International Cooperation in Developing Codes of Conduct for Cyberspace
- Keynote speech at the Center for Strategic and International Studies (CSIS)
- Dr. Hans-Peter Friedrich, Federal Minister of the Interior
Ladies and gentlemen,
Thank you very much for your warm welcome. It’s good to be back in Washington. Every time I’m in town, I recall the fantastic years my family and I spent here in D.C. during the early 90s when I served in the Economics Department of the German Embassy to the United States. In the 90s, the Internet was just getting started, and few people were familiar with the concept of cyberspace or worried about cyber security. Now, we can’t imagine a world without the Internet.
Ladies and gentlemen, as you know: Our common cyberspace – meaning global networks of IT systems at data level – has been the driving force behind enormous economic growth over the past twenty years. This great success is based on several factors:
- global communications networks,
- enormous increases in production,
- totally new business models, and
- ever shorter innovation cycles for ICT products.
According to a recent study, half of all businesses in Germany today depend on the Internet in some way. At the same time, we recognize how fast this development continues. We are now standing on the threshold of new levels of networking:
- cloud computing,
- smart grids,
- e-mobility and
are only a few of the new buzzwords. The number of Internet users will also continue to rise: Already two billion people use the Internet today. As networks expand in the BRICS nations, Central and South America, Africa and Asia, soon three billion or more will be online. As global networks and the economic role of ICT and the Internet grow, however, we depend more and more on the integrity and reliability of the data we process and store. And we expect these systems to be available at all times. This is first of all a national task. Germany was one of the first countries to take a strategic position. The main points of our cyber security strategy of February 2011 call for the following:
- First: strengthening protection for critical infrastructures and government IT systems against cyber attacks. Already in 2007 the Federal Government started building the necessary public-private partnership in which government agencies work closely with operators of critical infrastructures;
- The second point of our strategy is protecting IT systems in Germany and increasing public cyber security awareness;
- Third: creating a National Cyber Response Centre to implement our preventive security policy. The aim here is to avoid or minimize damage by providing information as quickly as possible.
- Fourth: establishing a National Cyber Security Council made up of deputy secretaries from the ministries concerned, representatives of the business community, local governments and Internet-related companies. The Council discusses new issues of cyber security, their possible impacts on Germany and what position the Federal Government should take; and
- Finally: a very important goal of our strategy is the close and effective cooperation on cyber security in Europe and around the world.
At the international level, the (Budapest) Convention on Cybercrime in 2001 noted the economic, social and political significance of ICT by making computer sabotage and manipulation a crime. So far, about 30 nations have ratified this Council of Europe Convention, including the U.S. and Germany. However, many countries have not yet ratified. They may think, wrongly, that the Convention only applies to Europe. In fact, however, this Convention is open also to countries that do not belong to the Council of Europe. The fact that so many countries have not ratified the Convention is unfortunate, as we need the global harmonization of criminal law on computers so that we don’t leave any safe havens for criminals. But even if more countries did ratify this Convention, it would not be enough. Instead, I believe the international community must agree to establish an area of security, freedom and justice on the Internet. Understanding cyberspace as an area of security, freedom and justice is in the economic and social security interest of all countries. How can we achieve this cyber security space at the international level? The greatest challenge is probably the different ideological perspectives, already apparent from differences in terminology: for example, "cyber security" versus "information security", "cyberspace" versus "information space". But we should not let ideological differences get in the way; instead, we must try to find where agreement is possible on the basis of shared views. Fortunately, there already seems to be consensus on a number of key points: Due to our dependence on information and communications technologies, IT failures are seen as a threat everywhere in the world. I also expect the constructive discussions and input of
- the G8,
- the OSCE and
- the cyber conferences in London and Berlin last year to be very useful for the further process.
We should also note the Russian/Chinese strategies for international information security:
- the Russian draft convention of Yekaterinburg and
- the draft International Code of Conduct for Information Security signed by China, Russia, Tajikistan and Uzbekistan.
Both indicate that a process of discussion has begun in these countries. Due to the differences in our societies and political systems, I of course do not agree with all of their positions. But the most important nations on earth are focusing on the problem of ICT dependence. This makes clear that we should work together to find solutions. So I welcome the founding of the UN Group of Governmental Experts on Cyberspace, which will begin seeking common solutions this summer. Germany will also participate in this process, and I am positive about opportunities to find a common denominator at the international level. As we know, security in cyberspace does not stop at national borders. Despite our ideological differences, all nations could achieve consensus in the following areas:
- economic prosperity and protection against crime,
- politico-military stability,
- the desire to reduce the digital divide between developed and less-developed countries,
- human rights, and
- state responsibility for actions launched from their own national territory.
In formal terms, I could imagine starting with a politically binding, widely accepted soft law codex for norms of state behaviour in cyberspace. As Interior Minister who is responsible for homeland security, I spend a lot of time dealing with the existing threat of cyber attacks, which can also come from outside the country, whether launched
- by criminals,
- patriotic hackers or
I am also thinking of the legal aspects of options for averting such threats. The key to greater collective security lies in international law. But the details have not yet been completely discussed. International cooperation is crucial when it comes to
- secure and predictable activities in cyberspace;
- transparency and measures to build trust and security;
- fighting crime;
- keeping IT systems available and ensuring the confidentiality and integrity of data and networks.
In terms of structure, I imagine a cyber commitment open to all states, in the following form: In compliance with international law and basic, effective elements of the Council of Europe Convention on Cybercrime, states could agree on further general principles that apply to cyberspace, such as
- peaceful use
- a culture of cyber security
- availability, reliability, integrity, authenticity
- an obligation to protect critical infrastructures
- an obligation to fight malware as well as criminal and terrorist misuse
- a right to self-defence
- cooperation among states in finding out who is responsible for cyber attacks.
Based on these principles, a series of concrete, trust-building measures and cooperation mechanisms could then be developed, such as
- building a network of contacts for crisis communications
- creating early-warning mechanisms and improving cooperation between computer emergency response teams (CERTs)
- sharing national strategies, white papers and best practices
- building capacities in less-developed countries
- making critical infrastructures more resilient in view of cross-border dependencies, and so on.
In this respect, Germany is also helping with current efforts by the OSCE and the UN, especially when it comes to the urgent question of global agreement on a collective security mechanism. The meeting of the UN Group of Governmental Experts in August of this year is a first milestone in this regard.
When it comes to preserving, protecting and strengthening global cyberspace and its benefits, state action is desirable and unavoidable – just as in the physical world. The U.S. and Germany could propose the necessary norms, with the aim of reaching rapid global agreement on a common denominator. Further discussion of Internet policy with countries that do not share our understanding of freedom would be a separate chapter; these are questions that require discussion over the long term. Now we should tackle the current challenges according to the Eisenhower Principle, that is: Working for agreement soon on norms of state behaviour in cyberspace with a collective security mechanism in areas where consensus is possible. The first important steps have already been taken. International dialogue is under way; now it needs to be focused on achieving rapid results. The U.S. and Germany are already working closely together on important aspects of cyber security, including
- cyber security awareness,
- participation in exercises,
- CERT collaboration and
- very importantly, cooperation in international forums devoted to cyber security, such as the IWWN (International Watch and Warning Network) and the G8 working groups.
The Federal Government of Germany is very grateful to the United States for this trusting and effective cooperation. I am positive that we will be able to further strengthen this cooperation. Resolving these urgent political and diplomatic issues of cyber security is in our common interest. I am convinced that common action will lead us to shared success.
Thank you very much.