
Cyberspace as Global Commons

DQI Bureau

Cyberspace is similar to the early ungoverned sea domain - the great 'Cyber Sea', with 2 mutually exclusive scenarios for governance. One - international agreements to access cyberspace commons are worked out, and it is used for economic benefits of nations. But if the international community is unable to develop rules regulating the cyberspace, countries are likely to use it for cyberwarfare, including causing harm to civilians through disruption of critical infrastructure.


If cyberspace becomes more anarchic, the second scenario likely will be the governance mode. Economic benefits from innovation, and free flow of information will get undermined, and cybercrimes will expand with criminals forming syndicates, and lending out their services for a fee. States will struggle to balance privacy and law enforcement in their attempts to control cyber crimes. This also will have implications for liberty, justice, or free expression. War and control: Deterrence and arms control in cyberspace.


The Approaches


There are competing approaches to managing access to the cyber commons that are differentiated by unique ethnographic and cultural attitudes. For example, several national governments are seeking to keep a tight control on the expansion and use of the internet throughout their populations (Middle East, China). Authoritarian economies are trying to impose direct information censorship in order to regulate trade in information based services (China).


While the Arab countries recently witnessed widespread use of cyberspace in mobilizing citizens for democracy, governments are fast catching up to use the same tool to their advantage. Is the Arab spring short-lived? No other mode of communication in human history has facilitated the democratization of communication as the internet (tweets grew from 500,000 in 2007 to more than 4 bn in Q1 of 2010).


Governments, in attempts not to lose control, are seeking to impose new rules and regulations. Many of them are trying to control it through the UN. The Working Group on Internet Governance (WGIG) was a multistakeholder group initiated after the 2003 WSIS, 'to investigate and make proposals for action, as appropriate, on the governance of internet by 2005'. It was tasked with developing a working definition of internet governance, and with identifying the public policy issues that are relevant to internet governance.


The group was to develop a common understanding of the respective roles and responsibilities of governments, existing international organizations, and other forums as well as the private sector and civil society from both developing and developed countries. The existing institutions like the ICANN and IETF are responsible for developing standards and for smooth operations of the internet on a global scale. Can these functions work under a UN entity?


The world requires effective and efficient operations, even while innovations in cyberspace continue. The record of the UN doesn't inspire confidence that such an important communications infrastructure can be transferred to it. There is a growing impression that countries requiring an 'equal' say in internet governance actually want to conduct censorship or monitor citizens. There's also fear that increased 'governance' is likely to bring more regulation, and make access more expensive. Moreover, the government-focused 'top-down' philosophy is seen to be incompatible with the current 'bottom-up' structure of the internet.


The US government, on the other hand, has reiterated that ICANN and IETF will continue to govern the internet, and the former will 'maintain its historic role in authorizing changes or modifications to the authoritative root zone file'. The US is flexible on the principle of global involvement, and strong on the principle of multi-stakeholder participation.


But it appears to be inflexible on the need for the US control to remain for the foreseeable future in order to ensure the 'security and stability of the internet'. Governments will have a larger role in the management of their ccTLDs, and there will be no change to the management or control of the root zone file.


Governance of cyberspace commons addresses only part of the problem for access and stability. We can argue whether the existing control of the US is legitimate. But there is no denying that the internet operates effectively and efficiently. However, the use of cyberspace for attacks against national assets in various countries cannot be prevented without global cooperation.


Global Problems


Securing cyberspace, or cybersecurity is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. Cybersecurity is not a technology problem that can be 'solved'. Yet another characteristic is as follows: The infrastructures are owned and operated by the private sector, and cyberspace passes through various legal jurisdictions all over the world.


Each government has to engage in supporting its private sector for cybersecurity through effective public-private partnership (PPP) models, with clearly-defined roles for government and industry. Because cyberspace is relatively new, legal concepts for 'standards of care' do not exist. Should governments create incentives to generate collective action?


For example, they could reduce liability in exchange for improved security, or introduce tax incentives, new regulatory requirements, and compliance mechanisms. Nations have to take appropriate steps in their respective jurisdictions to create necessary laws, promote the implementation of reasonable security practices, incident management, and information sharing mechanisms, and continuously educate both corporate and home users about cybersecurity.


As we have observed earlier, attribution is a major problem in cyberspace; determining responsibility for a cyberattack is extremely difficult. It was not possible for Estonia, for example, to pinpoint the attackers; nor did it get any help in tracking down the true source of the botnets because existing agreements and treaties lack mandatory enforcement mechanisms.


What are the options for legal analysis of a cyber attack? Is it possible to analyze a cyberattack based on the present notions related to 'use of force' and 'armed attack'? Should these be judged primarily by the mode of attacks as in the physical world, or by both the direct and indirect effects of the attacks?


The principles of the Law of Armed Conflict (LOAC) and the Charter of the United Nations, including both laws governing the legality of going to war (jus ad bellum), and laws governing behavior during war (jus in bello), should apply to cyberattacks.


But the international community needs to debate how these principles should apply to cyber weapons, particularly how they relate to traditional notions of territorial integrity. Espionage through cyberspace will have to be suitably accommodated, since it is largely an accepted phenomenon in the physical world. But it may be difficult to define the boundaries of cyberespionage and cyberattack.

International cooperation is clearly essential to securing cyberspace. When it comes to tracking cybercriminals, it is not only the laws dealing with cybercrimes that must exist in various countries, but the collection of appropriate cyber forensics data in various jurisdictions and their presentation in courts of law, which are essential to bring criminals to justice in sovereign countries. The term 'cybersecurity' depends upon international cooperation at the following levels:

  • National nodal centers on information infrastructure, based on public-private partnerships, to cooperate.
  • Global service providers such as Google, Microsoft, Twitter, Yahoo, and Facebook to cooperate with law enforcement agencies (LEAs) in all countries and respond to their requests for investigations.
  • Computer Emergency Response Teams (CERTs) to exchange threats and vulnerabilities data in an open way to build an early-watch-and-warning system.
  • Incident management and sharing of information with a view to building an international incident response system.
  • Critical-infrastructure Protection: Establishment of an international clearing house for critical-infrastructure protection to share threats, vulnerabilities, and attack vectors.
  • Sharing and deployment of best practices for cybersecurity.
  • Creation of continued awareness on cyber threats, and international coordination as part of early-watch-and-warning system.
  • Acceptable legal norms for dealing with cybercrimes regarding territorial jurisdiction, sovereign responsibility, and use of force to reconcile differing national laws concerning the investigation and prosecution of cybercrimes, data preservation, protection, and privacy. Address the problem of existing cyber laws that do not carry enforcement provisions.
  • Incident response and transnational cooperation, including establishment of appropriate mechanisms for cooperation. Such measures must include provisions to respond to counter cyber terrorism, including acts of sabotage of critical infrastructure and cyberespionage through Information Warfare (IW).
  • Law Enforcement Agencies (LEA) to investigate cases, collect forensic evidence at the behest of other countries, and prosecute cybercriminals to bring them to justice. Will countries engaged in cyberwarfare, directly or through non-state actors, cooperate in collecting and parting with cyberforensic evidence to their adversaries?
  • Cyberwarfare: Clear definitions of attacks, attribution, and applicability of LOAC will be a good start, though it'll be extremely difficult to say when the war began, and who did it, and whether it has ceased.


Conclusion


Cyberspace is both a global commons and a national asset. To protect national assets, rules of the road are required for the cyberspace commons, because cyberspace spans the globe seamlessly. It is a man-made global commons; its size continues to increase as broadband is added, and more applications are mediated through it. It is a global commons where each of the assets is owned by individuals or organizations. More and more critical infrastructures are owned and operated by the private sector.


Hence cybersecurity is intimately linked to national security. While governments are responsible for national security, cybersecurity requires active partnership of the private sector to protect national assets. Further, attribution difficulties in tracing an attacker promote anonymity in cyberspace. Finally, non-state actors play a significant role in cyberattacks, and can work hand-in-glove with nation-states in cyberespionage and cyberwarfare without getting identified.


Governments and the private sector have to work together to evolve rules of behavior. Public and private partnership is critical. Traditional law enforcement is inadequate because evidence may span global servers and networks in various jurisdictions; cyber investigations require international cooperation. In the case of state-sponsored attacks, law enforcement cooperation is very difficult.


Since the distinction between cyberattacks and cyberwarfare is thin (the same attack vectors can lead to different outcomes), there is a need to define the conditions under which a computer network attack is an 'act of war'. Will LOAC be applicable in case of cyberwar? Are states responsible for computer network attacks and espionage that originate in their territory, even if they are not directing those acts? Does the concept of cyberarms control or a cyberspace treaty have any merits?


The cyberspace commons stands at a very early stage of development, and a very immature state of understanding. Countries are trying to weigh their options - whether it's the right time to have a treaty, or whether they'll be disadvantaged compared to others. Cyberweapons are being developed by all countries - over 100 countries are engaged in cyberwarfare. Will this domain be used to gain supremacy in traditional military warfare?


Given the dependence of countries on cyberspace for their economic growth and development, their stakes in its access and stability are high. The international community should engage at all levels - governments, private sector, track II - to create rules of behavior in cyberspace, to protect it as a commons so that it is not used by criminals and non-state actors to launch attacks on national assets of countries.


(This is the second in a two-part series)

Dr KAMLESH BAJAJ
The author is CEO, Data Security Council of India
(The views expressed here are his personal ones)
maildqindia@cybermedia.co.in
