The global cybersecurity debate will be more fractious in 2019, following significant controversies in both the United Nations (UN) and International Telecommunication Union (ITU) on cyber policy. Infringements of norms by major players could reduce other states’ willingness to abide by them and, as the primary operators of the global Internet infrastructure, businesses will continue to be caught in the crossfire.
In 2019, policy solutions will be harder to achieve, and the risks of cyber conflict will increase until states find an incentive to cooperate. While there won’t be a cybersecurity angle at the major ITU conference this year (the World Radio Conference concerns itself primarily with spectrum usage issues), the debate will proliferate into new venues, including a likely renewal of the Global Conference on Cyber Space (GCCS). While the 2017 GCCS, in India, was focused primarily on that government’s priorities, the 2019 host (TBD) has a chance to harness and reinvigorate the international policy dialogue.
For example, the Asia-Pacific region, which is rapidly improving its national cyber policies and capacities, could serve as a global example — both good and bad. Viet Nam’s recently-enacted cybersecurity law criminalises public criticism of the government, mandates data localization, and grants authorities access to private data without a warrant. Conversely, Singapore’s recent creation of a regulatory framework to protect essential services and to invest in skills and defence training demonstrates an understanding that cybersecurity requires a sustainable ecosystem focused on both immediate and long-term actions.
In 2019, we will likely see a proliferation of cybersecurity laws like these in Asia, particularly Indonesia, and will need to monitor how they balance freedom with security. Leaders like Australia, Singapore, and Japan are already providing invaluable assistance to less-developed countries in the region. With a growing commitment to mutual defence, adoption of cyber norms, and regional-level capacity building, the Asia-Pacific region is responding to the significant geopolitical risks facing it.
We will also see a proliferation of threats — ranging from denial-of-service and ransomware to data theft — and their perpetrators, whether criminals, hacktivists or nation states. Cyber action will continue to be a low-intensity, low-risk operational methodology for nation states: Chinese theft of sensitive data from the Office of Personnel Management in the US resulted in the loss of security clearance information, personal details and fingerprints of millions of people. It will also continue to be used as a precursor to kinetic attacks, as we have seen with the Russian government-affiliated attacks on Ukrainian government and military targets.
As we saw with the leak of Shadow Brokers materiel, which was repurposed for use by criminals and the North Korean government, the continued proliferation of cyber weapons by nation-state actors will continue to aid less sophisticated actors in acquiring advanced tools, with corresponding effects on other targets. Last year alone, Facebook announced that hackers accessed the accounts of up to 50 million users, and the Under Armour data breach affected an estimated 150 million users.
As cyberattacks continue to grow in scale and scope, governments will face increasing pressure to protect their own infrastructure and establish a framework for industry. As such, we should expect the continued proliferation of norms in 2019. Late last year, the UN General Assembly established a short-term UN Group of Governmental Experts (UNGGE) and an Open-Ended Working Group (OEWG) to study the normative behaviour of states in cyber conflict and to discuss cybersecurity in the international arena. The working group will aim to build consensus for norms that will guide the establishment of legal concepts within cyberspace. In addition, the UN Global Commission for Stability in Cyberspace will continue to build on its proposed norms, offering a more multistakeholder perspective on how normative behaviours can be created and enforced.
The outcome of these groups, though, will depend on the commitment by individual states to follow the international principles and overcome policy challenges, such as:
- Selecting which norms they want to promote and adopt at the national level, which will impact the way that states deal with private infrastructure in their cyber operations.
- Ensuring appropriate protection of civilian critical infrastructure between military and intelligence resources while coordinating with industry.
- Fostering public trust within laws and regulation without creating secondary effects such as weakened encryption or content censorship.