The legal battle against cyber crooks should be national, not global

Published 28 November 2022 in Magazine • 6 min read

While the temptation exists to create an overarching international framework to combat cyber-risks, it is nation states that must be in the vanguard, argues Edite Ligere.

In the wake of the financial crisis of 2008, there was much discussion about creating global regulatory standards to stop a repetition of the devastation wreaked on financial systems. Gordon Brown, the British prime minister at the time, argued in a landmark speech two years later for a “new global order”, maintaining that “only a truly international response – in policy and governance” could be effective in preventing future crashes.

In today’s digital world, it is tempting to make a similar case for cyber-risk: that creating a global governance framework would help to stop bad actors damaging government institutions and holding businesses to ransom.

Pandemic weariness, geopolitical turbulence, and inflationary pressures are palpable across the globe and disruptive technological innovation offers promise and despair in almost equal measure. Digital banking is helping to boost financial inclusion. Internet-based services have improved the lives of millions. Decentralized autonomous organizations are becoming increasingly popular, even though their precise legal status remains opaque. Smart contracts rely on cybersecurity. Smart cities and automated vehicles are in varying degrees of readiness.

Conversely, state-sponsored cyberattacks and those of other actors on critical infrastructure and essential services are widespread and becoming more frequent. The ransomware attack on America’s Colonial Pipeline last year is just one example of how alarming cyber-risk has become. Even the legal profession is not immune: in April, the IT systems operated by the Bar Council of England and Wales were targeted.

Cyber-risk ranked as the top concern of chief executives in consultancy PwC’s latest CEO Survey. Trust in institutions, politicians, and much established practice is low. Even the concept of currency is under attack. The violent shifts in the value of crypto assets illustrate the volatile, unaccountable, and unreliable nature of what is becoming a parallel financial system.

[Image caption: Despite the picture postcard setting, Tallinn, the capital of Estonia, is a technology hub. The small Baltic nation has worked hard to rebuild trust after a devastating cyberattack in 2007.]

Yet the solution is not building a new global cyber legal and regulatory infrastructure. We should rather focus on making better use of existing national legal and regulatory regimes — where they exist — to address cyber-risks, while encouraging greater international cooperation underpinned by universal values such as integrity, fairness, and due process.

Nation states must be in charge of their own destiny. Cybersecurity is central to that destiny. Of course, international cooperation is vital, and the work of Interpol here is exemplary. The agency’s establishment in 2014 of a Global Complex for Innovation in Singapore to fight cybercrime through research and development for the identification of transnational criminals, training, and operational support, has been a significant step forward in tackling the issue in Asia especially.

Instinctively, most stakeholders are enthusiastic about tighter global cybersecurity standards. It makes sense to tackle the matrix of sometimes overlapping national and regional rules that add to complexity and costs. For example, the European Union’s proposed Digital Operational Resilience Act (DORA) aims to strengthen the resilience of financial institutions against cyberattacks.

Yet global rules and regulations will only be as effective as the extent to which they avoid settling on a lowest common denominator that does not survive contact with the enemy in the cyberverse when something adverse happens. While harmonization of legal, regulatory, and policy frameworks is an excellent idea, effective enforcement ultimately remains national, and nobody is (yet) responsible internationally.

An effective approach to cybersecurity must be based on transparency, accountability, effective enforcement, and trust in the system. In the current geopolitical context, we should be making the most of national frameworks and not putting resources and trust into creating a global behemoth that could be vulnerable to political weaponization.

Therefore, instead of building supra-national institutions to deal with cyber-risk, we need to identify the ways in which we can enhance and adapt existing national legal frameworks. More imaginative use of existing domestic legal, regulatory, and policy measures, not necessarily the addition of new ones, would appear to be a more effective use of limited resources.

For example, in the UK a cyber awareness and reporting element could be added to the existing Senior Managers and Certification Regime in the financial regulatory context. A “fit and proper” person could be required to demonstrate cyber awareness and conduct certain due diligence. In the “know-your-customer” (KYC) sphere, entities and individuals could be required to know and monitor on an ongoing basis what cyber “hygiene” is carried out in supply chains. A specific cyber element could be added to the Financial Conduct Authority’s Principles for Business and the City Code on Takeovers and Mergers.

Such measures would be a more productive use of resources than creating an over-arching cyber architecture. Common law jurisdictions have some advantage here, of course, because of the inherent adaptability of the common law.

But more generally, it is ultimately the practical, operational capability at the national level to strengthen cyber-resilience and minimize threats that is critical. Trust is vital. Estonia was the first country in the EU to become a “digital state”, offering digital identification to citizens to pay tax, vote, and access public services. The large-scale attack in 2007 on Estonia’s digital infrastructure (some of which was inherited from its membership of the former Soviet Union), widely attributed to Russia, was not only an example of the urgent need for heightened resilience in the digital age, but also galvanized the nation’s efforts to strengthen and build trust domestically in its defenses.

Businesses and nation states should increase preparations for cyberattacks and proceed on the assumption that they will occur with increasing regularity. Such preparations should include ongoing investment in physical and digital security, ensuring that systems are recoverable and adaptable, and maintaining adequate, risk-based safeguards to absorb shocks.

The balance between innovation and operational resilience in the cyberverse is a moving target. Decision makers should aim to ensure that:

  1. Existing national frameworks are adapted and used imaginatively to the fullest extent to address cyber-risk.
  2. Ethics are at the heart of any innovation and operational resilience regulatory frameworks.
  3. International cooperation against cyber threats is enhanced.
  4. Polarization between developed and developing parts of the world as a consequence of cyber-risk is minimized.

Given increasing global polarization, tantalizing as the idea of a global cyber legal, regulatory, and policy order may sound, the practical utility of this idea remains aspirational. It is hoped that in future the international community will reunite, rebuild trust, and row in the same direction. Until then, cybersecurity is far too central an issue to national security and other vital interests to be left to a global construct.

Author

Edite Ligere

Barrister at 1 Crown Office Row Chambers

Edite Ligere is a barrister at 1 Crown Office Row Chambers, London, and an advisor at Galileo Global Advisors in New York. Edite focuses on global financial regulation, banking, insurance, human rights, climate action, artificial intelligence, machine learning, and cybersecurity.
