How should the web be governed?
IMD Professor Howard Yu on cyber security
Professor Howard Yu was recently interviewed on cyber governance. Here are extracts below:
Which agency should lead the way in writing cyber rules?
With all the offensive actions by Russia being unveiled recently, it has become all too clear that the current regime that governs cyber security is insufficient. The nature of cyber-attacks is also changing. From explicit state-sponsored actions, using a brute force approach to attack—hacking, industrial espionage, or ransomware—the attack model has become far subtler. Pushing fake news by paying Facebook advertising money is hard to detect, and even harder to prosecute in our current regulatory environment. Is the source of information the only source of guilt? To what extent should Facebook or Google—these legitimate, highly powerful commercial entities—also share the blame? Which is why no agency would be able to single-handedly define cyber rules going forward.
The U.S. Securities and Exchange Commission would be a natural candidate to govern cyber security related to financial transactions. With cloud computing in full rage, with so many big banks deciding to let go of traditional data warehouses and moving to the public cloud such as AWS (Amazon Web Services or Microsoft Azure), someone has to define the responsibilities in the event of a data breach. When banks are purchasing software as a service (SaaS), does data security now completely rest with the external providers? To what extent are banks are still legally liable for data breaches and how can the responsibility be spread fairly across parties? These are the sort of questions the SEC is in the best position to negotiate. However, financial transactions are only one facet that faces the threat of cyber-attack. And in terms of law enforcement, the scope of such an operation would demand extensive collaboration.
Should it collaborate with other agencies?
In the book “Third Wave,” Steve Case, co-founder of AOL, describes how the advance of "Internet of Everything" is to transform every part of our lives to become dependent on an internet connection, like healthcare, education, and agriculture, energy, transport and more. The risk is, when the internet is integrated into our lives so deep, cyber-attacks will not only pose the risk of data breaches, but can possibly take full control of autonomous driving vehicles, smart energy grids, connected heart pace makers, drones, just to name a few. It will no longer be cyberbullying, cyberstalking, theft of wireless services, spamming, or unauthorized access, but crimes with far bigger consequences. For this reason, collaboration with other agencies, from the FBI (Federal Bureau of Investigation), DHS (Department of Homeland Security) and the DOD (Department of Defense) are inevitable.
Are jurisdictional issues a concern?
Yes. The FBI, for example, doesn't have the authority to arrest someone in Spain. And yet with so many attacks that can easily be initiated overseas, it requires a new sort of cross-border coordination.
Now, is it largely best practices and guidance instead of rules?
What we have now is necessary but not sufficient. In high risk areas, no society should allow best practices and guidance as the only regulatory mechanism. There is the FDA which approves drugs. There is FCC which regulates telecom. There is the DOT that regulates transport. The same should be applied to cyber rules.
Why should there be or not be cyber rules?
There should be rules for sure. But more importantly, the regulatory system must be built with a strong enforcement mechanism. The financial meltdown in 2008 and the lack of ability for prosecutors to go after the chief culprits—top level executives and big banks—is an example where policies are only as powerful as the ability of prosecutors to enforce rules.
Is it difficult to write rules on cyber issues because firms come in all sizes and the cyber approach needs to be customized?
Yes, but in our modern legal framework, we fortunately have the jurisprudence of a precedent which also allows the law to evolve. This is particularly important as the development of cyber issues are so rapid. There are too many unknowns. It would be impossible to lay down all the guidelines once and for all.
What would be the first rules, if any, that make sense for cyber issues?
One very critical domain is security related to artificial intelligence (AI). Already, some 1,000 high profile AI experts have jointly signed an open letter, calling for a ban of any “offensive autonomous weapons”. If history is a guide, international protocols surrounding what AI systems are, and how they should be built will soon emerge. All this will certainly prompt additional negotiation at the societal level. The concept of setting up international protocols are not new in IT. Even in our free-for-all Internet, worldwide protocols have helped ensure efficient information exchange. As AI is posed to be the steam engine for the second half of the 21st century, an important rule on what is allowed to be developed and what should banned, can no longer be postponed.
Should be rules be global rather than national?
By nature of the internet, the rules require cross border coordination from day one. It is a fundamentally global problem.
Will a hodgepodge of cybersecurity rules may end up creating less, not more security?
The problem of hodgepodge rules is very real. The basic problem is that it leads to weak enforcement mechanisms. Not only does such a legal framework lack consistencies, it would also cause unnecessary complexity. Once complexity increases, loopholes can easily be exploited by industries. It’s the spirit of the law—the intent and purpose of the lawmaker—that truly matters.
Howard Yu is professor of strategy and innovation at IMD Business School. IMD is based in Lausanne, Switzerland and Singapore.