Unresolved questions dog international cybersecurity policies

Cyberspace presents international security threats, many that can only be adequately met through international cooperation. But experts say countries around the world are just beginning to work out the complicated questions surrounding international responses to cybersecurity.

In the United States, businesses and government agencies have reported a growing number of sophisticated cyberattacks. In a report to Congress released on Friday, U.S. intelligence agencies said hackers in China and Russia are stealing large amounts of U.S. technological and trade secrets.

Such attacks have national-security and economic implications, James Miller, principal deputy undersecretary of Defense for policy, said at a Center for Strategic and International Studies forum on Monday.

With the United States seeking to retain its dominant role in the world, "It's just a lot harder to do when potential adversaries and others are inside our networks," Miller said.

While repeating DOD policy that a government response to a cyberattack may not be limited to cyberspace, Miller said no one agency, business, or country can secure cyberspace by itself.

For example, he said, the Defense Department uses civilian networks for 90 percent of its Internet traffic, highlighting the need for governments and the private sector to work together.

Miller expressed optimism that China and other countries value existing international trade systems enough to work with the United States to cut down on cyberattacks and espionage.

Besides the relatively new nature of many cyberthreats, one of the reasons that the international community has been slow to develop a strategic cybersecurity framework is because the Internet and other networks are often dually used by both the private and public sectors, the Atlantic Council's Frank Kramer said at Monday's CSIS event.

"The incentives between private sector and governments are different," Kramer said. This makes it difficult to come to a broad consensus on how to protect cyberspace without interfering with privacy, economic innovation, and international jurisdictions.

Martin Libicki, a senior management scientist at the RAND Corporation, said many efforts are undermined by attempts to apply understanding of physical military or security issues to cyberspace.

Cyberspace needs to be understood as a whole different issue, with unique challenges and problems, Libicki argued. Online, tools that can be used for security can easily become double-edged swords. "The same mechanisms that are used to suppress malware can be used to suppress a lot of other things," he said.

Kramer said it is time for governments, businesses, and others to formalize their policies and start moving forward with implementation.

On Monday the Defense Advanced Research Agency announced it would increase cybersecurity research funding by 50 percent over the next five years.

"We need more and better options," said DARPA Director Regina Dugan at an agency event on Monday. "We will not prevail by throwing bodies or buildings at the challenges of cyberspace. Our assessment argues that we are capability limited, both offensively and defensively. We need to fix that."