Still initializing: Global laws against malicious online activity
By Amit Roy Choudhury
A Digital Geneva Convention with the private sector playing a stronger role would mark an important step forward, writes Amit Roy Choudhury.
While there is hope that a cure for Covid-19 will soon be found, the same cannot be said about online criminal activity, which has gone up exponentially over the past decade.
Multilateral efforts under the United Nations (UN) auspices have been going on for almost 20 years to finalise international norms and laws against cyber-crime. However, there is still no light at the end of the tunnel, even as the world becomes hyper-connected.
The menace of online criminal activity is evident even during the current pandemic. According to a recent study by INTERPOL, cybercriminals have made a significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure during this Covid-19 period.
INTERPOL also notes that with organisations deploying remote systems and networks to support staff working from home, cybercriminals are taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.
Even before the pandemic, cyber-attacks have become increasingly sophisticated, frequent and dangerous. In 2017, the WannaCry and NotPetya ransomware attacks affected millions of computers and brought many organisations to a standstill. WannaCry, for example, shut down as many as 16 hospitals in the United Kingdom; almost bring the public healthcare system of that country on its knees. Apart from these two high-profile attacks, networks of some of the largest companies in the world have been breached and valuable data stolen.
An estimate by Cybersecurity Ventures peg the losses from cybercrime at US$6 trillion annually by 2021, up from US$3 trillion in 2015. That would make cybercrime more profitable than the global trade of all major illegal drugs combined.
Reactive defence
While cyberattacks have grown in sophistication, the quality of network defence has also gone up significantly, especially with the use of artificial intelligence (AI) and cloud-based cybersecurity. However, the point that is often overlooked is that even with the best network defence, companies and even countries are just in a reactive mode.
Cybercriminals, some even backed by governments, can probe network defences as many times as they want without fear of consequences. The defenders have to thwart every single attack. Hackers need to get luck only once while the cyber-defence has to have a 100 per cent success record. This is virtually impossible to achieve which is why the news cycle is full of reports of highly regarded companies and, in one recent case, even the US military, having their networks breached.
Multilateral agreements backed by a legal framework that ensures the perpetrators are caught and punished irrespective of which country they are operating from is the only deterrent that will work in curbing cybercrime. Unfortunately, it has almost become like a Waiting for Godot moment for such an agreement to be signed.
It is not that efforts have not been made to develop a broad consensus and protocols of responsible online behaviour. The UN Group of Governmental Experts (GGE), for example, was set up to establish agreed norms of responsible state behaviour in cyberspace by consensus. The GGE has met three times, in 2010, 2013, and 2015.
Separately and in principle, all countries at the UN have agreed to 11 broad norms of cyber behaviour. The norms are meant to complement international law and include things like states should not attack critical infrastructure of another country using Infocomm Technology (ICT). There is also a pledge that nations would not knowingly allow their territory to be used for internationally wrongful acts using ICTs.
An agreement on first principles is always easy to achieve, and these 11 norms are nothing but that. The GGE meetings ran into problems when efforts were made to codify acceptable state behaviour. That is because the issue goes much beyond just a law and order.
The dirty little secret of the cyber world is that it is not only criminals who use ICT to cause harm and steal information. Increasingly, the cyber domain is a place where countries are contesting for dominance. This has led to a domino effect and all nations have strengthen their cyber capabilities for both defence as well as offence. For example, Singapore has recognised the cyber domain as a possible future arena for warfare just like land, air and water. The Republic is not the only country which has done so.
Causing more damage
In any hyper-connected world, cyber attacks can cause more damage than warships and fighter plane. Crippling critical infrastructure of another country, like public utilities, even for a short while can cause social unrest and chaos and paralyse governments. The targeted spreading of fake news through social media can also cause unrest and even riots in certain nations.
ICT has become a powerful tool in the hands of governments. Many use these tools for espionage and for the stealing of Intellectual Property (IP). This makes it hard to set up a binding multi-lateral agreement which is the intent of the UN negotiations.
Efforts to take forward the work done by GGE up to 2015 did not make any headway when it was convened again in 2016-2017. The major stumbling block was that countries differed on what was the relationship between cyber conflict and the well-established laws of armed conflict.
One group of nations wanted to concentrate the GGE work on the rules around cyber operations in the context of laws of armed conflict while another group wanted to concentrate on developing rules that prevented a cyber-conflict in the first place.
At first glance it would seem that both approaches are reasonable and sound and should not be a cause for disagreement. However, the fact that this was a stumbling block, illustrates the difficulty in developing a multilateral convention of cyber-behaviour similar to, say, the Law of the Seas Convention (LOSC). As the digital economy grows, each country or grouping is trying to ensure that what they think are their core interests are not compromised by any binding treaty.
It’s not just the UN which has been trying to build a multilateral agreement on cyber-behaviour. The private sector has also come forward with a number of initiatives. One of them is the call by Microsoft President, Brad Smith, for a Digital Geneva Convention in 2017.
Such a convention, if established, would mark an important step in the fight against cyber-crime. Under such a convention private sector companies would take a stronger role in defining matters of human rights and humanitarian protection in the digital age.
There is no guarantee of when or if a broad multi-lateral framework of responsible cyber behaviour will be developed. Till such time, the only recourse for countries is to strengthen cyber defence and increase cooperation with like-minded nations.
Capacity building is important and the Asean-Singapore Cyber Centre of Excellence, is a good example of multi-lateral cooperation. The ASCCE is an extension of the ASEAN Cyber Capacity Programme (ACCP) launched in 2016. Singapore also has signed bilateral agreements on cybersecurity cooperation with a number of countries. As the nation with the best cybersecurity expertise in the region, Singapore is doing its best to share its expertise with other countries.
While such cooperation helps, particularly for those nations with limited expertise in cyber-defence it does not solve the larger issue of curbing malicious cyber-activity. A solution needs to be found fast as otherwise the nature of the Internet could change and there has already been talk of like-minded countries erecting barriers within the worldwide web (WWW) to keep those that are perceived to be “bad actors”.
It will indeed be unfortunate if firewalls and physical barriers come up in the Internet. However, there is also a limit to patience with annual losses in the region US$6 trillion due to cyber-crime. This figure will only grow larger as time goes by.
Waiting for Godot is not an option for global cyber laws.
Amit Roy Choudhury, a media consultant, and senior journalist, writes about technology for GovInsider.