Given the deluge of reporting on cyber attacks splashed across the headlines, it is natural to throw up one's hands in exasperation, or even to seek a higher power. James Lewis of the Center for Strategic and International Studies, for example, has said, "We have a faith-based approach [to cybersecurity], in that we pray every night nothing bad will happen." Indeed, in just the past few months, it has come to light that nearly half of U.S. adults have been hacked, and the U.S. is not alone. A disgruntled contractor stole the names, credit card information, and social security numbers for nearly half the population of South Korea. China also suffered one of the largest cyber attacks in history last year. In all, cyber attacks have been estimated by McKinsey & Company to cost some $3 trillion in lost productivity by 2020. Still, some individuals, such as Professor Joseph Nye, Jr. and Secretary General of the International Telecommunication Union (ITU) Hamadoun Touré, and organizations, such as the Vatican's Pontifical Academy of Sciences, have called for an approach beyond prayer. They have challenged the international community to consider the meaning of cyber peace at a time of seemingly endless and escalating cyber conflict.
Defining and fostering cyber peace is no easy feat; in fact, it has been said that "achieving and maintaining cyber-peace can be as demanding as starting a cyberwar." What seems clear, though, is that cyber peace is not the absence of attacks or exploitations, an idea that could be called negative cyber peace. Rather, it is the creation of a network of multilevel regimes working together to promote a global, just, and sustainable cyber peace by clarifying the rules of the road for companies and countries alike to help reduce the risk of conflict, crime, and espionage in cyberspace to levels comparable to other business and national security risks. Working together, we can stop cyber war before it starts by laying the groundwork for a positive cyber peace that respects human rights, spreads Internet access along with cybersecurity best practices, and strengthens governance mechanisms by fostering multi-stakeholder collaboration to help engender a global culture of cybersecurity.
Some have argued that achieving cyber peace requires globalizing cybersecurity, along with Internet governance, which is currently the responsibility of numerous stakeholders from the Internet Corporation for Assigned Names and Numbers (ICANN), which is a California-based non-profit responsible for matching IP addresses with domain names, to the Internet Engineering Task Force and the Internet Governance Forum. But instead of focusing on a single path to cyber peace, such as a new cyber arms treaty that would face difficulties ranging from politics and enforcement to even defining what constitutes a "cyber weapon," it may be more worthwhile to consider utilizing a range of technical, legal, political, and economic tools potentially couched within a polycentric framework. This is a multi-level, multi-purpose, multi-type, and multi-sectoral model developed by scholars including Nobel laureate Elinor Ostrom and Professor Vincent Ostrom that challenges orthodoxy by demonstrating the benefits of self-organization and networking regulations to address common problems such as cyber attacks. Among its many applications in this space is the finding that "a single governmental unit" is often incapable of managing "global collective action problems" such as climate change, or potentially, cyber attacks. Instead, a polycentric approach recognizes that diverse organizations working at multiple levels can create different types of policies that can increase levels of cooperation and compliance, enhancing regime flexibility and adaptability. Consequently, a top-down approach focused on a single treaty regime or institution could crowd out innovative bottom-up best practices developed organically from diverse ethical and legal cultures.
Active and important debates are ongoing about what is the best that we can reasonably hope for in terms of "peace" in cyberspace. But even though a grand Internet governance and cybersecurity bargain looks unlikely in the near term, concrete steps may be taken now to reduce cyber risk to all parties while raising the cost to attackers. These include the cyber powers creating a "Cybersecurity Forum," similar to the Major Emitters Forum in the climate change context, which could begin by clarifying norms to secure critical international infrastructure such as the global financial system, air traffic control, and the energy sector. Sanctions and countermeasures could be levied against nations and private organizations that launch cyber attacks against these or other critical systems. Legal assistance treaties could be strengthened and forums created to help prosecute attackers when national courts are unable or unwilling to exercise jurisdiction. Cybersecurity could also become more central in trade and bilateral investment treaty negotiations so as to better protect trade secrets, which may be occurring in current U.S.-China discussions. Stakeholders could even make effective anti-malware and anti-spyware tools available for free along with open source encryption technologies to better safeguard private data, which would have the added value of helping to rebuild the reputations of U.S. technology firms that have been tarnished in the wake of disclosures from former Booz Allen systems administrator Edward Snowden. None of these suggestions is a magic bullet, but together they can begin the process of building a positive, global culture of cyber peace. Engaging in a constructive dialogue is critical to harmonizing divergent approaches to governance and reaching a middle ground between Internet sovereignty and freedom that both respects human rights and secures vital systems. Though a little prayer couldn't hurt, either.