Cybersecurity and Global Public Policy: Hans Klein Discusses Policy Implications of the WannaCry Attack

Posted May 16, 2017

Commentary by Georgia Tech School of Public Policy Professor Hans Klein

By now everyone has heard about the WannaCry computer virus, which has infected hundreds of thousands of computers worldwide. The “ransomware” ties up computer files and demands a payment of $300. Its victims include Chinese police agencies, British health providers, and individuals around the globe.

While the specific details of this virus are important, the real story is in the big picture. WannaCry is just one event in a larger trend: the conflict between globalization and national governments. Preventing such attacks in the future may involve developing global public policies and global governance institutions that go beyond the nation-state.

The internet brings people, organizations, and governments from around the globe into direct contact, creating a global society in which we increasingly communicate with and affect one another. Unfortunately, this global society lacks rules. Normally, where there is society there is the capacity to make enforceable rules that define what actions are forbidden and how perpetrators of bad actions are punished. But the advent of the internet has created global society, in which hackers from anywhere on the planet can infect computers anywhere on the planet. Without global institutions for making and enforcing rules about such misdeeds, it is hard to apprehend perpetrators.

Governments play two roles in all this. Although fragmented into national territories, they must — and increasingly do — coordinate across the globe to make and enforce cybersecurity laws. In this role, national governments provide solutions.

In their second role, however, governments can make things worse. As national defenders, governments may resist cross-border coordination and may develop cyber weapons used for attacks. Cyberspace is considered a new field of international warfare, and incidents of attacks, infiltration, and subversion are becoming more common every day. Russia is accused of hacking the U.S. elections, North Korea is accused of hacking Hollywood, and the U.S. is accused of hacking Iranian nuclear facilities, among other cyber surveillance activities. A recent WikiLeaks disclosure revealed that U.S. agencies have stockpiled software vulnerabilities that can be used against rival states and organizations.

Like conventional weapons, the very existence of cyber weapons can make the world less safe. And, indeed, in the case of the WannaCry virus that seems to have happened. Malware held by the U.S. escaped and is now used for criminal purposes.

What is to be done? While there are no easy fixes, Microsoft Corporation, whose Windows operating system is being targeted by WannaCry, earlier this year made a bold suggestion: The company proposed a Digital Geneva Convention by which national governments commit to not target civilian systems when engaging in international conflict. While not outlawing cyberwar, it seeks to protect civilians from international conflict. Microsoft’s proposal moves cybersecurity to the level of policy, recognizing that solutions to global cybersecurity require both technical and policy solutions.

This policy-based approach was the focus of Georgia Tech’s workshop on “Cybersecurity and Internet Governance,” hosted last week by the School of Public Policy. That meeting assembled scholars, industry representatives, and government experts from across the globe, including policy experts from Google and Microsoft, to examine issues of territorial boundaries, global institutions, and the role of industry and academia in securing cyberspace.

One take-away from that meeting was that U.S. corporations are increasingly aligning themselves with a global public interest rather than a national public interest. U.S. internet firms like Microsoft, Google, and Facebook no longer serve a U.S. market — they serve users around the globe. Their corporate interest is to help customers everywhere resist attacks and operate effectively. Such firms increasingly find themselves at odds with a logic of national security that promotes the stockpiling of cyber weapons and the possible attack on civilian users of internet services.

Currently, we are at the first stages of developing global public policy for cybersecurity. If episodes like today’s WannaCry attack are to stop, it may well depend on such initiatives.

Dr. Hans K. Klein is associate professor in the Ivan Allen College School of Public Policy at the Georgia Institute of Technology. His research interests include Internet governance, globalization and regulation, the development of large scale systems, federal technology policy, the politics of innovation, Intelligent Transportation Systems, public access television, and Internet and democracy. He is an originator of the Internet Governance Project (IGP) at Georgia Tech.