Here’s an understatement: 2014 was a bad year for cybersecurity. The Sony hack was the highest-profile hack of the year, a cyber-attack against a German iron plant caused massive physical damage, and the Heartbleed vulnerability was considered “catastrophic” even among experts not known to be alarmist. In the meantime, large-scale data breaches hit household names such as Target, Home Depot and JP Morgan Chase, with new reports emerging almost weekly. In the history of cybersecurity, 2014 marks a new low. As 2015 gets underway, news of the insurance company Anthem being hacked suggests cybersecurity is unlikely to improve anytime soon. That’s why conversations in national capitals, boardrooms, international conferences and online discourse feature a growing call to action.
The time is ripe for a bolder approach to cybersecurity, one not beholden to the existing politics of Internet governance nor linked to particular governments or intergovernmental organizations. We believe cyberspace could use a global cyber federation, a federation of non-governmental institutions similar to the role that the Red Cross and Red Crescent movement and humanitarian assistance organizations more broadly have with respect to armed conflicts and natural disasters.
The good news: we do not have to start from scratch. Some of the building blocks for such a system already exist. Back in 1988, when the Internet was the victim of its first serious threat - the Morris worm - a group of people created a Computer Emergency Response Team (“CERT”). These visionaries were not focused on commercial markets or making money; they simply cared about the Internet’s survival. They sought to maintain and protect the security of the network and the systems that rely on it, whether they faced “internal” threats of interoperability and unforeseen errors, or “external” ones from hacktivists, criminal groups, or foreign nation states. Their example inspired others, and today there are dozens of CERTs and CSIRTs (Computer Security Incident Response Teams) established around the world. Many of them are part of a global umbrella confederation dubbed “FIRST.”
The bad news: many of these CERTs and CSIRTs are relatively weak, and their independence is increasingly under threat from other interests. They lack support from policy makers and, depending on the institutional set-up, may be subject to control by national governments pursuing other political purposes (think intelligence collection). Moreover, at the global level, FIRST is not (yet) a mature system capable of directing CERTs to coordinate or cooperate when cyber security problems transcend borders.
From Solferino to Sony
So what does the Red Cross and Red Crescent have to do with the Internet? The Internet and accompanying CERT system could benefit from a set of principles akin to those of the Red Cross and other humanitarian organizations. Having a network of assistance organizations, united in a commitment to independence, neutrality, and impartiality, could strengthen and support existing CERTs and make cyberspace a safer and more secure place than current conflicts and instability allow.
The Red Cross Movement began on June 24, 1859 as the French and Austro-Hungarian monarchs faced off in the battle of Solferino. Touring the streets and fields in the battle’s aftermath, a young Swiss businessman, Henry Dunant, saw, smelled, and heard the cries of the thousands wounded and left to die without care. Appalled, he organized aid work and launched a powerful idea for the future – a group to assist victims and prisoners of armed conflicts. Through his book, A Memory of Solferino, Dunant lobbied for the initiation of national associations to help the sick and wounded and for governments to agree on laws of warfare. Dunant’s work bore fruit in the first Geneva Convention and fed into the emergence of the Red Cross and (in Islamic nations) Red Crescent movement. For his ideas and advocacy, Dunant received the first-ever Nobel Peace Prize.
Today, the International Red Cross and Red Crescent Movement is the world’s most admired humanitarian endeavor. It consists of three interrelated groups: (i) 188 national societies that provide training, assistance, and relief for disasters; (ii) the International Federation of Red Cross and Red Crescent Societies (IFRC), which coordinates the national societies and tackles large-scale crises; and (iii) the International Committee of the Red Cross (ICRC), which focuses on protecting the lives and dignity of victims of armed violence, whether detainees or civilians. This structure means that the Red Cross Movement can not only provide assistance and protection everywhere, but also do so in ways tailored to the problems presented. Thus, national societies organize food, shelter, and medical care after an earthquake, while the ICRC works to visit detainees wherever fighting occurs. Its emblems – the Red Cross, the Red Crescent, and most recently a more secular Red Crystal – enjoy such universal respect that international law prohibits their misuse as a war crime.
The success of the Red Cross and Red Crescent movement – and it has had many – may be traced to several core principles: neutrality, impartiality, and independence. The movement is neutral at its core – it does not become involved in or take sides in crises where it offers its assistance and protection. Such assistance and protection is given impartially, without discrimination or concern for the victim or detainee’s identity or what they may have done before needing help. And it is independent, most notably with the ICRC’s avowedly non-governmental structure, making it beholden to no individual government nor any inter-governmental organization.
Similar to the national societies of the Red Cross and the Red Crescent, CERTs form a growing network of like-minded groups of dedicated individuals, focused on identifying vulnerabilities in cyberspace and assisting in remediating threats when they cause harm. But today’s CERTs do not have anything resembling a coordinating institution like the IFRC, nor a universal set of shared values recognized and appreciated by states and non-state actors alike. Unlike the autonomous national Red Cross societies, some CERTs are regularly assumed to be agents of the states in which they reside, an assumption that may be increasingly accurate as more CERTs are subsumed within governmental structures. As such, there’s no guarantee that CERTs will reveal all vulnerabilities they see; they may keep secret those used by other agencies within their government. Nor is it clear they have a duty to assist all victims, as opposed to only those that their government has an interest in assisting.
Simply put, CERTs and CSIRTs have yet to engender the reputation or trust of a neutral, impartial and independent institution like the Red Cross and humanitarian organizations generally. Nor are they fully equipped to tailor cyber security responses to the nature and scale of incidents. Certainly, some formalized CERT cooperation occurs, primarily at a bilateral or regional level, alongside more robust informal communications. But there is no structure like the International Federation of the Red Cross and Red Crescent Societies to ensure coordination and communication among all national groupings, let alone anything akin to the ICRC, for remediating the most severe cyber events.
Today, CERTs may best be thought of as “digital fire brigades” – a label devised by the European Union’s Agency for Network and Information Security (ENISA). Another initiative, Cyber Green, invokes the language of public health to describe cyber security and the functions of CERTs. These analogies have limitations. Fire brigades, for example, are inherently local organizations that focus on problems of a certain scale; they usually do not have to cooperate transnationally, as most cyber incidents require. As such, fire brigades have little need for values like neutrality and impartiality to explain their functions in the way that Dunant described French doctors “who would do everything that was humanly possible without distinction of nationality” to assist those in need. But, given the current state of cybersecurity, we’d argue cyberspace needs independent, neutral, and impartial organizations to restore trust in the Internet and protect the information technology that increasingly supports critical infrastructure, and through it, human existence.
Whatever their current weaknesses, CERTs could form the basic building block for a Red Cross-like movement in cyberspace. The key lies in generating an appreciation for the benefits of institutionalizing an independent and neutral security and assistance function. Of course, some States may object to creating such an institution; indeed, the United Kingdom and France originally resisted the Red Cross idea as unnecessary or incapable of operating with neutrality. But those States eventually came to appreciate how trusting a neutral actor to provide relief and assistance could better mitigate the harm from wars and disasters than relying on States and their agents to do so. Today, nation states around the world value and support the Red Cross and Red Crescent movement and the humanitarian principles.
Certainly, neither the Red Cross movement nor our metaphor to it is perfect. Sometimes assistance fails to arrive. Red Cross neutrality can be controversial, with questions of whether it should help law enforcement when it comes to war criminals hiding in refugee populations, or whether it should take sides in cases of egregious war crimes or violations of human rights. But the success of the Red Cross rests on principles like neutrality and impartiality precisely because it operates on the assumption that bad things will happen. When they do, it has the trust and status within the international community to step in and make things better for the worst affected. That’s a role that no one plays in cyberspace right now, but one which cyberspace desperately needs. Recognizing the existing norms that guide the CERT community and strengthening them, akin to the humanitarian principles, could be an important start.
The Internet’s Dunantist moment
The time for a Dunantist moment in the Internet’s history has come. The Red Cross was the vanguard of the humanitarian movement. It set up institutions to deal with harms regardless of cause – from tsunamis to wars. It laid the foundation for principles guiding humanitarian NGOs around the world today – humanity, neutrality, impartiality and independence. These principles were first implicitly then explicitly recognized by states as they devised provisions for the protection of humanitarian principles, workers, and organizations. We need the same sort of approach for organizations whose mission is to keep the networks running and to provide assistance in times of cyber crises.
The appalling cyber security landscape of 2015 is obviously a far cry from the Solferino battlefield. Our argument is not that cyber security failures are equivalent to the ravages of war; so far, cyber threats have bruised more bank accounts and egos than people. Nor do we want the Red Cross itself to take on responsibility for cyber security. Nevertheless, we do believe that the principles the Red Cross and humanitarian organizations around the world adhere to and the networked governance structure offer an interesting blueprint to develop a new regime for cyberspace – a global cyber federation. This federation could provide neutral, impartial and independent assistance to the Internet and its users.
To call for independent, neutral, and impartial cyber protection institutions and principles does not mean that governments cannot support these efforts. In fact, many humanitarian NGOs receive government funding. As Dunant pointed out, it is imperative for the success of such a system “to secure the goodwill of the authorities of the countries in which they had been formed, but also, in case of war, to solicit from the rulers of the belligerent states authorization and facilities enabling them to do effective work.” Dunant was not naïve. He expected that future wars would happen and that they would be more lethal than previous ones because of new technologies. He wanted institutions and norms that could deal with these scenarios, and pushed for their establishment in advance, that is in times of peace so as to be ready for times of war and crisis. Dunant insisted on a resilient, global network of assistance. We would like to do the same for cyberspace.
There are obvious open questions and significant obstacles to forming a global cyber federation. For example, law enforcement agencies and intelligence agencies have vested interests in cooperating with CERTs to gain access to new vulnerabilities or to avoid their disclosure where it might undermine ongoing operations. Moreover, governments need CERTs to protect their own networks. Such issues implicate important questions of independence and neutrality. How can existing CERTs become building blocks for a global cyber federation; should they be pushed to more autonomy within each nation, like the Red Cross and Red Crescent societies? Or do we need a parallel system of nongovernmental CERTs? We do not have all the answers. Our point is simpler: to start a conversation about whether and how a global cyber federation could make cyberspace a more resilient and humanitarian human creation. To use Dunant’s words, we hope that “once people begin to think about a matter of such general interest as this, it will lead to reflections and writings by people abler and more competent than” us.
Duncan Hollis is James E. Beasley Professor of Law at Temple University. Tim Maurer is a research fellow at New America. This piece was originally published in New America’s digital magazine, The Weekly Wonk.