International cybersecurity treaty might not be achievable, report says

Lawmakers have pledged to make comprehensive cyber legislation a top priority.

An international treaty to establish regulations for computer security might be unattainable, according to a new report by the EastWest Institute think tank.

"It could take years to arrive at a global treaty on cybersecurity, since many states are not ready for it -- and perhaps never will be," concludes the study, which is based on ideas gathered during a May 2010 international summit sponsored by the Brussels-based institute.

The organization's leaders determined that cybersecurity legislation isn't the best fix for the frail digital economy. Voluntary private sector agreements and international standards are more practical avenues to pursue, they said. The report comes as lawmakers in both chambers have pledged to make comprehensive cybersecurity legislation a top priority this Congress.

In the same vein, a cyberwar pact outlining which networks and data should be off-limits in times of conflict might be impractical, according to EastWest. The Defense Department, recognizing that cyberspace is terrain for warfare, established a Cyber Command last spring as a new military wing. "This new idea of war raises troubling questions -- for instance, is it acceptable for one country to attack another's hospital databases? How about the flight systems that support passenger planes in the air?" the study's authors asked. "While cyber conflicts have the potential to hurt citizens as profoundly as conventional battles, we do not have a Geneva Convention for cyberwar" that would protect civilians.

The institute posits provocative scenarios, such as this: "In an overseas factory, a foreign agent inserts malicious logic into a batch of computer chips. Months later, a logic bomb is activated in the chip, which sits inside a Pentagon computer." Chips and other components in U.S. government equipment are susceptible to tampering because the global supply chain is difficult to secure, the report noted.

The researchers maintain tech giants and smaller startups cannot afford to be burdened by overly rigid international regulations, so EastWest instead is promoting standards -- a measurable scale like a thermometer -- that governments and businesses can use to assess the integrity of products and services.

Some computer security experts say global treaties are workable, pointing to precedents such as the Convention on Cybercrime of the Council of Europe. The binding international instrument, which covers 30 countries including the United States, Canada, Japan and South Africa, serves as a guide for developing national legislation against crimes committed via the Internet and other computer networks. The agreement mainly deals with copyright infringement, computer-related fraud, child pornography and violations of network security.

The cyber crime convention is a good example of how treaties can be accomplished, said Evgeny Morozov, a visiting scholar in the liberation technology program at Stanford University, who studies the Internet's effect on authoritarian states.

As for cyberwar, existing rules, including the Geneva Convention, can be updated to address digital conflicts, said Evgeny, the author of The Net Delusion: The Dark Side of Internet Freedom (Public Affairs, January 2011). "Essentially, many of the parameters are the same; for example, the proportionality principle. I'm not sure what's so special about cyber that these principles suddenly no longer work," he said, citing, the mandate that a state is allowed to defend itself in righting a wrong as long as the response is proportional to the injury suffered.

Jessica R. Herrera-Flanigan, former senior counsel for the Justice Department's computer crime arm, said treaties could be an effective tool to safeguarding the Internet, but will require complex negotiations. The cybercrime convention took years to compile due to disagreements over hate crimes, she said, noting that protected speech in one country could be illegal in another.

Establishing an overarching treaty, in concert with voluntary principles, might be the best approach, she said.

A cyberwar pact would require a separate treaty, said Herrera-Flanigan, now a partner at the Monument Policy Group consulting firm. Such an agreement would have to address where boundaries should be placed in terms of affected networks. "Do you put limitations on attacking hospital systems of other countries?" she asked. Digital patient records and school system networks should probably be off-bounds, she noted.

Another aspect of cyberwar that might require treaty stipulations is information war, where one nation state releases disinformation, private information or propaganda about another country. WikiLeaks, a website that dealt many countries a black eye by posting sensitive State Department diplomatic cables, underscores this issue, Herrera-Flanigan said.

EastWest officials on Tuesday said standards and voluntary agreements across nations are easier to implement because they permit the private sector, which controls much of the technology, to take charge.

Since industry carries the major burden in protecting critical information infrastructure and is responsible for complying with agreements, the sector plays a much larger role in policy formulation than is traditionally the case, said Franz-Stefan Gady, a foreign policy associate with EastWest.

Applying Geneva Convention concepts to cyberspace would be too difficult because of the anonymous nature of the Internet, he added. To build trust, major nations with widespread Internet penetration could compose a code of conduct for cyberspace that would focus on each country's vulnerabilities rather than threats, Gady suggested.

"This code would contain provisions of who to hold responsible for cyber crimes originating from nation states," he said. "Following the code of conduct, governments would decide upon cyber risk reduction centers set up in the various defense ministries, notably in Russia, China, India, the United States and major European countries. These centers, permanently staffed and linked with each other, should reduce misunderstanding and tensions in times of crises."