Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.

Global Commission's Final Report Launch at Paris Peace Forum

Presented at the Paris Peace Forum, GCSC report features a cyberstability framework and recommendations at a critical juncture in the future of cyberspace

The Global Commission on the Stability of Cyberspace (GCSC) issued today its final report Advancing Cyberstability, as part of a panel held at the 2019 Paris Peace Forum. Stef Blok, Minister of Foreign Affairs of the Netherlands, Jean-Yves Le Drian, Minister of Europe and Foreign Affairs of France, and David Koh, Chief Executive, Cyber Security Agency of Singapore, launched the report and placed the findings in the context of ongoing global efforts to enhance international security in cyberspace. Commission Co-Chairs, Michael Chertoff and Latha Reddy, along with former Chair Marina Kaljurand, presented recommendations and commented on the strategic approach and work of the GCSC.

This report represents the culmination of the Commission’s work over the last three years, offering a cyberstability framework, principles, norms of behavior, and recommendations for the international community and wider ecosystem.

“Earlier this year, 28 EU-member states backed a framework for sanctions targeting malicious cyber activities. Today, the GCSC consolidates a set of norms and principles for behavior of state and non-state actors. This is an important contribution to a digital space in which order and peace must prevail,” commented Stef Blok, Minister of Foreign Affairs of the Netherlands, a co-founder of the GCSC. “Since stability in cyberspace is directly linked with stability in the ‘real world,’ such a cyberstability framework is more crucial than ever. The next step in this multilateral process is to collect evidence and hold those who break the rules responsible. Together we must increase accountability and combine all pieces of the puzzle, between governments, tech and security firms, and civil society.”

The work of the Commission originated out of a desire to address rising social and political instability as a result of malicious actions in cyberspace. The situation has further deteriorated as evidenced by the rise in the number and sophistication of cyber attacks by state and non-state actors, which increasingly puts the considerable benefits of cyberspace at risk. In this increasingly volatile environment, there is an apparent lack of mutual understanding and awareness among communities working on issues related to international cybersecurity. With this report, the GCSC seeks to contribute to international efforts to address these challenges.

“Cyberstability and governance are inextricably and naturally linked,” added Michael Chertoff, GCSC Co-Chair. “As the digital age evolves so rapidly, governments and societies lack the desired level of exchange, let alone the decision-making processes needed to ensure the stability of cyberspace. The GCSC’s effort complements the work of other organizations, and will serve to influence how critical actors can engage with one another and collaborate towards a stable cyberspace.”  

Emphasizing a concerted, multistakeholder approach, the framework reflects technological, product and operational measures, as well as a focus on behavioral change required among all stakeholders.

“The publication of this final report is not the end, but rather the beginning of a new profound effort toward implementing the suggested principles, norms, and recommendations,” stated Latha Reddy, GCSC Co-Chair. “The onus is on all stakeholders—governments, industry, civil society—to collaborate, adopt and implement accepted practices to help strengthen cyberstability. The stakes are higher than ever, which dictates a response in kind.”

Following the release, the GCSC members will continue to advocate and engage with their respective communities. Input and feedback from these groups were reflective of interactions with both state and non-state experts and will form the basis of advocating for the report going forward.

For an overview, see the Fact Sheet and for a copy of the report, visit Advancing Cyberstability.

About the Commission

Launched at the 2017 Munich Security Conference, the mission of the Global Commission on the Stability of Cyberspace is to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. The Commission helps to promote mutual awareness and understanding among the various cyberspace communities working on issues related to international cybersecurity. For more information, please visit www.cyberstability.org.

For media inquiries contact: loukfaesen@hcss.nl or cjarzebowski@eastwest.ngo.

Cyber Insurance and Systemic Market Risk

The EastWest Institute (EWI) today released a new report: Cyber Insurance and Systemic Market Risk—developed to provide a framework to better understand and address the systemic nature of cyber risk and the challenges it presents to the burgeoning cyber insurance industry. The report features an overview of the current state of the cyber insurance market along with proposals to help the market mature in a healthy, stable manner while promoting increased cybersecurity. 

The report outlines a definition of systemic cyber risk and the mechanisms behind the probability of contagion, emphasizing the role of the insurance industry, risk management firms and governments to ensure sufficient insurance capacity in the event of a cataclysmic cyber incident that impacts markets and consumer confidence globally.

Four recommendations to enhance the ability of the cyber insurance market to support cyber resilience efforts, guard against systemic risk and mitigate losses include the following:

  • Enhance cyber insurance underwriting ability
  • Promote a strong and healthy market with positive impacts on society
  • Increase transparency and uniformity in underwriting language
  • Establish a government backstop to increase capacity to handle a major, multi-market loss

The report is a product of the EastWest Institute’s Global Cooperation in Cyberspace program, and was authored by Davis Hake, Andreas Kuehn, Abagail Lawson and Bruce McConnell, with expert input provided by Arceo.ai, Marsh & McLennan Companies and Microsoft.

Global Commission's Cyber Stability Hearings at the UN

The Global Commission on the Stability of Cyberspace (GCSC) conducted its fifth public hearings at the Palais Des Nations, United Nations Office in Geneva, on January 22, 2019. Hosted by the United Nations Institute for Disarmament Research (UNIDIR), the hearings featured discussions between members of the Global Commission, Geneva-based international organizations, government representatives, civil society and the private sector, and focused on how peace and security in cyberspace is influenced by international law, human rights, Internet governance, development, sustainable development goals and other issues.

“We greatly appreciate UNIDIR hosting the Commission and lending its expertise on the incredibly complicated topic of cyber stability,” said Marina Kaljurand, the GCSC’s Chair. “This meeting was emblematic of the multi-stakeholder nature of the issue and the range of actors required to address stability, security and continued confidence in the digital platforms on which we all depend.”

Renata Dwan, Director of UNIDIR said that “These Commission meetings were important because after being on the UN agenda for over two decades, we are now seeing an expansion on the discussion around what cyber stability means and for whom. A debate that began focused on State behavior, is now becoming a much wider discussion about the role of the private sector, of regions and of individuals—and how to develop space for rights, for equity, and for access that enhances development for all.”

A keynote address was delivered by Fabrizio Hochschild, United Nations Assistant Secretary-General for Strategic Coordination, and remarks were also provided by Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy, Federal Department of Foreign Affairs of Switzerland.

Over the course of the day, attendees participated in two hearings. The first focused on International Law, Peace and Security and Cyber Stability and featured the following speakers: Anja Kaspersen, Director, United Nations Office for Disarmament Affairs, Geneva Branch; Deborah Housen-Couriel, Senior Researcher, Interdisciplinary Cyber Research Center at Tel Aviv University; Helen Durham, Director of International Law and Policy, International Committee of the Red Cross.

The second hearing focused on the 2030 Agenda for Sustainable Development, human rights and Internet governance and included remarks by: Francesco Pisano, Director of the Library, United Nations Office at Geneva; Peggy Hicks, Director of the Thematic Engagement, Special Procedures and Right to Development Division, Office of the United Nations High Commissioner for Human Rights (OHCHR); and Elena Plexida, Senior Director Government and IGOs Engagement, ICANN.

In its closed session on January 23, the Commission continued discussions on the definition and principles for cyber stability, and recommendations for a future international peace and security framework for cyberspace. The input from the hearings informed the Commissioners’ discussions. A definition of cyber stability and recommendations for the international community going forward will be central elements in the GCSC’s report.

The GCSC would like to thank the organizations that have submitted feedback in response to the Request for Consultation on the Singapore Norm Package. The received comments were collected and presented to the Commission in Geneva and will be considered in the writing of the GCSC Report.

The Hague Centre for Strategic Studies, the EastWest Institute, the Chairs and Commissioners would like to thank UNIDIR for hosting the GCSC in Geneva, as well as the GCSC partners, the governments of the Netherlands, Singapore and France, Microsoft, ISOC, Afilias and the other funders for their support.

The GCSC will next convene in March 2019 in Japan on the margins of the ICANN64 meeting. In the run-up to this meeting, the GCSC continues to welcome input from other stakeholders on its work. Comments may be sent to info@cyberstabililty.org or cyber@hcss.nl.

Cyberspace Program 2018-2019 Action Agenda

The EastWest Institute's Global Cooperation in Cyberspace program has published its Action Agenda 2018-2019. The Action Agenda reviews the program’s successes during 2016-17 and presents a road map for our work in 2018-19.

During 2018-19, EWI’s cyberspace program will continue to focus on reducing the risk of miscalculation and escalation among major cyber powers, maintaining active engagement with government officials, companies and civil society in China, Europe, India, Russia and the U.S.

Building on important roundtable events such as the first-ever trilateral dialogue on cyberspace between China, India and the United States held in 2017 and the launch of its Encryption Report earlier this year, the program will advocate for policy changes in the private and public sectors. 

In 2018-19, the program will advance the work of its five breakthrough groups, including:

  • Ubiquitous Encryption and Lawful Government Access
  • Resilient Cities and the Internet of Things
  • Increasing the Global Availability and Secure Use of ICT Products and Services
  • Systemic Risk and Cyber Insurance
  • Promoting Norms of Responsible Behavior in Cyberspace

Also, EWI’s cyber program has added two new areas of focus to its agenda: Strategic Stability and Nuclear Risk in the Age of Machine Learning, and Balanced Approaches to Fighting Fake News and Terrorist Content. The former focuses on addressing how artificial intelligence might undermine stability through nuclear commands, while the latter will identify and publish practicable, actionable recommendations to combat fake news.

The EastWest Institute, along with The Hague Centre for Strategic Studies, will continue to serve as the secretariat of the Global Commission on the Stability of Cyberspace (GCSC). The Commission was launched in 2017 as an international, multi-stakeholder forum to evaluate and propose norms and policy initiatives for state and non-state behavior in cyberspace. It released its first proposed norm in November 2017.

McConnell Talks Cyber Strategies, Policy with Foreign Policy Magazine

Bruce McConnell joined a podcast hosted by Foreign Policy magazine on expanding global cybersecurity issues, particularly U.S. cyber policies under the Donald Trump administration.

The Editor's Roundtable podcast touched on a wide range of topics, including the Trump administration's decision to move forward with a proposal to separate U.S. Cyber Command from the National Security Agency and the possible consequences. McConnell, in essence, expressed satisfaction that this was finally making progress.

"Military and intelligence authorities are different, and it's important to keep that distinction. It's difficult enough already in cyberspace to figure out who's doing what and under what authority without compounding the problem by having an ambiguous governmental organization," he said. "I'm glad to finally see it come through."

The podcast also discussed the various aspects of cyber deterrence and cyber response to attacks in the future, using the controversial alleged Russian cyber interference in the U.S. presidential elections last year as a major case.

"Because of the way that cyber works, the barriers to entry are very low. The magnitude, because of the megaphone effect of cyber, is much bigger so it's changed the dynamic just like cyber crime. These are regular crimes which take place on the cyber domain, and it's now much easier for criminals, or in this case malicious actors of various sorts, to have an effect. We're not used to that. We don't know yet, as a policy, how to calibrate and filter," said McConnell.

Also joining the conversation were New America's Peter W. Singer and Foreign Policy's Sharon Weinberger and Elias Groll.

Transnational Security Governance and Cyberspace Security

Bruce McConnell, who oversees EWI's cyberspace initiative, will deliver his presentation at the 2017 Annual Security Review Conference on June 29 in Vienna. The three-day conference is organized by the Organization for Security and Co-operation in Europe (OSCE).

Four years ago, U.S. national security advisor Susan Rice observed that the world’s “most vexing security challenges are transnational security threats that transcend borders: climate change, piracy, infectious disease, transnational crime, cyber theft, and the modern-day slavery of human trafficking.” Today, one could add migration, violent extremism, the safety of fissile nuclear materials, and overall information security to that list.

These issues share at least two characteristics: First, they are accentuated in their severity by modern technology. The bad guys, both state and non-state actors, are well equipped with the latest computers, communications equipment, and weaponry, and their ability to use these tools is enhanced by their access to global networks. Second, no international regimes or institutions have these transborder issues well in hand. Rather, global bodies like the World Health Organization or the International Telecommunication Union are generally struggling to remain relevant. The post-war structures that have kept peace for 70 years face a crisis of legitimacy as rising powers that were not present at Bretton Woods scorn the old order and create their own institutions and power centers.

The Cyber Arms Race and Information Warfare

Today we are focusing on security and cyberspace. Cyber-enabled attacks in the lead-up to the U.S. Presidential election roiled relationships in Washington and globally. The term cyber-enabled emphasizes a new characteristic of cyberspace—it’s no longer its own thing. It’s part of everything. There is very little actual “cyber crime.” Instead, we see a plethora of ordinary crimes and attacks: theft, fraud, trespassing and destruction of property that use cyber means.

From a geopolitical standpoint, this cyber-enablement has produced a runaway cyber arms race, led by the United States, Russia, China, Iran, Israel, and some European countries, with many others, including North Korea, following close behind. Over thirty countries have formed cyber offense units. Non-state actors such as organized criminal gangs and the Islamic State are also players.

The U.S. Democratic National Committee hacks and related incidents consist of burglary and publication of the fruits on Wikileaks. From a legal standpoint, while it is against U.S. law to enter a computer without authorization, these incidents may fall more into the shadow zone of espionage. As for the publication, the U.S. Supreme Court has generally protected media publication of accurate, stolen materials of public interest obtained by a third party.

What’s new for Americans is the possibility that there is an “information war” between East and West. Indeed, some states do not use the term cybersecurity, preferring the broader term “information security.” The events around the U.S. election have evoked a global conversation around fake news, political trolling, social media bots, and the weaponization of intelligence.

On the other hand, we have recently seen additional evidence regarding Western cyber actions against North Korean missile systems and the CIA’s capabilities. Even assuming the most benign motivations by all parties, these continuing, ungoverned state-on-state skirmishes in cyberspace increasingly undermine terrestrial security and stability.

In contrast to cyberspace, other international domains are governed by norms of behavior and international law. In the airspace it is illegal to shoot down a commercial aircraft. But in cyberspace, the way in which international law applies is still being debated. In commercial aviation we have organizations like the private sector International Air Transport Association and the governmental International Commercial Aviation Organization that partner to maintain safety and security on a global basis. There are no comparable institutions for cyberspace.

Everyone in this room is painfully familiar with the provisions that keep that network secure: identity proofing of everyone who gets close to a passenger plane, licensing of pilots, filing of flight plans, certification of aircraft, etc. We have none of these things in cyberspace. Yet the financial value of the commercial transactions conducted over the Internet (and here I’m not even counting SWIFT and other special purpose networks) is actually 100 times greater on an annual basis than the value of goods transported in the air cargo system.

Progress is modest. A group of governmental cyber experts has worked at the United Nations for over 10 years to come up with an initial set of non-binding norms of behavior in cyberspace. These include:

  • Not allowing the use of information and communications technology, or ICT, to intentionally damage another country’s critical infrastructure.
  • Not allowing international cyber attacks to emanate from their territory.
  • Responding to requests for assistance from another country that has been attacked by computers in the first country.
  • Preventing the proliferation of malicious tools and techniques and the use of harmful hidden functions.
  • Encouraging responsible reporting of ICT vulnerabilities and sharing associated information.
  • Not harming the information systems of the authorized cybersecurity incident response teams.

In February 2017, the government of the Netherlands, with the support of Microsoft, the Internet Society, the EastWest Institute, and the Hague Centre for Strategic Studies, launched the Global Commission on the Stability of Cyberspace. The GCSC is chaired by Marina Kaljurand, former Estonian foreign minister, and co-chaired by Michael Chertoff, former U.S. Secretary of Homeland Security and Latha Reddy, India’s former deputy national security adviser. This multistakeholder commission will build on and extend existing efforts to develop and advocate for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.

On the private sector side, global ICT companies are beginning to step up to the responsibility that comes with their great power in cyberspace. For example, Microsoft recently issued a set of norms of industry behavior that global ICT companies should follow in their business practices. Examples of the kinds of norms that companies are considering include:

  • Creating more secure products and services.
  • Not enabling states to weaken the security of commercial, mass-market ICT products and services.
  • Practicing responsible vulnerability disclosure.
  • Collaborating to defend their customers against and recover from serious cyber attacks.
  • Issuing updates to protect their customers no matter where the customer is located.

Clearly, the industry is at an immature stage. Its rapid growth in importance has outstripped systems of governance, including the first line of defense—the market. As a general matter, until very recently customers demanded two things from the firms that supply ICTs—price and features. The market has responded, giving us all manner of convenience and efficiency, in business and in our private lives. Finally, however, buyers are starting to recognize the criticality of ICT to their daily activities, and thus they demand, and may be willing to pay for, security.

Yet there is a gap between what they need and what they are able to command. To address this gap, we recently published a “Buyers Guide for Secure ICT.” This guide recommends questions that buyers can ask ICT suppliers to help them evaluate the security of the products and services that these suppliers deliver. Despite best efforts, the reality of today’s dynamic technological environment—with product cycles of 18 months or less—continues to challenge policy development. Two developments are dramatically altering the security picture.

First, we are moving to the cloud. We store our information there on virtual machines operated by major providers like Amazon Web Services. While AWS and Microsoft’s Azure provide much stronger cybersecurity and resilience than any single enterprise can field, they also create systemic risk, with large potential consequences from technology failures or attacks. A second emerging source of risk is the Internet of Everything (IoE). In a few years there will be ten times as many devices—Fitbits, heart monitors, automobiles, thermostats, machine tools and floodgates—connected to the Internet as today’s smartphones and computers. These devices, when combined with 3-D printing, promise to disruptively transform manufacturing and transportation. They will also create a ubiquitous, global sensor network that will be communicating what is going on everywhere. And these sensors are shockingly insecure—built with easy-to-guess passwords, transmitting their data unencrypted, and being essentially un-patchable.

The conventional wisdom is that the IoE represents a massive increase in the attack surface. But at EWI, we are exploring two questions. First, why do we assume the bad guys will own the sensor network? Why not have the good guys own it and use the knowledge of what is happening on the Internet to increase security—for example, by isolating problems and fixing them before they can spread? Second, we ask, how will the IoE shift the balance between endpoint and network security, and what are the societal implications of that shift?

There is much to be done in cyberspace to make it, and the information we all rely on, trustworthy and secure. I will be happy to get into some of those issues during the discussion. The question becomes, what institutional constructs are needed to ensure that work gets done?

Sovereignty and its Alternatives

One of the existing constructs that no longer serves us in the networked age is sovereignty, at least as defined by the Treaty of Westphalia that ended the Thirty Years War, in 1648. We need new forms and combinations of local and global leadership and participation. Since Westphalia, sovereignty has been focused primarily on protecting territory from outside forces. Today, we stand in a time of transition, balancing this traditional emphasis with a newer one based on states’ responsibility to citizens for what happens within their borders.

It is not that borders do not exist, but borders matter differently than they have before. Take cyberspace, for example. It is impossible to define in what country the domain citibank.com actually resides, not to mention where the tens of thousands of cyber attacks each day on that domain come from. This ambiguity makes it difficult for individual states to enforce the law in cyberspace. We need networked responses to networked threats.

One example of the creation of a new form of governance relevant to cyberspace was last year’s transfer of Internet traffic routing management from U.S. control to an international, multi-party, multi-sector governance community. The result is a complex structure that only a geek could love. But, it is also a real-time experiment in so-called multi-stakeholder governance, and well worth watching. For the shorter term, however, as states turn inward and transnational challenges multiply, we face an urgent need for institutions that can act globally in an agile manner, or at least with more agility than governments. Currently, the only existing organizations that can approach that agility are large, global corporations. Admittedly, they are not ideal—they have conflicts of interest based on their focus on returning shareholder value. 

Of course, states have conflicts of interest as well when it comes to global issues, rooted as they are in territory. Nevertheless, companies, such as Coca-Cola, are increasingly investing in the future. Coca-Cola needs clean water resources in Africa—it will not be in business there in 20 years if there is not clean water. Microsoft practices and advocates for responsible behavior by large technology companies to reduce conflict and increase stability in cyberspace.

Power in the 21st Century

These challenges and responses relate directly to the nature of power in the 21st century. We are living in the networked age. The value of networks increases as more people become members. In my view, we are reaching a critical mass of interconnectedness in the developed world, and the rest of the world will be there in the next 10 years. But critical mass for what effects? Not even the most civic-minded would advocate for direct democracy by everyday citizens on the complex questions that face our planet and our societies. That is why we have professional politicians and expert agencies, at least on a good day. What we do need, however, are ways to help those officials get to more nuanced answers. This is already happening on the local level in Europe and the U.S. where experts brief randomly selected civic councils to help them come up with advice for elected officials on a broad range of issues, from refugee assimilation to sustainability planning.

For these kinds of conversations to happen globally, we need to harness the technology that is increasingly connecting us. How can corporations help? Could firms host objective global forums that deal with some of the issues that will affect their bottom line and the rest of us with them? Perhaps some of the lessons learned from the trend to open, collaborative innovation networks—as practiced by DuPont, BT and other firms—may apply here.

National Security and Global Security

While global security issues are becoming salient for the long-term, in the short-term, national security “stories” dominate national security policy. I use the term “stories” to distinguish rhetoric from actuality—both in terms of action and in terms of effectiveness. The increasing attractiveness to mainstream politicians and electorates of fear-based, nationalistic narratives does not always translate into action—and when it does, such actions do not always improve national security. For example, Xi Jinping’s government discriminates against U.S. technology companies in rhetoric, but the implementation is much more measured. And as far as the effects, banning world-class technology does little to improve global confidence in the Chinese banking sector.

The principal reason for this trend is that our planet is shrinking—people everywhere are feeling increasingly impinged by alien cultures, values and populations. Certainly, this is understandable in Europe given the weak economy and the rapid influx of hard-to-assimilate refugees. But even when there are not a lot of new people coming, digital information from around the world affronts and disrupts our attention. And so in democracies, many people find the echo chamber of like-minded voices or the seductive addiction to a constant feed of electronic news more comfortable. The networked age is not easy to live in. Meanwhile, dictators—like cult leaders—always shield their subjects, and themselves, from diverse viewpoints.

Nationalist isolationism does not do well against threats that cut across borders, like migration and terrorism. ISIS is a global threat network, as we have seen this year in Paris and London. Networked threats require networked responses. Until we get this right, humanity will continue to lose ground against the forces of atavism, cynicism and hopelessness. We cannot let this happen on our collective watch.

U.N. Internet Governance Forum: Assurance and Transparency in ICT Supply Chain Security Workshop

Overview

Ensuring security in global supply chains is critical to ensuring trust in ICT and the future of the digital society. Today’s ICT products and services are comprised of a multitude of software, hardware and service components, more often than not, produced, assembled or provisioned by a large number of ICT manufacturers, vendors and service providers around the globe. Interdependency of ICT vendors’ supply chains and complexity of products and services make the mitigation of third-party risk a daunting task. The growing number of cyber incidents targeting supply chains further exacerbates the situation.

While global ICT firms have invested heavily in mitigating third-party risk, governments in the Global South and emerging markets, as well as small and medium-sized businesses, often lack the capacity and resources to manage ICT supply chain risk effectively. In addressing supply chain-related security concerns, some governments have enacted strict measures, ranging from technical security reviews based on domestic standards to data localization requirements and foreign investment restrictions. Current geopolitical dynamics have also led to ill-guided attempts to exercise sovereign powers over global ICT supply chains and the Internet, which may further fragment cyberspace and lead to a technological and economic decoupling.

The workshop will shed light on current developments and discuss approaches to strengthen risk mitigation and trust in ICT supply chains by:

  • Assessing ICT supply chain risk and threat landscape
  • Building confidence in ICT supply chains through assurance and transparency measures
  • Closing the ICT supply chain security capacity and competence gap

Managing ICT supply chain security effectively requires close cooperation between government, corporate and civil society stakeholders to address their interests and concerns as buyers, users, service operators and manufacturers along these three dimensions at technical, operational and normative levels.

The workshop is organized by the EastWest Institute in cooperation with the Association des Utilisateurs des Systèmes d’Information au Maroc, the ICT Authority of Kenya and Kaspersky.

Speakers 

Dr. Philipp Amann
Head of Strategy, Europol EC3 European Cybercrime Centre

Dr. Amirudin Abdul Wahab
CEO, CyberSecurity Malaysia

Dr. Katherine Getao
CEO, ICT Authority Kenya

Anastasiya Kazakova
Public Affairs Manager, Kaspersky

Mohamed Saad
President, Association des Utilisateurs des Systèmes d’Information au Maroc (AUSIM)

Moderator 

Dr. Andreas Kuehn
Senior Program Associate, EastWest Institute

The Cybersecurity Cooperation Paradox - And How to Overcome It

Overview

Collaborative action is needed more than ever to address growing global cybersecurity challenges. Renewed interest in global ICT supply chain security and cyber resilience emphasizes the need for holistic approaches that address cybersecurity end-to-end, rather than settle for fragmented solutions. Despite numerous efforts at the international and national levels, current approaches remain largely disjointed.

On October 8, the EastWest Institute will host a virtual panel convening thought leaders from global organizations—including the Charter of Trust, the Global Commission on the Stability of Cyberspace, the Global Forum on Cyber Expertise, the Cybersecurity Tech Accord and the Linux Foundation’s DBoM Consortium—to spearhead signature efforts to develop these holistic approaches. Ranging from cyber norms and international cybersecurity capacity-building efforts to technical standards and best practices, these organizations are working to improve cybersecurity everywhere by reducing security disparities between regions and establishing common ground for a safe, secure and transparent cyberspace.

Using their current work as a point of departure, the discussants will identify gaps and critical action needed for future cybersecurity cooperation. The discussion will note how they collaborate with the wider cybersecurity ecosystem and discuss opportunities for effectively engaging and leveraging tech firms, government agencies, academic institutions and civil society organizations. 

Speakers 

Chris Blask
Global Director Industrial Security, Unisys

Kaja Ciglic
Senior Director, Digital Diplomacy, Microsoft

Amb. Nathalie Jaarsma
Ambassador-at-Large, Security Policy & Cyber, Ministry of Foreign Affairs of the Kingdom of the Netherlands  

Elina Noor
Director, Political-Security Affairs, Asia Society Policy Institute; former Commissioner of the Global Commission on the Stability of Cyberspace

Chris Painter
President, GFCE Foundation Board; former Coordinator for Cyber Issues for the U.S. State Department

Leo Simonovich
Vice President and Global Head, Industrial Cyber and Digital Security, Siemens

Moderator 

Bruce W. McConnell
President, EastWest Institute

Agreeing to Disagree: Advancing Expert Discussion with Russia on International Cyber Norms

The EastWest Institute (EWI) and the Russian Institute of International Information Security Issues at Moscow State University (MSU), partnering in the framework of the International Information Security Research Consortium (IISRC), have released a joint working group study on “Methodological issues of the application of norms, rules and principles of responsible behaviour of states to promote an open, secure, stable, accessible and peaceful ICT environment.” The new report is the result of multi-year efforts to promote Russia’s engagement with the West on the development of coherent international cyber norms. The idea of a joint U.S.-Russia project to explore methodological hurdles in reaching international consensus on cyber norms was first discussed by EWI and MSU leaders in late 2017.

The initiative was born when the United Nations Governmental Group of Experts (UN GGE) fundamentally disagreed on the applicability of international law to states' use of ICT, preventing the group from delivering its 2016/2017 consensus report (Report of the UN Secretary-General A/72/327). The Track-2 MSU-EWI project was supported by the IISRC at its meeting in April 2018 in Garmisch-Partenkirchen (Germany), by forming an international group of experts to discuss methodological differences in, and develop common approaches for, assessing the applicability of the UN GGE 2015 report recommendations. At that meeting, MSU and EWI representatives were joined by experts from the Cyber Policy Institute (Estonia and Finland), the ICT4Peace Foundation (Switzerland) and the Korea University Cyber Law Centre (Republic of Korea).

Understanding the issue’s complexity, participants of the IISRC working group decided to limit their effort to only three norms of the UN GGE 2015 report: paragraphs 13(g), 13(h) and 13(k). Respectively, these norms focus on the requirement for states to take measures to protect their critical infrastructures from ICT threats; the requirement to respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts; and the requirement not to conduct or knowingly support activity to harm the information systems of the authorized emergency response teams of another state, as well as discouraging a state from using authorized emergency response teams to engage in malicious international activity. Working group participants also deliberated general methodological issues of cyber norms implementation, including technical and legal aspects.

By 2020, the participants of this discussion concluded that they were not able to develop a consensus set of recommendations, even for the three selected topics, initially considered to be the easiest for international cooperation and voluntary, non-binding implementation. The disagreements between Russian and Western scholars in this area are concisely summarized in the joint comment by the experts of the Cyber Policy Institute, the ICT4Peace Foundation and the EastWest Institute, published as an integral part of the report (reproduced below). However, participants agreed to publish their findings and major points of agreement and disagreement, primarily as useful thought-provoking material for diplomats, lawyers and technical specialists involved in the current stage of UN-sponsored efforts within the GGE and the Open-Ended Working Group.

The need to continue dialogue and joint research among scholars and consultants of different schools of thought was also considered to be a priority to help Russia and the West overcome their political disagreements. This effort follows the EastWest Institute’s many years of building partnerships with various institutions in Russia, starting with the Institute of Information Security Issues (IISI) at the Lomonosov Moscow State University—a leading think tank in this area. See our select joint publications, below:

The EastWest Institute would like to express special acknowledgements to Professor Anatoly Streltsov and Dr. Eneken Tikk for their leadership in shaping the discussion, coordinating the activities of the Working Group and persistently navigating the text of the report to completion. We are also grateful to Dr. Vladislav Sherstyuk and Ambassador Andrey Krutskikh for their political support and help in enhancing outreach to the highest levels of the Russian and international diplomatic communities.

----------------------------------

Comment by experts from the Cyber Policy Institute and the ICT4Peace Foundation, supported by the experts of the EastWest Institute

It is not often that the Western scholars get to work with their Russian colleagues on issues of international information or cyber security. It is unfortunate as the lack of contacts makes it difficult to find ways forward in the climate of political differences and competing world views.

We have found our cooperation with the Russian colleagues extremely informative and useful as it has helped us understand the Russian positions and views on several contested issues. We entered this project at the invitation of the International Information Security Research Consortium, Moscow State University to better understand how our colleagues approach the issue of implementing the norms, rules and principles of responsible state behavior as outlined in the UN GGE report of 2015.

At the end of this project, we can conclude that there are not only political but also fundamental methodological differences in how the Western and Russian scholars approach non-binding norms and international law. These differences make it close to impossible for the Western colleagues to acknowledge and appreciate the proposals made by the Russian colleagues on how to implement the UN GGE recommendations and make them universally accepted. Whether there is agreement to be found on these differences or not, we consider it necessary to highlight these differences to facilitate finding consensus and ways forward in the international cybersecurity/information security discourse.

Experts in this very small group remained divided in three fundamental questions:

  1. The relevance of the existing international law and current state practices to provide guidance on state behavior. The Russian colleagues are much more pessimistic about the susceptibility of existing rules and standards of international law to be usefully applied to issues of cybersecurity without progressive development. Based on our experience and expertise, we consider it possible to apply the rules and standards of existing international law, such as the prohibition of intervention or the obligation of peaceful settlement of international disputes, to issues of international cybersecurity. It would, indeed, require dialogue between states as to how to best interpret and implement these rules and standards.
  2. The nature of the 2015 UN GGE report recommendations for norms, rules and principles for responsible state behavior. In the Russian conception, these norms, rules and principles will be implemented only after they acquire the legally binding status, either by state practice or treaty negotiation. From our perspective, the UN GGE recommendations can be implemented partially on the basis of existing international law and partially by way of national legislation and policy, which, as the Russian colleagues point out, constitutes the exercise of sovereignty.
  3. The relevance of the question of attribution in the three examined GGE recommendations. Differences on attribution are particular to strategic contestants and, between these States, have raised concerns of less than satisfactory implementation of international law. For most of the States, however, attribution remains a still to be developed capacity and capability. Therefore, it is early to conclude whether the issue of attribution is, indeed, an equally significant issue of international law for the international community, or will the improvements and increase in national resilience and capacity resolve this issue in practice.

These divisions are also some of the key issues in the political negotiations that have taken place globally and bilaterally. Therefore, we conclude that successful and global implementation of the recommended norms is unlikely before nations come to agreement of their relevant premises and assumptions.

Most importantly, given these foundational differences, expert exchange, joint academic research and political dialogue must continue. This interaction should also cross disciplinary borders and involve more scholars and experts. Remaining in our trenches will only keep the war of attrition going on.

Full text of the report can be found here
