The land, sea and sky are public spaces, in theory, free to be enjoyed by all. Many of these gifts from Mother Nature, however, have been divided and parcelled – with borders marked out to establish ownership of these spaces. This instils within nations a sense of responsibility, giving them something to defend and secure to ensure continued access to the resources within their borders.

The internet, on the other hand, is more ambiguous. Man-made though it is, the internet has developed a life of its own. Private organisations like cloud providers may each own a slice of the pie. Individual developers who build sites too may call these domains their own. Yet, the sum of its parts is free for all to access, belonging to no one and everyone all at once.

And unlike the land, sea and sky, the jury is still out on how the digital commons writ large is to be defended.

“We cannot defend what we do not hold. Conversely, what we do not own, we feel no obligation to protect,” said Deputy Chief Executive of the Cyber Security Agency of Singapore (CSA), Gaurav Keerthi, during his keynote speech at the Asia Tech x Singapore event in June this year.

Therein lies the question – who is responsible for defending cyberspace?

An international responsibility

International organisations must govern the Internet’s norms, Keerthi said. “Organisations like the United Nations must push for clarity on the norm of international behaviour,” he added.

Countries coming together to jointly manage a common resource is not a new phenomenon. The United Nations Convention on the Law of the Sea (UNCLOS), for instance, is an international agreement detailing the legal framework for all marine and maritime activities. UNCLOS sets the boundaries for sea territories and establishes regulations for key issues like the protection of the marine environment.

Such examples are proof that nations are able to come together as a collective to define the shared responsibility for a safer and more stable cyberspace, Keerthi said.

Work has started to establish voluntary, non-binding norms of responsible behaviour in cyberspace. In 2021, the United Nations’ (UN) General Assembly established an Open-ended Working Group on security of and in the use of information and communication technologies. Since then, the Group has met thrice to discuss how nations and different stakeholders can work together to establish how international law applies in cyberspace.

Topics of discussion included whether there was a need to develop norms governing the responsible use of digital resources as well as the exploration of possible cooperative measures to counter existing and future cyber threats.

But while these norms are in the midst of being implemented and accepted by individual countries, they need to be translated into local laws to be effective.

Security as a national policy

“A lot of the work that we do internationally is only possible because of how seriously we take it domestically,” Keerthi told GovInsider in a separate interview, using Singapore as an example.

Just last year, Singapore launched the Singapore Cybersecurity Strategy 2021, outlining the country’s goals to “actively defend our cyberspace, cybersecurity for end-users, and promote the development of international cyber norms and standards.”

Singapore’s Cybersecurity Labelling Scheme, for instance, serves as a stamp of approval to indicate when a consumer smart device has met basic cybersecurity requirements. Devices eligible for the label will receive one to four stars depending on the level of security they incorporate.

“Consumers are quick to pick the four-star devices over the one-star ones, and avoid zero-star devices,” Keerthi explained. Security becomes a desirable feature, incentivising companies to take the necessary security measures to appeal to consumers.

Such national initiatives can become the foundations for international collaboration and mutually agreed upon cybersecurity standards. Singapore and Finland have entered a partnership to mutually recognise these labels issued by the CSA and the Transport and Communications Agency of Finland.

This doesn’t mean that the government is fully responsible, however. “Just like in the physical world, the police patrol the streets and help to keep it safe. But individual homeowners still have to lock their doors,” Keerthi said.

The role of organisations

“Companies that own tangible assets of the internet should feel responsible and be held responsible for the protection of those products,” Keerthi said.

Yet, many organisations still view cybersecurity as a cost, resorting to spending the least minimum amount of money possible to comply with government regulations.

In reality, the cost is far higher if organisations fail to bolster their defences. The overall cost of ransomware attacks in 2021 was estimated to have exceeded US$20 billion, according to cybercrime magazine Cybersecurity Ventures.

And just as the internet and technology is manmade, it too can be phased out. If systems aren’t sufficiently secure and users lose trust in the technology, it will inevitably fall out of use, costing corporations more in the form of lost customers.

“When people lose trust in those technologies due to safety or security concerns, the digital future that all of us are working hard to create will actually collapse,” Keerthi warned.

In answering the question of who is responsible for securing the internet, Keerthi suggested looking at the net as a patchwork quilt. Today, the quilt has been stitched together somewhat chaotically and was built for functionality rather than security, he said.

To strengthen the quilt, different parties need to play their respective roles. International governing bodies like the UN can design the blueprint, individual nations play the role of tailors, while organisations do their part to ensure each thread and stitch is strong.