French President Emmanuel Macron launched an initiative during the Paris Peace Forum last November calling for international standards on cybersecurity and cyber warfare. More than 50 nations signed the Paris Call for Trust and Security in Cyberspace, but with a number of key players refusing to participate, the endeavour has been called into question.
We asked international cybersecurity experts if such an agreement could be meaningful if it is not legally binding. And if not, what can nations and major tech companies do to contribute to better global cybersecurity?
RUSI: bridging the East-West gap
There is a disconnect between what are broadly conceptualised as the West and the East in how we should manage cybersecurity issues in the future. The western view is we have international humanitarian law, which deals with conflict and that should be a sufficient prism through which we can deal with issues surrounding cyberspace.
The problem with that is Russia and China don’t accept that. The interpretation of international humanitarian law through the Tallinn Manual [an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare] is that it is effectively produced by NATO. That leads the Russians to say: well you would say that, wouldn’t you? Therefore you have this Russian – and supported by the Chinese and others – cry for a new approach.
If we could get the UN Group of Governmental Experts (GGE) back engaged, that would be really good. In 2017 the GGE reached an impasse because Russia and China put a proposal in for an international treaty and the US and the UK, in particular, refused to have a conversation about it.
We have got to find mechanisms by which we talk, agree and sign. Even if those agreements don’t bring about instant results, it’s about our understanding of what we find acceptable and unacceptable and the establishment then of norms of behaviour, from which you have the potential to start binding legal agreements and understandings.
Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute
Airbus: start with your neighbours
Although this and other UN initiatives could take years to come to fruition, the balance of risks vs rewards is steadily tipping towards a system of rules for at least some nations, especially if this had geopolitical advantages mirrored in other economic and military ties.
A formal cybersecurity treaty of this kind would rest as much on its political and symbolic capital as its technical detail.
States need to advocate the need for cyber cooperation instead of cyber warfare. Indeed, states have an obligation to work towards such a treaty to make this happen and to prevent harmful cyberattacks. 2019 could be the year for such an agreement for neighbouring countries.
Markus Braendle, head of cybersecurity at Airbus
Encode: start in your own organisation
I’ve seen the [Paris Call] referred to as a type of cyber Geneva Convention, but it’s more like a worldwide entente cordiale; it’s a good starting point but that’s all it is. These nations – China, US, Russia, etc. – are amongst the most aggressive in cyber warfare and rely heavily on their offensive capabilities, so it’s beneficial for them to maintain the status quo.
Prevention technology only raises the bar on infiltration or exfiltration for cyber criminals and state-sponsored threat actors. Organisations typically have weak or no incident remediation and response plans or lack the capability to respond effectively. A good place to begin that process is red teaming: testing their own capabilities against adversary attacks.
Matt Atkinson, VP of EMEA at Encode
XM Cyber: it lacks teeth
In my mind, this is analogous to declaring a new pact in the automotive industry that excludes Germany, US, Japan, Italy and South Korea. Furthermore, the agreement lacks any real teeth in terms of enforcement or sanctions on members of the pact that are found to be in breach of its core principles. I do not believe this agreement will have any significant impact on the cyber activities of nation states and will serve only as a declarative document.
[What would improve global cybersecurity is] an international agreement for either extradition or prosecution of individuals globally for cyber activities, alongside minimum penalties that can assist in deterring such activities. To be effective, it would have to include countries that are many times the source of cyber-attacks and should be legally binding such that private organisations in involved countries shall be obligated to share materials required for an investigation.
Adi Ashkenazy, VP of product at XM Cyber
Vectra: it won’t work with US, Russia and China
Any pact on cybersecurity simply cannot work without the participation and commitment from the countries with the most highly developed cyber warfare operations like the US, Russia, and China.
The fact that the countries where most cyberattacks originate from globally haven’t signed up shows that nowadays advanced economies have cyber as part of their arsenal. Of course, there are differences in how these cyber capabilities are used: from the pursuit of legitimate – or at least generally widely-tolerated – national goals, to more economically motivated attacks often attributed to eastern geographies as state-sponsored, or from a well-established, motivated cybercriminal.
Whilst ethical behaviour and the acceptance of operating norms are important, as an ever-morphing challenge, cybersecurity is best addressed through innovation and education. People need to be helped and empowered to identify cyber risks and respond appropriately. That holds true for governments, businesses, and individuals alike.
Matt Walmsley, EMEA director at Vectra
Virtru: data protection is a human right
Even though it is not formally binding, the Paris Call is extremely important as it outlines global cyber norms – rules of the road for appropriate behaviour in cyberspace – that are compatible with democratic values. At a time when digital authoritarianism continues to spread and is adopted by both state and non-state actors, the Paris Call offers an alternative narrative that aims to decrease escalation of conflict and other destabilising activities such as hacking back and digital election interference.
The Paris Call is aspirational and part of a growing global movement for data privacy, and in that regard it does have teeth. For instance, Cisco wrote a blog noting their advocacy of a US federal data privacy regulation which would provide the incentives to protect data, and outlines data protection and privacy as a human right.
This framing of data protection as a human right – as advocated by democracies – in contrast to the authoritarian framework of government control of data will shape the future of the internet, and tech companies must advocate through their governments to ensure the impending wave of data privacy regulation also promotes innovation and provides the necessary incentives and capabilities for individuals and organisations to counter the growing threat to data privacy and cybersecurity.
Andrea Little Limbago, PhD, chief social scientist at Virtru
Outpost 24: defending against digital espionage
The political value is that we start acknowledging these actions as disruptive and not an accepted peace-time action against other nations. The traditional espionage is now moving to a “new” arena with a decreased risk to operatives. It is cost-efficient and it will not stop for the foreseeable future.
We will not get rid of the problem with paperwork. What we can do is to keep building defence in depth and begin setting a foundation for applying political pressure when hostile actions are detected.
Security comes not from asking an enemy not to strike. Instead, it comes from being prepared while designing stable, robust and maintained systems and infrastructure. It is a very strange situation where, on the one hand, we are talking about a truce, while on the other, security is so lax that default passwords printed in the manual get you into military or critical infrastructure systems.
While the discussion to formulate a truce to stop government-state actors from carrying out hostile actions continues, the very least we can do is ensure that the most basic protection for our digital assets is carried out.
Martin Jartelius, CSO at Outpost 24
NETSCOUT: private sector cooperation is key
Something can be meaningful and not legally binding. What strikes me about this agreement isn’t the absence of some countries, so much as the presence of several large tech companies. The internet is mostly private-sector owned and operated, especially in the west, so their participation is very important.
I’d like to see the participants focus more on education and basic cyber hygiene. If we could get people to stop clicking on phishing emails or to install MFA everywhere, we’d be exponentially more secure.
Michael McNerney, product manager for cyber threat intelligence at NETSCOUT, and former cyber policy advisor to the US Office of the Secretary of Defense
Gowling WLG: everyone must take responsibility
Whilst a pact that is not legally binding may not seem quite as compelling – given the potential issues around enforcement – the fact that there are still influential members within the agreement means that their endorsement may encourage others to follow suit and make genuine efforts to improve their domestic cybersecurity efforts. In addition to this, there is at least some pressure on those willing to sign up to the pact to demonstrate improvements in this area.
However, cybersecurity is truly an international issue, given the ability of cybercriminals to operate across borders and infiltrate systems globally, and this creates limitations to the overall effectiveness of a pact not signed by all countries.
The pact in its current state represents some progress, but the onus remains on nations and major tech companies to take genuine responsibility to reduce digital risks. Resilient firewall protection is a given, but a whole host of other measures, such as appropriate data storage methods that meet legal requirements and maintaining a robust digital infrastructure, also need to be considered.
In addition, wider potential weakness points, such as the potential for human error, also need to be guarded against through effective training in quickly recognising the signs of a potential attack.
Helen Davenport, director at Gowling WLG
WatchGuard Technologies: it needs to come from the UN
I suspect a non-legally binding multinational agreement that does not include three of the biggest players – US, China and Russia – will be unlikely to carry much weight, other than exert some pressure from the rest of the world for the ‘big players’ to join the table in cybersecurity negotiations.
That said, I believe it is worth other nations coming together, specifically to pressure all parties into agreeing the cyber rules of engagement. In fact, WatchGuard’s Threat Lab team made a prediction that the UN would pass a cybersecurity treaty covering rules of engagement in 2019. Until such a treaty comes from the UN – with the biggest nations signing up – I don’t think an agreement or treaty will have teeth. For these agreements to have impact, a group of the top nations must agree so strongly to the rules that they’re willing to sanction countries that break them.
We need a multinational cybersecurity agreement no matter what it takes. Incidents like WannaCry and NotPetya have proven that state-sponsored cyber-attacks can have civilian implications and ‘collateral damage’. If the leaders of the world don’t come up with a set of agreed rules of engagement, we could easily find ourselves in a kinetic war. Even if these individual efforts don’t have any immediate teeth, I believe that smaller nations should continue to pressure, goad and embarrass the top three players into joining a cyber-agreement. At the very least, the publicity of these efforts could help get the citizens of reluctant countries to stand up and take notice.
Corey Nachreiner, CTO at WatchGuard Technologies