A Global Cyber Federation? Envisioning a Red Cross Movement in Cyberspace

Lately, I’ve spent a lot of time thinking about the future of cyberspace and how to deal with the coordination and collective action problems that are leading to the normalization of cyber insecurity. As I’ve written previously, I’m skeptical that the standard legal regulatory move — proscription — will work at either the individual or the State level.  Thus, I’ve tried to examine ways law can help regulate and promote resilience in cyberspace independent of identifying and punishing bad actors, including an idea for some sort of e-SOS system.  Much of the feedback I received on that idea involved questions on operationalizing any duty to assist.  Certainly, it could be something States (or other actors) adopt unilaterally; or it could be something States might coordinate in some form of international agreement such as a treaty (or more likely these days) some form of political commitment.  There is, however, another option based on one of the most successful humanitarian organizations in history — the Red Cross.  Simply put, why not have a Red Cross-like movement in cyberspace where interested entities (including CERTs) combine to coordinate and offer assistance to victims of severe cyberthreats impartially, neutrally, and independent of governments and their particular interests (e.g., surveillance)?

Together with Tim Mauer of New America, I’ve got a populist call for such a movement in Time today.  To be clear, the idea is not to hand over cyberspace to the Red Cross (even if it may have a clear role to play in future cyber conflicts).  Rather, it’s to see the potential of using the movement’s evolution, its structure and its norms (e.g., neutrality, independence, and impartiality) to improve resilience and cyber security at a global level.  Here’s the opening salvo:

Here’s an understatement: 2014 was a bad year for cybersecurity. The Sony hack was the highest profile hack of the year, a cyber-attack against a German iron plant caused massive physical damage, and the Heartbleed vulnerability was considered “catastrophic” even among experts not known to be alarmist. In the meantime, large-scale data breaches hit household names such as Target, Home Depot and JP Morgan Chase, with new reports emerging almost weekly. In the history of cybersecurity, 2014 marks a new low. As 2015 gets underway, news of the insurance company Anthem being hacked suggests cybersecurity is unlikely to improve anytime soon. That’s why conversations in national capitals, boardrooms, international conferences and on-line discourse feature a growing call to action.

The time is ripe for a bolder approach to cybersecurity, one not beholden to the existing politics of Internet governance nor linked to particular governments or intergovernmental organizations. We believe cyberspace could use a global cyber federation, a federation of non-governmental institutions similar to the role that the Red Cross and Red Crescent movement and humanitarian assistance organizations more broadly have with respect to armed conflicts and natural disasters.

Obviously, there are lots of questions (and details) that require elaboration. For now, however, I’m going to push this idea and see whether it might get traction among those who would be in a position to actually participate in such a movement.  After all, if a few committed individuals like Henry Dunant could create the Red Cross, what’s to stop a similar idea from taking hold in cyberspace?