Cyberspace Security: a New Global Agenda

By Liang Ping

?

Cyberspace Security: a New Global Agenda

By Liang Ping

World Economic and Political Institute, CASS

Recent years have witnessed rapid development of the Internet in the world. Having pushed on the world economic, political, cultural and social development, cyber networks have also created new security problems. Cyber-crime, cyber-terrorism, hackers attacks and cyber warfare have highlighted threats to national security and Internet also played a role in fueling the changing situation in West Asia and North Africa. Since cyber networks are concealed, fast and difficult to track, so they can easily cross traditional national borders, and easily launch intrusion into a cyber network of important sectors of a country, but it is difficult to track the source of the threat, which brings great threats to national security. Cyberspace as a new global governance issue, to reach global international norms in the future faces many difficulties and challenges.

Overview

The cyber networks have changed the traditional means of warfare and organization, but also have brought new shocks and threats to national security. However, before the 1990s, cyber security had never been an important international security issue until the outbreak of the Gulf War in 1991 after the end of the Cold War. This operation is viewed by the U.S. military strategists as an important watershed in modern warfare, supreme military power is no longer the only magic weapon to win in battlefield, and more important is to have capabilities to win war in information warfare and to ensure information dominance. In 1993, the U.S. Rand Corporation's two researchers John Arquilla and David Ronfeldt in a research report warned first the "coming cyber warfare".1For a time, there occur rampant debates on computer, national security and cyberspace, so cyber warfare becomes the most popular buzzword.

The year 2007 is the turning point for cyber security to be integrated into the national security agenda, because cyber warfare since then has again and again become a reality. In April 2007, Estonia suffered massive cyber intrusion from unknown sources, the entire economic and social order completely paralyzed, and which is the first cyber attacks launched against an entire country in the international community. Technically, this cyber intrusion had no new innovation, but the unprecedented phenomenon is attack rhythm, volume and duration never seen before. It has deepened the U.S. awareness of cyberspace threats, so cyber warfare has caught the vision of entire international community.

It is after Iran’s incident that cyberspace security actually starts to produce high-level vigilance and attention by national security decision-makers. Many strategists believe that pre-emptive cyberspace has emerged, and "cyberwar" Pandora's box has been opened.2Joseph Nye argues that people just begin to see the way cyber warfare operates, non-state actors are more likely to launch cyber attacks compared with state actors, the repetition of "Cyber 9/11" threat may be more likely to occur than the "Cyber Pearl Harbor", and now it is high time for various countries to sit down and discuss how to guard against cyber threats and maintain world peace.3

II. Cyberspace Threats to National Security

Compared with sea, land, air, and outer space, security threats of cyberspace also has its unmatched features. Firstly, despite high mountains, deep sea and traditional national borders, it can launch instantaneous attacks on targets from distant place rather than confronting an enemy on battlefield. Secondly, the Internet has a strong concealed factor, cyber attackers can launch cyber intrusion hiding in an unknown place on Earth, without leaving any traces of being tracked. Thirdly, its targets are more extensive, can cover a country's infrastructure, finance and banking sectors, logistics and transportation systems, national data centers and others, which traditional military operations find it difficult. Fourthly, cyberspace security for military and civilian facilities is mutually integrated, and it is difficult to completely separate the one from the other. Fifthly, once a cyber-weapon ( such as a virus) is invented, it is very easy to spread and duplicate, so the threshold to launch cyber intrusion is much lower than launching an armed operation.

In accordance with different actors, the author classifies cyberspace threats to national security as hackers attacks, organized cyber-crime, cyber-terrorism and state-supported cyber-warfare. Generally, from individuals to non-state actors, to acts of state, their posed threat to national security level is incremental. As a source of threats, their potential damages should not be underestimated to national security.

III. The Global Cyberspace Governance

Cyberspace has no geographical boundaries, so its extension can be infinite world-wide. Cyber security has become a global threat, so a global problem requires global joint responses. Global cyberspace governance is mainly reflected in national, multilateral mechanisms aspects. Up to now, an international treaty specifically on cyberspace governance is still absent in international law, and vigorously pushed by the EU and relevant United Nations agencies, global cyberspace negotiations is brewing.

A. National responses

(1). The United States

The United States, as the Western power with the strongest comprehensive national strength, technological and military strength in the world, is the earliest to have developed the world first national cyberspace security strategy. In February 2003, the United States issued the, which clearly states that presently, commercial transactions, government operation as well as national defense have changed their way of operation, and these activities seriously depend on interdependent cyber networks between information technology and infrastructure, namely cyberspace, so with increasing number of cyber security threats, the United States should actively respond to these threats.4As a result, it requires the federal government, local government, and private sector and U.S. citizens to collaborate to jointly cope with this extraordinary challenge.

In the year 2009, after taking charge of the White House, Obama has basically inherited the existing cyber security strategy. However, with the emerging cyber attacks, the U.S. cyber security strategy still reflects two major changes: Firstly, the U.S. Government is ready to fight a cyber war. Secondly, the focus of the U.S. cyber security strategy has been shifting from home to overseas. In May 2011, U.S. Secretary of State Hillary Clinton announced the U.S. cyberspace international strategy, emphasizing importance of cyberspace security for foreign affairs, defense and economic affairs. In line with this new strategy and seeking to cooperate with other countries, the United States will encourage a culture of responsibility, and support cyberspace international legislation in order to advance and build safe and free global information networks.5

In collaboration with implementation of the new strategy, the United States is prepared to introduce a new comprehensive cyber security strategy. It is reported that the new strategy has a unique vision and is innovative indeed. In April 2010, the U.S. Cyber Command Keith Alexander proposed strengthening of three cooperation in cyber security defense, information sharing among various departments and strengthening cooperation in the Internet cyber systems and business-governmental cooperation.6In November 2011, the United States adopted a new "which states that once the United States is met with a major cyber attack against its economy, government or military, the United States has the right to retaliate militarily.7In September 2012, the U.S. State Department chief legal adviser Harold Koh specifies ten U.S. legal principles applicable to cyber warfare, and unambiguously states that international laws are applicable to cyberspace .8

2. The European Union

After the United States, some EU countries are also increasingly concerned about the security of national information facilities. Germany in 2005 formulated the "" (NPSI), and Sweden in 2006 adopted the. It is until the year 2007 after Estonia suffered massive cyber intrusion that the EU countries have incorporated the cyberspace security into the national security agenda. Currently, 10 EU Member States (Estonia, Finland, Slovakia, the Czech Republic, France, Germany, Lithuania, Luxembourg, the Netherlands and the United Kingdom) have developed and published their national cyberspace security strategies .

In June 2009, the British Government officially adopted the, which stresses just as the 19thcentury Ocean-based and the 20thcentury the Air-based national security and prosperity, the 21stcentury national security is based on the cyberspace security. The Strategy identifies four strategic objectives, and decides to strengthen the institutionalization of cross-sector cooperation, and cooperation between the Government, public sectors, private companies and international partners. Regarding its organizational structure, the British government sets up two new divisions: a cyber security operations center and a cyber security office. The former is responsible for coordinating protection and security of governmental and private computer systems while the latter for co-coordinating cyber security plan of the governmental departments. In November 2011, the British Government published a new, and further proposed practical plans and programs based on giving high priority on cyber security.9

In the year 2009, the French government adopted a cyber defense strategy, the strategic objective of which is to seek playing a leading role as a global power in information system security and global governance. France not only emphasizes to strengthen the security of information network through technical means, but also attaches great importance to combating cyber crime and to establish a cyber defense system.10To this end, France has set up a special", led by the Minister of the Department of Homeland Security and composed of ministers for the Foreign Affairs, Intelligence Bureau, the Department of Defense and others. The committee’s main task is to develop details of the French information security strategy to guide the ANSSI specific work.

Taking initiatives similar to that of France, Germany has also specially set up a national committee and a cyber defense center. In February 2011, the German government adopted the", designed to enhance the protection of German critical infrastructure and IT systems against cyber intrusion.11German Interior Minister Thomas de Maiziere has stated that the Internet has become a critical infrastructure, and now almost every day cyber intrusion against the government that may come overseas is reported. According to this strategy, Germany plans to set up a national cyber defense center, led by German Federal IT Security Bureau and involving experts of the Federal Constitutional Protection Agency and the Federal Bureau of Civil Protection and Disaster Relief. Regaining foreign cooperation, the German government not only actively promotes cooperation between government and civilian sectors, but also emphasizes effective cooperation in Europe and world-wide.

3. Russia

Russia so far has not issued specifically a national cyber security strategy, the current relevant policies focus on two aspects of information security and cybercrime. In June 2000, a "National Information Security Doctrine" signed by Russian President Vladimir Putin after taking office is Russia's first officially promulgated important document for the relevant national information security. According to this document, to crack down on theft of information resources, and to protect communication and information network security of the government, financial, military and other agencies become an important part of the Russia national interests. This document shows that Russia has elevated the information security to the high level of national strategy, which lays down the foundation for Russia to set up a national information policies building in the future, and is seen as an important measure to strengthen information security.12

Senior Fellow Evseev of Institute of World Economy and International Relations of Russian Academy of Sciences argues that development of technology and extensive use of the Internet has enabled to comprehensively paralyze government, transportation, financial, military operations and other systems through cyber attacks, but Russia has not yet established effective legal mechanisms to maintain information cyber security of Internet as well as the national key sectors. Given the fact that a number of countries are actively using the Internet technology to undermine important strategic targets of other countries in order to achieve military and political goals, Russia should consider to establish an appropriate agency in the military departments responsible for using the Internet to conduct military and political actions.13

(II) Multilateral mechanisms

In addition to state sovereignty, the cyberspace security in recent years has become an important issue and content of multilateral security cooperation. Currently, international or regional organizations such as the United Nations, the European Union, NATO, the Group 8, the OECD, the Shanghai Cooperation Organization, etc. have strengthened cooperation on cybersecurity issues among member states, and established relevant institutions in order to promote the development of a common code of conducts.

Cyberspace governance is an important non-traditional security issue within the United Nations Framework, and is usually included in the UN Security Council resolutions on combating terrorism, and the Counter-Terrorism Committee under the Security Council is responsible for resolution discussions. In the year 2002 during the UN General Assembly debate, the General Assembly stressed the importance of cyber security issues, noted that it is inadequate to only rely on international law to strengthen cyberspace security, preventive measures and social support are critical and it is necessary to create a cyber security awareness and culture in the process of application and use of information technology.14In May 2006, then UN Secretary-General Kofi Annan in a speech reiterated the building of a global cybersecurity culture is an important way to solve the problem of cyber security.15In the year 2007, ITU launched the "Global CyberSecurity Agenda" in order to promote international cooperation in this field.16In September 2008, ITU and IMPACT worked together to locate the "Global CyberSecurity Agenda" in the organization's headquarters in Malaysia .

In the year 2012, the UN Governmental Experts Group submitted a report on developments in the field of information and telecommunications entitled "".17The report says that the existing and potential threats in information security is one of the most serious challenges in the 21st century, such a threat has a variety of sources, its destructive activities are targeted at individuals, businesses, national infrastructure and government and its result is to bring significant danger to the public safety, national security and stability of the entire world-linked international community. On the one hand, some countries are developing communication technology into war and intelligence tools, and use it for political purposes; on the other hand, cybercrimes become intensified, and cyberterrorism may increase in the future. The report calls for strengthening broad international cooperation between Member States and the collaboration among State, private sectors and civil society.

Up to new, the EU has not yet adopted an overall strategy for cyberspace security, but has already done a lot of preparatory work in cyberspace governance. In the year 2004, in response to the increasing serious network and information security challenges, the EU established the European Network and Information Security Administration (ENISA) to coordinate actions of the EU member states and to strengthen cooperation and information exchange in the field of network and information security. In May 2011, the OSCE held a cybersecurity conference, decided to refine measures in the political and military aspects and stressed that the OSCE will apply its expertise of the "confidence-building measures" and "security- and confidence-building measures" to the field of cyber networks security. In September 2011, the European Commission issued a "European Internet Governance Contract", put forward principles and guidance for maintaining European Internet activity and stability in the Information Infrastructure Protection Action Plan, i.e. the COMPACT principles, covering civic responsibility, a network, multi-stakeholders sharing, promoting democracy, structuring rationally, enhancing trust and transparency governance.18In the year 2012, the European Commission put forward the Strategic European Initiative, and plans to develop a strategy for the whole European Internet security in order to better respond to global security challenges including network security.

As a political-military organization, NATO is not unfamiliar with electronic warfare and cyber warfare. In November 2002 at Prague Summit, NATO adopted a resolution on strengthening the defense capabilities of cyber intrusion, and launched a new network defense plan.19In April 2008, NATO Summit in Bucharest announced the "cyber defense policy", emphasizing that NATO and its member states should, in accordance with their respective responsibilities, protect critical information systems, share best practices and provide support to allies when needed to respond to cyber intrusion. To this end, NATO has set up a Cyber-Defense Management Authority and a Co-operative Cyber Defense Centre of Excellence, the former is responsible for policy implementation and coordination, the latter for strategic task of technology research and development.20

Currently, NATO identifies the cyber security as one of the emerging key security challenges. In November 2010 at the NATO summit held in Lisbon, NATO member countries adopted the document of "active participation in the modern defense", proposing a new strategic concept that cyber attacks ...... can reach a threshold threat to national and European - Atlantic prosperity, security and stability. In March 2011, NATO defense ministers proposed a "cyber defense" concept, through the development of common principles and standards to ensure a minimum network defense for all members countries and to achieve cyber system security of NATO and NATO-related nations. To reduce global risks from cyberspace, NATO will carry out cooperation with international institutions, the private sector and academia such as partner countries, the United Nations and the European Union and others.21

Organization for Economic Cooperation and Development (OECD) as early as 1992 drafted the "Information System Security Standards", but never adopted. On July 25, 2002, OECD approved the OECD Information Systems and Cyber Security Guidelines: Developing a Safety Culture. It believes that only an approach to give due consideration to interests of all participants as well as nature of systems, networks and related services can ensure effective safety; Each participant has an important role in ensuring safety, and promoting a safety culture requires both leadership roles and also broad participation. This Standards have now been ratified by the OECD 19 member countries, and become an important reference document for other countries and organizations to develop a cyber security policy.

The G-8 main contribution to cyber security governance is its high-tech group in fighting against cybercrime. This group's objectives are initially to enhance G-8 members capabilities in preventing, investigating and prosecuting computer and cybercrimes, and later its functions are also extended to combating cyber-terrorism and protecting critical information facilities. It creates a 24/7 cyber contacts for high-tech crime and international Critical Information Infrastructure Protection Catalog (CIIPC) as well as threat assessment practices and guidelines for computer and network security, which provides a big help for international cybersecurity governance. In the year 2011, the G-8 summit in Deauville, France, put forward cyber regulatory principles including openness, freedom and transparency.

Besides, the Shanghai Cooperation Organization (SCO) also includes cyber security in its cooperation agenda. In June 2011, the SCO Tenth Anniversary Astana Declaration states to strengthen cooperation in the field cyber security. And China and Russia and other countries on 12 September 2011 submitted to the United Nations the "International Code of Conduct on Cyber Security", which calls for further discussions on this subject within the UN framework. In April 2012 held in Beijing, SCO Security Secretaries seventh meeting unanimously stressed that the destruction of transnational organized crimes and cyber crimes on regional security and stability has expanded, some organizations or individuals use the cyber networks and target cyber networks to engage in terrorist activities, cyber-terrorism has become a new security threat. SCO is to create the "Internet police agency" in order to strengthen security cooperation, and to establish more effective mechanisms to prevent and combat .22

( III) International norms

Currently, there is no specifically applicable international law for cyberspace governance in the international community, only the international humanitarian law and Budapest Convention on Cybercrime can be invoked. The International humanitarian law is for minimizing an armed conflict impact within a certain scope, which is significantly different with cyber warfare although cyber warfare can be seen as another type of armed conflict, so that the international humanitarian law has considerable limitations on cyber warfare. As a result, the Budapest "Convention on Cybercrime"23was an international convention jointly signed by 30 countries’ government officials in November 2001 by EU member states of the European Council, the United States, Canada, Japan and South Africa, in Budapest, but is so far an only international convention against cyber crime. However, due to its jurisdiction mainly for cybercrime laws and cooperative coordination between countries, which is inadequate to cope with many cyberspace threats and challenges.

ITU Under the framework of the UN has been actively promoting to reach an international treaty on the cyberspace governance. In February 2010, ITU President called on Member States to step up efforts for cyberspace security international treaty negotiations before the advent of cyber warfare. In July, the United Nations developed a draft treaty aimed at reducing the computer network risks, 15 member states including the United States, China and Russia signed the agreement. The agreement recommends to the United Nations to draft a code of conduct in cyberspace; member countries exchange their cyberspace legislation and security strategy information; to strengthen LDCs ability to protect computer systems.24Currently, China, the United States, Russia have submitted the relevant documents to the United Nations.

However, because a few major powers have different views on nature and implementation of the draft treaty, whose progress is very slow. Russia hopes to prevent a new arms race through an international treaty, takes the cyberspace as a source of attack, and restricts and monitors it like weapons of mass destruction. America's position is completely different, opposes the establishment of a separate agency to limit cyber warfare and argues that conclusion of a special international treaty does not make sense. United States believes that a more effective way is through the effective inter-governmental cooperation and international law. The United States as a major power with an absolute advantage in cyberspace, considers more its cyber technology superiority not to be restrained rather than how to prevent cyber attacks.

In contrast, the EU is very positive in promoting global cyberspace governance negotiations, and will incorporate potential factors into the framework of global negotiations, which is undoubtedly its realistic option. By vigorously promoting global negotiations, the EU hopes to play a leading role in future global cyberspace governance. On 1 November 2011, the "London Cyber Conference" organized by the British Ministry of Foreign Affairs, was attended by representatives of more than 60 countries and regions. It is true that the Conference reached no consensus on concluding an international treaty, but it presents the global cyber governance agenda, thus, kicking off the international dialogue and cooperation process.

IV. A Long Way to Go to Develop New International Cyber Rules

Some scholars take current cyberspace vacuum as an analogy of airpower building.25In both WWI and WWII, airpower became an important strategic component in battlefield. Similarly, the emergence of cyberspace is the result of scientific and technological progress, which gradually develops into the national security from the information realm. Its emergence will also revolutionize the military thinking and actions, and its potential impact on national security and international relations may be more far-reaching than the aircraft entering war.

However, taking into account the special nature of cyberspace, sensitivity of cyber security and the different positions between the major powers, the issue still faces many challenges to continuing to move forward. Firstly, from a technical perspective, the international negotiations on cyber security is still lack of the necessary basis and common language, and many definitions of key terms are not unified, and difficulties to trace cyber attacks also make it hard to identify opponents. Secondly, cyberspace governance covers a wide range, not only related to state actors, but also more to non-state actors such as businesses, individuals and others, so it is uneasy task to incorporate overall arrangements into governance framework. Thirdly, cyberspace governance involves cutting-edge information technology, various countries field research largely shrouded in secrecy, and technical cooperation and sharing between countries are very limited. Finally, the issue is certainly very important and urgent for major powers in the international political and economic dominance, but for a lot of developing countries with relatively backward information technology, development issue is more important.

At the International Telecommunications World Conference in December 2012 in Dubai, the ITU, with 200 member countries, presented the new draft treaty related to monitoring and controlling recommendations, which were rejected and resisted by 20 countries including the United States, Canada, Britain and Australia, etc., besides, Google, Cisco and some other well-known IT giants even sent representatives to lobby. In this special "battlefield", not only governments, but also non-governmental organizations and tycoons of cyber networks, and other related industries and business struggle hard. It is easier said than done to develop international rules accepted by stakeholders, so there is still a long way to go.

1.John Arquilla and David f. Ronfeldt, “Cyberwar is Coming!”,, Vol. 12, No.2 (Spring 1993), pp141-165.

2.Mariam Dunn Cavelty, “Unveiling the Stuxnet Effect: of Much Persistence and Little Change in the Cyber Threats Debate,”, Vol,3, No.3 (December 2011).

3. Joseph S Nye, Jr., “Cyber War and Peace,”, April 10, 2012.

4. The White House, “The National Strategy for Cyberspace,” February 2003.

5.The White House, “International Strategy for Cyberspace,” May 2011, http//www.whitehouse.

Gov/sites/default/files/rss_viewer/_International_Strategy_for_Cyberspace.pdf.

6. “Advance Questions for Lieutenant General Keith Alexander,” USA Nominee for Commander, United States for Cyber Command, U.S. Senate, Committee on Armed Services, Washington, D.C., April 15, 2010.

7. “DoD Report Cyber Attacks Could Elicit Military Response,” 16 November 2011,

http//www.infosecisland.com/blogview/18218- DoD-Report-Cyber-Attacks-Could-Elicit-Military-Response.html.

8.”US Cyber Law,” Security and Defense Agenda, 19 September 2010,

http//www.securitydefenceagenda.org/contentavigatio/library/libraryview/tabid/1299/articleType/Article View/

articled/3240/US-cyber-law.aspx.

9.“The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World,” November 2011, http//www.cabinetoffice.gov.uk/sites/default/files/resources/The%20UK%20Cyber%20Security%20Straegy-%20web%20ver.pdf.

10.“The French Strategy for Information System Security,” the website of the Agence Nationale de la Securitedes Systems d’Information (ANSSI).

11. http//news.xinhuanet.com/2011-02/24/c_211120088.htm.

12. Ma Haiqun and Fan Liping, “Russian Legislative System for Information Security and its Enlightenment”,， No3,2011, pp.9-26.

13. http//world.people.com.cn/GB/157278/17048857.html.

14. UN General Assembly, “Creation of a Global Culture of Cybersecurity,”A/RES/57/239/,20thDecember2002.

15. “Message for World Information Society Day: Secretary General Calls for International Countermeasure to Enhance Cybersecurity,” 17 May 2006, http//www.un.org./New/Press/docs/2006sgsm10433.doc.html.

16. “Global Security Agenda Strategic Pillars and Goals”,

http//www.itu.itn/osg/csd/cybersecurity/gca/pillars-goals/index.html.

17. A Look at Information and Telecommunication from International Security Perspective, UN Disarmament, UN Disarmament Affairs,

http//www.un.org./disarmament/homepage/ODApublications/disamamentstudiesseries.

18. ENISA, “EU National Cyber Security Strategies,” May 2012.

19. NATO Communication and Information System Services Agency,

http//www.ncsa.nato.itn/topics/combating-cyber-terrorism.htm.

20. NATO, Bucharest Summit Declaration, Art. 47. 3 April 2008,

http//www.nato.itn/topics/docu/pr/2008/p08-049e. htm.

21. A Look at Information and Telecommunication from International Security Perspective, UN Disarmament, UN Disarmament Affairs.

22. http//news.sina.com.cn/2012-04-13/061124265009.shtml.

23. China is in observer status to the Treaty, Russia is not.

24. Ellen Nakashma, “15 Nations Agree to Start Working together to Reduce Cyberwarfare Threats,”17 July 2010.

25.Shmul Even and David Siman-Tov,” Cyber Warfare: Concepts and Strategic Trends.”