Cyber-Security: International Controls and Standards

Commentary, 8 March 2011
Domestic Security, Global Security Issues, International Institutions, Technology
William Hague's speech at the Munich Security Conference highlighted the importance of cyber-security in international relations, and raised questions of an appropriate international response to the increasingly viable threat.

By John Bassett and David Smart for RUSI.org

Cyber Monitoring
US Navy Information Systems Tech. 2nd Class Ryan Allshouse uses the intrusion detection system (IDS) to monitor unclassified network activity from the automated data processing workspace aboard aircraft carrier USS Ronald Reagan. Courtesy of the US Department of Defense.

The emergence of international and supranational bodies and the evolution of informal international standards through commercial dominance notwithstanding, it is likely that the nation-state will remain the central organizing unit for international governance across the early decades of the twenty-first century. There are several reasons why governments would want to establish effective international norms for cyber-security:

  • To promote a rules-based approach to global problem-solving;
  • To ensure that international norms are representative, balanced and effective;
  • To enhance operational effectiveness, for example by near-real-time sharing of situational awareness information to improve network defence.

The range of fora through which international norms might be established is extensive:

  • The UN and associated arms control bodies, such as the Conference on Disarmament;
  • The UN and associated technical authorities, such as the International Telecommunication Union;
  • International leadership fora such as the G20 and G8;
  • Regional alliances and partnerships such as NATO and the EU;
  • Security partnerships such as the UKUSA Agreement between the US, the UK, Australia, Canada and New Zealand;
  • Law enforcement bodies such as Interpol and the Financial Action Task Force.

It is helpful to consider the areas for potential agreement as broadly divided into two tiers:

  • The cyber-warfare tier, covering both strategic arms control and also arrangements for shared operational effectiveness. This tier is primarily about states agreeing the ground rules for how these technological developments will affect the way they interact.
  • Shared standards of governance. This tier is about states' common handling of individuals and organisations within their own jurisdiction. These standards have important strategic implications, for example for the security of critical national infrastructure.

Cyber-Warfare Agreements and Control

Cyber-warfare and the development of related weapons might provide two discrete opportunities for agreement in the areas of arms control and shared operational effectiveness. In our view, cyber-warfare control regimes should not be considered as fundamentally different from other control regimes for weapons of mass effect. Cyber-warfare may now be considered new and complex, but so once were all new weapons systems. Other arms controls arrangements, for example nuclear, suggest that cyber-warfare negotiations may be characterized by a series of limited agreements achieved over a considerable period of time, rather than a single, all-encompassing solution. There is a need to accept that even partial success is worthwhile.

Given the expected rapid evolution of future cyber-warfare systems, it may make best sense to focus negotiations on limiting collateral damage and humanitarian impact between international signatories rather than attempting to regulate weapons systems internals. A real challenge for advocates of cyber-arms control lies in confidence-building. Traditional arms control regimes rely on inspection for verification and the possibility of punitive sanctions for transgressors. The ease with which cyber-weaponisation could be concealed and the problems of dual use form a significant challenge to verification. Furthermore, the difficulties of reliable attribution might well hamper the application of punitive sanctions. In such an environment an incremental approach emphasizing gradual, small-scale agreements may be the best way to build confidence.

The prospects for early progress in the implementation of co-operative measures across existing regional and security alliances appear encouraging, particularly where effective existing arrangements such as the NATO alliance and the UKUSA Agreement form the basis for co-operation on cyber. Other potential areas for co-operation may include:

  • Information-sharing, to gain improved situational awareness for network defence, for example within an alliance such as NATO;
  • Evolution of a joint approach to concepts and doctrine;
  • Better crisis management capability and resilience arrangements across security and regional alliances.

International Governance and Standards

Turning to our second tier, the possibility of shared standards of governance, areas for agreement could include:

  • Fighting the activities of criminals and terrorists in cyberspace, ranging from work against botnets to preventing a terrorist cyber-attack on critical national infrastructure;
  • Preventing industrial espionage of the kind Hague described in his speech, whether state-sponsored or otherwise;
  • Creating a healthy and ethical international environment for online business;
  • Supporting the commitment of all UN member-states to freedom of speech and civil liberties. This may sound idealistic, but it is worth bearing in mind the Helsinki accords, which resulted in improved conditions for individuals and acted as a catalyst for strategic change.

The important thing is to start with what is currently achievable. One potential model for implementation is that of the Financial Action Task Force in the area of financial crime. Characteristics of this model include:

  • Agreement of like-minded founding states;
  • Preferable arrangements within or sponsored by an existing framework such as the G20;
  • Implementation of agreed standards resulting in accreditation that demonstrates the state is a responsible member of the global community;
  • Non-member states see accreditation as desirable because of the political and particularly economic and commercial advantages.

Measures that might be mandated as part of an agreement include:

  • Criminalisation of certain behaviours;
  • Creation of civil liabilities;
  • Protection of rights and liberties of individuals and organisations;
  • Most importantly, the removal of legal and administrative obstacles to effective action, both by government and the private sector.

In summary there are, in our view, good prospects for early progress in agreeing common standards of behaviour within signatory jurisdictions that uphold civil liberties, promote healthy and ethical online business and work effectively against e-crime. Likewise, where existing security structures such as NATO are used, there can be quick and effective progress to enhance operational effectiveness in areas such as network defence. Progress on strategic arms control of cyber weapons will be more difficult, and agreements may be hard-won, but now is the time to begin.

John Bassett OBE is Associate Fellow for Cyber-Security at RUSI

David Smart is an independent consultant specialising in financial and e-crime
