27 November 2012
Increasing government, military, and industry reliance on the cyber domain has incentivized cyber crime and heightened the cost of internet disruptions. Many vulnerable states—such as Romania and Bulgaria—want to reduce cyber crime within their borders but lack the political will necessary to allocate sufficient funds. Current U.S. policy emphasizes unconditional assistance for vulnerable U.S. allies. This approach, however, discourages these states from prioritizing cybersecurity in their budgets and ultimately increases Washington’s fiscal burden for fighting cyber crime.
To encourage vulnerable states to prioritize cybersecurity, NATO should create and administer an international Cyber Grade Framework (CGF). The primary purpose of this program is to help establish and implement rigorous international cybersecurity standards to hinder the operation of cyber crime and hacktivist groups, while more efficiently using current U.S. aid to produce greater cyber resiliency amongst its allies. The CGF would not require an increase of funding, but simply a more efficient reallocation of existing cybersecurity funds.
The CGF is based on the Thornberry Cybersecurity Task Force private-sector incentive model that seeks to encourage industry to adopt greater cybersecurity standards absent the existence of government mandates. At the international level, this model is the best approach for generating better cybersecurity standards given the political obstacles confronting compulsory international regulations. Participating states would be awarded grades based on the quality of their cybersecurity infrastructure. States that adopt a grade’s requirements would receive a set of associated incentives increasing incrementally with each security grade attained. They include access to: (1) law enforcement cyber training programs; (2) NATO cyber rapid reaction teams; (3) limited technology transfer; and (4) intelligence sharing. In addition to encouraging participating states to make cybersecurity a priority, this policy would strengthen their ties with the international community, creating a more secure global network.
All states, even those not participating in the CGF, would receive baseline assistance from NATO. A team of independent cyber analysts would complete a complementary assessment of the state’s network vulnerability and the cost of intellectual property theft to the national economy. Additionally, those states would be permitted limited access to CGF cybersecurity conferences.
States participating in the CGF would be granted Grade One status, the lowest of three possible grades, if they increase their cybersecurity R&D budget by 10 percent for five years. The corresponding incentives would include unlimited admittance to CGF cybersecurity conferences and access to law enforcement training programs. The aim of Grade One is to promote global innovation and rapidly enhance states’ network capabilities.
Grade Two is intended to facilitate intelligence sharing and install basic law enforcement/extradition standards to allow international cybersecurity cooperation. To achieve Grade 2, states must comply with the CGF’s security breach notification regulations and minimum extradition guidelines for cyber criminals. For states that achieve Grade Two, NATO would provide rapid reaction cyber teams following cyber incidents involving critical infrastructure, intelligence sharing, and limited technology transfer.
The purpose of Grade Three is to promote cooperation between cyber law enforcement teams and military units to increase network resiliency and reduce incident response time. Grade Three states must create a cybersecurity branch of law enforcement, including a Computer Emergency Readiness Team and engage in joint personnel training with other Grade Three states. As an incentive, states would be given the option to participate in joint military exercises with other Grade Three states and would have expanded access to NATO rapid reaction cyber teams.
NATO would administer and enforce the cybersecurity private-sector framework through a compliance organization modeled after the IAEA. This model was selected because of its applicability to a sensitive industry critical to national security. States intending to join the oversight organization must achieve one of the three cybersecurity grades and obtain a two-thirds vote from the General Conference and the North Atlantic Council.
The CGF has a number of advantages over the United States’ current cyber security policies, including:
- Cost Effectiveness: Rather than simply providing free technology transfers to help states update their cybersecurity systems, this policy requires states to make cybersecurity a domestic budget priority. Many of the costs of research and installation would be borne by participating states, while NATO would provide the expertise necessary to ensure the most effective practices and infrastructure are used.
- Promotes International Innovation: All member states would invest in R&D, ensuring the United States and other key cyber powers will not be the only states developing new methods and technologies.
- Enhances International Cybersecurity Norms: Currently international cybersecurity norms regarding cyber criminals and hacktivists are absent or vague. Implementing this framework would clarify and bolster these norms, allowing NATO to hold states to an international standard and encourage international cooperation on cyber crime issues.
- Increases Network Communication Speed: In order to reach the highest cybersecurity grade, states must participate in joint training to facilitate intelligence sharing, early warning systems, and joint cyber operations. Joint personnel training would decrease response time and increase resilience of member states’ networks.
Cybersecurity is vital to preserving stability in the financial sector, military readiness, and critical infrastructure. States must rapidly advance their cybersecurity capabilities to keep pace with growing challenges. Most states are currently at dramatically different levels of cyber capability, impeding their ability to communicate and participate in joint operations. The CGF would encourage states to prioritize cybersecurity in their budgets and meet voluntary regulations to receive security incentives. This proposal fosters innovation and facilitates the transition to a higher level of cybersecurity, cooperation, and law enforcement capability. The advancements from the CGF will create more secure global networks, capable of confronting a critical 21st century threat.
The CGF proposal is the product of the Project on International Peace and Security (PIPS). PIPS is a undergraduate think tank at the College of William and Mary that is rooted in the belief that the creativity and energy of undergraduates, when guided by faculty and members of the policy community, are untapped resources that can make original and meaningful contributions to national security debates. Emily Pehrsson was a 2011-2012 PIPS Research Fellow and is currently a senior at the College.
This article was originally published in the Diplomatic Courier's November/December 2012 print edition.