Food for Thought: "Rules, Resources and Expertise: Gearing Up for the Digital Age"
Do we have an adequate security strategy for the digital age?, asks MSC chairman Wolfgang Ischinger in our new Monthly Mind column on the occasion of the 4th MSC Cyber Security Summit on September 19/20 at Stanford University.
A cyberattack cripples sections of the Ukrainian electrical grid. Intruders penetrate the German Parliament's IT system and steal sensitive data. Hackers manipulate the election databases in several US states – and threaten to plunge the entire Presidential Election into chaos.
These scenes are no longer merely the stuff of science fiction novels, but real-world incidents of the past months. And what we have witnessed in the recent past is only the tip of the iceberg. We are in the middle of a digital arms race, with a diverse weapon arsenal.
What does this mean for our security? It would be an exaggeration to say that we are in the middle of a full-scale cyberwar. But we have to be aware of the fundamental changes in the nature of today's conflicts as a consequence of the opportunities offered in the cyber realm: The barriers to entry for a "cyber warrior" are comparably low. Massive damage can be caused with little effort only. Aggressors can conduct attacks for which the responses remain uncertain. The lines between peace and war are becoming increasingly blurry. And: often times, it remains unclear who was behind an attack – and if it was state-sponsored or not. In short: after "weapons of mass destruction," we are today faced with "weapons of mass disruption" in cyberspace.
Fortunately, terrorist groups such as ISIS have not succeeded in inflicting major damage through cyberattacks yet. But they have also discovered the opportunities the digital world offers for themselves. Whether it is recruiting new members, spreading its propaganda messages, or communicating internally – a large part of ISIS' success is based on its digital strategy. As early as 2014, the head of the UK's GCHQ intelligence service called social networks the "command-and-control networks of choice" of groups such as ISIS. In order to destroy these, US Secretary of Defense recently gave the US Cyber Command "its first wartime assignment", as he himself called it.
This confronts us with critical questions: Do we have an adequate security strategy for the digital age? Are we doing enough to protect us from the threats that it poses?
Particularly in three areas, a lot remains to be done: When it comes to rules, resources and expertise.
A major challenge lies in underpinning the developments in the field of cyberwarfare with an international framework of rules. Clearly, in order to keep the threats from cyberspace under control, international law has to apply to the online and offline world. Some progress in the quest for international norms has been made, but, so far, there are very little international rules addressing or governing cyberwarfare as such. Therefore, we urgently need to find common responses – in Europe and worldwide.
Besides international rules, we also need concrete measures of protection on the national level. Implementing these requires sufficient financial and human resources. Many countries are significantly scaling up their cyber budgets already: The British government has announced that it will nearly double its expenditure on cybersecurity over the next five years. For the 2017 US budget, President Obama proposed 19 billion US dollars in federal cybersecurity expenditures. These are the orders of magnitude in which Germany must think as well. The recently announced investment plans by the Federal Intelligence Service BND and the Federal Office for the Protection of the Constitution are steps in the right direction. The German Defense Ministry's announcement to complement the German Army with a cyber force and to massively scale up the number of cyber experts in the Ministry is an important signal as well. But we should see these measures as the beginning of our adaptation to a new age, not as a final response.
A top priority should be the training and recruitment of specialists. We will fail to implement even the best plans for new cybersecurity structures if we do not manage to attract IT and software specialists, developers and programmers who are able to follow through. One of the key questions will thus be how to inspire an interest in German military or public service among younger people who are not necessarily interested in security and defense policy – and how to combine their lateral entry with Germany's complex public service legislation.
The demand for qualified workforce also illustrates a third major challenge: In many respects, politicians do not have the necessary expertise in the field of cyber security. Many politicians do not understand the language of IT professionals, while they in turn are often times rather apolitical. This is why we need interpreters, or even better, bilinguals! We do not only need more cyber experts in our political institutions, but also an extensive cross-sectoral dialogue. Only by ensuring a close collaboration between politics and the military, science and the business sector, we will be able to successfully meet the challenges of the digital age. In order to promote this exchange, the Munich Security Conference is regularly bringing together decision-makers and experts from these fields – as was the case on 19 & 20 September at the MSC Cyber Security Summit in Silicon Valley, organized together with Deutsche Telekom and hosted by Stanford University.
Rules, resources and expertise – the big task for politics must be to peacefully ramp up our efforts in these three areas. Only then can we minimize the potential risks of cyberspace as much as possible, and at the same time realize the numerous opportunities offered by a free, open and secure Internet.
Wolfgang Ischinger is chairman of the Munich Security Conference (MSC) and teaches international politics at the Hertie School of Governance. This article was published on the occasion of the MSC Cyber Security Summit Stanford on 19/20 September 2016. It first appeared as a German version in the news magazine "Focus".