Challenges in Cybersecurity Risks, Strategies, and ... - Unidir
a wider context. Cybersecurity must be about protecting freedom in cyberspace, about protecting its openness, availability and integrity as a resource. In this sense freedom and security are inseparable twins. Freedom needs security to flourish; security needs freedom, otherwise it becomes an instrument of oppression.

Since cyberspace is by definition global, international action is needed to protect our international data networks. The rapid rise in cases of abuse of and attacks on data networks – particularly in the form of sophisticated computer worms such as Stuxnet – has driven home to us how dependent we are on international cooperation. Since we cannot protect ourselves completely from such attacks or discover who is behind them, we need something like cyber diplomacy. The primary aim of this kind of diplomacy is to negotiate internationally accepted safeguards, rules of conduct based on legal norms, and standards. Our national Cyber Security Strategy rightly speaks of the need to develop an “international cyber policy” – a whole new challenge for our foreign and security policy.

Four parameters will guide our efforts here:

1. Our approach is incremental and pragmatic. There is no point in looking for a silver bullet. What we want is to explore common ground with a group of like-minded stakeholders and make progress where we can.
2. Cyber diplomacy is already under way in a wide range of international forums and organizations. Given the complexity of the challenge, that is the right approach. We want to see a division of labor between the different forums; it is important to define as clearly as possible who does what.
3. We see maximum transparency and active confidence-building as the best way to guard against offensive – including military – uses of cyberspace.
4. We believe currently applicable international law provides by and large a sufficient basis for developing new norms in the area of cybersecurity. The important thing now is to bring different interpretations and standpoints more closely into line with a view to reaching a common consensus.

Let me now look at these four points in greater detail.

In recent years we have seen a major increase in international efforts to strengthen cybersecurity. The Council of Europe drew up its Convention on Cybercrime (2001) at a very early stage. It is regrettable that the Convention’s broad-based approach, which entails notably some necessary infringement of national sovereignty in connection with the collection of evidence and the tracking down of cybercrime suspects, has prevented many countries from signing up to it.

That is why it makes little sense – at least at the moment – to try to draw up comprehensive conventions and rule books. Here, too, grand strategies tend to be the enemies of progress. For this reason we argue for an incremental approach on the basis of soft law – in other words, politically binding rules of conduct that help to build trust.

That means we should focus on those areas where the desire for international cooperation is strongest. Apart from the fight against crime, I believe there is considerable international interest in agreeing measures to protect critical infrastructure, for example, give hospitals a special security status and enhance the security of submarine cables – which are amazingly few in number – and their network nodal points.

The more we strive in these and other fields to build trust and promote good governance, the more stakeholders will come to trust one another. That lays the groundwork for further advances in international cybersecurity.

Our incremental approach enables us, moreover, in ad hoc coalitions to reach agreements with other governments whose interests and positions we share. In line with our pragmatic approach, we believe some countries could also set an example by agreeing on standards and rules of conduct. Accordingly, the G8’s Deauville Declaration and the results of the London conference in this area could help promote consensus-building and intergovernmental agreements in the field of cybersecurity.