Usual suspects: Questioning the cybernorm-making boundaries

28 Nov 2019 10:35h - 11:35h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

Governments are currently engaged in ongoing negotiations on establishing norms and confidence building measures (CBMs) for responsible behaviour in cyberspace. The technical community is engaged in day-to-day incident response. Both stakeholder groups are working towards creating a more secure and stable online environment, yet their approach to the problem differs greatly. They have a different understanding of the concepts, and different time-frames for taking action. How can their work be connected, without creating negative effects? As Mr Pablo Hinojosa (Strategic Engagement Director, APNIC) put it, this is the fourth session – four IGFs in a row – which has provided a ‘dating opportunity’ for the policy community: diplomats and policymakers – that shape the basic rules; and the technical community – CERTs and network operator groups (NOG), who are the first responders and possible implementers of the rules.

Ms Madeline Carr (Professor of Global Politics and Cybersecurity at UCL) noted that dialogue on cyber norms is not about cybersecurity, but about preventing conflicts and their escalation. Mr Liam Neville (Assistant Director, Cyber Policy at Australian Department of Foreign Affairs and Trade) pointed out that diplomatic negotiations start by trying to find an agreement on broad principles; implementation is not looked at until much later.

Cyber-diplomacy dialogue is, thus, still in its early stages. However, it is interesting to observe that discussions about implementation are already on the table (which is unusual for diplomatic processes) – which signals that we do not have time to waste due to the increasing impact of technology on society.

Ms Louise Marie Hurel (Cybersecurity Governance Researcher, LSE) challenged the discussion about the implementation of one particular norm – Norm 7 of the GGE report of 2015 (par. 13 (h)) that states should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts. Had this norm existed earlier, it could have impacted the 2007 cyber-attacks on Estonia; Ms Merike Kaeo (Strategic Security Leadership & ICANN Board Member) explained that the operational response to the incident was there, but no international response or co-ordination was in place. At the same time, diplomats were not sure if and how they should react to such a new type of incident (or attack). To make this norm useful, it would need to be clearer on how the malicious act is defined, how to request assistance, and from whom, etc. Yet the development of CBMs, with the involvement of both the tech and private sectors, may help clarify this. CBMs help with operationalisation, Neville agreed.

Another important example to study is the notPetya global incident from 2017. Since the main victims were parts of the supply chain – like major shipping companies – which is often not considered a critical infrastructure, Mr Maarten Van Horenbeeck (Board Member, / Chief Information Security Officer at Zendesk) asked if the states, including the national CERTs, would follow the norm and get involved. If so, could they actually help, since the infection spread as encrypted data through VPNs of corporate networks, where even CERTs cannot intervene? Or would this in fact be counter-productive and slow down the effective response to, and recovery from, the incident by corporate IT teams? Ms Cristine Hoepers (General Manager, CERT .br) asked whether the need to implement norms could actually prevent implementation, and make things worse? The bottom line is that norms should be aligned with the practice of handling the incidents.

A similar example is the enormous bank heist in Bangladesh in 2016. Mr Sumon Ahmed Sabir (CTO at Fiber@Home) recalled that the fraud happened on a Friday night, and that the banks reacted only on Tuesday, due to the weekend and holidays. Journalists picked up the story only days after, the government took weeks to react, and the courts are still working on the case. A cyber-incident in Pakistan in 2008 that brought down YouTube globally, emerged and was resolved thanks to the global co-operation of network operators, within only 2 hours, Mr Olaf Kolkman (Chief Internet Technology Officer at the Internet Society) added. These examples illustrate the difference in the time-frame of processes led by different sectors. In contrast to the prompt response to incidents, the political process of developing norms related to incidents takes years, and eventually some of the norms are codified into the law, Neville explained. Countries do not seem to be in a hurry, but CERTs are in a hurry due to everyday incidents, Mr Alejandro Pisanty (professor at the National Autonomous University of Mexico) commented.

Concepts such as norms and stability are understood differently by the tech community and diplomats. Kolkman reminded that stability in the tech context is different from stability in an international context, and that the tech community also has its norms – or rather standards, such as ISO – for keeping the environment secure, which are fundamentally different from political norms, like those of the GGE. The tech community, however, can play a role in implementing the political norms as well, but it first, it needs to understand how these norms work, and how to operationalise them, warned Hoepers. For instance, what represents a territory in cyberspace, and how should an international Internet Exchange Point (IXP) – like the one in Amsterdam that transfers most of the global traffic, including some that might contribute to attacks – be treated?

Besides temporality and language, there are other specificities of the two communities. For the CSIRT community, for instance, trust is key for swift reactions to incidents, and it is established primarily on an individual, people basis, Hoepers underlined. CSIRTs operate without a chain of command that comes down to them, Pisanty added. For diplomats, the principles are in the focus of the process, while the tech community focuses on operational mechanisms and actions, Hurel complemented.

As the majority of world’s conflicts today are among developing countries, in particular in Africa and the Middle-East, the escalation of political tensions due to cyber-incidents (and misunderstanding about them) are likely to happen more and more on regional and sub-regional levels, warned Mr Vladimir Radunović (Director of Cybersecurity and E-diplomacy, DiploFoundation). Those countries, however, have not developed clear and functional national co-ordination mechanisms for response to cyber-incidents, and probably will not be able to implement the norms and provide assistance either. According to Neville, it is important to ensure that all countries share what efforts they have undertaken to implement norms, which would help with predictability at least. On the positive side, the activities within the OEWG and GGE show that peace in cyberspace is the common objective of all states.

By Vladimir Radunović