In my first essay of this series, I described cyberspace as one of the most unique and complex environments ever to exist. I then argued that deterrence in cyberspace is fundamentally an issue that is distributed among the private and public sectors within and between nations. Therefore, I offered that deterrence solutions must be multi-faceted and include multi-party participation. Since the private sector owns, operates and maintains the vast majority of the cyberspace environment, industry should be one of the most important participants in the deterrence discussion. However, most of the discussion focuses on the role that governments play, while industry’s role is often an afterthought and its participation extremely limited.
This essay series focuses on the role of the private sector and how industry can contribute to governmental efforts in deterring cyberthreats. My first essay in the series discussed the growing role of the private sector in cyberthreat intelligence and information sharing. This second essay discusses the role of industry in the development of norms of responsible behavior in cyberspace and how this supports deterrence.
Component Elements of an Effective Cyber Deterrence Policy – a Refresher from My First Essay of the Series
As a reminder, my first essay of this series described the basic components of an effective cyber deterrence policy as incorporating these components:
- A description of what types of activities the policy seeks to deter
- Deterrence by denial
- Deterrence by cost imposition
- Activities that support deterrence
It’s within the last component – activities that support deterrence – that I’m focusing my effort to describe why I believe industry can become a more effective partner to governments in contributing to deterrence in cyberspace.
Activities That Support Deterrence – Industry’s Role in Norms of Responsible Behavior in Cyberspace
Most of the discussion about establishing norms of responsible behavior in cyberspace has been about activities and issues between nations. Not surprisingly, the majority of this discussion has occurred within purely governmental forums, the most well-known of which have been the United Nation Group of Government Experts (UNGGE) and the G20 Forum.
These forums have been about gaining greater international acceptance that, during peacetime, nations:
- Should not conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide services to the public.
- Should not conduct or knowingly support activity intended to prevent national computer security incident response teams (CSIRTs) from responding to cyber incidents.
- Should not conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantage to its companies or commercial actors.
- Should cooperate, in a manner consistent with domestic law and international obligations, in requests for assistance from other states investigating cybercrimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from its territory.1
However, norms of responsible behavior in cyberspace should not be limited to governmental interaction. The private sector has significant interest to get involved because it can be directly impacted by norms from a global business perspective. The Australian Strategic Policy Institute has done some research on the potential impact, and some of examples include “intellectual property theft, data retention obligations, the preservation of the free flow of information, supply chain management, critical infrastructure protection and compliance with information control regimes.2
Additionally, private sector participation and influence can help to “be a key ally and ‘norm champion’ in the push to embed positive behaviours … and can assist with the establishment, socialisation and implementation of norms among … customers, other companies and governments.”3 As previously mentioned, the distributed cyberspace environment demands multi-party solutions to today’s challenges, and the issue of deterring cyberthreats through establishing and implementing norms of responsible cyberspace behavior is no exception.
There are currently several high-profile and contentious issues which would benefit from greater private sector engagement, including the free flow of information across borders, mandatory insertion of “backdoors” into information technology products, the use of information security concerns as a pretext for trade restrictions, private sector responsibilities in controlling its own supply chain management, and even the right of businesses to “hack back.”4
These issues should be included in the heretofore government-only global norms forums and industry’s inclusion in the discussion will guarantee better, more practical and more sustainable outcomes for each issue.
Conclusion and Practical Example of How This Can Work
There should be clear recognition that industry has an increasingly important role to play in informing the discussion, supporting the establishment and enforcing the implementation of norms of responsible behavior in cyberspace. Moreover, governments should not only recognize this, but encourage private sector participation and perhaps even creatively incentivize implementation enforcement of the norms throughout industry to strengthen acceptance and scale the effects globally.
I’m certain one of the governmental concerns about including the private sector in the norms formulation process is the sheer complexity and confusion resulting from adding even more voices to an already overcrowded forum. One way to deal with this challenge is to establish a participatory structure and process through manageable stages. An excellent example of how to do this was led by the U.S. Commerce Department in the formulation of the National Institute of Standards and Technology (NIST) Cybersecurity Framework,5 a brilliant model of public-private partnership with extremely effective industry inclusion.
There’s no need to start at square one either. Both Microsoft6 and Symantec7 have already shown leadership and initiated discussion about private sector norms, demonstrating industry interest and showing that this can be done. However, there has been little integration between these initial industry-led efforts and those of the governmental forums previously described.
Additionally, it may prove more manageable to begin with one issue that is common to both public and private sector interests. Starting small, learning lessons, making adjustments and then expanding the effort has obvious advantages when it comes to complex efforts involving multiple interested parties. In this vein, the Carnegie Endowment for International Peace has already called for a similar approach in a recently published white paper titled “Toward A Global Norm Against Manipulating the Integrity of Financial Data.”8 This effort is about aligning a global financial sector concern directly under the UNGGE and G20 approved norm against attacks on critical civilian infrastructure during peacetime.
Using this approach, the U.S. government could follow the same basic NIST framework process model to set an example of industry inclusion and encourage the development of complementary government and industry norms that can be showcased to garner support from the rest of the international community.
Next month in my final essay of this series, I’ll discuss the need for a greater industry role in research, development and implementation of technical solutions to more effectively defend against modern cyberthreats.
1 http://federalnewsradio.com/cybersecurity/2015/12/white-house-finally-acquiesces-congress-cyber-deterrence-policy/ See embedded policy document link in article, 17.
2 Pamphlet published in 2016 by the Australian Strategic Policy Institute (ASPI), International Cyber Policy Centre, “Cyber Norms and the Australian Private Sector,” 9.
3 Ibid., 10.
4 Ibid., 17.
6 Nicholas P 2016. “Cybersecurity norms: From concept to implementation, Microsoft Secure Blog, 8 February, https://blogs.microsoft.com/cybertrust/2016/02/08/cybersecurity-norms-from-concept-to-implementation/
7 International Cyber Norms: Legal, Policy & Industry Perspectives, NATO CCD COE, https://ccdcoe.org/multimedia/international-cyber-norms-legal-policy-industry-perspectives.html.
8Tim Maurer, Ariel (Eli) Levite, and George Perkovich 2017. “Toward A Global Norm Against Manipulating the Integrity of Financial Data,” Carnegie Endowment for International Peace white paper, https://www.lawfareblog.com/toward-global-norm-against-manipulating-integrity-financial-data