While Vice President Joe Biden and Russian Foreign Minister Sergey Lavrov were dealing with Syrian rebels and other conflicts, some at the recent Munich Security Conference were focused on a topic with much greater implications for global security: cyberthreats. Unfortunately, those conversations revealed how strikingly little has been done to create international norms of behavior in cyberspace and the means to punish those who would deviate from them.
At the World Conference on International Telecommunications in Dubai last year, global regulations concerning cyberspace were also discussed, but the two major culprits of malicious cyber-activity were at the table dominating the meeting. The conference largely turned out to be an attempt by China and Russia to establish more control of cyberspace through the United Nations-sponsored International Telecommunication Union. Yet it is the Chinese and, to a lesser extent, the Russians who are behind much of the pandemic of online espionage and crime that costs Americans and Europeans hundreds of billions of dollars a year.
To date, the only significant agreement on cybercrime is the 9-year-old Budapest Convention, but that treaty does not set up international operational mechanisms to hunt down and arrest cybercriminals. Nor does it do anything significant to stop the multibillion-dollar-a-year criminal enterprises that prey on the United States and Europe from many nations of the former Soviet Union.
There are, nevertheless, significant opportunities to develop international collaborations to reduce the impact of cybercrime. An international cybercrime center could aggressively go after and disconnect computer networks used to steal credit card information and other personal data. The center could have "fly-away teams" of experts who could move to and assist a country with a cybercrime problem. The center could also document the failure of certain countries to assist investigations or successfully prosecute cybercriminals. Senior government leaders then would have to decide what to do about those de facto sanctuaries, beginning with multilateral diplomatic approaches.
Tackling cyber-espionage and disruptive or destructive cyberattacks is more complicated than addressing cybercrime, but progress is possible. In Munich, I proposed that we begin with some "baby steps" on norms regarding the exploitation, disruption or destruction of certain information networks. For instance, nations ought to be able to agree on something they all appear to practice already: forswearing cyberattacks that alter or destroy the networks of financial institutions. If nations played cybergames with banking or stock market records, trust in the international financial system would be shot. Since every nation has a stake in the trustworthiness of markets and banks, it is in no country's interest to launch or tolerate such attacks.
Like-minded nations also ought to be able to agree to forswear attacks on the infrastructure that enables cyberspace: the series of routers, servers and databases that issue digital certificates used to identify trusted parties in online interactions, run domain-name addresses and manage multi-factor authentication systems. As with the international financial system, the trusted systems that make the Internet and cyberspace work must be protected.
Nations should also agree that governments should not steal data from private corporations and then give that information to competing companies, as China has been doing on a massive scale. The victims of Chinese economic espionage should seek to establish clear guidelines and penalties within the World Trade Organization system or, if China blocks that, victim states should seek to develop countermeasures and sanctions outside of that structure. The necessary initial steps, however, are agreeing on international norms governing online economic espionage.
Or, we could just continue to do nothing while Russian cybercriminals and Chinese cyber-spies steal from us without any risk or penalty.
Richard A. Clarke was special adviser to the president for cybersecurity in the George W. Bush administration.