Building a Global Partnership for Responsible Cyber Behavior | IGF 2023 Launch / Award Event #69

12 Oct 2023 05:00h - 06:00h UTC

Event report

Speakers and Moderators

Speakers:
  • Koichiro Komiyama, JPCERT, APAC (Technical Community)
  • Eugene EG Tan, S. Rajaratnam School of International Studies (RSIS), APAC (Academia)
  • John Hering, Microsoft, WEOG (Private Sector)
  • Charlotte Lindsey, Cyber Peace Institute, WEOG (Civil Society)
  • Pablo Castro, Cybersecurity Coordinator at Chile’s Ministry of Foreign Affairs, GRULAC
  • Regine Grienberger, Cyber Ambassador at the German Federal Foreign Office, WEOG (Government)
Moderators:
  • Louise Marie Hurel, Royal United Services Institute, WEOG
  • James Sullivan, Royal United Services Institute, WEOG

Disclaimer: This is not an official record of the IGF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the IGF's official website.

Session report

Pablo Castro

Chile’s new national cybersecurity policy places a strong emphasis on promoting international norms and applying international law in cyberspace. This commitment is vital for achieving the goals outlined in SDG 9 (Industry, Innovation and Infrastructure) and SDG 16 (Peace and Justice). The policy reflects Chile’s dedication to upholding principles that respect human rights and international law in cybersecurity operations. Chile began working on cybersecurity in 2017 and released its cyberdefense policy in 2018, which stated that cyber operations would be conducted with respect for international law and human rights. The upcoming national cybersecurity policy reaffirms Chile’s commitment to promoting international norms and law in cyberspace.

In Latin America, there is a need for further discussion on attribution in cyber attacks. Unlike other regions, there is little dialogue about responsibility for cyber attacks. Governments in Latin America must decide whether publicly attributing an attack to a foreign power is beneficial. This highlights the need for comprehensive conversations and analysis on attribution in the region.

Capacity building and international cooperation are crucial for cybersecurity in Latin America. Countries in the region often lack a national cybersecurity agency, with governance falling under committees instead. However, training courses offered by countries such as the US, Canada, Estonia, and the UK are helping enhance capacity building efforts. These courses focus on applying international law in cybersecurity and play a critical role in equipping Latin American countries with the necessary skills and knowledge to combat cyber threats effectively.

It is stressed that Chile needs to develop a national position on international law in cyberspace. The new cybersecurity policy mandates the establishment of this position. Defining Chile’s stance and approach towards international law in cyberspace is essential to ensure consistency and effectiveness in its cybersecurity efforts.

Regarding cyber attack response, a collective approach in the region is recommended as an effective way to express condemnation without attributing the attack directly to a specific actor. This approach allows for a unified stance against cyber attacks, maintaining diplomatic relations and avoiding unnecessary conflicts.

Pablo Castro, an expert in cybersecurity and related areas, supports discussions taking place in United Nations working groups on emerging threats and technologies such as artificial intelligence and cyber mercenaries. His previous experience in dealing with these issues, particularly in the field of cyber mercenaries, further underscores the importance of these discussions. However, caution is expressed regarding potential difficulties and disagreements in reaching a consensus within the working group. Maintaining a good working relationship among members is prioritised to ensure the effectiveness of the discussions.

In conclusion, Chile’s new national cybersecurity policy highlights the importance of promoting international norms and applying international law in cyberspace. This commitment aligns with the goals of SDG 9 and SDG 16, aiming to foster innovation, ensure infrastructure security, and promote peace and justice. Latin America faces challenges in attributing cyber attacks and requires further discussion. Capacity building and international cooperation are crucial for the region, with training opportunities provided by the US, Canada, Estonia, and the UK. Chile is encouraged to develop a national position on international law in cyberspace to enhance consistency and effectiveness. Furthermore, a collective response to cyber attacks in the region is recommended to express condemnation without directly attributing the attack to a specific actor. Discussions in the United Nations working groups, supported by Pablo Castro, are of vital importance in addressing emerging threats and technologies, while maintaining a good working relationship within the group.

John Hering

The Cybersecurity Tech Accord is a coalition of 168 tech companies from around the world committed to upholding foundational cybersecurity principles. It was established in 2018 with 34 companies and has grown quickly in size and influence. The primary objective of the accord is to give the tech industry a voice on matters of peace and security in the online realm.

One of the driving forces behind the growing interest in joining the Cybersecurity Tech Accord is the pressure from customers, as cyberspace has become an emerging domain of conflict. Companies feel the need to clarify their stance on not weaponising their products and services. This pressure compels companies to actively participate in initiatives like the accord to demonstrate their commitment to cybersecurity principles.

However, a challenge for the accord is getting companies with different capacities on the same page. While some are large multinational corporations with significant resources, others may not have the same level of resources. Bridging this gap is an ongoing challenge.

The accord advocates for coordinated vulnerability disclosure policies. It encourages companies to have these policies in place to address and disclose potential vulnerabilities in a timely and responsible manner. Over 100 coordinated vulnerability disclosure policies from the accord’s signatory base can be reviewed online.

Microsoft, a prominent member of the accord, has played a significant role in the context of the war in Ukraine. The company has prioritised strengthening security for its customers in the region and has responded to multiple generations of wiper malware used in operations targeting Ukrainian data. Microsoft also actively reports its findings in the context of the conflict, providing insights into the activities of broad threat actor groups aligned with military campaigns.

The importance of a robust multi-stakeholder coalition is highlighted, particularly in the context of hybrid warfare. The accord, which includes both private sector companies and public agencies, can provide asymmetric benefits to defenders as hybrid warfare becomes a domain of conflict. The collaborative efforts of the Ukrainian CERT, which had the necessary authorisations and coordinated efforts effectively, have been crucial in thwarting cyber operations in the Ukraine conflict.

Policymakers are urged to carefully consider the impact of their regulations on the security research community. John Hering, a cybersecurity expert, raises concerns about potential negative consequences if regulations do not prioritise fixing vulnerabilities and ensuring customer and user security. Poorly considered policies may inadvertently compromise product security and data safety by creating a race to the bottom.

On a positive note, accountability in cybersecurity is improving. Governments are taking steps to include norms violations in public attribution statements, and the International Criminal Court (ICC) has declared its intention to investigate potential cyber-enabled war crimes. These developments demonstrate progress in holding actors accountable for their actions in the cyber realm.

Overall, the Cybersecurity Tech Accord has garnered significant support and interest from tech companies worldwide. Its commitment to foundational cybersecurity principles and efforts to give the industry a voice in online peace and security are noteworthy. Challenges remain in bringing companies with different capacities together, but the focus on coordinated vulnerability disclosure policies and the active role of Microsoft in securing customer data in the Ukraine conflict show the practical impact of such collaborative initiatives. Policymakers must be cautious in crafting regulations that consider the impact on the security research community. Nevertheless, positive strides in accountability in cybersecurity, with government actions and ICC involvement, indicate progress in creating a safer and more secure online environment.

Koichiro Komiyama

The analysis reveals several important points regarding cybersecurity incident reporting and vulnerability information sharing. In Japan’s case, it is highlighted that sharing information with JPCERT (Japan Computer Emergency Response Team) or the National Cybersecurity Centre is crucial for effective incident handling. On the other hand, the US Securities and Exchange Commission has introduced a new regulation that requires financial institutions to disclose any cybersecurity incidents they experience.

However, it is noted that the role of CSIRT has slightly changed. The specific details of this change are not provided, but it suggests that there may be some adjustments or updates in the way CSIRT operates in handling cybersecurity incidents.

JPCERT, being a key player in incident reporting and response in Japan, receives around 20,000 incidents per year. This indicates the scale of the cybersecurity challenges faced by the country. Furthermore, JPCERT predominantly communicates with entities in the United States and China, indicating the importance of international cooperation in dealing with cybersecurity issues.

One of the supporting facts provided highlights a negative incident involving a Chinese security researcher. After identifying a vulnerability issue, the researcher promptly shared the information with Log4j developers. However, the researcher was subsequently summoned by Chinese authorities. This incident raises concerns about the potential hindrance to global information sharing and collaboration on cybersecurity matters.

The analysis also suggests that cyberspace is not as global as imagined, with over 80% of JPCERT’s incident engagements involving the US and China. This indicates that despite the interconnected nature of the internet, there are still significant gaps in global information sharing and cooperation in the realm of cybersecurity.

Another significant point raised is the localization of data and vulnerability information. This localization hinders global information sharing and collaboration, resulting in a chilling effect among Chinese security researchers. The introduction of regulations in China has had an impact on the willingness of researchers to share valuable vulnerability information due to potential legal repercussions.

The speakers argue that regulations should not hinder international information sharing and that vulnerability information should not be localized. They emphasize the importance of global cooperation and partnership in addressing cybersecurity challenges effectively. By overcoming barriers to information sharing and collaboration, the international community can collectively work towards a more secure cyberspace.

In conclusion, the analysis highlights the need for effective incident reporting and vulnerability information sharing in cybersecurity. It underscores the significance of international cooperation and the potential implications of regulations on global information sharing. The argument is made for regulations that foster collaboration rather than hinder it, ensuring that vulnerability information is not localized and that the global community can work together to address cybersecurity threats.

Charlotte Lindsey

The Cyber Peace Institute is an organisation dedicated to studying the impact and harms caused by cyber attacks. They recognise the importance of having evidence and data-driven understandings of the harm inflicted by these attacks. They emphasise the need for a context-aware approach to accurately calculate the harms and impacts.

One of the main concerns highlighted by the institute is the increasing targeting of vulnerable communities, specifically humanitarian, human rights, and development organisations, by cyber attacks. To help these organisations respond and enhance their capabilities, the institute has established a humanitarian cybersecurity centre and a cyber peace builders programme. This initiative aims to support these organisations in preventing and responding to cyber attacks effectively.

Understanding the impacts of cyber attacks on vulnerable communities is crucial for policy-makers. The institute believes that lessons learned from data analysis can be injected into policy discussions to develop efficient strategies and measures to address the issue.

During the height of the pandemic, attacks on healthcare infrastructure became a significant concern. Critical healthcare infrastructure experienced an alarming increase in cyber attacks. In response, the Cyber Peace Institute collaborated with the government of the Czech Republic and Microsoft to develop a compendium of best practices aimed at protecting the healthcare sector from cyber harm. This initiative provides guidance and recommendations for safeguarding healthcare facilities and systems from cyber threats and vulnerabilities.

The institute also stresses the need for clear accountability for breaching cybersecurity laws and norms. They are actively monitoring 112 different threat actors related to the conflict between Ukraine and Russia. By holding these actors accountable, the institute aims to deter future cyber attacks and ensure a safer cyber environment.

In conclusion, the Cyber Peace Institute’s work revolves around deepening the understanding of cyber attack impacts and harms. They actively support vulnerable communities through their humanitarian cybersecurity centre and cyber peace builders programme. Their collaboration with the government and industry partners highlights the importance of protecting critical healthcare infrastructure from cyber threats. Additionally, the institute advocates for clear accountability to prevent future breaches of cybersecurity laws and norms. Overall, their efforts contribute to creating a more secure and peaceful digital space.

Regine Grienberger

Germany is actively taking steps to strengthen the normative framework for cyber behaviour. Its work covers implementation, monitoring, capacity building, and the attribution of cyber incidents. To protect critical infrastructure, Germany is developing national legislation in alignment with the EU directive. This signifies its commitment to safeguarding essential systems and services from cyber threats.

In order to promote transparency and the sharing of best practices, Germany intends to document its progress in implementing cyber norms. By doing so, they hope to contribute to an international dialogue on cybersecurity and encourage other nations to adopt similar measures.

Germany has also established a national attribution procedure, which is coordinated by the Foreign Ministry. This procedure involves conducting comprehensive analyses and making informed political judgments regarding cyber incidents. By attributing cyber attacks, Germany aims to hold perpetrators accountable and deter future malicious activities.

Moreover, Germany recognises the importance of attributing cyber incidents as an essential practice. They believe that it is both achievable and necessary to respond effectively. Germany’s attribution procedure involves extensive analysis and political judgment, demonstrating their commitment to accurately identify and assign responsibility for cyber attacks.

Furthermore, within the context of the European Union diplomatic toolbox, sanctions are considered an instrument for responding to cyber incidents. This highlights Germany’s support for using sanctions as a means to deter and punish those responsible for cyber attacks. By leveraging sanctions, the EU aims to send a strong message that cyber aggression will not be tolerated.

In conclusion, Germany is actively working towards strengthening the normative framework of cyber behaviour through various means. Their efforts include developing national legislation, establishing a national attribution procedure, documenting progress in implementing cyber norms, and supporting the use of sanctions as a response to cyber incidents. These initiatives showcase Germany’s commitment to promoting cybersecurity, accountability, and international cooperation in tackling cyber threats.

Eugene EG Tan

This comprehensive analysis examines the viewpoints presented by Eugene EG Tan on various aspects of cybersecurity research and responsible behavior. Eugene expresses genuine excitement about a project that takes a broad perspective on cybersecurity, inclusive of diverse stakeholders such as states, industry, civil society, and academia. He believes that the project’s wide consultation and intersectionality greatly contribute to the richness of insights generated.

In terms of academic research in cybersecurity, Eugene argues that it has historically been limited to documenting state actions on an individual or regional level. He identifies a critical need for the development of universal measures of responsibility that can be applied across different contexts. Eugene suggests that this lack of common measurement has impeded progress in defining responsibility in the field of cybersecurity.

Furthermore, Eugene advocates for a collaborative and region-interactive approach within the academic community to enrich cybersecurity research. He highlights that academics often tend to focus on individual contexts or specific topics, but funding opportunities are now emerging, enabling cross-regional interactions. By broadening the conversation and understanding different contexts, this inclusive approach can greatly enhance the overall quality of cybersecurity research.

Controlling for cultural and contextual variables across different regions and states in a global study proves to be a significant challenge. Eugene acknowledges the difficulty in establishing a baseline definition of responsible behavior when conducting research on such a broad scale.

To address this challenge, Eugene suggests that it would be reasonable to identify common aspects of responsible behavior while also acknowledging deviations from the norm. This approach would help establish a baseline definition of responsible behavior and provide valuable insights into how the concept of responsibility varies across different states or businesses.

Eugene also emphasizes the crucial importance of implementing additional measures to ensure responsible behavior in cybersecurity. He believes that it is of utmost importance to determine how these measures can be effectively implemented to mitigate irresponsible behavior, subsequently benefiting the entire cybersecurity community.

Accountability and transparency are highlighted as key concerns in the use of commercial spyware. Eugene points out the lack of transparency surrounding the utilization of such tools and the pressing demand for a systematic focus on providing redress for victims. He argues for a coordinated response that effectively shapes the political and normative environment related to spyware. Furthermore, the ability to attribute responsibility becomes crucial in holding individuals accountable for their actions.

Eugene also supports the notion of state responsibility in protecting human rights and holding violators accountable. He emphasizes that states have a legal obligation to protect and promote human rights. Eugene fervently advocates for individual and collective action by states in bringing perpetrators of abuses, such as abusive surveillance technology, to account. He emphasizes the importance of relying on legal avenues, such as formal investigations and subsequent legal cases against the financiers and commissioners of abusive surveillance technology.

In conclusion, Eugene EG Tan highlights the need for a comprehensive perspective in cybersecurity research, the development of universal measures of responsibility, and a collaborative approach within the academic community. He emphasizes the challenges of controlling cultural and contextual variables in global studies, the critical importance of implementing additional measures to ensure responsible behavior, and the urgent need for accountability and transparency in the use of commercial spyware. Furthermore, Eugene supports state responsibility in protecting human rights and holding violators accountable.

Louise Marie Hurel

The analysis explores various perspectives on responsible cyber behavior and the challenges associated with its implementation. It highlights the importance of understanding different interpretations of responsibility in cyberspace, especially in different contexts. The global partnership, which involves over 70 scholars, aims to map practical understandings of responsible cyber behavior and how it is interpreted by different stakeholders. It emphasizes the need to give a voice to less dominant countries, as their interpretations of responsibility are often overshadowed by larger powers.

In promoting responsible state behavior, capacity building and proper implementation of cyber norms are seen as crucial. Germany, for example, has established a national attribution procedure to hold malicious actors accountable, while Regine Grienberger emphasizes the importance of monitoring and sharing information on the implementation process. However, it is also noted that attribution should be a political decision based on effect-based and responsible analysis, rather than an automatic step towards sanctions. There is a growing desire for sanctions in response to malicious behavior, with the EU having the instrument of sanctions in its diplomatic toolkit.

The analysis also stresses the involvement of other actors, such as the private sector, academia, and civil society, in promoting responsible cyber behavior. Louise Marie Hurel argues for more space to be given to less dominant countries in the debate, including private sector companies like Microsoft. She also highlights the role of academia and research in the global cybersecurity landscape, emphasizing the need to connect researchers with the realities on the ground. Hurel acknowledges the multifaceted aspect of cybersecurity, which encompasses statecraft, private sector involvement in conflict situations, and civil society engagement.

Trust-building and better interregional channels are also deemed essential for advancing responsible cyber behavior. Hurel mentions the Point of Contact directory within the Confidence Building Measures at the Organization of American States as an area for development. Furthermore, the analysis highlights the importance of creating a common understanding of responsible behavior in different states and regions, as well as identifying deviating elements in norms across different states to better understand variations in perceptions of responsibility.

The analysis also explores the nuanced implications of state regulations on cybersecurity. While regulations are necessary to ensure vulnerability disclosures and establish necessary procedures, there are concerns about whether these regulations hinder communication channels that are already established. Hurel advocates for careful contemplation and assessment when developing regulations to ensure effective communication channels and feasible job roles.

In conclusion, the analysis underscores the need for understanding different interpretations of responsibility in cyberspace, providing a voice to less dominant countries, capacity building, proper implementation of cyber norms, the role of sanctions and attribution in promoting responsible state behavior, the involvement of the private sector, academia, and civil society, trust-building and interregional communication, and the nuanced implications of state regulations on cybersecurity. It highlights the multifaceted aspect of cybersecurity and the importance of research and academia in connecting with real-world issues. The significance of creating a common understanding of responsible behavior and identifying variations in norms across different states is also emphasized.
