International Norms in Cyberspace

CAMBRIDGE – Last month, the Netherlands hosted the Global Conference on Cyberspace 2015, which brought together nearly 2,000 government officials, academics, industry representatives, and others. I chaired a panel on cyber peace and security that included a Microsoft vice president and two foreign ministers. This “multi-stakeholder” conference was the latest in a series of efforts to establish rules of the road to avoid cyber conflict.

The capacity to use the Internet to inflict damage is now well established. Many observers believe the American and Israeli governments were behind an earlier attack that destroyed centrifuges at an Iranian nuclear facility. Some say an Iranian government attack destroyed thousands of Saudi Aramco computers. Russia is blamed for denial-of-service attacks on Estonia and Georgia. And just last December, US President Barack Obama attributed an attack on Sony Pictures to the North Korean government.

Until recently, cyber security was largely the domain of a small community of computer experts. When the Internet was created in the 1970s, its members formed a virtual village; everyone knew one another, and together they designed an open system, paying little attention to security.

Then, in the early 1990s, the World Wide Web emerged, growing from a few million users then to more than three billion today. In little more than a generation, the Internet has become the substrate of the global economy and governance worldwide. Several billion more human users will be added in the next decade, as will tens of billions of devices, ranging from thermostats to industrial control systems (the “Internet of Things”).