There is general consensus all over the world that coordinated and serious attention needs to be given towards responding to cyber attacks. Malevolent cyber activities have become a growing threat.
Cyberattacks are posing a number of challenges, both technical and political. Many countries are also discovering that they lack the required cyber and intelligence capabilities, and the political and administrative processes necessary to properly attribute cyberattacks. In addition, it is also becoming clear that attribution of such attacks remains a political decision for national leaders. It has also become evident that like most foreign policy decisions, the connotation of attribution to a great degree is directly and indirectly influenced by varied geo-political considerations. It is also apparent that in some regions, like the European Union or Southeast Asia, some decisions will require collective action and unanimity. For this to happen, the first step will have to be towards upgrading information sharing and the creation of what is now popularly known as the Cyber Diplomacy Toolbox.
There is now general consensus all over North America and also Australia and the countries of the Far East that all countries that are slowly moving into the digital paradigm need to take the necessary steps to strengthen their cyber capabilities, both defensive and offensive. It is also understood that such measures will require investment not only in human and technical capacities but also in the creation and updating of internal procedures. This step will enable personnel involved with cyber security to be also associated with the political decision-making process. This requirement will be very sensitive and challenging. However, every country in question will have to take these steps before attributing cyber attacks or adopting subsequent action in the form of possible sanctions against the institution or country in question. The possibility of use of sanctions will also have to be wielded carefully, based on strong compelling evidence. Mere allegation or indictment might not help.
Strategists, in this regard, have also highlighted that cooperation with the private sector and with international partners needs to be pursued.
It has been pointed out by political analysts in this regard that the EU is bound to end up facing several constraints after Brexit has come into full operation. Both the EU and Britain have been mentioning continued cooperation in many areas of national governance. However, till today, it is very vague whether such cooperation will tackle the question of cyber security in all its dimensions. Both parties need to realise that they will need to set up enhanced paradigms of cyber security cooperation and also further develop EU-NATO cooperation within this dimension.
It needs to be noted here that geo-political tensions currently existing in several socio-economic political arenas — between Russia and the European Union, between the USA and Russia, between the USA and China, between India and China, between the USA and Iran, between North Korea and a few adjacent countries and also between some other countries in the Middle East — are creating their own repercussions and anxiety.
It is consequently being suggested that the post-pandemic world will need to seriously consider investment in confidence building measures, in the creation of norms at the UN level. In addition, there is also the need to convene global, regional and bilateral cyber dialogues pertaining to the identifying of the least common denominators regarding cyberspace.
This format needs to be pursued because attributing cyber attacks or adopting sanctions to another country or an institution can potentially worsen relations with the other party.
It needs to be remembered that acting together would permit States to be more credible. It will also help to send a stronger message. By responding to cyber threats as a united actor, countries will be better placed to defend their security, their political and economic interests. It will also further augment their credibility as international actors.
We might not like it, but breakdown of cyber security has begun to affect the proper functioning of several sectors in many countries. This has been apparent all over the world, including several sub-regions in South Asia. In some cases, we have noticed malicious cyber hacking leading to hospitals being forced to cancel their operations, factories temporarily shutting down and global companies being put offline by some of their competitors. This has led to affected institutions incurring huge losses. Unfortunately, this development has become an unwelcome reality.
Digital hacking through cyberspace is not constrained because of geographical borders. It can, and does, compromise ICT systems and can result in massive damage.
Cyber security incidents have become a daily occurrence. In this context one needs to recall the osmotic effect of the two massive global cyberattacks in 2017 that affected Europe as well as several other international institutions and infrastructures.
The WannaCry ransomware attack in May 2017 quickly spread around the world, encrypting data and demanding ransom payments in the cryptocurrency Bitcoin. It was subsequently estimated that it possibly affected more than 300,000 computers across 150 countries, causing between USD 4 and 8 billion worth of damages. Carmakers Renault, Nissan and Honda were severely affected by the attack and were forced to reduce and in some cases even stop production at a number of production sites in France, the United Kingdom, Romania, Slovenia, Japan, and India. The attack, most unfortunately, also affected the national healthcare system (NHS) in the UK. This had a severe effect on hospitals and doctors being able to access patient data. This had a severe effect on many who were looking forward to surgical interventions.
In addition, as reported in the international media, many pharmaceutical companies, including the internationally reputed Merck & Co., one of the largest in the world, had to shut down production of one of its pediatric vaccines. It may be mentioned here that according to a White House assessment, the WannaCry and NotPetya cyberattacks created damages amounting to more than USD 10 billion. Some have, however, disputed this figure as being limited as it did not take into consideration what happened in many developing countries.
Recognising the reality of the threat, the EU and its member states have worked over the past few years to strengthen cyber security in Europe and tackle cyber attacks against infrastructures, cyber espionage, intellectual property theft, and hybrid threats using cyber means. The Union has primarily invested in increased prevention, early warning mechanisms, resilience and coordination.
It would be worthwhile at this point to draw attention to recent efforts by the EU to try and lay down a fundamental guideline pertaining to an efficient pro-cyber framework strategy. These efforts on their part need to be carefully studied by others.
There was at first the 2013 EU Cybersecurity Strategy. It was followed by the 2016 Network and Information Security (NIS) Directive and subsequently the 2016 Joint Framework on countering hybrid threats. Certain aspects of these measures are being already replicated elsewhere. That includes countries setting up national Computer Security Incident Response Teams (CSIRTs) and a competent national NIS authority. This is being done to facilitate strategic cooperation and exchange of information about ongoing threats and cooperating on potential cyber security incidents.
One needs to hardly reiterate that these steps will greatly help post-Pandemic and post-Brexit Europe which will rely greatly on digital marketing and e-commerce. One hopes that Bangladesh will also move forward in this direction.
We should also consider working together on this issue within South Asia. This will help all of us to move forward together. Our economic front, in particular, has many obstacles. As such, it would be useful for all of us to make a serious examination about what Netherlands proposed during its 2016 Presidency of the EU Council. Their comment on this issue, initially controversial, has subsequently gained appreciation.
Similarly, in South Asia, there are divergent opinions on practically most issues. Creating cyber security will consequently not be very easy. Nevertheless, today, after the emergence of the pandemic, everyone in South Asia, instead of blaming each other and attributing narrow objectives, needs to respond in proportion to the scope, scale, duration, intensity, complexity, sophistication and impact of every country’s cyber activity.
These procedures that are being adopted in other regions of the world should be studied very carefully by the Information Technology sector in Bangladesh. A Committee could be constituted with the direct and indirect participation of the private sector, different financial institutions and chambers of commerce. Our Ministry of Foreign Affairs can also be part of this matrix. There should not be any politicisation of this process. If necessary, we could also seek counselling from representatives from Japan, Australia, European Union, the USA and Canada.
One strongly believes that we need to achieve cyber resilience. It will require cyber diplomacy, and that should not be a difficult task for Bangladesh. The measures that are being undertaken in other regions of the world should be studied very carefully by the Information Technology sector in Bangladesh.
Muhammad Zamir, a former Ambassador, is an analyst specialised in foreign affairs, right to information and good governance.