July 25, 2017
The significant increase in cross-border cyberattacks has been a wake-up call for the global community on the societal and political consequences of an insecure cyberspace. In order to prevent and prepare for future transnational cybersecurity challenges, governments must adopt a “multistakeholder model,” along with international collaboration and open discussions, according to a cybersecurity expert.

While governments have differing views on the role that they must play in the cyber realm, rethinking the role of the public sector in addressing cybersecurity risks is essential for effectively overcoming the challenges these risks pose, said Alexander Klimburg, a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative and author of the new book The Darkening Web: The War for Cyberspace.

Klimburg participated in a conversation at the Atlantic Council on July 17 along with Laura Galante, founder of Galante Strategies, and Jane Holl Lute, a former deputy secretary in the US Department of Homeland Security who currently serves as chief executive officer of SICPA North America. Tai Kopan, a reporter with CNN, moderated the discussion.

Klimburg said that the most prevalent threat to the West is the “cyberwar” narrative, or conflict that spirals out of control due to outcomes that cannot be predicted.

The worst possible scenario, said Klimburg, would be the “weaponization of information.” In such a scenario, he said, sensitive pieces of “information become pawns in a game that can be sanctioned only by the government.”

Referencing Russia’s meddling in the 2016 US presidential election, Lute remarked on the public outrage surrounding the incident. Given that the Internet “represents such a universal good for so many,” she said, it then “begs the question of who will keep it good.”

Klimburg added that the only way to avoid these attacks is to have a “full commitment to the multistakeholder model” on how the Internet is run. Government leaders must also encourage proper segmentation of how discussions on cybersecurity and Internet security issues are held. He said such discussions on varying aspects of the problem should be conducted “seperate[ly], so they don’t contaminate each other and fundamentally endanger the Internet as it is today.” This is essential, he said, because “without the free Internet there is no free speech, and without free speech, we don’t have a free society.”

This is most evident in authoritarian states where leaders fear the freedoms afforded by cyberspace will “encourage dissent” among citizens, resulting in “some type of uprising planned and conducted through the Internet,” said Klimburg. Such fears are not entirely unfounded; social media served as a convening space for staging the 2011 Arab Spring uprisings.

Interactions through cyberspace can be a physical threat to the authoritarian government itself, said Klimburg, adding that, in response, many attempts have been made by authoritarian governments, such as Russia, to alter the structure of the Internet. Klimburg stated that these nations “see information as a weapon,” and view “the Internet as the only way to ensure the stability of their regime[s].” Therefore, their goal is to remove all influences that the civil society or public sector may have.

Galante compared the views of Russia and the United States on this issue as “two ships passing in the night.” She said that while some countries “see information as the main currency,” as Russia does in its disinformation campaign, the other side views “cyber as a technical realm.” Galante explained that Russia has been advocating for the “sovereignty approach,” or the view that cyber space should be treated as sovereign entity by all countries, for the past sixteen years, articulating that “cyberspace can be sovereign.” According to Galante, Russia’s hacking of the Democratic National Committee (DNC) servers during the 2016 election campaign constituted a violation of sovereignty. It is thus crucial for the United States to determine how nations “exhibit power in this domain and how [the country] define[s] the domain,” she said.

An additional facet to the problem is the lack of trust in institutions, said Klimburg. As written in his book, today, only 20 percent of US citizens approve of the mainstream media, and only 6 percent approve of the US Congress. This lack of trust, Klimburg said, can be detrimental to the cybersecurity of the United States; the disconnect between the public and these institutions create vulnerabilities in which potential hackers can strike. Given these numbers, he said, it is “no surprise that the US is such a soft target” in comparison to other European nations. Lute added that “the public’s trust in institutions globally has collapsed,” and these institutions must “go back to fundamental principles” and “architect trust in public places.”

Referring to the private industry, Galante asked “what is [its] duty to share with the rest of the world… given that [it] know[s] the implications.” Klimburg suggested that “open, transparent conversation[s]” and “public discussion” are key when approaching these dilemmas.

Lute argued that the key role of the government should be how the United States “distribute[s] responsibility for cybersecurity,” such as informing users and manufacturers of actions they can take to reduce gaps in cybersecurity. Given that “unpatched vulnerabilities” pose a major threat, Lute also noted that a multilateral approach to protecting cyberspace is crucial, stating that “multilateralism is multistakeholderism.”

“Responses to cyberattacks [don’t] have to be cyber,” said Klimburg, adding that governments can access diplomatic, military, and economic means to combat the problem. However, he warned that nations “still have trouble communicating... what the certainty of attribution actually means.” Moreover, attacks may be considered “false-flags,” or operations in which the perpetrator purposely misleads all attempts at attribution. By providing a false-flag cyberterrorism attack as a possibility, Klimburg concluded that even if the United States disclosed the source of the attack, the lack of public trust would be detrimental to carrying out a strategic response. “That would be the ultimate win in information warfare,” said Klimberg, “to weaken the trust in your adversary.”

Xiaojing Zeng is a communications intern at the Atlantic Council. 

RELATED CONTENT