Section 1: Emerging technologies will fundamentally change the nature of cyber risk
Cyberspace has rapidly become essential to the daily life of individuals, governments and businesses. Yet this exponential increase in activity also makes it easier to use and access data for malicious purposes. Cyber attacks are increasing in number, sophistication, scope and impact. In this context, cyber security is arguably the most salient non-traditional security issue on the global agenda.
Emerging technologies such as the Internet of Things will increase the complexity of networks. Other disruptive technologies, such as unmanned aerial vehicles, additive manufacturing (such as 3-D printing), new home appliances or autonomous vehicles, may also shake up established business practices and create new security threats. Cyber risks will become increasingly interconnected with other global risks.¹ Much of this evolution is already apparent.
Companies in almost all sectors are exposed to cyber threats, with the potential for causing enormous damage in terms of reputation and physical losses, liabilities, and regulatory costs. Unchecked, growing cyber threats risk curtailing technical and economic development on a global scale.
Section 2: An inadequate global cyber governance framework
Cyber attacks respect neither state nor organizational borders. A holistic and global approach to cyber governance is therefore vital. Despite some recent progress at the international and regional levels on norms and confidence-building measures (CBMs)², a comprehensive and functional regime of global cyber security governance is clearly lacking. In an effort to improve the situation, we undertook a detailed mapping of the rules, institutions, and procedures that form the current global cyber governance framework. This chapter summarizes the main conclusions of that work. An academic report containing this research in detail will be publicly available in the near future.
The current global cyber governance regime can be regarded as having three layers. First, there are the more technical aspects that facilitate the proper functioning of network systems. Global governance in this area is relatively effective, and is based on a multi-stakeholder model. At the other extreme of the spectrum are cyber warfare issues such as terrorism and espionage between states, or cyber attacks on critical infrastructure for political purposes. Here, effective global governance is lacking. Between these two extremes, we find the ‘gray zone’ – a sphere where the interests of industry, governments and individuals intersect. Issues addressed in this space include net neutrality, intellectual property rights, freedom of speech, non-state or criminal cyber attacks and data protection.
The ‘gray zone’ encompasses all international instruments that deal with cyber risks from a non-technical and non-military perspective. It is in this area, with its various global governance models and organizational cultures, that the international community can most effectively work to improve the current situation and facilitate the mitigation of cyber threats.
Our analysis has identified two key characteristics of global cyber governance: ideological differences and geopolitical tensions preclude strong and effective global governance institutions; and the current governance framework does not adequately reflect the global nature of cyberspace.
Section 3: Toward a new governance framework: challenges and opportunities
Given the shortfalls in global cyber governance and the urgent need for effective risk mitigation, there are a number of recommendations that should be considered. In the absence of state consensus, we believe there is a role for the private sector to actively lobby for a set of guiding principles to overlay the global cyber governance framework. That governance should be global and inclusive in nature, based on a multi-stakeholder approach and flexible enough to adapt to rapidly evolving challenges. The private sector should also take specific steps to mitigate cyber risk and enhance general resilience in the meantime, given the lack of effective global governance. Greater information-sharing will play a key role in developing the tools to achieve this, such as a well-functioning insurance market.
For policymakers, there are a number of steps that we believe, if taken, would allow major progress toward a more effective global cyber governance framework. Recommendations include:
- Strengthen ‘fit for purpose’ global institutions, which would include creating a G20 + 20 Cyber Stability Board and taking steps to isolate these institutions from geopolitical tensions.
- Consider creating a cyber alert system, based on the model of the World Health Organization (WHO).
- Enhance public-private cooperation, including dialogue and incentives for investment in cyber security.
- Seek to increase the representation of LDCs and civil society within the global governance framework.
1 Zurich Insurance Group/Atlantic Council (2014) ‘Beyond Data Breaches: Global Interconnections of Cyber Risk,’ Risk Nexus. Available at: http://www.zurich.com/internet/main/SiteCollectionDocuments/insight/risk-nexus-april-2014-en.pdf
2 ICT for Peace, ‘Baseline Review of ICT-Related Processes and Events: Implications for International and Regional Security’, 2014, p.44.