This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques that
demonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open up
in the ast-paced transormations o our technological world. Every new sotware program, social networking
site, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates an
opportunity or this ecosystem to morph, adapt, and exploit.

It has also emerged because o poor security practices o users, rom individuals to large organizations. We
take or granted that the inormation and communications revolution is a relatively new phenomenon, still
very much in the midst o unceasing epochal change. Public institutions have adopted these new technologies
aster than procedures and rules have been created to deal with the radical transparency and accompanying
vulnerabilities they introduce.

Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored across
cloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o
communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposure
and potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind the
bureaucrat’s careul watch, than they are on the PC today.

The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyber
espionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanning
satellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence in
this report o the involvement o the People’s Republic o China (PRC) or any other government in theS h a d o w
network. But an important question to be entertained is whether the PRC will take action to shut theS h a d o w
network down. Doing so will help to address long-standing concerns that malware ecosystems are actively
cultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploits
though the black and grey markets or inormation and data.

Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o
one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,
to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunity
structure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutual
restraint at a global level, a vacuum exists or subterranean exploits to ll.

There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvert
cyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,
or through gradual irrelevance as people disconnect out o ear o insecurity.

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o
inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in the
cyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activities
operate rom within their jurisdictions, and protects and preserves this valuable global commons.