What’s in a Word? When it Comes to Cyber Security… Everything
The recent proposed climate accord in Paris is seen as an historic achievement getting 196 countries to agree and approve an effort to dramatically reduce greenhouse gas emissions. Developed and underdeveloped nations agreed to limit fossil-fuel burning emissions with the objective of curtailing temperature to no more than 3.6 degrees above the pre-industrial average. However, prior to the final vote, a single word in the draft text was changed threatening to derail the entire 13-day effort.
The cause for the potential setback was seemingly semantic – someone substituted “should” for “shall.” While seemingly inconsequential, the adjustment proved nearly fatal for the agreement. In a section of the draft that addressed financial obligations of states, the tiny revision implied substantial new legal and financial obligations for any signatory government. After an intense investigation to ascertain if the change had been purposeful or an accident, the word was ultimately altered to its original intent thereby securing the accord’s pathway to adoption.
This almost potential deal breaker illustrates the difficulty the international community has in trying to get on the same page with cyber security where differing perceptions and terminology definitions seem to cause frequent impasses in getting countries to agree. The United States has been carrying on discussions with China and Russia on cyber security wherein disagreements on lexicon perpetually stymies progress as definition nuances remain fixed obstacles. Talks with China were put on hiatus in 2013 when the U.S. Department of Justice indicted five People’s Liberation Army officers for conducting industrial cyber espionage. However, two governments met in early December, restarting talks to help bring clarity to a domain that is anything but.
When viewing the cyber security talks between governments through the prism of the Paris climate accord, it is easy to see why governments balk when it comes to trying to find consensus on cyber issues. If fundamentally there is no agreement as to what cyber security is and what it means to each respective government, there is little hope that governments can use that as a foundation from which to find harmony on other issues such as when cyber attacks cross the threshold to war, Internet governance, and what are the acceptable actions of states in cyberspace. While the commercial no-hack pact agreed to by the G20 is a start at trying to identify activity that should not be knowingly conducted by governments, the complexities of cyberspace to include the potential use of proxies, non-state actors, and independent actors calls into question if a global agreement such as the one achieved in Paris will every gain traction or even succeed here.
The United States prefers to view cybersecurity as a technological domain concerned with preserving the confidentiality, integrity, and availability of information systems and the information resident on them. China and Russia prefer to look more holistically beyond the technology, seeing information as much of a threat as the malware or viruses that traverse it. While all three consider cyberspace a national security imperative, the inability to accept or downplay that information can be a detriment to a government’s interests will fundamentally keep these governments from gaining any significant ground. When you look at the Paris accord and how one word almost derailed a global effort, it’s easy to see why for the foreseeable future this is unlikely to change.
While there have been promising engagements between China and the U.S. and Russia and the U.S. in trying to find a common definitions in cyberspace, they have ultimately failed. In 2011, a report by the EastWest Institute showed Russia/U.S. attempts to define cyber and information security. While lauded as promising, little headway has been made since. Similarly, since 2009 China and the U.S. have been engaged in formal “Track 2” meetings on cybersecurity between the China Institute of Contemporary International Relations and the U.S.’ Center for Strategic International Studies. These talks are important venues in which to improve mutual understanding, identify confidence-building measures to establish and build trust, and clarify national intentions. However, until strides are made in finding common ground in defining key terms in cyberspace, these talks risk being held in a quagmire with neither side willing to give concessions.
Lessons to be drawn from the Paris accord can be applied to how cyber security is defined and what it entails. No government wants to risk liability – political or otherwise – because it misinterpreted what a particular word meant in a legally binding document. What this suggests is that neither the United States nor China and Russia will likely budge on “information” as a part of their respective security interpretations. It’s too vital a point from all sides – national security for China and Russia, and human rights for the United States. As cybersecurity discussions remain at a perpetual standstill, interdependency between the three nations continues to increase, suggesting everything else is moving forward. Perhaps its time to reconsider going over old ground in favor of collaboratively redefining what it is they are trying to achieve.