ICT vulnerabilities: Who is responsible for minimising risks? | Introduction

12 Oct 2023 00:45h - 01:45h UTC


Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

The Geneva Dialogue session, moderated by Anastasiya Kazakova, a Cyber Diplomacy Knowledge Fellow at DiPLA, focused on the implementation of cyber norms, particularly by non-state actors and stakeholders. The session concentrated on two specific cyber norms: supply chain security and responsible reporting of Information and Communication Technology (ICT) vulnerabilities. These norms are part of a set of 11 established by the United Nations to promote responsible behaviour in cyberspace.

Vladimir Radunović, Director of Cyber Security and E-Diplomacy Programs at DiPLA, presented the Zero Draft of the Geneva Manual, a guidance document to aid non-state actors in implementing the cyber norms. Radunović emphasised the importance of various stakeholders, including civil society, industry, research, academic communities, and users, in the successful implementation of these norms. He noted that while the norms are designed for state-to-state relations, their realisation requires the active involvement of these diverse stakeholders.

Participants engaged in a debate, discussing the complexity of the supply chain and the distribution of responsibility among different actors. They noted that industries vary, and vulnerabilities can occur in software or due to misconfigurations, implying a role for consumers, operators, or system integrators. The discussion also covered the use of advanced technologies like Artificial Intelligence (AI) to assist with software verification and traceability. However, it was acknowledged that technology alone cannot solve the problem and that human intervention remains essential.

Another significant topic was the need for a global regulatory framework to address cybersecurity issues effectively. Participants discussed the challenges of synchronising various regulatory frameworks and the necessity of a global jurisdiction as the ideal solution. They also touched upon the importance of handling vulnerabilities correctly, as not all vulnerabilities pose the same risk, and the details of addressing them can be complex.

An audience member commended the Geneva Dialogue for bringing together a vital community and highlighted the importance of the work being done to provide feedback into the UN system and the global system. Anastasiya Kazakova expressed her gratitude for the contributions and encouraged further engagement from the community.

The session concluded with an emphasis on the importance of categorising digital products to understand their criticality and define roles and responsibilities accordingly. It was also noted that even labelled products might not be entirely secure, and users should still exercise due diligence. The need for a regional definition of digital products was also discussed, as different regions may have varying approaches and mindsets.

Kazakova thanked the participants for their contributions and encouraged them to provide feedback on the Geneva Manual, which will be finalised and published later in the year. The manual is expected to serve as a practical guide for stakeholders on how to contribute to reducing vulnerabilities and enhancing cybersecurity. The session underscored the collaborative effort required to address cybersecurity challenges and the importance of multi-stakeholder conversations in shaping a secure and stable cyberspace.

Geneva dialogue session explores implementation of cyber norms by non-state actors

Session transcript

Anastasiya Kazakova:
session. If possible, please sit a bit closer to the stage. It’s not scary. Welcome everyone to the Geneva Dialogue session. Today we will discuss the implementation of the cyber norms, and the focus will be on the implementation of these norms by non-state actors and relevant stakeholders. We will also discuss the expectations between the stakeholders: who should do what and who is expected to do what to implement the norms. Our focus will be on the two specific norms related to supply chain security and responsible reporting of ICT vulnerabilities. My name is Anastasiya Kazakova. For those who don’t know me, I’m a Cyber Diplomacy Knowledge Fellow at DiPLA, and I’d like to remind those who are not familiar with the Geneva Dialogue that the process is an international conversation initiated in 2018, led since then by DiPLA and also initiated by the Swiss Federal Department of Foreign Affairs. This year exclusively we also have the partnership and the support of the Center for Digital Trust, EPFL Lausanne and UBS. The Geneva Dialogue on Responsible Behavior in Cyberspace focuses on the discussion of different roles and responsibilities in cyberspace to enhance security and stability there, and this year we focus on the normative framework which has been agreed upon and negotiated by states; as I mentioned, our focus today is two specific norms. We have covered multiple stakeholders, representatives of different stakeholder groups, throughout this year, and we had different consultations to discuss whether stakeholders agree or disagree with states about these norms, whether they see the challenges, how to implement them, and what could be the best practices that could be shared with other communities. So the early insights that we got will be framed within the Geneva Dialogue, and we will also publish the final results within the Geneva Manual at the end of this calendar year. 
The Geneva Manual will be the comprehensive guidance on the non-state actors’ implementation of these two cyber norms, but strategically we will also expand the outlook and look at the other norms. So, to introduce all of you to what the Geneva Manual is, we have the zero draft and some early insights that we received from the first consultations that we organized with the stakeholders. I’m also happy to introduce my two colleagues, part of the team today, who will also help to moderate the discussion. So online, I hope it’s possible to display the screen. Online with us today, I’m happy to introduce Vladimir Radunović, Director of Cyber Security and E-Diplomacy Programs at DiPLA. Vlada will introduce us to some early insights of the Geneva Manual today, and also with us in the room, I’m happy to introduce Pavlina Edelson, Executive Director of DPLA-US. So probably a final note from my side: we will have the discussion today as one further addition to the consultations we held this year with the non-state actors, and the goal will be to again hear all of your inputs, your agreements and disagreements with the norms, your reflections on where you, as a representative of the stakeholder groups, see the implementation of the norms, and which good practices could be shared in this regard. After the IGF, we will also share the results and the insights within the Geneva Manual, and we’ll also be happy to hear further feedback from the IGF community and beyond. So thank you very much again for joining us, and I’d just like to pass the floor to Vlada to share some early insights of the Geneva Manual. Thank you. Vlada, the floor is yours.

Vladimir Radunović:
Thank you, Nastia. With a traditional greeting, I hope you can hear me from the middle of the night. This is the first time that actually we in the European time zone have to sacrifice our sleep; it’s usually on the Asian side, so I’m glad to break that ice and happy to wake up early. As Nastia mentioned, I’ll briefly run through, if I can be brief, the Geneva Dialogue and what the background and the first intentions of the Geneva Manual are. So I’ll share the screen. I promise I’m not going to bug you for too long with slides, I hate slides, but this is important for the introduction of the discussion. We have been talking about responsible behaviour in cyberspace for quite some time, and many of you know about the United Nations norms of responsible behaviour. There are 11 norms, but two of them particularly stand out for us in the Geneva Dialogue, and they were basically the background of our discussions. Those two norms are one related to the integrity of the supply chain and the other related to reporting of ICT vulnerabilities. The logic was that in the majority of cases of particularly sophisticated cyber attacks, vulnerabilities are one of the main building blocks, and if we could reduce the vulnerabilities in digital products we could probably reduce the exploitation and the load of cyber attacks. So looking at these two norms, if you read them briefly, the first one says the states should take responsible steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products, and the other one says states should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats. 
Now, because these norms are focused on the state-to-state relations, what stands out is the role of the states in these two norms. What is not so clear, but is absolutely clear if you read between the lines, is that none of this can happen without other stakeholders. The information sharing, the response to vulnerabilities, the ensuring of the integrity of the supply chain and the reasonable steps, as the norm says, all basically require the involvement of a variety of stakeholders, and this is exactly what we want to look at. That means civil society, industry, research, academic communities, users and everyone else, and not only the states. Now looking at what the Geneva Dialogue is and how we can describe it, and Nastia scratched the surface of that, the thematic focus in the last couple of years, and we’ve been here for five years already discussing the roles and responsibilities of various stakeholders, is the security of digital products. That is the focus, and these two norms that we’re looking at. When it comes to stakeholders, as I mentioned, we are trying to bring in the views and contributions of all different stakeholders. So both the vendors, who are often doing quite a lot to reduce vulnerabilities by security by design and other approaches; the researchers, who are trying to find and disclose the vulnerabilities; the academic sector, which is usually looking into norms but also assessing the efficiency of some of those practices; and civil society, which has been a lot concerned about human rights, and rightly so, with the espionage and surveillance tools that are also based on vulnerabilities. So there are many actors that actually have a lot of stakes, and we are basically a global initiative. Now, Geneva is in the name, but it is more like the description of the good offices of Geneva for international discussions and dialogue rather than a geographical location. Now, what is the goal of the Geneva Manual? 
As Nastia said, in the past couple of years we’ve been trying to collect good and bad practices of what particularly the industry has been doing in regard to strengthening digital products. But now we’re trying to provide very useful guidance. Imagine it as, and it’s not going to be only a booklet, it will probably be a combination of visuals, tools like AI tools, and interactive platforms. So you get one of those packages; let’s say you’re a representative of an NGO in Africa, it doesn’t really matter. You get one of those small booklets or packages of materials so that you can go through and see what you can do to reduce the vulnerabilities. In your case it could be advocacy, it could be education, it could be pressure on businesses and so on. The same stands for small businesses, the same stands for researchers. Everyone has a role to play, everyone has incentives, everyone has expectations from the others in that pool of actors: governments, businesses, civil society, users and so on. Ultimately all of us are users of digital products. So it should be a very practical guide on what each of us can do and how we interplay best. Now some sneak peeks into the early draft: a couple of general takeaways which are interesting now, still quite general, but there are many more specific ones we are discussing in the process of drafting the manual. So stakeholders agree in general that norms are important, but they often see them differently. Geopolitical trends are challenges to the implementation of those norms. The governments that develop advanced cyber capabilities sometimes retain these vulnerabilities, and there is a risk of that, instead of disclosing them. There is a core shared responsibility and contribution to overall security, so everyone has a role to play. There is no single entity, and this is interesting, that has full, complete control or accountability over supply chain security. 
There is a need for universally accepted rules and standards for supply chain security, and not just in state-to-state relations. Trust is one of the key issues in vulnerability reporting and information sharing. Now moving to a couple of open questions which are really provocative, and we’ll address some of them today at the session. So who is primarily expected to take action on an insecure product vulnerability? Is it the vendor only? Is it the regulator, on a broader and longer term? Is it an open source community, if many of the components are from open source? Is it researchers, or us, the users? Are labeled digital products more secure than non-labeled ones? We have seen attempts of regulators such as Singapore and the EU to introduce labeling schemes. Should there be an obligation on the level of manufacturers for a software bill of materials, so that they actually know what’s inside, and also for patching? Reporting of vulnerabilities to whom would be considered responsible? And a very interesting question: can we really trust national cybersecurity authorities, having in mind the possible abuse of vulnerabilities for state capacities? In terms of the supply chain, is it possible to develop global rules for the supply chain today, and is there an appropriate international platform for that? And lastly, are commercial vendors responsible for vulnerabilities in the open source that they use, and most of them actually use open source, and should they be required to actually patch and return the patches to the open source community? These are just some questions that we touch upon. As Nastia said, what we expect from you, apart from this discussion, is to share good and bad practices and your views on these questions. Be with us when we draft, in a public form, the final output of the Geneva Manual online, and then the event in Geneva, but I’m sure Nastia will mention more on that. Nastia, back to you. 
I’ll just share the questions they will discuss, but back to you to guide the next steps.

Anastasiya Kazakova:
Thank you very much, Vlada. And thanks so much for sharing the summaries from the Zero Draft. For those who are already partners of the Dialogue, we’ll be sharing the Zero Draft really soon, and we’ll be grateful for your feedback. Again, agreements and disagreements with different bits of the Manual. And again, if you are not a part of the Dialogue but you would like to contribute, feel free to reach out to us. The final launch of the inaugural edition of the Manual will be in December this year. So now we’d like to again hear your thoughts, and we have four questions for the discussion. You have them on the big screen. The idea is that, with my colleague Pavlina, we’d like to split you into two small groups, but probably we’ll just make one group. And let’s discuss the questions, and the people who join us so late, for those who are based in Europe and for others who are based in other parts of the world, in Zoom. So this is a question that we also invite you to discuss. We’ll have around 20 minutes to share the reflections. Vlada and I will carefully listen to all of you to make the notes that will be extremely valuable for further work on the Manual. And after the 20 minutes, we will also have the floor to ask some follow-up questions and to share the summaries. And again, if you have any further reading contributions, we’ll be really grateful for this. So now, Vlada, I guess we’ll take the moment for the discussion and I’ll get back to the main room in 20 minutes.

Vladimir Radunović:
Fran, you can mute us in your room and then we’ll continue discussions online and get back to you in 20 minutes.

Anastasiya Kazakova:
So we kindly ask the organizers to mute as well as for the participants who joined online so we do not interrupt the discussions as well. Thank you.

Vladimir Radunović:
Unplug the cables. Okay. I hope they won’t be okay. We cannot hear us. Yeah, that’s good. And I hope they cannot hear us.

Debate:
Can we mute as well, participants on the Zoom? Okay. I don’t hear Vlada anymore. So that’s good. Thank you. So why don’t we just move these chairs like this? I’m sorry. Okay. Okay. So, sorry, can we get back to the slides? Thank you. I also have a number of questions. So the first question is, who is responsible for vulnerability in the situation of addicts and for such incidents? And then this question, the other question, is primarily asking who is supposed to take action to reduce the problem of violence in the world, and who should act to improve happiness, equity, and so on. Will you please join us for the discussion? Thank you. So one side aspires to the supply chain of digital products, while there is no integrity of the responsibility chain. So we would like to have a digital product, but we would like to be liable for what happens. So as there is integrity of the supply chain, there should be integrity of the responsibility chain as well, one way or another. I also think that the question of liability should be addressed in financial insurance kind of terms, and I think there would be more efforts to study how that applies to digital products in a sense. It’s a supply chain. I think those were the ways in which they break up groups that we have. I’m just generally wondering how important it is to combat norms that were being discussed not with full information or with the perspectives from multidisciplinary or different stakeholders, and how sometimes the operationalization of those norms fail to go back to the way the norms were addressed originally, because they sometimes have very little sense of the current administrative viewpoint of the technical community. What does that mean? And do we need to sort of interpret them very creatively? Certainly with intention, but really working on the bezel, which is the minimalist type. 
I guess the same kind of dependence on the social side is true in the world, and once we also have a machine, and people come and say, hey, what do you want me to do? So further division of the roles is quite a problem. I just met a guy from London, a famous game developer, and he’s under a stress. He’s a high security expert. He’s seen it. He’s known them. Same kind of role. Just for gaming, you need to try new things. And they like to entertain everyone, but that’s not good. I just met him. That’s the same thing. They think it’s quite nice to have a video game. Or transparency. So, I think we need to have a different category of products. We face that problem all the time. We have zillions of products. Individual needs. Internal rules. Internal rules to govern all of this is impossible. So, we have to figure out. We are always challenged to figure out how to come up with ways to say, you need to do this, but you don’t need to do that. In a reasonable way. I also touched on this at the end of that. I’m worried about transparency. The mobile they have. I can’t imagine what the opposition is going to say. This line of devices we buy. This is to understand. When it comes to digital products, there are cloud-based solutions. So, we have to approach different solutions. That’s mainly cloud-based. It’s hosted. So, I believe they are responsible for getting it. I don’t know. I don’t know. Is there room? I am in the right set of vulnerabilities. I feel like we need to know that it’s a new, globally diverse place, and knowing people is not an opportunity. But at the same time, it’s a global solution, and how we do this is important. And this is an issue that we need to solve. What about the role of consumer groups and their relationship with the consumer? 
There’s a strong sense of community, and there’s a kind of mutual interest. And we need to be able to have meetings, to have discussions, to be able to discuss issues. But how do we do this? So, how do I do this? Well, there’s a certain approach to harmonization. I don’t know if there’s any other questions. I’d like to look at this from a national level. What is the question on consumer protection? Where do we go from here? I don’t know about you, but you don’t have a baseline. There are groups who are trying to build a global, let’s say, second level of understanding of the issue of the consumer. And they’re very active in the international forum as well. But you are basically running into the same issues of not having a baseline. What is it that consumers are doing to consider for us not to be dangerous, not to be taxing, to be safe, not to be dangerous, et cetera, et cetera. What about the EU? You guys don’t know stuff. The EU doesn’t know stuff. No, they don’t. The EU doesn’t know stuff. Yeah. The EU is trying to do a certain thing. We’ve heard about AI. There are certain platforms for the market. There are certain things that are being shared. Yeah. What about the United States? I don’t know what happened. I don’t know. What about variations of statistics? Yeah. And what’s happening in the United States is the regulations on pharmaceuticals and that all. And they’re not tied to, for example, the data that’s coming from the persons and personal data. So they’re tied to the user. They’re tied to being a consumer. And in a sense, that’s going to be a driver for that. I don’t know. I don’t know. I don’t know. I don’t know. Yeah. What’s it like to be a citizen? It’s like a little sitcom. It’s not bad. It’s not always a good time. No. The floor. Can we give him another minute and then you can hear him as well. I guess Martin is gonna have a problem with that. And then you take over the floor. Is that ok. Yeah, absolutely. Yeah.

Anastasiya Kazakova:
Sure. Do you want me to run through our group quickly?

Vladimir Radunović:
Yeah, that would be good. Please do. So we didn’t address it question by question; I think we addressed all of them simultaneously. Some interesting takeaways that we came up with: the list of actors that we have to look at is actually bigger. Not all industries are the same, so there are differences in the industry players; some are producing gadgets, some are producing components. Then, not all vulnerabilities are in software; some are in misconfiguration, which means you also have consumers or operators or system integrators. Then, taking an analogy with the food supply chain, if you find something wrong in a food you go back to maybe a supermarket first and then complain, which means we also have the responsibility of those marketplaces, whether those are the app stores or other platforms or distributors that are actually distributing the product. So the pool of responsibilities is getting bigger and bigger. There were mentions of the use of advanced emerging technologies like AI to assist with the verification of software, traceability and so on, dependencies, but ultimately it’s a human problem. We cannot solve it without, ideally, a global system in a global jurisdiction, as the only possible way. And that brought us to the regulatory framework, where we also had a chance to have a delegate from the European Union tell us about the CRA plans, thinking about the territorial effect of the regulations and the jurisdictions, basically that there is an open question of how to sync all these sorts of regulatory frameworks. And finally, as I think Martin concluded, the devil is in the details when it comes to sharing the information and when it comes to addressing the vulnerabilities: not all vulnerabilities are the same, some bring risks as a bomb has certain risks, so it’s really the devil is in the details, and we have to unpack each and every detail of that and find the best way. I actually forgot something, but the others can probably place it in the chat if I forgot any important message. Back to you.

Anastasiya Kazakova:
Thanks a lot. And I’m really also happy personally to see all the familiar faces joining us. So, in our room, we also touched on various aspects, and I think that was really helpful. In particular, we discussed the responsibility for the integrity of the supply chains, and we often speak about the technical community, but there was a really good comment: what the technical community actually includes, and which particular actors and roles it presumes in a particular context. I think a couple of the colleagues also mentioned that, for discussing the security of digital products, we need a further categorization of these products to understand the level of criticality for each subset of the products, to define further the roles, responsibility and accountability. And with regard to whether the labeled or non-labeled products provide more security, we had conversations that it’s actually not necessarily the case that labeled products provide more security, and that might be one of the factors. Actually, users who lack security information about the products need to be aware that even if the product is labeled it still might not be completely or absolutely secure, so some of the due diligence, even on the shoulders of the users, still needs to be taken on. And I think one of the final good comments we discussed is the further definition of digital products within the context of the Geneva Dialogue. Previously we discussed different approaches across the industry on how to define digital products; we also relied on the definition of the OECD and other communities. So definitely it’s one of the questions that might have regional specifics, depending on where the community is located and which approaches and mindsets are prevailing, but overall that’s one of the open questions that still exists in the community. I’d like to open briefly the floor if anybody would like to take the floor and share any concluding remarks, both online and on site.

Audience:
I wouldn’t mind just quickly commending, can I commend the Geneva Dialogue, and in particular Vlad and yourself, Nastia, for bringing this vitally important community together. It’s great to see the industry here, and it’s fantastic also to see folks like Madison from GitHub, very important community. It’s very important that we all come together for this, and I know that you’re doing a lot of work behind the scenes to pull together this overall feedback into the UN system, into the global system. And I just wanted to flag what a terrific job you’re doing, and thank you for doing it.

Anastasiya Kazakova:
Thank you, Christopher, for your always kind words and your contributions, regardless of where you are, and for your commitment to participate in the discussions. Vlad, if you have any brief reflections. So thank you so much. Again, we’re really grateful for all of your feedback. We are finalizing the Geneva Manual, the zero draft. As a reminder, this will be published later this year as comprehensive guidance on the contributions which relevant stakeholders could make to implement the norms. There could be different discussions of where the stakeholders agree with the norms that have been negotiated by states, where they still see the challenges to implement them, and which good practices could be shared and found useful by others in other regions and other communities. We do invite you, after this session, to contribute and to share your feedback; you could find the zero draft of the Geneva Manual later this month at the Geneva dialect that ch, this is the main website, but also feel free to reach out directly to us. Thank you so much for being here and for your contributions. Thank you so much to those who joined us online, especially so late. We wish everyone the rest of the IGF and a good day and a good night. Thank you. Thank you.

Speaker statistics

Anastasiya Kazakova: speech speed 144 words per minute; speech length 1546 words; speech time 645 secs
Audience: speech speed 129 words per minute; speech length 116 words; speech time 54 secs
Debate: speech speed 114 words per minute; speech length 1190 words; speech time 626 secs
Vladimir Radunović: speech speed 165 words per minute; speech length 1809 words; speech time 659 secs