Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.


Fighting Spam to Build Trust

“When Presidents Obama and Hu Jintao met last January, they called for the U.S. and China to cooperate on cybersecurity,” says EWI’s Chief Technology Officer Karl Rauscher. “In anticipation of this need, over a year ago we brought U.S. and Chinese experts together on this major cyberspace challenge.”

The results are strong joint recommendations for fighting spam – an underrated problem in cyberspace according to Rauscher, who led the bilateral process with Yonglin Zhou, Director of the Internet Society of China’s Network and Information Security Committee. Spam, which comprises as much as 90% of all email messages carried in networks, irritates end-users, clogs networks and carries the malicious codes used by hackers for fraud and other crimes.
 
To fight spam, the experts made two key recommendations: first, the creation of an international forum to deal with spam; second, that network operators, Internet service providers and email providers follow 46 mutually agreed-upon best practices. Those best practices include the creation of international protocols to weed out spam from legitimate messages; consumer education about botnets; and that ISPs in both countries use feedback loops to discourage spam.
 
“People from all nations have to fight spam. With international collaboration, we can dramatically increase the effectiveness of our efforts to stop spam, botnets and other cyber threats,” says Zhou.
 
Fighting Spam to Build Trust will be one of the topics at EWI’s Second Cybersecurity Summit, to be held on June 1-2 in London. The summit has attracted more than 400 participants, including top government, industry and technical experts from 43 countries. At the summit, breakthrough groups, one of which will be chaired by Jerry Upton of the Messaging Anti-Abuse Working Group (MAAWG), will discuss how to set up the forum and implement the best practices.
 
EWI’s China-U.S. team will continue its collaboration, going on to address a series of more difficult and complex cybersecurity challenges in the coming months.  
 
The team leaders see their work as more than a series of practical solutions to a pressing problem. According to Rauscher and Zhou, “In a time when most can only see a grim, downward spiral of recrimination when it comes to all things cyber, this report is the product of cooperation and offers some hope for an improved relationship between China and the U.S.”
 

 

Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations

On Wednesday April 27, the EastWest Institute and the Information Security Institute released the first joint Russian-American report to define critical terms for cyber and information security.

Prepared by a team of Russian and U.S. experts convened by EWI, Critical Terminology Foundations presents twenty terms – the basis for an international cyber taxonomy.

“It may seem like a small step, but Russians and Americans have never before sat down and really agreed on the terms that are the prerequisite for rules of the road for cyber conflict,” says EWI Chief Technology Officer Karl Rauscher who led the process with Valery Yaschenko, Director of the Information Security Institute at Moscow State University. “Defining terms together is the first step for creating international cybersecurity agreements.”

According to experts on the team, several bodies have sponsored efforts to create a U.S.-Russian cyber glossary for over a decade, but they stalled out on the definition of an essential first term: cybersecurity itself.  Unlike Americans, Russians saw cybersecurity as an inextricable part of a larger discussion on information security.  In the EWI-led process, the group resolved this difference by consciously addressing “cyber” as a crucial subset of “information.”

Conducting analysis of usage and needs, engaging in rigorous discussion and consulting existing lexicons, the group went on to define terms ranging from cyberspace to cyber exploitation, and then rendered each definition in English and Russian. The terms were presented in a three-component taxonomy structure that included the Theatre, the Modes of Aggravation and the Art. The next step, according to Rauscher, is to use the report to launch a multilateral discussion on the most critical terms for the development of international cybersecurity policy, which lags far behind rapidly moving technology.

Today, an advance edition of the report will be presented in Garmisch-Partenkirchen, Germany at the Fifth International Forum “Cooperation between Government, Civil Society and Business in the Field of Information Security and Combating Terrorism.”

Next, a multilateral working group on key terms will meet at EWI’s Second Worldwide Cybersecurity Summit, to be held in London June 1-2.  The summit will bring together over 400 business, government and technical experts from around the world to find new solutions for securing cyberspace.

“Skeptics on both sides said that securing definitional agreement between Russians and Americans was an impossible task,” says EWI President John Mroz. “Thanks to the efforts of this team, the table is set for the start of meaningful multilateral conversations that lay the groundwork for ‘rules of the road’ agreements.”


Protecting the Digital Economy

On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2.

At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure.

“We left the conference with a confirmed conviction that voluntary agreements, private sector leadership, and urgent attention define the avenue to positive change, but not cumbersome regulations,” said Karl Rauscher, EWI’s Chief Technology Officer.

As the report details, EWI’s cybersecurity agenda grew in part out of small, intensive working groups that met at the summit. Currently, EWI’s cybersecurity team is building private-public partnerships to protect the undersea fiber-optic cables that carry intercontinental financial internet traffic, developing policies to assure international priority communications, and facilitating bilateral processes to create “rules of the road” for cyber conflict, among other steps.

The summit drew participants including: Randall Stephenson, Chairman of the Board, Chief Executive Officer and President of AT&T; Byeong Gi Lee, President of the IEEE Communications Society; Jody Westby, CEO of Global Risk, LLC;  and Michael Dell, Chairman of the Board of Directors and Chief Executive Officer of Dell Communications, who spoke at the opening ceremony. The participant list reflected the rapid growth of EWI’s cybersecurity initiative which, a year after its founding, has already gained the support of 300 companies including AT&T, Microsoft, and Goldman Sachs.

“EWI is filling a necessary niche, providing leadership and bringing together resources and expertise from different sectors around the world,” said Terry Morgan, EWI Vice President. “Clearly, protecting the Internet is a job too big for one company or country alone.”

What’s next for EWI’s cybersecurity initiative? The Second Worldwide Cybersecurity Summit, to be held June 1-2, 2011, in London.


Related Pieces:

Click here to read Franz Gady's piece on the Huffington Post

Russia, the United States, and Cyber Diplomacy: Opening the Doors

The EastWest Institute released a report calling for Russia and the United States to work together to protect the world’s digital infrastructure, including joint participation in NATO-Russia cyber military exercises.

According to the report’s co-authors, EWI’s Franz-Stefan Gady and Greg Austin, this is just one step that the United States and Russia could undertake as part of a broader effort to secure cyberspace – a potentially groundbreaking collaboration between the two former rivals. Russia, The United States, and Cyber Diplomacy: Opening the Doors takes as its starting point the nations’ pledge to begin talks on promoting cybersecurity made in the United Nations last December – talks that have been slow in coming.

“It is important for both the United States and Russia to recognize that cybersecurity is a global problem, transcending national boundaries,” says Austin. He points out that cyber attacks can be launched from anywhere in the world, target dozens of nations and be impossible to attribute, which prevents individual states from tracking and prosecuting criminals. “Mutual exchanges of information like the cyber military exercises would help both nations better protect themselves against such threats.”

In their report, Gady and Austin recommend three other possible areas of collaboration, each to be jointly addressed in a specific international forum: (1) an agreement on Public Key Infrastructure -- the certificates and identification systems that protect private information on the Internet -- in the International Telecommunication Union; (2) an expanded Network of Contact for High Tech-Crime under the G8 and the creation of a 24/7 point of contact; (3) joint policy assessments of international cyber law in the OSCE.

Given the bilateral relationship’s long difficult history, is it realistic to think that Russia and the United States can cooperate effectively on cybersecurity? The authors believe it is, even to the extent of staging cyber military exercises. As Austin says, “The United States and Russia are facing a shared threat, a shared set of vulnerabilities from personal information and banking records to controls on nuclear power plants. To safeguard the world’s information infrastructure, the old policy paradigms will simply have to change.”

Download a summary of the report in Russian.

Rights and Responsibilities in Cyberspace: Balancing the Need for Security and Liberty

The EastWest Institute and the World Federation of Scientists released Rights and Responsibilities in Cyberspace: Balancing the Need for Security and Liberty, which offers three perspectives on the delicate balance between individual rights and the urgency of reaching agreements on new international cyber laws. The publication includes essays by top cybersecurity experts, calling for cooperative dialogue between governments and the private sector around the world to both ensure liberty and protect against the threats of cyber warfare and cyber war.

Jody Westby, CEO of Global Cyber Risk LLC., stresses the need for international rule of law. "Governments have an obligation to help protect the Internet and systems that support their economies, enrich the lives of their citizens and support government and military operations,” she writes. “They also have an obligation to assist in tracking and tracing cyber crime activities."

Given the capabilities and complexities of bot-nets and bot-herders, a central issue in the publication is how to trace the source of a cyber attack.
“In the netwar paradigm, any machine can be the controller,” says William Barletta, Director of the United States Particle Accelerator School, whose essay examines the 2007 cyber attack on Estonia. "Above all, they must coordinate across borders to clarify norms and expectations in cyberspace and eliminate the threat of a crippling cyber war."

Henning Wegener, a former Ambassador of Germany, agrees with the need for an international legal framework, but stresses the importance of safeguarding freedom of expression and access to information. He argues that cyber repression is a human rights issue. “Massive cyber repression can alter the collective state of mind of a nation,” he writes, referring to Internet censorship.  “A first step could be to reach in these bodies a broader international understanding of the development and technical underpinning of current Internet filtering, and to create an international monitoring mechanism.”

 

The Cybersecurity Agenda: Mobilizing for International Action

A report by EWI and the Data Security Council of India lays out several recommendations to begin building the legal, technical and administrative foundations for an international system to secure cyberspace.

Cyberspace comprises IT networks, computer resources, and all the fixed and mobile devices connected to the global Internet. A nation’s cyberspace is part of the global cyberspace; it cannot be isolated to define its boundaries since cyberspace is borderless. This is what makes cyberspace unique. Unlike the physical world that is limited by geographical boundaries in space—land, sea, river waters, and air—cyberspace can and is continuing to expand. Increased Internet penetration is leading to growth of cyberspace, since its size is proportional to the activities that are carried through it.

Cyberspace merges seamlessly with the physical world. So do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic control systems, producing effects that are similar to terrorist attacks in the physical space. They can also carry out identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities.

Anyone can exploit vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified. As the Internet and new technologies grow, so do their vulnerabilities. Knowledge about these vulnerabilities and how to exploit them is widely available on the Internet. During the development of the global digital Internet and communications technology (ICT) infrastructure, the key considerations were interoperability and efficiency, not security. The explosion of mobile devices continues to be based on these insecure systems of Internet protocols.

It is increasingly cheap to launch cyber attacks, but security systems are getting more and more expensive. This growing asymmetry is a game changer. It has another dimension, too—individuals, terrorists, criminal gangs, or smaller nations can take on much bigger powers in cyberspace, and through it, in the physical world, as well. The effects of attacks on critical infrastructure such as electricity and water supplies are similar to those that would be caused by weapons of mass destruction, without the need for any physical attacks.

Proving attribution in cyberspace is a great challenge. In most cases, it is extremely difficult to attribute cyber attacks to nation-states and to collect irrefutable evidence. The very nature of botnets and zombies makes it difficult to do so, leading to the conclusion that “the Internet is the perfect platform for plausible deniability.”

Nations are developing cyber attack capabilities with a view to dominating cyberspace. However, unilateral dominance in cyberspace is not achievable by any country. But uncontrolled growth of cyber attack capabilities—in effect, cyber attack proliferation—is an increasingly troubling phenomenon. Yet another disturbing reality is that cyber attacks can be launched ever more easily, and propagated faster using the same broadband that nations are building for global e-commerce. Finally, the consequences of a cyber attack are more likely to be indirect and more uncertain than most scenarios currently envision; we may not always recognize the damage inflicted by cyber attackers.

Cybersecurity is a global problem that has to be addressed globally by all governments jointly. No government can fight cybercrime or secure its cyberspace in isolation. Cybersecurity is not a technology problem that can be ‘solved’; it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and traditional diplomacy. Cyber attacks constitute an instrument of national policy at the nexus of technology, policy, law, ethics, and national security. Such attacks should spur debate and discussion, without any secrecy, both inside and outside governments at national and international levels. This is all the more so because of the growing number of significant actors not tied to, or even loosely affiliated with, nation-states. Over the last few months, events in cyberspace such as the GhostNet attacks on governments and large multinational corporations, whether to steal intellectual property or attack free speech, bear this out. They are not restricted by geographical borders or national laws.

There is an added dimension to this problem: the infrastructures are owned and operated by the private sector, and cyberspace passes through various legal jurisdictions all over the world. Each government has to engage in supporting its private sector for cybersecurity through effective public-private partnership (PPP) models, with clearly-defined roles for government and industry. Because cyberspace is relatively new, legal concepts for ‘standards of care’ do not exist. Should governments create incentives to generate collective action? For example, they could reduce liability in exchange for improved security, or introduce tax incentives, new regulatory requirements, and compliance mechanisms. Nations have to take appropriate steps in their respective jurisdictions to create necessary laws, promote the implementation of reasonable security practices, incident management, and information sharing mechanisms, and continuously educate both corporate and home users about cybersecurity.

International cooperation is essential to securing cyberspace. When it comes to tracking cyber criminals, it is not only the laws dealing with cyber crimes that must exist in various countries, but the collection of appropriate cyber forensics data in various jurisdictions and their presentation in courts of law, which are essential to bring criminals to justice in sovereign countries. The term “cybersecurity” depends upon international cooperation at the following levels:

  • National nodal centers on information infrastructure, based on public-private partnerships, to cooperate;
  • Global service providers such as Google, Microsoft, Twitter, Yahoo, and Facebook to cooperate with law enforcement agencies in all countries and respond to their requests for investigations;
  • Computer Emergency Response Teams (CERTs) to exchange threats and vulnerabilities data in an open way to build an early-watch-and-warning system;
  • Incident management and sharing of information with a view to building an international incident response system;
  • Critical-infrastructure protection: Establishment of an international clearing house for critical-infrastructure protection to share threats, vulnerabilities, and attack vectors;
  • Sharing and deployment of best practices for cybersecurity;
  • Creation of continued awareness on cyber threats, and international coordination as part of early-watch-and-warning system;
  • Acceptable legal norms for dealing with cyber crimes regarding territorial jurisdiction, sovereign responsibility, and use of force to reconcile differing national laws concerning the investigation and prosecution of cyber crimes, data preservation, protection, and privacy. Address the problem of existing cyber laws that do not carry enforcement provisions;
  • Incident response and transnational cooperation, including establishment of appropriate mechanisms for cooperation. Such measures must include provisions to respond to and counter cyber terrorism, including acts of sabotage of critical infrastructure and cyber espionage through information warfare;
  • Law enforcement agencies to investigate cases, collect forensic evidence at the behest of other countries, and prosecute cyber criminals to bring them to justice.

It is time for the international community to start debates and discussions to encourage nations to create domestic public-private partnerships for cybersecurity, to establish laws for cyber crimes, and, more importantly, to take steps for international cooperation to secure cyberspace.

 

Global Cyber Deterrence

This publication offers perspectives from China, the U.S., Russia, India and Norway on the prevention of cyber crime, cyber terror and other cyber threats. These issues will be the focus of attention of EWI's first Worldwide Cybersecurity Summit in Dallas from May 3 to 5.

Foreword

Cybersecurity looms as the 21st century’s most vexing security challenge. The global digital economy hinges on a fragile system of undersea cables and private-sector-led partnerships, while the most sophisticated military command and control systems can be interfered with by non-state as well as state actors. Technology continues to race ahead of the ability of policy and legal communities to keep up. Yet international cooperation remains stubbornly difficult, both among governments as well as between them and the private sector—the natural leaders in everything cyber. In 2007, the International Telecommunication Union (ITU) set up a High-Level Experts Group to try to address the problem but progress is slow. The European Union and Asia-Pacific Economic Cooperation (APEC) are working at the regional level. But it has only been in the past six months that public consciousness has started to grasp the scope and significance of the cybersecurity challenge. Pushed by a spate of revelations about cyber attacks worldwide, the media and key elites now seem to get it: cybersecurity is a fundamental problem that must be addressed across traditional boundaries and borders by the private and public sectors in new and cooperative ways.

Three years ago, the EastWest Institute used its Strategic Dialogue team from the United States led by General (ret.) James Jones and EWI President John Edwin Mroz to challenge senior Chinese and Russian leaders to begin the process of promoting international cooperation to meet cybersecurity challenges. The responses have been favorable and practical in both cases. Since then, we have engaged not just the Chinese and the Russians but also a broader array of “Cyber40” countries—the members of the G20 plus other countries who are key players in the cyber arena—to tackle together issues of cybersecurity. There was an immediate recognition of the lack of awareness of what is involved in protecting cyberspace. This quickly moved to a push for practical solutions that transcend national borders.

In early 2009, these cybersecurity efforts came together in the form of EWI’s Worldwide Cybersecurity Initiative. Its purpose is to work across borders to catalyze more rapid and effective responses to cybersecurity challenges identified by industry, governments and international organizations as well as civil society. There’s growing recognition—and mounting concern—about the vulnerabilities of today’s digital infrastructure, whether it’s international financial systems or critical government services. There are also growing dangers posed by criminal and terrorist groups, and the very real risks of cyber warfare, including attacks on states by non-state actors. As a result, top industry and government officials agree on the urgent need for bold new measures to ensure the secure functioning of the cyber dimension that underpins all of our lives in this century.

For this policy paper, EWI asked top cyber experts in five countries—China, the U.S., Russia, India, and Norway—to present their vision of what is needed to build an effective system of cyber deterrence. It is a first step in the process of building trust on tackling cybersecurity challenges—listening, understanding and probing the views, interests and concerns of key players in the global system. The EastWest Institute is not endorsing any of these proposals or taking a position on them. We strongly believe that it is vital for everyone involved in the cybersecurity debate to understand the differing perceptions, concerns and suggested solutions that are emanating from different parts of the globe. This is also a vital first step in the effort to find common ground for joint actions that are so desperately needed.

These essays will help stimulate discussions at EWI’s First Worldwide Cybersecurity Summit in Dallas from May 3 to 5, 2010, which will convene hundreds of international business leaders, technical experts, policy elites and national security officials. Building on earlier EWI consultations, most recently at the Worldwide Security Conference in Brussels in February 2010, we will seek to identify common problems and suggest breakthroughs and new agreements in critical sectors. We cannot allow the technological advances to continue outpacing common sense cybersecurity measures. It is time for the world to confront the challenges of our digital age. Comments and alternative views are warmly welcomed by the EWI cybersecurity team.

 
