Global security and stability are increasingly dependent on digital security and stability. The scope of threats is growing. Cyber capabilities are developing, becoming more targeted, more impactful on physical systems and more insidious at undermining societal trust.
“Cyber attacks” and “massive data fraud and theft” have ranked for two years in a row among the top five global risks listed by the World Economic Forum (WEF).152 More than 80% of the experts consulted in the WEF’s latest annual survey expected the risks of “cyber-attacks: theft of data/money” and “cyber-attacks: disruption of operations and infrastructure” to increase yearly.153
Three recent examples illustrate the concern. In 2016, hackers stole $81 million from the Bangladesh Central Bank by manipulating the SWIFT global payments network.154 In 2017, malware called “NotPetya” caused widespread havoc – shipping firm Maersk alone lost an estimated $250 million.155 In 2018, by one estimate, cybercriminals stole $1.5 trillion – an amount comparable to the national income of Spain.156
Accurate figures are hard to come by as victims may prefer to keep quiet. But often it is only publicity about a major incident that prompts the necessary investments in security. Short-term incentives generally prioritise launching new products over making systems more robust.157
The range of targets for cyber-attacks is increasing quickly. New internet users typically have low awareness of digital hygiene.158 Already over half of attacks are directed at “things” on the Internet of Things, which connects everything from smart TVs to baby monitors to thermostats.159 Fast 5G networks will further integrate the internet with physical infrastructure, likely creating new vulnerabilities.160
The potential for cyber-attacks to take down critical infrastructure has been clear since Stuxnet was found to have penetrated an Iranian nuclear facility in 2010.161 More recently concerns have widened to the potential risks and impact of misinformation campaigns and online efforts by foreign governments to influence democratic elections, including the 2016 Brexit vote and the American presidential election.162
Other existing initiatives on digital security
The Paris Call for Trust and Security in Cyberspace is a multi-stakeholder initiative launched in November 2018 and joined by 65 countries, 334 companies – including Microsoft, Facebook, Google and IBM – and 138 universities and non-profit organisations. It calls for measures including coordinated disclosure of technical vulnerabilities. Many leading technology powers – such as the USA, Russia, China, Israel and India – have not signed up.173
The Global Commission on Stability in Cyberspace, an independent multi-stakeholder platform, is developing proposals for norms and policies to enhance international security and stability in cyberspace. The commission has introduced a series of norms, including calls for agreement not to attack critical infrastructure and non-interference in elections, and is currently discussing accountability and the future of cybersecurity.
The Global Conference on Cyberspace, also known as the ‘London Process’, is a series of ad hoc multi-stakeholder conferences held so far in London (2011), Budapest (2012), Seoul (2013), The Hague (2015) and New Delhi (2017). The Global Forum on Cyber Expertise, established after the 2015 Conference, is a platform for identifying best practices and providing support to states, the private sector and organisations in developing cybersecurity frameworks, policies and skills.
The Geneva Dialogue on Responsible Behaviour in Cyberspace provides another forum for multi-stakeholder consultation.
The Cybersecurity Tech Accord and the Charter of Trust are examples of industry-led voluntary initiatives to identify guiding principles for trust and security, strengthen security of supply chains and improve training of employees in cybersecurity.174
Compared to physical attacks, it can be much harder to prove from which jurisdiction a cyber-attack originated. This makes it difficult to attribute responsibility or use mechanisms to cooperate on law enforcement.163
Perceptions of digital vulnerability and unfair cyber advantage are contributing to trade, investment and strategic tensions.164 Numerous countries have set up cyber commands within their militaries.165 Nearly 60 states are known to be pursuing offensive capabilities.166 This increases the risks for all as cyber weapons, once released, can be used to attack others – including the original developer of the weapon.167
As artificial intelligence advances, the tactics and tools of cyber-attacks will become more sophisticated and difficult to predict – including more able to pursue highly customised objectives, and to adapt in real time.168
Many governments and companies are aware of the need to strengthen digital cooperation by agreeing on and implementing international norms for responsible behaviour, and important progress has been made especially in meetings of groups of governmental experts at the UN.169
The UN Groups of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security have been set up by resolutions of the UN General Assembly at regular intervals since 1998. Decisions by the GGE are made on the basis of consensus, including the decision on the final report.170 The 2013 GGE on Developments in the Field of Information and Telecommunications in the Context of International Security agreed in its report that international law applies to cyberspace (see text box).171 This view was reaffirmed by the subsequent 2015 GGE, which also proposed eleven voluntary and non-binding norms for states.172 The UN General Assembly welcomed the 2015 report and called on member states to be guided by it in their use of information and communications technologies. This marks an important step forward in building cooperation and agreement in this increasingly salient arena.
DIGITAL COOPERATION ON CYBERSECURITY
The pace of cyber-attacks is quickening. Currently fragmented efforts need rapidly to coalesce into a comprehensive set of common principles to align action and facilitate cooperation that raises the costs for malicious actors.175
Private sector involvement is especially important to evolving a common approach to tracing cyber-attacks: assessing evidence, context, attenuating circumstances and damage. We are encouraged that the 2019 UN GGE176 and the new Open-Ended Working Group (OEWG)177 which deal with behaviour of states and international law, while primarily a forum for inter-governmental consultations, do provide for consultations with stakeholders other than governments, mainly regional organisations.
In our Recommendation 4, we call for a multi-stakeholder Global Commitment on Digital Trust and Security to bolster these existing efforts. It could provide support in the implementation of agreed norms, rules and principles of responsible behaviour and present a shared vision on digital trust and security. It could also propose priorities for further action on capacity development for governments and other stakeholders and international cooperation.
The Global Commitment should coordinate with ongoing and emerging efforts to implement norms in practice by assisting victims of cyber-attacks and assessing impact. It may not yet be feasible to envisage a single global forum to house such capabilities, but there would be value in strengthening cooperation among existing initiatives.
Another priority should be to deepen cooperation and information sharing among the experts who comprise national governments’ Computer Emergency Response Teams (CERTs). Examples to build on here include the Oman-ITU Arab Regional Cybersecurity Centre for 22 Arab League countries,178 the EU’s Computer Security Incident Response Teams (CSIRTs) Network,179 and Israel’s Cyber Net, in which public and private teams work together. Collaborative platforms hosted by neutral third parties such as the Forum of Incident Response and Security Teams (FIRST) can help build trust and the exchange of best practices and tools.
Digital cooperation among the private sector, governments and international organisations should seek to improve transparency and quality in the development of software, components and devices.180 While many best practices and standards exist, they often address only narrow parts of a vast and diverse universe that ranges from talking toys to industrial control systems.181 Gaps exist in awareness and application. Beyond encouraging a broader focus on security among developers, digital cooperation should address the critical need to train more experts specifically in cybersecurity:182 by one estimate, the shortfall will be 3.5 million by 2021.183