The past few decades have seen unparalleled technological advances that are being rapidly integrated into every aspect of our lives. We have access to a global information network at the tip of our fingers, from smart devices like our phones, TVs, and cars to Internet of Things devices like baby monitors, smart trash cans, or street lamps. However, with this integration and increased connectivity, cybersecurity has become a rapidly growing global issue. We share so much information online: our names, birthdays, federal identification, location, health information, bank information, pictures, and passwords, among other things. All this data can be accessible. And, thanks to the global characteristics of the internet, bad actors can come from anywhere in the world.
For the international community, cybersecurity has become one of the most pressing issues in recent decades and has proven to be one of the most complex global issues to address. As individuals risk their data being stolen, shared, or ransomed and their systems being hacked or spied on, so do governments and organizations. However, for governments, these cybersecurity risks often come from other governments or state-sponsored actors. Cyberattacks and cybersecurity risks from other governments can be catastrophic, compromising national security, international stability, and impacting millions of civilians. The threat of cyberwarfare has become a legitimate concern as nation-states blur the lines of acceptable state behavior. The issue of cybersecurity, specifically as it relates to state behavior, goes beyond hacking, cyberattacks, and other forms of cybercrime. Disagreement about how the internet relates to established international law, like human rights, war, and espionage, has impacted efforts to establish international laws and norms that regulate state behavior in cyberspace.
There is consensus that a general need for cooperation around international cybersecurity exists, as demonstrated by section 95 of the 2021 UN Group of Governmental Experts report, which concludes with the identification of areas for further development in cybersecurity, including cooperation, dialogue, international capacity-building, and multi-stakeholder engagement mechanisms, amongst others.[1] Ultimately, there has been much discussion and little agreement on regulations and norms for global cybersecurity. While cybersecurity issues have persisted and increased at an alarming rate, the international community’s ability to address them has remained relatively stagnant. Three significant problems have impeded the international community’s ability to establish effective global governance in cybersecurity: collaboration, attribution, and enforcement.
- Collaboration mechanisms that enable and encourage inter-state collaboration are virtually non-existent.
- Attribution methods leave enough margin of error to frustrate accountability, and there is no standardization process across nations.
- Enforcement mechanisms for enforcing obligations under agreements are few and far between.
Collaboration mechanisms, attribution methods, and enforcement mechanisms sit at the foundation of the international community’s ability to address international issues. However, establishing and defining them has been especially difficult in cybersecurity. For cybersecurity issues, collaboration between governments can be challenging, with alliances, treaties, national values, or current events influencing a government’s willingness to partner with another. Attribution is complicated for issues that occur in cyberspace. For example, it is much easier to attribute a bombing campaign to a particular government than a data breach. Finally, enforcement mechanisms are virtually impossible without trustworthy attribution methods and established laws and regulations.
To better understand how to address these three issues and establish international norms and regulations for cybersecurity, it is prudent to look at how these issues have been handled in other global issue areas that share similar characteristics with cybersecurity–one of which is environmentalism. Like cyberspace, the environment does not adhere to human-made boundaries. Forests and rivers span vast quantities of land, crossing national and regional borders. The externalities of unsustainable practices and environmental destruction are not contained within the communities, regions, and nations from which they originate; similarly, the consequences of cyberattacks between nation-state actors often fall on innocent third parties such as civilians. As our planet has careened toward irreversible damage, the global community has taken a more significant stance against climate change.
While the global community has yet to effectively address the dangers of unregulated cyberspace, we have seen a greater emphasis on environmental policy from international entities like the European Union (EU) and the United Nations (UN). The greater success in environmentalism implies that something is happening in this arena that is not happening related to international cybersecurity. The success of environmentalism lies in the mechanisms used to address issues of collaboration, attribution, and enforcement. I will explore how these issues are addressed in international environmentalism and what mechanisms can be used to build a better global cybersecurity governance framework. Specifically, I ask what mechanisms for collaboration, attribution, and enforcement in environmentalism and sustainability can be applied to cybersecurity governance.
Collaboration Mechanisms
Collaboration mechanisms are necessary for solving any global issue. Collaboration has remained a stumbling block for countries related to international cybersecurity, but countries have managed to address this issue in the area of the environment.
Collaboration Mechanisms in Cybersecurity
Due to the broad nature of cybersecurity, collaboration challenges are broken down into specific, smaller issues. When discussing global cyberspace, Enneken and Kerttunen argue that there are five main topics of interest: information security, human rights, cyberspace governance, sovereignty, and the use of force.[2] Differing political structures within these spaces have made it challenging to foster collaboration. Information security refers to tools, procedures, and other mechanisms to protect information from misuse.[3] Nations have different policies for information security; for example, the European Union has extensive regulations, one of the most important being the 2018 General Data Protection Regulation. Other nations like Mexico have weak and vague rules, while some have none. These regulatory differences impact governments’ ability to conduct business or investigations.
Human rights present a newer issue in cyberspace, but it has begun to reach the forefront of cyber politics. One of the big debates concerns whether cybersecurity discussions should focus on information infrastructure alone or also include information itself. This debate then centers questions of free speech and surveillance on the internet, with democratic and authoritarian governments usually at odds. With human rights being a major international issue, how the internet fits into current international law can be a source of tension between governments and affect their ability to collaborate.
In spite of these challenges, cybersecurity governance has become increasingly important in the international theater. Cybersecurity governance illustrates the need for national and global accountability and merging internet governance and cybersecurity dialogue.[4] Internet governance refers to how the internet should be governed. The US, China, and Russia are three of the most prominent players in cyberspace, and they represent the two leading global opinions in internet governance, the multi-stakeholder model and internet sovereignty (or multilateral), respectively. The multi-stakeholder model argues that the internet should be an international space free from extensive government interference and where stakeholders on all levels should have a say. The internet sovereignty model argues that the internet should be a domestic arena controlled by governments.
Finally, whether nations have a right to use physical force in retaliation to war or whether cyberattacks constitute a declaration of war is a heavily debated issue. A prominent example of the blurring of this line was the 2007 Estonia distributed denial of service (DDoS) attack. After the government took down a Soviet-era monument, Russia-based actors responded with a three-week barrage of DDoS attacks targeting public and private services, including banks, government websites, and news outlets.[5] This incident was the catalyst for questions surrounding physical retaliation and cyberwarfare.
Addressing these issues is no small feat and is an international effort; however, the global community has struggled to reach consensus. At many levels, we see some dialogue and discussion. The United Nations established the Group of Governmental Experts (GGE) and the Open-Ended Working Group (OEWG). These two forums were set up to facilitate dialogue and develop international norms, but neither has succeeded. Beyond acknowledging general issues in cyberspace and the need for cooperation and norms, neither has made headway in establishing them. The EU has been more successful in establishing privacy laws and setting standards for information and communication technologies (ICT) through agencies like ENISA. However, the EU’s institutions only govern its members. Ultimately, while the world is starting to see dialogue and discussion for global governance, it has not been very successful or effective in establishing norms and regulations or deciding what issues should be considered within cyberspace.
Collaboration Mechanisms in Environmentalism
Like cybersecurity, collaboration in international environmentalism is complicated. While environmentalism is not usually considered to be an element of national security, it is heavily impacted by national interest. National interests often conflict and can be a source of tension inhibiting collaboration. However, we have seen successful international action addressing environmental destruction and unsustainable practices, far more so than cybersecurity. While the overall success of international environmental efforts can be debated, there is no denying the plethora of mechanisms encouraging collaboration, such as central entities, resource sharing, and trade agreements. The following section will explore examples of these three mechanisms in international environmentalism and their potential to address the same issue in cybersecurity governance.
Central Entities in Environmental Collaboration
Central entities have proven to be one of the most efficient avenues for organizing effective collaboration in environmentalism. Established in 1972, the United Nations Environment Programme (UNEP) is the global environmental authority;[6] it is just one of the many collaboration mechanisms within the United Nations (UN). The UNEP oversees seven sub-programs: Climate Action, Chemicals and Pollutions Action, Nature Action, Science Policy, Environmental Governance, Finance and Economic Transformation, and Digital Transformation.[7] These programs help to further the UNEP’s goals to crack down on the root causes of climate change, nature and biodiversity loss, and pollution and waste.[8] They work with all 193 UN member states and various private and public stakeholders through the UN Environmental Assembly to address these environmental issues.[9] The UNEP focuses on building solutions, overseeing projects, and helping to create enforcement policies for environmental law at the regional, national, and international levels.[10]
On March 2, 2022, in Nairobi, Kenya, the UNEP held the 5th UN Environment Assembly and concluded with 14 new resolutions.[11] Those resolutions included an agreement to establish the Intergovernmental Negotiating Committee, whose first effort would be to establish a legally binding, multilateral agreement to end plastic pollution, a major step forward for international collaboration.[12] The UN Conference on Environment and Development (UNCED) took place in 1992 and is another example of international collaboration for sustainability.[13] Attended by nearly every world leader, the “Earth Summit” officially established sustainable development as an economic goal and a part of international law; the attendees also came up with three major treaties and a 500-page guideline for sustainable development.[14] An international gathering of this magnitude is an important mechanism for facilitating discussion and has resulted in almost universal acceptance of the principles outlined in the Summit.[15]
The UNEP is a central facilitator for international efforts, cooperation, and dialogue, a major mechanism for enabling collaboration. It lacks mechanisms for addressing the issues of attribution and enforcement; those mechanisms fall more on individual agreements or member-states. The UNEP is an umbrella under which various agreements, projects, and other collaborative efforts for sustainability and environmentalism can occur simultaneously. This umbrella structure has proven successful for organization, efficiency, and effectiveness. In cybersecurity, there is no central international entity like the UNEP. Some smaller organizations focus on specific parts of cyberspace, but even under the UN, no global cybersecurity authority exists. Establishing an organization like the UNEP is one step the global community could take to address deficiencies in international collaboration for cybersecurity.
Resource Sharing in Environmental Collaboration
Resource sharing is an effective mechanism for encouraging productive collaboration and it can be broken down into three general types: material, financial, and information resources. This mechanism is particularly useful for effecting global change. The following sections detail the UN Framework Convention on Climate Change (UNFCCC), the Kyoto Protocol, the Montreal Protocol, and the Paris Agreement as prominent examples of resource-sharing mechanisms in environmentalism.
Financial and Material Resources
Global issues such as cybersecurity and environmentalism require global participation in implementing the changes necessary to address the issue. A party’s lack of the right resources can greatly impact their ability to participate, and thus sharing financial and material resources is crucial. There are many environmental initiatives that utilize these mechanisms, one being the UN Framework Convention on Climate Change (UNFCCC), which was established in 1992[16] and took effect in 1994.[17] The convention intended to stabilize greenhouse gas (GHG) emissions to prevent further environmental damage and allow ecosystems to adapt to climate change for continued sustainable economic development.[18] It puts pressure on higher-resource nations that contribute the most GHG emissions to increase environmental policy and sustainable practices and increase their financial support for lower-resource nations.[19]
Another example is the Kyoto Protocol, which was established in 1997 but did not take effect until 2005.[20] It is the “how” for the UNFCCC, committing participating parties to limit GHG emissions through an individual GHG emission target system.[21] It essentially creates an economic market for GHG emissions by allowing participating parties only a certain level of emissions broken down into units called AAUs; parties can meet their target AAU levels through international emissions trading, clean development mechanisms, and joint implementations.[22] International emissions trading allows parties to sell their “unused” AAUs to parties exceeding their AAU target, commoditizing GHG emissions.[23] Clean development mechanisms allow for parties assigned AAU targets (Annex B) to be credited for creating emission reduction projects in lower-resource countries.[24] Joint implementation also allows one Annex B party to receive AAU credit through joint emission reduction/removal projects with another Annex B party.[25]
The UNFCCC and subsequent Kyoto Protocol utilize resource sharing to encourage collaboration. They acknowledge the responsibility of higher-resource nations to aid lower-resource nations in their efforts to combat the effects of climate change, as many have contributed more to environmental degradation. More importantly, they have the economic and financial capabilities to better address the resulting consequences of unsustainable practices and environmental destruction. Ultimately, they acknowledge that not all nations have equal infrastructure to implement changes, and nations with the infrastructure should aid those who do not. The playing field is similarly split in cybersecurity because not all players are on equal footing in cybersecurity infrastructure. Higher-resource nations have more economic and financial resources to invest in infrastructure than lower-resource nations. The Internet and networks that cybersecurity has come out of are built with physical infrastructure, and thus, increasing cyber resilience requires all nations to have adequate cybersecurity infrastructure.
Information Sharing
Resources also include intangible things, like ideas and processes—information. Information is perhaps the most powerful resource that parties can share, whether it’s academic, technical, or “personal” information. The Montreal Protocol utilizes “personal” information given freely by parties with great success. Considered to be the greatest success for international environmental treaties,[26] the 1987 Montreal Protocol was the first UN agreement to achieve universal participation.[27] It perfectly exemplifies how collaboration, attribution, and enforcement mechanisms foster effective global governance. The agreement aimed to protect and repair the ozone layer by phasing out the production and consumption of various ozone-depleting substances (ODS).[28] The Protocol allows nations a limited consumption of ODS, calculated as a decreasing percentage of the parties’ past ODS levels for specified periods.[29]
The Montreal Protocol has phased out nearly 99% of ODS since it was enacted.[30] It is estimated to prevent a 2.5℃ increase within this century, with the ozone layer expected to recover almost completely by the mid-21st century.[31] In 2016, the Kigali amendment was introduced; the parties agreed to decrease the production and consumption of super GHG hydrofluorocarbons by more than 80% within the next 30 years, preventing the equivalent of 80 gigatons of CO2—the same as a global reduction by up to an extra 0.5℃ within the century.[32] Information sharing is the core collaborative mechanism that has led to such results. Parties must provide statistical data for the production, importation, exportation, consumption, and destruction of all ODS levels from 1986 to the UN Secretariat.[33]
Another example, which utilizes multiple kinds of information, is the Paris Agreement. In 2015, the UN Climate Change Conference was held, and during this conference, the legally binding Paris Agreement was signed.[34] It outlined long-term goals for all participating nations to reduce GHG emissions to keep the temperature increase of this century below 2℃, and ideally below 1.5℃.[35] It requires a review every five years of the progress and commitments made by the nations.[36] It provides financial support to lower-resource countries to help them combat the effects of climate change, strengthen resilience, and encourage parties to adapt to climate change.[37] The Paris Agreement recognizes the need for collaboration amongst the parties in sharing information and scientific knowledge, strengthening institutional arrangements, and assisting lower-resource nations in planning, implementation, enforcement, and evaluation.[38] The Paris Rulebook was finalized at the 2021 UN Climate Change Conference (COP26) in Glasgow, Scotland.[39] The Rulebook operationalizes the agreements outlined in the Paris Agreement.[40] It includes rules for outlining transparency, accounting, reporting, finance, and compliance, and all signatories must maintain and update their nationally determined contributions (NDC).[41] The agreement requires that parties provide any information relevant to their NDC as needed.[42]
Information sharing is not only critical for collaboration, but it is the foundation for successful attribution methods and enforcement policies. It is arguably the most important resource a nation can share; information is power. Information sharing encourages nations to be transparent and builds trust between parties. Information sharing in cybersecurity is virtually non-existent due to its connection to national security. While the application for cybersecurity is more complex, a system for information-sharing would help build and determine the progress and success of cyber hygiene and resilience efforts. We are starting to see some organizations helping governments work on cyber hygiene and resilience. However, government-to-government cooperation is still limited. Ultimately, having an information-sharing system would be a critical mechanism for addressing the lack of collaboration in cybersecurity.
Trade Agreements
Trade agreements have been another source of collaboration in environmentalism. They’re a simpler method of collaboration, because they can be as small as two parties, which makes them a good basis for establishing collaborative mechanisms. The United States-Mexico-Canada Agreement (USMCA), which aims to decrease barriers to trade between the three countries, is a good example of how trade agreements can be utilized to encourage collaboration.[43] This agreement includes an environmental agreement, the Environmental Cooperation Agreement (ECA), which includes commitments to protecting the ozone layer and the marine environment and encouraging conservation and sustainable practices to preserve biodiversity.[44] The USMCA outlines a process for dispute settlement if any party is suspected of failing to enforce the agreed-upon environmental laws.[45] It also allows non-government organizations or people to act as whistleblowers and report parties not adhering to environmental agreements.[46]
Each party has the sovereign right to the execution, prioritization, and modification of the laws under the agreement.[47] Parties have the sovereign right to decide on the execution and policies surrounding investigations, prosecutions, regulations, and compliance.[48] However, they cannot weaken, reduce, or waive environmental laws to incentivize trade and investment between parties.[49] Parties must make information regarding the implementation, enforcement, and compliance procedures accessible[50] and have fair and transparent dealings for violations in the investigation process through the court decision.[51] Participating parties must be transparent and cooperative, share information regarding topics of mutual interest with other parties, and fulfill obligations in line with seven separate agreements, one of which is the Montreal Protocol.[52]
With the rapid globalization within the last few decades, environmental impacts are important considerations in any international agreement. International trade specifically has had massive impacts on the environment. Cybersecurity has also been affected by globalization and has a role in international agreements, from trade to weaponry to humanitarian aid. Most regional cybersecurity agreements or alliances are independent of other topics. However, as the environment is included alongside these regional agreements, so should cybersecurity. Nations should consider the impact their agreements or lack thereof will have on their cybersecurity infrastructure and capacity building and include this as a point of discussion. This would be another mechanism that could help encourage collaboration.
Attribution Methods
Attribution methods are necessary for holding actors responsible for their actions, including any deviation from norms of behavior and international agreements. Attribution is one of the core challenges for international cybersecurity, but it is also an issue in the area of the global environment–and steps forward have been made in this arena.
Attribution Methods in Cybersecurity
Attribution is a common challenge in many global issues, but it is especially complex in cybersecurity. Attribution in cybersecurity refers to assigning responsibility for a cyberattack, breach, crime, or another form of behavior. It can be broken down into three levels: technical, legal, and political.[53] Technical attribution uses IT forensics to understand the “how” of an attack, gathering information about the perpetrators’ tools, tactics, and procedures (TTP).[54] Cybercriminals and nation-state actors often have a “signature” style that makes it easier to attribute attacks.[55] During technical attribution, experts compare TTP to past incidents and look for similarities that may indicate a nation or cybercrime group of origin; however, these TTPs can be purposefully misleading.[56]
Political attribution is the “naming and shaming” of the attacker, privately or publicly.[57] The purpose of political attribution is to discourage the perpetrator from partaking in continued activity by threatening to expose them.[58] This act requires careful consideration of factors such as diplomatic relations and power dynamics and must not be taken lightly; a state that politically attributes an act may have to deal with political action from the accused.[59] Legal attribution is the policy response to the cyber incident, assigning criminal blame to individuals or states.[60] First and foremost, it requires the distinct classification of the incident as a cybercrime or cyberattack, violation of international law, or espionage, among other things.[61] These classifications have no set definitions, adding another layer of difficulty for international attribution.
As complicated as attribution is, it is made even more so because there is no standard international procedure. Even EU nations, who would be the most likely to have a more standardized approach, struggle with this problem. Attribution is considered the sovereign act of each EU member-state; the lack of a cohesive attribution framework and information transparency across member states has led the EU to pursue a different course of action.[62]
There are several forums and organizations where we see discussion happening. The Russian Federation set forth a UN GGE to study relevant threats to the international community and explore cooperative measures.[63] It comprises 15-25 rotating UN member-states, always including the five permanent members of the Security Council.[64] The third GGE in 2013 mentions attribution as an issue for global governance in cyberspace and mentions the need to create international norms to address this issue better.[65]
Five Eyes, an intelligence alliance between Canada, Australia, the United States, the United Kingdom, and New Zealand, hints at how collaboration and attribution go hand in hand. The Five Eyes emphasize backing each other’s attribution claims and have thus taken a political attribution approach.[66] The United Kingdom’s government stated that this method is utilized to establish boundaries and norms, call out undesirable or irresponsible behavior, and ultimately increase transparency in cybersecurity.[67]
In NATO’s Tallinn Papers, authors emphasize the importance of proper attribution methods that are standardized by international law, as it is the basis for lawful countermeasures.[68] However, the Tallinn Papers also state that no international laws standardize the attribution process, leaving it up to the discretion of national sovereignty, which they claim is impractical and disorderly.[69]
Attribution Methods in Environmentalism
Attribution is a challenge for many international issues not confined to national borders, including environmentalism. In international environmentalism, rising pH levels in the ocean, increasing global temperatures, a damaged ozone layer, loss of biodiversity, and excessive waste are hard to attribute to one nation. However, international agreements for environmental protection and sustainability efforts have figured out how to attribute the actions of nations to their overall footprint on these larger issues through internal attribution. Internal attribution refers to nations reporting the actions they have taken that have caused a certain outcome. The following section will describe how international agreements utilize the internal attribution method and how it can be applied to cybersecurity.
The Montreal Protocol utilizes internal attribution to determine how much ODS nations need to phase out and monitor their progress. Parties must provide the UN Secretariat with information regarding the production, importation, exportation, consumption, and destruction of all ODS levels for each new base year.[70] While sharing information is a collaborative mechanism, gathering and formulating the report is an internal attribution method. The UNFCCC is another agreement that utilizes internal attribution. Industrialized and higher-resource nations (Annex 1 parties) must report their efforts in establishing climate change policies and measures, including those outlined by the Kyoto Protocol (which comes out of the UNFCCC), and submit a report on their inventory of GHG emissions.[71]
The Paris Agreement is a good example of how the internal attribution method is standardized to ensure equitable attribution methods. The Intergovernmental Panel on Climate Change (IPCC)’s Guidelines for National Greenhouse Gas Inventories establishes a methodology for calculating a nation’s GHG inventories.[72] If using a different methodology, they must justify their methodology in comparison.[73] The Rulebook carefully outlines the process of reporting, which requires a biennial transparency report (BTR) that provides accounting information and tracks the progress of a party’s NDC.[74]
Further requirements include establishing progress indicators and providing information on regulatory efforts and expected and current emission reduction achievements.[75] Additionally, members must include statistics or some other indicator of their progress and information on their policy and legislative action and the estimated emissions reduction.[76] The Rulebook requires that BTRs be reviewed by technical experts and peer-reviewed.[77] The technical experts analyze the report for consistency with the IPCC guidelines and identify areas of improvement and capacity-building needs.[78] The peer review report examines implementation and achievement and facilitates inquisitive dialogue.[79]
Internal attribution allows the international entity to easily understand how much individual parties’ actions contribute to the environmental issue. Due to the national security nature of cybersecurity, using an internal attribution method would likely only work in analyzing positive outcomes, specifically the actions parties are taking that result in positive outcomes that could be used to aid in furthering global governance for cybersecurity. The methodology used by the Paris Agreement to ensure that parties are standardizing their attribution and reporting process should also be considered. Having a governing body or unbiased group of experts to regulate a party’s attribution processes would help solve the major issue of unstandardized attribution methods across parties. It is worth mentioning that legal attribution methods utilizing international judicial systems are more common and effective in environmentalism. However, legal attribution methods are not as relevant without concrete laws and regulations for cybersecurity.
Enforcement Mechanisms
Enforcement mechanisms are needed to guarantee that members of the international community adhere to agreements. Enforcement is another area where those attempting to tackle international cybersecurity issues can look to the environment for lessons.
Enforcement in Cybersecurity
Enforcement in international law is crucial to its success. Without mechanisms to ensure that nations adhere to the agreements, policies, and regulations they have committed to, there is nothing to incentivize nations to keep those commitments if they no longer further their interests. Due to the lack of general cooperation in cybersecurity, agreements, and especially those that utilize enforcement mechanisms, are virtually non-existent. It is especially important that agreements that target cybercrime utilize enforcement mechanisms; however, the few agreements that exist, for example the Wassenaar Arrangement and the Budapest Convention, leave much to be desired.
The Wassenaar Arrangement is an important multilateral agreement for export controls on weapons and dual-use technologies.[80] Within the past few years, members have added digital surveillance tools and other actions affecting networks or network devices to the list for export controls—a step in addressing cybersecurity issues.[81] However, the Wassenaar Arrangement is voluntary—non-binding, which means that members have no legal obligation to follow the principles of the Arrangement. A forum like this cannot be as effective without an enforcement mechanism. Enforcement mechanisms also build trust; when both parties have something to gain or lose, they’re more likely to adhere to the terms of the agreement.
There is only one legally binding agreement for cybersecurity—The Budapest Convention. The Budapest Convention on Cybercrime came out of the Council of Europe to combat the criminal misuse of computers and networks.[82] The Convention outlines the obligations of signatories, like introducing laws and regulations for issues on data, privacy, and cybercrime, as well as setting intentions for international cooperation through extradition, mutual assistance, and information sharing.[83] However, the document does not outline any consequences for not fulfilling the obligations in the Convention. For effective cooperation, mechanisms must be implemented to encourage nations to uphold their end of the agreement.
Enforcement Mechanisms in Environmentalism
In environmentalism, there are more binding agreements, laws, and regulations that parties are privy to. This makes enforcement mechanisms much easier to implement. Central entities in environmentalism, like the United Nations and the European Union, make it feasible to implement economic and financial incentives and penalties.
The European Union utilizes financial and economic enforcement mechanisms, although they pertain to all issues, not just environmental issues. If a member state fails to implement the directives, or fails to implement them properly, the Commission can launch a formal investigation through the infringement procedure.[84] The formal infringement procedure starts with a formal letter of notice and request for information sent to the violating member state.[85] If the Commission concludes that the member state is failing to comply with EU law, it may send a formal request for compliance and for information on what measures have been taken.[86] If the member state still does not comply, the Commission will refer the case to the Court of Justice, and it may ask the Court to impose penalties.[87] If the Court rules that a breach of EU law has occurred, national authorities must comply with the judgment, and if a member state still does not comply, the Commission will refer the case to the Court with a request for a financial penalty.[88]
The EU is the most prominent economic union in the world and showcases a tremendous collaborative effort between member states. The mechanisms of attribution and enforcement go through a central power independent of any one member, eliminating a major conflict of interest in exonerating or condemning defendants. The enforcement mechanisms for the EU are very different in that the member states are also financially tied together, making financial enforcement mechanisms more effective. Financial penalties in cybersecurity would be difficult to implement unless parties were willing to submit to a global entity completely. With the current cybersecurity governance landscape, attributing a party to an act with enough certainty to enact financial penalties is not very likely. Even with the ability to do so accurately, financial penalties alone aren’t enough to enforce regulations and laws. Economic incentives to participate in the agreement, like the benefits of being a part of the European Union, are likely more effective. If there are incentives under some central governing body for cybersecurity (such as access to technology resources and information), an enforcement policy suspending parties who have bad actions attributed to them may successfully encourage nations to hold to cybersecurity laws and regulations. This would require a central entity, resource-sharing mechanisms, and attribution methods to be better established.
Other enforcement mechanisms can be observed in the Kyoto Protocol. The Kyoto Protocol enforces compliance through the Compliance Committee, which is composed of a facilitative branch and an enforcement branch.[89] The facilitative branch acts as an advising party to promote compliance, and the enforcement branch determines the penalty for non-compliance.[90] Non-compliance is organized into three categories: GHG emission targets, GHG inventory reporting methodology, and eligibility requirements.[91] One consequence of non-compliance with emission targets is assigning the excess amount to the next period plus an additional 30% deduction.[92] Parties must also submit a compliance action plan or be suspended from internal emissions trading.[93] In all cases of non-compliance, the offending party and their consequence will be made publicly known.[94]
Public shaming is another way of disincentivizing nations from violating compliance rules. Environmentalism is a widely publicized global issue with much involvement from individuals and organizations, so public shaming, although not nearly as effective as economic incentives or financial penalties, can sometimes work. Cybersecurity, especially intergovernmental actions in cyberspace, is unknown to the public. If attribution methods were to be more efficient and accurate, public shaming could be useful for keeping democratic nations like the United States in check. For example, if civilians learn that their tax dollars are being used to fund cyberattacks against a small country, public disapproval and outrage may be cumbersome enough for the government to be less inclined to do so. However, as the current cyber landscape stands, it is not an effective enforcement mechanism.
Insights and Conclusions
The lack of collaboration mechanisms, inefficient and unstandardized attribution methods, and the absence of enforcement mechanisms have inhibited successful international governance in cybersecurity. However, mechanisms for addressing these issues in environmentalism provide potential solutions. A separate central entity under the United Nations that could manage all international agreements relating to cybersecurity, like the United Nations Environment Programme, would help organize and manage international efforts to address interstate cybersecurity issues. It would provide a platform for building international regulations and norms, monitored by an impartial elected board. International projects like the Montreal Protocol, Kyoto Protocol, UNFCCC, and the Paris Agreement prove that resource sharing, especially information, creates transparency and trust and is the foundation for building international resilience and effective action. Higher-resource nations, specifically their governments, should provide economic, financial, and information resources to lower-resource nations to help build their cybersecurity infrastructure. This would ultimately increase overall global resilience and promote collaboration. Just as environmentalism plays a role in trade agreements, encouraging smaller collaborative partnerships, so can cybersecurity. Including cyber issues like information security and interstate behavior in trade agreements would be a more manageable form of collaboration.
Internal attribution is a prominent attribution method in environmentalism and provides insight into how it can help agreements succeed. Attribution requires information sharing, and due to the nature of international relations, sharing information regarding cybersecurity issues can be seen as a disadvantage and a national security threat. However, internal attribution can attribute legislation, policies, and regulations to good cyber hygiene and increase cyber resilience. This information could be shared with party members through a central entity to aid in their efforts and ensure that parties’ actions align with cybersecurity laws, norms, and regulations. The Paris Agreement carefully outlines methodologies and procedures for internal attribution but may allow nations to have their methodology approved by the heads of these agreements. As noted, standardization for cybersecurity attribution is a very complex issue. However, utilizing the technical and peer analysis method from the Paris Agreement, a central entity could vet attribution processes that would allow for easier collaboration. This would ensure that nations can still choose their attribution methodologies, but there would be some similarities across the board, making information sharing easier.
Enforcement mechanisms in environmentalism are made easier by the existence of environmental laws and regulations. Entities like the European Union can enact financial penalties that parties are willing to be subjected to due to the perceived economic benefits of being a part of the union. An economic incentive benefit may be created under a central entity where parties are privy to technological resources and cybersecurity information. Parties with cybercrimes, attacks, or other violations of international cybersecurity law could be suspended from the right to access these resources and information. This could be utilized as a standalone enforcement mechanism or used alongside a financial fee to have their rights restored. The Kyoto Protocol also utilizes public shaming as a deterrent, which could work under a public central entity, allowing civilians access to information regarding how states engage in cyberspace. However, all these enforcement systems would only be effective if a central entity is established and collaboration mechanisms and attribution methods are developed.
Despite these potential solutions, global collaboration in cybersecurity may not be feasible. In that case, it is better to take the approach of the USMCA and create regional agreements or smaller agreements in general. It may be more doable (and beneficial) if nations with similar internet governance values create their own cyberspace agreements. This would also require nations to refrain from interfering with the agreements and norms established between countries supporting a different Internet governance model. Through representatives, these smaller groups could pursue strategic international policies instead of collaborative policies to maintain international peace in cyberspace. Regardless, the issue of global cyberspace governance is complex, but by exploring the mechanisms of other international issues, we may find a solution.
Endnotes
[1] United Nations General Assembly. (2021, July 14). Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, 22-23. https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/075/86/PDF/N2107586.pdf?OpenElement
[2] Eneken, T., & Kerttunen, M. (2020). Routledge Handbook of International Cybersecurity, p.1. Routledge. https://ebookcentral.proquest.com/lib/washington/detail.action?docID=6029024
[3] Microsoft (n.d.). What is information security (InfoSec). Retrieved May 15, 2023, from https://www.microsoft.com/en-us/security/business/security-101/what-is-information-security-infosec
[4] Eneken, T., & Kerttunen, M. (2020). Routledge Handbook of International Cybersecurity, p.2. Routledge. https://ebookcentral.proquest.com/lib/washington/detail.action?docID=6029024
[5] Traynor, I. (2007, May 16). Russia accused of unleashing cyberwar to disable Estonia. The Guardian. https://www.theguardian.com/world/2007/may/17/topstories3.russia
[6] UN Environment Programme. (n.d.). About UN Environment Programme. Retrieved April 14, 2023, from https://www.unep.org/about-un-environment
[7] UN Environment Programme. (2021, February 17). For people and planet: the UNEP strategy for 2022-2025. Retrieved April 14, 2023, from https://www.unep.org/resources/people-and-planet-unep-strategy-2022-2025.
[8] UN Environment Programme. (n.d.). About UN Environment Programme. Retrieved April 14, 2023, from https://www.unep.org/about-un-environment.
[9] Ibid.
[10] Ibid.
[11] UN Environment Programme. (2022, March 2). UN Environment Assembly concludes with 14 resolutions to curb pollution, protect and restore nature worldwide. https://www.unep.org/news-and-stories/press-release/un-environment-assembly-concludes-14-resolutions-curb-pollution
[12] Ibid.
[13] Hunter, D. (2021, January 5). International Environmental Law: International treaties and principles protect the environment and guard against climate change. American Bar Association. https://www.americanbar.org/groups/public_education/publications/insights-on-law-and-society/volume-19/insights-vol–19—issue-1/international-environmental-law/
[14] Ibid.
[15] Ibid.
[16] United Nations Climate Change. (n.d.). History of the Convention. Retrieved April 18, 2023, from https://unfccc.int/process/the-convention/history-of-the-convention#Essential-background
[17] United Nations Climate Change. (n.d.). What is the United Nations Framework Convention on Climate Change? Retrieved April 18, 2023, from https://unfccc.int/process-and-meetings/what-is-the-united-nations-framework-convention-on-climate-change
[18] Ibid.
[19] Ibid.
[20] United Nations Climate Change. (n.d.). What is the Kyoto Protocol? Retrieved April 18, 2023, from https://unfccc.int/kyoto_protocol
[21] Ibid.
[22] Ibid.
[23] United Nations Climate Change. (n.d.). Mechanisms under the Kyoto Protocol: Emission Trading. Retrieved April 18, 2023, from https://unfccc.int/process/the-kyoto-protocol/mechanisms/emissions-trading
[24] United Nations Climate Change. (n.d.). Mechanisms under the Kyoto Protocol: The Clean Development Mechanism. Retrieved April 18, 2023, from https://unfccc.int/process-and-meetings/the-kyoto-protocol/mechanisms-under-the-kyoto-protocol/the-clean-development-mechanism.
[25] United Nations Climate Change. (n.d.). Mechanisms under the Kyoto Protocol: Joint Implementation. Retrieved April 18, 2023, from https://unfccc.int/process/the-kyoto-protocol/mechanisms/joint-implementation
[26] IISD. (2017, September 19). Montreal Protocol: Successful Ozone and Climate Agreement Turns 30. http://sdg.iisd.org/news/montreal-protocol-successful-ozone-and-climate-agreement-turns-30/
[27] US Department of State. (n.d.). Office of Environmental Quality: The Montreal Protocol on Substances that Deplete the Ozone Layer. Retrieved April 15, 2023, from https://www.state.gov/key-topics-office-of-environmental-quality-and-transboundary-issues/the-montreal-protocol-on-substances-that-deplete-the-ozone-layer/
[28] Ibid.
[29] UN Environment Programme: Ozone Secretariat. (n.d.). The Montreal Protocol on Substances that Deplete the Ozone Layer: Article 2A: CFCs. Retrieved April 15, 2023, from https://ozone.unep.org/treaties/montreal-protocol/articles/article-2a-cfcs
[30] IISD. (2017, September 19). Montreal Protocol: Successful Ozone and Climate Agreement Turns 30. http://sdg.iisd.org/news/montreal-protocol-successful-ozone-and-climate-agreement-turns-30/
[31] US Department of State. (n.d.). Office of Environmental Quality: The Montreal Protocol on Substances that Deplete the Ozone Layer. Retrieved April 15, 2023, from https://www.state.gov/key-topics-office-of-environmental-quality-and-transboundary-issues/the-montreal-protocol-on-substances-that-deplete-the-ozone-layer/
[32] IISD. (2017, September 19). Montreal Protocol: Successful Ozone and Climate Agreement Turns 30. http://sdg.iisd.org/news/montreal-protocol-successful-ozone-and-climate-agreement-turns-30/
[33] UN Environment Programme: Ozone Secretariat. (n.d.). The Montreal Protocol on Substances that Deplete the Ozone Layer: Article 2: Control Measures. Retrieved April 15, 2023, from https://ozone.unep.org/treaties/montreal-protocol/articles/article-2-control-measures
[34] United Nations. (n.d.). The Paris Agreement. Retrieved April 21, 2023, from https://www.un.org/en/climatechange/paris-agreement
[35] Ibid.
[36] Ibid.
[37] Ibid.
[38] United Nations Climate Change (2015). Paris Agreement, 9-11. https://unfccc.int/files/essential_background/convention/application/pdf/english_paris_agreement.pdf.
[39] United Nations. (n.d.). The Paris Agreement. Retrieved April 21, 2023, from https://www.un.org/en/climatechange/paris-agreement
[40] Ibid.
[41] Huang, J. (2019, June). A Brief Guide to the Paris Agreement and ‘Rulebook’, 1-3. Center for Climate and Energy Solutions. https://www.c2es.org/wp-content/uploads/2019/06/paris-agreement-and-rulebook-guide.pdf
[42] Ibid.
[43] EPA. (n.d.). International Cooperation: U.S. Trade and Investment Agreements. Retrieved April 24, 2023, from https://www.epa.gov/international-cooperation/us-trade-and-investment-agreements.
[44] Ibid.
[45] Ibid.
[46] Ibid.
[47] USMCA Environmental Chapter, 2. (n.d.). Environmental Protection Agency. Retrieved April 14, 2023, from https://ustr.gov/sites/default/files/IssueAreas/Environment/USMCA_Environment_Chapter_24.pdf
[48] Ibid. 3
[49] Ibid. 3
[50] Ibid. 3
[51] Ibid. 4
[52] Ibid. 6
[53] Bendiek, A., & Schulze, M. (2021). Attribution: A Major Challenge for EU Cyber Sanctions. Stiftung Wissenschaft und Politik, 8-11. doi:10.18449/2021RP11
[54] Ibid. 10
[55] Ibid. 10
[56] Ibid. 10
[57] Ibid. 10
[58] Ibid. 10
[59] Ibid. 10
[60] Ibid. 11
[61] Ibid. 11
[62] Ibid. 8
[63] Tiirmaa-Klaar, H. (2021, December). The Evolution of the UN Group of Governmental Experts on Cyber Issues from a Marginal Group to a Major Internal Security Norm-Setting Body, 3. The Hague Centre for Strategic Studies. https://hcss.nl/wp-content/uploads/2021/12/Klaar.pdf
[64] Efrony, D. (2021, July 16). The UN Cyber Groups, GGE and OEWG — A Consensus is Optimal, But Time is of the Essence. Just Security. https://www.justsecurity.org/77480/the-un-cyber-groups-gge-and-oewg-a-consensus-is-optimal-but-time-is-of-the-essence/
[65] United Nations General Assembly. (2013, June 24). Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, 2. https://documents-dds-ny.un.org/doc/UNDOC/GEN/N13/371/66/PDF/N1337166.pdf?OpenElement
[66] Egloff, F.J. (2020) Public attribution of cyber intrusions. Journal of Cybersecurity, 6(1), 8. https://doi.org/10.1093/cybsec/tyaa012
[67] Ibid.
[68] Davis, J.K. (2022). Developing Applicable Standards of Proof for Peacetime Cyber Attribution, 16. NATO CCDCOE. https://ccdcoe.org/uploads/2022/03/Jeremy-K.-Davis-Standards_of_Attribution.pdf.
[69] Ibid.
[70] UN Environment Programme: Ozone Secretariat. (n.d.). The Montreal Protocol on Substances that Deplete the Ozone Layer: Article 2: Control Measures. Retrieved April 15, 2023, from https://ozone.unep.org/treaties/montreal-protocol/articles/article-2-control-measures
[71] United Nations Climate Change. (n.d.). What is the United Nations Framework Convention on Climate Change? Retrieved April 18, 2023, from https://unfccc.int/process-and-meetings/what-is-the-united-nations-framework-convention-on-climate-change
[72] Huang, J. (2019, June). A Brief Guide to the Paris Agreement and ‘Rulebook’, 2. Center for Climate and Energy Solutions. https://www.c2es.org/wp-content/uploads/2019/06/paris-agreement-and-rulebook-guide.pdf
[73] Ibid 2.
[74] Ibid 2.
[75] Ibid 2.
[76] Ibid 2.
[77] Ibid 3.
[78] Ibid 3.
[79] Ibid 3.
[80] The Wassenaar Arrangement. (n.d.). About us. Retrieved April 22, 2023, from https://www.wassenaar.org/about-us/#about-us
[81] WhiteHouse. (2023, March 27). FACT SHEET: President Biden Signs Executive Order to Prohibit U.S. Government Use of Commercial Spyware that Poses Risks to National Security. https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/27/fact-sheet-president-biden-signs-executive-order-to-prohibit-u-s-government-use-of-commercial-spyware-that-poses-risks-to-national-security/
[82] Council of Europe. (2001). Convention on Cybercrime 1. https://rm.coe.int/1680081561
[83] Ibid.
[84] European Commission. (n.d.). Application of EU Law: Infringement procedure. Retrieved April 22, 2023, from https://commission.europa.eu/law/application-eu-law/role-member-states-and-commission/infringement-procedure_en
[85] Ibid.
[86] Ibid.
[87] Ibid.
[88] Ibid.
[89] United Nations Climate Change. (n.d.). Compliance under the Kyoto Protocol: Introduction. Retrieved April 18, 2023, from https://unfccc.int/process-and-meetings/the-kyoto-protocol/compliance-under-the-kyoto-protocol/introduction
[90] Ibid.
[91] Ibid.
[92] Ibid.
[93] Ibid.
[94] Ibid.