Cyberstability Update – January 2019
Thursday 7th of February 2019
Global Commission Convenes Fifth Cyber Stability Hearings in Geneva
The Global Commission on the Stability of Cyberspace (GCSC) conducted its fifth public hearings at the Palais des Nations, United Nations Office in Geneva, on January 22, 2019. The Hearings were hosted by the United Nations Institute for Disarmament Research (UNIDIR).
A keynote address was delivered by Fabrizio Hochschild, United Nations Assistant Secretary-General for Strategic Coordination, and remarks were also provided by Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy, Federal Department of Foreign Affairs of Switzerland.
The GCSC will next convene in March 2019 in Japan on the margins of the ICANN64 meeting. In the run-up to this meeting, the GCSC continues to welcome input from other stakeholders on its work. Comments may be sent to [email protected] or [email protected].
Request For Consultation Submissions
The GCSC would like to thank the organizations that have submitted feedback in response to the Request for Consultation on the Singapore Norm Package. Excellent submissions were received from a wide range of stakeholders (governments, private sector, and civil society) for which the GCSC is very grateful. The received comments were collected and presented to the Commission in Geneva and will be considered in the writing of the GCSC Report.
In line with the expected GCSC work program, an “Expanded Request for Consultation” will be launched by the beginning of Q3 2019. A format for this Expanded Request for Consultation will be devised and circulated in due course.
This Cyberstability Update is an overview of all articles included in our Weekly Newsletters for the month.
The GCSC in the News
The article by Howard Solomon was published in IT World Canada, 23rd January 2019
The two-day meeting in Geneva of the Global Commission on the Security of Cyberspace, hosted by a United Nations agency, is the fifth public hearing run by the commission which is trying to create momentum behind a set of unacceptable norms of online behavior. A think tank of prominent people from around the world, the commission hopes to develop proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace.
After holding public hearings Tuesday, today commission members will hold their first meeting of 2019 to discuss a definition for cyber stability. In addition they’ll try to stitch together “a way forward for the international peace and security architecture in cyberspace.”
The article by Warwick Ashford was published in Computer Weekly, 21st January 2019
Regarding the usage of offensive tools for defensive purposes, more focus should be put on rules of engagement, political control, and legality, the experts said, noting that the nature of offensive cyber actions is unique and will require new areas of planning. “It’s important to reiterate that, whatever states will do, must stay within the framework of international law,” said Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace, and former foreign affairs minister for Estonia. “International law applies to cyber,” she said. “International law applies to offensive capabilities. No question, no doubt should be raised about that.”
The article by Gareth Corfield was published in The Register, 22nd January 2019
Frédérick Douzet, a member of the Global Commission on the Stability of Cyberspace, gloomily opened with: “We really believe that cyberspace stability is at risk, international security and peace is also at risk.” She qualified that by saying it was “because of a broader geopolitical context that shows a lot of tension right now.” “There is a strong incentive to find a way to regulate this space to avoid a major catastrophe,” she added, pointing out that nation states’ tools (such as the NSA’s Eternalblue) have a nasty habit of leaking into the public domain, with elements ending up in malware such as WannaCry and NotPetya.
The report by Commissioner James A. Lewis was published by The Center for Strategic and International Studies, 9th January 2019
James A. Lewis provides comments to the U.S. Department of Commerce, Bureau of Industry and Security – Recent legislative changes call for enhanced scrutiny on potential transfers of “emerging and foundational technologies.” These are broadly defined as technologies essential to U.S. national security. The Congressional intent is for agencies to develop a more specific list, with robotics and artificial intelligence as primary concerns. Developing this list raises several issues. These include how to determine the military utility of an emerging technology, how to control the diffusion of the technology, and how to manage the risks of increased control for American innovation.
Last April, when 34 technology companies announced their membership of a Cybersecurity Tech Accord, it was portrayed as proof that the private sector was, at long last, taking responsibility for protecting civilians online — something governments had conspicuously failed to do. Since then, the ranks of signatories to the self-imposed cybersecurity standards have more than doubled. I am entirely in favor of companies acting responsibly: For too long, they have been negligent about protecting the data of their users and customers. But when the most powerful tech companies take on the responsibility of global rule-making and cross-border governance, to set and enforce standards, that is deeply problematic for democracy and the rule of law.
The article by Jim Smith and Lynn St. Amour was published by the World Economic Forum, 18th January 2019
It is one of the great ironies of the immense potential of digital technology that we are no longer dealing with just a question of technology – 60% of global GDP is expected to be digitized by 2022 and there is increasingly little distinction between the digital economy and the ‘real’ economy, between digital society and ‘real’ society. As a result, we must address larger issues that are forcing their way onto the global agenda.
In the year ahead, dozens of global organizations and institutions, including the G20, the UN General Assembly, the Internet Governance Forum, the Wuzhen Internet Conference, Global Commission on the Stability of Cyberspace, the UN High Level Panel on Digital Cooperation and the World Economic Forum will convene communities around these topics. These efforts are mirrored and enriched through regional, national and local efforts.
The article by Leila Mead was published on the International Institute for Sustainable Development SDG Knowledge Hub website, 29 January 2019
The Global Commission on the Stability of Cyberspace met in Geneva to discuss international security and information and communications technology (ICT). Fabrizio Hochschild, UN Assistant Secretary-General for Strategic Coordination, who participated in both meetings, reiterated the UN Secretary General’s belief that challenges posed by the digital age are “one of the key issues of our time,” next to climate change and inequality.
International Cyber Affairs
The article by Keith Bradsher and Katrin Bennhold was published in The New York Times, 23rd January 2019
Leaders of Japan, South Africa, China and Germany issued a series of calls on Wednesday for global oversight of the tech sector, in a clear signal of growing international interest in seizing greater regulatory supervision of an industry led by the United States. Prime Minister Shinzo Abe of Japan said his country would use its chairmanship of the Group of 20 nations this year to push forward a new international system for the oversight of how data is used. Data governance will be the theme when the group’s presidents and prime ministers gather in June in Osaka for their annual summit meeting.
The full speech by Shinzō Abe, Prime Minister of Japan, was published by the World Economic Forum, 23rd January 2018
In his speech, Prime Minister Abe highlights the G20 summit, taking place in Osaka in June 2019. He addresses the digital economy, data governance and Japan’s commitment to preserving and enhancing the free, open, and rules-based international order.
The article by Elias Groll and Robbie Gramer was published in Foreign Policy, 24th January 2019
The heads of the House Foreign Affairs Committee will introduce a bill Thursday that would establish the Office of International Cyberspace Policy at the State Department, a measure that attempts to reinvigorate U.S. cyberdiplomacy efforts. The bill aims to fill what lawmakers see as a critical gap in the U.S. diplomatic front, as the Trump administration ramps up the targeting of state-backed hackers in China and Russia through sanctions and indictments, while removing Obama-era rules that restricted the U.S. government’s ability to launch offensive cyberattacks.
The bill also seeks to address a broader philosophical fight going on within the government on how the United States should address diplomacy in the digital age, and how to balance human rights and economic priorities with national security concerns.
The European Commission press release was published on their database, 25 January 2019
At the World Economic Forum in Davos today, 76 partners – the European Union and 48 other members of the World Trade Organisation (WTO) – decided to start negotiations to put in place global rules on electronic commerce. The last two decades have seen the exponential growth of domestic and cross-border electronic commerce. Despite this fast increase in electronic transactions, there are no specific multilateral rules in the WTO regulating this type of trade. Business and consumers instead have to rely on a patchwork of rules agreed by some countries in their bilateral or regional trade agreements.
This report examines key properties – or “vectors” – of the digital transformation that fundamentally affect the economy and society and accordingly the design and efficacy of public policies. It explores three main areas where digital transformation affects the ways the economy and society are operating, i.e.: a) scale, scope and speed; b) ownership, assets and economic value; and c) relationships, markets and ecosystems. Exposing the underlying nature of change, the seven vectors provide insights on how the transformation challenges policies that are frequently predicated on an analogue world of tangible products and assets, fixed geographic boundaries and physical locations, on transaction costs that limit the scale and scope of interactions and offerings, and on supply and demand conditions that reflect scarcity. The objective of this report is to support the review of existing and the design of new policies to ensure that they are well‑suited to the digital era.
The article by Raphael Satter was published by the Associated Press, 26 January 2019
The researchers who reported that Israeli software was used to spy on Washington Post journalist Jamal Khashoggi’s inner circle before his gruesome death are being targeted in turn by international undercover operatives, The Associated Press has found. Citizen Lab Director Ron Deibert described the stunts as “a new low.” “We condemn these sinister, underhanded activities in the strongest possible terms,” he said in a statement Friday. “Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere.”
The article by Kevin Poulsen was published in The Daily Beast, 31 January 2019
Russia’s military intelligence directorate, the GRU, has been caught in a new round of computer intrusion attempts, this time aimed at the Center for Strategic and International Studies, a prominent Washington, D.C. think tank heavy with ex-government officials.
The article by Shashi Tharoor was published in The Washington Post, 18th January 2019
India is now ground zero in a struggle over the instrument that so enhanced its democracy but now threatens to undermine it: the Internet. In late December, Prime Minister Narendra Modi’s government proposed new rules empowering it to order Internet companies like Facebook and Twitter to remove content from their platforms within 24 hours. The government broadly defines the rules as affecting “intermediaries,” which could potentially mean all Internet-based companies, from social media platforms to search engines to e-commerce platforms. The criticism was swift from Internet giants, who are calling the move a form of censorship and are mounting a legal battle.
Trust and Accountability in the Supply Chain
The article by Micah Lee and Henrik Moltke was published in The Intercept, 24th January 2019
In October, Bloomberg Businessweek published an alarming story: Operatives working for China’s People’s Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. But while Bloomberg’s story may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents. What’s clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance — and much work remains to be done to secure computing devices from this type of compromise.
The White Paper by Public Knowledge was published on their website, 25 January 2019
The federal government should test a “Security Shield” program to encourage companies to meet cybersecurity best practices, the nonprofit group Public Knowledge said in a white paper published Tuesday. The program would be based on criteria developed by the technical standards agency NIST, in coordination with other agencies and industry experts. “A pilot program” in which well-designed routers carry Security Shield labels “is one way to begin building towards a trusted label that consumers can use to reliably evaluate product risk and move the market towards a more secure internet ecosystem,” wrote Public Knowledge’s Megan Stifel, Dylan Gilbert and Mark Peterson.
The article by Dan Goodin was published in Ars Technica, 23 January 2019
Officials with the widely used PHP Extension and Application Repository have temporarily shut down most of their website and are urging users to inspect their systems after discovering hackers replaced the main package manager with a malicious one. PEAR’s advisory is the latest to expose what’s known as a supply-chain attack. These attacks are particularly effective because a single hack poisons software at its source where potentially large numbers of people go to get their downloads.
The article by Andy Greenberg was published in Wired, 28 January 2019
At the USENIX Enigma security conference in Burlingame, California, on Monday, former Federal Trade Commission chief technologist Ashkan Soltani plans to give a talk centered on an overdue reckoning for move-fast-and-break-things tech firms. He says it’s time for Silicon Valley to take the potential for unintended, malicious use of its products as seriously as it takes their security. Tech companies need to think not just about protecting their own users but about what he calls abusability: the possibility that users could exploit their tech to harm others, or the world.