In 2019, the book «India’s strategic options in a changing cyberspace», written by Cherian Samuel and Munish Sharma, was published (New Delhi, Pentagon Press LLP in association with Institute for Defence Studies and Analyses, 2019). In their work, the authors examine the general concept of cyberspace, while extrapolating it to India’s cyberspace dimension.
Cybersecurity problems are now firmly part of the new agenda of international relations, which underlines the importance of studying them comprehensively, now more relevant than ever. The work raises several issues that appear to be important for a modern understanding of cyberspace. Among the issues raised, we find cyber deterrence, the regulatory framework for cyberspace, the protection of the critical state infrastructure, Active Cyber Defense knowledge, and its attendant legal and ethical issues.
To begin with, the authors illustrate the reasons why they decided to start the book. Firstly, due to the constant change in threats and actors, cyber policy is said to be a moving target. The second problem lies in the fact that the development of adequate measures becomes difficult for governments and, especially, international organizations.
The first problem identified by the authors refers to an instrumental nature — namely a lack of technical knowledge, a sophisticated conceptual framework. Trying to analyze the meaning of cyberspace, cybersecurity, cyber warfare, cyber weapons, deterrence in cyberspace, and critical information infrastructure, the authors conclude that each actor understands them in their own way. For example, the concept of “Cybersecurity” is developed in the West. It focuses mainly on the technical side of security. Conversely, the “International Information Security” concept is widespread in China and the CIS and focuses on its political and instrumental use, as well as the compromise “Security in the field of information and security, communication technologies and their use.”
The second problem refers to the lack of access to source data, the presence of conflicting versions of events. According to the authors, the problem would arise due to the lack of the ability to formulate a full-fledged unambiguous conclusion based on the available data. Cyberspace often becomes part of military strategies and doctrines of states. The authors tried to provide the reader with a complete picture of the different countries’ and organizations’ versions, having worked out each of them qualitatively.
The third problem relates to the high politicization of the topic. In the beginning, cyberspace was characterized as common property; its regulation was possible within the framework of international institutions and forums established over the years. Among the more prominent ones we list the United Nations Group of Governmental Experts (UNGGE) and the Internet Governance Forum (IGF). Examples of NGOs’ participation and think tanks are the Global Conference on Cyber Space (GCCS), the Global Commission on the Stability of Cyberspace, and the World Internet Conference.
Over time, however, the tendency to diversify measures to regulate cyberspace has emerged. Only the general trend developed by the Western community remained — to keep cyberspace “open, secure, stable and free.” By declaring Western centricity, the authors refer to the fact that the development and implementation of the latest infrastructure took place from the global West to the East. If the issue of development and implementation has long ceased to be exclusively Western and acquired the outlines of a network structure, now the politicization of the topic lies in ideologically loaded terms. This is expressed in well-established clichés according to which the best hackers who can influence the election results are Russians or Chinese.
Issue number four refers to the fact that the topic of cyberspace is very voluminous. It includes the aspect of global governance in cyberspace, the level of militarization, the legal obligations of each of the parties, and the right to self-defense of the country and the individual. In their book, the authors focused on specific areas of cyberspace, for instance the concept of Active Cyber Defense. After analyzing the approaches of different countries, the authors conclude that the strategy is moving from offensive to defensive, a tendency that intensified after World War II. Nation-states trying to protect their interests undertake actions that need to be declared. Any response thereafter is made in accordance with calculations of political benefit, economic leverage, or purely self-defense. In this regard, the authors compared the development of concepts for nuclear weapons and cyber weapons. The development of atomic weapons after the Second World War and artificial intelligence and quantum calculus today depends entirely on the development of technology. Despite some similarities, cyberspace appears to be more complicated due to the inability to establish the source of the attack and the consequences of asymmetrical response.
And, finally, the fifth identified problem is the lack of a clear international legal framework. The authors highlight the concepts of different states, from the USA to China and from Russia to the UK. There are two block approaches to the regulation of cyberspace. The first — tentatively referred to as “Western” — assumes that in general, the existing body of international law, humanitarian law in particular, already covers cyberspace. It can be applied to issues related to emerging information technology. This approach was most clearly developed in the Tallinn Guidelines for Cyber Warfare and Cyber Operations (developed in two points by the NATO Joint Center for Excellence in Cyber Defense).
The second approach, the Russian one, suggests that although relevant international law applies to cyberspace, the formation of an additional base of legally binding documents is necessary. The Russian approach focuses more on how to prevent information wars, while the Tallinn leadership regulates the rules of war itself. Therefore, the domestic approach does not accept the method of the North Atlantic Alliance, perceiving it as already de facto legalizing cyber warfare. The key document refers to the 2011 Convention on International Information Security, which aims to prevent the misuse of information and communication technologies for political, military, terrorist, and criminal purposes.
Furthermore, the authors devote special attention to a very crucial document, now taken as a kind of consensus between the two designated approaches — the Report of the UN Group of Government Experts (UN GGE) 2015, stating that:
- States will not attack each other’s critical infrastructure;
- they will no longer insert malicious “bookmarks” into their IT products;
- they will refrain from indiscriminately accusing each other of cyber attacks;
- they will make efforts in the fight against hackers carrying out computer sabotage from or through their territory.
Per contra, cyber-norms have already dramatically influenced social norms. The role of “norm entrepreneurs” consists in persuasion through the organizational platform.
Going forward, while many States still perceive the evolving norms with a sense of unity, the focus seems to have shifted from negotiating norms among adversaries to shaping patterns with like-minded countries, setting the norm of competition in cyberspace.
At the level of national states, the confidentiality issue arises due to mass surveillance, that is, when a democratic state enters a polemic with civil society over the legality of access to encrypted data (for example, a terrorist’s). Beyond the identity, attribution also extends to figuring out the motivations and intentions of the attacker, and whether he/she is acting alone or on behalf of a state or an entity. The vulnerability of critical infrastructure further exacerbates the situation. Cyberattacks are the equivalent of natural disasters. And to eliminate these disasters and preventive responses, cyberspace offers unprecedented opportunities for public-private partnerships. This would ideally be achieved through more cooperation between government outsourcing their responsibility of being overarching security provider to private companies or acquiescing to private sector demands. Nevertheless, the approaches and laws for data protection have subjective applicability and relevance, as the requirements, digitization, and technology maturity vary across every nation-state.
In the relationship between information security and communication in cyberspace, the authors call encryption a possible key to solving the problem.
Having made cybersecurity one of the priority areas of action, India appears as a flagship cybersecurity country. Critical infrastructure is now much more dependent on cyberspace, and trade-offs can be detrimental. Higher confidence in attribution can justify punishment and strengthen deterrent capability by setting a precedent that threat actors, including nation-states, will have to pay as a response for any hostility. Cybersecurity, as a non-traditional security domain, would require a non-traditional approach to problem-solving and public-private partnerships. Something that, in this case, could help provide solutions to many problems.
If we trace the logic of the authors’ thoughts, we can see that the line moves from the level of international organizations to the individual level, which is of interest. Cyberspace, like nothing else, shows the entry into the world stage of new actors. These actors appear due to objective necessity. States are no longer the only guarantors of personal security. The network system of interaction of actors partly erases state borders. However, boundaries appear as soon as the actor crosses the established red line, the permitted boundary of actions. At the same time, for each actor, this red line remains individual. The combination of the tangible physical world of the infrastructural and virtual world remains too voluminous for operationalization. However, an apparent shrinking of the cyber universe is observed.
Dr. Cherian Samuel is Research Fellow in the Strategic Technologies Centre at the Manohar Parrikar Institute for Defence Studies and Analyses. He has written on various cybersecurity issues, including critical infrastructure protection, cyber resilience, cybercrime, and internet governance. Munish Sharma is a Consultant in the Strategic Technologies Centre at the Manohar Parrikar Institute for Defence Studies and Analyses. His research interests include cybersecurity, critical information infrastructure protection, space security, and geopolitical aspects of emerging technologies.
From our partner RIAC
First Quantum Computing Guidelines Launched as Investment Booms
National governments have invested over $25 billion into quantum computing research and over $1 billion in venture capital deals have closed in the past year – more than the past three years combined. Quantum computing promises to disrupt the future of business, science, government, and society itself, but an equitable framework is crucial to address future risks.
A new Insight Report released today at the World Economic Forum Annual Meeting 2022 provides a roadmap for these emerging opportunities across public and private sectors. The principles have been co-designed by a global multistakeholder community composed of quantum experts, emerging technology ethics and law experts, decision makers and policy makers, social scientists and academics.
“The critical opportunity at the dawn of this historic transformation is to address ethical, societal and legal concerns well before commercialization,” said Kay Firth-Butterfield, Head of Artificial Intelligence and Machine Learning at the World Economic Forum. “This report represents an early intervention and the beginning of a multi-disciplinary, global conversation that will guide the development of quantum computing to the benefit of all society.”
“Quantum computing holds the potential to help solve some of society’s greatest challenges, and IBM has been at the forefront of bringing quantum hardware and software to communities of discovery worldwide,” said Dr. Heike Riel, IBM Fellow, Head of Science and Technology and Lead, Quantum, IBM Research Europe. “This report is a key step in initiating the discussion around how quantum computing should be shaped and governed, for the benefit of all.”
Professor Bronwyn Fox, Chief Scientist at CSIRO, Australia’s national science agency, said, “The Principles reflect conversations CSIRO’s scientists have had with partners from around the world who share an ambition for a responsible quantum future. Embedding responsible innovation in quantum computing is key to its successful deployment and uptake for generations to come. CSIRO is committed to ensuring these Principles are used to support a strong quantum industry in Australia and generate significant social and public good.”
In adapting to the coming hybrid model of classical, multi-cloud, and soon quantum computing, the Forum’s framework establishes best-practice principles and core values. These guidelines set the foundation and give rise to a new information-processing paradigm while ensuring stakeholder equity, risk mitigation, and consumer benefit.
The governance principles are grouped into nine themes and underpinned by a set of seven core values. Themes and respective goals defining the principles:
1. Transformative capabilities: Harness the transformative capabilities of this technology and the applications for the good of humanity while managing the risks appropriately.
2. Access to hardware infrastructure: Ensure wide access to quantum computing hardware.
3. Open innovation: Encourage collaboration and a precompetitive environment, enabling faster development of the technology and the realization of its applications.
4. Creating awareness: Ensure the general population and quantum computing stakeholders are aware, engaged and sufficiently informed to enable ongoing responsible dialogue and communication; stakeholders with oversight and authority should be able to make informed decisions about quantum computing in their respective domains.
5. Workforce development and capability-building: Build and sustain a quantum-ready workforce.
6. Cybersecurity: Ensure the transition to a quantum-secure digital world.
7. Privacy: Mitigate potential data-privacy violations through theft and processing by quantum computers.
8. Standardization: Promote standards and road-mapping mechanisms to accelerate the development of the technology.
9. Sustainability: Develop a sustainable future with and for quantum computing technology.
Quantum computing core values that hold across the themes and principles:
Common good: The transformative capabilities of quantum computing and its applications are harnessed to ensure they will be used to benefit humanity.
Accountability: Use of quantum computing in any context has mechanisms in place to ensure human accountability, both in its design and in its uses and outcomes. All stakeholders in the quantum computing community are responsible for ensuring that the intentional misuse of quantum computing for harmful purposes is not accepted or inadvertently positively sanctioned.
Inclusiveness: In the development of quantum computing, insofar as possible, a broad and truly diverse range of stakeholder perspectives are engaged in meaningful dialogue to avoid narrow definitions of what may be considered a harmful or beneficial use of the technology.
Equitability: Quantum computing developers and users ensure that the technology is equitable by design, and that quantum computing-based technologies are fairly and evenly distributed insofar as possible. Particular consideration is given to any specific needs of vulnerable populations to ensure equitability.
Non-maleficence: All stakeholders use quantum computing in a safe, ethical and responsible manner. Furthermore, all stakeholders ensure quantum computing does not put humans at risk of harm, either in the intended or unintended outcomes of its use, and that it is not used for nefarious purposes.
Accessibility: Quantum computing technology and knowledge are actively made widely accessible. This includes the development, deployment and use of the technology. The aim is to cultivate a general ability among the population, societal actors, corporations and governments to understand the main principles of quantum computing, the ways in which it differs from classical computing and the potential it brings.
Transparency: Users, developers and regulators are transparent about their purpose and intentions with regard to quantum computing.
“Governments and industries are accelerating their investments in quantum computing research and development worldwide,” said Derek O’Halloran, Head of Digital Economy, World Economic Forum. “This report starts the conversation that will help us understand the opportunities, set the premise for ethical guidelines, and pre-empt socioeconomic, political and legal risks well ahead of global deployment.”
The Quantum Computing Governance Principles is an initiative of the World Economic Forum’s Quantum Computing Network, a multi-stakeholder initiative focused on accelerating responsible quantum computing.
Next steps for the Quantum Computing Governance Initiative will be to work with wider stakeholder groups to adopt these principles as part of broader governance frameworks and policy approaches. With this framework, business and investment communities along with policy makers and academia will be better equipped to adapt to the coming paradigm shift. Ultimately, everyone will be better prepared to harness the transformative capabilities of quantum sciences – perhaps the most exciting emergent technologies of the 21st Century.
Closing the Cyber Gap: Business and Security Leaders at Crossroads as Cybercrime Spikes
The global digital economy has surged off the back of the COVID-19 pandemic, but so has cybercrime – ransomware attacks rose 151% in 2021. There were on average 270 cyberattacks per organization during 2021, a 31% increase on 2020, with each successful cyber breach costing a company $3.6m. After a breach becomes public, the average share price of the hacked company underperforms the NASDAQ by -3% even six months after the event.
According to the World Economic Forum’s new annual report, The Global Cybersecurity Outlook 2022, 80% of cyber leaders now consider ransomware a “danger” and “threat” to public safety and there is a large perception gap between business executives who think their companies are secure and security leaders who disagree.
Some 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk-management strategies, but only 55% of cyber leaders surveyed agree. This gap between leaders can leave firms vulnerable to attacks as a direct result of incongruous security priorities and policies.
Even after a threat is detected, our survey, written in collaboration with Accenture, found nearly two-thirds would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team. Perhaps even more troubling is the growing trend that companies need 280 days on average to identify and respond to a cyberattack. To put this into perspective, an incident which occurs on 1 January may not be fully contained until 8 October.
“Companies must now embrace cyber resilience – not only defending against cyberattacks but also preparing for swift and timely incident response and recovery when an attack does occur,” said Jeremy Jurgens, Managing Director at the World Economic Forum.
“Organizations need to work more closely with ecosystem partners and other third parties to make cybersecurity part of an organization’s ecosystem DNA, so they can be resilient and promote customer trust,” said Julie Sweet, Chair and CEO, Accenture. “This report underscores key challenges leaders face – collaborating with ecosystem partners and retaining and recruiting talent. We are proud to work with the World Economic Forum on this important topic because cybersecurity impacts every organization at all levels.”
Chief Cybersecurity Officers kept up at night by three things
Less than one-fifth of cyber leaders feel confident their organizations are cyber resilient. Three major concerns keep them awake at night:
– They don’t feel consulted on business decisions, and they struggle to gain the support of decision-makers in prioritizing cyber risks – 7 in 10 see cyber resilience featuring prominently in corporate risk management
– Recruiting and retaining the right talent is their greatest concern – 6 in 10 think it would be challenging to respond to a cybersecurity incident because they lack the skills within their team
– Nearly 9 in 10 see SMEs as the weakest link in the supply chain – 40% of respondents have been negatively affected by a supply chain cybersecurity incident
Training and closing the cyber gap are key solutions
Solutions include employee cyber training, offline backups, cyber insurance and platform-based cybersecurity solutions that stop known ransomware threats across all attack vectors.
Above all, there is an urgent need to close the gap of understanding between business and security leaders. It is impossible to attain complete cybersecurity, so the key objective must be to reinforce cyber resilience.
Including cyber leaders in the corporate governance process will help close this gap.
Ethical aspects relating to cyberspace: Self-regulation and codes of conduct
Virtual interaction processes must be controlled in one way or another. But how, within what limits and, above all, on the basis of what principles? The proponents of the official viewpoint – supported by the strength of state structures – argue that since the Internet has a significant and not always positive impact not only on its users, but also on society as a whole, all areas of virtual interaction need to be clearly regulated through the enactment of appropriate legislation.
In practice, however, the various attempts to legislate on virtual communication face great difficulties due to the imperfection of modern information law. Moreover, considering that the Internet community is based on an internal “anarchist” ideology, it shows significant resistance to government regulations, believing that in a cross-border environment – which is the global network – the only effective regulator can be the voluntarily and consciously accepted intranet ethics based on the awareness of the individual person’s moral responsibility for what happens in cyberspace.
At the same time, the significance of moral self-regulation lies not only in the fact that it makes it possible to control the areas that are insufficiently covered, but also in other regulatory provisions at political, legal, technical or economic levels. It is up to ethics to check the meaning, lawfulness and legitimacy of the remaining regulatory means. The legal provisions themselves, supported by the force of state influence, are developed or – at least, ideally – should be implemented on the basis of moral rules. It should be noted that, although compliance with law provisions is regarded as the minimum requirement of morality, in reality this is not always the case – at least until an “ideal” legislation is devised that does not contradict morality in any way. Therefore, an ethical justification and an equal scrutiny of legislative and disciplinary acts in relation to both IT and computer technology are necessary.
In accordance with the deontological approach to justifying web ethics, the ethical foundation of information law is based on the human rights of information. Although these rights are enshrined in various national and international legal instruments, in practice their protection is often not guaranteed by anyone. This enables several state structures to introduce various restrictions on information, justifying them with noble aims such as the need to implement the concept of national security.
It should be stressed that information legislation (like any other in general) is of a conventional nature, i.e. it is a sort of temporary compromise reached by the representatives of the various social groups. Therefore, there are no unshakable principles in this sphere: legality and illegality are defined by a dynamic balance between the desire for freedom of information, on the one hand, and the attempts at restricting this freedom in one way or another.
Therefore, several subjects have extremely contradictory requirements with regard to modern information law, which are not so easy to reconcile. Information law should simultaneously protect the right to free reception of information and the right to information security, as well as ensure privacy and prevent cybercrime. It should also promote the public accessibility of the information created, and protect copyright – even if this impinges on the universal principle of knowledge sharing.
The principle of a reasonable balance of these often diametrically opposed aspirations, with unconditional respect for fundamental human rights, should be the basis of the international information law system.
Various national and international public organisations, professionals and voluntary users’ associations define their own operation principles in a virtual environment. These principles are very often formalised in codes of conduct, aimed at minimising the potentially dangerous moral and social consequences of the use of information technologies and thus at achieving a certain degree of autonomy for the web community, at least when it comes to purely internal problematic issues. The names of these codes do not always hint at ethics, but this does not change their essence. After all, they do not have the status of legal provisions, which means that they cannot serve as a basis for imposing disciplinary, administrative or any other liability measures on offenders. They are therefore enforced by the community members who have adopted them solely with goodwill, as a result of free expression based on recognition and sharing of the values and rules enshrined in them. These codes therefore act as one of the moral self-regulating mechanisms of the web community.
The cyberspace codes of ethics provide the basic moral guidelines that should guide information activities. They specify the principles of general theoretical ethics and are reflected in a virtual environment. They contain criteria that make it possible to recognise a given act as ethical or unethical. Finally, they provide specific recommendations on how to behave in certain situations. The rules enshrined in the codes of ethics in the form of provisions, authorisations, bans, etc., represent in many respects the formalisation and systematisation of unwritten rules and requirements that have developed spontaneously in the process of virtual interaction over the last thirty years of the Internet.
Conversely, the provisions of codes of ethics must be thoroughly considered and judged – by their very nature, codes of ethics are conventional and hence they are always the result of a mutual agreement of the relevant members of a given social group – as otherwise they are simply reduced to a formal and sectorial statement, divorced from life and not rule-bound.
Despite their multidirectionality due to the variety of net functional abilities and the heterogeneity of its audience, a comparison of the most significant codes of ethics on the Internet shows a number of common principles. Apparently, these principles are in one way or another shared by all the Internet community members. This means that they underpin the ethos of cyberspace. They include the principle of accessibility, confidentiality and quality of information; the principle of inviolability of intellectual property; the principle of no harm, and the principle of limiting the excessive use of net resources. As can be seen, this list echoes the four deontological principles of information ethics (“PAPA: Privacy, Accuracy, Property and Accessibility”) formulated by Richard Mason in his article Four Ethical Issues of the Information Age. (“MIS Quarterly”, March 1986).
The presence of a very well-written code of ethics obviously cannot ensure that all group members will act in accordance with it, because – for a person – the most reliable guarantees against unethical behaviour are his/her conscience and duties, which are not always respected. The importance of codes should therefore not be overestimated: the principles and actual morals proclaimed by codes may diverge decisively from one another. The codes of ethics, however, perform a number of extremely important functions on the Internet: firstly, they can induce Internet users to moral reflection by instilling the idea of the need to evaluate their actions accordingly (in this case, it is not so much a ready-made code that is useful, but the very experience of its development and discussion). Secondly, they can form a healthy public in a virtual environment, and also provide it with uniform and reasonable criteria for moral evaluation. Thirdly, they can become the basis for the future creation of international information law, adapted to the realities of the electronic age.