Towards an international agreement on cybersecurity


In an unprecedented joint initiative on Monday 19 July, the United States, the EU, the Atlantic Alliance and five other countries issued a public attribution of responsibility against hackers linked to the Chinese government for a massive cyber-attack last March on Microsoft's email system (Microsoft Exchange Server), which affected tens of thousands of public and private users. At the same time, they point to China as ultimately responsible for the cyber-attack and warn it in no uncertain terms of its responsibility for allowing or sponsoring such practices. If this wide-ranging and impactful attack was just one of many in cyberspace, the West's collective reaction to it could have geopolitical consequences that are difficult to foresee. If anything, it looks like a turning point.

It is clear that the time has come for the international community to mobilise to try to stem the rising tide of cyber-attacks and criminal practices deployed with impunity in cyberspace, the use of which lacks globally enforceable regulation. It is not easy to quantify the immense economic cost to individuals, businesses, public administrations and governments, in terms of theft of intellectual property, the payment of large bribes to hackers to rescue locked computer equipment, or the investment in sophisticated digital security systems to mitigate or recover from cyber-attacks. But even beyond the huge economic price tag, abusive or outright criminal practices using global cyberspace are causing political tensions, geostrategic risks and bitter rivalries between major powers.

This being the case, we face a critical geopolitical juncture in which it is imperative and urgent to negotiate and agree internationally on a conventional normative framework on the proper use and repression of criminal practices, which guarantees a free, open, secure and non-discriminatory cyberspace. We cannot afford to denaturalise or degrade cyberspace to a terrain of tension and confrontation between nations, ignoring its essential potential as a common global good, a powerful catalyst for the wealth of nations, and an effective multiplier of business productivity and citizens' well-being. An asset of global ownership, of immense potential benefit to all, cannot be reduced to a scenario of strategic competition and impoverishing antagonism, either directly or through interposed hackers.

Moreover, in the absence of such corrective political agreements at the international level, the current divergent strategic trends among the main global players will inevitably lead in the short term to a fragmentation of cyberspace into spheres of influence, mainly around the US and China, with incompatible standards, certifications and technical specifications. Let us recognise that the multilateral efforts deployed in this regard so far in the United Nations General Assembly by two specific working groups cannot be sufficient to respond to the political and geostrategic dimension of the threat we face. Among other things because the agreements of such groups, if reached, would amount to mere declarations of the General Assembly, which, as is well known, are not binding norms. Therefore, the debate and the eventual achievement of executive agreements on the proper use of cyberspace and the repression of malicious practices translated into legally binding resolutions for all should be brought before the Security Council itself.

The first of these agreements should define the responsibility of any state for malicious digital activities or criminal abuse of cyberspace carried out on its territory, or encouraged and sponsored by its authorities.

Nicolás Pascual de la Parte: Ambassador-at-Large for Cybersecurity and Hybrid Threats/The Diplomat