Stasis or Flux? Assessing Progress in Cyberspace Governance

Technicians work at the Recovery Key Laboratory of Sichuan Province after the WannaCry cyber attack. Chengdu, China, May 15, 2017 (Associated Press)

Last month, the United Nations Group of Governmental Experts (GGE) charged with elaborating international norms for the cyber domain concluded their latest meeting. The outcome augurs poorly for those interested in the development, through this multilateral forum, of a broadly accepted, rules-based framework for a still emerging and rapidly evolving sphere.

Discussions broke down when key stakeholders and participants could not reach agreement regarding the applicability of international law to the use by state actors of information and communications technologies, as laid out in “draft paragraph 34” of the group’s report. This agreement was intended to be tendered to the UN General Assembly and failed despite earlier GGE meetings affirming that international law does indeed apply to cyberspace.

With the breakdown of the GGE talks, the United States has made clear that it will move forward nevertheless, working through bilateral channels and “likeminded partners” to build support for parameters of action and standards of behavior in cyberspace. Through this approach, the US aims to raise and impose costs on actors who pose cyber threats. This goal is shared internationally, as patience with the continuing impunity in this arena wears ever-thinner among a significant number of countries. While the suggestion of a US-Russia “cybersecurity partnership” floated after the Donald Trump-Vladimir Putin meeting on the margins of the G-20 summit earlier this month presents a new wrinkle, both that idea and its timing have been derided.

Other governments and entities are also forging ahead in an attempt to come to grips with the prevailing cyber threat ecosystem. The European Union, for instance, is in the process of reviewing its cyber strategy. This exercise has so far pointed to the need for improvement in important respects, such as fostering resilience and countering cybercrime. At NATO, moreover, a multibillion-dollar “tech upgrade” is in the works, to serve multiple purposes including bolstering cyber defense. Individual nation states, too, continue to build their capabilities and update their legislation to reflect cyber exigencies. Canada, for one, has just introduced a bill to this effect.

Cybersecurity is thus clearly entrenched on the global agenda, yet coordinated action remains elusive. In an article published recently in Harvard Business Review—aptly titled “Why is Cybersecurity So Hard?”—Cyber Threat Alliance (a practitioner-driven, threat intelligence-sharing organization) President Michael Daniel identifies multiple responses to the question posed. These include a range of technical and non-technical problems and the underdeveloped nature of surrounding “law, policy, and practice…”

Adding another layer of complexity is the fact that technology may cut both ways, being, at once, the source of both solution and problem. For example, the advent of blockchain technology—which “verifies” and thereby builds “trustworthiness” into transactions—has been heralded as a tremendous advance that can help further cybersecurity in a wide range of critical contexts, from financial services to healthcare to the US national security industrial base. On the other hand, advances in the field of quantum computing—and the associated ability to “subvert…cryptographic algorithms”—are already calling into question the potential for maintaining the integrity of blockchain as a cybersecurity mechanism.

Developments in artificial intelligence (AI) offer another illustration of the “advance but undercut” theme: While AI may exponentially improve the defender’s ability to detect, respond, and deter, it may also be exploited to serve the attacker’s ends as well. For instance, just as AI may help quickly identify and remedy “anomalies” (threat actor activity), it can also be harnessed to make malware “smarter” and more effective in breaching its target’s defenses.

Not everything that undermines or furthers cybersecurity is inherently sophisticated. Basic “cyber hygiene,” if practiced more widely and more consistently, would allow significant progress, with limited resources able to be focused on countering the highest-end threats. This is easy to declare, but apparently not so easy to put into effect, as the recent WannaCry ransomware attack demonstrated. In this case hackers invoked “a hodgepodge of older attack techniques targeted at unpatched systems.” Nevertheless, the May 2017 attack managed to hit hard, “crippling transportation and hospitals globally.”

There will always be intractable cyber threat actors. The challenge is to generate adaptive and effective responses that are infused with the ingenuity and persistence to match, meet, and defeat similarly adaptive and committed adversaries. The requisite attributes may reside in the technology/its application or in a novel approach to a longstanding problem that has migrated from the physical world into cyberspace. The latter is exemplified by Estonia’s (and the world’s) first “data embassy,” which is intended to assure “digital continuity” of the country by means of a bilateral backup agreement with Luxembourg.

The cyber realm is simultaneously marked by both stasis and flux. Even in areas of deadlock, however, workarounds to problems are often in train. And new ways of thinking about ongoing difficulties continue to appear. Consider, for example, a recent proposal put forth by the RAND Corporation to address the challenge of attributing responsibility for attacks through the establishment of a “credible and transparent” international authority. Attribution is an elemental precursor to attaching accountability to the perpetrators of malicious cyber activity.

In short, the iterative nature of developments in the cyber domain is likely to continue to keep both allies and adversaries on their toes moving forward. Bilateral steps, taken cumulatively, can ultimately bring within reach the same ends as would multilateral means. Investing in a careful, patient, and determined effort on this front is the prudent course and should yield dividends, even if they take time to materialize, as matters of governance of the cyber domain will only become more pressing as technology continues to evolve.

Sharon L. Cardash is Associate Director of the George Washington University Center for Cyber and Homeland Security and previously served as Security Policy Advisor to Canada’s Minister of Foreign Affairs.