Written by Derek S. Reveron

With regularity, cyberattacks are increasingly dominating national security discussions. Cyberspace operations can fuel interstate rivalry and exacerbate tensions among states. Well-known examples include: attacks against Iran’s nuclear program, North Korea’s attack against Sony Pictures Entertainment, China’s theft of U.S. security clearance data, and Russia’s influence on the U.S. election. Outside of well-known hacks, there are routine cyberspace encounters among well-known rivals such as India and Pakistan, North Korea and South Korea, and the United States and China.

…dozens of countries are developing cyber commands and are learning how to integrate cyber operations into traditional military operations.

When thinking about cybersecurity as national security, three important questions must be answered. First, what can individuals do to protect their identity, privacy, and cyberspace? Second, what can consumers expect from the information technology community? Finally, what can citizens expect from their governments?

Citizens regardless of nationality are exposed to risks created by cyber insecurity. The risks are all too familiar:

• identity theft is common and harasses individuals’ financial futures and denies access to their own data;
• intellectual property theft undermines corporations’ innovations through loss of trade secrets;
• data corruption undermines corporate reputations;
• unsecured networks become gateways for malicious activity and means for ransomware.

The same space that ignited commercial opportunities and shrank the size of the social world, facilitates illegal activities. Cyber tools expand the range of actors in international security. Only governments can conduct missile strikes, but individuals and groups can conduct cyber strikes. Development costs are minuscule relative to conventional military power and has expanded the range of threats motivated by profits. Governments have incorporated cyberspace operations to conduct espionage, wage influence operations, and target critical infrastructure. At the same time, dozens of countries are developing cyber commands and are learning how to integrate cyber operations into traditional military operations. The head of U.S. Cyber Command, Navy Admiral Michael S. Rogers sees “It is only a matter of the ‘when,’ not the ‘if’—we’re going to see a nation-state, group or actor engage in destructive behavior against critical infrastructure in the United States.”

With persistent vulnerabilities in the software we use and the relative impunity with which states, groups, and individuals operate in cyberspace, we will continue to experience data breaches leading to fraud, intellectual property theft, and significant disruptions in IT-reliant societies. This undercuts benefits that citizens derive from the technology.

The promises of an open, transparent, and secure cyberspace look bleak. Cybergeddon is not inevitable as critical sectors like financial services, telecommunications, and power generation have significant incentives to secure their infrastructure. However, as we have seen in other national security areas, security becomes a cat-and-mouse game where malicious actors get better too. Governments do have the power to convene to develop best practices, but when the market fails, governments have regulatory power to compel.

Governments want to and need to work with industry, but neither side has understood how cyberspace operations pose a different set of challenges for each. Government does not appreciate the business side of IT and the IT industry does not appreciate the national security dimensions of their businesses. Challenging public-private cooperation are disclosures about governments’ intelligence operations that undermine trust. Cyberspace operations also challenge the national security divide where government is responsible for national security and public safety, but the threats manifest in corporate created networks and individuals are in the battlespace.

To reduce insecurity, there are a number of efforts to establish norms in cyberspace through negotiations at the UN and other regional forums. For example, in September 2015, the United States and China agreed not to target commercial entities for economic value as a way to slow down intellectual property theft. At the November 2015 G20 summit, governments agreed that nation-state conduct in cyber space should conform to international law and the UN charter. Additionally, the G20 agreed that no country should conduct or support cyber-enabled intellectual property theft for commercial purposes. In May 2016, cybersecurity was featured prominently at the G7 summit in Ise-Shima. The summit’s agenda recognized that cybersecurity is a key component of the global economy and trade, development, and quality infrastructure investment. Countries considered the norms advanced by the Boston Global Forum. Corporations too have proposed norms of behaviour. The lead legal counsel at Microsoft, for example, called for a Digital Geneva Convention to “protect the civilian use of the internet.”

With this in mind, the next steps to improve cybersecurity include:

1. Convening sub-regional summits to outline the scope of cybersecurity challenges and improve multilateral efforts to promulgate norms;
2. Establishing information sharing centers where governments can share threat information, coordinate cybersecurity policies, and implement best practices for governments, organizations, companies, and individuals;
3. Assisting governments in developing countries to strengthen their government networks, improve protection of critical public infrastructure, and educate citizens to raise their security posture improving human capital.

There are no borders in cyberspace, and networks are only as strong as the weakest access point. When thinking about improving security in cyberspace, we should look at how international partners contribute to security in the terrestrial space through cooperative military operations, peacekeeping, and international assistance. These are important norms to replicate in cyberspace.

Derek S. Reveron is Professor of national security affairs at the U.S. Naval War College in Newport, Rhode Island and faculty affiliate at the Belfer Center for Science and International Affairs at Harvard University. The views expressed here are the author’s alone and do not represent the official position of the Department of the Navy, the Department of Defense or the U.S. government. He tweets at @DerekSReveron. Image Credit: CC by Blogtrepreneur/Flickr.