"An open internet is the only way to support security and prosperity for all," said UK Foreign Secretary William Hague at this morning’s session of the Budapest Conference on Cyberspace. Notably, although he calls for “a new international consensus on rules of the road,” he continues, “We are not calling for a new Treaty between governments which would be cumbersome to agree, hard to enforce and too narrow in its focus.” (Emphasis added.) That is the policy challenge, isn’t it. Stewart Baker, among others, often asserts that such treaties are not the way to go. But how do we agree on rules in cyberspace that are enforceable and adaptable to a dynamic environment?
Secretary Hague’s entire speech follows, as provided by the Foreign & Commonwealth Office:
I congratulate the Government of Hungary for hosting this conference. Prime Minister Orbán, Hungary has provided important leadership to maintain the momentum from the London Conference on cyberspace, and I also thank the Korean Government for agreeing to build on our efforts in 2013.
We are here to address one of the greatest global and strategic challenges of our time: how to preserve and expand the benefits of the digital age.
We should never be pessimistic about this. The internet has been an unprecedented engine for growth, for social progress and for innovation, across the globe and in all areas of human endeavour.
But there is a darker side to it, and in the United Kingdom we believe it is time to shine a strong light on those shadows.
We are calling for a new international consensus on rules of the road to guide future behaviour in cyberspace, and to combat the worst abuses of it.
We are not calling for a new Treaty between governments which would be cumbersome to agree, hard to enforce and too narrow in its focus.
Instead, last year I proposed a set of seven principles as a basis for more effective cooperation between states, business and organisations. These are:
• The need for governments to act proportionately in cyberspace and in accordance with international law;
• The need for everyone to have the ability to access cyberspace, including the skills, technology, confidence and opportunity to do so;
• The need for users of cyberspace to show tolerance and respect for diversity of language, culture and ideas;
• The need to ensure that cyberspace remains open to innovation and the free flow of ideas, information and expression;
• The need to respect individual rights of privacy and to provide proper protection to intellectual property;
• The need for us all to work together collectively to tackle the threat from criminals acting online;
• And the promotion of a competitive environment which ensures a fair return on investment in networks, services and content.
There are three reasons why we believe this remains an urgent, unavoidable and essential task.
One is that cyberspace is emerging as a new dimension in conflicts of the future. Many nations simply do not yet have the defences or the resources to counter state-sponsored cyber attack. If we do not find ways of agreeing principles to moderate such behaviour and to deal with its consequences, then some countries could find themselves vulnerable to a wholly new strategic threat: effectively held to ransom by hostile states.
The second, and currently much larger threat, is from organised cyber crime. It has never been easier to become a cyber criminal than it is today. It is now possible to buy off-the-shelf malicious software, designed to steal bank details, for as little as £3,000, including access to a 24-hour technical support line.
As Foreign Secretary I see frequent evidence of deliberate and organised attacks against intellectual property and government networks in the United Kingdom.
Earlier this year, a well-protected international company was breached via a foreign subsidiary. Hackers used a spear-phishing email attack to gain access to the subsidiary’s network. From there, they stole many thousands of passwords, including those for the parent company’s file servers. From that file server, they were able to steal 100GB of the parent company’s sensitive intellectual property, roughly equivalent to a document made up of 20 million pages of A4.
In another case, a large international manufacturer was targeted during a period of negotiation with a foreign government. We do not know how the company’s networks were initially penetrated. But the company later identified that the hackers had accessed the accounts of the company’s entire leadership team during the negotiations. Their significant commercial interests were clearly threatened by this loss of confidentiality.
Attacks of such scale and severity continue to compromise many millions of pounds of investment in research and development, damaging a company’s ability to defend its Intellectual Property Rights and wiping away years of sensitive negotiations and commercial positioning. If these attacks are left unchecked they could have a devastating impact on the future earning potential of many major companies and the economic wellbeing of countries.
These attacks are not aimed solely at commercial organisations. This summer one particular group targeted over 200 email accounts at 30 of the UK’s 47 government departments, in a single attack. They too sent a spear-phishing email with a malicious attachment which, if opened, would install malware on the user’s machine. Without good protective security the attackers might have gained unfettered access to sensitive government information.
Such attacks are criss-crossing the globe from North to South, East to West, in all directions, recognising no borders, and with all countries in the firing line.
In the UK we are determined to remain a world leader in cyber security. We want our country to be a pre-eminent safe space for e-commerce and intellectual property online. We are significantly increasing our cyber capabilities and have committed an extra £650 million of government funding over a four year period. We successfully defended our core networks against a range of threats throughout the Olympics and Paralympics, working seamlessly across the government and private sector to do so.
And last month we shared for the first time detailed information about cyber attacks against British companies with the CEOs of our major firms, launching new guidance for British businesses developed with our Security and Intelligence Agency GCHQ, to help them to comprehend the scale of the problem and to secure their networks.
But some countries lack the infrastructure and expertise to police their cyberspace and we need to do more to increase the capabilities of others. Cyber criminals and terrorists should have no refuge online, just as they should have no sanctuary off-line.
I can therefore announce today that the UK is developing a new Centre for Global Cyber-Security Capacity Building in the United Kingdom, and we will be investing £2m a year to offer countries independent advice on how to build secure and resilient cyberspace, improving co-ordination and promoting good governance online.
This practical initiative will help close the gap between supply and demand for capacity building and to ensure we make better use of the skills and resources available internationally. My colleague Francis Maude will discuss the full details of this announcement shortly.
I also welcome the work that has been done since the London conference on creating a framework of norms to help reduce the threat of conflict in cyberspace, in the OSCE, in the ASEAN Regional Forum and at the UN. We need to be able to communicate in this area with more than just our closest allies. As the importance of cyberspace grows and the threats are magnified we will all need cyber hotlines to each other.
A great deal can be achieved through relatively simple measures such as improved crisis communications, greater cooperation between national computer emergency response teams and collaboration on tackling e-crime and responding to cyber attacks.
These two reasons of crime and state sponsored cyber attack should be reason enough for states to come together. But there is a third factor, in itself part of the problem, which makes our task more urgent. This is the growing divergence of opinion and action between those countries seeking an open future for the internet and those who are inching down the path of state control.
We believe that it is not simply enough to address economic and security threats on the internet without also taking steps to preserve the openness and freedom which is the root of its success.
We see growing evidence of some countries drawing the opposite conclusion. Some appear to be going down the path of state control of the internet: pulling the plug at times of political unrest, invading the privacy of net users, and criminalising and legislating against legitimate expression online.
We are all aware of the countries where YouTube is permanently blocked as are webpages mentioning ‘democracy’ or ‘human rights’. In some countries the websites of human rights organisations have come under cyber attack themselves. Some countries are considering going down the route of building their own national, ghettoised internets for a variety of reasons. And following the Arab Spring, we see growing numbers of people ending up in jail for blogging and tweeting about issues we would consider to be legitimate political debate and freedom of expression.
We believe that efforts to suppress the internet are wrong and are bound to fail over time. Governments who attempt this are erecting barricades against an unstoppable tide, and acting against their own long term economic interests and their security. This debate needs to be part of international efforts to protect the future of cyberspace.
We accept that no country has a perfect record. And we are under no illusions about how difficult these issues can be when they flare up as crises, even in established democracies.
The protests around the world against the anti-Islam trailer were a compelling example of this. This was a contemptible piece of work, designed to provoke outrage and we deplore the fact that innocent people died in the violence that followed.
But democratic governments must resist the calls to censor a wide range of content just because they or others find it offensive or objectionable. If we go down that path, we begin to erode the hard won rights of freedom of expression. We will always argue that it is necessary to err on the side of freedom.
So in the United Kingdom we aspire to a future cyberspace that is characterised by openness and transparency. A future where safe, trusted and reliable access to the internet is the norm irrespective of where you are born, in which we are able to harness the power of new technologies to close the digital divide, to spur growth and innovation, to protect cultural diversity and to increase accountability and transparency. A future where the flow of business and ideas drives down barriers to trade and increases choice for citizens. A future where human rights are respected online as well as offline. And a future where cooperation between nations makes it harder for people to abuse the internet for crime, terrorism, cyber attack or political ends. This is what we hope the process begun in London and taken forward in Budapest and Korea can take us closer to agreeing.
And we will do all we can in Britain to support such agreement: promoting the social and economic benefits of the internet and human rights and freedom online; developing our own skills, capabilities and defences at home, sharing that expertise with others abroad, and working with our allies to help win the argument that an open internet is the only way to support security and prosperity for all.
CHECKED AGAINST DELIVERY
Foreign Secretary speech at the Budapest Conference on Cyberspace