Cybersecurity is a big issue at this year's Munich Security Conference. Security expert Michael Chertoff is demanding global rules for cyberspace.
Deutsche Welle: Mr. Chertoff, cyberspace is a space without borders, but now, a new Global Commission on the Stability of Cyberspace is set to be launched and you are slated to be a commissioner. The challenge seems big, the challenge seems urgent. Cyber security is a big topic at this year's Munich Security Conference. What can this global commission achieve realistically?
Michael Chertoff: I liken the internet a little bit to the high seas. Everybody uses it but it is not necessarily within any countries boundaries. So over a period of time we developed a body of maritime law that governs free passage - what you are allowed to do and what you are not allowed to do on the high seas. Sometimes there is controversy and sometimes the rules get broken. But the fact that we have rules makes it possible for everybody to use the oceans. And I think we could do the same in cyberspace. We can at least in some areas reach agreement that there should be some limits to what is done offensively or what is done defensively in cyberspace. It is not going to solve every problem and it won't be perfectly enforceable. But if we begin with some common interest, then I think first if we can reach some agreements we can build trust and we can at least begin to reduce some of the challenges to using the internet and the trust in the internet which otherwise I think can be a problem.
One of the big problems when it comes to enforcing norms in cyberspace is that it is a problem of attributing cause or blame. It is very difficult to pin down a violator and to find a smoking gun.
Attribution is difficult, and one of the things that makes it more challenging to enforce the rules is that, with respect to cyberspace as with nuclear proliferation, it is precisely that the capabilities are wide and distributed. It is easy to masquerade as somebody else. And, in fact, one of the norms that perhaps we ought to have is an obligation to identify oneself.
That being said, there are ways to attribute. It may not be as straightforward as watching where a missile might have been launched, but there are tools you can use to actually track back who launched an attack. So, while it won't be a perfect situation, I do think there is enough capability. I think that we could call out somebody who persistently violates the norms - often, frankly, because you see the effects of what they do in terms of how it benefits the perpetrator.
What are the next steps after the launch of the commission?
First, we will have a broad representation from countries around the world. And we hopefully have representatives coming on board from China and Russia, as well as obviously the West and Africa and South America. I think we then want to define clearly what we want to achieve - at least in the short term and then in the medium term - and put together a plan to begin to develop some output and some results relatively quickly. Then, we can begin to socialize the recommendations with governments around the world. There are some areas where I think you could reach a pretty broad consensus because everybody benefits from having a clear understanding of the rules of the road.