The days when cyberspace could be regarded as a lawless wild west are long over. The internet has become a critical part of our global infrastructure, and attacks against its core functions, especially in the context of the COVID-19 crisis, should be treated as the existential threats that they are.
The COVID-19 pandemic has shown that the internet is a critical – and uniquely global – part of our infrastructure. As challenging as the public-health lockdowns have been, their social and economic costs would be far greater in the absence of smoothly functioning digital networks.
Moreover, containing the pandemic itself will likely require better and more innovative uses of our collective data, all of which is generated online. Home offices, home schooling, and home life increasingly depend on our ability to use the internet. Protecting cyberspace is therefore an increasingly urgent task, not least because it is facing a “pandemic” of its own.
Since early March, there has been an unprecedented global increase in malicious cyber activity. Phishing attacks seeking to steal money or secrets from home-office workers have more than doubled compared to last year, and in some places, they are up six-fold. There have also been a number of attempted cyberattacks on critical infrastructure, including airports, power grids, ports, and water and sewage facilities. Even hospitals treating COVID-19 patients have been targeted, and the World Health Organization (WHO) itself has reported a five-fold increase in attacks on its networks.
In a recent communiqué to a United Nations (UN) working group on cyber issues, the Dutch government spoke for many when it said it was “appalled” by this belligerent behaviour, much of which is directed, supported, or at least tolerated by only a few governments, with Russia and China being the most reported examples. Likewise, Josep Borrell, the European Union’s (EU) High Representative for Foreign Affairs and Security Policy, has condemned these attacks as “unacceptable.” Issuing a thinly veiled threat of sanctions, he has called on all governments to abide by international law and existing political agreements governing cyberspace, the most pertinent of which involve so-called “norms of responsible state behaviour.”
Despite all the current mayhem, cyberspace is not a lawless domain. Like the seas, outer space, and other shared domains, it is subject to international law. The question is how exactly international law should apply. Countries like Russia and China have long advocated a new treaty-based approach, whereas liberal democracies have, for the most part, insisted that the entire body of existing international law should be the point of departure.
Since 2010, the compromise between these two camps has been to establish certain norms of behaviour and rules of the road on how states should conduct themselves in cyberspace. These norms – which include an injunction against interfering with critical infrastructure in peacetime – have often been violated soon after having been agreed. Yet they represent the only international consensus on what constitutes responsible behaviour in cyberspace, which means they are the only standard by which the global community can call out malicious state activity.
In these uncertain times, we clearly need more standards of this kind. Academic research has shown that while it can take years for agreed norms to be routinely upheld, new norms can help reinforce existing ones.
Fortunately, there are already two negotiation tracks within the UN dedicated to debating and finalizing new norms for cyberspace. Both the Open-Ended Working Group and the Group of Governmental Experts are now considering several proposed norms that originated from the Global Commission on the Stability of Cyberspace, which we lead. One of the most prominent is also the most urgent: a prohibition on attacking the basic “public core” infrastructure of cyberspace, including the equipment, organisations, and processes that provide for a globally accessible, properly functioning internet.
As the international community struggles to come together to fight COVID-19, political leaders and publics must recognise that the internet has become the manifestation of our connectedness. It is what unites us as a global community, and it is the medium on which our economic, civic, and family lives all now depend.
We therefore call on all governments to adopt the norm against attacking “public core infrastructure,” not only to protect this essential global domain, but also to signal a clear commitment to our shared human future. As our dependence on digital technologies deepens, success or failure in protecting the internet – a true global public good – will determine not only how fast and effectively we can contain the pandemic, but also what kind of world we will live in afterwards.