Despite the increasing number of digital assaults against private industry and governments in the past couple of years, we are still in a state of denial about the prospects of a global cyber showdown.
America and its international partners have offered mostly hand-wringing and half-measures in response.
In a speech last month, Microsoft’s president and chief legal officer, Brad Smith, called for the global community to band together to create a digital version of the Geneva Conventions to combat global cyberthreats.
But why not take Smith’s idea a step further? The United States should be leading the international community in addressing these attacks through existing worldwide organizations by creating a cybersecurity version of NATO.
The next large-scale cyberattack is inevitable. While this summer’s WannaCry attack — which infected more than 150 countries and disrupted critical sectors of the world economy — could have been worse, the next probably will be. But the industry alliances formed in response to such attacks have yet to drive substantial change.
Instead, it is in America’s interest to persuade both citizens and governments around the world of the threat these attacks represent.
They violate basic human norms and flout existing laws that people around the world welcome. Cyberattacks aren’t daring electronic adventures. They’re dangerous, criminal acts — high-tech burglary, theft, armed robbery, piracy and kidnapping with ransoms. And they jeopardize everything from our freedoms and economic prosperity to our way of life.
We can’t go it alone in response to these crimes: Perpetrators of data breaches are difficult to identify and frequently act from outside the United States, making them elusive to domestic authorities. Even with excellent international law enforcement cooperation, few cyber criminals have been brought to account for the significant harm they have inflicted.
Nor can we pretend that the threats will ebb any time soon. The number of reported data breaches in the United States alone this year is expected to hit an all-time high, up nearly 40% from 2016, according to the Identity Theft Resource Center.
The annual price tag for cybercrime — up to $575 billion in losses for the global economy and $100 billion in losses inside the United States, the hardest hit of any country. Juniper Research predicts that the cost of data breaches globally will quadruple to $2.1 trillion by 2019.
America needs to lead an international coalition of partners to help. In 1949, the United States and European nations formed NATO to safeguard their freedoms and security through political and military means. That alliance and other global organizations — including groups that America may need to foster — must campaign against cybercrime with two central features.
First, as with NATO’s Article V, they should agree that a cyberattack on one member country constitutes an attack on all. While rogue states may still harbor cyber criminals, this principle assures that enforcement measures — through diplomatic, trade or other international means — have maximum effect.
Second, worldwide bodies should actively pursue cyber security defenses, sharing these with private enterprise, as a paid service if necessary. Lack of preparedness, after all, is a common theme in breaches that have dominated the news.
This path forward may not be easy and controversy free, given differing national views on critical issues such as privacy and innovation. But as with other global initiatives that have helped to control nuclear arsenals, contain global pandemics and safeguard our skies, coordination and cooperation are critical, and can grow.
The cyber criminals who unleashed WannaCry may unwittingly have advanced the global consensus to battle the grave dangers of future cybercrimes by attacking computers across Eurasia, Latin America and Africa, including in nations reluctant to crack down on bad actors.
The impetus for change typically hinges on a moment when the focus shifts away from words toward action. America must mobilize the world against a cyber doomsday. It’s only a matter of time, without appropriate collective measures, before criminals — on purpose or by accident — cause a global calamity the scale of which fundamentally alters the course of economic and political history.