Cybersecurity Deficits and International Norms by Derek S. Reveron

(June 6th, 2016) International security for the last 30 years has been characterized by security deficits, which I define as a government’s inability to meet its national security obligations without external support. (1)  In the terrestrial world, intra-state, transnational, and regional actors challenge governments’ ability to provide a secure environment for their citizens.

Logo

 

cybersecurity011_16x9

This means Iraq struggles against ISIS, the United States struggles against transnational organized crime, and Ukraine struggles against Russia. While these conflicts are isolated in particular places of the world, the effect of security deficits are felt throughout entire regions. G7 countries have been at the forefront of peace efforts to alleviate problems created by international crises like these. They also provide development and security assistance to weakened governments in an effort to improve stability, strengthen institutions, and protect vulnerable populations. The rationale to assist countries in overcoming their security deficits has been based on the assumption that instability breeds chaos, which would make it more likely that the international community would face pressure to intervene in the future, often at a higher cost in lives and resources.The same is true in the cyber world. Transnational organized criminal groups harness the power of the internet to steal identities and conduct financial crimes; terrorist organizations use cyberspace to recruit fighters and promote their destructive deeds; and countries employ cyber tools for espionage while laying the ground work for military operations in cyberspace. Cyber challenges like these cut across all dimensions where we live and are simultaneously political, economic, and social. More than ever, citizens, regardless of nationality, are exposed to risks created by cyber insecurity. Reinforced by intelligence assessments, polling in the United States places cyber insecurity as a pressing national security challenge.

With persistent vulnerabilities in the software we use and the relative impunity with which states, groups, and individuals operate in cyberspace, we will continue to experience data breaches leading to fraud and intellectual property theft undercutting innovation. Governments, organizations, companies, and individuals can be vermatched by malicious actors. Cybersecurity deficits undercut the benefits citizens derive from the technology we enjoy, and directly affect individuals in ways that past conflicts in distant parts of the world have not affected G7 countries.

At the same time, disclosures about governments’ roles in cyberspace undermine trust and challenge credibility. Information technology companies are pressured to enable governments special access to their products, all the while attempting to comply with different national regulations. Citizens are stuck in the middle feeling that the promises of an open, transparent, and secure cyberspace look bleak.

At the national security level, governments are concerned with Cybergeddon scenarios against critical public infrastructure disabling electricity, telecommunications, and financial services. While Cybergeddon is not inevitable (and represents a wake-up call about cyber insecurity rather than an existential threat), critical sectors have huge incentives to secure their infrastructure. However, as we have seen in other areas, security becomes a cat and mouse game where malicious actors improve rapidly, often outpacing governments abilities to adapt or defend against emerging threats.

This shared insecurity need not be paralyzing, but can be a basis for international cooperation in which G7 governments have important roles to play. Building on the norms that my colleague John Savage outlined, the next steps to improve cybersecurity include:

  1. Convening sub-regional summits to outline the scope of cybersecurity challenges andimprove multilateral efforts to promulgate norms.
  1. Establishing information sharing centers where governments can share threat information, coordinate cybersecurity policies, and implement best practices forgovernments, organizations, companies, and individuals.
  1. Assisting governments in developing countries to strengthen their government networks,improve protection of critical public infrastructure, and educate citizens to raise their security posture improving human capital. There are no borders in cyberspace, and our networks are only as strong as the weakest access point. By promoting cybersecurity norms, enabling cooperation among G7 countries, and assisting developing countries, we all become more secure from actors that place individuals at the forefront of the cybersecurity threat. When thinking about improving security in cyberspace, we should look at how international partners contribute to security in the terrestrial space through cooperative military operations, peacekeeping, and international assistance. These are important norms to replicate in cyberspace as there is a common responsibility to guarantee our citizens a minimal level of cybersecurity.

Since cyberspace is a reflection of G7 countries’ values and corporations in G7 countries dominate the information technology space, G7 countries are well placed to lead the world on establishing cyber norms to improve cybersecurity.

Derek S. Reveron (2)  May 9, 2016

U.S. Naval War College and Belfer Center for Science and International Affairs

(1) Derek S. Reveron, Exporting Security: International Engagement, Security Cooperation, and the Changing Face of the US Military, Second Edition (Washington, DC: Georgetown University Press, 2016).

(2) The views expressed here are the author’s alone and do not represent the official position of the Department of the Navy, the Department of Defense or the U.S. government.