“[Cybersecurity is] the preservation of the availability, confidentiality, and integrity of information and its underlying infrastructure, so as to preserve the security of networks and ultimately people.”
The world is increasingly interconnected and dependent upon the Internet for the provision of goods and services, yet the Internet remains inconsistently governed, rendering individuals, businesses, and governments vulnerable to attack. In light of this reality, the third panel of the New Frontiers in International Affairs: A Conversation on the Arctic, Space, and Cybersecurity – Views from the Puget Sound and the Potomac conference consisted of academic and industry experts speaking about the establishment of international cybersecurity norms. This panel discussed recommendations for the creation of a sound international cybersecurity environment rooted in strong cybersecurity practices.
Several key themes emerged from the panel discussion. First, given the ubiquity of the Internet, cybersecurity is a critical concern within and between nation-states, as well as for almost all aspects of human life. Consequently, arriving at shared cybersecurity norms will take a multi-sector approach and collaboration among numerous stakeholders. Second, what is considered to be a pressing cybersecurity threat may differ across sectors, with states more concerned about cyberwar and individuals more concerned about their personal data. Critically, understanding the nature of cybersecurity threats across sectors is poorly understood and there are poorly developed norms with regards to sharing information about cybersecurity breaches. This limitation contributes to a third theme identified by all of the panelists and the audience, namely, there is a lack of situational awareness that prevents stakeholders from developing the norms that can safeguard society.
Dr. Sara Curran, panel moderator and Henry M. Jackson School Professor, introduced the Jackson School’s new International Policy Institute and discussed the focus of its Cybersecurity Initiative. The Cybersecurity Initiative will serve as a multi-sector platform in which diverse actors from government, business, civil society, and academia will collaborate in the establishment of international cybersecurity norms. The collaboration will be a vital step to identifying, addressing, and strategically solving pressing and varied cybersecurity issues—while taking into account all perspectives involved.
David Gompert, a Senior Fellow at the RAND Corporation, began the panel discussion with the international situation surrounding cybersecurity and cyberwar. He proposed that the international community begin to regard cyberwarfare in the same way it regards conventional warfare because standardized terminology would lay the foundation for the development of international cybersecurity norms and stress the gravity of cyberattacks. Mr. Gompert argued that this might then even discourage the employment of cyberattacks in warfare. His proposed framework would produce an environment that Mr. Gompert described as a “dual regime,” where maximum cybersecurity could be achieved because it was based on a set of international norms. These international norms would dictate that states had the option to exercise cyberwarfare in certain ways in the case of war. However, Mr. Gompert also acknowledged the significant obstacles to the adoption of his proposed framework. He asserted that the United States currently views cyberwar as an alternative to conventional warfare rather than war itself, and the U.S.’s cybersecurity policies—which stress maximum defensive cybersecurity, while simultaneously being able to conduct cyberattacks—make it increasingly difficult to align U.S. national interests with a potential set of shared international norms.
Scott Godwin, General Manager in the National Security Directorate at the Pacific Northwest National Laboratory Center (PNNL), shifted the conversation toward current challenges in sound cybersecurity practices. Mr. Godwin argued that the fundamental issue impeding strong cybersecurity is lack of situational awareness, a problem that PNNL seeks to close with its Cybersecurity Risk Information Sharing Program (CRISP). CRISP is co-funded by the U.S. Department of Energy and industry partners. This public-private partnership is meant to share threat information (classified and unclassified) and develop tools to protect key infrastructure. Mr. Godwin then highlighted three other areas of focus where this situational awareness deficit might be closed. First, cybersecurity situational awareness needs to be promoted through cross-sector, multi-sector, and public-private initiatives. Second, public-private information sharing must be improved in a way that allows for effective use of data while still protecting critical U.S. infrastructure. Finally, international coordination on cybersecurity policy and research must be promoted.
Paul Nicholas, Senior Director of Trustworthy Computing at Microsoft, focused on the role of industry in cybersecurity challenges. He stated that cybersecurity involves a multitude of actors, including individuals, private enterprise, and the public sphere, and asserted that the creation of cybersecurity norms must reflect this diversity. He illustrated the startling growth of the Internet since 2005, showing that the number of individuals, businesses, and governments online have grown exponentially across the world in a short period of time. Mr. Nicholas argued that this growth also brings about new cybersecurity risks, particularly as governments move their critical data online and into the Cloud. Cybercriminals now have the ability to destroy or steal so much information that it could pose an extraordinary loss to a nation-state with a high recovery cost. Mr. Nicholas suggested two ways to combat these risks. First, norms must be created to reduce risk and create a level of predictability. Second, norms that limit conflict are needed to contain escalation and limit the consequences following a cyberattack. Additionally, the establishment of these proposed cybersecurity norms must involve all stakeholders—individuals, the private sector, government, and academia. Mr. Nicholas asserted that governments should have an open dialogue with the private sector.
Dr. Jessica Beyer, cybersecurity postdoctoral fellow in the University of Washington’s Jackson School of International Studies, discussed the difficulties in creating shared cybersecurity norms at the international level. Dr. Beyer argued that four major barriers exist to creating shared cybersecurity norms. First, countries do not agree about what form the Internet should take domestically, which creates problems for creating shared international Internet governance. Some countries, such as the U.S., have allowed the Internet to grow somewhat organically and characterized by openness. Others, such as China, have closely controlled the Internet. Second, there is a debate over the form that international Internet governance should take. This debate is both between countries such as the U.S. and Russia, which disagree about the form the Internet should take domestically, as well as between the U.S. and countries, such as Brazil, that are concerned about U.S. hegemony in this sphere, particularly in the wake of the Snowden revelations. Third, developing international cybersecurity norms around cyberwar will require countries with tense relations to voluntarily cease to use cyberwarfare tactics. Finally, Dr. Beyer argued that while much of the conversation around international cybersecurity norms focuses on state-to-state agreements, the majority of Internet users are not states but individuals for whom industry creates and maintains technology. Dr. Beyer stated that because of this, a multi-stakeholder approach to addressing cybersecurity challenges was key, as industry is currently responsible for the vast majority of Internet users.
By Minnie Ray Chaudhury, Stacia Lee, and Skye Terebey