Cyber Security: Policy Dilemmas in the Fifth Domain

There are few developments that had the same impact on global operations at every scale as the advent of the internet. Once thought to be a luxury only developed countries could afford, the internet and information technology has not just spread to the developing world but has also grew more rapidly in lower income countries than the higher income ones in which it originated.¹Andrea Calderaro and Anthony J. S. Craig, “Transnational Governance of Cybersecurity: Policy Challenges and Global Inequalities in Cyber Capacity Building,” Third World Quarterly 41, no. 6 (June 2, 2020): 917–38, https://doi.org/10.1080/01436597.2020.1729729. With the growth of the internet, however, also came security concerns regarding both information stored on the internet and the potential abuse of more sophisticated cyber technology. Cyberspace and the pervasive realm of the internet has now been internationally recognized as the “fifth domain” of warfare after outer space. Just like with outer space, there is international concern on equitable use of this new domain and safeguards against its weaponization. However, the speed of its growth and its use at the most individual level in society gives rise to completely unique policy dilemmas in the field of cybersecurity.

While the United Nations Group of Government Experts on cyberspace (established as early as 2004) has reaffirmed through consensus that the principles of “international law, state sovereignty, and human rights” apply to cyberspace,²Arindrajit Basu Lau Irene Poetranto, Justin, “The UN Struggles to Make Progress on Securing Cyberspace,” Carnegie Endowment for International Peace, accessed May 25, 2023, https://carnegieendowment.org/2021/05/19/un-struggles-to-make-progress-on-securing-cyberspace-pub-84491. this is about as far as consensus has been able to reach. There remains contentious debate amongst states on the fundamental issues such as what constitutes a “cyberattack.”³Shruti Bajaj and Dr Rajesh Kumar Singh, “COMPARISON OF CRIME OF DIFFERENT COUNTRIES—CYBER CRIME,” n.d. Differing views on the notions of state sovereignty, private sector influence, and government attitudes on information sharing resulted in substantially different policies on maintaining high standards of cybersecurity.⁴Bajaj and Singh.

This article identifies three major areas of consideration that cause these differences in cybersecurity policy. Firstly, the approach taken by a state in defining “cyberattack” or “cybercrime” (depending on if a state draws a distinction between the two); secondly, the extent a state is willing to collaborate with the private sector/business in achieving cybersecurity and finally, the extent a state is open to international cooperation, information sharing and multilateral approaches to enhances defenses against cyberattacks.

Defining “Cyberattacks”

The way a country chooses to define cyberattacks in its strategic documents can provide significant insight into its approach to cybersecurity. Most Western states explicitly define (or at the very least mention) the term cyberattack as a unique security threat, while many others (such as Australia) further distinguish between “cyberattack” and “cybercrime”.⁵Bajaj and Singh. Yet, even within Western nations, there are differences in how cyberattacks are defined which in turn reflects the defensive priorities of the state. For example, Britain’s Cyber Security Strategy (2011) defines cyberattacks more narrowly as attacks with objectives to “steal sensitive information.”⁶Bajaj and Singh. In contrast, New Zealand takes a broader approach and defines cyberattacks as attempts to “undermine or compromise the functions of a computer-based system.”⁷Bajaj and Singh. The scope of the definition influences how focused each country’s defense strategy is. Some, like the UK, may prioritize the guarding of information in critical infrastructure while others like New Zealand may pursue general user security.

In the same vein, countries that wish to maintain more ambiguous cyber polices may not mention the word “cyberattack” at all. Official policy documents from both Russia and China do not mention the word “cyberattack” but rather mention “information security” or “computer information crime.”⁸Bajaj and Singh. This serves a dual purpose. Firstly, in Russia’s case, it allows the government to take a more flexible approach when dealing with cyberattacks conducted by its own citizens in other states. It allows Russia to be more flexible in the crime it chooses to indict, the types of liability and create barriers to extradition. This was seen in the Vladimir Drinkman case.⁹Tim Maurer, “Why the Russian Government Turns a Blind Eye to Cybercriminals,” Carnegie Endowment for International Peace, accessed May 24, 2023, https://carnegieendowment.org/2018/02/02/why-russian-government-turns-blind-eye-to-cybercriminals-pub-75499. Vladmir Drinkman was involved in a 160 million dollar credit card hacking case in New Jersey and pled not guilty. Russia attempted to block extradition. Secondly, these terms help forward the “information sovereignty”—or state control over its own cyber networks—agenda that the Russo-China bloc forwards in the United Nations.¹⁰Lau, “The UN Struggles to Make Progress on Securing Cyberspace.” Such a “government-first” approach increases the executive’s control over cyber policy and prevents the public from potentially learning of weaknesses in the state’s critical infrastructure.

Influence and Importance of the Private Sector

 The extent to which a country views its private businesses as an important interest group influences cyberpolicy in two ways. Firstly, it defines how much a state is willing to collaborate with private business on developing mechanisms/hiring workers which could be used to defend critical national infrastructure. The private sector has long had more incentives to develop online data protection mechanisms to safeguard against competitors. Thus, states which partner with the private sector may be quicker in identifying attacks on their online platforms. Countries such as the United States have partnered with non-governmental entities such as the Multi-State Information Sharing and Analysis Center which provides state/federal agencies with professional assistance on information security.¹¹“Multi-State Information Sharing and Analysis Center,” CIS, accessed May 25, 2023, https://www.cisecurity.org/ms-isac/. Other countries have made private-public sector partnerships a formal part of their cybersecurity policies. For example, Australia’s 2009 Cybersecurity Strategy explicitly mentions “cooperating with businesses” as one of its priorities.¹²Bajaj and Singh, “COMPARISON OF CRIME OF DIFFERENT COUNTRIES—CYBER CRIME.” Creating partnerships with the private sector keeps the government up-to-date with latest developments/threats in the cyber realm as it is often companies that are the primary target of online criminals before they shift to state-owned platforms. At the same time, however, governments must be willing to display a certain degree of transparency regarding its own online capabilities—which is a cost not every state will be willing to pay. In addition, corporatization of security efforts creates its own complications in terms of industry competition and the lines between public and private security software/applications may become increasingly blurry.

Secondly, having secure internet access has become a prerequisite for successful business operations. This applies equally to both the developing and developed world, as exemplified by the huge loss of nearly 20 billion NOK to Norwegian companies due to cyberattacks in 2012. This occurred after cyber criminals/hackers chose to target not just government technology but also the oil/gas sectors and high-tech industry in general.¹³Bajaj and Singh. Similarly, in developing countries, there is not only risk of financial losses but also loss of privacy for businesses. This can be seen in the case of the hacking of Aadhar personal data base in India after which private information was being sold for as low as $7 over WhatsApp.¹⁴Michael Hill and Dan Swinhoe, “The 15 Biggest Data Breaches of the 21st Century,” CSO Online, November 8, 2022, https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html.

If a state values private investment and the growth of commercial industry, it will prioritize creating a secure cyber environment. Here, defending against cyberattacks and breaches of online privacy have not just security-oriented incentives but also financial ones. The United Kingdom is among the states that follow this mindset, with its 2011 Cyber Security Strategy stating its foremost objective is to make the UK “one of the most secure places in the world to do business in cyberspace.”¹⁵Bajaj and Singh.

International Cooperation

It is fairly common for cyberattacks within one country to be launched by hackers present in another country using technology/software which are not well-known in the victim state.  Bearing this in mind, it seems reasonable for countries to share information regarding potential threats and defense mechanisms. This would also greatly assist developing countries who do not always have the resources to independently develop costly defense software.

However, significant disagreement remains on the norms for international cooperation on cybersecurity. The only existing global framework in the Budapest Convention. Introduced by the Council of Europe but open to accession of all states, the Convention provides a collaborative criminal justice framework on how to define, investigate and punish cybercrime. It also encourages international judicial cooperation on “cybercrime and e-evidence.”¹⁶“The Budapest Convention on Cybercrime: A Framework for Capacity Building – Global Forum on Cyber Expertise,” accessed May 29, 2023, https://thegfce.org/the-budapest-convention-on-cybercrime-a-framework-for-capacity-building/. Since the Convention takes such a strongly multilateral approach, however, it is not surprising that several important actors remain a non-signatory of the convention including Russia, China, India, and Pakistan.¹⁷“Budapest Convention – Cybercrime – Www.Coe.Int,” Cybercrime, accessed May 26, 2023, https://www.coe.int/en/web/cybercrime/the-budapest-convention. Rather, countries like Russia and China are pursuing a more “individualistic” approach to cybersecurity where no country is compelled to divulge information about its own cyber defense (or offense) capabilities (or lack thereof).

Interestingly enough, countries like Russia and China are still using multilateral forums to make this individualistic strategy a global norm, as seen by Russia’s successful establishment of a UN Open Ended Working Group in 2019.¹⁸Allison Peters, “Russia and China Are Trying to Set the U.N.’s Rules on Cybercrime,” Foreign Policy (blog), September 16, 2019, https://foreignpolicy.com/2019/09/16/russia-and-china-are-trying-to-set-the-u-n-s-rules-on-cybercrime/. Hence, while the need for global cooperation in achieving cybersecurity is becoming increasingly clear, the way a state chooses to approach such collaboration will depend heavily on how willing it is to participate in information sharing schemes.

Conclusion

The decisions a state makes about its cyber strategy are influenced by a multitude of factors including economic incentives, defense priorities and even its foreign policy strategy. Yet, as the internet continues to develop at an increasingly rapid pace, the decisions a country makes must be both time-sensitive and cognizant of potential costs. With the pandemic encouraging practically every industry to pursue online platforms, securing against online threats has become more important than ever before.

Pakistan must also take the aforementioned policy dilemmas into account as it refines its own cyber strategy. The country currently ranks at number 79 on the Global Cybersecurity Index,¹⁹“Global Cybersecurity Index,” ITU, accessed May 25, 2023, https://www.itu.int:443/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx. hence has yet to take significant steps towards defending its users in the Fifth Domain.

My opinion on how Pakistan should consider tackling the gaps in its cyber policy are as follows: Given the rather volatile state of Pakistan’s federal government in recent years, private sector collaborations seem necessary in order to expedite the process of creating a secure interweb network. Here, the government can retain a degree of executive control by only extending collaborating to specific areas of immediate priority. For example, partnerships can be created to strengthen NADRA’s biometric verification system, which was already targeted by hackers and resulted in over 13,000 fake mobile SIMs being generated.²⁰Javed Hussain, “Nadra’s Biometric Data Has Been Compromised, FIA Official Tells NA Body,” DAWN.COM, 17:42:51+05:00, https://www.dawn.com/news/1660199. Finally, Pakistan should also consider acceding to the Budapest Convention. Isolationist policy on cyberspace will likely leave the country more prone to hackers from abroad. Rather, signing the Budapest Convention before either of India and Israel will provide Pakistan higher ground in foreign policy negotiations over cyberspace.