Ensuring that the state is secure from cyber threats is increasingly becoming the priority of governments worldwide, sometimes clashing with concerns over privacy. There were four notable ways that states increased their presence in cyberspace in 2016, and this presence is forecast to become more prominent this year.
First, similar to what Prussian general Carl von Clausewitz said about war being “politics by other means”, states are increasingly using cyber capabilities as a way to extend their policies by other means.
The most prominent recent example of this is allegedly Russia, a nation accused by the United States of interfering with the US presidential elections.
The United States Office of the Director of National Intelligence and the Department of Homeland Security charged that the Russians hacked into the computers of the Democratic National Committee (DNC), and then leaked the emails to WikiLeaks to discredit the Democratic candidate, Hillary Clinton, whom they thought would be less favourable to Russian interests than now President-elect Donald Trump.
This episode provides an interesting twist to what is considered to be the critical information infrastructure (CII) in any given state.
Typically, states see CII to be more technical in nature in fields such as transportation, communications and finance, but now they also need to view the media, electoral and political systems in the same way. These systems also need to be protected against interference from other states who want to influence opinion and decision-making.
Second, states around the world are increasingly looking to implement strong surveillance laws with regard to cyberspace. China approved its new Cybersecurity Bill in November, including more stringent rules that require companies to provide data to the Chinese government upon suspicion of wrongdoing. The bill also requires businesses’ domestic data to be stored on Chinese servers, and this data cannot be transferred overseas without state permission.
Last year Britain passed the Investigatory Powers Act, giving the state broad-ranging powers that allow surveillance on a large scale. It is only a matter of time before more states adopt such sweeping legislation on surveillance in cyberspace.
Corporations may have to concede on some dearly held principles to do business in a foreign state, or forgo business opportunities in nations that are too restrictive.
Third, states increasingly want back doors to be built into the security of commercially available software, or for access to private data that has been secured by businesses. Last year, the FBI brought Apple to court to compel it to help unlock the encryption of a dead terrorist’s phone. Apple refused to do so, arguing that this would create a back door and would make all iPhones vulnerable to malicious hackers, and in the end was not forced to do so.
Given the failure of the US to force Apple’s cooperation, it may be difficult for smaller nations to compel large corporations like Apple to tweak encryption technology to help with their law enforcement efforts.
In the wake of terrorist attacks this year, France and Germany are also pushing the European Union to adopt a law that would require software companies to make encrypted messages available to law enforcement.
The right to privacy has thus come under much pressure in the past year even in Western democracies that were previously known for their liberal views.
Fourth, some states appear to be offering cybersecurity protection to private enterprises. In September, Ciaran Martin, the head of the cyber department at Britain’s surveillance agency Government Communications Headquarters (GCHQ), proposed erecting a government-maintained firewall against malicious hackers. The primary goal of the move is to secure government websites and critical infrastructure against hackers, but in his comments, Martin said it could be expanded to include private companies as well.
While this move naturally raises privacy concerns about governments holding and securing the data, the overall security gain for small- and medium-sized enterprises (SMEs) who are concerned about the cost of implementing an effective cybersecurity programme may tempt some companies to trust their data to a government-maintained firewall.
However, states should be aware of the additional risk in assuming responsibility for cybersecurity of SMEs. While this move may bring SMEs up to a minimum standard, a government cloud, with multiple SME eggs in one basket, would be a prime target for cyberattacks, and any breach or breakdown would result not only in financial losses, but also in reputational and political damage.
State intervention in cyberspace is not a new thing, but the tightening embrace of cyber issues by the state can be quite disconcerting and worrying to individuals and business. This is especially true for those who fiercely guard their privacy or fear giving states too much power over its citizens. This may well lead to a restriction of fundamental liberties. States need to realise that the increasingly Orwellian nature of state behaviour in cyberspace reduces the confidence of all users of cyberspace.
Given the increasing stewardship role of states in cyberspace, there should be appropriate discussions about who will serve in the role of ombudsman to the state, and if there is a danger of overreach into personal lives. There is also a need to define how information is secured while protecting both personal and enterprise privacy.
If this trend continues, the state will be responsible for a massive amount of data about its citizens, and any misuse of this data could erode trust in the agencies using the data. There are consequences for expanding the role of the state in cyberspace, and these consequences may not be conducive for the growth of both society and the economy.
Eugene E G Tan is an associate research fellow at the Centre of Excellence for National Security, a constituent unit of the S. Rajaratnam School of International Studies, Nanyang Technological University, Singapore.