This is the first in what I hope will be an ongoing series about the interplay between cyber security and geopolitics. At last week’s Paris Peace Forum, President Emmanuel Macron announced the Paris Call for Trust and Security in Cyberspace. The pact, non-binding and largely lacking in specifics, still represents a coordinated effort to get countries to agree on a set of international rules for cyberspace.
Dozens of countries and corporations signed on to support the Paris Call, which builds on earlier agreements like the Budapest Conventions. Supporters are agreeing to work together to increase prevention against and resilience to malicious online activity. The Paris Call also advocates for strengthening relevant standards to protect the accessibility and integrity of the Internet, with protections for intellectual property and enhancement to “cyber hygiene” in products.
The timing was auspicious, occurring the day after the 100th anniversary of the end of World War I. Now that the soldiers of the “Great War,” as it was known at the time, have all passed into history, a new generation of world leaders appears to be taking responsibility for avoiding the next destructive conflict. The Paris Call is a recognition that cyberspace is one of the potential battlefields that could trigger a worldwide conflagration.
A lot has happened in 100 years. It would probably have been hard for those who fought in the Great War to imagine what a cyber war would look like. Yet, at the time, WWI was the most advanced technological war ever fought. It brought science to the battlefield, with tanks, airplanes, submarines, telephones, chemical weapons and so forth. From the vantage point of 1918, it would not be a big leap to assume that today’s advanced technologies will be turned into weapons.
The announcement of the Paris Call provides an opportunity to explore a topic that is emerging, both explicitly and implicitly, in discussions about cyber security and cyber policy: the tension between nation state actors and the global nature of technology. The two entities exist separately, with overlapping and deeply conflicting goals.
What’s good for the world of technology is not necessarily good for a given country, in terms of national security and economics. Highlighting the essence of this tension, neither the United States, Russia nor China signed on to support the Paris Call. That can tell us a lot. These are the world’s biggest cyber operators. They don’t want to be constrained, even by a symbolic agreement.
I asked several cybersecurity experts for their perspectives. Paul Bischoff, privacy advocate at Comparitech.com, put the US refusal in perspective, explaining, “The US is also involved in a fair deal of cyber espionage, and it has its own interests to worry about. The US is home to most of the world’s largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing Trump walk away from the Paris Climate Accord, I’m not sure why anyone would be surprised at this result.”
Colin Bastable, CEO of Lucy Security, condemned the effort, saying, “This is grandstanding by a politician, a nothingburger.” Mounir Hahad, head of the Juniper Threat Labs, similarly opined, “This initiative is DOA (Dead On Arrival). The non-signatories are the countries that are the most active in cyberspace in terms of intercepts, espionage and even offensive cyber warfare.”
“The Paris Call for Trust and Security in Cyberspace is replete with good intentions but likely short on practical results,” said Pravin Kothari, CEO, CipherCloud. “Statements of support to stop online mercenary activities and offensive activity are important and worthy of public praise and U.S. participation. That said, there is no operational legal framework within the Paris Call that can produce any new or meaningful results.”
Bastable offered added perspective, noting, “The conflict is between those who want an unregulated internet, and those who want a regulated internet. Nation states and global entities (corporations, NGOs etc.) combine to impose control. It is a three-cornered fight – globalists who want global control, nationalists who want national control, and users who want personal control.” His recommendation? He said, “We should not seek reconciliation in this conflict – conflict drives innovation. Tension between interest groups creates new technologies.”
Will this agreement have any impact? Hahad expressed doubt, saying, “One can hope that the world comes to abide by such an agreement, but it is naive to believe that we are at a point where all countries are ready to sign it. For us to reach that point, the internet has to evolve to allow for irrefutable attribution of cyber attacks and I’m sad to say that it may also require a catastrophic attack for the world to come to its senses. There is a very strong parallel with nuclear weapons.”
Kothari added, “In the absence of meaningful enforcement within such initiatives such as the Paris Call, we need to continue to call out bad actors, confront them on the world stage, and work with our allies to mitigate and contain their activity.”
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, thought it was not enough. As he put it, “I appreciate the Paris initiative, however, it falls short of being the Digital Geneva Convention. We need to go further. The only effective way to prevent significant widespread attacks will be to institute a formal agreement with a global mechanism of international penalties enforced by many countries. My hope is that the largest governments of the world will not wait for a catastrophic precipitating event to put this type of framework in place.”
The consensus seems to be that the Paris Call is a helpful step toward a real solution, but ultimately a symbolic action despite the number of endorsements it has received. The difficulty will likely be in creating an effective global mechanism of international penalties, as Bilogorskiy suggested. There are many incentives for nation states to avoid such a system, despite the risks inherent in avoiding accountability and control over cyberspace.