With advances in information warfare mixed in with people becoming increasingly connected around the world through the internet, the power and influence of the digital sphere are growing exponentially and will continue to do so. Add competing international powers to this mix, and we see another aspect of this brave new digital world that we have created – the increase in global intrusive cyber threats in the form of data breaches and theft, and invasions of privacy. What is still lacking in this rapidly changing context are effective global rules and norms that can adequately respond to these threats. In what follows we will look at some examples of such security threats to data and attempt to ascertain why current rules and norms are unable to cope with these threats.

1. Data security and privacy

A significant modern digital threat is the theft and misuse of people’s private data, which can affect governments, businesses and private citizens alike. Data has been lost and stolen from all over the world, such as in the case of compromised debit cards in India, and the theft of account data from a tech unicorn in Australia and from the Chinese social network Weibo. While most of these cases are attributed to cyber criminals who sell on the data, and who are therefore accountable to criminal law rather than international norms, other examples are more complicated. In September 2017 Equifax announced a data breach due to hacking that exposed the personal information of 147 million people. What is interesting about this data breach is that no clear responsible actor was found until the US charged four Chinese military officers with the theft in February 2020, more than two years after it had happened. A similar hack of Marriot Hotels’ database also led to “hints” of Chinese state involvement. This issue is not only criminally led, however – even some US allies such as the UAE have created a smartphone chatting app “Totok” that is able to access its users’ conversations in an attempt to increase the country’s surveillance of both its own citizens and its rivals in the Middle East, according to the New York Times. These kinds of surveillance and loss of data, which some may see as inconsequential, are real threats, because countries and organisations can use the data and information they steal for their own strategic goals at the expense of people’s civil liberty and privacy. The Russian Federation government did just that during the 2016 US presidential election, probing state voter databases and spreading propaganda in order to influence the outcome of the election. With the number of internet users increasing every year, these problems will only escalate.

2. Rules and norms in the era of digital competition

What is important about these invasive data breaches is that, unlike in traditional military strategy, the targets of these operations are not military or security entities, but ordinary citizens. While these citizens are not in danger of experiencing physical harm from such attacks, the idea of a right to digital privacy is a common one dating back to UN Resolution 68/167 of 2013, which expressed the UN’s concern over the potential negative impact that surveillance and the interception of communications may have on human rights. However, with the increasing capabilities of artificial intelligence (AI), the risks expand past digital privacy and enter the world of cyber security, which means that more effective government and international regulations must be drawn up to combat rising threats such as deepfakes and other problems arising from AI.

These regulations, however, cannot be created haphazardly. An overly aggressive approach, for example, can stifle innovation in the field of AI and even hinder the path to possible solutions to security problems. What is needed, then, is to hold consistent and open dialogue between the key stakeholders in the digital sector that finds an acceptable middle ground between the needs of governments, private industries and ordinary citizens – a complex task that will need both creativity and patience to be realised. The Global Commission on Stability in Cyberspace is a good example of the steps taken in this regard, comprising various government, industry, technical and civil society stakeholders who can speak authoritatively on the various aspects of cyberspace that need to be considered. Another good example is that of the European Commission, which seeks to both invest in AI research and innovation, and also ensure the creation of an appropriate legal and ethical framework to guide and control this process, while simultaneously creating space for dialogue with its High-Level Expert Group on Artificial Intelligence.

While these are positive changes, most of the world’s top 100 AI companies are based either in the United States or China, which means that the EU’s power may be strong in terms of protecting citizens’ privacy, especially through its General Data Protection Regulation (GDPR), but it lacks the jurisdiction to follow through on a global scale. If the United States and China were to play a larger role in the creation of the needed digital rules and norms similar to the EU GDPR, this would significantly enhance global security.

The likelihood that this would happen in the current context, however, is improbable, because the United States is not keen to impose restrictions on large US-headquartered service providers like Google, Apple, Facebook and Amazon, while China is increasing its already intrusive state surveillance due to the coronavirus, valuing national security over personal privacy. But governments are not the only actors that can make a difference –  ordinary citizens must also take a greater interest in the safety and security of their data and demand that their own countries’ governments and companies carefully consider the growing threat to their digital privacy and safety. Only together can we create a fair global system of rules and norms to ensure a safer digital world.

ABOUT THIS BLOG SERIES:

As the world attempts to navigate yet another major disruption, we continue to look to one another to identify sustainable solutions and rebuild better. It is time for our world to take conscious steps towards unity and to work together so as to move beyond our preconceptions and challenge our stagnation. This #OnlyTogether blog series provides you with expert insights and the beginnings of a roadmap to a more peaceful and secure future. This blog series was launched to celebrate our 25th Anniversary, discover our 3-day event programme here.

Disclaimer: The views, information and opinions expressed in the written publications are the authors’ own and do not necessarily reflect those shared by the Geneva Centre for Security Policy or its employees. The GCSP is not responsible for and may not always verify the accuracy of the information contained in the written publications submitted by a writer.