"It could take years to arrive at a global treaty on cybersecurity, since many states are not ready for it – and perhaps never will be", according to the EastWest Institute’s Protecting the Digital Economy report.
Rather, voluntary private sector agreements and international standards are a better approach to promote cybersecurity globally, the report said. This enables the private sector in different countries to take charge of implementing cybersecurity measures, instead of waiting for slow-moving government bureaucracies to implement measures, it added.
The report identified a number of problems facing policy makers in tackling cybersecurity: there is no common international definition of what “cybersecurity” means; the private and public sectors have not worked together effectively to protect cybersecurity; companies do not have an incentive to build security into network equipment and services; and diplomatic assets assigned to cybersecurity are inadequate.
In addition, the report expressed concerns about the Pentagon setting up a Cyber Command because this tends to blur the line between commercial infrastructure and military assets.
"This new idea of war raises troubling questions – for instance, is it acceptable for one country to attack another's hospital databases? How about the flight systems that support passenger planes in the air?" the study asked. "While cyber conflicts have the potential to hurt citizens as profoundly as conventional battles, we do not have a Geneva Convention for cyber war", it noted.
The report also called for greater cooperation among governments to develop cybersecurity emergency response capabilities.
“If the cyber equivalent of Pearl Harbor strikes, there is a response in place…up to a point. While many countries and companies have Computer Emergency Response or Readiness Teams (CERTs) capable of dealing with worms and virus like Stuxnet, there is still a big gap in our ability to respond to a major cyber emergency”, the report warned.
It called on nations to lay the groundwork for cooperation in case of a major cybersecurity crisis. “Such a capability would complement the existing CERT capabilities with ‘infrastructure-level emergency response’ capabilities in order to better prepare for a catastrophic cyber event”, the report concluded.