the Geneva Conventions, the ICRC reiterates the importance of protecting civilians and non-combatants in both cyber and physical warfare, and stresses that military operations and attacks should not affect civilian objects or infrastructure.

Looking Ahead

Each regional and international actor considered has a different understanding of why cybersecurity matters globally and how greater consensus can be achieved. Organisations like the EU and NATO have an interest in fostering communication and collaboration to strengthen network security among allied nations, whereas the UN struggles to bring together member states with different outlooks on how to handle cyber policy. Other organisations like the World Bank and the ICRC have very specific thematic objectives for cybersecurity that are based upon principles such as global finance or humanitarian safety, among others. While these actors and institutions all present distinctive approaches, there is a common emphasis on cooperation as a means to strengthen global network security. Indeed, these approaches collectively demonstrate that the dominant state-centric model is not the future of cybersecurity. Conventional strategies that place cyber sovereignty above international cooperation fail to recognise the interconnected nature of cybersecurity risks. Global Internet threats require a truly global strategy for improved effectiveness. On this basis, it seems likely that regional and international institutions will have to play a significant role in bridging the divide in cybersecurity governance in the years to come.