I come from Estonia, a country that is known for Skype and the NATO Cooperative Cyber Defense Center of Excellence, as well as for being the first country in the world to introduce e-government, e-taxation, e-voting and a thousand other e-services. These are all part of what we call our e-lifestyle.
In 2007, Estonia was also the first sovereign state in the world to be subjected to politically motivated cyberattacks supported by another state. We learned that our e-lifestyle also entails e-challenges and e-responsibilities. We knew then — and know even better now — that no services are completely secure, whether online or offline. But we can, and must, face these challenges by taking appropriate steps to minimize risks.
Over the past decade, cyber incidents have grown in severity and number. Distributed Denial of Service (DDoS) attacks have become increasingly commonplace while new threats have emerged. 2017 was replete with cyber-related headlines, many of which spoke to different facets of an increasingly complex challenge. The WannaCry and NotPetya malware worms were at the forefront of a new wave of ransomware attacks. The growth of the Internet of Things (IoT) helped fuel a nearly twofold rise in the number of DDoS attacks in 2017 compared with 2016, while a frightening number of botnets now lie dormant, waiting for an unknown purpose. Meanwhile, incidents of “hacking democracy” continue.
Even as the nature of the cyberthreat has grown and evolved, the need to enhance international cooperation and adopt a multistakeholder approach has not changed; in fact, these have to be accepted as the foundation of an effective global approach to ensuring cybersecurity. Why?
Firstly, while the cyber domain has become accepted as an integral element of any approach to national security, it is not one that states can effectively manage alone. Given that the cyber realm does not have borders, international cooperation is of utmost importance.
Unfortunately, attempts to foster such cooperation at an intergovernmental level seem to have reached an impasse. The failure of governmental expert discussions (UN GGE — United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security) and stalemates in other diplomatic fora show that the ideological divide on the use of information and communications technologies (ICTs) is too deep, and governments do not have enough political will to reach agreement in the near future.
While regrettable, this does not mean that discussions will — or should — come to an end. Talks have to continue under the auspices of the U.N. as well as in other frameworks. Hopefully, all states will find the courage and determination to return to constructive negotiations — ideally, sooner than later.
Secondly, despite states’ traditional dominance over all questions related to international peace and security, their role within the overall ecosystem of cyberspace is central but limited. Governments alone simply cannot dictate all aspects of a domain in which civil society writes much of the key code, the private sector owns nearly all the digital and physical assets, academia analyzes the complex issues of applicability of international law to cyberspace, and the IT community has the best technical expertise. Given this complex landscape, it is clear that a multistakeholder approach to cybersecurity is the only effective way forward — one in which all stakeholders have a unique role, including developing norms of responsible behavior.
Cyberspace is not a jungle and should not be governed by the laws of the jungle. A predictable and stable cyberspace needs clear laws and rules that minimize “gray zones” in which it is unclear which norms apply — and what the consequences are if they are broken.
The members of the United Nations agreed as early as 2013 that international law applies to cyberspace. Now we need concrete answers from governments as to how it applies. Otherwise, some states will continue to exploit gray zones where the applicability of international law is not certain, e.g., about sovereignty in the case of the Democratic National Committee hacks or about protecting critical voting infrastructure in the case of other attempts at interfering in elections.
In addition to legally binding norms of international law that can be adopted and applied by states, there are also nonbinding voluntary (political) norms. Non-state actors should also play an important role in developing the latter. Here are just a few examples.
As the Chair of the Global Commission on the Stability of Cyberspace (GCSC) (https://cyberstability.org), I am proud to introduce a norm that was launched in November 2017 — the Call to Protect the Public Core of the Internet. It is an appeal for a new global norm to apply to both state and non-state actors to refrain from activity that intentionally and substantially damages the general accessibility or integrity of the Internet itself. The Carnegie Endowment has proposed a norm to protect financial stability against cyberthreats, while Microsoft is working on a technical accord — a proposal by the technology sector to protect people in cyberspace. States should review and seriously consider these proposals while engaging constructively with other stakeholders. Public-private partnership should not only be a political concept, but a standard operating practice adopted by governments and the private sector. These could be very clear and substantial steps on the road to cyber stability.
It is time for states and non-state actors who share democratic values and who believe in an open and secure cyber future to come together and to act together — globally, decisively and boldly — to protect a free, safe, stable, accessible and available Internet while fostering the continued growth and development of the use of ICTs.