Asia-Pacific Cyber Insights

The ASPI Asia-Pacific Cyber Insights aims to bring the Asia-Pacific experience and perspective to the key themes and questions of the Global Conference on Cyberspace 2015 (GCCS) taking place this week.

As a key region in the global Internet space with almost half of global netizens, Asia-Pacific represents diverse, dynamic, and important perspectives on international cyber issues.

The themes to be discussed at GCCS and highlighted in the publication include:

  • International peace and security
  • A secure place for business and people
  • Global Forum on Cyber Expertise: A global platform for cyber capacity building
  • Fast forward, economic growth and development in cyberspace
  • Privacy

The publication highlights three key general takeaways from the Asia-Pacific experience: clarity, capacity, and responsibility.

Clarity

To strengthen cybersecurity and build confidence governments need to be clearer about the governance structure of the Internet as well as their intentions in cyberspace. Publication of policies, strategies, and doctrines, clearer definitions and terminology, and the establishment of national points of contact can all help reduce the risk of miscommunication and conflict.

Capacity

The Asia-Pacific region is home to several least developed and developing countries that have, and will continue to, benefit the most from technical, policy, legislative, organisational and law enforcement capacity building efforts. Nevertheless, as ICT continues to play an increasingly important role in both developing and developed countries there is a need to build expertise and invest in knowledge transfer on the global level as well.

Accountability

Internet issues and cybersecurity are rarely straightforward. Complex relationships between governments, international organisations, civil society, network operators, service providers, and individuals make it challenging to understand who is responsible for what in what circumstances. In order to build trust and confidence in the global cyber environment accountability is a key challenge. All actors need to be clear what they are responsible for and what can be expected from them in order to successfully avoid, mitigate, and resolve cyber issues.

The whole publication is well worth a read if you would like to know more about the current cyber situation in the Asia-Pacific and it is available for download here.

 

CFR Launches the Cyber Brief Series

The Council on Foreign Relations recently launched their new Cyber Briefs series through the Digital and Cyberspace Policy Program. The Cyber Briefs are short memos that offer concrete recommendations on topics such as cybersecurity, Internet governance, and online privacy that will be published bimonthly on the CFR website.

The first brief in the series titled ‘Promoting Norms for Cyberspace‘ is written by Henry Farrell, associate professor of political science and international affairs at George Washington University. Mr. Farrell has also provided some additional thoughts on the topic at the Washington Post.

Mr. Farrell makes the case that norms matter for (US) cybersecurity due to four reasons:

  1. The US is vulnerable to cyberattacks and this weakness is difficult to address using conventional tools of military statecraft.
  2. It is difficult to ensure that complex information systems are fully defended, since they may have subtle technical weaknesses.
  3. Classical deterrence is not easy in a world where it is often challenging to identify sophisticated attackers, or even to know when an attack has taken place.
  4. Treaties are hard to enforce because it is so difficult to verify compliance – particularly in cyberspace, where weapons are software, not missiles.

He further argues that it will be difficult for the U.S. to shape norms without making major changes to other aspects of their policy. His main recommendations for this policy alignment are to:

  1. Reform U.S. intelligence activities to make them more consistent with the publicly expressed norms of Internet openness that the United States is trying to establish.
  2. Disclose more convincing evidence when trying to shame actors that do not abide by cybersecurity norms.
  3. Encourage other states and civil society actors to take a leading role in norm promotion—even when this cuts against U.S. interests. To develop legitimate norms, the U.S. should let some of its partners take the lead. New norms will not be seen as legitimate if they are perceived to be solely a projection of U.S. interests.

Overall, Mr. Farell provides some important points in his brief but I think his comments in the Washington Post most succinctly summarises the challenges ahead:

When actors have many shared values, norm building is easier. When actors have few shared values, then norm building is hard. Furthermore, if you want to persuade others to accept norms, you will have a hard time unless you are obviously and sincerely committed to those norms yourself.

It is clear that the Snowden revelations have tarnished the U.S. reputation as a proponent for a free, open, and democratic Internet but perhaps more importantly it has also tarnished its reputation with key allies such as Germany and other European countries. Mr. Farrell correctly highlights that the US needs to work both on aligning its intelligence activities to its Internet policy and include other non-government actors such as the EFF in its norm advocacy. However, as with many policy suggestions in the cybersecurity arena they are easier said than done.

As long as the creation of common global cybersecurity norms will be challenging to develop, and they will be for a long time, the US will be faced with the decision of what will be most rewarding between NSA intelligence operations and their alignment with open Internet norms. My guess is that wide scale intelligence gathering will continue to hold the upper hand for some time to come.

Further, rebuilding the US reputation with key cybersecurity allies has and will continue to be a policy priority for the White House moving forward but the main challenge will be to build common norms with countries outside the American sphere of influence. In the Washington Post Mr. Farrell notes while the US has promoted an open and robust Internet, other important (authoritarian and semi-authoritarian) countries may view this as a threat to the stability of their governments.

There is a significant divide between the position for a free and open Internet, typically led by the US and the EU, and a more restricted, nation-state controlled, Internet, typically led by Russia, China, and supported by a majority of developing countries. For the creation of common Internet norms that will have a significant impact on the global level of cybersecurity, I believe this to be a fundamental challenge. The main challenges and cybersecurity threats that the US faces do not originate from its allies but from countries like Russia and China and it will be imperative that the US will be able to reach a common understanding about what is acceptable behaviour in cyberspace in order to reduce these risks.

And while there has been significant development in the last ten years with ICANN reform and dialogues like NetMundial there is still a huge divide to overcome, a divide that will be incredibly complex and difficult to solve. But I agree with Mr. Farrell that if the US is seriously committed to building norms in cyberspace, it is going to have to start thinking about how to do this.