The UK Government will host a conference in nOvember at which the major nations of the world will sit down to discuss a subject so delicate it is likely to occupy their best talkers for at least the next decade.
That subject is cyberspace, specifically the norms of what is and isn’t acceptable for countries to do to one another through, on and using a medium that 15 years on from its commercialisation is governed by technical agreements but previous few hard rules.
“We have a shared responsibility to address the challenges presented by the networked world including cyber crime that threatens individuals, companies, and governments,” said Foreign Secretary William Hague in his invitation to participants, which will include 80 organisations from governments themselves to national CERTs, policy-making bodies, NGOs, and large private companies.
"It is vital that cyberspace remains a safe and trusted environment in which to operate. This can only be done effectively through international cooperation, engaging both the public and private sectors."
The conference will doubtless be seen as another talking shop, politely low on the finger-pointing rhetoric that has made up most inter-governmental exchange on cyberwarfare, mostly up to now aimed at one country, China.
What might the delegates end up discussing?
Objective number one will simply be to get governments to agree that cyberspace has become an urgent geo-political problem, and having accepted that, to commit to coming up with a mechanism for governments to talk to one another without resorting to rote speechifying.
At some point, the G20 nations will also have to start talking about to harmonise their laws on cybercrime, a major global weakness at the moment. Some countries – notably the US and UK – have already passed into law tough legislation that outlaws domestic criminality but progress elsewhere has been slow. The template is to build on the aging 2004 Budapest Convention on Cybercrime, ratified by 30 states including, earlier in 2011 the UK, and on EU plans to outlaw certain kinds of hacking tools.
The legal initiative is important not simply because e-crime is a major drain on the world economy but because legality will be the bedrock of emerging notions on how nations can behave online. Would a nation refrain from some forms of Internet behaviour if it’s not even clearly illegal for their citizens to do so? It's hard to see how.
A sticking point here could be extradition treaties, a means for criminals operating from one country to be brought to stand trial in a second state in which they are accused of committing, in this case, cybercrimes. Even where extradition treaties exist – for example the one negotiated between the UK and the US – arguments over where crimes were committed and under which jurisdiction they should be prosecuted can consume years of argument. Just ask accused British hacker, Gary McKinnon.
This issue perfectly underlines how complex cybercrime can be for legal systems founded on notions of national sovereignty and due process.
Having somehow defined and agreed on a basic level of cyber-behaviour, how are disputes presented to be judged and what separates nefarious attacks from legitimate and pre-emptive defence?
Country A is convinced that country B is trying to hack its military and industrial infrastructure but what evidence counts? Paradoxically, although it is not easy for individuals to hide on the Internet without giving themselves away it is remarkably easy for whole countries to do so.
Attacks can be hidden using layers of proxies that hide the country of origin or are even deliberately designed to implicate an innocent party as a fall guy; deciding which country or group launched an attack or probe is often based on opaque analysis that is never made public. Even deciding whether an event was offensive or defensive is problematic. With square one beckoning, and so much weight resting on definitions of intent, suspicion could easily win out.
Clearly, the barriers to long-term progress remain immense, added to which is the difficult fact that some countries, including Iran and the totalitarian throwback North Korea, will never sign up to discuss anything. On the plus side, the Chinese will turn up to Hague’s London conference because it would look a bit odd if they didn’t and Russia – another country that claims to endorse the notion of international standards for cyber-behaviour – should be keen to attend.
The danger is that policy makers get caught up in seeing the world from the point of view of countries, ignoring the wider experience of private sector and citizens themselves, neither of which necessarily rank high on the priority scales of national cyber-defence. By inviting enterprises to the London conference, the UK Government clearly acknowledges this.
“States should be ensuring that cyberspace remains open to innovation and the freeflow of ideas and they should respect individual rights of privacy, proper protection for intellectual property, and work collectively between states to tackle the threat from criminals acting online,” said Hague on this very issue in an interview he gave to the BBC’s File on 4 radio programme earlier this month.
A consensus is emerging in some quarters, that governments should not stand back and simply allow the Internet to continue as a free-for-all. Western governments are always reluctant to dictate to commercial interests but there is no question that some form of policy intervention is back on the table in London, however privately that will be expressed. That is a natural consequence of the startling growth in cybercrime, cyber-spying, industrial espionage and IP theft that worries politicians such as Hague.
Ultimately, legality has to be the means by which acts of aggression in cyberspace should be judged because the law is accessible to all parties not simply well-resourced states able to threaten retaliation away from public gaze. Building this will take decades and will be moulded by events as yet unforeseen.
That is the shape of Internet 3.0 to come, one defined not so much by technical standards as the integration of political, legal and perhaps even social policies yet to be written down. It has been in the making for a decade but now the pace is quickening.
William’s Hague’s London conference won't change the world but it could at least be the start of some important note taking.
The Foreign Office-sponsored conference on cyberspace is scheduled for 1 and 2 November.