UN’s cybercrime ‘law’ helps dictators and criminals, not their victims
The expansion of global cybercrime, perhaps seen most prominently in the dramatic rise of ransomware attacks, recently led a key committee of the United Nations to adopt a resolution backing a new global agreement on cybercrime that purportedly would set serious limits on the use of technology for criminal purposes. Given the near-daily impact of cybercrime on the lives of ordinary people around the globe, one might be forgiven for thinking the adoption of this resolution was a good thing for citizens and consumers worldwide. Unfortunately, that’s just wrong.
The resolution — led by Russia and China, and supported by a motley crew including Cuba, Iran, North Korea, Nicaragua, Syria and Venezuela — does little to contain or limit cybercrime, instead employing significantly vague language ostensibly aimed at this global plague but in reality focused on reinforcing tools that authoritarian regimes can use to suppress domestic dissent, silence democracy activists, muzzle journalists and target human rights groups. The resolution — which a majority of members either opposed or abstained from voting on — nevertheless passed the committee in part because of an increasingly felt need for governments and international institutions to take action — any action — to address this issue. This remains true notwithstanding the fact that the Budapest Convention on Cybercrime has been in place for over 15 years and has been ratified by more than a third of all countries.
The biggest purveyors of cybercrime are among those who backed the resolution. The Russian government and the criminal enterprises that it allows to thrive and prosper are among the most active thieves of financial resources globally. The Chinese government likewise is known for its brazen, decades-long effort to steal core intellectual property from the United States and other Western nations in order to buttress its own global economic ambitions. And one need only look at the various schemes and heists concocted by the North Korean government to obtain hard currency, or by the Iranian government to evade sanctions, to know that those who found this resolution beneficial weren’t doing so out of concern for the economic well-being of the global community.
Unfortunately, while we all know that it is critical to establish a core international baseline of appropriate behavior when it comes to this domain, we’ve repeatedly seen that getting broad consensus on cyberspace issues is a nearly insurmountable challenge. Indeed, look no further than the competing groups at the U.N. — the U.S.-led Group of Governmental Experts and the Russia- and China-supported Open-Ended Working Group — to identify the key fault lines between those who argue for cybersecurity in order to undergird the personal and economic freedom of their citizens and those who would use the bugaboo of cyber threats to control their populations and shape their domestic political environments. We should not accept a world in which authoritarian nation-states are able to assert their will and create a false consensus in international bodies by fear-mongering about a threat they are largely responsible for creating.
If consensus can’t be achieved, we need to evaluate what can be done to address — or even encourage — appropriate nation-state behavior. In other contexts, such as the need to respond to Iranian aggression or to Russian and Chinese cyber activities, the best solution is deterrence through assured response. That is, if a nation wants to be safe(r) when it comes to cyber threats, it cannot continuously refuse to respond to cyber attacks. To the contrary, if a nation regularly fails to respond, it should not be surprised when others seek to take advantage. Given this, it seems clear that the best way to deal with continued cyber threats — at least at the nation-state level — is to maintain (and be prepared to use) the capability to deliver a swift, robust response.
There is evidence that such an approach might gain the support of at least a plurality of nations. This year at the U.N. General Assembly session in New York, the United States successfully convinced a strong (and growing) group of nation-states to adopt a statement on responsible behavior in cyberspace that, among other things, forthrightly called out states and others that “target critical infrastructure and our citizens, undermine democracies and international institutions and organizations, and undercut fair competition in [the] global economy by stealing ideas when they cannot create them.”
The statement commits the signatories to “working together to hold states accountable when they act contrary to [the rule-based international order], including by taking measures that are transparent and consistent with international law” and notes that “[t]here must be consequences for bad behavior in cyberspace.”
While this all may be good for nation-states, it still leaves open the question of what private-sector actors should do. The answer here is fairly straightforward: While private-sector actors may not (and likely should not) be able to respond, they can take protective actions to better defend themselves. And this should not be expensive — although, today, the common view is that to defend themselves, companies need to spend tons of money. To the contrary, employing collective defense capabilities — joining with other companies across multiple industries to identify threats — can allow companies to leverage the investment and knowledge of others to defend themselves; indeed, a relatively small investment in collective capabilities can offer scale and growth for cybersecurity teams across large, medium and small enterprises. The government can contribute here too, by prioritizing the collection of threats against industry and sharing that information with industry in real time.
In an era when global cyber threats are on the rise and international consensus increasingly is difficult to achieve, the best defense may not be at the United Nations but, rather, building serious offensive capabilities and joining with allies and partners to create a serious collective defense policy and capability.
Gen. (Ret.) Keith B. Alexander is the former director of the U.S. National Security Agency and the founding commander of United States Cyber Command. He currently serves as chairman and co-CEO of IronNet Cybersecurity, a startup technology company focused on network threat analytics and collective defense.
Jamil N. Jaffer is the former chief counsel of the Senate Foreign Relations Committee and a former associate counsel to President George W. Bush. He currently serves as vice president for strategy, partnerships and corporate development at IronNet Cybersecurity.