Despite evident challenges, the BRICS block also offers opportunities to its member countries. Cybercrime: no difference between developed and developing worlds
There is not a single day that goes by without reports of serious cyber-attacks on the most developed countries. The latest cybersecurity breaches include thousands of classified files containing personal and sensitive information on the US citizens that have been exposed presumably for most of the year due to a security lapse.
In one of the largest data breaches in history, a misconfigured spambot computer program publicly leaked more than 700 million email addresses and passwords in Australia. Equifax, a consumer credit reporting agency in the United States was recently hit hard by cyber-attacks that exposed estimated 143 million personal data of people in the US, UK and Canada. Although not biggest in numbers, this attack is considered the worst ever as it can put half of the US population at risk of fraud for an indefinite period. And the list goes on.
A number of reports in the last two years revealed that the BRICS economies (Brazil, Russia, India, China and South Africa) were found to be amongst the largest victims of cybercrime. For example, China, Russia and Brazil are among the top countries prone to malware infection. India and Brazil are countries which users are most attacked by ransomware. South Africa is listed as one of the ten globally most vulnerable countries to cyber-attacks. Data breaches cost South African companies on average R1 632 per lost or stolen record.
No wonder that the recent BRICS summit, held in Xiamen, China, could not avoid this hot topic. One of the main themes of the Summit was global security, including cybersecurity. The leaders of the block countries called for coordinated actions in these areas, driven by the requirements and priorities, which were previously discussed at the 3rd BRICS Communications Ministers Meeting, held in July this year in Hangzhou, China. The ministers discussed digital transformation and have reached a wide consensus on issues such as technology innovation, IT infrastructure building, connectivity and cybersecurity. Importantly, the Summit was to establish a coordinated arrangement to reinforce these priorities.
The question, however, is how this cooperation can be achieved having in mind that BRICS unites countries that are different in many respects.
Germane BRICS facts
The bloc has never been and will not, in the nearest future, become an integrative group similar to the European Union, NAFTA (North American Free Trade Agreement) or the Eurasian Economic Union. There are still too many contradictions between the BRICS countries.
For example, with regards to the vision of the future world, Russia and China oppose the reforms of the UN and the UN Security Council in particular, while India, Brazil and South Africa support the idea. Moscow and Beijing oppose the US unilateral control over the global financial-political system, while the rest of the BRICS member states are (arguably) satisfied with the US dominance.
Furthermore, all the member states are geographically dispersed all over the world and the scale of their economic cooperation is currently not high. While China and Russia are continually and significantly increasing economic cooperation, economic ties between Russia, Brazil and South Africa are developing slowly.
It is also important to note that there are serious bilateral conflicts between some member states. For example, India and China are balancing on the verge of war over the disputed territories in the Himalayas and are in a serious competition over the influence in the South-East Asia. Before the Summit, the Chinese state news agency Xinhua reported that the upcoming summit was very important because it was set to resolve differences between BRICS nations and also to extend cooperation beyond economic issues to include other areas.
However, despite all the complications, it seems that the BRICS bloc remains an alternative approach to influencing and managing global processes. This optimism is based on the fact that the bloc unites the most powerful developing countries. Besides, the block countries are fully sovereign states resolute to maintain this sovereignty and have no desire to undermine the authority of other countries. It is not possible for a country within the block to impose its programme on the others.
Brief genesis of BRICS cybersecurity agenda
The BRICS countries have, in recent years, actively contributed to the cyberspace agenda at bilateral, regional and multilateral forums. These countries have engaged in the development of norms in cyberspace in bodies such as the UN Group of Governmental Experts (UN GGE).
The beginning of BRICS countries’ engagement with questions of information security at the UN can be traced to Russia’s draft resolution on “Developments in the field of information and telecommunications in the context of international security” in 2001.Later, the same year, Russia proposed the establishment of a GGE on information security in a report to the UN Secretary-General. The group was tasked to review potential and existing threats to information security, examine possible ways of cooperation between the UN member states, and perform a study of international information security issues.
At the first GGE convened in 2004, Russia, China and Brazil had called for state sovereignty over information security. The US had opposed such calls for state control of information, considering the move to be political, culturally and socially disruptive. Fast forward, the GGE 2009 report endorsed dialogues on norms for States’ use of ICT to reduce risk and protect critical infrastructure. It also recommended risk reduction methods, including the use of ICT during the conflict. It is at this time that other countries (notably, China) became increasingly aligned with Russia, under the Shanghai Co-operation Association. This led to the discussion on information security becoming increasingly polarised, with the US on one side and Russia and China on the other. The tension was created and is still lasting.
Diverse cybersecurity agendas
BRICS countries were not united in supporting Russia and China in the row with the US. China and Russia sought to define information security as the absence of threats to a state’s sovereignty caused by the distribution of information. India, Brazil and South Africa, however, defined information security as preserving an individual’s freedom of expression.
In September 2011, India, Brazil and South Africa called for the creation of a new global body within the UN system that would develop and establish international public policies for the Internet. The countries put emphasis on the Internet governance as a key strategic point and called for the cooperation in this area. They also recommended the establishment of an Internet Governance and Development Observatory for these three countries but the proposal was not accepted.
In parallel, China and Russia had introduced the document titled ‘International Code of Conduct for Information Security’, which proposed that the UN Secretary-General should regulate cyber norms and governance. The proposal underlined China’s broader strategy of increasing its participation in creating the Internet policies. Some countries, led by the US, believed that the Code raised important concerns regarding the human rights. Hence, the efforts to generate a consensus were undermined. Negotiating the issue is currently underway.
After Edward Snowden exposed the US National Security Agency (NSA) surveillance activities, in October 2013, India and Brazil expressed concerns over the surveillance programme of the US’ National Security Agency. The two countries were concerned over the NSA unauthorised interception of communications and data from citizens, businesses and governments, which could compromise both national sovereignty and individual rights. In November 2015, these two countries issued a statement highlighting the importance of strengthening joint efforts on combating cybercrime. This included improving bilateral cooperation in the fields of technology, law enforcement, research and development as well as cybersecurity capacity building.
The list of differences, however, does not stop here.
BRICS countries understood that having formal cybersecurity strategies will help in achieving national and international goals in combating cybercrime. Hence, Russia pioneered cybersecurity strategy in 2000, followed by South Africa in 2011 and India in 2013. Brazil publicised its cybersecurity strategy in 2015 while China released its first cybersecurity strategy in December 2016.
Although all these cybersecurity strategies have common elements such as multi-stakeholder engagement through private-public partnerships, creating cybersecurity culture, public awareness and capacity building, the BRICS countries view intentional cooperation through different lenses. India, for example, puts emphasis on information sharing, South Africa on bilateral and international opportunities while Russia accentuates stopping illegal activities.
On the practical side, national Computer Emergency Response Teams (CERTs) are very important for effective actions in combating cyber threats. China, Brazil, India and Russia have CERTs responsible for monitoring and analysis of cyber threats (e.g. type and origin) and issuing timely warnings.
Currently, South Africa does not have CERT but has the National Cybersecurity Hub that should serve needs of South African government, industry and civil society. However, South Africa is a member of a regional CERT, which is located in Ghana and includes 11 countries that form AfricaCERT. It is, though, not clear how much South Africa benefits from this membership.
The commitments at the BRICS Summit include creating a safer world by organised and coordinated action on at least three issues: counter-terrorism, cybersecurity and disaster management. In that regard, the BRICS countries advocated the creation of an effective mechanism and close cooperation for fighting against the threats of cybercrime and terrorism. This includes cooperation in the areas such as sharing of information and best practices relating to cybersecurity and effective coordination against cybercrime. The development of international norms, principles and standards also tops the bloc’s cybersecurity agenda that can be advocated through organisations such as the UN or the International Telecommunication Union.
The signing of these high-level agreements allows the relevant agencies of BRICS countries to launch a direct dialogue regarding the main cooperation aspects of maintaining international cybersecurity. In other words, this will allow BRICS countries to conduct practical cooperation on a range of issues such as the establishment of nodal points in member-states for the intra-BRICS cooperation by using the national Computer Security Incident Response Teams. This suggests the creation of a joint system for responding to cybersecurity threats, investigating cases of the use of ICT for terrorist and other criminal purposes.
The opportunities for joint BRICS cybersecurity research and development projects can potentially result in the innovative protection of promising technologies such as the Internet of Things, Cloud Computing, Big Data, Artificial Intelligence and ICT infrastructure. On the ground, this requires encouraging identification and facilitation of partnership between institutes, organisations and enterprises by leveraging complementary strengths. The implementation of proof of concepts and pilot projects must also be part of this cooperation.
Practical cooperation will, however, largely depend on an effective collaboration in the capacity building. This is of particular importance having in mind a global shortage of cybersecurity skills. Transfer of professional skills from other BRICS countries will hugely benefit South African cybersecurity agenda. This is particularly true having in mind that Russia and China top the global cybersecurity expertise list.
It is also important to note that executing the BRICS cybersecurity agenda will require a considerable investment in the ICT hardware, software, skills and projects. However, it is uncertain if South Africa would be able to execute this agenda without borrowing or persuading investors to support it.
The New Development Bank (formerly BRICS Development Bank) might be the right door to knock for support. This Bank, which has been set up with an initial capital of USD 100 billion, recently announced that it had allocated a 1, 5 billion US dollars for developing projects in next 18 months.
The list of opportunities presented here is not exhausted. However, it is still to be seen if BRICS can boost cybersecurity of its member countries.
Dr Zoran Mitrovic is Director of Research & Advisory at the Mitrovic Development and Research Institute, consultant and senior academic.