Today there are two parallel approaches to strengthening safety and security in cyber-space: one is top-down and the other bottom-up. The top-down version focuses on international law and security policy, and is primarily concerned with designing and implementing rules of engagement when tracing malicious cyber-attacks. The bottom-up strategy involves international exchanges of best practice for handling IT incidents, either through technical Computer Defence Exercises or by creating joint, cross-border education programmes within regional hubs. An example of the latter is the informal Nordic-Baltic Hub, created by the Swedish National Defence College and the NATO Cooperative Computer Defence Centre of Excellence in Estonia.
Cyber-security is high on today’s global policy agenda, but it is not new. In 2000, two U.S. professors, Abraham Sofaer and Seymour Goodman, proposed an international convention on cyber-crime and terrorism in a paper which drew comparisons with the legal framework and structures that effectively rid the world of civilian plane hijackings in the 1970s. Back then a relatively small body, the UN International Civil Aviation Organisation, was created by a General Assembly mandate to establish security and safety regulations for all airports with international civil passenger traffic. If host countries failed to comply with the new rules, international carriers stopped landing at their airports. As a result, the problem was more or less resolved within 18 months.
The thrust of the case made by Sofaer and Goodman remains relevant today, especially as non-UN bodies such as the Council of Europe, the Organisation for Economic Cooperation and Development (OECD) and the G8 do not have the necessary reach to deny safe havens to the spectrum of actors with malicious intent in today’s cyber-space.
The author is the Director of the Swedish National Defence College’s Centre for Asymmetric Threat Studies.