The existing international treaty, the Budapest Convention, focuses only on cybercrime.
The internet continues to expand its reach through innovative applications that are appearing in hundreds every day. With known vulnerabilities in the platforms, and the ever expanding cyberthreat landscape, cybercrimes are growing phenomenally. These include financial fraud and identity theft, which affect citizens and corporates globally — the recent $45 million ATM heist reported in the media was conducted by criminals spread across 27 countries. There may be cyberattacks on critical information infrastructures such as banking, power distribution, air traffic control, as well as espionage. Current debate focuses on whether cyberspace is more a battleground for nations or yet another arena for traditional crimes.
Even though cyberspace is proving to be of vital importance for the economic growth of nations, the global discourse on international cooperation in cyberspace is dominated by the national security paradigm. It is acknowledged that cyberspace is a global commons, the fifth after sea, land, air and outer space. It must be navigated safely by countries for economic and social activities. But militaries must also navigate this global commons for national security. It is here that the discourse tends to get skewed, leading to differing views on cyberspace. If the intent is to gain military advantage, militarisation of cyberspace is essential. It is this view that has been dominant in the US, as is evident from the fact that cybersecurity is under the overall control of the national security advisor, not under the Department of Homeland Security. The US also declared that, if attacked, it would defend its fifth domain by resorting to proportionate attacks in any of the other four domains. The policy of deterrence is employed for cybersecurity, which is reminiscent of Cold War security.
Is the cyber threat being blown out of proportion in an attempt to continue the growing emphasis on militarising cybersecurity? The self-defence paradigm, flowing from the Law of Armed Conflict (LOAC), favours military solutions to cybersecurity. The use of Stuxnet malware against Iran was indeed a case of a nation-state using cyber weapons for destructive use. But the vast majority of cyberattacks are carried out by individuals for financial gain, which qualifies as espionage or theft — no different from crimes in the physical world. The law governing cyberspace should, therefore, be the law governing economic rights and non-intervention, not the LOAC. A cyber treaty that demilitarises cyberspace and emphasises law enforcement cooperation will promote a safe internet. Improved international governance of the internet is an integral part of this cooperation. Russia and China have proposed treaties in the UN for increased information security, and for restricting the development of cyber weapons — again driven by militarist thinking. The US, till recently, was not in favour of a global treaty restricting military use. North Korea, however, openly talks of cyberwarfare. While nation-states recognise that unilateral dominance of cyberspace is not possible, they continue the development of cyber weapons to gain advantage before a treaty takes shape.