By Alix Lawson & Sam Denney
Lacking a central governing authority and seemingly beyond the reach of international law, cyberspace has become an untamable beast in an increasingly interconnected and competitive world. The current model in which government regulation and academic theory lag distinctly behind private sector innovation has produced an environment in which no clear rules exist governing the behavior of state and non-state actors in cyberspace. The European Union has taken the lead in attempting to place limits on cyberspace, through attempts to regulate Amazon and stricter privacy legislation. Yet such an aggressive approach could stifle innovation.
Instead, the proper model is not one in which government, industry, or civil society takes the lead in creating cyber-guidelines, but instead one in which all three collaborate to effectively govern cyberspace while ensuring ethical and sustainable growth and innovation. Crucially, in an era of heightened geopolitical competition, what constitutes an act of war in cyberspace remains unanswered, and humanity remains unprepared for the second order effects of the Fourth Industrial Revolution.
Although new technologies can enable greater civic participation for the ordinary citizen, holding governments accountable for malign activity has also become more challenging. Currently, this amounts to either non-actionable engagement in a multilateral sphere or engagement on a country to country level, which can leave even larger states with decidedly less leverage. China’s 2015 hack of the U.S. Office of Personnel Management exposed the personal information of more than 21 million federal employees, contractors, and their families. In response to the attack, the U.S. government signed what was seen as one of the first arms control agreements for cyberspace to stop the hacking and theft of intellectual property. Yet this deal has not held, and Chinese hacking accelerated soon after President Trump’s inauguration, with a focus on American commercial and industrial technology. In this case and others, a country to country cyber interaction has no method of recourse or reconciliation outside the realm of discussing military action.
Non-state actors can take advantage of pre-existing structures and pre-existing conditions on social media and in cyberspace. Facebook’s worldwide growth has provided the company access to massive amounts of personal information. Russian disinformation operations weaponized the same features originally intended to promote consumer goods to spread highly targeted disinformation. An already balkanized social media space, homophily, and humans’ tendency towards confirmation bias allowed this content to spread like wildfire. Facebook and the U.S. political system are still coming to terms with the damage done by Russian disinformation campaigns. The lack of rules governing the behavior of states online and reluctance to grapple with political responsibilities that exist for companies operating in cyberspace leave the U.S. unprepared for the next iteration of cyberwarfare.
Yet the private sector has begun to indicate a willingness to see rules created in cyberspace. One example can be found in the Microsoft Cybersecurity Policy team’s recent release of a brief addressing the need for a Digital Geneva Convention. Despite a willingness on behalf of the digital community to address these issues, without state investment, the conventions hold no weight. In the cyber community, non-state actors ranging from terrorist organizations to private citizens have the capacity to achieve the same results as a state. While Russia and China are consistent perpetrators of state-sponsored cyberattacks, non-state actors are as well. Creating a charter or convention for the internet requires much larger buy-in, on a more granular level. Enforcing accountability only on a state level would not only be an unreasonable deterrent for non-state actors and private citizens and would penalize states that may not have the tools or capacity to address the cyber-attacks occurring within their own borders.
To effectively protect states, corporations, and individuals from malign activity resulting from the exploitation of new technologies in cyberspace, government, industry, and civil society groups must hold each other accountable on a level playing field. Sovereign states, civil society, and private companies must fashion a more effective partnership, to create norms, ensure accountability, and punish violations. Civil society organizations have long sought to create responsible frameworks for company, individual, and government decision-making in supporting safe, but free expression and the right to data privacy. The intent by the creators of these organizations (eg. AccessNow, Global Network Initiative, Amnesty International) is to hold stakeholders accountable. With government presiding over the process of implementing these charters, there is a larger potential for better management and more effective engagement with those seeking to violate these policies. As the world becomes smaller, the traditional barriers between the state, private corporations, and citizens have blurred with regards to national security in a way not seen in the 20th century. A unified approach ensures larger buy-in and minimizes bias in both creating and implementing rules and regulations for a global society. Solving the future requires ever closer cooperation, not a further balkanization along sectoral lines.