In the end of 2017, the world has developed a situation in which cybersecurity issues are considered as urgent as nuclear threats. The world has become digital.
The threats of the global network have become so grave that losses and damage are measured not just by large amounts of money, but also by human lives, sometimes of the rising generation.
Cyberspace opportunities are so powerful that they can organise rallies in tens of thousands of people and create real threats to the existence of the state system. There is even a new model of the global internet – the “splinternet,” which implies the creation of national state segments of the Internet. New media and social networks represent the next stage of internet development, which by the number of users exceeds the population of many countries.
Alliances and arrangements that previously existed between countries were more of an intelligence nature and did not provide for a joint struggle regardless of the countries’ bloc affiliation. That is why the Council of Europe adopted the Budapest Convention on Cybercrime in 2001, which for the first time defined and classified crimes in cyberspace and determined mechanisms for cooperation between countries, the order of interaction of law enforcement bodies and conditions for information storage by Internet providers. The convention entered into force July 1, 2004 and was signed by 30 countries in 2005, including European countries, the USA, Canada, Japan and South Africa. It was based on voluntary information exchange and provision of technical access for participating countries. The countries that signed the convention had strong economic ties and most were part of the North Atlantic Treaty Organisation (NATO) military bloc.
By the mid-2000s, the world was divided into two according to their approaches to cyberspace. Some countries, like the U.S. and Europe, insisted on the adoption of joint measures to counter cyber threats based on voluntary access to the countries’ technical resources, while Russia, China and others insisted on taking measures to prevent the very threat of an information war. After heated debates at the United Nations and the Organisation for Security and Co-operation in Europe (OSCE), the sides began to act independently. One side acted within a military and political union; the others acted within bilateral relations and various associations. Joint cybersecurity collaboration continued only within the Computer Emergency Response Team.
The starting point for the Shanghai Cooperation Organisation (SCO) was the establishment of joint measures to counter information security threats. The first intergovernmental SCO agreement on information security cooperation was signed June 16, 2009. The document is unique in the sense that the participating states commit themselves not to use cyber weapons against other countries and assist other parties. In fact, the obligation not to use cyberforces equalises the threats of cyberspace with the threats of using nuclear weapons against the parties. Kazakhstan ratified the agreement on May 6, 2010.
By that time, Kazakhstan had already made significant steps towards building an information society and begun to provide public services in electronic format. Government databases were created and maintained, while the e-government had become an actual link between government agencies. With the digitalisation of the government system, the population learned to enjoy the benefits of the information society. However, the threats emanating from cyberspace had become widespread and affected the national security of entire states.
At the meeting of the SCO Council of Heads of State on June 15, 2011, Kazakh President Nursultan Nazarbayev noted that “it is time to introduce new concepts into international law such as electronic border and electronic sovereignty.”
“It might be useful to think about creating a special SCO body that performs the functions of a cyberpol. Separatism, terrorism, extremism and drug trafficking use the global network to penetrate our countries and spread throughout the world,” he said.
The Kazakh President’s proposal to create a special SCO agency was relevant and timely. Some countries have already had relevant offensive units and set up so-called “cyber troops.” The development and maintenance of a new modern branch of troops in terms of intellectual costs are available only to some countries, such as the U.S., China, Russia, the U.K., Israel, Germany and, perhaps, Iran. Can Kazakhstan have such an army? It is very unlikely, but it is simply necessary to have e-borders and e-sovereignty.
Two years later, in December 2013, the OSCE participating states adopted the initial set of OSCE confidence-building measures (CBMs) to reduce the risks of conflict stemming from the use of information and communication technologies. The CBMs list provides for data exchange and cooperation, consultations and coordination of participating states in information and communication technology (ICT) and internet security. The fundamental element of the entire document is the voluntary information exchange. Additional CBMs to “step up individual and collective efforts to address security in the use of ICTs in a comprehensive and cross-dimensional manner in accordance with OSCE commitments” were introduced in March 2016.
After the Edward Snowden case, significant changes were made to the work of the U.S. intelligence agencies; many countries took relevant measures to protect their information space and governmental institutions from external interference. Each country thought about its own digital sovereignty and started to carry out relevant work.
Resolution No. 407 of the Kazakh government of June 30, 2017 approved the concept of cybersecurity (Cybershield of Kazakhstan), which “determines the main directions for implementing state policy in the field of protection of electronic information sources, information systems and telecommunications networks.” Among them are the establishment of a national information security coordination centre, development and construction of electronic borders, “a unified approach to the monitoring of information security” and “the development of mechanisms for preventing and promptly responding to information security incidents.”
The key problems of Kazakhstan’s information space identified in the concept include the presence of a large number of malicious programmes, low legal literacy of the population in information security, poor knowledge of protection methods, lack of educational institutions and specialists, less than 5 percent of products of Kazakh origin, high risks of high level of digitilisation and automation, the illusion of impunity created by the cross-border nature of cybercriminals and, finally, tension and the “use of ICT for intelligence, subversive and other purposes” created by ICT militarisation by countries.
It appears that in their analysis of international experience, the authors of the Cybershield Concept focused on the Global Cybersecurity Index of the International Telecommunication Union (ITU), which, albeit useful, does not reflect the real situation in countries since it is based on formal signs of cybersecurity development. There is a need to study the real experience of countries that are truly advanced and have all the potential for this.
Kazakhstan, which is rapidly integrating into the digital world, considers cybersecurity as its top priority. Automation of enterprises and organisations, e-government development, introduction of information systems into national companies and widespread use of modern technologies in the banking sector require appropriate security systems not only at the corporate level, but also at the national one.
Over the past six months, there has been a large number of documents, legal acts and draft laws seeking to change legislation in the field of cybersecurity. This is done primarily to ensure the compliance of the work of the recently created Ministry of Defense and Aerospace Industry with the legal framework. This new industry destined to become a backbone of the economy is under development; and these processes and changes accompanying them will affect all levels of the society and the state.
Unfortunately, the reality so far is that each country promotes its own models of information security, taking into account only military-political and bloc interests. Further development and efforts on collective confidence-building measures between countries could only be ensured at the global platforms of the UN and the OSCE. Cross-border nature of cybercrimes is a problem not only at the national, but also at the international level. The immediate and effective fight against cyberterrorism is possible only through cooperation between countries. There is no other option.
The author is President of the Internet Association of Kazakhstan and a member of the Public Council overseeing the work of the Kazakh Foreign Ministry.