Why a cybersecurity treaty is a pipe dream
October 27th, 2011
02:01 PM ET

Editor's Note: Adam Segal is the Ira A. Lipman Senior Fellow for Counterterrorism and National Security Studies at the Council on Foreign Relations. Matthew Waxman, also a fellow at the Council on Foreign Relations, is Associate Professor at Columbia Law School and member of the Hoover Institution Task Force on National Security and Law.

By Adam Segal and Matthew Waxman - Special to CNN

With companies and governments seemingly incapable of defending themselves from sophisticated cyber attacks and infiltration, there is almost universal belief that any durable cybersecurity solution must be transnational. The hacker – a government, a lone individual, a non-state group – stealing valuable intellectual property or exploring infrastructure control systems could be sitting in Romania, China, or Nigeria, and the assault could transit networks across several continents. Calls are therefore growing for a global treaty to help protect against cyber threats.

As a step in that direction, the British government is convening next week the London Conference on Cyberspace to promote new norms of cybersecurity and the free flow of information via digital networks. International diplomacy like this among states and private stakeholders is important and will bring needed attention to these issues. But the London summit is also likely to expose major fault lines, not consensus, on the hardest and most significant problems. The idea of ultimately negotiating a worldwide, comprehensive cybersecurity treaty is a pipe dream.

Different interests among powerful states – stemming from different strategic priorities, internal politics, public-private relationships and vulnerabilities – will continue to pull them apart on how cyberspace should be used, regulated, and secured. With the United States and European democracies at one end and China and Russia at another, states disagree sharply over such issues as whether international laws of war and self-defense should apply to cyber attacks, the right to block information from citizens, and the roles that private or quasi-private actors should play in Internet governance. Many emerging Internet powers and developing states lie between these poles, while others are choosing sides.

One of the most contentious divergences concerns the definition of cybersecurity itself. While the United States, United Kingdom and their like-minded allies emphasize the protection of computer networks from damage and theft, Russia, China and their partners emphasize information security, which to them means controlling content and communication or social networking tools that may threaten regime stability. Last month, as delegates prepared to discuss Internet freedom at the London Conference, representatives of China, Russia, Tajikistan, and Uzbekistan proposed to the U.N. Secretary-General an International Code of Conduct for Information Security, which addresses cyber security but also calls on states to curb the dissemination of information which “undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment.”

Although the United States should participate actively in forums like the London Conference, it should not expect a global consensus or worldwide treaties on the toughest issues to emerge from them. The United States should prepare instead for deep international divides over cyber-security norms, emphasizing four components of its strategy.

First, Washington must continue to cultivate allies and like-minded partners through joint policy declarations, recognizing that Beijing and Moscow are doing likewise. In June 2011, NATO defense ministers agreed to a collective vision of cyber defense, and the United States and Australia recently announced that their mutual defense treaty extends to cyberspace. Moving forward, it will be especially important to engage growing Internet powers like Brazil, South Africa and India as they move between the poles of cyber and information security.

Second, the United States should accept that it will be operating in some legal gray zones. The United States and some allies believe that they may have the right to respond militarily in self-defense under the laws of war to sufficiently severe cyber-attacks, whereas other powerful states want to legally separate cyber-security from traditional security concerns. Meanwhile, the distinctions in cyber-space between espionage (traditionally tolerated under international law) and offensive “attacks” are muddied. Planners need to think about how they will defend their actions diplomatically, especially when facts may be hard to prove or disclose.

Third, dialogue with China, Russia and others should focus not on reaching legal agreement but on communicating redlines and developing confidence-building measures, recognizing that it may be difficult to determine immediately the source of attacks. States should be willing to exchange ideas about the offensive and defensive use of cyber-weapons as well as how to develop points of contact and hotlines that can be used in the midst of a cyber crisis.

Fourth, success in shaping international norms depends in part on cultivating technical partnerships with developing states, both as a means of aligning their interests with the United States’ and countering similar efforts by China to secure their loyalty. Cyber security expertise is lacking in Latin America, Africa and Southeast Asia and governments will turn to whoever can provide it.

Diplomatic summitry like the upcoming London Conference is important for promoting a vision of cyber security and freedom. For the foreseeable future, progress toward that vision will be incremental, though, and achieved through multiple arrangements hammered out with a wide array of state and private actors rather than through a global accord.

The views expressed in this article are solely those of Adam Segal and Matthew Waxman.


soundoff (18 Responses)
  1. Occupado

    Cybersecurity? Are you serious? There is no such thing.

    October 27, 2011 at 2:30 pm | Reply
  2. Matthew S.

    China literally has a cyber firewall around the entire country. It is no secret that China has armies of cyberspies hacking the US and other Western countries, for military, technology and ... to probe for weaknesses in preparation for the big off switch. As well, most know that 'social engineering' is the easiest way to hack a system ... but the US's H-1B program pretty much gives all other countries a free pass to plant moles. All electronics engineering companies nowadays are predominantly filled with foreigners. As well, nearly all have international operations, and daily have data and communications links to remote sites. Given this one-way scenario, the ONLY hope for the US is to build un-hackable systems. For example, the Intel-McAfee DeepSafe technology ... and assume that the threat is already inside your network ... hiding in some control server.

    October 30, 2011 at 3:59 am | Reply
