Building accountability in cyberspace: What can we learn from Defence?

Published: 20 August 2025
Business Digital Intelligence, United Kingdom
The Defence sector has a role to play in helping to shape responsible practices and behaviours within Cyber

We’re at an inflection point in the Cyber sector’s rapid evolution and its domestic and international significance. A combination of factors has thrust the concept of Responsible Cyber Behaviour (RCB) further up government agendas, including:

  • More actors (particularly private companies) of varying size and sophistication joining and influencing the Cyber market
  • The growing impact of cyber capabilities in the changing geopolitical landscape
  • Malicious and irresponsible activity by state and non-state actors presenting a continuous threat to international peace, stability and security


It’s against this backdrop that the need to understand and promote the concept of RCB has become vital. Now is an appropriate time to consider how responsible behaviour in cyberspace – comprising values, norms, policies, practices and technologies – extends beyond the remit of national governments and multi-lateral organisations. More importantly, we must broaden the conversation to define what it means to be a responsible cyber player.


Experience from the Defence sector

Defining and embedding responsible practices is well established in the Defence sector, which – led by Government – has historically had to deal with and reflect on many questions concerning the responsible and irresponsible production, distribution and use of military capabilities.

Defence offers several parallels to the Cyber sector that could guide Cyber industry practices, notably in terms of the development and distribution of dual-use capabilities. Given the vast heritage of the Defence sector – which is built upon core principles long embedded in international humanitarian laws and treaties – there are opportunities to learn from how it has embedded responsible behaviours to promote and maintain responsibility within Cyber. 

Export control regimes are probably the most well-known mechanisms used by Government to enforce corporate accountability in Defence. Robust enforcement of export control drives accountability and curbs misuse – with the loss of public reputation, financial repercussions and distrust with government stakeholders incentivising organisations to minimise the risk of export control breaches. In Cyber, enforcement and penalties for regulatory non-compliance can also be costly and risk reputational damage. 

However, the export control model in Cyber operates differently – in part because it must keep pace with rapid technological change. The UK operates a ‘catch and release’ process where cyber products are initially subject to catch-all controls for export control licences, and exemptions are then issued for elements of capabilities that do not pose a risk as the technology matures. This approach is inherently different to the Defence model, where there are clearer definitions from the outset of what is controlled.

Defence is also underpinned by a breadth of domestic and international legislation and regulatory constraints that are designed to embed and promote responsible behaviours, with a focus on reducing harm to civilians and oppression. Notable examples include Arms Control Treaties, the Geneva Conventions, and International Legal Protections of Human Rights in Armed Conflict.

The same is of course true for Cyber, but the approach is different. In the Cyber world, regulation is focused on mitigating risks to businesses and individuals. Legislation is underpinned by the right to data privacy and, via regulations such as the NIS Regulations, the protection of essential services through the safeguarding of data confidentiality, integrity and availability. This contrast between Defence and Cyber legislation highlights how both sectors have evolved in reaction to misuse and to the risks posed by capabilities as they develop.

Non-legal tools also play a valuable role in driving responsible behaviour, such as ethical considerations over the potential misuse of sophisticated cyber capabilities. In Defence, these approaches have been shaped by historical events, non-legal doctrines, politics and public feeling over many years. Cyber operations are relatively new compared to kinetic capabilities traditionally procured by the military, but their impact is rightly now being considered with reference to a similar set of ethical principles. 

These legal and non-legal mechanisms – developed in line with the changing nature of conflict – serve to promote robust concepts of responsible behaviour that ought to spark discussions across the Cyber landscape and, in turn, lead to coherent business practices.


Applying lessons to Cyber

Based on our understanding of the sector, there are several mechanisms in Defence that define responsible behaviour that could also guide the responsible production and sale of capabilities in the Cyber sector:

  • Effective regulation and legislation at a domestic level will be vital to enforcing accountability. This should be supplemented by international agreements to shape common principles of responsible behaviours. Any regulatory programmes must, however, be agile enough to keep pace with the fast-paced nature of Cyber.
  • Enforcement through actions including fines, sanctions and consent agreements will help to grow commercial understanding of responsible behaviour. Publicising violations can provide a deterrent effect while helping firms prevent avoidable mistakes.
  • Providing transparency into operational and business practices can help firms across Cyber understand and reinforce commercial norms, as well as building confidence that industry understands the regulations and what constitutes misconduct.


Beyond this, proactive and dynamic collaboration across the multi-stakeholder landscape – involving industry, government and academia – is essential to defining what responsible behaviour means and setting standards for conduct. Both the Defence and Cyber industries have provided valuable insights into both the legal implications and the technical potential of capabilities, which has enabled policy makers to implement effective legislation and controls over advancing technologies. Establishing the structures and mechanisms to embed the exchange of good practice could further contribute to the development and sustainability of appropriate corporate norms.

In the complex and rapidly evolving landscape in which we find ourselves, maintaining this enhanced level of collaboration and industry-wide engagement will be critical to supporting a Cyber industry with a commitment to responsible behaviour at its core.


Related Content

Responsible cyber behaviour

Want to learn more about how the mechanisms that have defined responsible behaviour in the Defence sector can be applied to Cyber? Read our report: ‘Responsible cyber behaviour: Lessons from the Defence industry’.

Get in touch
David Edmunds

Cyber Security Consultant

BAE Systems Digital Intelligence