Cybersecurity continues to be vitally important, with the ever-increasing global reliance on computer systems, the internet, and digital transactions. Cybersecurity also remains one of the top areas of concern for most companies’ boards of directors.1
The need for an open and secure internet raises questions over what role the international community should play in establishing cybersecurity standards. Is there a need for a new treaty (a so-called “Digital Geneva Convention”)?2 Should current international law simply be interpreted and applied to the digital realm? If so, how should it be enforced?
Matthew A. Koch, U.W. 1998, is vice president of Corporate and Legal Affairs and general counsel for Direct Supply, Inc., Milwaukee, where he has advised and assisted in setting up offices and subsidiaries in Asia.
Kelly Krause is a student at Marquette University Law School and a legal intern at Direct Supply, Inc., Milwaukee.
This article explores the current context of international cybersecurity considerations and the options under discussion among international stakeholders to address the future of global digital security.
The Prevalent and Growing Need for Cybersecurity
As the internet has become the principal source of information and communication in the developed world,3 new services enabled by the internet, like cryptocurrencies and social networking, affect how people and businesses interact and operate. And as the use of computer networks has increased, so have the threats against them.
Viruses and other malicious software programs that infiltrate and modify systems began as annoyances created by hobbyists. Now they cause billions of dollars’ worth of economic damage each year4 and operate on a global scale.
The ability of organized criminal gangs, terrorists, and even nation-states to manipulate financial, utility, aviation, corporate, medical, and government systems presents a threat to the security of people everywhere. Cybersecurity is essential to confronting these threats and keeping the internet open, free, and secure.
National and Private Sector Cybersecurity Regulatory Efforts
Firewalls, anti-virus software, and other technical safeguards work to protect networks, but they cannot prosecute those behind attacks. This has prompted a discussion of whether there is a need for more government action in what was once a traditionally regulation-free cyberspace.
In the U.S., the Computer Fraud and Abuse Act, passed in 1986, is one key piece of domestic legislation on cybercrime.5 The law prohibits unauthorized access or damage to protected computers. A number of agencies, including the Department of Homeland Security, Federal Bureau of Investigation, and Department of Justice, are responsible for protecting networks, investigating computer crime, and prosecuting cybercriminals.
Elsewhere, cybersecurity is also being addressed. Most developed countries have a multifaceted strategy of preventative, responsive, and offensive actions. For example, Canada emphasizes public awareness to confront cybercrime. In 2012, the Canadian government partnered with nonprofit organizations and private sector companies to create a robust public awareness campaign on cyber security called “Get Cyber Safe.”6 China, in contrast, has a large decision-making apparatus to address cybersecurity concerns. The Central Cyberspace Affairs Commission is headed by President Xi Jinping himself and influences both security and policy.7
International governmental and nongovernmental organizations exist for cybersecurity as well, such as the European Network and Information Security Agency (ENISA)8 and the Forum of Incident Response and Security Teams (FIRST).9
The private sector also plays an important role. For example, in April 2018, 34 global technology and security companies signed the Cybersecurity Tech Accord. The companies pledged to use their resources and platforms to create stronger defenses, oppose cyberattacks, empower users to protect themselves, and partner with each other to minimize threats.10
Examples of Multinational Cybersecurity Initiatives
Despite the international organizations and private sector coalitions, no comprehensive international law on cybersecurity has been universally adopted.
In 2001, the Convention on Cybercrime, also known as the Budapest Convention, produced the first treaty seeking to address cybercrime.11 The treaty defines cyber offenses, and promotes international cooperation to investigate, collect evidence on, and prosecute cybercrime.
As of today, 57 states have ratified the convention, including the U.S. However, important cyber leaders like Russia, China, Brazil, and India have so far declined to do so. The elusiveness of cybercriminals presumably necessitates the participation of all major powers for a treaty to be effective.
This poses a problem because cybercrimes are usually multinational.12 Computer viruses and their creators can originate in one jurisdiction and quickly move to another when threatened. Taking advantage of the lack of global standards, cybercriminals can elude domestic authorities. When cybercriminals are located, authorities often cannot prosecute them because of jurisdiction concerns and inadequate local laws.13
For these reasons, some in the computer security community protest the lack of global standards to judge and punish cybercriminals. Cybersecurity expert Mikko Hypponen in 2011 described the global failure to police cybercrime as comparable to “giving free plane tickets to all the online criminals of the world.”14
In 2013, there was a U.N. report that seemed to work from a consensus assumption that international law applied to cyberspace matters. However, the report was limited to “recommendations on voluntary measures to build trust, transparency and confidence, as well as international cooperation to build capacity for ICT [Information and Communication Technologies] security especially in developing countries.”15
There appears to be a common understanding that a global cybersecurity standard is needed, but coalescing around what that framework might exactly entail and how it would be enforced at a multinational level continues to be an evolving process.
A Digital Geneva Convention?
So, what should international laws on cybersecurity look like? Some call for what Microsoft president Brad Smith describes as a “Digital Geneva Convention,” to draft a body of law addressing the issue.16 Others, like Canada’s U.N. ambassador Rosemary McCarney, argue that existing international law is robust and can be applied to these threats.17
Recent proposals include amendments to the Budapest Convention, a U.N. General Assembly mandated convention, and the creation of an international cyber court or similar body.18
No matter the solution, the complexities of international law will be confronted, including the implications of balancing security and sovereignty in maintaining an internet and global commerce that is both open and secure.
Endnotes
1 EY Center for Board Matters, “Top Priorities for US Boards in 2018.”
2 Meredith, Sam, “Microsoft Calls for ‘New Digital Geneva Convention’ After Spate of High-profile Cyberattacks,” CNBC, as found on June 25, 2018.
3 International Telecommunication Union, “ICT Facts and Figures 2017.”
4 “Viruses That Can Cost You,” Symantec Corporation
5 18 USC § 1030
6 Public Safety Canada, “Government of Canada Launches Cyber Security Awareness Month With New Public Awareness Campaign Partnership,” Market Wired
7 Xinhua, “Xi Outlines Blueprint to Develop China’s Strength in Cyberspace.”
8 European Union Agency for Network and Information Security (ENISA)
9 Forum of Incident Response and Security Teams (FIRST)
10 Cybersecurity Tech Accord
11 Budapest Convention, Council of Europe
12 Mikko Hypponen, “Fighting Viruses, Defending the Net,” TEDGlobal 2011
13 Id.
14 Id.
15 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. General Assembly, “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,” 2013
16 Brad Smith, “34 Companies Stand Up for Cybersecurity with a Tech Accord,” Microsoft
17 Yves Faguy, “The Risk of Negotiating New Cyber Norms in International Law,” National Magazine
18 Elena Chernenko, Oleg Demidov, and Fyodor Lukyanov, “Increasing International Cooperation in Cybersecurity and Adapting Cyber Norms,” Council on Foreign Relations