Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.

Congress Can Help Prevent Election Hacking

Michael Chertoff, a member of the EastWest Institute's Board of Directors, writes in the Wall Street Journal that protecting America's voting systems should be an easy bipartisan win.

American voters received yet another rude awakening last month. Chicago’s Board of Elections reported that names, addresses, birth dates and other sensitive information about the city’s 1.8 million registered voters had been exposed on an Amazon cloud server for an unknown period. Worse, it appears hackers might have gained access to employees’ personal accounts at Election Systems & Software, a major election technology vendor—info that could be used to hack a future U.S. election.

Earlier, the Department of Homeland Security reported that foreign agents targeted voting systems in 21 states in the 2016 election, and Bloomberg News reported that hackers had successfully compromised various election-technology companies.

In an age of unprecedented cyber risks, these dangers aren’t surprising. But lawmakers and election officials’ lackadaisical response is both staggering and distressing.

American elections are an increasingly easy target because our election technologies are antiquated, and we have few federal-level cybersecurity standards. An estimated 43 states rely on electronic voting or tabulation systems that are at least 10 years old. A survey of 274 election administrators in 28 states found most said their systems need upgrades.

Read the full commentary on the Wall Street Journal here.

The Outcome of the 2016/2017 UN GGE on Information Security: The End of an Era?

BY ELAINE KORZAK, Ph.D, LL.M. 

At the end of June, the 2016/2017 Group of Governmental Experts on Information Security (GGE), convened under the auspices of the United Nations, concluded its last round of deliberations. As has been widely reported, the Group appears to have failed to arrive at a consensus outcome report. This marks a potentially sharp departure from the work of three prior GGEs that had established and carried forward an international conversation on cybersecurity since 2010, particularly on norms and confidence-building measures in cyberspace. The format of GGEs had turned into the main international vehicle for discussions on rules of behavior for states in cyberspace. With the apparent failure of the 2016/2017 GGE one is left wondering whether and how this crucial conversation is going to continue.

What happened?

The 2016/2017 Group was tasked by the UN General Assembly with the study of “existing and potential threats in the sphere of information security” and measures to address them, including “norms, rules and principles of responsible behavior of States, confidence-building measures and capacity-building”. Over the course of one year, experts from 25 countries met under the chairmanship of the German representative.

More importantly, the Group was also to study “how international law applies to the use of information and communications technologies by States”. It appears that exactly this issue - international law and its application - comprised the critical sticking point in the Group’s deliberations. An unusually explicit statement issued by the American representative Michele Markoff indicates as much. Markoff submits that “the reluctance of a few participants to seriously engage on the mandate on international legal issues” has ultimately prevented the conclusion of a consensus report. The United States expected “clear and direct statements on how certain international law applies to States’ use of ICTs”, including international humanitarian law, the right to self-defense, as well as international law of state responsibility and countermeasures.      

Other countries, however, balked at the inclusion of such provisions. The Cuban representative argued that they would lead to a militarization of cyberspace that would “legitimize… unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.” Instead, the Group should be emphasizing the peaceful settlement of disputes and conflict prevention. Western countries have countered that clear affirmations of international legal frameworks precisely “help reduce the risk of conflict by creating stable expectations of how States may and may not respond to cyber incidents they face.”

The Issue of International Law

In the end, these clashing viewpoints appear to have sealed the fate of the 2016/2017 GGE. To some extent, this is not surprising as the appropriate means of applying international law has been a source of contention since the beginning of UN discussions in 1998. Back then, the Russian initiative in the General Assembly was geared towards the negotiation of an international treaty – an idea that has been vigorously opposed by Western states but still finds appeal almost 20 years later with the Cuban representative calling for an “international legally binding instrument”.

Still, previous GGEs had managed to mediate diverse viewpoints to arrive at consensus reports that moved the debate more or less forward. The 2012/2013 Group of Governmental Experts had been widely heralded for its simple statement that international law is applicable to cyberspace as this was the first time Russia and China had publicly shared this position. And while the following GGE in 2014/2015 made a lot of waves with the concept of norms, its very modest progress on international law aptly reflected the deeply diverging views among states. The final language, for instance, noted the “inherent right” of a state to take measures consistent with international law and the UN Charter without expressly mentioning the right to self-defense or Article 51 of the Charter. The same unresolved issues continued to play out in this year’s GGE but it seems that it was not possible to achieve any kind of compromise in this contentious area.  

Where does this leave us?

First, it leaves us with an unresolved international legal debate where the viewpoints seem to be diverging and solidifying rather than converging. Second, and perhaps more disconcertingly, the outcome of the 2016/2017 GGE raises the question whether and how this legal debate, as well as the broader discussion of the GGE, is going to be continued. Even though the interest of states in participating in a GGE has dramatically increased over the years, many had noted the low appetite for a follow-on Group even prior to the start of the 2016/2017 GGE. One of the questions expected to be discussed by the current Group was ways and mechanisms to take the international debate beyond the current GGE format. With the lack of agreement on international law and its application, this and many other aspects (including norms, confidence-building measures and capacity-building) remain up in the air. This could mark an end to years of slow, yet steady progress – something that is going to be more than desperately needed in light of the differences that led to the outcome of the current GGE.

 

Elaine Korzak, Ph.D, LL.M. is a Visiting Assistant Professor at the Middlebury Institute of International Studies at Monterey. She was previously a fellow at Stanford’s Center for International Security and Cooperation and the Hoover Institution. Her research focuses on international law and norms in cyberspace, the Wassenaar Arrangement and export control regulations, as well as cyber capacity-building.

The views expressed in this post reflect those of the author and not those of the EastWest Institute.

Global Cooperation in Cyberspace Progress Roundtable 2017

Overview

The EastWest Institute is hosting its annual Global Cooperation in Cyberspace Progress Roundtable, taking place at the William and Flora Hewlett Foundation in Palo Alto, California, on September 6-7, 2017.

This roundtable is the annual strategic review of EWI's cyberspace program. Approximately 40 leaders of EWI's cyber cooperation breakthrough groups and other key stakeholders will meet in person to present the groups' recent work, discuss progress made so far and examine next steps to refine our collective undertaking to stimulate responsible global action in cyberspace.

The roundtable will review ongoing work on addressing security and safety in IoT-connected cities, promoting norms of responsible behavior in cyberspace, increasing access to more secure ICT products and services, and understanding and insuring systemic cyber risk. The event will also include an in-depth workshop on balancing encryption and lawful access to data. Additionally, updates will be presented on EWI's continued support of the Global Commission on the Stability of Cyberspace, which is seeking to develop proposals for norms and policies to enhance international security and guide responsible state and non-state behavior in cyberspace.

The Global Cooperation in Cyberspace Progress Roundtable is organized with support from, among others, Microsoft, Huawei Technologies, Unisys, Sonus Networks, Palo Alto Networks, Qihoo 360, NXP Semiconductors, CenturyLink, VEON, JPMorgan Chase, Marsh & McLennan, The Hague Centre for Strategic Studies and the William and Flora Hewlett Foundation.

McConnell Talks Cybersecurity of Election Systems

EWI Global Vice President Bruce McConnell discusses how disputes over the alleged hacking of Georgia's June special election are exposing the vulnerability of the U.S. election system.

Talking to USA Today, McConnell states: "As public attention finally starts to focus on the cybersecurity of election systems, we will see more suits like this one, and eventually, a woke judge will invalidate an election."

Click here to read the full story on USA Today.

The Race to Cyber Supremacy Reaches New Levels

Although cyberspace is important for economic growth, countries must also have supremacy in it through their ability to navigate it for intelligence gathering and cyberwarfare. Kamlesh Bajaj writes in The Wire.

Chris Painter, a cybersecurity coordinator in the U.S. Department of State since 2011, stepped down in the third week of July when the Trump administration decided to close the state department’s Office of the Coordinator for Cyber Issues, and move it to the Bureau of Economic and Business Affairs. This marked the jettisoning of cyber issues from cyber diplomacy—something which the Obama administration had established with a strong belief in their importance in the contemporary world since the emergence of cyberspace as an engine of economic growth.

In its diplomatic efforts, through this office, the U.S. state department wanted cyberspace to be used for the free flow of information across borders, promotion of democracy, freedom of expression, and human rights—in what was collectively referred to as the Internet freedom agenda. The U.S. signed agreements with several countries for cyber cooperation to share information on cyber incidents, vulnerabilities, new attack vectors, forensics, etc., to enhance peaceful uses for the growth of economies. The zenith of this diplomacy was the signing of an agreement with China, in 2015, to stop economic espionage for intellectual property, and to not attack critical information infrastructures such as banking, electricity generation and distribution. Not surprisingly, some two dozen Democrats promptly urged U.S. secretary of state Rex Tillerson on July 21 to keep the state department’s cyber division, citing the reduction in espionage of U.S. industry as a direct outcome of this agreement. With the world getting more interconnected, they argued cyber diplomacy would assume greater importance.

Read in full here.

Controlling Cyber Conflict

Joseph Nye, a member of the Advisory Group for the EastWest Institute, poses the question: "Are cyber-attacks the wave of the future, or can norms be developed to control international cyber conflict?"

When cyber-security professionals were polled recently at their annual BlackHat conference in Las Vegas, 60% said they expected the United States to suffer a successful attack against its critical infrastructure in the next two years. And U.S. politics remains convulsed by the aftermath of Russian cyber interference in the 2016 election. Are cyber-attacks the wave of the future, or can norms be developed to control international cyber conflict?

We can learn from the history of the nuclear age. While cyber and nuclear technologies are vastly different, the process by which society learns to cope with a highly disruptive technology shows instructive similarities. It took states about two decades to reach the first cooperative agreements in the nuclear era. If one dates the cyber-security problem not from the beginning of the Internet in the 1970s, but from the late 1990s, when burgeoning participation made the Internet the substrate for economic and military interdependence (and thus increased our vulnerability), cooperation is now at about the two-decade mark.

The first efforts in the nuclear era were unsuccessful United Nations-centered treaties. In 1946, the U.S. proposed the Baruch plan for UN control of nuclear energy, and the Soviet Union promptly rejected locking itself into a position of technological inferiority. It was not until after the Cuban Missile Crisis in 1962 that a first arms control agreement, the Limited Test Ban Treaty, was signed, in 1963. The Nuclear Non-Proliferation Treaty followed in 1968, and the bilateral U.S.-USSR Strategic Arms Limitation Treaty in 1972.

Read the full commentary on Project Syndicate here.

GCSC Convenes in Las Vegas

The Global Commission on the Stability of Cyberspace (GCSC) hosted a meeting in Las Vegas on July 27 which coincided with both the 20th edition of Black Hat USA and the 25th edition of DEF CON. The Commission was well represented with GCSC Co-Chair Michael Chertoff, former U.S. Secretary of Homeland Security, delivering the opening keynote address at the Black Hat CISO Summit, and Chair Marina Kaljurand, former Foreign Minister of Estonia, and several Commissioners participating in a policy briefing on “Challenges of Cooperating Across Cyberspace” at the conference. Sean Kanuck, Chair of the GCSC Research Advisory Group, and Alexander Klimburg, Director of the GCSC Initiative, also discussed “Hacking Democracy” at DEF CON.

“The second GCSC meeting proved to be extremely productive on several levels,” commented Marina Kaljurand, Chair of the GCSC. “Our representatives had the opportunity to engage on a range of topics and discussion formats at both Black Hat and DEF CON—and we sincerely thank both organizations for including the GCSC as part of its program. The Commission also took the occasion to hold a closed meeting to further advance its agenda in the context of current developments in global cybersecurity.”

The one-day meeting began with a discussion on the recently concluded round of the United Nations Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security (GGE), and the lack of a consensus report. The Commissioners discussed the future of the UN process and sought to gain a better understanding of what the post-GGE process could look like, and how other relevant stakeholders could be involved. The GCSC Commissioners will further explore possible post-GGE processes, including with governments and other organizations that seek to advance the development of norms of responsible State behavior.

The Commissioners outlined the next operational steps for the prioritized topics from the First Full Commission Meeting in Tallinn this last June, with the overall aim to gain a better understanding of the Public Core of the Internet, Critical Information Infrastructures and ICT-aspects of non-Internet Critical Infrastructures, as well as the means of protecting each. This included generating a comprehensive list of the required systems, through surveys of experts. Also, research will be conducted in cooperation with experts and institutions from the Research Advisory Group, resulting from the Request for Proposals.

“Any norm on the public core of the Internet should reflect both the technology and the realities of international relations. We have to view cyberspace in its political context,” added James Lewis, Senior Vice President of the Center for Strategic and International Studies. “The Commission will continue to work on defining what constitutes the core of the Internet and creating a norm on how states should protect it.”

In addition to its prioritized topics, the Commissioners also touched upon other issues, including election infrastructures, the impact of new technological developments such as the Internet of Things and Artificial Intelligence on cyberstability, improving the ability of international peace and security processes to engage on matters pertaining to cybersecurity, limiting offensive cyber operations, and refining the legal concept of “effective control” as applied to cyberspace.

The GCSC will convene a larger-scale Commission Meeting on November 20-21 on the margins of the next Global Conference on CyberSpace (GCCS) in New Delhi. In the run-up to this meeting, the GCSC welcomes input from other processes, organizations and institutions that are concerned with norms of responsible behavior and international cyberstability. The GCSC Secretariat will also disseminate surveys to support its research and deliberations.

The Hague Centre for Strategic Studies, the EastWest Institute, the Chairs and Commissioners would like to thank Black Hat and Commissioner Jeff Moss for hosting the GCSC in Las Vegas, as well as the GCSC partners, the governments of The Netherlands, Singapore and France, Microsoft, ISOC, and the other funders for their support.

For additional information about the Commission and its members, please visit www.cyberstability.org or get in touch with the Secretariat via info@cyberstability.org.
