The United States and the European Union announced plans to join the Paris Call, an international effort to combat cyberthreats endangering citizens and infrastructure.
Established in November 2018 and supported by 80 international states and more than 700 private enterprises, the Paris Call is based around nine common principles—from protecting the internet to defending the electoral process—to secure cyberspace. These nine principles act as areas for discussion and action.
Lisa Plaggemier, interim executive director at the National Cybersecurity Alliance, said even before the widespread breach-driven news cycle of 2021, cybersecurity has long been an interconnected and global issue—it just hasn’t been particularly acknowledged as such.
“The fact of the matter is that our entire business world is incredibly interconnected, and that isn’t going to change anytime soon,” she said. “Sure, Berlin or Tokyo may be thousands of miles away, but gone are the days when physical security was the number-one security concern.”
She said instead, due to our interconnected way of life, a hack on a piece of critical infrastructure in Los Angeles can have far-reaching consequences for the entirety of a business’s—or a government’s—operations.
“Simply put, without global collaboration and a clear strategy, untangling breach instances—let alone preventing them altogether—becomes much, much more challenging,” Plaggemier said.
No Geographic Limits
Ross Rustici, managing director at StoneTurn, a global advisory firm, agreed, pointing out cybersecurity cannot solely be tackled domestically.
“There are no geographic limits to the activity a malicious actor can conduct which means the traditional, geographically bounded approach to law enforcement simply does not work,” he said. “The FBI has no jurisdiction over threat actors in Canada, the UK or Russia.”
Rustici said that without the cooperation of those governments, laws that align on what constitutes illegal online activity, and robust extradition, cybercriminals can conduct their activity with virtual impunity.
“The international community needs to harmonize their legal interpretations of protected data, what type of evidence and collection methods are admissible in court and what constitutes a violation of criminal statutes vis-à-vis online activity,” he said.
Plaggemier noted the Paris Call’s nine common principles serve as a good summation of the areas the international community should generally be focused on.
“It is good to see that both ‘traditional’ priorities such as general internet security are listed alongside more emerging challenges such as election security,” she said. “But the proof will, of course, be in how we actually set out to accomplish these goals and, ultimately, how effective we are in doing so.”
Plaggemier pointed out there are numerous smaller-scale international cybersecurity collaborations already doing great work today, such as OmniSOC, ISSA and many others.
However, without large-scale coordination, these groups can only tackle so much, which she says is why agreements such as the Paris Call are so important.
“There, of course, is a healthy dose of cynicism out there about how much this initiative and others like it can ultimately achieve,” she said. “And while it is true that actions are what really matters here, we would be remiss to ignore the sea change that is slowly occurring within the global cybersecurity community surrounding the importance of collaboration—which has been lacking in years past.”
A Huge Step Forward
She called the acknowledgement alone a “huge step forward” that would be incredibly helpful in shaping the cooperative cybersecurity landscape that is needed to address the challenges we face.
“Despite being late to the party, it is great to see the U.S. government signing on to the Paris Call,” Plaggemier said. “The U.S. is one of the world’s biggest technology and business markets, so the more we can engage with ‘cyber do-gooders’ in both the public and private sphere, the better.”
She pointed out cybersecurity is not just a public or private sector problem and, therefore, to really put the most comprehensive plan in place there needs to be a constant effort to build bridges between both worlds.
“The cybersecurity landscape is rapidly changing due to a variety of factors, so the opportunity is ripe for the U.S. to lead by example,” she said. “By continuing to build partnerships and modernizing both our technical and human cybersecurity infrastructure, we can do just that.”
Rustici added there needs to be “significant up-leveling” of capabilities to discover, analyze and prosecute cybercriminals.
“There is a significant amount of work that will require unparalleled coordination and harmonization between countries and, as such, it will take a long time to get to a point where results are visible,” he said. “The biggest role the U.S. can play is in technical training for other law enforcement agencies.”
He explained the U.S. government lags in terms of privacy considerations, and the nature of its military and espionage programs also makes it harder to take a moral leadership role around network defense initiatives.
“Additionally, most of the major successes in terms of combatting cybercrime have been run through Interpol due to the location of the criminals,” he said. “Supporting that established institution and providing technical assistance is the best near-term solution for the U.S. to provide leadership.”
Beyond that, Rustici said leveraging its large bureaucracy to help staff, support and push the diplomatic and regulatory efforts could also greatly aid an Atlantic consensus on this activity.
“The U.S. cannot do this alone, and for reputational reasons cannot be seen as the primary driver in a lot of respects,” he said. “This must be a coalition effort of peers to make real, substantial progress.”