Speech for Seminar on “Cybersecurity: Global responses to a Global Challenge”
Madrid, March 21, 2014
Second Round table: “An international vision of cyberspace”
I would like to thank the Spanish authorities for convening this seminar on such an important topic, and for inviting me to be part of it.
At Davos in Jan 2014 I was on a panel titled “risks in a hyper-connected” world, a distinguished and expert group that included Timothy Berners-Lee, who invented the World Wide Web a little more than twenty years ago. When it was my turn to speak I decided that I had to be frank with this distinguished group and say that we seem to have almost aimlessly wandered into total dependence on digital connectivity – which was a risk in and of itself. By 2014 there will be an estimated 8 billion cell phones, half of them connected to the internet, giving close to 80 percent of the population some form of connectivity. For many of us, the first thing we do in the morning and the last thing we do at night is look at our smart phone. We use the internet to check our email, the weather, stocks, and the news; we pay taxes; vote; arrange trips; receive healthcare; and of course, conduct business online. Just think how our foreign ministries have changed from boats and pouches to faxes and cables to now 24/7 availability.
In 1999 Kevin Ashton, cofounder and executive director of the Auto-ID Center at MIT, coined the phrase “the internet of things” to describe a system in which the internet is connected to the physical world through conventional sensor-laden devices. Today, according to Cisco’s 2013 Security Report, it is estimated that 50 billion “things” are connected to the Internet, a number that will increase exponentially as technology continues to become more affordable and widely available.
Furthermore, the growth of multi-billion dollar businesses such as Facebook, Twitter, Instagram, Google and Yahoo; the increase in virtual services offered by entrepreneurs; and the endless possibilities of virtual collaborations in scientific, technical, cultural, intellectual, and educational realms – demonstrate not only the benefits of the Internet, but also the critical importance of its openness.
Its openness coupled with our growing use of the internet has enabled an explosion in data. Big data we call it. In using Big Data, we have created a digital economy which is driving business and investments at exponential rates, and increasingly, driving political decision-making and the relationships between citizens and their governments and each other.
This latter point is one that is often overlooked: what are the socio-economic impacts of digital connectivity on our daily lives? Maybe I should coin the phrase: the “Internet of People,” acknowledging that our generation of data and dependence on the internet has no doubt raised the quality of life for many. Today, knowledge is democratized more than ever before. The internet has changed the way individuals communicate and collaborate; the way corporations do business and governments communicate and interact with their citizens. It has revolutionized the way privacy is viewed with the advent of new media such as Flickr and YouTube. Or a developing country example of the mobile banking system in Kenya called MPESA. And now, more so than at any time in history, opportunities for education and information and services to all citizens regardless of their remote location – abound.
As a result, the internet was created with few controls built into its architecture to regulate and secure the data passing through networks – after all, implementing too many controls would be counterintuitive to a system meant to facilitate sharing. Today, we are starting to see the downsides of, and the risks associated with, loosely regulated hyper-connectivity.
Despite our investments in research and development to improve the Internet, cyber criminals are investing their time and efforts in researching their targets and strategically planning their attacks to profit their own illicit business ventures. It is estimated that cybercrimes cost the licit global economy more than $1 trillion each year.
Cyber security is by its nature a transnational issue. The internet knows no borders. Although Bhutan and Belize are geographically thousands of kilometers apart, they are cyber neighbours; problems in one country can have instantaneous effects in the other – this is what is meant by virtual borders – these borders can be crossed in microseconds. In considering the international implications of cyber threats that easily transcend geographical borders, more must be done to build partnerships and cooperation. We must match the efforts of cyber criminals who cooperate seamlessly, regardless of language or physical location. In our efforts, we must adapt our global governance and structures to address cyber crime, and recognize that due to the very nature of the internet, traditional tools for governance cannot be applied.
Unlike physical crimes, when a citizen is victimized by cybercrime, there is no guarantee that the perpetrator is in the same country, making law enforcement difficult indeed. A cyber attack can be directed from country A, use malware stored on servers in country B, be routed through countries C and D, and target a company in country E. What are the chances these countries have similar legislation and technical abilities to investigate cyber incidents? Almost zero.
This is because law enforcement agencies often lack procedures, tools and trained personnel to handle cybercrime. One would think that combining forces to catch cyber criminals would add to something greater than the component parts, but this is not always the case.
The debate as to whether there is a need for a universal agreement to govern international cooperation on cyber issues is ongoing, and cybercriminals are not waiting for us to make up our minds. I call them cyber cartels, and just as we have seen the balloon effect in the illicit drug trade, we know that cyber criminals have capitalized on the lack of coordination and capability in areas of weak institutions and gravitate to the relative safety of legal black spaces to enhance their illicit businesses.
National and Global Security strategies must therefore adapt to the transient nature of the cyber world. The OAS Cyber Security Strategy launched in 2004 has continuously enlisted best practice expertise like the Spanish technicians from government, the Guardia Civil, CCN-CERT, and the Center for Industrial Cyber Security to assist in guiding the governments of OAS Member States in the development of cyber security capacities. Spain’s national security strategy includes salient portions on protecting critical infrastructure from digital threats and employing an integrated and multi-stakeholder approach to improving national cyber regimes.
We have heard from Interpol, but another model of regional cooperation and integration, Europol, has a number of praiseworthy initiatives to battle cybercrime. From EC3 – the European Cybercrime Center – to its partnership with Microsoft, to the International Cyber Security Protection Alliance, Europol has developed into a world leader on cyber issues. The OAS maintains similar programs and initiatives, and in many ways seeks the sort of regional coordination that appears, at least from the outside, to come so naturally to European institutions.
The OAS has taken other extraordinary measures to address the gaps between the abilities of cyber criminals to violate networks and the capacity of governments to secure them. In 2006, there were six national Computer Security Incident Response Teams (CSIRTs) in the Americas. Today, thanks in large part to tailored assistance from the OAS, that number stands at 23 and is growing. Since 2011, we have helped three countries develop and adopt National Cyber Security Strategies, which seek to outline an organized and sustainable approach to harnessing and strategically employing cyber assets at the national level. In 2014, we will help three more countries draft such strategies.
It is also worth noting that the Budapest Cybercrime Convention is the first international treaty that criminalized certain behaviors in the cyber-sphere and contains a series of powers and procedures that facilitate investigation of these crimes. While some might argue it is outdated and euro-centric, non-European countries have signed or acceded to it, including OAS Member States such as Canada, Dominican Republic, Panama and the United States, with several others invited and considering accession, including Argentina, Chile, Colombia, Costa Rica and Mexico. Within the context of the OAS, the Meeting of Ministers of Justice and Attorneys General of the Americas (REMJA) called on member states to recommend that “those states that have not yet done so, assess the usefulness of applying the principles of that Convention and consider the possibility of adhering thereto, and of adopting the legal and other measures necessary for their enforcement.”
I raise this international instrument as an option for international cooperation on this pressing issue. The tenets of the Convention align with the fundamental principles of freedom of the Internet and recognize that we cannot achieve information security alone. Rather, we require mechanisms for information sharing and harmonization of terms and crimes to secure the convictions of online predators.
As we adapt to this dynamic digital age, cyber security raises parallels with the quintessential security questions that have defined our societies for centuries. What is the government’s duty in keeping us safe? Undoubtedly, technological advances have the power to enhance our liberties. Knowing the benefits the internet provides but also its ability to become a vehicle for government abuse, we must ensure that it becomes a tool which protects and enhances our freedoms, rather than limiting them. We must be careful that in our attempts to secure the internet, we don’t stifle the very purpose for which it was created: to promote the open flow of knowledge and exchange of information. How do we find the balance between security and personal freedoms? As we seek to promote greater partnership among those of us employing the internet for good, we need to take into account balanced governance. This issue is exceedingly difficult.
Recent events, such as Edward Snowden’s revelations on government surveillance programs; the malware-related theft of data of more than 50 million credit cards from Target servers; and more recently, the massive cyber identification of demonstrators in Ukraine, have caused many to lose trust in the ability of states and business to manage and govern the Internet.
In our new reality of the Internet of Things connecting people, processes, and data, anytime, anywhere, any device — the Internet must be seen as a facilitator for freedom, economic growth, and efficient services.
Our call to action today could look like this:
1) We need to ensure resilient states by building best practice models to ensure robust national strategies, like the example of Spain I discussed earlier.
2) These strategies need to be inclusive to ensure resilient communities, businesses and academia, and each subcomponent should have its own best practice strategy. Think of Target and the loss of 50 million credit card swipes. There are simple things that we can all do to protect ourselves, like we would do with our household security.
3) We desperately need smart global governance that builds on models like Interpol, the OAS and Europol, which balance the power of the digital world while understanding the risks; harmonizing laws, nomenclature, citizen bill of rights and responsibilities, etc.
4) Finally, let’s keep in mind that this is not impossible and that we are not starting from zero; there are global governance mechanisms and standards that do work: ITU, WCO, Banking, IPU, etc.
I am an unsatisfied optimist: with some effort and leadership, like Spain here today, we should be able to agree to a global partnership for internet governance, one that promotes freedom of information and ensures network reliability, as the only answer to the difficulties posed by cyber insecurity today and in the future.