Background
Malware can be defined as malicious code that causes computers to do things that their users would not want done. Malware also includes cyber-weapons and spyware. Cyber-security analysts stress that malware is constantly evolving. Developers today can modify and recombine software to create new threats without significant costs, yielding malicious software that is cheaper, better hidden and more effective. As a result, defenders and policymakers struggle to catch up with the direct and indirect effects of malware.
Despite policymakers’ concerns about malware’s effects on Internet stability, some governments are becoming major consumers of malware. These states have a wide range of justifications for their actions. Some purchase malware to prevent other nations from using or exposing their cyber-security gaps. Other governments buy malware to attack other countries, steal information, test cyber-offensive capabilities, or to destroy infrastructure. Reuters, the Economist and the New York Times have reported that Israel, Russia, Britain, India, and Brazil, as well as the U.S. are major purchasers of malware. These governments allegedly buy information on the vulnerabilities in widely used programs and business and governmental systems. Other governments are using this information for surveillance purposes. The British government allegedly hacked Belgacom to enable covert wiretaps; and other governments may be taking similar steps to hack into U.S. firms. Der Spiegel reported that the NSA allegedly inserts malware on communications equipment before it is sold. Some cyber-security analysts say it is increasingly difficult to distinguish between malware designed for and used by criminals and malware designed for and used for government purposes. Consequently, policymakers may struggle to regulate users and uses.
Some governments are also allegedly major exporters of cross-border infections. The U.S. admits to using cross-border information flows to disseminate malware designed to disable Iranian nuclear controllers processing uranium (the Stuxnet worm). The U.S. also admitted it used malware to alter Al Qaida sites in Yemen. In 2012, NATO reported that it is attacked by malware on average thirty times a day. Since 2009, China has allegedly used malware to attack foreign journalists and media operations both within the country and abroad. In 2012, computer security researchers uncovered malware that appeared to spy on European diplomatic and government agencies.
Why are Malware and Cross-Border Infections a Governance Problem?
Increasingly, policymakers recognize there are gaps in global governance of the Internet, particularly relating to the rules governing information flows across borders. Some governments have tried to fill this gap by developing common principles aimed to facilitate the free flow of information across borders. But they have struggled to clarify the responsibilities of governments, given the ad hoc multistakeholder nature of Internet governance. For example, in 2009, the 57 members of the Council of Europe States set up a study group “to explore the feasibility of drafting an instrument designed to preserve or reinforce the protection of cross-border flow of Internet traffic openness and neutrality.” The Study group described the Internet as a global asset and advised that member states should cooperate to prevent threats to Internet stability, but the group did not develop specific regulations as to how nations should cooperate to protect it. In 2011, some thirty-nine nations–members of the OECD, (a club of middle income and industrialized countries) and Egypt, agreed that they must encourage the free flow of information online while addressing cybersecurity through cooperative endeavors. Later that year, many of the same nations agreed to a different set of principles to encourage human rights, including access to information, online “The Freedom Online Coalition.” In April 2014, after learning that the National Security Agency of the US spied on senior Brazilian and German leaders (among others) the government of Brazil set a global meeting to develop a set of principles and a road map for Internet governance. Although the final document does not mention malware per se, the participants called for strengthening international cooperation to promote cybersecurity in a multistakeholder manner. They noted “Mass and arbitrary surveillance undermines trust in the Internet and trust in the Internet governance ecosystem.” In 2013, the UN convened a group of experts to examine the relationship between international law and cyber-incidents. The Experts noted “Malicious actors exploit networks no matter where they are located. These vulnerabilities are amplified by disparities in national law, regulations and practices related to the use of ICT.” Hence, “it is in the interest of all States to promote the use of ICTs for peaceful purposes. States also have an interest in preventing conflict arising from the use of ICTs…..State sovereignty and the international norms and principles that flow from it apply to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure with their territory; States must meet their international obligations regarding internationally wrongful acts attributable to them.” But the experts could not devise effective strategies that could ensure that governments meet their obligations. The experts concluded, “States should consider the development of practical confidence-building measures to help increase transparency, predictability and cooperation.