GOVERNMENTS and the private sector don’t always see eye to eye when it comes to security issues. It would require those with jurisdiction in and around cyberspace to seek common definitions and goals to ensure that cyberspace is stable and safe for all.
However, common points of view between the government and private sector can be difficult to reach. Take, for example, violent extremism, where definitions of what quantifies as terrorism or a terrorist aren’t fixed.
While some online posts can be seen as incendiary, in other parts of the world these posts might be part of freedom of expression. Online platform operators might hesitate trying to regulate such content.
But what if the damage isn’t tangible? Or the perception of threat isn’t shared? Europe’s search for digital sovereignty is based on the fear that technological ownership is concentrated in the hands of a few, while the United States and China dominate the development of emerging technologies. This concentration impacts on the ability of individuals and nation-states to shape the rules that would protect Europe’s interests.
On the other hand, former US president Donald Trump’s executive order on foreign interference in telecommunications systems had the private sector weighing supply chain resilience against national security priorities.
Multinational companies, with supply chains spread across the globe, can be politically and strategically ambivalent. The duty of the private sector is to earn the
trust of end users by ensuring that data and security of systems are managed well. These priorities are balanced against bottom lines and other expenditures.
While some companies would link ethics, transparency and cybersecurity with branding exercises, not all digitising companies can afford to do so. Unless it can be shown that threats defined by governments exploit vulnerabilities in systems and will impact end users, the progress of cybersecurity culture and multi-stakeholder processes can be slow or stall altogether.
In such a scenario, it may be tempting for states to push back to regain control. Some would strengthen state control and introduce legislations to demarcate jurisdiction, such as China’s Great Firewall or Vietnam’s data localisation laws. Others would introduce regulations, such as the draft AI regulation proposed in the EU or its General Data Protection Regulation already in place. These emphasise hefty obligations on the private sector to ensure that common principles between governments and the private sector are upheld.
However, threats in cyberspace are multi-faceted and it takes a variety of actors to ensure cyber stability. Stability is the end goal where even in the midst of constant threats to systems, geopolitical tensions and complex impacts of technological diffusion, cyber is still a safe and available domain. This is a step further from the concept of cybersecurity being limited to the security of systems.
Galvanising a multi-stakeholder process to achieve this aim of a stable cyberspace would require greater exchange platforms. Policy labs or submitting suggestions through white papers would be the means to bridge the public-private divide. Policy labs can draw on the expertise of both governments and the private sector to construct useful policy suggestions with swift executions by different sectors.
A multi-stakeholder process to address cybercrime, for instance, could be beneficial for policy development. Innovative platforms such as policy labs would bring together the various government agencies and private sector to address future innovations in technology while building safeguards against future threats. Bringing the private sector on board could realise and enhance the National Cybercrime Enforcement Plan outlined in the National Cyber Security Strategy released last year.
Multi-stakeholder processes are not new to Malaysia. Our approach to the protection of critical infrastructure introduced mechanisms that nominate sector leads, who report to the National Cyber Security Agency (NACSA). This is further supported by a large-scale inter-sectoral and inter-agency simulation exercise held annually. The exercise and relations built since the National Cyber Security Policy was introduced in 2008 enhance trust and smoothen the collaborative mechanism.
However, uncoordinated multi-stakeholder approaches can create responsibility gaps. As certain responsibilities are not assigned, coordinated or discovered, both the private sector and the government assume that the other party is responsible, leaving end users vulnerable. Consistent engagement with a wide variety of stakeholders and constant assessments would be a pathway forward to discover gaps and assess performance.
As cyberspace grows with innovations and jurisdiction in the hands of the private sector, harmonised public-private practices are necessary to build and keep cyberspace stable. It is in Malaysia’s national interests to find a multi-stakeholder process that works to ensure a safer cyberspace for all.
This article was first published in the Malay Mail on 26 July 2021.