This is a translation of an article originally published in Dutch in the International Spectator. Please find the Dutch version here.
It is impossible to follow the news without being confronted with ‘cyber’ related issues. Cybercrime, cyber police, cyber-attack, cyber war, cyber terrorism, cyber Monday, cyber punk, cyber party, cybersex and cyberspace are only a few of a long list of words that have joined our vocabulary in recent years. Everything seems to be ‘cyber’.
Although cyber-attacks have so far not led to immediate deaths or large-scale destruction, when we talk about cyber security it is important to know what it is we seek to defend: digital freedoms and our open societies. We need to defend democratic principles not only against outside attacks, but also against erosion from within. Too often freedom is compromised for alleged security or by a focus on a misperceived threat.
Digital freedoms and fundamental rights need to be enforced, not eroded, in the face of vulnerabilities, attacks and repression. This requires addressing essential and difficult questions about how the rule of law, historically bound to a place by jurisdiction rooted in the nation-state, can be implemented in a globally connected world. This is a matter for the EU as a global player, and should involve all of society.
The good news is that we don’t need ‘cyber democracy’ to guarantee ‘cyber security’. In most cases the foundations for resilience are already in our existing laws and regulations. Technologies are an essential part of our daily lives, businesses, education, cultural experiences and political engagement. As a result, resilience and defense need to be integrated and mainstreamed to strengthen both freedom and security.
Today people’s digital freedoms and the open internet are under threat. This is a truly global trend, though its manifestations differ. Repression and human rights violations have a growing technological component. We not only face concrete cybercrime and threats; in many countries, governments’ desire to control and repress has moved online. In other places the problem is rather their inaction and the unbridled privatisation of the web and of the essential, critical functions and uses related to the internet and technologies. There is also the risk that well-intended cyber security measures have a disproportionate collateral impact on our digital freedoms.
To prevent fear, hype and incident-driven policies and practices, knowledge, transparency and accountability are needed. Let us not make ‘cyber’ into something completely different, alien or spacy. But rather, let us focus on integrating technological developments in a way that allows us to preserve core (constitutional) principles, democratic oversight, and digital freedoms as essentials in our open societies.
This is not the trend at the moment.
Race to the bottom
Former U.S. Defense Secretary Panetta voiced the danger of a ‘cyber Pearl Harbour’; I have also heard references to a cyber Cold War. Such metaphors are used to justify on-going efforts in the Pentagon and in defense ministries around the globe to tailor existing doctrines on the definition of ‘acts of war’ to cyber-attacks. Such rhetoric may also be used to legitimise the strongest means of response. A NATO-commissioned study, the “Tallinn Manual”, suggests dozens of very concrete applications of traditional international and martial law online.
A cyber arms race is looming. In such a spiral, means and ends are quickly confused and perspective is lost. Aggressors and defenders may become the same thing. Online, this is more complicated than in the offline world, as questions of attribution remain largely wide open. Even a defense-minded organisation like NATO has focused on defending its own infrastructure, rather than burning its fingers on deciding whether Article 5 (an attack on one is an attack on all) also applies to cyber-attacks or acts of cyber war.
Stuxnet is informally attributed to American-Israeli sources, and attacked Iran’s nuclear facilities. Retaliation is a risk that should not be underestimated. Many countries now have ‘electronic armies’, acting both domestically against dissidents and as enforcers of surveillance and censorship, as well as internationally, often to advance espionage.
Especially as governments rely increasingly on private actors to secure, manage and develop critical ICT infrastructures and services, incentives and responsibilities need to be carefully thought out from a long-term perspective. Though interdependent, governments and private actors each play a different role. Priorities need to be set, and ultimate responsibility needs to be transparent and unambiguous. Depending on private actors for security and critical infrastructures may well lead to more vulnerability.
Companies have an important role to play in society and in ensuring security. They are now also confronted with challenges that traditionally were dealt with by diplomats or politicians. The commotion around the ‘Innocence of Muslims’ clips is a case in point. Companies also face requests by governments to delete content, block access or provide personal user data. This pressure is likely to increase.
The shifting reality between state sovereignty and online ‘borderlessness’ can offer both challenges and opportunities:
Seen from our perspective, it offers opportunities to help, for example, Iranian people access information. Seen from the Iranian government’s perspective, the availability of access to the World Wide Web has been the incentive to build a national internet, which serves as an intranet: highly censored and centrally monitored.
Clearly, the interests of governments and companies do not always overlap. Companies are accountable to their shareholders, and seek to make profit. This can be in sharp contrast with the public interest which governments need to consider and safeguard.
Security software companies may see sales increase when fears rise. Are the software systems in our cars really at risk? And what methods are used to come to the widely reported figures on threat levels coming from industry players? In the public interest, threat assessments should be evidence based when feeding into policy making.
Some companies have a reputation to lose. Therefore, reporting software vulnerabilities or security breaches may not be attractive. In the public interest, notification or reporting obligations make sense. To avoid headlines each time a breach is reported, we should consider allowing reporting in a confidential environment. In a globally interconnected world where critical ICT infrastructure and software used by millions are privately owned, companies have the responsibility to report when our societies are at risk. Given that the large majority of vulnerabilities relate to software made in the United States, reporting standards and transparency would be an improvement in US regulation.
Not all companies have a reputation to lose among consumers in our own markets. There are European and American companies selling to third-country governments that may have commercial interests going directly against our own political interests. One of the most prominent examples, which needs to be addressed for the sake of preserving digital freedoms as well as our strategic interest, is the export of digital arms.
Mass surveillance, mass censorship, tracking and tracing systems, as well as hacking tools and vulnerabilities, can be used to harm people as well as our own security in Europe. Though overregulation of the internet should never be a goal in and of itself, regulation of this dark sector is much needed to align our values and interests in a digital and hyper-connected world. There are many European examples. FinFisher software, made by the UK’s Gamma Group, was used in Egypt while the EU condemned human rights violations by the Mubarak regime. Its spread to 25 countries is a reminder that proliferation of digital arms is inevitable.
Vupen, in France, is perhaps best labelled an anti-security company: it sells software vulnerabilities to governments, police forces and others who want to use them to build (malicious) software that allows infiltrating people’s or governments’ computers.
It is unclear which governments are operating on this unregulated market, but it is clear that the risk of opening a Pandora’s box is huge if nothing is done to regulate this trade by adopting reporting obligations. The US government has stated that American-made lawful intercept technologies have come back as a boomerang when they were used against US interests by actors in third countries.
Other companies, such as Area SpA from Italy, designed a monitoring centre and had people on the ground in Syria helping the Assad government in anti-democratic or even criminal behaviour, assisting the crackdown against peaceful dissidents and demonstrators.
These companies may well be complicit in grave human rights violations. A criminal case against a French company for exactly this business behaviour is now under consideration by a Paris court and could set an important precedent for others. Can we hold companies and their executives accountable for complicity in human rights violations and for creating security threats by knowingly selling digital arms to repressive regimes?
European and American companies are among the top sellers of technologies that are used for mass surveillance, monitoring and censoring of people from Iran to Syria, from China to Bahrain. If governments are condemning human rights abuses on a political level while permitting companies to sell repressive technologies to the same regimes, this hurts our credibility and stores up all manner of problems for the future. We need to bring proper scrutiny and international agreement to stop this digital arms trade. That discussion should not only be dealt with in relation to human rights, but also to ensure our strategic interests are not undermined.
Draft legislation by the Dutch Minister of Justice, allowing the police to ‘hack back’, and to develop tools to that end, seems not to have been assessed from an international perspective.
To understand how technologies could impact people, assessing varying contexts is increasingly important. Legal and technical concepts do not necessarily apply equally in a different context: how legitimate is it to sell technologies designed for lawful interception to countries where the rule of law does not exist? Technological standards do not exist in a vacuum, and yet they are almost impossible to contain in one place. EU and US regulations, for instance, require so-called back doors in telecom infrastructures to allow law enforcement authorities to access information and communications, (ideally) subject to prior approval by an independent court, where necessary to solve crimes. Imagine how these technological abilities play out in countries like Iran or Syria. How lawful can interception be without the rule of law?
Assessments of potential damage to human rights and cyber security should be done in the R&D phase. We must work according to human rights and security by design principles to ensure public and strategic interests.
In the discussions about ‘cyber’, governments risk losing credibility, either by inadequately protecting the public, or by overreaching in offensive actions.
To avoid a slippery slope, clear distinctions between various crimes and threats are needed. Economic damage resulting from criminal activity should warrant a different response than a state-led attack posing a national security threat. Yet at the moment, at least in the public debate, the distinction between various cyber threats is very unclear. Uncertainty can make people feel vulnerable, while it is internet users and citizens who need to be informed and empowered. We need to build resilient and educated societies instead of instilling fear.
States also need to prioritise in their partnerships, and look for consistency of action by different government departments. Recently, the United States chose to sign a bilateral agreement with Russia on combating intellectual property rights infringements. The agreed cooperation seems in direct contradiction with the objectives of the State Department in the field of internet freedom. In Russia, a newly adopted law gives the state the authority to use Deep Packet Inspection on internet traffic.
The implications of the use of technologies in a specific country will be more and more difficult to confine to the territory of that same country. The extraterritorial impact of laws, related to the World Wide Web, will become increasingly sensitive in the next years.
With the growing availability of cloud services, liability and security questions are complex. The Patriot Act, a far reaching and controversial American law adopted after 9/11, would apply to all data in the cloud. There are new, equally controversial proposals on the table constantly, in many places in the world.
For economic reasons, IPR enforcement is pushed across borders, and the configuration of the web and the terms of service of popular online platforms facilitate global reach for American prosecutors.
Can an ‘internet public’ find ways to hold new power brokers to account? The fights against the Stop Online Piracy Act, the Protect Intellectual Property Act and against the Anti-Counterfeiting Trade Agreement suggest global constituents can successfully rally online. In The Netherlands the parliament pushed to enshrine net neutrality in law, and I am hopeful this will become European law as well.
In the anticipated US-EU free trade agreement, standard setting and cooperation in the field of the digital economy and cyber security will certainly come up again and cause controversy.
Governance in a borderless world
In a globally connected world, traditional borders of land and jurisdiction have lost their exclusive ability to govern and structure international relations.
There is a growing tension between our legal and political structures. While borders play little role online, our mandates as politicians and lawmakers are enshrined in law and legitimised by democratic elections, creating jurisdictions still inextricably connected to the nation state. Confederations, international organisations and political unions, with their respective bodies of laws and regulations, are established by treaties or international agreements. Their founding was a political act. The global borderless digital sphere lacks such foundations and evolves day by day, organically and sometimes in confrontation.
Governments, legal experts and politicians are only at the beginning of the process of redefining their position in relation to the territorially based laws and the borderless internet that is mostly in private hands.
In their response, a tendency to re-territorialise can be observed. States pass national laws bringing the internet under their control, or push for international agreements that re-instate top-down control. The EU needs to play a strong role in internet governance fora, where arguments about increasing cyber security are used to nationalise the internet, hurting its open character as well as the rights and freedoms of the people using it.
The EU needs to be aware of its own dependence on others, both on private actors in general and on private actors from third countries. Outsourcing security, police and law enforcement responsibilities to private companies worryingly bypasses democratic oversight, judicial oversight and protection, as well as the other checks and balances constitutionally available to citizens and businesses.
Instead of looking for a silver bullet we need to work on a case-by-case basis in a constantly dynamic environment, by analysing as it were snapshots or X-rays of aspects of our ICT ecology or global cyberspace. That way the various layers and actors can be identified. Cyber threat assessments and proportionate responses should be assessed in a wider geopolitical context.
Breaches of SSL certificates, for example, require a different set of actors and solutions than massive DDoS attacks, addressing the market for zero-day exploits, or the risks to consumer data in the cloud. Scenario studies should help us to identify threats and to train adequate responses.
A matrix of threats, indexed by importance or possible impact, should be drawn up and matched with flexible clusters of companies, scientists and officials, so that our responses ensure maximum security, freedom and effectiveness in a timely way. Chains of command as well as accountability need to be clear.
If the range of ballistic missiles or the number of fighter jets were traditionally the standards by which a country’s power or strength was measured, from now on it is the sophistication and distribution of its ICT security policies and the effectiveness of its intrusion detection mechanisms that will determine a country’s resilience, security and defense capabilities. While the image of a ‘cyber Pearl Harbour’ successfully created a sense of urgency, it wrongly pulled cyber security policies into military headquarters.
Instead of choosing a narrow defense angle, it takes politicians, watchdogs, researchers, activists, citizens and regulators to make sure that security and digital freedoms are properly included in the development and trade of new technologies, to protect citizens and consumers.
The strength of an open society is tested especially when it comes under (perceived) threat.
Given the nature and multiplicity of actors in the cyber-ecosystem a comprehensive and civil approach is necessary. We need an integrated and mainstreamed strategy. Cyber security belongs in parliaments and homes rather than exclusively in military headquarters or specialised units.
Lawmakers should engage in cross-border dialogues to assess the impact of increased divergence between territorial jurisdiction and online services, behaviour and accountability.
They should do so with their roots in democratic principles in mind; without those, what is there to defend? The EU, as a community of values and as a trading bloc, should have the ambition to lead in pushing for trust, security and digital freedoms.