Despite international law already applying to cyberspace, as approved by the UN Group of Governmental Experts (UN-GGE) in 2013, international regulation has seen little improvement, and transposing existing standards to the digital space and its specificities is no longer enough.
This issue was central at FIC 2019 (the International Cybersecurity Forum) in Lille, France, jointly organised by the Department of the National Gendarmerie and CEIS, with the support of the Regional Council of Hauts-de-France, where Europe was placed at the heart of security and privacy in the digital realm.
Underpinning the entire event was the realisation that our digital world is now a diplomatic matter which belongs at the core of international relations. Information Age heard from a host of experts in this area, who expanded on the key challenges around developing multilateral regulations for cyberspace, and learnt why incremental change will always beat ambitious failure.
The state of legislation
France is no stranger to these issues; in recent times, it has emerged as one of the leading nations calling for new regulations relating to cyberspace.
On November 12th 2018, French President Emmanuel Macron unveiled the Paris Call for Trust and Security in Cyberspace at the UNESCO Internet Governance Forum, held in Paris. This set out a range of principles and commitments for countries to abide by, such as to fight against election interference, to defend individuals and critical infrastructure from cyber attacks, and to deter the proliferation of malicious cyber tools.
Fifty-one countries, 130 private sector groups and 90 charitable groups and universities signed and supported the document, but neither the United States, Russia nor China signed up.
Despite these notable absences, the Paris Call reinvigorated debate around the importance of multilateral regulation in cyberspace and identified the challenges.
Before the Paris Call, the UN-GGE also made notable progress in the effort to develop universal norms and accountability for states around cyber stability. This group has been constituted five times and will be again in 2019. However, while the GGE’s 2013 and 2015 reports made progress, the fifth constitution broke down due to Russia, Cuba and China opposing a number of principles.
If we are ever to make progress, we first need to get to grips with the complexity of the issue.
Cyber threats: moving goalposts
Speaking at a panel discussion at FIC 2019, Michael Daniel, president and CEO of Cyber Threat Alliance, argued that any form of diplomacy is going to be difficult because the threat is always changing.
“Cyberspace does not operate to the same rules that we are used to in the physical world. The physics and the maths in cyberspace are very different; the concepts of proximity, distance and time are not applicable.
“Also, this is a relatively new area. Many of the regulations that you see in other areas of international relations, be it freedom of navigation or international water laws, all took decades or even centuries to develop.
“On top of being young, cyberspace is always growing too — I heard 500 new devices join a network every hour — so every day there is new territory, be it a car, a Fitbit or machinery, that needs to be defended. At the same time, more threat actors are getting into the game. The incentives to use cyberspace, whether you’re a criminal organisation, a terrorist or a nation-state, are huge. Threat actors are also more willing to take destructive action. Ten years ago I’d be talking about website defacement, but now it’s NotPetya and WannaCry, things that cause immense destruction.”
The geopolitical challenges around developing multilateral regulations for cyberspace
“Furthermore, we’ve collectively treated cybercrime as a technical problem but this is only the tip of the iceberg,” said Daniel. “It’s a psychological problem; it’s an economic problem; it’s a security problem and, importantly, it’s an international problem.”
Here lies a big issue: reaching international consensus on areas such as these is difficult.
There is a persistent attitude commonly found among some nation states that they want to protect their own networks but hold everybody else’s at risk — North Korea even harbours hackers.
For example, when NATO or the United States propose legislation, there’s usually strong opposition from Russia and China; it becomes apparent that legislators are still dealing with a sort of ‘Cold War’ divide.
Trying to build any form of consensus here is, naturally, going to be difficult.
The value of incremental change
Isaac Newton once said: “Tact is the knack of making a point without making an enemy,” but Theodore Roosevelt had a quite different philosophy. He said: “If you’ve got them by the balls, their hearts and minds will follow.” The former (incremental change) and the latter (brute force) both have their pros and cons in the world of diplomacy, but which works best for cyberspace?
Well, Frédérick Douzet, professor of geopolitics at the University of Paris 8 and director of the centre of Geopolitics of the Datasphere (GEODE), thinks incremental change will always beat ambitious failure.
She may have a point. Collectively speaking, we’ve been successfully managing similar geopolitical problems for centuries, such as nuclear weapons, through incremental legislation. Drawing inspiration from how policies can be shaped around issues like this one gives us hope, as it had very similar hurdles — the US wanted nuclear weapons but didn’t want its adversaries having them too. Legislators around nuclear disarmament had their big successes when their proposals were realistic and tied in with how we operate between governments.
Jean Heilbronn, Diplomat with the French Ministry for Europe and Foreign Affairs, agrees with Douzet. He said: “World peace would be nice but stability is realistic.”
He thinks it’s easy to get stuck in a mode of thinking that is obsessed with having one revolutionary piece of legislation that will change everything for the better, but all we really have to do is find the things we already agree on and work from there.
He said: “As the Paris Call shows us, countries are already happy to move forward in many areas: recovery of stolen data, trade secrets, more accountability over the management of personal data.”
“Unfortunately, I think it’s going to get worse before it gets better,” claimed Douzet. “There is tremendous distrust in international systems at the moment and multilateral institutions are being weakened. We also have the President Trump situation which is creating a lot of uncertainty. We have also observed a number of great powers becoming more assertive in this context, in recent years.
“The perception of cybercrime being a geopolitical threat prevails over the perception of being a systematic one. But at some point, we may have had enough incidents and we will concede that systematic risk is more dangerous. So it’s very important that when this happens we have done all the work beforehand so we can come up with good and realistic policies.”
For both Douzet and Heilbronn, we can find, through research and dialogue, ways to establish new norms and obligations. It’s all about exploring political wills and finding common ground.
Negotiations take time; legislators in this area have to deal with balances of power, intrinsic tensions between certain nations and the fears that might come with imbalances between countries.
Naturally, it’s going to need tact.