By Eric Loeb, Vice President, AT&T International External Affairs
Last month, I had the opportunity to participate on a panel at the 2013 India Conference on Cyber Governance and Cybersecurity – or CyFy 2013 – sponsored by FICCI and the Observer Research Foundation. There were lively discussions about how to improve collaboration on cybersecurity, not only between countries, but between stakeholders. This is one of the most important policy topics of the day, so I wanted to share some of the ideas raised at this terrific conference in New Delhi.
As we all know well, the past few years have been a time of dramatic technological change for our industry. As a result, our business customers are finding new ways to speed growth and operate more productively with fully connected solutions around the world. And of course, in parallel with the growth of open connectivity, there has been an evolution in security risks. A pro-active investment in cybersecurity is the cost of doing business in today’s connected world.
By nature of our business, AT&T maintains a global focus on proactive risk mitigation. We have an incredible team that works on the leading edge of security for our customers, and we correspond with hundreds of carriers throughout the world. We’re constantly developing new tools to detect and prevent potential damage from cyber threats for our customers.
As we continue to move towards communications platforms that are based on cloud and mobility, the inter-dependency and need for international collaboration to mitigate cybersecurity risks will only increase. The new paradigm of security risk requires a new paradigm of security risk planning, and international partnerships in the government, business and civil society communities must be a cornerstone of this.
I’m often asked whether international cooperation is feasible in this complex world. My answer to this is influenced by the fact that AT&T already operates in countries on nearly every continent, and I have the privilege to work with people all the time to find consensus and cooperation on a variety of complex issues. So, my emphatic answer is that international cooperation on cyber-governance and cyber-crime is not only feasible, it is essential to maintain user confidence. So how do we make this happen?
Below are a few concrete, tactical recommendations. With these, I’m a believer in making incremental progress, because each step builds confidence for the next step. Don’t get discouraged by the enormity of the complete task. Just get going on the achievable first steps!
Improved international collaboration. We need to build international working groups that are as broad as possible while maintaining a high degree of trust – including governments, companies, NGOs and civil society – based on a common set of practices and principles.
- Voluntary working relationships that can be called upon to coordinate in the event of a large attack.
- Conducting regional exercises to expand our understanding of the complementary nature of our work and our respective capabilities.
- Mutual Aid Agreements to increase resilience in the face of DDoS attacks.
Public-Private Partnerships. Within the private-public partnership efforts, the industry needs to work intensively to develop an industry-led approach to protect critical infrastructure. This approach must encourage investment and innovation in cybersecurity and must allow for flexibility in how industry can respond to threats. In our work, we need to avoid “check the box” types of prescriptive rules on cybersecurity, because these will always be based on what is already known, and will often lag behind the rapidly evolving threat environment. The key is finding ways for the private sector and public sector to collaborate on forward-looking innovative strategies that anticipate where the risks are headed.
Cyber-crime Enforcement. We need much more emphasis on law enforcement and pursuit of cyber criminals across borders, including in places that can be sanctuaries for bad behavior. These pursuits are very difficult without strong law enforcement commitments in each country.
- Budapest cybercrime convention is the best framework out there, and it can be improved with more participation.
- Consider forming an International Cyber Crime Center to focus on complementing INTERPOL work to solve crimes and achieve successful prosecutions.
- Streamline the Mutual Legal Assistance Treaty process and find ways to create interoperable law enforcement frameworks that can be used to respond to global cybersecurity threats.
In addressing security risks, companies and governments need to avoid the impulse to take a checklist approach, and instead develop flexible strategies for anticipating and rapidly reacting to evolving security risks. Innovation must be a key component of this strategy. Because of the borderless nature of globally interconnected networks, our cyber dependencies are inherently international.
We must work together, and I’m confident that steps such as those above can help us build competence and confidence in the collaborative efforts.