Twenty-first century electronic capabilities pose dangers exceeding the current provisions of the UN Charter and the NATO Treaty, these legal instruments need urgently to be updated. Governments, the private sector, and multinational organizations — principally those in the Euro-Atlantic region — must begin an international dialogue focused on enhancing technical and military capabilities, legal frameworks, and collective action adequate to the challenge.
Cyber security has not only been a critical topic on the Douville G-8 summit agenda, but also one of the topics of day, discussed in innumerable forums and diplomatic settings. Whether it is being well- or adequately-discussed is another matter. In large part this stems from the shapeless, elusive character of the subject. Cyber security covers everything from cyber crime to cyber warfare; everything from the mischief an adolescent hacker can do to your and my computer to the risk that skilled individuals — and they need not be many — could from cyber space bring down a country’s power grid, air-control systems, or critical government communications. Ways of dealing with the threat are equally amorphous, including attempts by governments to control what flows over the internet. Many of these create derivative threats — some of them intended. Hence, the problem posed both for civil rights and intellectual property rights. On the latter score, I think the Obama administration is correct to push for international standards intended to mitigate these dangers, and it will be for Russia and China to decide how much government control they are willing to trade off against a stronger, cooperative international regime.
Equally or more serious, however, is the state-to-state dimension of the problem. Here it is crucial that the United States and Russia (and China) take the lead in addressing the threat to critical infrastructure from cyber attack and do so not the least by openly acknowledging the adversarial element inherent in the problem.
There are two sides to the threat at the state-to-state level--that of espionage and that of destruction, and where one blurs into the other is difficult to determine. The first dimension of the problem — espionage — is further complicated by the fact that the same capabilities allowing one state to penetrate the secrets of another are also essential capabilities needed by states to track and penetrate terrorist information networks. Since all three governments are seriously engaged in using cyber space for espionage, it is important that they engage one another on ways to limit and manage trends toward the destructive use of cyber space.
Hence, because twenty-first century electronic capabilities pose dangers exceeding the current provisions of the UN Charter and the NATO Treaty, these legal instruments need urgently to be updated.
Governments, the private sector, and multinational organizations — principally those in the Euro-Atlantic region — must begin an international dialogue focused on enhancing technical and military capabilities, legal frameworks, and collective action adequate to the challenge.
More specifically, what is needed is a more urgent and energetic collaborative effort:
• To develop common definitions of what constitutes an act of warfare and the legitimate use of cyber space for self-defense.
• To standardize criminal legislation within the context of a strengthened Council of Europe Convention on Cyber Crime. Here national legislation needs to be modernized (to address the new level and forms of threat), strengthened (to make penalties proportionate to the threat), and standardized (to create a uniform regime within the Euro-Atlantic region, which in turn can serve as the core of and model for an international regime under UN auspices).
• To encourage the empowerment of an international organization (such as the International Telecommunications Union or an invented institution) with oversight authority to:
o - Promote mechanisms able to provide early warning information, sometimes referred to as “computer emergency response teams,” and then to share this information in real time with all other Euro-Atlantic states.
o - Create an international agency for collecting and disseminating comprehensive information on “best practices” in protecting critical infrastructure, monitoring threats, developing an incidents record, and improving forensic and investigation capabilities.
o -Develop a network of national agencies willing and capable of sharing research and innovation for enhancing the resilience of key internet protocols, particularly, the Border Gateway Protocol, safeguarding the Domain Name System, and improving the security of the router system.
Finally, it would be useful if the new Emerging Security Challenges Division within NATO, as it consolidates its functions, would promote a broader structure by which non-NATO Euro-Atlantic states can join in its work and benefit from region-wide cooperation in this area. As the first step in this direction there should be close cooperation between this agency and the NATO-Russia Council.
