Billions of devices will soon be vulnerable to cyberattack. But we're not ready

A decade ago, cyber security received little attention as an international issue. The term cybersecurity refers to a wide range of problems that were not a major concern among the small community of researchers and programmers who developed the Internet in the 1970s and 1980s. In 1996, only 36 million people, or about 1% of the world's population, used the Internet. By the beginning of 2017, 3.7 billion people, or nearly half the world's population, were online. Many observers have called for laws and norms to secure this new environment. But developing such standards in the cyber domain faces a number of difficult hurdles. Although Moore's law about the doubling of computing power every two years means that cyber time moves quickly, human habits, norms, and state practices change more slowly. For starters, given that the Internet is a transnational network of networks, most of which are privately owned, non-state actors play a major role. Cyber tools are dual use, fast, cheap, and often deniable, verification and attribution are difficult, and entry barriers are low.

Where does the world go now? Norms can be suggested and developed by a variety of policy entrepreneurs. For example, the new non-governmental Global Commission on Stability in Cyberspace, chaired by former Estonian Foreign Minister Marina Kaljurand, has issued a call to protect the public core of the Internet (defined to include routing, the domain name system, certificates of trust, and critical infrastructure).

Last month, United Nations Secretary-General António Guterres called for global action to minimize the risk posed by electronic warfare to civilians. Guterres lamented that "there is no regulatory scheme for that type of warfare," noting that "it is not clear how the Geneva Convention or international humanitarian law applies to it."