The 6th Cyber Stability Conference's started with opening remarks by Ms Renata Dwan (Director of UNIDIR) who recognised the importance of a multistakeholder dialogue, underlining UNIDIR’s efforts in this regard. She also mentioned the role of signalling in online behaviour, given that it fosters predictability in state behaviour, and is an essential element of cyber deterrence.
Mr Michael Møller (Director-General, United Nations Office at Geneva) reminded the audience of the dangers and challenges that emerged alongside the rapid development of information and communications technology (ICT), and the difficulties in finding common agreements on the regulation of cyberspace.
Session 1 – Preventing and Mitigating the Risk of Conflict Stemming from the Malicious Use of ICT: Insights into Current State Strategy and Practice
Mr Sean Kanuck (Director of Cyber, Space and Future Conflict at IISS) moderated the first panel and spoke about discrepancies between diplomatic declarations and national cyber strategies. Kanuck reiterated the importance of signalling, and highlighted the importance of making sure that digital weapons are used in measured and proportional ways. He noted that deterrence strategies are often difficult to implement, given the little knowledge that is out there about the potential damages by cyber tools, and the secrecy surrounding cyber weapons. Indeed, if these weapons cannot be calibrated sufficiently, signalling might not be used with the same sophistication as it would with a conventional military 'show of force'.
The first panellist, Ms Michelle Price (Chief Executive Officer, Australian Cybersecurity Growth Network) identified technological convergence as one of the main challenges of cyber stability. Given that legitimate and illegitimate actors alike have access to and use the same technologies, it is harder for legitimate actors to catch up with actions perpetuated by illegitimate ones. She thus urged policymakers to adapt strategies to find quicker responses to rapidly changing threat levels.
Another growing issue is supply-chain security. According to Price, applying due diligence on supply-chains is becoming more difficult than ever, given that knowledge supply chains nowadays are intertwined with physical supply chains, making supply-chain protection much more complex and difficult.
She also noted that within national spheres, governments try to regulate different elements of cyberspace (e.g. local governments vs. national governments) which leads to working in silos and undermining multilateral efforts.
Price further mentioned the establishment of public-private partnerships. Although she recognised the challenges and difficulties of these partnerships, she identified them as crucial in order to help governments and regulators to keep pace with rapid technological developments. She further advocated for the implementation of incentives and reward-based models to foster multistakeholder involvement.
The second panellist, Mr Chuanying Lu (Senior Fellow at the Shanghai Institute for International Studies) introduced the concept of an insecurity dilemma in the context of cybersecurity. Therein, one of the questions faced by governments is whether to adopt an offensive or defensive stance, considering that offensive actions online are easier to carry out than to build defences.
Another challenge is the attribution of an attack. Lu noted that only very few actors have the capacity to investigate the origins of an attack. Furthermore, the insecurity dilemma also affects countries’ e-commerce activities as they are a very important source of data that can be stolen and used with malicious intent. Given the threats to cyber stability, Lu emphasised the necessity for countries such as China, Russia and the United States to take on a more prominent role in the determination of internationally agreed frameworks, given their wide expertise and power to enforce these frameworks.
The third panellist, Mr Oleg Shakirov (Expert on Foreign Policy and Security at the Center for Strategic Research) drew parallels from pacts and agreements made between the United States and the Soviet Union for today’s ensurance of cyber stability. He referred to the US-Soviet Incidents at Sea agreement in 1972, the Agreement on the Prevention of Nuclear War in 1973, the US–Soviet Agreement on the Prevention of Dangerous Military Activities in 1989, and the Memorandum of Understanding of Flight Safety in Syria in 2015.
Certain mechanisms, such as calls for urgent negotiations in case of imminent nuclear attacks, could be implemented in cyberspace, according to Shakirov. Other restrictions, such as conducting military exercises in cyberspace, which could be perceived as a threat by certain actors, could also be regulated in a similar way to that outlined in the Prevention of Dangerous Military Activities agreement.
Shakirov used further examples for the illustration of achieving cyber stability based on these bilateral treaties, and highlighted that they had already served as templates for other bilateral agreements between states. He concluded by saying that these could once again serve as best cases for cyberspace issues.
The fourth panellist, Mr Rafal Rohozinski (Chief Executive Officer of The SecDev Group) pointed out that we have been instilled with a culture of rules. He took the example of a recent power shortage and blackout in Ottawa after the passing of six hurricanes, explaining that despite the lack of power, activities that did not need power carried on normally, traffic kept on running and that this was due to a culture of rules. He further noted that nowadays space flights are also surrounded by rules that were set up in the decade after the first flight, and they have evolved into a culture of rules.
He stated that in the absence of this culture of rules, and the lack of universally accepted rules in cyberspace, efforts of achieving cyber stability and mitigating conflicts prove much more difficult. He advocated for the emergence of a hybrid model for the governance of the Internet, picking up on the Internet Corporation for Assigned Names and Numbers' (ICANN) multistakeholder model. He argued that providing predictability in cyber related matters is a critical component for the strategic development of the Internet, given that 20% to 30% of the global Gross Domestic Product (GDP) is already dependent on the digital economy.
Additionally, he hinted at the lack of policy frameworks regarding the evolution of artificial intelligence (AI) as critical infrastructure, and underlined AI's importance in light of the crucial role that it could play in the future of cyber defence.
Session 2 – Regional Opportunities and Mechanisms to Prevent and Mitigate Cyber Conflict
The second panel was moderated by Mr Paul Cornish (Associate Director, Oxford Martin Fellow, The Global Cyber Security Capacity Centre), who started the session with brief introductory remarks. He argued that we have been trying to govern, organise, and discipline the global (cyber) environment, looking at the problem with three different approaches: bottom up, sideways, and by observing various regional initiatives. All these discussions seem to be shifting from theoretical to practical ones; now, they are in the implementation phase. However, help is needed for effective regional co-operation and stability in the digital sphere.
The first panellist, Ms Katherine Getao (ICT Secretary, Ministry of ICT of Kenya), addressed the topic by recalling two African cornerstones in terms of prevention and mitigation of cyber conflicts. First, the African Union Convention on Cyber Security and Personal Data Protection, which mainly focused on civil conflict and cybercrime. Second, the African involvement in the work of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), which mainly focused on state-to-state conflicts. Getao argued that previous examples represented attempts to create norms; however, any robust and stable mechanism needs to be mutually internalised, understood, and implemented. Following this line, she said that the African pathway for a stable and robust mechanism is still in its beginning stages. She underlined the importance of public-private partnerships that Kenya has in place in terms of digital co-operation. Finally, Getao concluded her remarks by addressing the lack of practical and adequate rules, stating that they need to be evaluated in practice and in practical scenarios.
The second panellist, Ms Heli Tiirmaa-Klaar (Ambassador for Cyber Diplomacy, Ministry of Foreign Affairs of Estonia), framed her speech by arguing a need to differentiate contexts in various regions. She focused the examples of regionalism such as the European Union (EU). Tiirmaa-Klaar highlighted the unique nature of the EU, where member states delegate a part of their sovereign rights. She pointed to the EU as a good example of successful cyber conflict prevention mitigation legislation. In this regard, she argued that the involvement by the private sector is indispensable, as 90% of the services necessary for resilience belong to the private sector. Finally, she concluded by pointing out that in Estonia, the involvement of the private tech sector was essential and constant in digital co-operation.
The third panellist, Ms Nato Goderdzishvili (Head of Legal Department, LEPL Data Exchange Agency, Ministry of Justice of Georgia), focused on Georgia, and its activities in regional digital co-operation. She explained that, on the national level, Georgia invests both in capacity building for government authorities, and technical co-operation in Computer Emergency Response Team (CERT) communities. On the regional level, she gave the Eastern Partnership countries (Georgia, Armenia, Azerbaijan, Moldova and Ukraine) as examples, stating that when the same threat actors are involved, resource sharing to co-operate against threats and challenges is needed. Goderdzishvili also said that Georgia was working on making Georgian legislation comply with EU laws; and working closely with the North Atlantic Treaty Organization (NATO) in organising two advanced research workshops as platforms for drafting co-operation proposals. Stressing that three critical sectors for Georgia are energy, finance, and transportation, she underlined the need for collaboration with the private sector, especially related to confidence-building measures.
Fourth panellist, Mr Pablo Hinojosa (Strategic Engagement Director, APNIC Asia Pacific Network Information Centre), approached the topic from an Asia-Pacific regional perceptive. He explained the different assumptions and starting points when addressing the issue of regional co-operation. On the one hand, in international relations, the starting point is often the lack of trust in technologies. While on the other hand, trust is the basic principle for technology use, thus, the starting point must be maintaining trust. However, attacking authoritative services such as DNS route services, and reverse DNS undermine trust, affecting the public core of the Internet. Hinojosa concluded his remarks by stressing the need for cyber norms for states to be a trusted partner in driving implementation.
Session 3 – The Role of the Private Sector in Countering the Proliferation of Malicious ICT Capabilities, Tools and Techniques
The third panel was moderated by Ms Kerstin Vignard (Deputy Director and Chief of Operations at UNIDIR) who welcomed participants from the private sector and academia, highlighting their role in identifying urgent issues in cyberspace that could easily escalate and become security threats. She noted that collaborating with the private sector allows states to become informed of issues that non-state actors perceive as pressing matters.
Mr John Malery (Research Affiliate at the Computer Science & Artificial Intelligence Laboratory of the MIT) spoke about the importance of 'foregoing offensive capabilities in order to increase cyber stability' by enforcing a form of arms control. He also acknowledged the difficulty of enforcing conventional arms proliferation counter-measures, given the covert nature of cyber weapons. Malery thus emphasised the necessity of adopting proactive architectural changes for the protection of cyberspace instead of patching up vulnerabilities which are often discovered after an attack. In addition, he proposed the adoption of equity processes in which countries determine whether a newly developed cyber weapon is deemed disproportionately harmful or whether it can be kept for future use.
He also presented a range of national policy levers which could be used to incentivise better system resilience. These ranged from naming and shaming practices, to the support of insurance markets, tax policies, and trade incentives. Malery believes that through such incentives it would be possible to encourage all parties to move away from an offensive arms race towards a defensive arms race.
Mr Nicolas Mazzucchi (Research Fellow at Fondation pour la Recherche Stratégique) focused on the emerging role of cyber criminality and warned that we might see the rise of cyber mercenaries a few years from now. Mazzucchi pointed out that the problem of the attribution of an attack is not as much a technical issue, as it is a political one. Seeing that malicious cyber tools are already being used for geopolitical reasons, reverse-engineering of these weapons by non-state actors has become common practice. Additionally, these tools are being offered and sold on the black market through brokers.
He cautioned against practices of 'hack-backs' in which companies or states that have been breached would retaliate by trying to penetrate the attacker’s systems. In his opinion, these practices would only create more tension.
According to Mazzucchi, technological developments, such as the emergence of artificial intelligence (AI) and the Internet of things (IoT), will lead to new strategies in cyberterrorism and cyberwarfare, leading to a shift from attacks that mainly target IT infrastructures, to attacks that target widespread, privately-used and connected devices. In order to better prepare for these developments, confidence building measures must not solely focus on intergovernmental co-operation, but also should be established between states and private companies.
He explained that current cybersecurity strategies are based on a stronghold model which aims at being impenetrable, trying to keep up with cybercriminals’ various types of attacks. Lastly, Mazzucchi asked: 'Do we want resilience or do we want resistance?', stating that the answer to this question changes how governments interact with private companies.
Ms Liga Rozentale (Director of Cybersecurity Policy, Europe, Microsoft) reiterated Microsoft’s common efforts for peace, clear principles for industry and governments, as well as accountability for infringements perpetuated against these principles. She mentioned Microsoft’s programmes working with law enforcement agencies on the prevention of cybercrime as well as the Tech Accord, which empowers customers and citizens worldwide, aiming to prevent companies from becoming complicit to governmental abuse of privacy. Rozentale stated that Microsoft is one of the main sponsors of the Paris Peace Forum in November 2018, which will happen alongside IGF 2018 in Paris.
Rozentale further spoke about the role of private companies in drawing governments’ attention to certain issues and developments in cyberspace. She mentioned that Microsoft does not believe that more policies are needed to regulate cyberspace, but rather, that existing frameworks should be reinforced.
Mr Anton Shingarev (Vice President for Public Affairs at Kaspersky Lab) gave an overview of the trends in cyberattacks. He firstly mentioned the fast growing number of advanced persistent threat (APT) attacks. The problem of these attacks is that it is difficult to determine whether the attacks are state-sponsored or criminal. Shingarev noted that Kaspersky Lab does not focus on attributing these attacks, but that they observed that the attacks are coming from all over the world, and not limited to certain places or countries.
A second trend observed by the company is the professionalisation of cybercrime. According to the speaker, organised crime and gangs has started to enter the digital space with clear business models. The professionalisation of cybercrime paired with the sale of services and tools for malicious intent, makes the fight against cybercrime more complex and difficult.
The third trend is that attacks are increasingly being carried out against industrial control systems (ICS). These attacks on private companies are worrying because, by extension, some of these ICS are related to critical infrastructure. Shingarev therefore urged companies and states to collaborate closely together in order to better prepare and respond to such attacks.
Shingarev also noted that cybercriminals benefit from the current state of geopolitics, given that certain states do not collaborate or communicate on cyber issues, creating a void that can be exploited by cybercriminals.
Session 4 – Multilateral Processes and Synergies Across Initiatives: Looking Ahead
The final panel addressed multilateral processes and synergies across initiatives, and was moderated by Ms Camino Kavanagh (Senior Visiting Fellow, Department of War Studies, King’s College London). She recalled Russian efforts in pushing information and communication technologies (ICT) issues to the international agenda and the role of the United Nations Group of Governmental Experts (UN GGE). She further stressed the aim of preventing malicious use of ICT. However, despite the progresses achieved, significant challenges remain, and it is shown by the failures in the approval of the last report of the UN GGE.
The first panellist, Ms. Nadezhda Sokolova (Expert in International Information Security, Ministry of Foreign Affairs of the Russian Federation), recalled the message of the ambassador of the Russian Federation with regards to the use of new technologies, and the aim of achieving a peaceful information space. Referring to the application of international humanitarian law (IHL) in cyberspace, she argued that in the report, there is no international consensus on the 'automatic' application of international law (IL) and IHL to the information space. Finally, Sokolova stated that the attribution problem perpetuates a misguidance concept due to the focus on operationalism.
During the Q&A part of the session, she further stressed the importance of universal norms for responsible behaviour, and said that collaboration with regional organisations cannot be fully effective if they are not complemented by political norms that legitimise them.
The second panellist, Ms Carmen Gonsalves (Head, International Cyber Policy, Security Policy Department, Ministry of Foreign Affairs of the Kingdom of the Netherlands), reinstated the need for a new round of expert discussions by enhancing inclusivity, by capacity building in IL and the overall stakeholder environment. She disagreed on the notion that cyberspace is ungoverned, and noted that significant progresses has been achieved, such as the application of IL in cyberspace. During the Q&A, Gonsalves stressed that the progress made in the applicability of IL in cyberspace should not be forgotten and should be seen as a first step leading to more investment in capacity building efforts. Talking about future steps of the UN GGE, she mentioned the need to operate as a network entity with meaningful consultation mechanisms at its core. It must be remembered that more stakeholders develop deep and legitimate interests in the discussion each day. With this regard, ensuring collaboration with regional organisations is essential: they could represent additional platforms for consultations in between and during the activities of the UN GGE, and providing recommendations to the chair.
The third panellist, Mr Joe Preston (Head of Cyber Diplomacy, United Kingdom Foreign and Commonwealth Office), stressed that we need to look at ways to make concrete progress. It is important to reaffirm the rules of international order in cyberspace, and build patterns of responsible behaviour for a more stable cyberspace. Moreover, there is a need to internationalise the understanding of the rules approved by the UN GGE, and go further with their implementation by involving public-private partnerships.
During the Q&A, Serbia mentioned asymmetry in operational cyber capabilities as a threat to the international system. In response, Preston argued that countries able to develop these capabilities should be required to show that it is done in compliance with IL.
The fourth panellist, Mr Amandeep Singh Gill (Executive Director, Secretariat of the High-Level Panel on Digital Cooperation), recalled the first meeting of the High-Level Panel on Digital Cooperation, and underlined its role as a platform for opportunities for high-level policy that cuts and connects across silos, and to present practical recommendations. He argued that governments are worried about the stability of the Internet; about cybersecurity and ensuring confidentiality, integrity and availability; and, about the implications of new technologies for democratic processes such as electoral and public opinion manipulation. Furthermore, he argued that the time we live in today is challenging and features a deep lack of trust. Following this line, trust should be addressed with a cross-border approach between the public and private sector due to the cross-cutting nature of digital risks. The approach that can be used to tackle these issues is of hybrid nature: bottom-up, when it comes to pushing responsible behaviours in the cyberspace, and working on security standards; complemented by a top down approach; and finally, an additional approach that includes the involvement of the industry, which is already taking steps in further pushing the agenda (i.e. the Cybersecurity Tech Accord). Regarding this, Gill argued that measures for capacity and confidence building offer new grounds for the above mentioned approaches. Furthermore, a broader approach to cybersecurity could be complemented by the achievements reached on the discussions on lethal autonomous weapons (LAWS) such as the shared agreement on guiding principles and the application of IHL on digital weapons.
The session then opened the floor to the audience and received comments and questions from some of the diplomatic representatives in the room. The EU shared its thoughts on the draft proposal – already presented by Russia – stressing the following points:
The structure of the new UN GGE needs to achieve more effectivity with a focus on the application of IL in cyberspace; moreover, principles and norms of human rights law should be kept in mind while analysing the application of such norms in the cyberspace.
The group should be composed by 20-25 experts, and receive the support of national contributions on the subject by all UN GGE member states while also allowing contributions by civil society, academia and the private sector. The statement was supported by Poland with the addition of a focused and time-limited mandate for the UN GGE.
In addition to this, the International Committee of the Red Cross (ICRC) stressed that IHL is applicable in cyberspace, regardless of the lawfulness of the use of force. Nonetheless, the applicability of IHL does not imply that the ICRC condones the use of force in the cyberspace, recalling the UN charter regarding the legitimacy of the use of force.