Global Commission Meeting in Kobe, Japan
The Global Commission on the Stability of Cyberspace (GCSC) will meet on 9-10 March in Kobe, Japan, alongside the ICANN64 Community Forum. The Commission will be hosted by the Japanese Ministry of Internal Affairs and Communications, and will continue its work of 2019 by building on its recent meeting in January in Geneva.
The Commission will meet in closed sessions on Saturday 9 and Sunday 10 March, where discussions will focus on developing a definition of “cyber stability” and underlying principles aimed at supporting international efforts to advance peace and security in cyberspace. The Commission will also continue its previous conversations on identifying a governance framework in which to embed norms and anchor stability in cyberspace.
On Sunday 10 March, the Commission will hold a public consultation meeting with the ICANN At-Large Advisory Committee from 15:15-16:15 in the Topaz Room of the Portopia Hotel. The GCSC will also participate in multiple sessions of the ICANN64 program and consult with various ICANN bodies and representatives.
This Cyberstability Update is an overview of all articles included in our Weekly Newsletters for the month.
The GCSC In The News
UN Panel Reviews Benefits, Risks of Digital Technology
The article by Leila Mead was published on the International Institute for Sustainable Development SDG Knowledge Hub website, 29 January 2019
The Global Commission on the Stability of Cyberspace met in Geneva to discuss international security and information and communications technology (ICT). Fabrizio Hochschild, UN Assistant Secretary-General for Strategic Coordination, who participated in both meetings, reiterated the UN Secretary General’s belief that challenges posed by the digital age are “one of the key issues of our time,” next to climate change and inequality.
Europe Hopes to Fend Off Election Hackers with ‘Cyber Sanctions’
The article by Laurens Cerulus was published in Politico, 11 February 2019
A regime for “cyber sanctions” is taking shape — and it could already hit mischievous election hackers in May. The European Union is closing in on a procedure that would allow it to sanction foreign hacker groups when they target the upcoming EU election. The measures would not only allow EU countries to slap sanctions on hacker groups that succeed in intruding into IT systems, but also those attempting to get in, like the suspected Russian intelligence officers who allegedly plotted but failed to hack into the Hague-based Organization for the Prohibition of Chemical Weapons last year. In this article, Commissioner Christopher Painter elucidates the utility and effectiveness of imposing sanctions.
Trying to Craft Global Cyber Limits
This article by Derek B. Johnson was published in GCN, 4 February 2019
Cyberattacks may not meet the traditional definition of war, but they can have serious physical and financial consequences. But U.S. officials, international organizations and independent experts have so far been unable to come to consensus about where to draw that line. In a series of meetings in Geneva, the nongovernmental Global Commission on Stability in Cyberspace hashed out fundamental principles that states, non-state actors and private industry should follow in the digital domain.
Michael Chertoff on the Growing Threats to Our Privacy Today
This interview with Hari Sreenivasan was published in KSMQ, 12 February 2019
In this interview, Hari Sreenivasan sits down with former US Secretary of Homeland Security Michael Chertoff, who authored the USA Patriot Act which led to a massive expansion of government surveillance. He joins the program to discuss growing threats to our privacy today.
Election Security: Questions for the House Homeland Security Hearing
This article by Joshua Geltzer, Beth George and Jonathan Zittrain was published in Just Security, 12 February 2019
The U.S. House Committee on Homeland Security conducted a hearing on election security on Wednesday February 13th. It’s part of a series the new Democratic majority in the House is holding related to the H.R. 1 legislation on election security, campaign funding, and government ethics, entitled the “For the People Act.” Just Security asked several experts what questions they think would be fruitful for discussion at the hearing. One of these experts, Commissioner Jonathan Zittrain, stressed the precarious balance between intelligence sharing and the protection of civil liberties. Furthermore, he raised questions with regard to public-private interaction and its implications for civil liberties.
Cyber Spies for Hire: Efforts to Control Cyber Weapons Ignore the Agents Who Use Them
This article by Alexi Drew was published in The Conversation, 15 February 2019
Reports of malicious and targeted cyber attacks are becoming increasingly common around the world. As more complex and potentially damaging attacks into critical national infrastructure systems are discovered, calls are growing louder for international rules to govern this emerging battlefront. Global efforts are underway to govern the tools used in cyber attacks, such as the Global Commission on the Stability of Cyberspace, which introduced a series of international norms about the use of cyberspace to promote the stability of the internet and good practice of everyone involved. Other efforts have been on the legislative level, such as specific additions to the Wassenaar Arrangement, an export control arrangement that seeks to curtail the spread of civilian technologies that can be put to militarized use.
A Deep Dive on the Recent Widespread DNS Hijacking Attacks
This article was published in KrebsOnSecurity, 18 February 2019
The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy. This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers. In this article, Commissioner Bill Woodcock sheds light on the concept of ‘DNSpionage’ and elucidates the urgency of addressing threats to the global DNS.
This article was published in Harvard Law Today, 20 February 2019
Should Facebook be considered an “information fiduciary” when it comes to the privacy of its clients? How should we weigh the pros and cons of encryption schemes which might bolster privacy and data security at the risk of shutting out law enforcement? And why shouldn’t Facebook tell users how much advertising revenue their respective data generates on a daily basis? Those were some of the questions Facebook Co-founder and CEO Mark Zuckerberg discussed with Jonathan Zittrain ’95, HLS’s George Bemis Professor of International Law, in a conversation among students at Harvard Law School on Feb. 11. The nearly two-hour discussion was part of a series of study sessions for Harvard’s Techtopia initiative, a program for students across the University to explore problems in technology and governance, and it included participants from Zittrain’s course on Internet & Society: The Technologies and Politics of Control.
U.S. Campaign against Huawei Runs Aground in an Exploding Tech Market
This article by Newley Purnell, Rajesh Roy and Dustin Volz was published in The Wall Street Journal, 21 February 2019
Washington has hit an unlikely roadblock in its extraordinary global push to sideline China’s Huawei Technologies Co.: the world’s biggest democracy, India. Policy makers and telecommunications firms here are so far largely unpersuaded by U.S. warnings that using Huawei’s equipment to upgrade India’s telecom networks presents a major cybersecurity threat, according to more than a dozen government officials and industry executives. Many argue that any such risk is outweighed by Huawei’s cut-rate prices and technological prowess. Despite sharing areas of concern, “India is independent, they are not just going to do what the U.S. says it wants them to do,” Christopher Painter said. “They obviously have lots of different priorities and a different history.”
UK Says Huawei Is Manageable Risk to 5G
This article by Demetri Sevastopulo and David Bond was published in The Financial Times, 17 February 2019
British intelligence has concluded that it is possible to mitigate the risk from using Huawei equipment in 5G networks, in a serious blow to US efforts to persuade allies to ban the Chinese supplier from high-speed telecommunications systems. One person familiar with the debate said the British conclusion would “carry great weight” with European leaders, as the UK has access to sensitive US intelligence via its membership of the Five Eyes intelligence sharing network. James Lewis, a cyber security expert at the Center for Strategic and International Studies, a Washington-based think tank, said the disagreement among the Five Eyes was not about the risk of using Huawei but rather how to manage it. “The disagreement is on whether the UK approach (which others will copy) to controlling the risk of using Huawei will work,” he said. “A public ban might be too much for countries that fear repercussions in China, but the UK approach has a little tint of rose-colored glasses to it.”
Content in New Media as an Instrument of Interfering in the Internal Affairs of Sovereign States
This article by Pavel Karasev was published in Modern Diplomacy, 20 February 2019
Over recent years we have observed a significant increase in the use of ICT-instruments to disseminate specially prepared content to achieve malicious political and economic goals. Many experts explicitly claim that ICT-instruments have increased manifold the capabilities to achieve objectives by non-military means. Confirmed are the predictions of competent experts that the new ICTs allow oneself to fight directly at the level of consciousness. The technologies for deliberate preparation and dissemination of content are constantly developing: information targeting, use of Internet profiles of the users, “fake news” and employment of opinion leaders to roll out this news. In the recent article by Anders Fogh Rasmussen (former Secretary General of the North Atlantic Treaty Organization and Prime Minister of Denmark) and Michael Chertoff (former US Homeland Security Secretary) a generalized concept was proposed for the characterization of such technologies – hyper-partisan content.
Europe’s Cybersecurity Gap Threatens Infrastructure, Elections
This article by Ben Knight was published in DW, 15 February 2019
Cybersecurity experts have met with government officials ahead of the Munich Security Conference to discuss the vulnerabilities in our critical infrastructure — and many ask when Europe will finally shore up its gaps. “We’re lacking a single authority for cybersecurity,” said Oliver Rolofs, co-founder of the conference that acts as a prologue to the ensuing high-powered get-together, the Munich Security Conference (MSC). “We need an agency to orchestrate all the responses to a potential risk.” That theme was picked up by Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace (GCSC), and a former Estonian foreign minister who knows a lot about cyberattacks from hostile nation states. “I see that there is political attention to the topic, I see that there is much more awareness than 10 years ago,” she told DW. “But I don’t think politicians in any country are aware to the level that we can be satisfied.”
EU Must Guard against Election Meddling
This letter by, amongst others, Michael Chertoff and Marietje Schaake was published in The Irish Times, 16 February 2019
The authors of this open letter – politicians from across Europe and North America, spanning the political spectrum – voice their concerns about the risk of external influence on the upcoming European elections. European institutions, national governments, electoral commissions, and intelligence services have mobilized to varying degrees to counter these threats. Yet not enough has been done. The legislative window is closing on European Union institutions to act, and laggard member states are a weak link in a chain that leaves the whole EU vulnerable. At the same time, governments must be careful not to infringe on the rights of their citizens when taking action.
Political Parties Must Step up Cyber Defences, Says Obama Tech Guru
This article by David Wroe and David Crowne was published in The Sydney Morning Herald, 19 February 2019
Barack Obama’s former top cyber diplomat has said that the hacking of Australia’s political parties shows political organizations worldwide have not devoted enough effort to cyber security and need to fix the problem. Chris Painter, the senior cyber official at the State Department in the Obama administration, said the fact political parties were staffed partly by volunteers and had limited budgets meant they were vulnerable, yet they held valuable data on their candidates and voters.
This article was published by the Cybersecurity Tech Accord, 20 February 2019
Since establishing the Cybersecurity Tech Accord, we have worked with many like-minded organizations to develop and promote initiatives aimed at making cyberspace more stable and secure. The Global Commission on the Stability of Cyberspace (GCSC) is one of the organizations we believe has a critical role to play in raising awareness and understanding of issues related to international peace and stability, specifically in driving responsible state and non-state behavior in cyberspace. It has embraced this mission with a spirit of collaboration with other key stakeholders and has been open to different perspectives and views. With this in mind, we are delighted to have been able to contribute to its work around cybersecurity norms by sharing our views on the Singapore Norm Package. Read the full Cybersecurity Tech Accord response to the GCSC consultation here.
Huawei Threat Uncovers Enemy within UK Spy Agencies
This article by David Bond was published in the Financial Times, 1 March 2019
It is unusual to see, let alone hear, from Britain’s spymasters in public. But in the past few weeks the UK’s intelligence chiefs have been uncharacteristically outspoken on the threat posed to national security by Huawei, the Chinese telecoms equipment maker. However, while their carefully crafted remarks suggest the UK’s intelligence agencies are slowly forming a settled view on how to deal with Huawei, behind the scenes the spying organisations’ views diverge. Commissioner Nigel Inkster said that “China has managed to conduct effective cyber espionage operations against the UK for a long time without having to rely on Huawei equipment to do it,” adding, ominously: “A 5G network will require a constant stream of software updates and the scope for infected code. The line that Huawei is just a telecommunications company has worn beyond thin.”
Big Thing: U.S. Falters at Huawei Diplomacy
This article was published in Axios’ Codebook newsletter, 26 February 2019
Last week, Germany and the U.K., two key U.S. allies, shrugged at Washington’s call to ban Huawei 5G products from their networks. Neither country particularly wants to be spied on. But the U.S. has apparently failed to make a strong enough case to its partners that Huawei can’t be trusted. The U.S. argues that Huawei likely sabotages its products to allow China to spy on the data they transfer. At a minimum, the U.S. says, Chinese law requires a company like Huawei to aid its home country if the government demands. The U.S. may have undermined itself by waging aggressive, America-first diplomacy against traditional partners. “It doesn’t help that we have eroded our soft power,” said Christopher Painter, the State Department’s top cyber diplomat from 2011 to 2017.
Chasing China Theft, U.S. Uncovers Bonuses for Stolen Data
This article by Todd Shields was published in Bloomberg, 28 February 2019
American companies for decades have complained about Chinese firms stealing intellectual property – or IP – by theft or by demanding its disclosure in order to do business in the country. U.S. President Donald Trump has made protection of IP a focus of trade talks now underway. Chinese President Xi Jinping and former U.S. President Barack Obama in 2015 reached an agreement to stop the theft of corporate secrets. But the U.S. in November 2018 accused China of continuing a state-backed campaign of intellectual property and technology theft. “IP theft has been part of the opening with China from the start,” James Lewis, director of the technology policy program at the Center for Strategic & International Studies in Washington, said in an interview. “It has been a constant theme.”
Russia Is Going to Test an Internet ‘Kill Switch,’ and Its Citizens Will Suffer
This article by Violet Blue was published in Engadget, 1 March 2019
Russia is planning to disconnect itself from the global internet in a test sometime between now and April. The country says it is implementing an internal internet (intranet) and an internet “kill switch” to protect itself against cyberwar. The question is, would this actually work? “This, as a single tactic, would not be sufficient,” explained Bill Woodcock, executive director of Packet Clearing House, via email. “But it hugely reduces their attack surface. So in combination with many other tactics, it’s a component of a reasonable strategy.” An internet “kill switch” has been in Russia’s legislative plans for some time — though it’s not entirely about defense. Russia sees this drastic move as a means to solve the dual issues of defending itself from cyberwar attacks and more tightly controlling its citizens’ access to information.
This Hotline Could Keep the U.S. and Russia From Cyberwar
This article by Erin Banco and Kevin Poulsen was published in The Daily Beast, 23 February 2019
As concerns mount that Russia will unleash hackers and online disinformation brigades to wreak havoc in another American election, senior U.S. officials are taking a second look at a technology handed down from the age of Gorbachev and Reagan: an emergency “hotline” between officials in the U.S. and Russia that might someday pull both countries back from the brink of an all out cyberwar. The cyberhotline idea came to fruition in 2013 amid growing concerns in the U.S. administration that its relationship with Russia was on a crash course. The voice line, Christopher Painter said, “was something the Russians wanted… No matter how bad things get between Russia and the United States, it is always answered.”
Cyber Experts: Congress Needs to do More Ahead of 2020 Election
This article by Kristine Frazao was published in NewsChannel 12, 25 February 2019
At least twelve Democratic candidates are now poised to take on President Trump in the 2020 election. But despite multiple warnings and hearings, including testimony on Capitol Hill from the highest levels of big tech, concrete action appears to be lacking. A recent report by the cyber enforcement initiative Third Way found that while the last Congress introduced 226 bills on cyber security, many bipartisan, just ten of those were signed into law. Others point to the response toward Russian leaders, which, in terms of punishment, hasn’t fit the crime, according to former Homeland Security Secretary Michael Chertoff.
Here Are the Seven Challenges that Will Shape Our 2020s
This article by Sudeshna Mallick was published in Down to Earth, 28 February 2019
Forum of the Future has released a report that says plastics, migration and climate crisis, nationalism, online presence, participatory democracy, consumerism and biodiversity need urgent attention from world leaders. Concerning online presence, we are, 24/7 throughout the year, unregulated consumers of the internet, so much so that social media is home to fake news, extreme views, trolls, deep-fakes, bots and data breaches. Soon, keeping the world plugged in without destroying the planet will become a challenge, says the report. Internet founding father Tim Berners-Lee and professor of internet law Jonathan Zittrain call for a repurposed internet that will be regulated and will protect users from fake news and data exploitation. Also, heavy scrutiny of tech giants is required.
International Cyber Affairs
Conflict in Cyberspace
The New Contours of Cyber Conflict
This article by Paul Rosenzweig was published in Lawfare, 27 February 2019
An American military unit used offensive weapons against a target inside Russia. And nobody is noticing. The United States used cyber weapons to take down a Russian state-approved cyber information operation. If the U.S. had done so using a missile (by, say, destroying the facility where the Internet Research Agency is located) it would have been an armed attack and potentially a cause of a war-like response. And yet, somehow, in doing it via cyber means, the United States has managed to avoid that implication; evaded public scrutiny (until now); and possibly set a new standard for “sub-warlike” cyber activity that begins the creation of new international norms of behavior in the domain.
Undercover Agents Target Cybersecurity Watchdog
The article by Raphael Satter was published by the Associated Press, 26 January 2019
The researchers who reported that Israeli software was used to spy on Washington Post journalist Jamal Khashoggi’s inner circle before his gruesome death are being targeted in turn by international undercover operatives, The Associated Press has found. Citizen Lab Director Ron Deibert described the stunts as “a new low.” “We condemn these sinister, underhanded activities in the strongest possible terms,” he said in a statement Friday. “Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere.”
Russian DNC Hackers Launch Fresh Wave of Cyberattacks on U.S.
The article by Kevin Poulsen was published in The Daily Beast, 31 January 2019
Russia’s military intelligence directorate, the GRU, has been caught in a new round of computer intrusion attempts, this time aimed at the Center for Strategic and International Studies, a prominent Washington, D.C. think tank heavy with ex-government officials.
EU Considers Response to China Hacking after U.K. Evidence, Sources Say
This article by Natalia Drozdiak, Nikos Chrysoloras, and Kitty Donaldson was published in Bloomberg, 11 February 2019
European Union member states are considering a possible joint response to cyber attacks allegedly conducted by a Chinese state-linked hacker group after the U.K. presented evidence last month about network infiltration, according to people familiar with the matter. For any retribution against China tied to cyber attacks, the EU would need to agree unanimously that the country was responsible and not all EU members currently agree, according to one of the people familiar with the matter. The EU is developing protocols to respond to malicious cyber activities, for instance by imposing sanctions, but it can be challenging to clearly attribute actions to any individuals or nation-state.
Cyber Blitzkrieg Replaces Cyber Pearl Harbor
This article by Stilgherrian was published in ZDNet, 18 February 2019
There has been a shift in thinking about cyberwar, according to professor Greg Austin from the University of New South Wales Canberra Cyber. Austin says that cyber storm thinking is now being replaced by a concept he calls “cyber blitzkrieg”. It’s effectively a more nuanced version of the somewhat tired “cyber Pearl Harbor” concept. “We’re really talking the plans by states to attack each other with multi-wave, multi-vector destructive cyber attacks across the entire civil and military infrastructure of the enemy,” Austin told ZDNet. “Nuclear war is unlikely. So is the multi-vector, multi-wave destructive cyber attacks against a country’s infrastructure. What’s different about this new cyber storm threat, or cyber blitzkrieg, is that states are exploring the use of related tactics very vigorously in a way in which they’re not exploring similar tactics for nuclear warfare,” he said.
Chinese and Iranian Hackers Renew Their Attacks on U.S. Companies
This article by Nicole Perlroth was published in The New York Times, 18 February 2019
Businesses and government agencies in the United States have been targeted in aggressive attacks by Iranian and Chinese hackers who security experts believe have been energized by President Trump’s withdrawal from the Iran nuclear deal last year and his trade conflicts with China. Recent Iranian attacks on American banks, businesses and government agencies have been more extensive than previously reported. Instead of hitting victims directly, FireEye researchers said, Iranian hackers have been going after the internet’s core routing system, intercepting traffic between so-called domain name registrars. The Iranian attacks coincide with a renewed Chinese offensive geared toward stealing trade and military secrets from American military contractors and technology companies, according to nine intelligence officials, private security researchers and lawyers familiar with the attacks.
GCHQ Chief: Cyber Conflict Could Deteriorate into a Wild West If Left Unchecked
This article by Alexander J. Martin was published in Sky News, 25 February 2019
The internet could deteriorate into “an even less governed space” if the international community doesn’t come together to establish a common set of principles, the head of GCHQ has warned. Giving a rare speech in Singapore, Jeremy Fleming referenced “China, Iran, Russia and North Korea” as having broken international law through cyber attacks. But he also acknowledged there was not much of a legal standard to go by, noting: “Case law is still developing in all of our jurisdictions.” Mr Fleming warned: “Unchecked, we’re heading for an even less governed space where rights and wrongs are not automatically recognised and where acceptable behaviours are not a given.”
Apple and Facebook Fighting International Encryption Battle
This article by Robert McMillan was published in The Wall Street Journal, 26 February 2019
Nearly three years after the Federal Bureau of Investigation abandoned an effort to force Apple Inc. to extract data from an encrypted iPhone, technology companies are facing several new efforts from governments fighting for access to digital secrets. Governments want access to user data to solve crimes and track potential threats. Silicon Valley companies, fearful that this access could be misused for spying or exploited by hackers, continue to build products that are so securely encrypted that the tech companies themselves are sometimes unable to access the data on them. And many tech companies are resisting any efforts to weaken their encryption capabilities.
The Teams Who Test US Cyber Defenses Aren’t Being Tough Enough: Pentagon Report
This article by Patrick Tucker was published in Nextgov, 5 February 2019
A lack of tough cyber operators to play the role of adversary is leaving U.S. cyber defenders unprepared for today’s real-world threats, according to the Pentagon’s Office of the Director of Operational Test & Evaluation. The service branches have too few red teams, the groups of U.S. troops, employees, and contractors who play the bad guys and test Defense Department networks for cyber vulnerabilities. Bottom line, the Defense Department isn’t testing networks hard enough. The result is what the office describes as “a gap” between Defense Department cyber red team capabilities and “persistent threats,” meaning the toughest cyber threat groups, some backed by China, Russia, and others.
Russian Hackers Go from Foothold to Full-On Breach in 19 Minutes
This article by Andy Greenberg was published in WIRED, 19 February 2019
In its annual global threat report, released Tuesday, CrowdStrike introduced a new metric of hacker sophistication: what the firm calls “breakout” speed. Analyzing more than 30,000 attempted breaches in 2018 the company says it detected across its customer base, CrowdStrike measured the time from hackers’ initial intrusion to when they began to expand their access, jumping to other machines or escalating their privileges within a victim network to gain more visibility and control. They compared those times among state-sponsored hackers from four different countries, as well as non-state cybercriminals. Their results suggest that Russia’s hackers were far and away the fastest, expanding their access on average just 18 minutes and 49 seconds after gaining their initial foothold.
Pear.php.net Shuts Down After Maintainers Discover Serious Supply-Chain Attack
The article by Dan Goodin was published in ArsTechnica, 23 January 2019
Officials with the widely used PHP Extension and Application Repository have temporarily shut down most of their website and are urging users to inspect their systems after discovering hackers replaced the main package manager with a malicious one. PEAR’s advisory is the latest to expose what’s known as a supply-chain attack. These attacks are particularly effective because a single hack poisons software at its source where potentially large numbers of people go to get their downloads.
Microsoft Says Discovers Hacking Targeting Democratic Institutions in Europe
This article by Shubham Kalia and Ishita Chigilli Palli was published in Reuters, 20 February 2019.
Microsoft Corp on Wednesday said it had discovered hacking targeting democratic institutions, think tanks and non-profit organizations in Europe and plans to offer a cyber security service to several countries to close security gaps. The hacks occurred between September and December 2018, targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund, the company said. Hackers in most cases create malicious web links and spoofed email addresses that look legitimate, aiming to gain access to employee credentials and deliver malware, the company said. Microsoft said many of the attacks originated from a group called Strontium, which the company has previously associated with the Russian government.
Crowdstrike: There’s No Excuse for Getting Owned by China
This article by Robert K. Knake was published in Council on Foreign Relations, 25 February 2019
Crowdstrike just dropped the first head-turning cybersecurity report of the year. The report tracks the “breakout time” from when an adversary compromises an initial system to when the adversary is able to move laterally within an enterprise. According to Crowdstrike’s new report, the breakout time for Russian adversaries was under nineteen minutes. Stopping the Russians may require taking the human out of the loop, automatically going from detection to quarantining compromised systems. Of course, some companies are doing that already and a thriving ecosystem exists to provide technologies that will enable this kind of operational nimbleness. What’s interesting to me about the report isn’t that Russia is really fast but that China is relatively, even embarrassingly slow.
National Policy Trends
Which Countries Have the Worst (and Best) Cybersecurity?
This article by Rebecca Moody was published in Comparitech, 6 February 2019
This study looked at 60 countries and found huge variances in a number of categories, from malware rates to cybersecurity-related legislation. Despite some countries having clear strengths and weaknesses, there is definite room for improvement in each and every one. Whether they need to strengthen their legislation or users need help putting better protections in place on their computers and mobiles, there’s still a long way to go to make our countries cyber secure. Plus, as the landscape of cybersecurity constantly changes (cryptominers are growing in prevalence, for example), countries need to try and get one step ahead of cybercriminals.
Thailand Passes Internet Security Law Decried as ‘Cyber Martial Law’
This article by Patpicha Tanakasempipat was published in Reuters, 28 February 2019
Thailand’s military-appointed parliament on Thursday passed a controversial cybersecurity law that gives sweeping powers to state cyber agencies, despite concerns from businesses and activists over judicial oversight and potential abuse of power. The Cybersecurity Act, approved unanimously, is the latest in a wave of new laws in Asian countries that assert government control over the internet. If a cybersecurity situation reached a critical level, the legislation allows the military-led National Security Council to override all procedures with its own law. Civil liberties advocates, internet companies and business groups have protested the legislation, saying it would sacrifice privacy and the rule of law, and warning compliance burdens could drive foreign businesses out of Thailand.
Poland Unveils Details of Plan for New Cyber Defense Force
This article was published in Radio Poland, 5 February 2019
Poland’s defense minister on Tuesday divulged details of a plan to create a new cyber defense force for the country to counter hi-tech security threats. Speaking at a conference in Warsaw, Mariusz Błaszczak said the new force would be established on the basis of two government-run institutions, the National Centre of Cryptology and the military Inspectorate of Information Technology. Błaszczak in December said that cyber security was one of the biggest challenges of the modern world. He was also quoted as saying that the new Polish cyber defense units would work to prevent and counter potential cyber attacks targeting the country. He also said at the time that the initiative to create the new Polish force was a response to a growing cyber security threat and followed decisions made by NATO leaders at a summit in 2015.
Cyber Security Added to Singapore’s Total Defense Framework
This article by Mark Johnston was published in Channel Asia, 18 February 2019
Singapore’s minister for defense Dr Ng Eng Hen announced in his total defense day message that in light of increased digital threats, cyber security will be added to the city state’s total defense framework. The total defense framework was set up to identify the greatest threats to Singapore, and consists of six pillars, namely military defense, civil defense, economic defense, social defense, psychological defense, and now digital defense. During his speech, the minister asserted that cyber threats from the digital world can be just as damaging as those from the real and physical world, with threats such as terrorism also existing digitally.
Russia Moves to Mask Its Soldiers’ Digital Trail with Smartphone Ban
This article by Andrew Roth was published in The Guardian, 19 February 2019
Russia’s parliament has voted to ban its soldiers from using smartphones and social networks after a series of open-source investigations revealed their secret participation in foreign conflicts. Russia’s Duma on Tuesday voted to ban members of the armed forces from publishing information online about their military units, deployments and other personal information, including photos, video and geolocation data. They will also be forbidden from carrying smartphones or other smart devices that can connect to the internet and can save data such as photos. Older mobile phones will not be banned. Russian officials said the ban was needed to protect secret military information from foreign intelligence services. The text of the legislation specifically noted attention to Russia’s recent military campaign in Syria.
Russia to Disconnect from the Internet as Part of a Planned Test
The article by Catalin Cimpanu (for Zero Day) was published in ZDNet, 11 February 2019
Russian authorities and major internet providers are planning to disconnect the country from the internet as part of a planned experiment, Russian news agency RosBiznesKonsalting (RBK) reported last week. A date for the test has not been revealed, but it’s supposed to take place before April 1. The Russian government has been working on this project for years. In 2017, Russian officials said they plan to route 95 percent of all internet traffic locally by 2020.
India Proposes Chinese-Style Internet Censorship
This article by Vindu Goel was published in The New York Times, 14 February 2019
India’s government has proposed giving itself vast new powers to suppress internet content, igniting a heated battle with global technology giants and prompting comparisons to censorship in China. The new rules could be imposed by Prime Minister Narendra Modi’s government anytime after the public comment period ends on Thursday night. The administration has been eager to get them in place before the date is set for this spring’s national elections, which will prompt special pre-election rules limiting new policies.
Military Offensive Cyber-Capabilities: Small-State Perspectives
This article by Lilly Pijnenburg Muller was published in The CSS Blog (ETH Zürich), 18 February 2019
This Policy Brief provides an overview of the military cyber-defense strategies and capabilities of Norway and of the Netherlands. Comparison of the two different approaches offers insights into their differing tactics and future policy directions. The Brief contributes a small-state perspective on this malleable and constantly changing field, nuancing the hitherto US-centered debate on the utility and need for deterrence and defense in cyberspace.
Shutting Down the Internet Doesn’t Work, but Governments Keep Doing It Anyway
This article by George Ogola was published in The Next Web, 21 February 2019
As the internet continues to gain considerable power and agency around the world, many governments have moved to regulate it. And where regulation fails, some states resort to internet shutdowns or deliberate disruptions. The justifications for such shutdowns are usually relatively predictable. Governments often claim that internet access is blocked in the interest of public security and order. In some instances, however, their reasoning borders on the curious if not downright absurd, like the case of Ethiopia in 2017 and Algeria in 2018 when the internet was shut down apparently to curb cheating in national examinations.
Cybersecurity Workers Scramble to Fix a Post-Shutdown Mess
This article by Lily Hay Newman was published in WIRED, 10 February 2019
Two weeks out from the longest government shutdown in United States history—and with the possibility of another still looming—government employees are still scrambling to mitigate impacts on federal cybersecurity defenses. And the stakes are high. The effects of the shutdown extend even to agencies that were funded throughout, like the military and intelligence community, thanks to interdependencies and network connections between agencies. The only potential silver lining? The risk management firm SecurityScorecard suggests that threats like spearphishing may have been less effective during the shutdown, since furloughed employees literally weren’t in the office to check their email. Though government employees and contractors who were furloughed have now spent more than two weeks rebuilding from the shutdown, it will be months or even years before the full toll of the incident is understood. And if another shutdown comes next week, count on erasing whatever little progress has been made.
Four Opportunities for State’s New Cyber Bureau
This article by Robert Morgus and Justin Sherman was published in New America, 11 February 2019
In 2017, the Trump administration eliminated the position of cybersecurity coordinator at the White House and closed the cyber coordinator office at the State Department. This was a decision that undoubtedly harmed the United States’ ability to preserve a global and open internet and promote democratic norms around technology writ large. But now, the State Department is reportedly standing up a new cybersecurity bureau. The exact details and timeline are still unclear, but a spokesperson has at least clarified it will be run by “an ambassador-at-large for cyberspace security and emerging technologies.” Leaders of the House Foreign Affairs Committee have also introduced a Cyber Diplomacy Act that would create a cyber diplomacy office at State, slightly modifying a bill from last year. This article outlines four opportunities for the new bureau moving forward.
Security Shield: A Label to Support Sustainable Cybersecurity
The White Paper by Public Knowledge was published on their website, 25 January 2019
The federal government should test a “Security Shield” program to encourage companies to meet cybersecurity best practices, the nonprofit group Public Knowledge said in a white paper published Tuesday. The program would be based on criteria developed by the technical standards agency NIST, in coordination with other agencies and industry experts. “A pilot program” in which well-designed routers carry Security Shield labels “is one way to begin building towards a trusted label that consumers can use to reliably evaluate product risk and move the market towards a more secure internet ecosystem,” wrote Public Knowledge’s Megan Stifel, Dylan Gilbert and Mark Peterson.
Elections and Electoral Infrastructure
Facebook Allowed Fake News Ads ahead of Nigeria Vote
This article by Yarno Ritzen was published in Al Jazeera, 14 February 2019
Facebook’s automated ad approval system can be tricked fairly easily, making it possible to buy ads to spread misinformation and fake news in advance of the Nigeria elections, an Al Jazeera investigation has found. Last month, Facebook said it would temporarily disallow political ads targeting Nigeria from being purchased outside the country in an attempt to prevent foreign influence in the February 16 elections.
Elections Under Threat: Securing Democracy in Cyberspace
This article was published in Microsoft Corporate Blogs, 26 February 2019
With the European Parliament elections fast approaching, as well as several national elections on the horizon, EU Member States are increasingly worried about possible interference. This builds on concerns that recent elections in the U.S. and France were the target of cyberattacks and disinformation campaigns initiated by foreign actors. Some countries have sought to mitigate the risks by scaling back or avoiding the use of technology in electoral processes. But experts have warned that returning to pen-and-paper ballots does not necessarily mean that elections are more secure.
This article by Ellen Nakashima was published in The Washington Post, 27 February 2019
The U.S. military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several U.S. officials said, a warning that the Kremlin’s operations against the United States are not cost-free. The operation marked the first muscle-flexing by U.S. Cyber Command, with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities. The president approved of the general operation to prevent Russian interference in the midterms, officials said. The action has been hailed as a success by Pentagon officials, and some senators credited Cyber Command with averting Russian interference in the midterms.
FEC May Smack Down Election Security Group
This article by Tim Starks was published in the POLITICO Morning Cybersecurity newsletter, 21 February 2019
The FEC may finally vote today on a bipartisan election security organization’s request to provide free cybersecurity services to political campaigns and parties. Commissioners will meet this morning to discuss several matters, including the request from Defending Digital Campaigns, a spinoff of the Harvard Belfer Center’s Defending Digital Democracy project. The FEC first considered the request at its Oct. 11 meeting, but it delayed a vote during that meeting and its next two meetings. But if the FEC finally votes today, the result may not please election security experts. Defending Digital Campaigns wants the FEC to declare that it can offer free services — including a cyber hotline, campaign boot camps, on-site training, and incident response assistance — to campaigns and political parties without violating campaign finance law. In its initial draft opinion, the FEC appeared poised to grant the request, citing its recent approval of Microsoft’s similar request. But in a revised opinion presented at a subsequent meeting, FEC staffers changed their minds and recommended denying the request.
Cybercrime and Law Enforcement
Fighting Cybercrime – What Happens to the Law When the Law Cannot Be Enforced?
This article by William Dixon was published in World Economic Forum, 19 February 2019
In the context of cyber security as a major global risk, the global community needs to recognize that there is a “stunning enforcement gap”, as a recent report by the Third Way highlights. Not only is the current wave of cybercrime largely unseen, but the chances of being successfully investigated and prosecuted for a cyber attack in the US are now estimated at 0.05%. This mirrors similar reports from around the world. This is for a crime type that is predicted to be costing the global economy $6 trillion by 2021. For violent crime, the equivalent chance is 46%. The global community needs to ask itself why this is happening, and what can be done to change it.
Russia’s Ex-Cybersecurity Chief Gets 22-Year Sentence in Jail
This article by Nataliya Vasilyeva was published in AP News, 27 February 2019
A Russian military court convicted a former senior counterintelligence officer and a cybersecurity firm executive of treason Tuesday, concluding a case that initially aroused speculation of a manufactured effort to punish the source of leaks about Russian campaign hacking. Moscow’s District Military Court heard several months of evidence and arguments behind closed doors before delivering guilty verdicts against Col. Sergei Mikhailov, an ex-officer at Russia’s Federal Security Service (FSB), and Kaspersky Lab executive Ruslan Stoyanov. The basis for the charges remains murky given the top-secret nature of the criminal proceedings. Russian media reported the case centered on accusations that Mikhailov contacted Stoyanov to pass information from an FSB probe of Russian businessman Pavel Vrublevsky to an analyst with alleged ties to the FBI. Mikhailov, the deputy head of cyber intelligence at the domestic security agency, received a 22-year prison sentence and was stripped of his military rank and decorations, which included the elite “For Services to the Fatherland.” Stoyanov was sentenced to 14 years.
Maria Ressa: Editor of Rappler News Website Arrested on ‘Cyber-Libel’ Charges
This article by Hannah Ellis-Petersen was published in The Guardian, 13 February 2019
The editor of an online newspaper in the Philippines has been arrested on charges of cyber-libel as part of what the country’s journalists’ union said was a campaign of intimidation against voices critical of President Rodrigo Duterte. The charges against Ressa relate to a story published on Rappler’s website in May 2012 that alleged ties between a Philippine businessman, Wilfredo D Keng, and a high court judge. The controversial cyber-libel law under which she is being prosecuted was enacted four months after the story was written.
South African ISPs and Networks Will Have to Report You for Piracy under New Law
This article was published in BusinessTech, 14 February 2019
The Select Committee on Security and Justice has invited members of the public to submit comments on the incoming Cybercrimes Bill. According to Fatima Ameer-Mia, a senior associate at Cliffe Dekker Hofmeyr, this version of the Cybercrimes Bill – which was passed by the National Assembly in November 2018 – differs quite substantially from the versions of the bill published previously. “The old bill was divided broadly into two parts, namely cyber crimes and cybersecurity,” she said. “The cyber crimes section, bar a few criticisms, was lauded – however, it was the proposed cybersecurity section which raised very serious concerns about the government’s encroachment on freedom of expression and freedom of the internet.”
Infrastructure and Economy
Alert Regarding Published Reports of Attacks on the Domain Name System
This announcement was published by The Internet Corporation for Assigned Names and Numbers (ICANN), 15 February 2019
The Internet Corporation for Assigned Names and Numbers (ICANN) today announced that it is aware of several recent public reports regarding malicious activity targeting the Domain Name System (DNS). We have no indication that any ICANN organization systems have been compromised, and we are working with relevant community members to investigate reports of attacks against top-level domains (TLDs). ICANN believes it is essential that members of the domain name industry, registries, registrars, resellers, and related others, take immediate proactive and precautionary measures, including implementing security best practices, to protect their systems, their customers’ systems and information reachable via the DNS. The ICANN community will continue the discussion on this critical topic at its upcoming ICANN64 meeting in Kobe. In addition, ICANN org is available to provide consultation on security best practices by emailing globalsupport@icann.org.
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
This announcement was published by The Internet Corporation for Assigned Names and Numbers (ICANN), 22 February 2019
The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems. As the coordinator of the top-most level of the DNS, ICANN is in the position to help mitigate and detect DNS-related risks, and to facilitate key discussions together with its partners. The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet. To facilitate these efforts, ICANN is planning an event for the Internet community to address DNS protection: The first is an open session during the upcoming ICANN64 public meeting on 9-14 March 2019, in Kobe, Japan.
Administration Readies Order to Keep China Out of Wireless Networks
This article by Julian E. Barnes was published in The New York Times, 12 February 2019
The Trump administration is moving closer to completing an executive order that would ban telecommunications companies in the United States from using Chinese equipment while building next-generation wireless networks, according to American officials. The executive order, which has been under discussion for months, is aimed largely at preventing Chinese telecom firms like Huawei from gaining access to the fifth-generation — or 5G — wireless networks that companies are beginning to build in the United States. American intelligence officials have grown increasingly concerned about Huawei and other Chinese telecom companies, saying their inclusion in American networks poses security risks that could jeopardize national security.
German Cyber Security Chief Backs 5G ‘No Spy’ Deal over Huawei
This article by Guy Chazan was published in the Financial Times, 28 February 2019
The head of Germany’s national cyber security agency has backed the idea of a “no spy” deal with China as a way to address concerns about using Huawei equipment in Germany’s high-speed telecoms system. The remarks by Arne Schönbohm, head of the BSI, the German federal cyber security agency, suggest that Germany could formally allow Huawei to participate in the 5G roll-out if Chinese authorities give extra assurances on data security. That would mark a setback for attempts by the US to persuade its allies to ban Huawei on the grounds that the Chinese state could use the company to conduct espionage or cyber sabotage.
76 Partners Launch WTO Talks on E-Commerce
The European Commission press release was published on their database, 25 January 2019
At the World Economic Forum in Davos today, 76 partners – the European Union and 48 other members of the World Trade Organisation (WTO) – decided to start negotiations to put in place global rules on electronic commerce. The last two decades have seen the exponential growth of domestic and cross-border electronic commerce. Despite this fast increase in electronic transactions, there are no specific multilateral rules in the WTO regulating this type of trade. Business and consumers instead have to rely on a patchwork of rules agreed by some countries in their bilateral or regional trade agreements.
Organisation for Economic Cooperation and Development – Vectors of Digital Transformation
The OECD Directorate for Science, Technology and Innovation paper was published on the OECD iLibrary website, 22 January 2019
This report examines key properties – or “vectors” – of the digital transformation that fundamentally affect the economy and society and accordingly the design and efficacy of public policies. It explores three main areas where digital transformation affects the ways the economy and society are operating, i.e.: a) scale, scope and speed; b) ownership, assets and economic value; and c) relationships, markets and ecosystems. Exposing the underlying nature of change, the seven vectors provide insights on how the transformation challenges policies that are frequently predicated on an analogue world of tangible products and assets, fixed geographic boundaries and physical locations, on transaction costs that limit the scale and scope of interactions and offerings, and on supply and demand conditions that reflect scarcity. The objective of this report is to support the review of existing and the design of new policies to ensure that they are well‑suited to the digital era.
This article by Joseph Marks was published in The Washington Post, 28 February 2019
Across the world, there are four specific industry sectors at the highest risk of being devastated by cyberattacks. They also hold a big chunk of the world’s debt — to the tune of $11.7 trillion. That’s the sobering conclusion from a new report this morning from Moody’s Investors Service, a division of the credit ratings agency. It found a major cyberattack could potentially bring banks, investment firms, securities exchanges and hospitals to financial ruin and prevent an organization from making good on some of what it owes. It’s encouraging lenders to consider an organization’s cybersecurity vulnerabilities before making loans in those sectors, the report says. Organizations in those sectors are especially vulnerable because they’re highly reliant on computers and other connected technology and couldn’t simply do their work if a cyberattack took them offline, the report states.
Security Isn’t Enough. Silicon Valley Needs ‘Abusability’ Testing
The article by Andy Greenberg was published in Wired, 28 January 2019
At the USENIX Enigma security conference in Burlingame, California, on Monday, former Federal Trade Commission chief technologist Ashkan Soltani plans to give a talk centered on an overdue reckoning for move-fast-and-break-things tech firms. He says it’s time for Silicon Valley to take the potential for unintended, malicious use of its products as seriously as it takes their security. Tech companies need to think not just about protecting their own users but about what he calls abusability: the possibility that users could exploit their tech to harm others, or the world.
D.C. Metro System Beefs Up Supply-Chain Cybersecurity Provisions for New Railcars
The article by Sean Lyngaas was published in CyberScoop, 6 February 2019
The Washington, D.C. area’s Metro system, in response to U.S. senators who raised security concerns about a new line of railcars, now says it will use the National Institute of Standards and Technology’s cybersecurity framework to vet software and hardware proposed for the project. The senators had expressed security concerns over the railcar procurement after reports that a Chinese state-owned manufacturing company could win the bid. They asked if Metro would consult with defense officials before allowing foreign-government-built railcars to stop at the Pentagon, which is part of the Metro system. Alluding to China, the senators wanted to know if Metro would consider a company’s ties to foreign governments with a history of industrial and cyber-espionage when assessing bids.
Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards
The report by the World Economic Forum was published on their website, 13 February 2019
Cyber resilience is a challenge for all organizations, but, due to its vital role as a societal backbone, it is of particular importance for the electricity ecosystem. This report developed by the World Economic Forum in collaboration with electricity industry partners and Boston Consulting Group offers principles to help board members meet the unique challenges of managing cyber risk in the electricity ecosystem.
Germany Sees Big Rise in Security Problems Affecting Infrastructure
This article by Madeline Chambers was published in Reuters, 17 February 2019
Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids and water suppliers, the BSI cybersecurity agency said on Sunday, adding however that they were not all due to hacking. The Welt am Sonntag weekly had reported on Sunday that Germany had learned of 157 hacker attacks on critical infrastructure companies in the second half of 2018 compared to 145 attacks in the whole of the previous year.
Routing Security – Getting Better, But No Reason to Rest
This article by Andrei Robachevsky was published in MANRS, 5 February 2019
In this article, Andrei Robachevsky assesses changes in routing security in 2018, compared to 2017. He thereby sketches an image of an overall move in the right direction. The overall number of incidents was reduced, but the ratio of outages vs routing security incidents remained unchanged – 62/38. In spite of the abovementioned positive development, Robachevsky calls for more awareness and attention to the issues of routing security in the network operator community.
Others
Researchers Use Intel SGX to Put Malware beyond the Reach of Antivirus Software
This article by Peter Bright was published in Ars Technica, 12 February 2019
Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can’t be analyzed or identified by antivirus software, using the processor’s own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks.
Undercover Spy Exposed in NYC Was 1 of Many
The article by Raphael Satter was published in AP News, 11 February 2019
When mysterious operatives lured two cybersecurity researchers to meetings at luxury hotels over the past two months, it was an apparent bid to discredit their research about an Israeli company that makes smartphone hacking technology used by some governments to spy on their citizens. The Associated Press has now learned of similar undercover efforts targeting at least four other individuals who have raised questions about the use of the Israeli firm’s spyware. The details of these covert efforts offer a glimpse into the sometimes shadowy world of private investigators, which includes some operatives who go beyond gathering information and instead act as provocateurs. The targets told the AP that the covert agents tried to goad them into making racist and anti-Israel remarks or revealing sensitive information about their work in connection with the lawsuits.
Athens at the Center of European Cyber Security Strategy
This article by Yiannis Mouratidis was published in Forbes, 10 February 2019
To address the issue of cybersecurity effectively, the European Union Agency for Network and Information Security (ENISA) recently took a big step in terms of efficient European cooperation. ENISA has taken the opportunity to work closely with its partner organizations: the European Defense Agency EDA, the European Union Agency for Law Enforcement Cooperation Europol, and the Computer Emergency Response Team for the E.U. Institutions, Agencies and Bodies CERT-EU. In this regard, ENISA has signed a memorandum of understanding, which establishes a framework promoting cooperation on cybersecurity and defense.
The Future of Cybernorms: European Perspectives on Responsible Behavior in Cyberspace
On the 6th of March, the Danish Institute for International Studies (DIIS) will be hosting a seminar on Europe’s role in promoting responsible behavior in cyberspace.
Since the UN Group of Governmental Experts on Information Security failed to reach agreement in 2017, the global, multilateral efforts to promote responsible behavior in cyberspace have tried to regain the political momentum. However, several initiatives have been introduced at both state, non-state and intergovernmental level. The EU has introduced a cyber diplomatic toolbox, Microsoft continues to promote a digital Geneva Convention, the Global Commission on the Stability of Cyberspace proposed six cyber norms, and Denmark has introduced the world’s first Tech Ambassador.