top of page
Blog: Blog2

Cyber-Risk & Resilience in Financial Services Roundtable


Columbia Institute for Tele-information

Columbia University Business School

1:35pm-2:30pm June 28, 2019

The State of Cyber-Security and Resilience

Moderator: Professor Richard Berner, Executive-in-Residence and Adjunct Professor, Leonard Stern School of Business, New York University

Jason Healey, Senior Research Scholar, School for International and Public Affairs, Columbia University

David Balcar, Security Strategist / Cyber Profiler, Carbon Black

Rich Jacobs, Assistant Special Agent, FBI

Lesley Ritter, Associate Vice President, Moody's

● Dr. Edward M. Roche, Executive Director, Institute for Cyber Arms Control


Below: Panel Comments of Edward M. Roche

Title: Cyber Stability

A political science perspective.

There is an arms race.

Nations are developing both offensive and defense cyber weapons.

In the US, this work is done by the NSA’s Cyber Command.

Other countries have equivalent organizations.

Cyber has become part of warfare.

Cyber attacks damage infrastructure, including financial services.

Perhaps in the not too distant future, there will be a very major cyber war.

An Internet Melt-down –– a global cyber emergency.

Disruption of nations and their economies.

How can the international community handle such a catastrophic event?

Lets look back.

Role of the United Nations Security Council

The UN Security Council was set up to serve as a mechanism to prevent war.

But in 1946, when the UN Charter was drafted, there was no Internet.

The UN was designed to handle conventional warfare.

You know, bombs, guns, battleships, that kind of thing.

Some have argued cyber makes the UN obsolete.

Since cyber attacks are not “kinetic” in nature, there is no role for international peacekeeping.

That is not correct.

In order for the UN to act, it merely must determine under Article 39 of its Charter that there is a threat to international peace and security.

My analysis of Security Council resolutions since 1947 shows that that although at the beginning, it focused on conventional military conflict, over time it has considerably expanded the definition of a threat to international peace and security.

In the past two decades, it has applied Article 39 to situations as diverse as HIV/AIDS, sexual violence, economic underdevelopment, and even transnational crime.

What this means in practical terms is that should there be an international cyber emergency, there is absolutely no barrier to the Security Council being called into action.

But how would this work?

Figure 1 – The United Nations Security Council over time has broadened what it considers to be a "threat to international peace and security" under Article 39 of the Charter. (Source: Author analysis)

Article 41 of the UN Charter

Under Article 41, the Security Council can call on member States to interrupt or blockade the telecommunications of a country causing the disturbance.

In today’s terms this would mean putting a kill switch on the Internet.

In the offending nation, all of the social media, cloud services, email, and apps would go dark.

Yes, the Security Council could do that.

Would this have an effect? Yes, particularly in a cyber war.

But how would this really work?

After all, most cyber is run by private enterprise.

Could the NSA tell Facebook to cut off access in a country?

Could the U.S. government give commands to Google, or Apple, or Microsoft?


And if some genius proposed enabling legislation to compel US tech giants to comply with UN resolutions, well, the lobbyists in Congress would ensure it never comes to a vote.

So what is the solution?

Perhaps a voluntary code of conduct would be a starting point.

The Cyber Arms Race

But the bigger problem is the cyber arms race.

There is an urgent need for an international convention to control the proliferation of cyber weapons.

Cyber non-proliferation.

But cyber weapons are different.

They are invisible.

With nuclear weapons, there is a complicated fuel cycle for manufacturing.

But with malicious code circulated on the Dark Web, creating weapons is only cut and paste.

How can one define a cyber weapon?

Are all viruses weapons?

They may not be counted like bombs or rockets.

What does that mean? That no arms control treaty could have a quantitative element?

If you don’t count, then what exactly is going to be controlled?

Why would countries give up their cyber weapons? Or even admit they have them?

Is international law the answer?

Law is evolving at its typically glacial pace.

Informal norms may lead to binding norms, then to customary international law, then to treaties.

UN Norms for Cyber Stability

The UN General Assembly First Committee, which looks at disarmament, has been working on cyber norms.

For example, cyber attacks should not target Emergency Response Teams.

A nation should not allow its territory to be used as a base for cyber attacks.

Nations should cooperate in investigating the source of an attack.

Nations should guarantee the security of the ICT supply chain to prevent tampering with equipment.

Cyber weapons should never target medical facilities.

But to be honest, a close reading of these norms reveals loopholes.

For example, a norm may have a phrase such as “in accordance with legal obligations”.

Self-defense is a legal obligation, so there is a loophole for defensive cyber weapons.

But don’t be too cynical about it.

Right now, this is the best that we can do, folks.

Just remember one phrase: “Non-proliferation of cyber weapons”.

Everything else will follow.

3 views0 comments

Recent Posts

See All


bottom of page