It was hard not to crack a wry smile when reading Tobias Feakin’s post on the Budapest Conference on Cyberspace. Let’s just say that the positions of the blocs settling behind a more ‘rules-based’ approach, on one hand, and a ‘norms-based’ approach, on the other, sit very uneasily with track records, both documented and rumoured.
The incongruities of diplomacy aside, the debate about a more voluntary and organic ‘norms-based’ or an enforceable ‘rules-based’ approach to cybersecurity is an important one to have.
There has already been some movement towards a rules-based approach with regard to some aspects of cybersecurity, with Australia becoming the most recent nation to sign and pass enabling legislation for the Convention on Cybercrime, a treaty acceded to by most European states, Japan, and the United States, and which covers issues such as computer-based fraud, unauthorised access to systems, child pornography production and distribution, and copyright infringement.
This very treaty, and its companion Additional Protocol, illustrate the difficulties of achieving broad international consensus on a comprehensive rules-based approach to cybersecurity. While the United States has signed up to the original convention, it is very difficult to see how, with its extremely broad constitutional protection of even highly objectionable speech, it would ever accede to a Protocol which seeks to prohibit the computerised dissemination of racist and xenophobic material.
Most pertinently, in the more traditional ‘national security’ domain, there is clearly no consensus between states as to the appropriate limits and scope of what you can and can’t do, most notably in the area of cyberwarfare and cyberespionage, and it is hard to see any likelihood of serious progress on the matter any time soon.
But Australia does have real interests in the establishment of some key norms of international behaviour in this area. Not least, the targeting of civilian, or even dual-use, infrastructure for cyberattack is something that Australia has a real interest in avoiding. While many of the more alarmist scenarios are what computer security researcher Bruce Schneier has aptly dubbed ‘movie plot threats’, a sufficiently skilled, determined, and well-resourced foe could cause considerable havoc and disruption to relatively poorly-secured civilian infrastructure. The skills and resources required would be far lower than those required to infiltrate the much more security-conscious IT systems of military and other national security establishments.
If we aren’t careful, we might find ourselves with a ‘cyber’ analogue of asymmetric warfare—well-protected Western militaries using offensive capabilities with impunity, leaving those seeking to retaliate with the choice of hitting ‘soft’ civilian targets.
So, if norms on this evolving area are to be sought, it seems to me that restraint in the use of any evolving offensive cyberwarfare capabilities would be a good place for Australia to start.
Robert Merkel is a lecturer in software engineering at Monash University.