Global cybersecurity: Do we need more law?

By Karen Sadler, June 13, 2018

“Should we be worried? Extremely worried?” That’s the question Rosemary McCarney (pictured above) opened with at the 2018 CCCA National Conference & In-House Counsel World Summit earlier this spring. As the Canadian Ambassador and Permanent Representative to the United Nations (and the Conference on Disarmament in Geneva in 2015), she’s well poised to shed light on the pros and cons of the internet as well as the steps we need to take to address cybersecurity concerns as the world gets smaller and smaller.

“I was struck by how quickly what I wanted to say even just a few weeks ago was overtaken by real-time events,” she began. “Our cyber codependency, while still offering both advantages and opportunities, will cause us some sleepless nights because it makes us vulnerable.”

Cyberthreats are in the top three of global threats reported by the World Economic Forum, and are becoming more frequent and more disruptive. However, McCarney is optimistic. She argues that the myriad of treaties, conventions, standards and norms that make up the international rules-based order we rely on to govern trade, foreign policy, commerce and war are more than sufficient to govern cybercrime and cybersecurity issues too. Is the global commons under threat? Absolutely. But McCarney strongly believes we’re up to the task of defending it.

On the next episode of Black Mirror

We live in a world where there are more interconnected devices than there are people. Even the 3.9 billion people around the world still not connected will be, as connectivity is a prime objective of governments.

McCarney urges in-house counsel to think about the cyber ecosystem we’re living and working in, and how it handles data. The cyber highway that stretches from developed to developing nations goes in both directions—our information crosses multiple jurisdictions, and we must trust people and organizations are handling it properly. That highway is controlled by a mix of private and public sector groups with very different political and security objectives. Any message we send is crossing thousands of kilometres and passing through multiple filters and checkpoints that can be monitored, monetized and suppressed. Yikes.

“Think about cyber as business crossing borders. The environment is both physical and non-physical. We’re storing and exchanging data across three layers,” says McCarney. Those layers are physical (hardware, cables, servers, routers), logical (applications, data, protocol), and social (groups and communities using these systems). “We attach rules to each of these,” she explains, “but we don’t always enforce compliance and deal with rule-breakers.”

Delving deeper into the social layer—where most of us spend the majority of our time—there are so many new and powerful actors on the stage that it is hard to stay on top of them. Google, for instance, which didn’t exist 20 years ago, would have revenue comparable to the top seven nations on the planet if it were a country.

She also warned that malware is now more prevalent than legitimate software. “Software companies are struggling and failing to keep up, and each of us are unwitting players in the drama if we use outdated software systems, if we conduct financial transactions over WiFi, if we mindlessly agree to terms of service . . . . We have to be constantly vigilant, otherwise we’re part of the problem. Are we savvy in our professional and personal lives? The algorithms created by these companies are quietly watching us and manipulating our choices without us knowing.”

Yes, we can (But no, we shouldn’t)

Cybersecurity is rife with ethical grey areas. McCarney is adamant that data scientists and officers need more training in data ethics, and that just because we can do something doesn’t mean we should.

“Google can predict outbreaks faster than traditional methods by scrutinizing purchases and search terms. Algorithms can incentivize us to buy things before we even know we need them ourselves. The ability to geolocate and therefore be tracked provides information to those watching us that we wouldn’t knowingly provide. What is the dark side of this openness and immediacy and convenience?” she asks.

“Cyberspace is increasingly regulated and controlled by governments,” she continues. “While many of us still believe in the Arab Spring-inspired idea of the internet as a democratizing force for good, it is often being used as a form of social control and oppression over dissenting voices and popular opinion. As we become uncomfortable with the big tech companies, are we being distracted from the threats from governments?”

Whether it’s facial recognition, voice-activated machines, robotic cleaners or driverless cars, what does all this mean for the practice and the pursuit of law when it comes to privacy, human rights, warfare and our own jobs? After all, experts argue that algorithms could be fairer than human judges at sentencing by removing our emotional biases from the equation. When do we move from trepidation to outright fear?

Fumbling in the dark

McCarney warns that when it comes to the internet, we think we have access to the complete picture but we don’t. The filters and bubbles through which digital information flows serve to reinforce our own beliefs, creating confirmation bias. So how do we take corrective action and create good governance if most of us don’t even understand how this stuff works?

Here are three key threat areas to focus on:

  1. Cybercrime: Gone are the days when our biggest worry was emails from a Nigerian prince. Cybercrime is now tied to serious criminal syndicates, and many organizations have poor or non-existent defenses in place. In addition, machine-learning models are creating more sophisticated messages to entice people to open malevolent emails and attachments. Attacks are growing in scope, focusing not just on individuals but also on entire infrastructure systems, like power grids and health systems. The GDPR, which just came into effect, requires companies doing business in Europe to report data breaches within 72 hours or face fines of up to €20 million or 4% of a company’s local revenues, whichever is higher.
  2.  War: We need to start thinking of cyberspace as a man-made theatre of war, just like air, space, land and sea. This new dimension may lack physicality at first—but what starts in cyber does not always stay there. Cyberattacks on hospitals, financial institutions, pipelines and water purification systems can create real-life damage and disruption. How do we apply the Geneva Convention to these types of scenarios? For example, attacks on schools and hospitals are considered war crimes, and international humanitarian law requires States to punish the perpetrators. But cyberspace provides anonymity. What happens when you don’t know who committed the crime? Do viruses qualify as acts of violence? And at what point is the right to self-defence triggered during a cyberattack?
    These are just a few of the many questions we need to start answering. But creating more law is not the answer. McCarney argues that existing international legal instruments like non-interference in state sovereignty, the international telecommunications union or even civil law are quite robust and can address these threats.
  3. Human rights and the internet: Privacy rights are the portal and gatekeeper to all other human rights. McCarney wonders if we’re normalizing surveillance and counsels that a focus on human rights should be woven into business policies (both existing ones and new ones as they’re developed). She encourages in-house counsel to visit the Freedom Online Coalition for the latest thought leadership in this area.

The path forward

“There is no agreement on definitions of what cybercrime actually is in the international community,” McCarney explains. “In China, online slander could be considered a cybercrime; in other places, that’s considered free speech. If we tried to create a UN convention on cybercrime today, we might actually end up with fewer rights, not more. This is why we have to be careful, and why I don’t believe we need more law.”

She emphasizes that “we have a universal framework already. The Declaration of Human Rights guarantees our right to no interference in our private lives.”

As parting advice, she says, “The increasing range of threats should compel us not to overreact or over-legislate. The importance of the internet for social inclusion compels us to get internet governance right. We do need to develop a system for enforcement and accountability amidst all this. But we need to enable, not disable, and to connect the unconnected and under-connected. I think we’re smart enough to pull it off. I think we can have it all.”

Karen Sadler is the Marketing and Communications Coordinator at the CCCA.

This article was initially published in the Summer 2018 issue of CCCA Magazine.
