The past decade has been earmarked by serious accusations of foreign powers meddling in the political and national security affairs of different countries. North Korea and Iran have been regularly accused of causing major destabilizations to the sovereign states’ IT infrastructure and systems across the world. The most serious of these allegations involved the major countries of the world – United States, Russia and China have repeatedly traded accusations against each other for meddling in each other’s elections and spreading ransomware among other things.
Image Source: Belfer Center
A central question that remains is – “why has the world not agreed on a single system of regulating the cyberspace”? In the second decade of the 20th Century, international law has matured to a level where the leading countries of the world can sit on this matter and agree on a pathway towards regulating cybersecurity in the shortest amount of time imaginable. However, this has dragged on for so many years.
Starting by Regulating Non-State Cyberterrorists
Earlier this year, 2021, there were many ransomware attacks against mega firms in the United States that was blamed on private small-scale hackers who sought to take advantage of an unregulated cyberspace.
For the most part, international law evolved on the backdrop of dealing with hostis generis humani, which were groups accepted to be dangerous to all human groups and communities. The one group that were most affected by this convention among states were pirates who were seen as people who owed allegiance to no country and were predisposed to cause damage against any government or state. Thus, the international community built on the conventions of the Treaty of Westphalia and made reasonable laws that laid the foundation for today’s war crime and general crimes against humanity.
Today, non-state actors who commit crimes against large sections of society are captured by aspects of international law that can be used as basis to enforce laws against a large array of possible “universal crimes”. Typical examples include terrorism and war crimes.
The same preamble can be applied to the broader set of non-state cyberterrorists who include people engaged in acts that are against the very spirit of the internet and constitute crimes in different parts of the world. This could include scammers and ransomware attackers who take advantage of the loopholes in the cyberspace.
Russia and America’s New Cold War and the Cyberspace
The United Nations has led negotiations for the creation of a framework to deal with ransomware and other attacks on the cyberspace. However, the United States and Russia have major misgivings about each other’s proposals.
America proposed the Group of Governmental Experts (GGE) framework which involves experts from 25 countries working in their personal capacity to formulate laws and agreements to ensure the smoot running of the cyberspace. This group is to act in consultation with major blocs around the world to create a formal system to run the global digital space.
On the other hand, Russia has led the Open-Ended Working Group (OEWG) which seeks to institute a set of non-binding norms for responsible state behavior on the digital space. This includes four key pointers that include: humanity, necessity, proportionality, and distinction. Through this, international humanitarian law will be invoked and used as a basis to form a system of laws that will be used to run the cyberspace.
A Possible Approach Forward
While the United States seek to be pursing an expert-oriented framework that would ultimately lead to specific and enforceable laws, the Russians want a principle-based system. Each of the approaches proposed have their own merits and weaknesses. America’s process is more definite and can help create a more serious framework that can be easily transposed into national legal systems for them to be enforced. Russia’s approach is quite lax but supports the principles of territorial sovereignty and respect for other nations.
The most practical approach will be to apply an expert-led definite framework as presented by the US-backed GGE to deal with non-state actors who commit crime on the cyberspace. On the other hand, for state-actors in the cyberspace, the Russian-led OEWG might be more appropriate since it allows for the respect of national sovereignty to be applied appropriately within the conventions of international law.
Directors of companies are responsible for the security of their digital assets. Therefore, it is necessary to take all reasonable measures to protect your digital infrastructure from risks in the cyberspace. Regulations to police the cyberspace internationally are still developing and will take several years to be set in motion and a few more years to be consolidated into definite enforceable laws. It is logical to infer that the regulation of small-time non-state actors on the global digital space will be regulated and early and digital intermediaries are likely to develop safeguards against such entities. On the other hand, regulating state-run cyber crimes will take a much longer time. It is therefore important for your corporate technological system to be mindful of the risk posed by state-sponsored cyber-crimes and fraudulent activities as they are more likely to be more damaging and difficult to avert in the foreseeable future.