We have stepped into an era of new, invisible and boundless conflicts
I believe that you all have had a chance to watch at least one movie recently in which modern computer technology led the world or an individual country to the brink of extinction. Lately, a lot of time is being spent discussing the technological aspects of cyber threats and cyber security. To me, this seems absolutely essential, as today we are all part of a digital revolution that results in fundamental changes to every aspect of our daily lives.
The facts speak for themselves: over 2.5 billion active users on the internet with the potential for this to grow beyond 3 billion over the next few years; total digitalization of rather ordinary and modest equipment and services (today we can control our cars, our homes and the devices in it via the internet; and the rapid digitalization of the public sector.
At the same time, we have witnessed a process of accelerated convergence between the physical world and cyber space over the last decade. In many cases the borderlines between the ‘real’ and the ‘cyber’ worlds are already fuzzy. This creates a fundamental and close interdependence between global security issues and cyber security.
Ten years ago cyber security was mostly a technical issue. However today, with globalization and computer technologies used so widely within the economy and our daily lives, its reach extends deep into the political landscape both at national and European levels. Cyber tech runs the global economy and it can be used to reach large amounts of the population in a given country, in Europe or even globally. At the same time, cyber space can be used to commit crimes and it can be turned into a weapon. Therefore, today’s cyber world affects national security, and therefore the very core of nations. It has a direct impact on public interest and hence attracts political attention.
To better understand the present and future developments of cyber threats, we need to take a broader look beyond the technical details. A look at past evolutions, current policies as well as trends at the national and European level at the very least.
In the 19th century, the industrial revolution started a process that led to tremendous progress in Europe, allowing it to overtake the rest of the world economically, technologically and politically. However, the same progress created sophisticated military technologies and tools that were successfully used both in World War I and II. The same logic can be applied to the internet and cyber space today. Therefore, this example clearly shows that any technology, regardless of its original purpose, has strategic, political and moral aspects that must always be considered. This is especially valid in the context of today’s globalized world. These specific aspects are particularly important when discussing national and global policies regarding cyberspace and its future evolution.
The key characteristic of cyberspace is that it is a publicly available resource. At present there are no limitations in its use. For this reason I would say cyber space is a dual-use resource. On one hand, it is a platform for economic development, market expansion and the exchange of ideas and information. On the other, cyberspace is also used for far less respectable purposes. It is a means for terrorist organizations to coordinate their activities and to attract new followers. The recent example of ISIS is a very clear demonstration of this. Cyber space is used by non-democratic regimes to gather information about the outside world, technology and knowledge, or as a platform to influence or attack individual companies or entire countries. One of the clearest demonstrations of the power offered by cyberspace as a platform to influence and interfere in the politics and internal affairs of an independent state is what happened in 2007 in Estonia. The technical and information infrastructure of the country was subjected to targeted cyber-attacks aimed at the destabilization of state institutions and the creation of chaos across the nation. Another equally extreme example: A company that invested hundreds of millions in developing a new product sees all its investment disappear in seconds, as a result of theft committed by cyber criminals working for a competitor.
The bottom line is clear. Regardless of whether we are ready or not, regardless of whether we like it or not, today the world has entered a new era of contrasts between economic systems, states and military alliances. The boundaries of the clashes are invisible and the conflicts are silent. Yet the line of confrontation has not changed. The opponents are basically the same – modern democracies on the one hand, authoritarian regimes and terrorist organizations on the other. Only the place has shifted from the physical world to the cyber world.
It is obvious that the modern dimensions of cyber security go far beyond the ordinary IT infrastructure protection or the protection of certain objects within sensitive national infrastructures. They involve particular economic and political considerations, since modern societies are based on and driven by knowledge and information as well as research and development. For that reason, cyber threats cannot be ignored or neglected. The “it cannot happen to us” stance is useless today; cyber threats are global and no country is immune neither can it provide an adequate response in isolation.
In the 17th century Thomas Hobbes described anarchy as ‘war of everyone against everyone’. In its worst form cyberspace fully matches that definition today, since national and international institutions fail to prevent the increasing presence of crime (organized or not), terrorism and cross-border attacks in cyberspace. In fact, cyberspace today is in a power vacuum. There is, however, a logical explanation for this. Cyberspace has no physical boundaries; it does not impose restrictions on the use of its resources. This creates quite a logical conflict with the classical definition of a country, driven by policies and laws, and having armies able to restrain unacceptable and hostile acts. For this reason, no one country can address the cyber security challenge alone, which is global today. I can make the analogy that the need to protect sensitive systems and information from malicious acts is today’s equivalent of securing freedom of navigation across the world’s oceans. Just as nations came together to protect the seas, they should do the same to make cyber space more secure.
As far as I am concerned, there are at least two ways to change the current ‘anarchic’ model of governance in cyberspace to counter the contemporary cyber threats. The first means imposing all-embracing regulations that will completely change its nature. It will largely transform cyberspace into a digital reflection of the classical organization of nations. At the same time it will result in the complete loss of almost all of the unique features and advantages that make cyber space one of the driving forces of modern economic and social development.
The second approach is to change our world and ourselves, the way that we treat cyberspace and respond to cyber threats. My personal choice would be the second option. The world does not need more power, but more rational use of that which already exists.
What does this second approach mean in practical terms?
First, prioritizing cyber security as a national and European issue
We need to acknowledge the fact that the state, as we know it, based on paper and bureaucracy, is already a thing of the past. Today, in many European countries, most contacts and interactions with public administrations can be done online. The use of cyberspace for this creates new risks and threats. Their neutralization cannot be performed by a single government nor by governments alone. An effective response requires a coordinated effort between both public and private sectors, establishing common standards, platforms and policies for the use of cyberspace and protection from attacks. In this regard, Europe should reinforce the revision and implementation of its cyber security strategy. The challenges to achieving this goal are not technical but political and economic.
Second, forging public-private partnerships
An adequate response to present and future cyber threats doesn’t only call for cooperation among countries – it also demands close cooperation between governments and the private sector. After all, the expertise needed to drive down cyber threats exists within both public and private entities, and therefore in order to provide a maximum level of protection, both public and private sectors need to cooperate closely.
Third, reinforcing and improving information sharing
There are necessary walls that exist between the private sector and governments, as well as between different types of industries. However, in today’s globalized world, and considering the very nature of cyberspace, it is clear that any response to the present cyber threats would be incomplete without transparency and information sharing––sharing between national institutions and the private sector; sharing between EU countries and the rest of the world.
Information sharing is the key to the development of strong and timely responses to present and future cyber threats. For example, the benefit of detailed studies on the mechanism of damage by the Stuxnet has little value if marked TOP SECRET and other potential targets cannot identify the threat before it is too late. Transparency is the biggest strength democratic societies have and this should be used to counteract cyber threats.
At the same time, we should be pragmatic and learn from our mistakes. One of the most important lessons after 9/11 is that our response to any threat, whether terrorist or cyber, is only possible though common, focused and coordinated actions between organizations and the countries involved. This implies broad and transparent information sharing.
Transposing real world experience into cyberspace would also require the creation of new (or transforming existing) organizations, policies and structures at national and European level, including the necessary expertise, practical experience and skills needed to coordinate responses to cyber threats. Good examples in this respect are the European Network and Information Security Agency (ENISA) and The European Cybercrime Centre (EC3) at Europol.
Fourth, strengthening international collaboration
One of the key reasons why cyber criminals have achieved such success in recent years is that they’ve been able to step beyond national borders and operate on an international scale. This trend is only expected to evolve further in the coming years. Adequate responses thereto, in deep contrast, have often been marred by a lack of coordination between the countries involved in its development.
To some extent, a severe lack of progress in international cooperation is due to the fact that most countries consider cyber security only as an element of their own overall national defence strategy. This is not necessarily the wrong approach, but certainly imposes additional barriers and restrictions on inter-institutional and international cooperation. However it is clear that cyber threats and their effects are beyond the scope of individual national military doctrines, and the response to them is most effective when performed by the international community.
At the same time we should not leave international collaboration only to the national governments as well as government and EU agencies. The key to effective and efficient cyber defence is in embedding these capabilities in civil society. To achieve this we need to further reinforce developments at national and European level in the information society. The most effective response to cyber threats is to raise public awareness and the public’s ability to respond given that one of the primary goals of cyber-attacks is to undermine confidence in governments.
International cooperation, information sharing and public-private partnerships should not just be wishful thinking though. They should be the true and solid foundation of our response to modern cyber threats since the stakes for cyber security have never been higher. With the increased concentration of data in remote data centres, expanding reliance on cloud computing, the exponential boom of the Internet of Things and the continuous growth of cybercrime, cyber security can be addressed only through close and open collaboration between governments, industry and civil society. We should always remember that today countries, companies and citizens – all of these – are part of a broad network that operates in cyberspace, using physical information networks and software. Therefore, the response to modern cyber security threats can only be developed through collaboration in novel ways that might seem difficult given the deficit of trust in today’s security ecosystem.
However, if we cannot get this level of collaboration and openness to function, and instead continue to raise barriers against information sharing at national and European levels, we will give up the most powerful weapon in the fight against cyber threats. If we give it up, we are likely to lose it.
This article has been published in cooperation with the European Commission’s Representation in Estonia.