Increasingly worried about criminal hacking and state-on-state electronic warfare, governments are rushing to come up with cyber security strategies.
But with the Internet crossing borders and empowering non-state groups from criminals to activists, nation states appear to be inherently stuck behind the curve.
Policymakers acknowledge to a greater degree that existing legal and government structures are struggling to keep up with the information revolution and need more international agreement that also wraps in the private sector, Reuters reports.
In recent weeks, a string of major companies including Sony, Google, Nintendo, Lockheed Martin and now Citigroup have come under hacking attacks, some believed to be criminal and others tentatively linked to government intelligence agencies.
But since tracing the attacks definitively is all but impossible, framing a policy response is difficult.
“The nature of cyberspace is borderless and anonymous,” Shri R. Chandrasekhara, secretary of India’s telecommunications department, told a cyber security conference in London last week organised by a U.S.-based think tank, the EastWest Institute. “Governments, countries and law — all are linked to territory. There is a fundamental contradiction.”
Other speakers at the event also agreed their countries were only just beginning to think through the implications.
“We are feeling our way in what is largely new and unknown territory,” said Tim Dowse, director of cyber policy at Britain’s Foreign and Commonwealth Office.
So far, the United States, Britain and several other countries have published national strategies on cyber security and are channelling billions of dollars into both offensive and defensive technology. Some experts talk of a cyber arms race that could end with a devastating conflict in which countries attacked each other’s essential systems.
There are a host of complexities. If cyber attacks and hacking attempt to pass through multiple countries — as they almost invariably do, which government and jurisdiction is responsible for investigating, if any?
WHAT ABOUT COMPANIES?
Private companies — often multinationals over which governments may have particularly limited influence — control most of the systems that run the Internet.
They also run much of the critical infrastructure that could be targeted in the sort of cyber sabotage apparently seen against Iran’s nuclear programme last year. Many firms complain that current, nationally-based systems are simply not enough.
They want broad global standards to regulate data storage and theft, provide sanction against cyber criminals and perhaps even constrain the activity of states.
“The current range of national strategies and policies doesn’t really help international companies,” said Martin Sutherland, CEO of BAe (BAES.L) subsidiary Detica. “We want airline-style international standards.” Exactly what an international system might look like is far from clear. Some countries and groups want sweeping international agreements along the lines of nuclear or biological weapon treaties — but that could take years.
The priority, the United States says, is to build some international consensus relatively quickly.
That could mean setting down some basic principles, such as that countries are legally responsible for investigating attacks that appear to have come through their territory.
But some believe governments and legal systems themselves may be on the brink of losing what limited control they have over information and systems even on their own territory.
Last month, several British celebrities who had taken out expensive London court “superinjunctions” to gag media outlets reporting certain aspects of their private lives found themselves identified anyway on Twitter.
CYBER PEACE TREATY?
Thousands of users were openly flouting the court orders, making it impossible to take action against them all. Meanwhile, file-sharing websites that disseminate free music and videos regardless of copyright undermine intellectual property law.
Despite its “great firewall,” China has also struggled to prevent online dissent littering website and message boards.
As ousted Egyptian President Hosni Mubarak found to his cost, even shutting down the Internet can be too little, too late — and comes with colossal political, economic and diplomatic costs.
Thrown into the mix are a handful of non-state groups — such as Anonymous, which targeted websites such as MasterCard they believed were implicated in attempts to block WikiLeaks — willing to mount their own cyber attacks. Analysts say militant groups such as Al Qaeda may adopt similar tactics.
Then there are semi-independent hackers in Russia or China who security experts believe state authorities may ignore, providing they only attack abroad and occasionally help the state obtain information or target adversaries.
The nightmare scenario is that a damaging cyber attack by a non-state actor — for example, one that hit essential systems such as water or air traffic control — might be misidentified as coming from a state — and sparks armed conflict.
“It gets talked about a lot and in fairness I think it is a risk,” the U.S. State Department coordinator for cyber issues, Christopher Painter, told Reuters last week. “The way to make sure that never happens is to make sure the countries have close relationships and connections in place. I think those structures need to be improved and we are working on that.”
But to really safeguard cyberspace — if such a goal is even feasible, which many doubt — may require going well beyond national agreements. While it might be years or more away, some envisage a truly inclusive “cyber peace treaty.”
“We all know if there is another world war it will take place in cyberspace,” said Hamadoun Toure, secretary general of the International Telecommunications Union. “A cyber peace treaty would be one of its kind. It would have to bring governments, the private sector and even individuals.”