Cyberspace Cooperation

The Global Commission on the Stability of Cyberspace (GCSC) issued today its final report Advancing Cyberstability, as part of a panel held at the 2019 Paris Peace Forum. Stef Blok, Minister of Foreign Affairs of the Netherlands, Jean-Yves Le Drian, Minister of Europe and Foreign Affairs of France, and David Koh, Chief Executive, Cyber Security Agency of Singapore, launched the report and placed the findings in the context of ongoing global efforts to enhance international security in cyberspace. Commission Co-Chairs, Michael Chertoff and Latha Reddy, along with former Chair Marina Kaljurand, presented recommendations and commented on the strategic approach and work of the GCSC.

This report represents the culmination of the Commission’s work over the last three years, offering a cyberstability framework, principles, norms of behavior, and recommendations for the international community and wider ecosystem.

“Earlier this year, 28 EU-member states backed a framework for sanctions targeting malicious cyber activities. Today, the GCSC consolidates a set of norms and principles for behavior of state and non-state actors. This is an important contribution to a digital space in which order and peace must prevail,” commented Stef Blok, Minister of Foreign Affairs of the Netherlands, a co-founder of the GCSC. “Since stability in cyberspace is directly linked with stability in the ‘real world,’ such a cyberstability framework is more crucial than ever. The next step in this multilateral process is to collect evidence and hold those who break the rules responsible. Together we must increase accountability and combine all pieces of the puzzle, between governments, tech and security firms, and civil society.”

The work of the Commission originated out of a desire to address rising social and political instability as a result of malicious actions in cyberspace. The situation has further deteriorated as evidenced by the rise in the number and sophistication of cyber attacks by state and non-state actors, which increasingly puts the considerable benefits of cyberspace at risk. In this increasingly volatile environment, there is an apparent lack of mutual understanding and awareness among communities working on issues related to international cybersecurity. With this report, the GCSC seeks to contribute to international efforts to address these challenges.

“Cyberstability and governance are inextricably and naturally linked,” added Michael Chertoff, GCSC Co-Chair. “As the digital age evolves so rapidly, governments and societies lack the desired level of exchange, let alone the decision-making processes needed to ensure the stability of cyberspace. The GCSC’s effort complements the work of other organizations, and will serve to influence how critical actors can engage with one another and collaborate towards a stable cyberspace.”  

Emphasizing a concerted, multistakeholder approach, the framework reflects technological, product and operational measures, as well as a focus on behavioral change required among all stakeholders.

“The publication of this final report is not the end, but rather the beginning of a new profound effort toward implementing the suggested principles, norms, and recommendations,” stated Latha Reddy, GCSC Co-Chair. “The onus is on all stakeholders—governments, industry, civil society—to collaborate, adopt and implement accepted practices to help strengthen cyberstability. The stakes are higher than ever, which dictates a response in kind.”

Following the release, the GCSC members will continue to advocate and engage with their respective communities. Input and feedback from these groups were reflective of interactions with both state and non-state experts and will form the basis of advocating for the report going forward.

For an overview, see the Fact Sheet and for a copy of the report, visit Advancing Cyberstability.

About the Commission

Launched at the 2017 Munich Security Conference, the mission of the Global Commission on the Stability of Cyberspace is to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. The Commission helps to promote mutual awareness and understanding among the various cyberspace communities working on issues related to international cybersecurity. For more information, please visit www.cyberstability.org.

For media inquiries contact: loukfaesen@hcss.nl or cjarzebowski@eastwest.ngo.

The EastWest Institute (EWI) today released a new report: Cyber Insurance and Systemic Market Risk—developed to provide a framework to better understand and address the systemic nature of cyber risk and the challenges it presents to the burgeoning cyber insurance industry. The report features an overview of the current state of the cyber insurance market along with proposals to help the market mature in a healthy, stable manner while promoting increased cybersecurity. 

The report outlines a definition of systemic cyber risk and the mechanisms behind the probability of contagion, emphasizing the role of the insurance industry, risk management firms and governments to ensure sufficient insurance capacity in the event of a cataclysmic cyber incident that impacts markets and consumer confidence globally.

Four recommendations to enhance the ability of the cyber insurance market to support cyber resilience efforts, guard against systemic risk and mitigate losses include the following:

• Enhance cyber insurance underwriting ability
• Promote a strong and healthy market with positive impacts on society
• Increase transparency and uniformity in underwriting language
• Establish a government backstop to increase capacity to handle a major, multi-market loss

The report is a product of the EastWest Institute’s Global Cooperation in Cyberspace program, and was authored by Davis Hake, Andreas Kuehn, Abagail Lawson and Bruce McConnell, with expert input provided by Arceo.ai, Marsh & McLennan Companies and Microsoft.

The Global Commission on the Stability of Cyberspace (GCSC) conducted its fifth public hearings at the Palais Des Nations, United Nations Office in Geneva, on January 22, 2019. Hosted by the United Nations Institute for Disarmament Research (UNIDIR), the hearings featured discussions between members of the Global Commission, Geneva-based international organizations, government representatives, civil society and the private sector, and focused on how peace and security in cyberspace is influenced by international law, human rights, Internet governance, development, sustainable development goals and other issues.

“We greatly appreciate UNIDIR hosting the Commission and lending its expertise on the incredibly complicated topic of cyber stability,” said Marina Kaljurand, the GCSC’s Chair. “This meeting was emblematic of the multi-stakeholder nature of the issue and the range of actors required to address stability, security and continued confidence in the digital platforms on which we all depend.”

Renata Dwan, Director of UNIDIR said that “These Commission meetings were important because after being on the UN agenda for over two decades, we are now seeing an expansion on the discussion around what cyber stability means and for whom. A debate that began focused on State behavior, is now becoming a much wider discussion about the role of the private sector, of regions and of individuals—and how to develop space for rights, for equity, and for access that enhances development for all.”

A keynote address was delivered by Fabrizio Hochschild, United Nations Assistant Secretary-General for Strategic Coordination, and remarks were also provided by Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy, Federal Department of Foreign Affairs of Switzerland.

Over the course of the day, attendees participated in two hearings. The first focused on International Law, Peace and Security and Cyber Stability and featured the following speakers: Anja Kaspersen, Director, United Nations Office for Disarmament Affairs, Geneva Branch; Deborah Housen-Couriel, Senior Researcher, Interdisciplinary Cyber Research Center at Tel Aviv University; Helen Durham, Director of International Law and Policy, International Committee of the Red Cross.

The second hearing focused on the 2030 Agenda for Sustainable Development, human rights and Internet governance and included remarks by: Francesco Pisano, Director of the Library, United Nations Office at Geneva; Peggy Hicks, Director of the Thematic Engagement, Special Procedures and Right to Development Division, Office of the United Nations High Commissioner for Human Rights (OHCHR); and Elena Plexida, Senior Director Government and IGOs Engagement, ICANN.

In its closed session on January 23, the Commission continued discussions on the definition and principles for cyber stability, and recommendations for a future international peace and security framework for cyberspace. The input from the hearings informed the Commissioners’ discussions. A definition of cyber stability and recommendations for the international community going forward will be central elements in the GCSC’s report.

The GCSC would like to thank the organizations that have submitted feedback in response to the Request for Consultation on the Singapore Norm Package. The received comments were collected and presented to the Commission in Geneva and will be considered in the writing of the GCSC Report.

The Hague Centre for Strategic Studies, the EastWest Institute, the Chairs and Commissioners would like to thank UNIDIR for hosting the GCSC in Geneva, as well as the GCSC partners, the governments of the Netherlands, Singapore and France, Microsoft, ISOC, Afilias and the other funders for their support.

The GCSC will next convene in March 2019 in Japan on the margins of the ICANN64 meeting. In the run-up to this meeting, the GCSC continues to welcome input from other stakeholders on its work. Comments may be sent to info@cyberstabililty.org or cyber@hcss.nl.

Click here to learn more.

The EastWest Institute's Global Cooperation in Cyberspace program has published its Action Agenda 2018-2019. The Action Agenda reviews the program’s successes during 2016-17 and presents a road map for our work in 2018-19.

During 2018-19, EWI’s cyberspace program will continue to focus on reducing the risk of miscalculation and escalation among major cyber powers, maintaining active engagement with government officials, companies and civil society in China, Europe, India, Russia and the U.S.

Building on important roundtable events such as the first-ever trilateral dialogue on cyberspace between China, India and the United States held in 2017 and the launch of its Encryption Report earlier this year, the program will advocate for policy changes in the private and public sectors. 

In 2018-19, the program will advance the work of its five breakthrough groups, including:

• Ubiquitous Encryption and Lawful Government Access
• Resilient Cities and the Internet of Things
• Increasing the Global Availability and Secure Use of ICT Products and Services
• Systemic Risk and Cyber Insurance
• Promoting Norms of Responsible Behavior in Cyberspace

Also, EWI’s cyber program has added two new areas of focus to its agenda: Strategic Stability and Nuclear Risk in the Age of Machine Learning, and Balanced Approaches to Fighting Fake News and Terrorist Content. The former focuses on addressing how artificial intelligence might undermine stability through nuclear commands, while the latter will identify and publish practicable, actionable recommendations to combat fake news.

The EastWest Institute, along with The Hague Centre for Strategic Studies, will continue to serve as the secretariat of the Global Commission on the Stability of Cyberspace (GCSC). The Commission was launched in 2017 as an international, multi-stakeholder forum to evaluate and propose norms and policy initiatives for state and non-state behavior in cyberspace. It released its first proposed norm in November 2017.

Bruce McConnell joined a podcast hosted by the Foreign Policy magazine on expanding global cybersecurity issues, particularly U.S. cyber policies under the Donald Trump administration.

The Editor's Roundtable podcast touched on a wide range of topics, including the Trump administration's decision to move forward with a proposal to separate U.S. Cyber Command from the National Security Agency and the possible consequences. McConnell, in essence, expressed content that this was finally making progress.

"Military and intelligence authorities are different, and it's important to keep that distinction. It's difficult enough already in cyberspace to figure out who's doing what and under what authority without compounding the problem by having an ambiguous governmental organization," he said. "I'm glad to finally see it come through."

The podcast also discussed the various aspects of cyber deterrence and cyber response to attacks in the future, using the controversial alleged Russian cyber interference in the U.S. presidential elections last year as a major case.

"Because of the way that cyber works, the barriers to entry are very low. The magnitude, because of the megaphone effect of cyber, is much bigger so it's changed the dynamic just like cyber crime. These are regular crimes which take place on the cyber domain, and it's now much easier for criminals, or in this case malicious actors of various sorts, to have an effect. We're not used to that. We don't know yet, as a policy, how to calibrate and filter," said McConnell.

Also joining the conversation were New America's Peter W. Singer and Foreign Policy's Sharon Weinberger and Elias Groll. To access in full, click here.

Four years ago, U.S. national security advisor Susan Rice observed that the world’s “most vexing security challenges are transnational security threats that transcend borders: climate change, piracy, infectious disease, transnational crime, cyber theft, and the modern-day slavery of human trafficking.” Today, one could add migration, violent extremism, the safety of fissile nuclear materials, and overall information security to that list.

These issues share at least two characteristics: First they are accentuated in their severity by modern technology. The bad guys, both state and non-state actors, are well equipped with the latest computers, communications equipment, and weaponry, and their ability to use these tools is enhanced by their access to global networks. Second, no international regimes or institutions have these transborder issues well in hand. Rather, global bodies like the World Health Organization or the International Telecommunication Union are generally struggling to remain relevant. The post-war structures that have kept peace for 70 years face a crisis of legitimacy as rising powers that were not present at Bretton Woods scorn the old order and create their own institutions and power centers.

The Cyber Arms Race and Information Warfare

Today we are focusing on security and cyberspace. Cyber-enabled attacks in the lead-up to the U.S. Presidential election roiled relationships in Washington and globally. The term cyber-enabled emphasizes a new characteristic of cyberspace—it’s no longer its own thing. It’s part of everything. There is very little actual “cyber crime.” Instead, we see a plethora of ordinary crimes and attacks: theft, fraud, trespassing and destruction of property that use cyber means.

From a geopolitical standpoint, this cyber-enablement has produced a runaway cyber arms race, led by the United States, Russia, China, Iran, Israel, and some European countries, with many others, including North Korea, following close behind. Over thirty countries have formed cyber offense units. Non-state actors such as organized criminal gangs and the Islamic State are also players.

The U.S. Democratic National Committee hacks and related incidents consist of burglary and publication of the fruits on Wikileaks. From a legal standpoint, while it is against U.S. law to enter a computer without authorization, these incidents may fall more into the shadow zone of espionage. As for the publication, the U.S. Supreme Court has generally protected media publication of accurate, stolen materials of public interest obtained by a third party.

What’s new for Americans is the possibility that there is an “information war” between East and West. Indeed, some states do not use the term cybersecurity, preferring the broader term “information security." The events around the U.S. election have evoked a global conversation around fake news, political trolling, social media bots, and the weaponization of intelligence.

On the other hand, we have recently seen additional evidence regarding Western cyber actions against North Korean missile systems and the CIA’s capabilities. Even assuming the most benign motivations by all parties, these continuing, ungoverned state-on-state skirmishes in cyberspace increasingly undermine terrestrial security and stability.

In contrast to cyberspace, other international domains are governed by norms of behavior and international law. In the airspace it is illegal to shoot down a commercial aircraft. But in cyberspace, the way in which international law applies is still being debated. In commercial aviation we have organizations like the private sector International Air Transport Association and the governmental International Commercial Aviation Organization that partner to maintain safety and security on a global basis. There are no comparable institutions for cyberspace.

Everyone in this room is painfully familiar with the provisions that keep that network secure: identity proofing of everyone who gets close to a passenger plane, licensing of pilots, filing of flight plans, certification of aircraft, etc. We have none of these things in cyberspace. Yet the financial value of the commercial transactions conducted over the Internet (and here I’m not even counting SWIFT and other special purpose networks) is actually 100 times greater on an annual basis than the value of goods transported in the air cargo system.

Progress is modest. A group of governmental cyber experts has worked at the United Nations for over 10 years to come up with an initial set of non-binding norms of behavior in cyberspace. These include:
• Not allowing the use of information and communications technology, or ICT, to intentionally damage another country’s critical infrastructure.
• Not allowing international cyber attacks to emanate from their territory.
• Responding to requests for assistance from another country that has been attacked by computers in the first country.
• Preventing the proliferation of malicious tools and techniques and the use of harmful hidden functions.
• Encouraging responsible reporting of ICT vulnerabilities and sharing associated information.
• Not harming the information systems of the authorized cybersecurity incident response teams.

In February 2017, the government of the Netherlands, with the support of Microsoft, the Internet Society, the EastWest Institute, and the Hague Centre for Strategic Studies, launched the Global Commission on the Stability of Cyberspace. The GCSC is chaired by Marina Kaljurand, former Estonian foreign minister, and co-chaired by Michael Chertoff, former U.S. Secretary of Homeland Security and Latha Reddy, India’s former deputy national security adviser. This multistakeholder commission will build on and extend existing efforts to develop and advocate for norms and polices to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.

On the private sector side, global ICT companies are beginning to step up to the responsibility that comes with their great power in cyberspace. For example, Microsoft recently issued a set of norms of industry behavior that global ICT companies should follow in their business practices. Examples of the kinds of norms that companies are considering include:
• Creating more secure products and services.
• Not enabling states to weaken the security of commercial, mass-market ICT products and services.
• Practicing responsible vulnerability disclosure.
• Collaborating to defend their customers against and recover from serious cyber attacks.
• Issuing updates to protect their customers no matter where the customer is located.

Clearly, the industry is at an immature stage. Its rapid growth in importance has outstripped systems of governance, including the first line of defense—the market. As a general matter, until very recently customers demanded two things from the firms that supply ICTs—price and features. The market has responded, giving us all manner of convenience and efficiency, in business and in our private lives. Finally, however, buyers are starting to recognize the criticality of ICT to their daily activities, and thus they demand, and may be willing to pay for, security.

Yet there is a gap between what they need and what they are able to command. To address this gap, we recently published a “Buyers Guide for Secure ICT.” This guide recommends questions that buyers can ask ICT suppliers to help them evaluate the security of the products and services that these suppliers deliver. Despite best efforts, the reality of today’s dynamic technological environment—with product cycles of 18 months or less—continues to challenge policy development. Two developments are dramatically altering the security picture.

First, we are moving to the cloud. We store our information there on virtual machines operated by major providers like Amazon Web Services. While AWS and Microsoft’s Azure provide much stronger cybersecurity and resilience than any single enterprise can field, they also create systemic risk, with large potential consequences from technology failures or attacks. A second emerging source of risk is the Internet of Everything (IoE). In a few years there will be ten times as many devices—Fitbits, heart monitors, automobiles, thermostats, machine tools and floodgates—connected to the Internet than today’s smartphones and computers. These devices, when combined with 3-D printing, promise to disruptively transform manufacturing and transportation. They will also create a ubiquitous, global sensor network that will be communicating what is going on everywhere. And these sensors are shockingly insecure—built with easy to guess passwords, transmitting their data unencrypted, and being essentially un-patchable.

The conventional wisdom is that the IoE represents a massive increase in the attack surface. But at EWI, we are exploring two questions. First, why do we assume the bad guys will own the sensor network? Why not have the good guys own it and use the knowledge of what is happening on the Internet to increase security—for example, by isolating problems and fixing them before they can spread? Second, we ask, how will the IoE shift the balance between endpoint and network security, and what are the societal implications of that shift?

There is much to be done in cyberspace to make it, and the information we all rely on, trustworthy and secure. I will be happy to get into some of those issues during the discussion. The question becomes, what institutional constructs are needed to ensure that work gets done?

Sovereignty and its Alternatives

One of the existing constructs that no longer serves us in the networked age is sovereignty, at least as defined by the Treaty of Westphalia that ended the Thirty Years War, in 1648. We need new forms and combinations of local and global leadership and participation. Since Westphalia, sovereignty has been focused primarily on protecting territory from outside forces. Today, we stand in a time of transition, balancing this traditional emphasis with a newer one based on states’ responsibility to citizens for what happens within their borders.

It is not that borders do not exist, but borders matter differently than they have before. Take cyberspace, for example. It is impossible to define in what country the domain citibank.com actually resides, not to mention where the tens of thousands of cyber attacks each day on that domain come from. This ambiguity makes it difficult for individual states to enforce the law in cyberspace. We need networked responses to networked threats.

One example of the creation of a new form of governance relevant to cyberspace was last year’s transfer of Internet traffic routing management from U.S. control to an international, multi-party, multi-sector governance community. The result is a complex structure that only a geek could love. But, it is also a real-time experiment in so-called multi-stakeholder governance, and well worth watching. For the shorter term, however, as states turn inward and transnational challenges multiply, we face an urgent need for institutions that can act globally in an agile manner, or at least with more agility than governments. Currently, the only existing organizations that can approach that agility are large, global corporations. Admittedly, they are not ideal—they have conflicts of interest based on their focus on returning shareholder value. 

Of course, states have conflicts of interest as well when it comes to global issues, rooted as they are in territory. Nevertheless, companies, such as Coca-Cola, are increasingly investing in the future. Coca Cola needs clean water resources in Africa—it will not be in business there in 20 years if there is not clean water. Microsoft practices and advocates for responsible behavior by large technology companies to reduce conflict and increase stability in cyberspace.

Power in the 21st Century

These challenges and responses relate directly to the nature of power in the 21st century. We are living in the networked age. The value of networks increases as more people become members. In my view, we are reaching a critical mass of interconnectedness in the developed world, and the rest of the world will be there in the next 10 years. But critical mass for what effects? Not even the most civic-minded would advocate for direct democracy by everyday citizens on the complex questions that face our planet and our societies. That is why we have professional politicians and expert agencies, at least on a good day. What we do need, however, are ways to help those officials get to more nuanced answers. This is already happening on the local level in Europe and the U.S. where experts brief randomly selected civic councils to help them come up with advice for elected officials on a broad range of issues, from refugee assimilation to sustainability planning.

For these kinds of conversations to happen globally, we need to harness the technology that is increasingly connecting us. How can corporations help? Could firms host objective global forums that deal with some of the issues that will affect their bottom line and the rest of us with them? Perhaps some of the lessons learned from the trend to open, collaborative innovation networks—as practiced by DuPont, BT and other firms—may apply here.

National Security and Global Security

While global security issues are becoming salient for the long-term, in the short-term, national security “stories” dominate national security policy. I use the term “stories” to distinguish rhetoric from actuality—both in terms of action and in terms of effectiveness. The increasing attractiveness to mainstream politicians and electorates of fear-based, nationalistic narratives does not always translate into action—and when it does, such actions do not always improve national security. For example, Xi Jinping’s government discriminates against U.S. technology companies in rhetoric, but the implementation is much more measured. And as far as the effects, banning world-class technology does little to improve global confidence in the Chinese banking sector.

The principal reason for this trend is that our planet is shrinking—people everywhere are feeling increasingly impinged by alien cultures, values and populations. Certainly, this is understandable in Europe given the weak economy and the rapid influx of hard-to assimilate refugees. But even when there are not a lot of new people coming, digital information from around the world affronts and disrupts our attention. And so in democracies, many people find the echo chamber of like-minded voices or the seductive addition to a constant feed of electronic news more comfortable. The networked age is not easy to live in. Meanwhile, dictators—like cult leaders—always shield their subjects, and themselves, from diverse viewpoints.

Nationalist isolationism does not do well against threats that cut across borders, like migration and terrorism. ISIS is a global threat network, as we have seen this year in Paris and London. Networked threats require networked responses. Until we get this right, humanity will continue to lose ground against the forces of atavism, cynicism and hopelessness. We cannot let this happen on our collective watch.

Photo credit: "Data Security Breach" (CC BY 2.0) by Visual Content