10.07.2015 Views

BF-FieldManual-FEB13 -3.pdf - Bertelsmann Foundation


socialized, i.e. there is a tacit expectation that the government will cover the cost of the fallout from an attack.

c) Inculcate a multi-stakeholder governance approach: The governance role once dominated by state actors is shared by the private sector online. A multi-stakeholder environment makes treaty enforcement difficult. The decentralized governance of the Internet means that governments are but one actor at the table determining the law of the cyber frontier.

The culture of shared governance between US and EU authorities on the one hand and the ecosystem of industry, NGOs and hacker communities on the other should be improved, particularly at the multilateral level. While the US and most European member states have well-worn consultation with the private sector, universities and NGOs relevant to cyber security policy, NATO and the EU, in particular, remain weak in these areas. Many of the major private-sector entities susceptible to attack are essentially trans-Atlantic in nature. And while the US and Europe will never develop the kind of quasi-paramilitary relationship with their hacker communities that some authoritarian governments have, it is important for both to be aware of the human capital that could be of use in a cyber attack. In particular, the US should encourage the EU to take stock at both the national and European levels and reach out to these informal networks for their own defense and resilience purposes.

The setting and enforcing of high “cyber hygiene” standards is paramount. Since due diligence and avoiding individual human error play such an important role in protecting against attack, efforts to raise threat awareness must penetrate to the most grassroots level of businesses and local communities.

The US and EU should work together with the private sector across the board to negotiate appropriate intermediary roles for industry, focusing on disclosure and data protection. These discussions should be nuanced and recognize differences across sectors. A mix of compulsory and voluntary protocols and best practices, including clearly defined benchmarks, could lower liability risk and create an active two-way partnership.

2. Maintain an open, inclusive and user-responsible environment for shaping governance norms:

The playing field of Internet governance is shifting rapidly. Europe is increasingly recognizing that maintaining a multi-stakeholder model for Internet governance centered at the Internet Corporation for Assigned Names and Numbers (ICANN) will yield more open, transparent and democratic outcomes than alternative models centered at the UN. Since its inception, ICANN has been a custodian of IP numbers, the DNA of the Web. It has continued to be a respectable steward, taking advantage of the relatively open and entrenched legal tradition in the US and well-established norms for its activity. The US and Europe should promote an active role by ICANN’s Government Advisory Council (GAC) and look for ways to get vested state, civil society and private-sector actors involved.

The US should continue to make the case that an outcome-centric model for domain issuance remains best served by ICANN’s current governance and oversight structure. That said, the US and Europe should jointly bolster the consultative role of the GAC and the UN’s Internet Governance Forum (IGF), especially to include non-state actors from underrepresented and repressive states as well as looking to the normative shaping role that the Council of Europe, OECD and OSCE can play.

3. Recast the discussion on attribution:

The US and Europe should shift away from attribution at the granular level and instead reframe informal international discussions about states’ responsibility for massive cyber attacks conducted by non-state actors originating from their sovereign territory. The challenges of attribution make attempts at establishing the source of an attack of little value when shaping policy. The EU, in particular, has been slow to accept its role in defending against state-based or -sponsored attacks.

While attribution continues to be problematic, especially given the circuitous nature of botnets used to deploy attacks, monitoring of ISPs and packet sniffing is standard in many countries from whose territory cyber incidents. In Russia, for instance, SORM legislation already gives the state sweeping authority to monitor online activity. When an attack occurs, a state’s relation to it usually falls into one of three broad categories: ignorance or a permissive environment, an abetting environment or active participation. 21

Together the US and Europe should open up discussions on norms centered around gradations of responsibility. States that allow their cyber territory to be used as a safe haven for malicious activities (cyber crime, espionage or attack) should be held accountable in the same way they are expected to prevent physical territory from serving as a safe haven for terrorists. 22 Given the available regulatory and law enforcement instruments with which to police it, cyber space cannot be seen as a vacuum for which states are not responsible.

At the same time, the US and Europe should make clear that they will not accept the pretense of action against cyber attackers and criminals as a justification for crackdowns on Internet freedom. 23 As is often the case with anti-terrorism policy, regimes in China and Russia, among others, have tried to equate criminal activity—online property theft, disruption and destruction—with political speech and government opposition.

4. Encourage the EU and member states to develop cohesive cyber policy coordination and clear international representation:

In recent years, responsibility for US policy in the three areas outlined here has become more clearly defined. Classical cyber offensive and military defensive capability is centered at the Pentagon.

Cyber Security 47
