R.Kols: Cyberspace needs its own ‘Geneva Convention’

Attacks on information systems, large-scale disinformation campaigns, spoofing of sensitive data and attacks on critical infrastructure are no longer just storyline twists and turns in a dystopian novel – these …

Attacks on information systems, large-scale disinformation campaigns, spoofing of sensitive data and attacks on critical infrastructure are no longer just storyline twists and turns in a dystopian novel – these are real, substantial threats that affect individuals, businesses and governments every day. Cyber agression has become an important platform through which strategic goals can be achieved, countries can be destabilized and massive economic losses can be caused. There is a reason why the field of cybersecurity in Latvia is under the control of the Ministry of Defence – as the targeted DoS attacks, carried out by Russia, on Estonia back in 2007 demonstrated, cyberspace should be considered as a military sphere – like land, air and sea. If a cyber attack against any member state can trigger Article 5 – NATO’s mutual defence clause -, it is time we realise that there is nothing ‘virtual’ or abstract about it. We must work together on an international level to combat these threats.

Cyber-attacks today are a part of a lucrative industry, affecting millions of people around the globe every day. According to the latest estimates, last year European Union alone suffered losses of 60 billion euros from cyber attacks. Our communication and governance systems, business and infrastructure is becoming more and more dependent on cyberspace, thus cyber-criminals are increasingly capable of endangering both individuals and businesses, as well as the interests of the general public by jeopardizing the basic principles of democracy.

2016 marked a turning point in cybercrime – the United States formally accused Russia of sponsoring cyber attacks against the Democratic Party with the aim of influencing US presidential elections, widespread cyber attacks also took place during the French and Dutch elections, while the media reported record-breaking numbers of data breaches worldwide. Cyber attacks experienced in the last few years point to a significant issue in the context of international conventions and legislation where cyberspace is still largely a ‘grey zone’ – without rules and internationally accepted norms. At a time when most of the information in the world is transmitted and stored online, the lack of international convention defining a cyber-etiquette of sorts – the permissible limits for the use of information and cyber-tools – is unacceptable. We should not be in this situation. Just as we once had to agree on the Vienna Convention on Road Traffic in order to facilitate international road traffic and increase road safety by establishing standard traffic rules, a new convention is needed for cyberspace.

Both the European Union and the United Nations have made significant progress in defining how these rules should work and which basic principles they should entail. However, the dialogue necessary in order to move forward with developing an international regulation keeps getting stuck in the corridors and the never-ending debate on what is it that we really wish to protect – internet users, countries, infrastructure, cyberspace itself or information.

Although the use of the term ‘cyber-warfare’ as an aspect of hybrid warfare has become more common in the public domain, the definition of ‘hybrid warfare’ itself is yet to be agreed upon, not to mention the serious lack of understanding of what the terms ‘attack’, ‘defence’, ‘deterrence’, ‘escalation’, ‘norms’ and ‘weapons control’ mean in the context of cyberspace.

The cyber attack on Estonia took place almost ten years ago. It should have been a wake-up call clearly illustrating the urgent need to act. But over the past decade we have seen an increase in state-sponsored cyber attacks on other nations; just a few months ago a massive ransomware attack infected around 200 000 businesses and individuals in 150 countries – an attack of unprecedented scale. Cybercriminals have the potential not only to destroy critical infrastructure but also undermine public trust in institutions and the basic principles of democracy. After seeing how external forces were able to carry out targeted, aggressive and effective attacks in order to manipulate the elections of democratic states, the need for internationally recognized cyberspace regulation is undeniable.

If we fail to set specific and strict rules, Russia and other states will continue to push the boundaries to see how far their tactical attacks in cyberspace can go. Such games are dangerous and can affect everyone. However, there still are governments that claim that they do not believe that cybercrime is an issue at all – this in fact means that there is a significant lack of the ability to identify, search and respond to cyber attacks. We cannot be so naïve.

Nations can act on their own, without waiting for an international convention or an agreement, in order to strengthen their cyberspace. A good place to start would be carrying out a comprehensive and exhaustive ‘audit’ in key institutions in order to ensure that the software used there is safe – the recent issues raised over Kaspersky Lab’s ties with the Kremlin is a valid reason to push for a government-wide ban of security software produced by Kaspersky Lab since its’ extensive ties to Russian intelligence produce a valid threat to other nation states. Closed data networks and systems should be created to ensure that key governmental institutions receive secure communications services and that, in the event of a cyber attack, both state institutions and critical infrastructure is protected and able to function. Setting up an ‘early warning system’ of sorts could prove to be invaluable in stopping the spread of the attack and mount an effective defensive response. Systems of warning dissemination are relatively simple and are effectively implemented in other areas – for example, text messages to citizens sent by law enforcement agencies in order to inform of the crisis and instruct on the necessary actions to deal with the situation. Along with the use of various tools and increasing security and defence capabilities, it is also important to increase awareness about the risks associated with cyberspace. The basic principles of IT security and the ability to recognize the signs of a cyber attack are fundamental and need to be taught. We need to motivate people to report cyber attacks. Every computer can become a weapon in the hands of a cybercriminal, and everyone’s data is valuable.

When discussing the lack of an internationally established convention, the Budapest Convention on Cybercrime has to be mentioned. This Convention, opened for signature in 2001, is the first international treaty seeking to address Internet and computer crime by harmonizing laws, improving investigative techniques, and increasing cooperation among nations. Seventeen years later, it remains the most relevant international agreement on cybercrime. Membership keeps growing, and both the quality of implementation and enforcement and the level of cooperation between signatories keeps improving. Russia, China, India and other major powers have refused to ratify the Budapest Convention, arguing that the ratification of the Convention would be in violation of their sovereignty. However, it has to be understood that cyberspace is non-territorial, thus the investigation and elimination of cybercrime requires an extensive cross-border coordination and cooperation. The international legal framework must be adapted to the reality we are facing to day – it has to be applicable, practical and must be able to protect critical infrastructure as well as respond to ongoing attacks.

From the practical side of things, the preparation and ratification of a new international and comprehensive cyberspace convention is likely to require intensive diplomatic efforts over many years, and even then a positive outcome is not guaranteed. But the Budapest Convention has proven that we are capable of working in this direction, that we are able to agree on some basic principles. Therefore, the prevailing scepticism about our common ability to reach a general agreement on how to combat cybercrime is unfounded, even disruptive. The dialogue on such an international agreement should be based not on a political game of push and pull but rather on practical cooperation in defining collective position on information or behaviour in cyberspace that would de facto be detrimental to any country, regardless of political ideology. Only through cooperation will we be able to provide an effective international strategy to combat cybercrime. It is an issue of national security for most states around the world, and an international agreement will not only help to improve the security of individual nation states but will also help to ensure the stability and development of the global economic and financial system.

Rihards Kols

Member of the Saeima of the Republic of Latvia