In little more than a generation, the Internet has become a vital substrate for economic, social and political interactions, and it has unlocked enormous gains.
However, along with greater interdependence come vulnerability and conflict. Attacks by states and non-state actors have increased, threatening the stability of cyberspace.
At the Paris Peace Forum last month, the Global Commission on the Stability of Cyberspace (GCSC) issued its report on how to provide an overarching cyberstability framework.
Originally convened by the Dutch government three years ago, the multi-stakeholder GCSC (of which I was a member) had co-chairs from Estonia, India and the US, and comprised former government officials, experts from civil society and academics from 16 nations.
Over the years, there have been numerous calls for laws and norms to manage the new international insecurity created by information technology, starting with Russian proposals at the UN two decades ago calling for a binding treaty. Unfortunately, given the nature of cyberweapons and the volatility of the technology, such a treaty would not be verifiable and would quickly become obsolete.
Instead, the UN set up a group of governmental experts, which produced a non-binding set of norms in 2013 and 2015. That group was unable to issue a report in 2017, but its work continues with an expanded membership, and an open-ended working group, in which about 80 states participated in September, has joined it at the UN.
In addition, UN Secretary-General Antonio Guterres has established a high-level group, which issued a report looking forward to a broader discussion at the UN next year.
The GCSC defines cyberstability as a condition in which individuals and institutions can be reasonably confident in their ability to use cyberservices safely and securely, change is managed in relative peace, and tensions are resolved without escalation.
Stability is based on existing international law, which, as the 2013 and 2015 reports affirmed, applies to cyberspace, but a binding international legal treaty would be premature as the next step.
Norms of expected behavior can provide a flexible middle ground between rigid treaties and taking no action at all. As GCSC co-chair and former US secretary of homeland security Michael Chertoff has explained, norms can exist in parallel with laws, but are more dynamic in the face of rapidly changing technology.
The GCSC proposed eight norms to address gaps in previously declared principles and focused on technical issues that are fundamental to cyberstability. Such norms can be seen as common points of reference in the evolving political discussions.
The first is non-interference with the public core of the Internet.
While authoritarian and democratic states might disagree about free speech or regulation of online content, they can agree not to interfere with core features such as the domain name system, without which there would be no predictable interconnection among the network of networks that comprise the Internet.
Second, state and non-state actors must not support cyberoperations intended to disrupt the technical infrastructure essential to elections, referendums or plebiscites. While this norm does not prevent all interference such as what happened in the US elections in 2016, it sets some bright lines around technical features.
Third, state and non-state actors should not tamper with goods and services in development or production if doing so may substantially impair the stability of cyberspace. Insecure supply chains present an important threat to stability.
Fourth, state and non-state actors should not commandeer the public’s resources for use as “botnets” (robots based on others’ machines, but commanded without their knowledge or consent).
Fifth, states should create procedurally transparent frameworks to assess whether and when to disclose to the public vulnerabilities or flaws in information systems or technology.
Such flaws are often the basis of cyberweapons. Hoarding such vulnerabilities for possible use in the future poses a risk to all. The presumption should be in favor of disclosure and patching.
Sixth, developers and producers of goods and services on which the stability of cyberspace depends should emphasize security, take reasonable steps to ensure that their wares are free from significant vulnerabilities, mitigate flaws when they are discovered and be transparent about the process.
All actors have a duty to share information on vulnerabilities to help mitigate malicious cyberactivity.
Seventh, states should enact appropriate measures, including laws and regulations, to ensure basic cyberhygiene. Just as vaccinations prevent communicable diseases such as measles, basic cyberhygiene can go a long way toward removing the low-hanging fruit that attracts malefactors.
Lastly, non-state actors should not engage in offensive cyberoperations, while state actors should prevent such activities or respond if they occur.
Sometimes called “hack-back,” private vigilantism might escalate and pose a major threat to cyberstability. In the past, states once condoned and even supported privateers upon the high seas, but then discovered that the risks of escalation and unwanted conflict were too high. The same could be said for stability in cyberspace.
These eight norms alone do not ensure stability in cyberspace, but combined with norms, principles and confidence-building measures suggested by others, they could provide a start.
In the long term, states observe norms of behavior to improve coordination, manage uncertainty, preserve their reputations or respond to internal pressures. The world is a long way from such a normative regime for cyberspace, but the GCSC has helped to nudge the process forward.
Joseph Nye Jr is a professor at Harvard University.
Copyright: Project Syndicate