December 31, 2011

Business Interests Under Attack in Cyberspace: Is International Regulation the Right Response?

Recent cyber-incidents targeting economic and business interests have turned up the heat on the debate roiling around the issue of whether there should be international legal instruments to regulate various aspects of the Internet, such as cyber-security, permissible content, and intellectual property rights. The debate ranges from technical to economic to human rights issues. As the debate is widely reported, there seem to be two very general camps emerging at the international level: one in favor of state-led international frameworks, sponsored most recently by China and Russia; and the other favoring a more libertarian view, generally comprising Western democracies, including the United States. While the United States argues in favor of a more laissez-faire, multi-stakeholder approach at the international level, it is pursuing legal and regulatory approaches at the national level, particularly with respect to cyber-security. In terms of business and economic interests on the Internet, the recent debate concerning cyber espionage is a case in point, providing a revealing look into this ongoing discussion.

More importantly, however, the positioning of these two "opposing" camps in terms of the use of international legal instruments is a bit misleading. No one could deny either that more and better international cooperation is needed (although there are questions of where and led by whom) or that nation-states will exercise their sovereign rights to take measures to ensure and protect their interests. Rather, as further developed below, the fundamental issues involve the basic principles and values on which any international legal instruments would be based.

Threats in Cyberspace

Cyber-attacks on U.S. business interests, for example--emanating from both governmental and non-governmental sources--are on the rise and represent a "persistent threat to US economic security," according to a recent report of the U.S. Office of the National Counterintelligence Executive (ONCIX). The report, titled Foreign Spies Stealing U.S. Economic Secrets in Cyberspace and issued to Congress in October 2011, states:

Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation's prosperity and security. Cyberspace--where most business activity and development of new ideas now takes place--amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.

The ONCIX report specifically identifies China as a "persistent collector" of US economic data, citing numerous computer network intrusions originating from IP addresses in China. The report also accuses Russia of using highly sophisticated means to obtain US economic information with the aim of diversifying Russia's heavily natural-resource-dependent economy.

An International Response?

Perhaps not so ironically, the ONCIX report came out shortly after the permanent representatives to the UN of China and Russia, as well as Tajikistan and Uzbekistan, jointly submitted a draft resolution on an "International Code of Conduct for Information Security" to the UN's General Assembly in September 2011. Adherence to the Code of Conduct would be voluntary and open to all States. It also calls for "international deliberations within the UN framework on . . . an international code, with the aim of achieving the earliest possible consensus on international norms and rules. . ."

The 12-point Code of Conduct--some two-and-a-half pages long--provides, among other things, that states adhering to the Code of Conduct would pledge:

  • "Not to use information and communications technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate information weapons or related technologies;"
  • "To cooperate in combating criminal and terrorist activities that use information and communications technologies, including networks, and in curbing the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment; . . ."
  • "To reaffirm all the rights and responsibilities of States to protect, in accordance with relevant laws and regulations, their information space and critical information infrastructure from threats, disturbance, attack and sabotage;"
  • "To fully respect rights and freedom in information space, including rights and freedom to search for, acquire and disseminate information on the premise of complying with relevant national laws and regulations;"
  • "To promote the establishment of a multilateral, transparent and democratic international Internet management system to ensure an equitable distribution of resources, facilitate access for all and ensure a stable and secure functioning of the Internet; . . ."

There are a number of issues with this Code of Conduct. First, as cyber-security blogger Jeffrey Carr has pointed out, the Code of Conduct does not follow the international best practice of cross-border law enforcement as one of the most effective strategies for combating cyber attacks. Instead, he says, the Code focuses on the territorial integrity and the sovereign right of states to protect their own information space. Second, the wording of the Code of Conduct also incorporates by implication a number of basic public international law concepts on which there is no consensus. One of these is that nation states may adopt public policy (ordre public) exceptions to internationally accepted human rights norms without also giving full weight to the interpretive principles of predictability, transparency, legitimacy, necessity, proportionality and independence. Because it is unclear what sort of obligations would be imposed on states to ". . . cooperate in combating criminal and terrorist activities that use information and communications technologies, including networks and in curbing the dissemination of information that incites terrorism, secessionism or extremism or that undermines other countries' political, economic and social stability . . ." (emphasis supplied), a severe, secretive and arbitrary national censorship regime would be consistent, on a verbal level, with the Code of Conduct. Finally, although it is unclear what the phrase might mean, the Code of Conduct also assumes that an "international Internet management system" is a desirable goal. This is a sharply contested proposition on several levels, ranging from the long-standing efforts of the International Telecommunication Union to have a role in the management of the Domain Name System to the efforts of some countries to "manage" the permissible content of Internet transmissions from outside their borders.

The Code also assumes that "policy authority for Internet-related public issues is the sovereign right of States." However, many states recognize that international norms place important limitations on state sovereignty with respect to crafting international responses to critical issues arising on the Internet. Take "net neutrality," for example. In the lead-up to the UN's Sixth Annual Internet Governance Forum in September 2011, the 43-member Council of Europe (CoE) announced the adoption by its Committee of Ministers of two recommendations and two declarations calling, inter alia, on CoE member states to take action to protect on-line freedom of speech, even in the face of national security responses to cyber threats. Of particular interest is the statement on the link between net neutrality and human rights contained in the Declaration of Internet Governance Principles. While avoiding the term "net neutrality," which was used in earlier draft versions of the Declaration, Principle 9, titled "Open Network," provides:

Users should have the greatest possible access to Internet-based content, applications and services of their choice, whether or not they are offered free of charge, using suitable devices of their choice. Traffic management measures which have an impact on the enjoyment of fundamental rights and freedoms, in particular the right to freedom of expression and to impart and receive information regardless of frontiers, as well as the right to respect for private life, must meet the requirements of international law on the protection of freedom of expression and access to information, and the right to respect for private life.

It must also be recognized that in many substantive areas governing behavior on the Internet, international legal instruments already apply. These include, most notably, the CoE's Convention against Cybercrime (or Budapest Convention), a recognized international standard in the fight against cybercrime, to which the United States is a party. In the area of recognizing the human right of freedom of expression, Article 19 of the UN Universal Declaration on Human Rights and Article 19 of the UN Covenant on Civil and Political Rights preserve the right to receive and impart information and ideas without interference, regardless of medium and regardless of frontiers.

In addition to the basic net neutrality example, it is important to recognize that there is a tension between the "sovereign right of States" and the concept of multi-stakeholder governance as a key aspect of Internet governance generally. If private companies, civil society, the technical community and other independent organizations all have a role to play, then the role of states is thereby circumscribed. In addition, the concept of multi-stakeholder governance should be considered an intrusion into the traditional roles played by nation states if it is the case that the concept is strongly supported by states. In that regard the United States has taken a clear position. In May 2011 the White House released its "International Strategy for Cyberspace," which stated among its basic principles:

  • "Upholding Fundamental Freedoms: States must respect fundamental freedoms of expression and association, online as well as off."
  • "Multi-stakeholder Governance: Internet governance efforts must not be limited to governments, but should include all appropriate stakeholders."

On June 28 and 29, 2011 the Organisation for Economic Co-operation and Development held a High Level Meeting in Paris on the subject "The Internet Economy: Creating Innovation and Growth." The participants underlined the need to maintain the open, decentralized design of the Internet and emphasized that the multi-stakeholder approach has been key to the Internet's rapid growth and impact and to the maintenance of freedom of expression and communication. In addition, the G-8 held its 2011 Summit on May 26-27, 2011 and at its close issued a declaration containing a comprehensive statement of policy on the Internet that touched on nearly every policy issue. The declaration was clear in its support of the multi-stakeholder model. Hence, the issue, once again, is not "international" versus "national." The more basic question presented is what the role of the nation state should be.

In terms of cyber-security, what is the proper response to the ever-evolving sophistication of these threats? More regulation? At the international level? At the national level? Not at the international level, according to Assistant Secretary of State Michael Posner, who addressed the Silicon Valley Human Rights Conference in late October 2011. Posner pointed out one of the soft-underbelly features of the Arab Spring. The use of social media that gave rise to the popular revolts "brought home [to repressive governments] the power of the Internet." He went on to say that "[t]oday we face a series of challenges at the intersection of human rights, connected technologies, business, and government. It's a busy intersection--and a lot of people want to put up traffic lights." He continued in his address to say that a system that shifted away from a multi-stakeholder focus towards "a system dominated by centralized government control . . . [is] [n]ot a good idea." On the military side, U.S. General Keith Alexander, head of U.S. Cyber Command, reacted to the draft UN resolution by suggesting that regulation was perhaps not the answer. "I'm not for regulating per se," Gen. Alexander said.

U.S. Efforts

So while there is resistance to regulation at the international level, there is, at the same time, growing attention being paid to bolstering the U.S. legal framework affecting cyber-security. Indeed, cyber-security, as it affects U.S. business interests, has been on the radar screen of the U.S. government for years. In May 2009, the White House issued a review, titled "Cyberspace Policy Review," to assess U.S. policies and structures for cyber-security. The document presents a very sobering assessment:

The architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation's confidence in the information systems that underlie our economic and national security interests. The Federal government is not organized to address this growing problem effectively now or in the future.

In May 2011, the White House sent to Congress its legislative plans for improving cyber-security for the country's critical infrastructure, for the federal government's own networks and computers, and for the population generally (White House Proposal). In October 2011, the White House issued an executive order addressing information security and data breach rules.

In Congress, dozens of cyber-related bills have been introduced in both the current session (112th) and the previous session, reflecting a growing concern over cyber-security. The administration proposal addresses in one way or another nearly all of the key variables in that body of proposals and can be used as an outline of the main issues. The administration proposal includes:

  1. Federal data breach reporting legislation;
  2. New and increased penalties for cyber-criminals, the application of the Racketeer Influenced and Corrupt Organizations Act to cyber crimes, and mandatory minimums for cyber intrusions into critical infrastructure;
  3. A framework within which businesses, states, and local governments can request and receive federal government assistance, chiefly from the Department of Homeland Security, for repairing damage done by cyber-intrusions and attacks and for advice on building better defenses;
  4. Critical Infrastructure Cybersecurity Plans. The Nation's critical infrastructure, such as the electricity grid and financial sector, is vital to supporting the basics of life in America. Market forces are pushing infrastructure operators to put their infrastructure online, which enables them to remotely manage the infrastructure and increases their efficiency. However, when our infrastructure is online, it is also vulnerable to cyber attacks that could cripple essential services.

Here is where the varying positions of countries in these debates can appear a bit confusing. The U.S. response could be characterized as exactly the exercise of sovereign rights over territorial integrity that was called for in the draft UN resolution. The various U.S. initiatives seem to support a U.S.-centric effort and an exercise of U.S. sovereign rights to ensure that the security and integrity of U.S. interests in cyberspace are protected. On one level, this apparent inconsistency is no more than the constant tension within any society between the demands of security and the demands of freedom. On another level, it is quite another thing for international instruments to be adopted that have the effect of legitimating, on a global level, any security regime that a nation state chooses to adopt regardless of long-standing international norms, properly interpreted.

Putting aside the question of whether there should be "international norms" as suggested in the draft UN resolution, and whether criticism of international Internet regulation can be easily reconciled with the efforts at strengthening national sovereignty (even by the United States) in cyber-space, laws alone will not do the trick, even at the national level.

The ONCIX Report also highlights what can be done beyond developing the legal framework, calling for improved collaboration within the intelligence community to better understand the nature of these cyber economic espionage threats, as well as pointing out the responsibilities that US corporations already have with respect to reporting on and addressing corporate risks, including cyber-threats. Specifically, the ONCIX Report suggests that cross-functional cyber teams across an enterprise need to be in place and that corporate officers and boards need to take an interest in network security matters (citing the 2006 Delaware Supreme Court decision in Stone v. Ritter, 911 A.2d 362 (Del. Supr. 2006) (building on the 1996 decision in the Caremark case, 698 A.2d 959 (Del. Ch. 1996)), that directors may be liable for failures in the company's information and reporting systems).

A Way Forward?

With existing international legal instruments already applying, it is probably a little bit disingenuous to suggest that any movement at the international level to protect businesses' economic interests against cyber-threats is inappropriate. It is inevitable that there will be continued pressure to address these issues on the international stage. Moreover, the absence of an agreed-upon framework--whatever form that might take--including a framework for sanctions, will keep the door open for cyber safe havens. Countries not adhering to accepted international norms in the fight against cyber-security threats will become, wittingly or unwittingly, the safe havens for those perpetrating cyber-threats. Clearly, any argument against international "regulation" would need to take account of this, and criticisms of international regulation should not be equated with criticisms of international cooperation. The key, then, will be (1) finding--and leading--international fora where important issues of cyber-security will be seriously tackled (but in a manner respecting the multi-stakeholder principles already recognized in the Internet governance sphere), and (2) identifying incentives for the governments of all countries, even those currently accused of cyber-violations, to participate.

Additional Resources

"Multi-stakeholderism" is a shorthand reference to multi-stakeholder Internet governance or the multi-stakeholder model, which can be described as a more "bottom-up" approach to Internet governance, in which governments, private companies, civil society, the technical community and other independent organizations all have roles to play but in which no single entity operates without checks and balances. The model is more directly representative and at the same time gives rise to tensions among the various parties.