The team of researchers from the Georgia Institute of Technology has revealed the new form of ransomware malware that attacks specifically the industrial systems. At the RSA Conference in San Francisco, they presented the malware that penetrates the simulated water treatment plant, to emphasise that perpetrators including criminals can also disrupt industrial facilities. The malware that attacks some of the common programmable logic controllers (PLCs) often found in industrial facilities could enable a perpetrators to close or lock down infected industrial systems, thereby holding a utility hostage, and require a ransom. More importantly, the malware could enable attacks on critical infrastructure that could put down power-plants or dump life-threatening amounts of chlorine in water supplies which could potentially poison entire cities. The news comes weeks after the criminals managed to infect the computer system of a hotel in Austria with ransomware, lock the guests in the rooms and request a €1,500 for ransom.
UN Group of Governmental Experts (GGE) on ICT and international security should pause the development of new norms and confidence building measures related to state behavour in cyberspace, and should instead focus on ensuring that the states implement the already defined ones, the US delegate to the UN GGE and deputy coordinator for cyber issues in the Office of the Coordinator for Cyber Affairs at the US Department of State stated at the Carnegie Endowment for International Peace event. Markoff also evaluated the US-Russia cyber-relations as a bright spot, and commented that Russia has not breached the agreed GGE norms in case of alleged cyber-attack against power grid in Ukraine since the norms apply in peacetime, rather than during the conflicts.
Critical infrastructures (CI) can be defined loosely as ‘systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety’ (according to the IETF Security Glossary). And most countries have defined their own CI depending on their national context; in most cases, these include both core Internet and, more widely, ICT infrastructures (such as telecommunications networks), and transport, energy, and other key infrastructures that are more and more relying on ICTs.
Critical (information) infrastructure protection (CIP) is ever more important because critical infrastructures depend increasingly on networks linked to Internet. Many vital parts of global society ‒ including industries such as energy, water, and finance ‒ are becoming more and more dependent on the Internet and other computer networks as an information infrastructure. While allowing for resource optimisation, this also leaves them at the risk of a cyberattack or an Internet fallout.
The history of the concept can be traced back to the 1998 US Presidential Decision Directive PDD-63 which set up a national programme of Critical Infrastructure Protection. The aim was to secure infrastructures of national importance from cybersecurity risks. Over the last 15 years the concept of CI has developed into a broader concept to include supply chain insurance to physical damage from natural hazards, as well as targeted physical attacks.
In 2007, the IETF added Critical Information Infrastructures to the Internet Security Glossary (RFC 4949). The definition adopted by IETF (presented in the beginning of this description) shows that while ICT can be a CI in itself, the implementation of ICTs in our daily activity has made it a transversal subject. In order to face cyber risks, many countries and even some larger institutions have developed teams of individuals that may respond in case of emergency. This type of team is often called a Computer Emergency Response Teams, but other variations are Computer Emergency Readiness Teams or Computer Security Incident Response Teams (CSIRT). In the case of nation states, these teams are often characterized by strong public-private partnerships (PPP) as many CIs are in the hands of the private sector. The policies pertaining to Information Infrastructure are often called Critical Information Infrastructure Protection (CIIP) policies.
The US Presidential Decision Directive PDD-63 was updated in 2003 through the Homeland Security Presidential Directive 7 for Critical Infrastructure Identification, Prioritization, and Protection. This update broadened the definition of infrastructure as the physical and virtual systems that are 'so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters'. In 2013, it was replaced by PPD21 - Critical Infrastructure Security and Resilience with the intention of advancing national efforts to 'strengthen and maintain secure, functioning and resilient critical infrastructure'. The policy directive was accompanied by the Executive Order 13636 'Improving Critical Infrastructure Cybersecurity'. The National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity in February 2014. The document provides a generic guideline on how companies and institutions in charge of CI can organize, improve, mitigate and recover from a cyberattack.
In the European Union, the European Programme for Critical Infrastructure Protection (EPCIP), presented by the European Commission in 2006, outlined a series of principles, processes and instruments proposed to implement EPCIP. A complementing CIIP action plan was also set out, and it was built on five pillars: preparedness and prevention, detection and response, mitigation and recovery, international cooperation, and criteria for European Critical Infrastructures in the field of ICT. Directive 2008/114/EC on the identification and designation of European critical infrastructures followed, with the aim to set up a ‘procedure for the identification and designation of European critical infrastructures (‘ECIs’), and a common approach to the assessment of the need to improve the protection of such infrastructures in order to contribute to the protection of people’. The proposal for a Network and Information Security Directive (proposed by the European Commission in 2013 and agreed upon by Parliament, Council and Commission in December 2015), paired with the EU Cybersecurity Strategy, sets a more specific guidance to member states on the CIIP measures, including the setting up of CERTs. At the same time, the European Union Agency for Network and Information Security (ENISA) is in charge of following up on the implementation of CIIP measures, and providing capacity-building measures and resources. ENISA works closely with national CERTs.
The OECD Recommendations on CIIP (2008) provides a number of steps for the member states: at national level, states are invited to adopt policy objectives on high-level, develop national strategy, identify government agencies and organisations responsible for CIIP, develop organisational structure for prevention and response, including independent (CERTs), consult with private sector and build trusted public-private partnerships, facilitate information sharing with acknowledging the sensitivity of certain information, conduct risk assessment, etc. At the international level, states are encouraged to enhance information sharing and strengthen cooperation across institutions in charge of CIIP.
The Organization of American States (OAS), by General Assembly resolution AG/RES 1939 XXXIII-O/03 of 2003 has the Inter-American Cyber-Security Strategy which pools the efforts of three existing, related groupings of the organisation: the Inter-American Committee against Terrorism (CICTE), Ministers of Justice or Other Ministers or Attorneys General of the Americas (REMJA), and Inter-American Telecommunication Commission (CITEL). These groups cooperate to implement programmes that will prevent cybercrime by, among other things, protecting the critical infrastructure by legislative and other procedural measures.
In 2007, the International Telecommunication Union (ITU), in cooperation with the Center for Security Studies of ETH Zurich, provided a generic national framework for CIIP, with a number of action pillars. ETH Zurich also published the International CIIP Handbook 2008/2009, with an inventory of 25 national and seven international CIIP policies.
The latest edition of glossary, compiled by DiploFoundation, contains explanations of over 130 acronyms, initialisms, and abbreviations used in IG parlance. In addition to the complete term, most entries include a concise explanation and a link for further information.
The book, now in its sixth edition, provides a comprehensive overview of the main issues and actors in the field of Internet governance and digital policy through a practical framework for analysis, discussion, and resolution of significant issues. It has been translated into many languages.
The study provides an overview of the international dialogue on establishing norms of state behaviour and confidence-building measures (CBMs) in cyberspace. It offers a comparative analysis of the leading international and regional political documents outlining cyber-norms, CBMs to reduce conflict stemming from the use of ICT, and capacity-building efforts to strengthen co-operation on cybersecurity. It discusses how they could further influence each other, and notes several specific directions that further developments could take.
The report, prepared by the Global Commission on Internet Governance, outlines a series of recommendations to policy makers, private industry, the technical community and other stakeholders on modalities for maintaining a ‘healthy Internet’. It tackles aspects such as: the promotion of a safe, open and secure Internet, human rights for digital citizens, the responsibilities of the private sector, safeguarding the stability and resiliency of the Internet’s core infrastructure, and improving multistakeholder Internet governance.
The moderator, Mr Jean Yves Art, Senior Director, Strategic Partnerships, Microsoft, introduced the panellists and said that Microsoft is proposing a Digital Geneva Convention:
1. To protect civilians against state-sponsored cyber-attacks
2. To assist the private sector to detect and respond to cyber-attacks on companies’ infrastructure
3. To protect companies from states launching cyber-attacks using the companies’ infrastructure
4. To set up institutions to identify the sources of cyber-attacks
H.E. Monique TG van Daalen, Ambassador Extraordinary and Plenipotentiary Permanent Representative of the Kingdom of Netherlands to the United Nations and other international organisations in Geneva, gave a state perspective on the Digital Geneva Convention. The economies of states rely on the Internet more and more. Highly digitalised countries want to keep the Internet open. The Netherlands wants to enhance security on the Internet through international cyber diplomacy. Van Daalen said that Microsoft efforts are greatly appreciated in the Digital Geneva Convention debate. But Van Daalen pointed out that the name could bring confusion because to some, it could mean that the 1949 Geneva Convention is no longer valid. With regard to the proposed Digital Geneva Convention, Van Daalen expressed appreciations towards Microsoft’s efforts, but noted that it will be a cumbersome process to debate such a convention. He also pointed out that the Netherlands remains committed to the principles that the rights people enjoy offline must also apply online.
Mr Laurent Gisel, Legal advisor at International Committee of the Red Cross (ICRC), highlighted that the ICRC is responsible for the development of international humanitarian law. The ICRC’s wish is to see that emerging issues be captured in international law to reduce suffering, since new weapons in warfare pertain to technology.
Cyber-attacks used today are criminal acts. Cyber warfare is as much of a concern as any attack on humanity. The use of cyber-attacks on transportation systems, hospitals, and other critical infrastructurescan result in great human casualties. Cyber operations can endanger humans, and the ICRC backs Microsoft’s proposal for international law.
The 47th WEF Annual Meeting, which took place in Davos-Klosters, Switzerland, on 17‒20 January, brought together leaders from across business, government, international organisations, academia, and civil society, to discuss several digital policy issues.
The future of the digital economy was an overarching theme for many sessions, exploring aspects such as the digital transformation of industries, the fourth industrial revolution and its implications (in areas such as gender equality and jobs), steps for shaping national digital strategies, the need for shared norms and rules for the digital economy, and trust-based collaboration among stakeholders. Security and crime in the digital era were part of the discussions, with a focus on multistakeholder approaches for tackling cybercrime, the cyber resilience of critical infrastructures, cyberwar and forms of manifestation, and terrorism in the digital age. During the meeting, WEF launched a report on Advancing Cyber Resilience: Principles and Tools for Boards. Prepared in collaboration with the Boston Consulting Group and Hewlett Packard Enterprises, the report outlines a series of principles and tools for companies to tackle cybersecurity risks and ensure the resilience of their information infrastructures.
The advancements in the field of Internet of Things (IoT) and artificial intelligence (AI) were also looked at during this year's WEF meeting, as participants explored policy implications and outlined the need for principles and standards to ensure that IoT and AI products bring benefits to society as a whole, while minimising the risks (in areas such as social inclusion, privacy, and security). Trustworthy online information, a topic that has attracted a lot of attention lately, was also discussed, with a focus on possible modalities for balancing freedom of expression with the need to educate users on how to differentiate between real and misinformation.
In addition to contributing thir views to these and many other discussion tracks, WEF participants used the meeting as an opportunity to launch new initiatives and agree on future actions. In one such example, major financial service providers (e.g. Mastercard, Visa, and Paypal), global IT and telecom companies (e.g. Ericsson and GSMA), and intergovernmental organisations (e.g. the United Nations Development Program and the United Nations High Commissioner for Refugees) agreed on six principles on public-private cooperation aimed at facilitating digital cash payments in crisis-affected populations.
As has been the case at many other high-level events recently, the Agenda for Sustainable Development also featured high in Davos. On a more general level, world leaders discussed the challenges of globalisation and the increasing anti-globalisation trends. Many of the debates revolved around the need to identify modalities for reforming the governance of globalisation processes, with a view to improving them and making them better suited to contribute to global growth and development.
In general, the workshops on infrastructure focused on specific areas, such as IXPs, spectrum, interconnection, and IPv6. The often technical discussions verged on other issues, such as sustainable development and security. In relation to other areas, few workshops on infrastructure were scheduled.
There must be a commercial rationale for IXPs to be more widely introduced and for actors to identify with. IXPs: Driving Connectivity and Local Economies (WS 171) served to showcase the success of some regions in establishing IXPs. Canada, for example, has 7 IXPs, whereas the Caribbean region has 11 IXPs. Accounting for this success, especially in the Caribbean, is the fact that regulators are not running them but simply playing a mediatory role. The discussion provided further insights into the current usage of IXPs in developed and developing countries, and offered suggestions for successful uptake. Among these are the fact that they should be community-led rather than having a top-down structure, they should have a reasonable governance structure, and they should be not-for-profit organisations. More case studies were presented during Ensuring Sustainability for IXPs in the Developing World (WS 201), which concluded that, as in many areas of Internet governance, one size does not fit all when it comes to the governance of IXPs.
The topic of protection of key Internet resources resurfaces in digital policy discussions from time to time. In The Global ‘Public Interest’ in Critical Internet Resources (WS 52), it was concluded that an open process of running the infrastructure of the Internet was crucial. The discussion centred on how the Internet, as a global resource, could be managed in an open and inclusive manner that serves the public interest.
It is interesting to note that the panellists could not agree on a definition of public interest in order to determine what this means with respect to critical Internet resources. In Spectrum Allocations: Challenges & Opportunities at the Edge (WS 188), panellists discussed how new technology - including geo-satellites, orbits, high-altitude platform services, drones, and ‘balloons’ - was putting pressure on the use of spectrum. There are various opportunities, including the development of software for spectrum management.
But just as software was introduced into the management of taxis, resulting in huge efficiencies but at the same time many social and economic downsides, we can either wait for the ‘Uberisation’ of spectrum management to happen, or regulate and manage the process in order to maximise the benefits of software.
In relation to the deployment of IPv6, further discussions on the persistent problem of the depletion of IPv4 numbers took place during the Best Practices Forum (BPF) on Creating an Enabling Environment for IPv6 Adoption. Although the pool of IPv4 is running out at an alarming rate, the panel agreed that the deployment of IPv6 is happening, albeit at its own pace. It was predicted that next year’s BPF will most likely focus on the economic aspects of IPv6 deployment.