ICT vulnerabilities: Who is responsible for minimising risks? | Introduction

12 Oct 2023 00:45h - 01:45h UTC

Event report

Speakers

  • Anastasiya Kazakova, Cyber Diplomacy Knowledge Fellow, DiploFoundation
  • Pavlina Ittelson, Executive Director, Diplo US
  • Vladimir Radunović, Director of Cybersecurity & E-diplomacy, DiploFoundation


Disclaimer: This is not an official record of the WEF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the WEF YouTube channel.

Full session report

The Geneva Dialogue session, moderated by Anastasiya Kazakova, a Cyber Diplomacy Knowledge Fellow at DiploFoundation, focused on the implementation of cyber norms, particularly by non-state actors and stakeholders. The session concentrated on two specific cyber norms: supply chain security and responsible reporting of Information and Communication Technology (ICT) vulnerabilities. These norms are part of a set of 11 established by the United Nations to promote responsible behaviour in cyberspace.

Vladimir Radunović, Director of Cybersecurity and E-Diplomacy Programmes at DiploFoundation, presented the Zero Draft of the Geneva Manual, a guidance document to aid non-state actors in implementing the cyber norms. Radunović emphasised the importance of various stakeholders, including civil society, industry, research and academic communities, and users, in the successful implementation of these norms. He noted that while the norms are designed for state-to-state relations, their realisation requires the active involvement of these diverse stakeholders.

Participants engaged in a debate, discussing the complexity of the supply chain and the distribution of responsibility among different actors. They noted that industries vary, and vulnerabilities can occur in software or due to misconfigurations, implying a role for consumers, operators, or system integrators. The discussion also covered the use of advanced technologies like Artificial Intelligence (AI) to assist with software verification and traceability. However, it was acknowledged that technology alone cannot solve the problem and that human intervention remains essential.

Another significant topic was the need for a global regulatory framework to address cybersecurity issues effectively. Participants discussed the challenges of synchronising various regulatory frameworks and the necessity of a global jurisdiction as the ideal solution. They also touched upon the importance of handling vulnerabilities correctly, as not all vulnerabilities pose the same risk, and the details of addressing them can be complex.

An audience member commended the Geneva Dialogue for bringing together a vital community and highlighted the importance of the work being done to provide feedback into the UN system and the global system. Anastasiya Kazakova expressed her gratitude for the contributions and encouraged further engagement from the community.

The session concluded with an emphasis on the importance of categorising digital products to understand their criticality and define roles and responsibilities accordingly. It was also noted that even labelled products might not be entirely secure, and users should still exercise due diligence. The need for a regional definition of digital products was also discussed, as different regions may have varying approaches and mindsets.

Kazakova thanked the participants for their contributions and encouraged them to provide feedback on the Geneva Manual, which will be finalised and published later in the year. The manual is expected to serve as a practical guide for stakeholders on how to contribute to reducing vulnerabilities and enhancing cybersecurity. The session underscored the collaborative effort required to address cybersecurity challenges and the importance of multi-stakeholder conversations in shaping a secure and stable cyberspace.

Geneva dialogue session explores implementation of cyber norms by non-state actors

Anastasiya Kazakova

Speech speed: 144 words per minute
Speech length: 1546 words
Speech time: 645 secs


Arguments

The implementation of cyber norms by non-state actors and relevant stakeholders is a focal point of discussion.

Supporting facts:

  • The Geneva Dialogue sessions are international conversations that began in 2018, focusing on various roles and responsibilities in cyberspace.
  • The goal is to enhance security and stability in cyberspace.
  • The focus this year is on normative frameworks agreed upon and negotiated by states.
  • Two specific norms being focused on are related to supply chain security and responsible reporting of ICT vulnerabilities.

Topics: Cyber norms, Non-state actors, Cybersecurity


Anastasiya introducing the subject matter of the Geneva Dialogue, its objectives and intended results.

Supporting facts:

  • The Geneva Dialogue is focused on two of the United Nations norms of responsible behaviour, specifically those addressing integrity in the supply chain and ICT vulnerability reporting.
  • Geneva Dialogue is making a practical guide (The Geneva Manual) which is intended to be a useful tool for all stakeholders to reduce vulnerabilities.
  • The final launch of the inaugural edition of the Manual is expected in December this year.
  • Through the Geneva Dialogue, Anastasiya and her team are also inviting stakeholders to contribute via feedback, discussions, and even partnership.

Topics: Geneva Dialogue, Security of digital products, Role of stakeholders, Vulnerability reporting, Supply chain integrity


Responsibility and integrity of supply chains discussed

Supporting facts:

  • Discussions took place regarding supply chain security and integrity.

Topics: Supply Chain, Security


Technical community includes various actors and roles depending on context

Supporting facts:

  • In conversations, different roles and actors within a technical community context were identified.

Topics: Technical Community, Responsibility


Categorization of digital products required for understanding security levels

Supporting facts:

  • It is suggested that for a stronger understanding of security levels, a categorization of digital products is necessary.

Topics: Digital Products, Security


Labelled products do not necessarily provide more security

Supporting facts:

  • Even if a product is labelled, users are cautioned that it may not be absolutely secure and should still carry out their own due diligence.

Topics: Digital Products, Security


Further regional definition for digital products is necessary

Supporting facts:

  • The definition of digital products may need to be region-specific, influenced by where the community is located and the prevalent approaches and mindsets.

Topics: Digital Products, Regional Definition


Anastasiya Kazakova appreciates the contributions of the audience

Supporting facts:

  • She expresses gratitude to Christopher for his kind words and commitment to discussions
  • She praised the involvement of people who joined online especially at late hours

Topics: Geneva dialogue, Community participation


Report

The Geneva Dialogue session, an international conversation that began in 2018, aims to enhance security and stability in cyberspace. This year, the dialogue is focusing on normative frameworks related to supply chain security and responsible reporting of ICT vulnerabilities. The main discussions revolve around the implementation of these norms by non-state actors and relevant stakeholders.

Anastasiya Kazakova, an advocate for multi-stakeholder conversations, supports the creation of these conversations to help implement cyber norms. Throughout the year, consultations have taken place to gather perspectives from different stakeholder groups. These consultations aim to determine agreement or disagreement over norms, identify challenges, and explore potential best practices.

The results of these consultations will be published in the Geneva Manual. The Geneva Dialogue specifically concentrates on two norms from the United Nations norms of responsible behavior: integrity in the supply chain and ICT vulnerability reporting. To aid stakeholders in reducing vulnerabilities, the Geneva Dialogue is creating a practical guide called the Geneva Manual.

The final version of the Manual is set to launch in December this year. Anastasiya and her team invite stakeholders to contribute to the Manual through feedback, discussions, and potential partnerships. Anastasiya and her colleague Vladimir Radunović are the main organisers of the Geneva Dialogue.

They believe that an inclusive approach is vital to the success of the dialogue, with all stakeholders playing an important role. Anastasiya encourages not only the Dialogue’s partners but also other interested individuals or groups to contribute to the zero draft of the Geneva Manual.

During the discussions, the responsibility and integrity of supply chains were thoroughly explored. The dialogue also identified various roles and actors within the technical community context. It was suggested that categorizing digital products is necessary for a stronger understanding of security levels.

However, it’s important to note that even if a product is labeled, users should still carry out their own due diligence, as labeled products do not guarantee absolute security. Additionally, the definition of digital products may need to be region-specific, taking into account the prevalent approaches and mindsets within a specific community.

Anastasiya expresses gratitude for the contributions of the audience, particularly appreciating Christopher’s kind words and commitment to the discussions. She highlights the involvement of people who joined online, especially at late hours. In conclusion, the Geneva Dialogue aims to enhance cyber norms and security in cyberspace through multi-stakeholder conversations.

The dialogue focuses on normative frameworks related to supply chain security and responsible reporting of ICT vulnerabilities. Anastasiya Kazakova plays a crucial role in organizing and encouraging an inclusive approach to the dialogue. The Geneva Manual, a practical guide to reducing vulnerabilities, is set to launch in December.

Stakeholders are invited to contribute to the zero draft of the Manual, and Anastasiya appreciates the audience’s involvement and feedback.

Audience

Speech speed: 129 words per minute
Speech length: 116 words
Speech time: 54 secs


Arguments

There is responsibility for the integrity of supply chains and for determining the security level of digital products.

Supporting facts:

  • Discussions shifted towards understanding the level of criticality of each subset of products in order to further define roles, responsibility and accountability.
  • Even a labeled product is not necessarily more secure, buyers need to be aware and conduct due diligence.

Topics: Supply Chain Integrity, Digital Product Security


Report

The Geneva dialogue focused on the vital responsibility of supply chains in ensuring the integrity and security of digital products. The discussions explored the intricacies of different subsets of products to determine their level of criticality. This, in turn, influenced the roles, responsibilities, and accountability associated with them.

It was highlighted that simply labelling a product as secure does not guarantee its actual security. Therefore, buyers need to exercise caution and conduct thorough due diligence. The audience highly praised the Geneva dialogue, particularly commending individuals such as Vlad and Anastasiya Kazakova for their valuable contributions.

They were recognized for bringing together a vibrant community and for their efforts in providing feedback to the UN and the global system. The recognition highlighted the dedication and impact of the dialogue on a larger scale. Overall, the sentiment regarding the discussion on supply chains was neutral, reflecting the complexity and challenges involved in ensuring their integrity and security.

However, the sentiment towards the Geneva dialogue itself was overwhelmingly positive. It is evident that the dialogue serves as a platform for community building, tech industry collaboration, and partnerships for the goals outlined in SDG 17. In summary, the Geneva dialogue shed light on the responsibility of securing supply chains and determining the security level of digital products.

It emphasized the need for defining roles and accountability, as well as the importance of buyer awareness and due diligence. The positive reception and recognition from the audience testify to the invaluable contributions of individuals like Vlad and Anastasiya Kazakova and the broader impact of the dialogue on the UN system and the global community.

Debate

Speech speed: 114 words per minute
Speech length: 1190 words
Speech time: 626 secs


Report

During the Zoom meeting, the participants discussed various aspects of communication, including the ability to mute others on the platform. They expressed relief when they realized that one participant, Vlada, had been muted, which improved the overall experience of the meeting.

The participants then moved on to other topics, starting with questions about responsibility in situations involving addiction and violence. They wondered who should be held accountable for the vulnerability of addicts and the incidents that stem from it. Additionally, they pondered who should take action to reduce violence and improve happiness and equity in the world.

These questions highlighted the participants’ concerns regarding the need for collective responsibility and action to address such complex issues. The importance of integrity and accountability in both the supply chain and responsibility chain of digital products was emphasized. The participants discussed their desire for digital products but also acknowledged the need for companies to take responsibility for the consequences of their products.

They argued that just as there is integrity in the supply chain, there should be integrity in the responsibility chain as well. One participant suggested addressing the issue of liability in terms of financial insurance. They believed that studying how this concept applies to digital products could lead to a better understanding of responsibility and accountability in the industry.

By considering digital products as part of a supply chain, it would be possible to establish guidelines and standards for accountability. The participants also raised concerns about the lack of multidisciplinary perspectives and stakeholder input in the formation of norms.

They questioned the effectiveness of norms that are created without full information and understanding, suggesting that they may fail to align with current administrative viewpoints of the technical community. This led to a discussion on the need for creative interpretation of norms, as well as intentional collaboration between different stakeholders to ensure comprehensive decision-making.

The participants noted the importance of transparency, especially in the context of consumer products. They observed that having clarity about the devices and technologies consumers use is essential for understanding potential vulnerabilities and risks. They discussed the challenges associated with governing and regulating the vast array of products available in the market, as each individual has unique needs and preferences.

The meeting concluded with further consideration of consumer protection and the role of consumer groups. The participants recognized the sense of community and mutual interest that underpins such groups. However, they also acknowledged the difficulties in facilitating meetings and discussions to address consumer issues effectively.

They discussed the need for a harmonized approach towards consumer protection and suggested the importance of establishing baselines for consumer safety. The participants noted variations in regulations between different regions, specifically highlighting the European Union (EU) and the United States.

They mentioned that regulations related to pharmaceuticals in the US do not necessarily consider personal data and consumer perspectives. This disparity in regulations showcased the need for a unified approach to ensure comprehensive protection and regulation. Overall, the meeting highlighted the ongoing challenges faced in communication, responsibility, and accountability in the digital age.

The participants emphasized the importance of collaborative efforts, transparency, and a global perspective to address these complex issues effectively. They concluded the meeting by emphasizing the need for fair and effective communication, allowing each participant the opportunity to contribute their insights and thoughts.

Vladimir Radunović

Speech speed: 165 words per minute
Speech length: 1809 words
Speech time: 659 secs


Arguments

Two of the United Nations norms of responsible behaviour in cyberspace concern the integrity of the supply chain and the reporting of Information and Communication Technology (ICT) vulnerabilities.

Supporting facts:

  • The Geneva Dialogue focuses on security of digital products and the role of various stakeholders in implementing the two UN norms.
  • The integrity of the supply chain facilitates security of ICT products while responsible reporting of ICT vulnerabilities helps to eliminate potential threats.
  • The norm regarding the integrity of the supply chain suggests that states should ensure the integrity of supply chain so that end users can have confidence in the security of ICT products.
  • The norm about reporting of ICT vulnerabilities promotes responsible reporting and sharing of associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats.

Topics: Cybersecurity, Responsibility in Cyberspace, ICT vulnerabilities, Supply Chain Integrity


Various stakeholders, including the civil society, industry, research and academic communities, users and more, play a vital role in implementing these norms.

Supporting facts:

  • States cannot implement these norms without involvement from other stakeholders, including vendors, researchers, academia, and civil society.
  • Everyone has a role to play in reducing vulnerabilities.

Topics: Internet Governance, Cybersecurity, Stakeholder roles


Different actors and considerations in tracking vulnerabilities

Supporting facts:

  • Not all industries are the same and they produce different kinds of products
  • Vulnerabilities can also stem from misconfiguration, implying a role for consumers, operators or system integrators as well
  • Responsibility also lies with marketplaces or platforms that distribute the products

Topics: Software vulnerabilities, Industry players, System integrators, Consumer responsibility


Role of technology and human intervention in solving the problem

Supporting facts:

  • Emerging technologies like AI can assist with verification of software traceability
  • Human intervention is necessary; the problem can’t be completely solved by technology alone

Topics: Artificial Intelligence, Software traceability


A global legal framework is needed for regulation

Supporting facts:

  • A global system in a global jurisdiction is the ideal solution
  • There’s an open question about how to synchronise various regulatory frameworks

Topics: Regulatory frameworks, Jurisdiction, Cybersecurity


Report

The United Nations has established two norms for responsible behaviour in cyberspace: the integrity of the supply chain and reporting of ICT vulnerabilities. These norms aim to ensure the security of digital products and promote responsible reporting. The Geneva Dialogue focuses on the security of digital products and the role of various stakeholders, including states, vendors, researchers, academia, and civil society, in implementing these norms.

The norm regarding the integrity of the supply chain suggests that states should ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. It emphasises the need for states to take measures to prevent the compromise of ICT products through the supply chain.

By doing so, it aims to facilitate the security of ICT products. The norm about reporting of ICT vulnerabilities promotes responsible reporting and sharing of associated information on available remedies to such vulnerabilities. It recognises the importance of timely reporting to limit and possibly eliminate potential threats.

Responsible reporting helps in identifying and addressing vulnerabilities in a proactive manner, thereby enhancing the security of ICT products. Implementing these norms requires involvement from various stakeholders. It is emphasised that states cannot effectively implement these norms without the collaboration of other actors, such as vendors, researchers, academia, and civil society.

Everyone has a role to play in reducing vulnerabilities and ensuring the security of cyberspace. However, the implementation of global rules for supply chain security and responsible vulnerability reporting requires universally accepted rules and standards, not just state-to-state agreements. The complex nature of supply chain security and the challenges posed by geopolitical trends make it necessary to establish global standards and rules that are universally accepted.

Building trust among stakeholders is also critical in vulnerability reporting and information sharing. Different industries and actors play a role in tracking vulnerabilities. Not all industries are the same, and they produce different kinds of products. Vulnerabilities can also stem from misconfiguration, implying a role for consumers, operators, or system integrators as well.

Responsibility also lies with marketplaces or platforms that distribute the products. Furthermore, emerging technologies like artificial intelligence (AI) can assist with the verification of software traceability. While technology can play a crucial role, human intervention is necessary, as the problem can’t be completely solved by technology alone.

The combined efforts of technology and human expertise are needed to ensure software traceability and enhance cybersecurity. The need for a global legal framework for regulation in cyberspace is highlighted. A global system in a global jurisdiction is considered the ideal solution.

The challenge lies in synchronising various regulatory frameworks to effectively address cybersecurity issues. A cohesive and comprehensive global legal framework is essential to regulate and govern cyberspace. Lastly, the importance of handling vulnerabilities correctly is emphasised. Addressing vulnerabilities requires attention to detail, as not all vulnerabilities pose the same risk.

It is crucial to prioritise vulnerabilities based on their potential impact and allocate resources accordingly. Responsible and strategic management of vulnerabilities is essential for maintaining the security and integrity of ICT products. In conclusion, the United Nations has established norms for responsible behaviour in cyberspace, focusing on the integrity of the supply chain and reporting of ICT vulnerabilities.

Implementing these norms requires collaboration from various stakeholders, and the establishment of universally accepted rules and standards. Different industries and actors play a role in tracking vulnerabilities, and emerging technologies like AI can assist with software traceability. The need for a global legal framework and the importance of handling vulnerabilities correctly are also highlighted.