(March 21st) The G7 nations have a big stake in creating a stable and secure cyberspace, in the public and private spheres. Accordingly, The Boston Global Forum, as part of its BGF-G7 Summit Initiative, proposes:
I. That the G7 nations encourage adoption of norms set forth by the G20, the United Nations’ Group of Government Experts (GGE) and The Boston Global Forum’s Ethics Code of Conduct for Cybersecurity (ECCC).
1. Key G20 norms:
- Nation-state conduct in cyberspace should conform to international law, including the U.N. Charter.
- No country should conduct or support cyber-enabled intellectual-property theft.
2. Key GGE norms:
- No country should intentionally damage the critical infrastructure of another state or otherwise impair infrastructure that serves the public and the damage to which would undermine rights guaranteed by the U.N. Declaration of Human Rights.
- No country should impede the response of Computer Security Incident Response Teams (CSIRTs) to cyberincidents, nor should CSIRTs be used to create cyberincidents.
- Countries should cooperate with requests from other nations to investigate cybercrimes and mitigate malicious activity coming from their territories.
3. Key ECCC norms:
- Countries should not establish or support policies or actions harmful to a safe cyberspace.
- Countries should not engage in the unlawful taking of the assets, including confidential information, of private individuals or organizations.
- Nations should not use cyberspace to wrongly damage the reputation of other nations, organizations or individuals.
II. G7 nations should engage hardware and software vendors to develop cybernorms, following the six guidelines in the Microsoft report titled “International Cyber-Security Norms: Reducing Conflict in an Internet-Dependent World.”
- Countries should not target information and communications technology (ICT) companies to insert vulnerabilities (“backdoors”) or take action that would undermine public trust in products and services.
- Countries should have a clear principle-based policy for reporting product and service vulnerabilities that includes a strong mandate to report them to vendors rather than keeping them secret for possible future aggressive or mercenary purposes.
- Countries should exercise restraint in developing cyberweapons and should ensure that any that are developed are limited, precise and not reusable by a third party.
- Countries should commit to nonproliferation of cyberweapons.
- Countries should limit their engagement in cyberoffensive operations to avoid creating very dangerous mass events.
- Countries should assist private-sector efforts to detect, contain, respond to and recover from events in cyberspace.
III. The G7 nations should develop these cyber risk-reduction measures:
- Create domestic threat-reduction centers equipped with secure communications with other such national centers.
- Assess and improve the cybersecurity of national critical infrastructures.
- Take steps to reduce the number of domestic compromised computers, particularly those that have been marshalled into botnets.
- Improve domestic cybersecurity through advisory and legislative measures.
IV. The G7 nations should identify, publish and promote these “best practices” in cybersecurity:
- Transitioning from username/password for user access to more secure methods, such as biometrics and/or two-factor authentication.
- Establishing structures that are more secure than those of open architecture networks, such as compartmentalized-data networks and “zero-trust” networks.
- Creating regulations that incentivize standard-setting organizations to strengthen cyberdefenses and promote safe practices. The weakest links in the cybernetworks of G7 countries are people operating with inadequate information, understanding and discipline.
- Developing regulations to impose quality standards on the fast-growing cyberinsurance industry. Some firms in this area are marketing products and services that offer far less than the claimed level of protection.
V. The G7 nations should support cybersecurity capacity building in developing countries.
Secure networks would let developing countries become economically and socially successful more quickly and efficiently by reducing costs resulting from cybercrime, including cyberespionage.
- Bloom, Les and John E. Savage. “On Cyber Peace.” The Atlantic Council, August 2011, accessed 3/4/16. http://www.atlanticcouncil.org/images/files/publication_pdfs/403/080811_ACUS_OnCyberPeace.PDF
- Boston Global Forum. “Ethics Code of Conduct for Cyber Peace and Security,” 12/02/15, accessed 3/14/16. https://bostonglobalforum.org/2015/11/the-ethics-code-of-conduct-for-cyber-peace-and-security-eccc-version-1-0/
- Nicholas, Paul. “Six Proposed Norms to Reduce Conflict in Cyberspace.” 1/20/15, accessed 3/4/16. http://blogs.microsoft.com/cybertrust/2015/01/20/six-proposed-norms/
- Painter, Christopher. “G20: Growing International Consensus on Stability in Cyberspace.” State.gov, 12/3/15, accessed 3/5/16. https://blogs.state.gov/stories/2015/12/03/g20-growing-international-consensus-stability-cyberspace
- Valeriano, Brandon and Ryan C. Maness. “The Coming Cyberpeace: The Normative Argument against Cyberwarfare.” Foreign Affairs. 5/13/15, accessed 3/3/16. https://www.foreignaffairs.com/articles/2015-05-13/coming-cyberpeace