Tangled Web

Cybersecurity Strategies Raise Hopes of International Cooperation

By Neil Robinson

Neil Robinson is an information scientist at RAND Europe.

Attacks against national and private interests in the borderless realm of cyberspace over the past few years have spurred international efforts to defend critical information infrastructures. Some of the triggering events have included the "denial-of-service" attacks against Estonia in 2007, growing concerns about the "digital espionage" capability of certain nations, and the online targeting of corporate intellectual property, classified government information, and the financial interests of companies and individuals alike.

In many European and North American countries, cybersecurity strategies have become widely viewed as increasingly important mechanisms for addressing these risks. However, the bodies in charge of leading or coordinating cybersecurity policy across the countries vary from cabinet offices to interior ministries to defense or national security directorates — an unevenness that could hinder international cooperation.

Proliferating Cyberspace Perils

Cyber threats include those actors or adversaries exhibiting the willingness and capability to exploit cyberspace to harm life, information, operations, the environment, or property. Among these actors or adversaries could be disgruntled insiders, organized crime groups, identity thieves, terrorist or activist groups, and hostile states or their proxies.

Recent history offers several examples. The aforementioned denial-of-service attacks against Estonia shut down the websites of several government ministries and that of the prime minister's political party; some experts attribute the attacks to Russia or hackers sympathetic to Russia. In Sweden in 2011, hackers breached the security of Blogtoppen, a prominent blog, causing its users to lose vast amounts of personal information. Later that year, a cyberattack on the French Ministry for the Economy and Finance targeted files for the G-20 summit, which was hosted in Paris in February 2012; French investigators concluded that the attack had probably originated from Chinese computers.

In France, China has been suspected of posing a particularly formidable threat. One concern among French officials is that electronics imported from China could be implanted with "logic bombs," trap doors, and Trojan horses, all of which could be remotely activated on command. The Netherlands, meanwhile, has singled out digital espionage by China, Iran, Russia, and other hostile states, as well as attacks perpetrated by professional criminals, as the most pressing cyber threats.

The United States has also named China as a specific culprit. In a May 2013 report, the Pentagon accused the Chinese government and military of mounting attacks on U.S. government computer systems and defense contractors in an effort to steal intellectual property and to gain strategic advantage. The report adds urgency to talks expected to begin in July between the United States and China about cyber issues.

In Germany, the government considers data security "the central common challenge for state, business, and society." As a nation that uses highly industrialized, complex technologies and that relies on sophisticated organizational structures more intensively than do many others, Germany is especially vulnerable to critical infrastructure attacks.

Emerging Cyberdefense Collaborations

Supranational cyberdefense initiatives have begun to emerge within NATO and, to a lesser extent, the European Union. One key difference between these two organizations is that NATO "owns" its own cyberdefense infrastructure (command, control, communications, computers, and information systems), whereas the responsibilities for cybersecurity (as well as national security) across the European Union generally remain the prerogative of national governments within the union.

Bulgaria, Estonia, Poland, Slovakia, Turkey, the United Kingdom, and the United States have signed agreements with NATO to cooperate in the event of a cyberattack. NATO is also strengthening the Cooperative Cyber Defence Centre of Excellence, established in 2007. Based in Tallinn, Estonia, the center constitutes a joint effort among Estonia, Germany, Hungary, Italy, Latvia, Lithuania, Poland, Slovakia, Spain, the Netherlands, and the United States to improve cyberdefense interoperability. Turkey intends to join the effort, and NATO has shown interest in extending membership to Iceland. Ukraine is also part of a NATO working group on cyber and military reform.

Nonetheless, there are limits to NATO's influence over the cyber systems of its 28 members. Although the majority of NATO nations agree that cybersecurity is a matter of increasing concern, not all of them share the same threat perceptions or strategic priorities. Such divergent perspectives could limit the scope of NATO action. Furthermore, NATO does not have the mandate to exercise authority over civilian or private-sector infrastructures. This issue is especially important, given the way in which cyberspace and cyberdefense cross the boundaries of the public and private sectors.

The European Union has no single approach to cybersecurity comparable to that of NATO, but the European Union does have a policy responsibility covering areas of civilian cybersecurity, cybercrime, and police and criminal justice cooperation in cyberspace. Again, however, these responsibilities across the European Union remain the prerogative of national governments.

Different national governments, as well as NATO and the European Union, have taken different approaches concerning the lead responding authorities for cybersecurity. The United States Cyber Command directs the operations and defense of specified U.S. Department of Defense networks, while the U.S. Department of Homeland Security is the primary agency responsible for defending other U.S. government networks. The United Kingdom and Canada have a central coordinating body. Estonia, France, the Netherlands, and NATO have departments or ministries specifically for cybersecurity. Finland has a highly distributed model, while in Denmark, the Danish Security and Intelligence Service takes the lead but assigns other departments responsibility over certain sectors. The European Union has an even more complex arrangement, with separate mandates covering industrial policy, cybercrime, and so on, suggesting a need for greater coordination.

These ad hoc and uncoordinated measures may not be sufficient to ensure the integrity and availability of information systems and critical infrastructure that support everyday life. In the multinational context of cyberspace, one is only as strong as one's weakest, well, hyperlink. Further cross-government and cross-sector efforts may be required. Mapping in detail the "hubs" of institutional cyber policy decisionmaking in each country would be a valuable step toward seamless cooperation.

Future efforts should also be supported by advanced intelligence capabilities that identify and prevent prospective attacks rather than merely reacting to them. The Netherlands, the United States, and others, for example, are building "active defense" capabilities, such as an ability to break into the computer networks of adversaries, under the principle that "attack is the best form of defense." However, the jury is still out on whether this approach would be appropriately preventive in nature or indeed could be counterproductive.

In discussions at the European Union in Brussels and in other national capitals, policymakers are seeking to ensure that the cost to adversaries of exploiting cyberspace vulnerabilities is high, that the prospects for success are low, and that business and society are prepared and resilient. Policymakers will also need to consider where to draw the line between prudent prevention and risky preemption.