Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.


U.N. Internet Governance Forum: Assurance and Transparency in ICT Supply Chain Security Workshop

Overview

Ensuring security in global supply chains is critical to ensuring trust in ICT and the future of the digital society. Today’s ICT products and services are made up of a multitude of software, hardware and service components, more often than not produced, assembled or provisioned by a large number of ICT manufacturers, vendors and service providers around the globe. The interdependency of ICT vendors’ supply chains and the complexity of products and services make the mitigation of third-party risk a daunting task. The growing number of cyber incidents targeting supply chains further exacerbates the situation.

While global ICT firms have invested heavily in mitigating third-party risk, governments in the Global South and emerging markets, as well as small and medium-sized businesses, often lack the capacity and resources to manage ICT supply chain risk effectively. In addressing supply chain-related security concerns, some governments have enacted strict measures, ranging from technical security reviews based on domestic standards to data localization requirements and foreign investment restrictions. Current geopolitical dynamics have also led to ill-guided attempts to exercise sovereign powers over global ICT supply chains and the Internet, which may further fragment cyberspace and lead to a technological and economic decoupling.

The workshop will shed light on current developments and discuss approaches to strengthen risk mitigation and trust in ICT supply chains by:

  • Assessing ICT supply chain risk and threat landscape
  • Building confidence in ICT supply chains through assurance and transparency measures
  • Closing the ICT supply chain security capacity and competence gap

Managing ICT supply chain security effectively requires close cooperation between government, corporate and civil society stakeholders to address their interests and concerns as buyers, users, service operators and manufacturers along these three dimensions at technical, operational and normative levels.

The workshop is organized by the EastWest Institute in cooperation with the Association des Utilisateurs des Systèmes d’Information au Maroc, the ICT Authority of Kenya and Kaspersky.

Speakers 

Dr. Philipp Amann
Head of Strategy, Europol EC3 European Cybercrime Centre

Dr. Amirudin Abdul Wahab
CEO, CyberSecurity Malaysia

Dr. Katherine Getao
CEO, ICT Authority Kenya

Anastasiya Kazakova
Public Affairs Manager, Kaspersky

Mohamed Saad
President, Association des Utilisateurs des Systèmes d’Information au Maroc (AUSIM)

Moderator 

Dr. Andreas Kuehn
Senior Program Associate, EastWest Institute

The Cybersecurity Cooperation Paradox - And How to Overcome It

Overview

Collaborative action is needed more than ever to address growing global cybersecurity challenges. Renewed interest in global ICT supply chain security and cyber resilience emphasizes the need for holistic approaches that address cybersecurity end-to-end, rather than settling for fragmented solutions. Despite numerous efforts at the international and national levels, current approaches remain largely disjointed.

On October 8, the EastWest Institute will host a virtual panel convening thought leaders from global organizations—including the Charter of Trust, the Global Commission on the Stability of Cyberspace, the Global Forum on Cyber Expertise, the Cybersecurity Tech Accord and the Linux Foundation’s DBoM Consortium—to spearhead signature efforts to develop these holistic approaches. Ranging from cyber norms and international cybersecurity capacity-building efforts to technical standards and best practices, these organizations are working to improve cybersecurity everywhere by reducing security disparities between regions and establishing common ground for a safe, secure and transparent cyberspace.

Using their current work as a point of departure, the discussants will identify gaps and critical action needed for future cybersecurity cooperation. The discussion will note how they collaborate with the wider cybersecurity ecosystem and discuss opportunities for effectively engaging and leveraging tech firms, government agencies, academic institutions and civil society organizations. 

Speakers 

Chris Blask
Global Director Industrial Security, Unisys

Kaja Ciglic
Senior Director, Digital Diplomacy, Microsoft

Amb. Nathalie Jaarsma
Ambassador-at-Large, Security Policy & Cyber, Ministry of Foreign Affairs of the Kingdom of the Netherlands  

Elina Noor
Director, Political-Security Affairs, Asia Society Policy Institute; former Commissioner of the Global Commission on the Stability of Cyberspace

Chris Painter
President, GFCE Foundation Board; former Coordinator for Cyber Issues for the U.S. State Department

Leo Simonovich
Vice President and Global Head, Industrial Cyber and Digital Security, Siemens

Moderator 

Bruce W. McConnell
President, EastWest Institute

Agreeing to Disagree: Advancing Expert Discussion with Russia on International Cyber Norms

The EastWest Institute (EWI) and the Russian Institute of International Information Security Issues at Moscow State University (MSU), partnering in the framework of the International Information Security Research Consortium (IISRC), have released a joint working group study on “Methodological issues of the application of norms, rules and principles of responsible behaviour of states to promote an open, secure, stable, accessible and peaceful ICT environment.” The new report is the result of multi-year efforts to promote Russia’s engagement with the West on the development of coherent international cyber norms. The idea of a joint U.S.-Russia project to explore methodological hurdles in reaching international consensus on cyber norms was first discussed by EWI and MSU leaders in late 2017.

The initiative was born when the United Nations Group of Governmental Experts (UN GGE) fundamentally disagreed on the applicability of international law to states' use of ICT, preventing the group from delivering its 2016/2017 consensus report (Report of the UN Secretary-General A/72/327). The Track-2 MSU-EWI project was supported by the IISRC at its meeting in April 2018 in Garmisch-Partenkirchen (Germany), which formed an international group of experts to discuss methodological differences in, and develop common approaches for, assessing the applicability of the UN GGE 2015 report recommendations. At that meeting, MSU and EWI representatives were joined by experts from the Cyber Policy Institute (Estonia and Finland), the ICT4Peace Foundation (Switzerland) and the Korea University Cyber Law Centre (Republic of Korea).

Understanding the issue’s complexity, participants of the IISRC working group decided to limit their effort to only three norms of the UN GGE 2015 report: paragraphs 13(g), 13(h) and 13(k). Respectively, these norms cover the requirement for states to take measures to protect their critical infrastructures from ICT threats; the requirement to respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts; and the requirement not to conduct or knowingly support activity to harm the information systems of the authorized emergency response teams of another state, as well as discouraging a state from using authorized emergency response teams to engage in malicious international activity. Working group participants also deliberated general methodological issues of cyber norms implementation, including technical and legal aspects.

By 2020, the participants of this discussion concluded that they were not able to develop a consensus set of recommendations, even for the three selected topics, initially considered to be the easiest for international cooperation and voluntary, non-binding implementation. The disagreements between Russian and Western scholars in this area are concisely summarized in the joint comment by the experts of the Cyber Policy Institute, the ICT4Peace Foundation and the EastWest Institute, published as an integral part of the report (reproduced below). However, participants agreed to publish their findings and major points of agreement and disagreement, primarily as useful thought-provoking material for diplomats, lawyers and technical specialists involved in the current stage of UN-sponsored efforts within the GGE and the Open-Ended Working Group.

The need to continue dialogue and joint research among scholars and consultants of different schools of thought was also considered to be a priority to help Russia and the West overcome their political disagreements. This effort follows the EastWest Institute’s many years of building partnerships with various institutions in Russia, starting with the Institute of Information Security Issues (IISI) at the Lomonosov Moscow State University—a leading think tank in this area. See our select joint publications, below:

The EastWest Institute would like to express special acknowledgements to Professor Anatoly Streltsov and Dr. Eneken Tikk for their leadership in shaping the discussion, coordinating the activities of the Working Group and persistently navigating the text of the report to completion. We are also grateful to Dr. Vladislav Sherstyuk and Ambassador Andrey Krutskikh for their political support and help in enhancing outreach to the highest levels of the Russian and international diplomatic communities.

----------------------------------

Comment by experts from the Cyber Policy Institute and the ICT4Peace Foundation, supported by the experts of the EastWest Institute

It is not often that the Western scholars get to work with their Russian colleagues on issues of international information or cyber security. It is unfortunate as the lack of contacts makes it difficult to find ways forward in the climate of political differences and competing world views.

We have found our cooperation with the Russian colleagues extremely informative and useful as it has helped us understand the Russian positions and views on several contested issues. We entered this project at the invitation of the International Information Security Research Consortium, Moscow State University to better understand how our colleagues approach the issue of implementing the norms, rules and principles of responsible state behavior as outlined in the UN GGE report of 2015.

At the end of this project, we can conclude that there are not only political but also fundamental methodological differences in how the Western and Russian scholars approach non-binding norms and international law. These differences make it close to impossible for the Western colleagues to acknowledge and appreciate the proposals made by the Russian colleagues on how to implement the UN GGE recommendations and make them universally accepted. Whether there is agreement to be found on these differences or not, we consider it necessary to highlight these differences to facilitate finding consensus and ways forward in the international cybersecurity/information security discourse.

Experts in this very small group remained divided in three fundamental questions:

  1. The relevance of the existing international law and current state practices to provide guidance on state behavior. The Russian colleagues are much more pessimistic about the susceptibility of existing rules and standards of international law to be usefully applied to issues of cybersecurity without progressive development. Based on our experience and expertise, we consider it possible to apply the rules and standards of existing international law, such as the prohibition of intervention or the obligation of peaceful settlement of international disputes, to issues of international cybersecurity. It would, indeed, require dialogue between states as to how to best interpret and implement these rules and standards.
  2. The nature of the 2015 UN GGE report recommendations for norms, rules and principles for responsible state behavior. In the Russian conception, these norms, rules and principles will be implemented only after they acquire the legally binding status, either by state practice or treaty negotiation. From our perspective, the UN GGE recommendations can be implemented partially on the basis of existing international law and partially by way of national legislation and policy, which, as the Russian colleagues point out, constitutes the exercise of sovereignty.
  3. The relevance of the question of attribution in the three examined GGE recommendations. Differences on attribution are particular to strategic contestants and, between these States, have raised concerns of less than satisfactory implementation of international law. For most of the States, however, attribution remains a still to be developed capacity and capability. Therefore, it is early to conclude whether the issue of attribution is, indeed, an equally significant issue of international law for the international community, or whether improvements and increases in national resilience and capacity will resolve this issue in practice.

These divisions are also some of the key issues in the political negotiations that have taken place globally and bilaterally. Therefore, we conclude that successful and global implementation of the recommended norms is unlikely before nations come to agreement on their relevant premises and assumptions.

Most importantly, given these foundational differences, expert exchange, joint academic research and political dialogue must continue. This interaction should also cross disciplinary borders and involve more scholars and experts. Remaining in our trenches will only keep the war of attrition going.

The full text of the report can be found here.

TechNationalism: Cybersecurity at the Intersection of Geopolitics

Security concerns have become a key driver behind government decisions to ban foreign technologies or vendors, impose severe and costly technical requirements, and limit foreign investments in sensitive technologies. Under the banner of TechNationalism, the security of information and communications technology (ICT) and global supply chains has become an issue of high politics among national policymakers. Reverberating from these geopolitical tensions, as well as technical security concerns, restrictive domestic policies have complicated global supply chains and intensified discussions about ICT trustworthiness and dependence on foreign suppliers. The COVID-19 pandemic has exacerbated governments' protectionist tendencies regarding supply chains, resulting in similar policy discussions in adjacent sectors such as the pharmaceutical industry.

Against the backdrop of several years of worsening U.S.-China relations, the discussion has centered mostly around 5G technologies sold globally by Huawei, a China-based telecom equipment manufacturer. Offering 5G technology at a fraction of the price of its few remaining competitors, Huawei has been accused of receiving extensive support from the Chinese government and allegedly benefiting from theft of technology from competitors.

The broader picture, however, is more complicated. In addition to 5G, technologies such as semiconductors, Internet-of-Things (IoT), cloud computing and artificial intelligence are key to a state’s economic well-being and military power. Globalization has created complex, global supply chains with components manufactured and assembled by hundreds of suppliers across continents and countries. Ensuring trustworthiness in this web of contractors and subcontractors has become a defining challenge in securing ICT—including software, hardware, components, devices, services and data—and its supply chains. 

The EastWest Institute’s report “Weathering TechNationalism: A Security and Trustworthiness Framework to Manage Cyber Supply Chain Risk” outlines a framework to address ICT trustworthiness while enabling trade, competition and innovation by using objective, risk-informed measures to address security concerns on three levels: individual buyers, the ICT industry and the wider ecosystem. Taking a risk mitigation approach, the framework serves as a basis for much-needed discussions to ease current tensions among major powers on emerging technology issues and to steer away from current policy developments that run the risk of fragmenting cyberspace and decoupling global ICT supply chains. Siloed ICT ecosystems would not only undermine trade and innovation, but likely have adverse effects on global security.

Following the report’s release in English and Chinese, the EastWest Institute organized two virtual roundtables in May and June with 50 experts, including current and former government officials, corporate executives, industry experts and academics from Canada, China, Germany, India, Japan, Malaysia, Turkey, the UK and the U.S., to discuss the current state of TechNationalism and a way forward. The paragraphs below summarize key arguments made by speakers and participants during the roundtable discussion. 

5G Drives TechNationalism

Rollouts of next-generation communications infrastructure—viewed by many as the most significant build-out of critical infrastructure since the Internet—is the main driver behind current policy controversies. While there is a shared emphasis on 5G security, the approaches that countries and operators have taken to mitigate threats from these emerging technologies vary in significant ways.

The U.S. government has extensively studied how an adversary might undermine U.S. national security by exploiting 5G technology and has thus decided to tie 5G security to trade to approach national security in a holistic manner. While the U.S. government in principle takes a risk-informed approach to manage 5G security, reservations remain regarding the verification and management of trust in complex, global supply chains. To address long-standing complaints regarding foreign companies’ unfair advantages, the U.S. will continue to use policy levers to manage foreign threats to support its interests and keep vendors that are deemed a threat from doing business in the United States and with U.S. entities. Similarly, India’s largest telecom network operates without Chinese equipment due to national security concerns.

Putting clear, risk-informed criteria front and center, Germany’s government is in the process of drafting the IT Security Act 2.0, legislation that will outline requirements for 5G technology deployments. Germany wants to avoid political discussions over banning vendors and focus on setting forth objective, transparent technical criteria with stipulations for vendor diversity in critical infrastructure sectors. Diversity of vendors is critical to maintaining market competition; a potential ban would have the opposite effect and increase the dependence on a small number of ICT suppliers. One participant noted that a leading Asian telecom carrier is successfully deploying a mix of equipment in their networks to maintain vendor diversity and address operational pressures created by geopolitical tensions over 5G.

Focusing on application, Malaysia’s government—in close cooperation with industry partners, local telcos, airports and hospitals—established a test-bed on the island of Langkawi to study the application and security of 5G technology. This effort is accompanied by a government working group preparing technical deployment guidelines and a government-run 5G security test lab with a revised 5G rollout set for 2022 to account for changes in the nation’s spectrum allocation. 

Markets Fail to Produce Security

The roundtable’s experts agreed that supply chain security and dependency on foreign suppliers are broader than 5G. States should not rely on a few suppliers for strategic ICT deployed as critical infrastructure, which the U.S. is forced to do after erroneously relying too much on global markets to produce secure ICT. To compensate for these shortcomings, like-minded states need to jointly draft technical standards and interoperable solutions, and U.S. industrial policy should ensure markets produce competitive solutions. Several experts noted the need for greater industry-level transparency to ensure ICT trustworthiness. Others pointed out that trust centers, as operated by Microsoft, Huawei and Kaspersky, can open corporate doors for buyers and independent evaluators to assess a vendor’s security practices and trustworthiness. 

While many experts welcomed the report’s practical framework and its overall recommendations, several noted the significant challenges and efforts in implementing the measures in the industry. One expert argued that current incentives are pulling the industry in the opposite direction of good security practices and hence, new incentive structures are needed for ICT firms to take security seriously. 

Countries Caught in the Middle

Several experts suggested that many countries, from Singapore to Canada to India, find themselves caught in the middle of U.S.-Chinese tensions over 5G. Making important investments in their country’s digital future is riddled with geopolitical obstacles and increasing pressures from great powers to pick sides or potentially face withdrawal of support or cooperation, such as the sharing of intelligence.   

Great powers should be careful with attempts to force smaller nations to choose, as they may be surprised by the outcome. While two Singaporean telecom consortiums recently decided not to use Huawei as their 5G network equipment supplier, it would be false to conclude that the Chinese ICT giant was given the boot. In fact, Huawei remains a key technology provider for Singapore’s Smart Nation initiative. With the exception of Vietnam, which has been working on an indigenous 5G solution, most ASEAN countries are caught in the middle and are trying to balance the geopolitical disparity. 

Misperception as a Major Barrier to Trust

Trust as a precondition to get security right was a recurring theme throughout the roundtables, and the topic was linked strongly to current misperceptions between China and the U.S. From the Chinese perspective, the ongoing controversy around Huawei is seen as unreasonable. In the West, Huawei, a privately-held international company that follows local laws, is vilified as a Chinese threat. Standards and operational procedures to ensure technical security in systems, as well as laws and norms to regulate the behavior of corporations and states, provide additional pillars for trust and security. Trust between countries and multinational tech firms must be strengthened, but perception is critical to assess risk accurately and take mitigation measures.

Agreement Among Fierce Competitors Will Clear Path for Trade and Security

The issues of trust and security are not new to international trade, but the implementation of TechNationalism measures is a concerning path as it accelerates these issues and hampers trade. While countries are trying to find multiple ways to maintain their sovereignty in the digital age, many have engaged in misguided efforts that have created significant trade barriers. From an international trade perspective, such barriers must be minimized so that companies can deploy their technologies of choice, while governments address legitimate national security concerns with targeted, narrow measures. The Digital Economy Partnership Agreement, signed by Singapore, New Zealand and Chile, is exemplary for addressing digital trade issues with a modular approach. Some participants noted the Chinese position that trade policies should be non-discriminatory and all products treated equally as long as companies abide by the local laws of the countries in which they are operating. Others countered that China’s long-standing trade policy restricts market access of U.S. tech companies in China. Despite the ongoing geopolitical tensions, there is still a path for competitors to reach balanced trade agreements, while also accounting for security.

Several participants noted that the current geopolitical tensions created by markets are worrisome, yet technology-driven controversies are not new, but rather reflect the strategic nature of ICT. Solving the challenges that arise from TechNationalism in a way that ensures ICT and supply chain security while allowing for innovation and trade will benefit the entire globe through shared technological innovation, global trade and better digital infrastructure upon which to build the new digital environment.

Dr. Saalman Presents at SIPRI-UNODA Webinar on Nuclear Disarmament

On August 27, EWI Senior Fellow Dr. Lora Saalman presented on the impact of emerging technologies on nuclear disarmament at a webinar on "The Tenth NPT Review Conference: Effective Measures for Nuclear Disarmament," hosted and organized by the Stockholm International Peace Research Institute (SIPRI) and the United Nations Office for Disarmament Affairs (UNODA).

Moderator and speakers included Ambassador Syed Mohamad Hasrin bin Tengku Hussin of Malaysia; Ms. Izumi Nakamitsu, UN Under-Secretary-General and High Representative for Disarmament Affairs; Mr. Dan Smith, Director, SIPRI; Ambassador Fu Cong, Director General of the Department of Arms Control and Disarmament, Ministry of Foreign Affairs of China; Ms. Ann-Sofie Nilsson, Ambassador for Disarmament and Non-Proliferation, Ministry of Foreign Affairs of Sweden; Ambassador Dian Triansyah Djani, Permanent Representative of Indonesia to the United Nations; and Ambassador Gustavo Zlauvinen, President-designate of the Tenth NPT Review Conference.

The UN video is available here.

The SIPRI link is available here.

Global Cyber Policy Dialogues: Southeast Asia

On August 6, the EastWest Institute and the S. Rajaratnam School of International Studies, in partnership with the Ministry of Foreign Affairs of the Netherlands and the Cyber Security Agency of Singapore jointly hosted Global Cyber Policy Dialogues: Southeast Asia.

This discussion-driven meeting included participants representing governments, businesses, civil society organizations and universities from across Southeast Asia. The meeting opened with presentations on emerging technologies, international norms processes and capacity building all in the context of Southeast Asia and with an eye towards the ongoing COVID-19 pandemic. A video of these presentations can be found here and a summary of the meeting can be found here.   

This meeting was the first event in the Global Dialogue project being undertaken by the EastWest Institute, which seeks to convene regional meetings to address capacity building around key cyber challenges. The initiative is intended to complement the two ongoing UN cyber norms processes: the Open-Ended Working Group (OEWG) and the Group of Governmental Experts (GGE). This first virtual meeting introduced the project to stakeholders in Southeast Asia, and served as preparation for a future in-person meeting in the region.

McConnell Comments on UK Decision to Ban Huawei

EWI Interim President Bruce McConnell shared his insights on the United Kingdom’s decision to ban purchases from Huawei in a recent article for Inside Cybersecurity.

“The UK decision, responding to market-closing actions by the U.S., ironically demonstrates the benefits of open markets,” said McConnell.

“Buyers concerned about security need markets to work so that vendors, no matter where they are located, can supply the best technology for the best price. The UK is concerned about Huawei's technology because of U.S. sanctions. But today's network traffic travels across global, multi-vendor equipment and networks. With few exceptions, restricting technology by country of origin is a poor substitute for ensuring resilience through good security practices. So the UK will pay more for its 5G network, without the assurance of better security.”

Click here to read the full article on Inside Cybersecurity (paywall).

Dr. Saalman Co-Authors SIPRI Report on AI and Nuclear Risk

EWI Senior Fellow Dr. Lora Saalman has co-authored a new SIPRI report on Artificial Intelligence, Strategic Stability and Nuclear Risk.

This report draws from primary source research and workshops in Europe, East Asia and South Asia to explore how AI integration by nuclear-armed states may impact strategic stability and nuclear risk at the regional and global level. 

Click here to read the full report.

Facing the Cyber Pandemic

BY: MICHAEL CHERTOFF, LATHA REDDY AND ALEXANDER KLIMBURG

The days when cyberspace could be regarded as a lawless wild west are long over. The Internet has become a critical part of our global infrastructure, and attacks against its core functions, especially in the context of the COVID-19 crisis, should be treated as the existential threats that they are.

WASHINGTON, DC/NEW DELHI – The COVID-19 pandemic has shown that the Internet is a critical – and uniquely global – part of our infrastructure. As challenging as the public-health lockdowns have been, their social and economic costs would be far greater in the absence of smoothly functioning digital networks.

Moreover, containing the pandemic itself will likely require better and more innovative uses of our collective data, all of which is generated online. Home offices, home schooling, and home life increasingly depend on our ability to use the Internet. Protecting cyberspace is therefore an increasingly urgent task, not least because it is facing a “pandemic” of its own.

Since early March, there has been an unprecedented global increase in malicious cyber activity. Phishing attacks seeking to steal money or secrets from home-office workers have more than doubled compared to last year, and in some places they are up sixfold. There have also been a number of attempted cyberattacks on critical infrastructure, including airports, power grids, ports, and water and sewage facilities. Even hospitals treating COVID-19 patients have been targeted, and the World Health Organization itself has reported a fivefold increase in attacks on its networks.

Click here to read the full article on Project Syndicate.
