Creating Trust Out of Norms of Behavior
Chris Painter's Daunting Task to Foster Global CybersecurityChris Painter faces a daunting task in facilitating an international consensus on cybersecurity. A major barrier, one Painter suggests can be surmounted, is trust.
As the State Department cyber coordinator - a post created in February (see Schmidt Aide Moves to State as Cyber Chief) - Painter helped shape the Obama administration's international cyberspace strategy introduced this past week by four cabinet secretaries and three senior federal executives at a White House event (see White House Unveils Int'l Cybersecurity Strategy).
One of the seven principles of the international cyberspace strategy is to reduce intrusions into and disruptions of U.S. networks, in part, through engaging not only our allies but other nations as well. Wouldn't that require trust among the nations? But how much trust exists?
A survey of 600 IT and security executives from 14 countries conducted by the public policy institute Center for Strategic and International Studies for IT security provider McAfee published in 2010 showed that the United States was the most feared, followed by China and Russia (see Which Nation is Most Feared in Cyberspace?). A year later, the same survey determined China was the most feared, followed by Russia and the U.S. (see U.S. Threat as Cybervillain Diminishes).
The Chinese are seen as a force behind intrusions into Pentagon systems as well as the digital assaults on Google and other companies known as Operation Aurora. Russians have been blamed for hacking government and business websites in Estonia and the Ukraine. Whether the Chinese and Russian governments were behind these attacks isn't conclusive, but many experts believe they were at least aware and may have endorsed these intrusions.
America isn't off the hook, either. True or not, a widely held belief is that the United States was in cahoots with Israel in planting the Stuxnet worm in centrifuges to cripple Iran's nuclear weapons program.
With these cyber incidents in mind, I asked Painter to assess the level of trust among nations to pursue common goals of safeguarding national networks and what his office needs to do to achieve that trust (see U.S. Initiates Cybersecurity Diplomacy).
Painter didn't directly address trust, but suggested that we need to engage friends and foes alike to determine common consensus of proper behavior on the Internet, which could serve as a foundation of future cooperation on cybersecurity:
"We engage with countries that agree with us and we engage in countries that don't agree with us. ... We try to build a consensus around these norms of behavior, these norms of state actions that build more confidence around this area. We try to come up with confidence building measures."
Norms and trust aren't the same. But agreeing on norms of cyber behavior could help improve the security of the Internet. It's a start.