The Wednesday’s indictment of Russian hackers, including from Russia’s Federal Security Service, over cyberthefts against Yahoo and the continuing controversy around cyberattacks by Russia against the Democratic National Committee have highlighted the challenge of internet vulnerability.
In France, too, the campaign of the leading independent candidate is subject to extensive cyber intrusions. In Germany, the parliament has been attacked and the intelligence services have warned of potential impacts on the upcoming election.
The problem is hardly limited to government: Last year, cyberattacks disrupted service for Twitter, Spotify, CNN, Yelp, Amazon, Netflix, The New York Times, PayPal and others. These attacks succeeded by focusing on a key internet infrastructure provider, but their breadth underscored what prior intrusions into the Office of Personnel Management, Yahoo and Target, as well as similar attacks in Europe on France’s TV5, the telephone systems of Poland and Norway and Ukraine’s electric grid had already shown: The threat to the internet is serious and escalating.
As challenging as such attacks are, they can be met if the United States and like-minded countries undertake to do so. The first step would be to organize properly, working across national jurisdictions to ensure the stability of the global internet system. An International Cyber Stability Board of highly cyber capable nations consisting initially of the United States, Canada, France, Germany, the United Kingdom, Japan, the Republic of Korea and Australia could join together to create international standards, protect infrastructures and undertake common approaches to develop a more resilient future internet. Such an approach could both go far beyond what current institutions can do, but also build on and make enforceable standards and other actions undertaken by existing entities. The key is combined efforts by like-minded nations across international borders, rather than reliance on narrowly focused expert groups – an approach which the attacks noted above demonstrate has been an abject failure.
There is precedent to such a broad-based international effort. The Financial Stability Board, initially established in an earlier form by the leading industrial, or G7, countries in 1999, promotes regulatory standards that ensure the systemic stability of the international financial system. Board-proposed standards are adopted at the national level on a voluntary basis, while the board encourages implementation with a “peer review” program of its members. The Proliferation Security Initiative, initially begun with 11 core states, undertakes to limit actions affecting nuclear proliferation.
As these efforts show, acting in concert beyond national boundaries strengthens the ability of like-minded nations to enhance global stability. Cyberactivity has the obvious characteristic of simultaneous operations across multiple national boundaries, with the potential of cascading global impact. An International Cyber Stability Board, similar to the Financial Stability Board and the Proliferation Security Initiative, could have the same value of coordinating cross-sovereignty considerations. The board would work best by focusing on three areas.
First, the board could protect the critical infrastructure backbone of the internet – those entities that are systemically important to internet stability. Attacks last year on Dyn, a U.S.-based company whose role is central in routing internet traffic, and SWIFT, a Belgium-based corporation that links over 9,000 different financial institutions in over 209 countries to securely send and receive information related to money transfers, illustrate the vulnerabilities in critical infrastructure that exist.
Attacks like these create systemic risk in the global internet network. To counter this, the Board could help establish, or adopt from existing expert groups, appropriate controls to create significant resilience for such crucial infrastructures. It could likewise support contingency planning for cross-border crisis management during or in response to future attacks. Such actions are beyond the capacity of a single business or single government, and no expert group operating narrowly has the capacity for an international enforceable approach such as contingency planning.
Second, the board could establish an enforceable set of standards for the rapidly emerging so-called internet of things. As last year’s cyberattacks, cameras, baby monitors and other ordinary devices have demonstrated, the intenet of things – connecting machines to computers and linking them through the internet – is already upon us. In the next decade, the internet of things will expand by orders of magnitude, connecting all manners of items, from cars to health devices to buildings and more. While such connectivity comes with promises of better living standards, greater efficiencies and lower costs, the recent attacks reveal the potential of the internet of things to be exploited to further cybercrime, increase personal vulnerabilities and cause structural failures of critical infrastructures ranging from transportation to food chains and health care. Such downsides could be significantly mitigated, however, if proper controls for connected devices were required, including software designed only to operate in specific ways without the ability to be modified.
The board could rely on expert groups for guidance, but enforceability will require agreement among like-minded governments. Certainly, there would be costs, as there are costs associated with seat belts, air bags and other safety devices for cars, but the social benefits would far outweigh that price. Moreover, if all manufacturers across like-minded nations were required to adopt them, there would be no loss of competitive advantage.
Third, the national members of the proposed board have all been subject to cyber espionage, politically motivated intrusions and criminal activity. The board could help coordinate international responses to these activities, including the sharing of data, analysis and tools, and undertaking coordinated campaigns and responses. A multinational effort coordinated by the board to utilize intelligence, cyber capability, financial, law enforcement and other powers to disrupt the actions of malicious actors would have significant impact. For the board to be fully effective, it should go beyond the establishment of information-sharing standards and to undertake a coordinated operational approach. There have been some useful actions taken by groups like Interpol but, as the prevalence of botnets and other malicious malware demonstrates, a much more effective effort is needed.
The board will necessarily have to establish working arrangements with key private entities both for creating and enforcing controls and undertaking operations, and, as noted above, for working with existing expert groups and institutions. It is worth recognizing, however, that the broad set of activities proposed for the board are not something that can be done through existing institutions.
For example, the North Atlantic Treaty Organization can have an effective role in defending its members against high-end cyberattacks, but the organization does not oversee electric power, telecommunications or financial institutions. The European Union does not include the United States or the key like-minded countries of the Asia-Pacific and it has only limited authority over cyber activities. Neither organization can effectively organize private entities to meet operational cyber challenges in a meaningful way. Likewise, narrowly focused expert groups cannot have the impact that a multigovernmental approach of like-minded nations would have.
The board would be uniquely situated to organize public and private capabilities to meet challenges that cut across existing bureaucratic lines. One important task for the board would be to establish a network of strategic decision-makers – including from the private sector – comprised of individuals with specific area expertise, identified in advance to manage cyberattacks of significant consequence, such as attacks on critical infrastructure. This organized mechanism with established procedures would be of far greater value than the current ad hoc approach to such significant challenges.
Cyber capability has become an integral part of modern life, and modern institutions are necessary to safeguard it. Currently, no entity has the information or the capacity to formulate an assessment broader than one based solely on a nationwide or sector-specific basis of the evolving risks to the stability of the internet. An International Cyber Stability Board could help to ensure that national and international authorities, relevant international supervisory bodies and expert groups can effectively promote international internet stability and reduce systemic risk.
