Published daily by the Lowy Institute

What the G20 can do to advance cyber norms

Published 24 Aug 2016   Follow @fergushanson

The internet is now so central to the world economy (McKinsey estimates it contributed US$2.8 trillion to world GDP in 2014) that we forget how weak the norms governing behaviour online are. In several areas these behaviours threaten to degrade and limit the internet’s future contribution to global growth.

Happily the G20 has recently begun to weigh in. In 2013, the word ‘digital’ first entered a G20 Leaders’ communiqué (in relation to taxation) and in 2015 its communiqué referenced a wider range of digital issues.

The G20 now has the opportunity to build on some of the progress made in 2015 and expand its engagement into new areas. In the most recent Lowy Monitor, I propose three issues it could usefully grapple with.

1. Commercial cyberespionage

State-led, or backed, commercial cyberespionage is imposing huge losses on business (a US Commission estimated US losses at US$300 billion annually) and threatens to lead to retaliatory sanctions or other disruptive measures such as the authorisation of offensive counter-attacks by the private sector.

In September 2015, China just managed to stave off US sanctions when a presidential-level agreement was reached to cease the practice. The G20 extended coverage of this bilateral deal to all its members when it endorsed the same prohibition against commercial cyberespionage in its 2015 communiqué.

Now that the norm against commercial cyberespionage has been agreed, the challenge for the international community is bringing state practice into line. It is here the G20 could fill a gap, encouraging compliance and maintaining political momentum for advancing the agenda. Although the G20 is not a naming and shaming venue, the Business 20 could report on overall levels of state-led, or backed, attacks with G20 Leaders responding to this in their communiqué. Leaders could also encourage a global body, such as the OECD, to provide regular reporting on state-backed, or led, commercial cyberespionage.

2. Peacetime state cyberattacks

State-led, or backed, cyberattacks during peacetime are also a potent challenge. They can impose huge costs on business and are a threat to civilian life.

Examples are numerous. For the G20, three developments make consolidation of this norm a recipe for chaos and a threat to the global economy. First, the threshold for acquiring offensive cyber capabilities is now so low that most states of a reasonable size can build them and strike back. Second, the growth of the ‘internet of things’ expands an already enormous range of targets. Finally, as the defence of government and critical infrastructure targets is improved, businesses and civilian institutions become the more attractive soft targets, imposing large costs on businesses and civil society.

All G20 states have an interest in winding back this norm. I make a number of suggestions the G20 could consider, including measures to limit the operational freedom of the most egregious global offenders such as North Korea, endorsing various confidence-building measures (CBMs) and, more ambitiously, suggesting members implement domestic arrangements that allow them to sanction individuals or organisations that conduct or support cyberattacks as the US did after being caught unprepared in the wake of the North Korean attacks on Sony.

3. Free flow of data

Restrictions on data flows are another emerging impediment. They increase the cost of doing business, distort markets, and create inefficiencies.

Many states, including several G20 members, have begun to erect impediments to the free flow of data across borders. Data protectionism can take different forms, including requirements that certain data categories (such as those relating to national security or healthcare) be stored and processed domestically, or conditions imposed on the cross-border transfer of personal data. For example, two Canadian provinces mandate that personal information held by public institutions be stored and accessed only in Canada.

This is justified using a range of reasons, most of which are spurious. However, this trend has far-reaching economic effects. Every business with an online presence is potentially affected, for example via increased data storage and processing costs, with multinationals most affected.

While several G20 members engage in data protectionism, limiting scope for wholesale reform, there are a few steps that the G20 could take to help wind back the trend. At an overarching level, the G20 should state a commitment to the free flow of data. To prevent every state developing unique flow-inhibiting standards that apply to its nationals’ personal data, the G20 could also endorse efforts to raise privacy protections to a global standard and extend mutual recognition of laws that reach this standard to achieve interoperability. To ease frictions arising from delays in processing legitimate government requests for data stored abroad (such as in criminal investigations), the G20 could explore options for improved sharing of information among authorities in G20 countries. This could include encouraging members to review domestic processes for handling requests from abroad with a view to improving responsiveness.
