For more than 20 years, countries have been struggling to introduce a set of rules of conduct and liability requirements for digital space users. Progress in designing a code of cyber conduct is all the more relevant since digitalization is sweeping the planet at breakneck speed, creating new risks along with new opportunities. Businesses that are confronted with new challenges and threats in the digital space are putting forward their own initiatives, thereby pressing governments to speed up the process of adopting an international cyber code.
Why is the business community interested in setting rules in the cyber environment? There are many reasons for this.
Firstly, the quantity and quality of hacker attacks on the private sector increase every year. Hackers target enterprises of any size — whether they are small businesses or technological giants. Attacked by the NotPetya virus, the world's largest container carrier Maersk sustained $300 million in damage and had to shell out nearly $1 billion for restoration. In total, according to Sberbank’s estimates, the damage to the global economy from hacker attacks in 2019 can reach about $2.5 trillion, and by 2022 — as much as $8–10 trillion.
Secondly, many technology-oriented companies, facing a lack of trust on the part of government agencies, experience severe difficulties in promoting their business projects abroad. At present, the UK, Norway, Poland, and other countries are involved in a debate about whether Huawei should be allowed to build fifth-generation mobile communication networks (5G). Huawei is suspected of stealing intellectual property and espionage. The US, Australia, and New Zealand have introduced a ban on the use of 5G equipment from Huawei.
Not only Chinese companies face distrust. Google, Apple, Microsoft, Kaspersky Lab, and many others are often accused of illegally spying on people.
Thirdly, IT companies are forced to pay huge sums to protect their customers against hacker attacks and guarantee information security. Microsoft allocates more than $1 billion for this purpose yearly.
In the absence of a political solution to ensure international information security, private companies, which are keen to safeguard themselves and their customers, have chosen to conduct negotiations with each other on information security cooperation and are launching their own initiatives. Thus, a business information security track is coming into existence, running parallel to the governmental one.
In February 2017, Microsoft’s President Brad Smith launched the Digital Geneva Convention initiative. The Convention is expected to oblige governments not to carry out cyber attacks on private sector companies or the critical infrastructure of other states, and not to use hacker attacks to steal intellectual property.
Overall, the document formulates six basic principles of international cybersecurity:
- No targeting of tech companies, private sector, or critical infrastructure.
- Assist private sector efforts to detect, contain, respond to, and recover from events.
- Report vulnerabilities to vendors rather than to stockpile, sell, or exploit them.
- Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise, and not reusable.
- Commit to non-proliferation activities to cyber weapons.
- Limit offensive operation to avoid a mass event.
However, while the Digital Geneva Convention is still on paper, 34 technology companies, including Microsoft, without waiting for decisions at the government level, signed the Cybersecurity Tech Accord in April 2018. Thus, the largest ever group of companies have become committed to protecting customers around the world from cybercriminals.
Cybersecurity Tech Accord members have called for a ban on any agreements on non-disclosure of vulnerabilities between governments and contractors, brokers, or cybersecurity experts; they also call for more funding for vulnerability detection and research.
Besides, signatories of the agreement have come up with a series of recommendations to strengthen confidence-building measures, which are based on the proposals of the UN and OSCE.
Such measures include:
- Develop shared positions and interpretations of key cybersecurity issues and concepts, which will facilitate productive dialogue and enhance mutual understanding of cyberspace and its characteristics.
- Encourage governments to develop and engage in dialogue around cyber warfare doctrines.
- Develop a list of facilities that are off-limits for cyber-attacks, such as nuclear power plants, air traffic control systems, banking sectors, and so forth.
- Establish mechanisms and channels of communication to respond to requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts (organizing, i.e. tabletop exercises).

By now, the Cybersecurity Tech Accord has been signed by 90 companies, including Microsoft, Facebook, Cisco, Panasonic, Dell, Hitachi, and others.
Another initiative was presented in 2018 by Siemens, which came up with the Charter of Trust. The Charter, which was signed by 16 companies, including IBM, AIRBUS, NXP, and Total, urges companies to set up strict rules and standards to foster trust in ICT and contribute to further development of digitalization.
Facebook has become part of the process too. In late March 2019, Mark Zuckerberg — the founder and CEO of Facebook — urged governments to become more actively involved in regulating the Internet. In particular, Zuckerberg spoke in favor of introducing new standards related to the Internet and social networks. These standards would help guarantee the protection of personal data, prevent attempts to influence elections or disseminate unwanted information, and would assist in providing a solution to the problem of data portability.
Another initiative worth mentioning is the creation in 2014 of the Industrial Internet Consortium (IIC), which was founded on the initiative of AT&T, Cisco, GE, IBM, and Intel. This is a non-profit open-membership group that seeks to remove barriers between different technologies in order to maximize access to big data and promote the integration of physical and digital environments.
Some initiatives are coming from the Russian private sector. In particular, since 2017, Norilsk Nickel has been active on the international scene promoting the Information Security Charter of critical industrial facilities. The Charter’s main provisions include condemnation of the use of ICT for criminal, terrorist, military purposes; supporting efforts to create warning and detection systems, and assist in the aftermath of network attacks; and sharing best practices in information security.
In turn, Sberbank has launched an initiative to hold the world’s largest International Cybersecurity Congress. Last year, such a congress took place with the participation of 681 companies from 51 countries. The second such Congress is scheduled for this June. The Forum serves as an inter-sectoral platform that promotes global dialogue on the most pressing issues of ensuring information security in the context of globalization and digitalization.
What most business initiatives have in common is that they all call for developing confidence-building measures and rules of conduct in the digital space. Besides, the business community welcomes the need to adjust international law to the new realities of the digital economy.
Private sector initiatives can readily be aligned with initiatives put forward by countries within the framework of the UN. After all, by and large, governments pursue the same goals as business in this area. The use of ICT for peaceful purposes, confidence-building measures, the supply of information about vulnerabilities — all this is significant both for business and for most states.
Fortunately, the global discussion under the aegis of the UN on issues related to International Information Security is getting back on track after a pause of about one year. From now on, it will be attended by representatives of the private sector. According to the resolution (A/RES/73/27), the mandate of the future Open-Ended Working Group (OEWG) allows for the possibility of holding inter-session consultative meetings with representatives of businesses, non-governmental organizations and the scientific community to exchange opinions on issues within the group’s mandate. The first inter-sessional meeting with representatives of global business is scheduled for November 2019.
In conclusion, we would like to remark that the issue of information security is dynamic and, for this reason, it can be adequately addressed only with the close cooperation of governments and technology companies, since it is the latter that keep pace with the development of technologies and are the drivers of the digital economy. Governments should keep a close eye on the initiatives of non-state actors and put the most useful proposals on the agenda of discussions at international forums. Moreover, once adopted and approved at the government level, these standards and regulations should have legal force, rather than be recommendatory — this is the only way to guarantee order in the cyber environment.
First published in our partner RIAC