Richard A. Clarke is chairman of Good Harbor Security Risk Management. He was special adviser to the president for cybersecurity in the George W. Bush administration.
While Vice President Biden and Russian Foreign Minister Sergey Lavrov were dealing with Syrian rebels and other conflicts, some at the recent Munich Security Conference were focused on a topic with much greater implications for global security: cyberthreats. Unfortunately, those conversations revealed how strikingly little has been done to create international norms of behavior in cyberspace and the means to punish those who would deviate from them.
At the World Conference on International Telecommunications in Dubai last year, global regulations concerning cyberspace were also discussed, but the two major culprits of malicious cyber-activity were at the table dominating the meeting. The conference largely turned out to be an attempt by China and Russia to establish more control of cyberspace through the United Nations-sponsored International Telecommunications Union. Yet it is the Chinese and, to a lesser extent, the Russians who are behind much of the pandemic of online espionage and crime that costs Americans and Europeans hundreds of billions of dollars a year.
In Munich, discussions included the concept of like-minded nations creating a set of standards for dealing with international cybercrime and cyber-espionage on a multilateral basis.
To date, the only significant agreement on cybercrime is the nine-year-old Budapest Convention, but that treaty does not set up international operational mechanisms to hunt down and arrest cybercriminals. Nor does it do anything significant to stop the multibillion-dollar-a-year criminal enterprises that prey on the United States and Europe from many nations of the former Soviet Union. As one participant in Munich noted, there is good reason to believe that Russia’s internal security service, the FSB, is in collusion with these cybergangs, with the understanding that the gangs will not target Russian companies and that they are available as an auxiliary “cyber-army” for the Kremlin.
There are, nevertheless, significant opportunities to develop international collaborations to reduce the impact of cybercrime. An international cybercrime center could aggressively go after and disconnect computer networks used to steal credit card information and other personal data. The center could have “fly-away teams” of experts who could move to and assist a country with a cybercrime problem. The center could also document the failure of certain countries to assist investigations or successfully prosecute cybercriminals. Senior government leaders then would have to decide what to do about those de facto sanctuaries, beginning with multilateral diplomatic approaches.
Tackling cyber-espionage and disruptive or destructive cyberattacks is more complicated than addressing cybercrime, but progress is possible. In Munich, I proposed that we begin with some “baby steps” on norms regarding the exploitation, disruption or destruction of certain information networks. For instance, nations ought to be able to agree on something they all appear to practice already: forswearing cyberattacks that alter or destroy the networks of financial institutions. If nations played cybergames with banking or stock market records, trust in the international financial system would be shot. Since every nation has a stake in the trustworthiness of markets and banks, it is in no country’s interest to launch or tolerate such attacks.
Like-minded nations also ought to be able to agree to forswear attacks on the infrastructure that enables cyberspace: the series of routers, servers and databases that issue digital certificates used to identify trusted parties in online interactions, run domain-name addresses and manage multi-factor authentication systems. As with the international financial system, the trusted systems that make the Internet and cyberspace work must be protected. Unfortunately, in the 2011 attacks on the Internet security company RSA that compromised a cryptography algorithm relied upon by millions, the 2012 “Flame” attack that compromised Microsoft’s digital certificate authority and other recent activity, some nations appear to have targeted the infrastructure itself as a part of sophisticated espionage campaign. This is dangerously shortsighted and undermines global commerce.
Like-minded nations should also agree that governments should not steal data from private corporations and then give that information to competing companies, as the government of China has been doing on a massive scale. The victims of Chinese economic espionage should seek to establish clear guidelines and penalties within the World Trade Organization system or, if China blocks that, victim states should seek to develop countermeasures and sanctions outside of that structure. The necessary initial steps, however, are agreeing on international norms governing online economic espionage and telling China about them.
Or, we could just continue to do nothing while Russian cybercriminals and Chinese cyber-spies steal from us without any risk or penalty.
There has been an enormous rush in the United States and abroad to create an army of cyberwarriors. Nations would be wise to consider a new cadre of cyber-diplomats, too.