Cyberstability Update – September 2018
The Global Commission on the Stability of Cyberspace (GCSC) convened its full meeting on 19-20 September 2018 in the margins of the Singapore International Cyber Week (SICW).
On 19 September, the Commission hosted its public Cyberstability Hearings between 14:00 and 18:00 at the Marina Bay Sands Expo and Convention Centre. The Hearings were open to all SICW participants and featured discussions between Commissioners and high-level representatives of international organizations, the private sector and a large number of governments. The objective of the public hearing was to engage with all stakeholders and give an opportunity for feedback on the norms and other work of the Commission so far.
On 20 September, the Commission convened in a closed session where it agreed on five new norms of responsible behavior. The norms package was developed by the GCSC Commissioners, advisory experts and the GCSC Research Advisory Group and was refined by extensive debate. Once finalized, the norms will urge governments and other stakeholders to avoid acts or omissions that would impair the stability of cyberspace. They will also urge action to preserve the stability of cyberspace. The norms package builds on previous norms introduced by the GCSC concerning the disruption of elections through cyber attacks on electoral infrastructure and a Call to Protect the Public Core of the Internet.
The Research Advisory Group (RAG) fulfills a critical research and execution element of the Commission. It functions as the Commission’s academic backbone and links the GCSC to the wider research community.
The core interaction of the Research Advisory Group (RAG) of the Global Commission on the Stability of Cyberspace (GCSC) has been merged into one email list that consolidates the key subject areas that the Commission focusses its work on.
Interested in joining the Research Advisory Group?
The Commission is currently looking to recruit researchers and experts to join the Research Advisory Group. Interested parties should send an application email to [email protected] from the email address they want to subscribe. Find more information about the requirements and how to join here.
The GCSC in the News
United Nations Secretary-General António Guterres convened the first in-person meeting of the High-level Panel on Digital Cooperation in New York this week. The Panel, comprising a diverse group of leaders including government ministers, young entrepreneurs, academics, and activists, discussed how collaborative, global approaches could help tackle some of the challenges posed by rapid technological change. Taking part in the panel was GCSC Chair Marina Kaljurand.
During the two-day meeting, Panel members discussed how greater global cooperation could help achieve an inclusive and safe digital future for all. Panel members reviewed a range of issue areas in order to begin distilling potential principles and modalities for digital cooperation.
The new High-Level Panel on Digital Cooperation (HLP.DC), appointed by UN Secretary General Antonio Guterres, will have its first face-to-face meeting in New York, September 25-26, 2018, just before the beginning of the 73rd UN General Assembly.
To paint a picture of how the “digital future for all” should look is a big challenge. There is obviously an opportunity that the panel concludes with some exciting new political innovations on how to stabilize a peaceful cyberspace which enables digital trade, sustainable development as well as economic growth and respects human rights. But there is also a risk that the outcome will be just another report which will sooner or later disappear in the UN archives.
To some fanfare, the White House announced a national cyber strategy last week. It breaks little new ground but still sends an important message that cyber continues to be a priority. Now action is needed to ensure it doesn’t become shelf-ware.
The Trump administration claimed this was the first such strategy since 2003 when President George W. Bush issued the National Strategy to Secure Cyberspace. That’s a little misleading. Though it wasn’t styled as a ‘strategy’ President Barack Obama issued a detailed cyberspace policy review within four months of taking office.
The new document is still very important because threats in cyberspace are increasing and it clearly defines this administration’s cyber policy. It doesn’t discard work and policy but builds on it.
Information technology has reshaped international conflict. The 1990s vision that the end of the Cold War was a triumph for market democracy has proven to be an illusion. Several powerful trends, including the reaction to U.S. supremacy, the fraying of the international order created after 1945, and the political effect of information technology are reshaping international security. There is a broad discontent with the international status quo among new and resurgent powers, and competition and conflict among great powers has been reshaped by information technologies. The nexus of strategic competition is not jihad or defending some imaginary global commons, but over how the world will be ordered and who will order it.
International Cyber Affairs
The article by Ellen Nakashima was published in the Washington Post, 20th September 2018
The White House has “authorized offensive cyber operations” against U.S. adversaries, in line with a new policy that eases the rules on the use of digital weapons to protect the nation, national security adviser John Bolton said Thursday.
The Trump administration is focused on foreign governments’ attempts to target U.S. networks and interfere in November’s election. The strategy incorporates a new classified presidential directive that replaced one from the Obama administration, Bolton said. It allows the military and other agencies to undertake cyber operations intended to protect their systems and the nation’s critical networks.
The address was given in New York, 25th September 2018
In his address to the 73rd Session of the General Assembly, His Highness Sheikh Tamim bin Hamad Al-Thani, Amir of the State of Qatar, stated that “a series of events recently experienced by several countries reminded us that new needs have emerged that were previously unknown, such as the freedom of access, and the need to protect the private sphere of citizens from the risk of hacking. He also alerted us to the cyber security of nations. Accordingly, it is necessary to regulate dealing with these issues and control their risks internationally.”
Sheikh Tamim bin Hamad Al-Thani Amir proposed convening an international conference to examine ways to have this matter regulated by international law and expressed the readiness of Qatar to host this conference.
The article was published on the Reporters Without Borders website, 9th September 2018
Seventy years after the UN General Assembly adopted the Universal Declaration of Human Rights in Paris, the Paris-based international NGO Reporters Without Borders (RSF) announces the formation of a panel of 25 prominent figures with the aim of drafting an International Declaration on Information and Democracy.
Co-chaired by Nobel peace laureate Shirin Ebadi and RSF secretary-general Christophe Deloire, the “Information and Democracy Commission” includes Nobel economics laureates Joseph Stiglitz and Amartya Sen, Peruvian novelist and Nobel literature laureate Mario Vargas Llosa and Nigerian human rights lawyer Hauwa Ibrahim, a recipient of the European Parliament’s Sakharov Prize.
This initiative’s ultimate goal is an international commitment by governments, private-sector companies and civil society representatives. To this end, RSF expects a political process to be launched at the initiative of the leaders of several democratic countries on the basis of the Declaration, and that this will lead to an “International Pledge on Information and Democracy.”
The article by Herb Lin was posted on the Lawfare Blog, 6th September 2018
This article defines information warfare and influence operations as the deliberate use of information by one party on an adversary population to confuse, mislead and ultimately influence the actions that the targeted population makes.
In the context of U.S. military doctrine, information warfare and influence operations are most closely related to information operations or military information support operations. But the primary focus within U.S. military doctrine on these operations is tactical. By contrast, the focus of this article is information warfare and influence operations that seek to affect entire national populations.
The article by Adam Segal was posted on the Council on Foreign Relations blog, 26th September 2018
This week, three years after Presidents Xi and Obama signed an agreement that neither side would engage in cyber espionage for economic advantage, the International Cyber Policy Centre at the Australian Strategic Policy Institute has published a report looking at the state of the agreement, along with China’s adherence to follow-on agreements it signed with Australia and Germany. The findings, based on public reporting and interviews with government officials and cybersecurity companies, are not good: “In all three counts, it was found that China was clearly, or likely to be, in breach of its agreements.”
Despite a downturn in Chinese hacking after the agreement with the United States, there is now evidence that Beijing has adapted its methods.
The post was published on the Cybersecurity Tech Accord website, 10th September 2018
Governments are beginning to consider the risks associated with discovering or acquiring cybersecurity vulnerabilities and the wide-ranging scope of potential impact if they are exploited for use in a cyberweapon. While there may be national security benefits from acquiring and retaining such vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities may be used against a government’s own computing infrastructure, all its citizens, and, potentially, interdependent organizations around the world.
To strike an appropriate balance between risks and benefits, governments should optimize investing in defensive rather than offensive technologies and develop policies that clearly define how they acquire, retain, and use vulnerability information. Central to this approach should be a presumption of private disclosure over the retention of vulnerabilities.
The opinion piece was posted by Brad Smith on the Microsoft Blog, 11th September
Governments around the world have started to modernize the processes by which law enforcement accesses digital evidence across borders. In the United States, passage of the CLOUD Act created the foundation for a new generation of international agreements that allows governments to engage with each other to create lasting rules to protect privacy and facilitate legitimate law enforcement access to evidence. In Europe last week, the European Commission presented its proposed e-Evidence legislation to the European Parliament. Many other governments are similarly seeking to update their laws to protect privacy, promote digital security and address the challenge of an increasingly borderless world.
As a global company entrusted by millions of users, Microsoft believes it is important to make clear how governments should address these issues. For that reason, they are sharing six principles that have driven, and will continue to drive, their advocacy as governments reform their laws and negotiate international agreements.
The article by Ben Buchanan was published on the Council on Foreign Relations blog, 25th September 2018
The concept of “defend forward” is heavily emphasized in the new Department of Defense cyber strategy. Despite what others may think, defending forward in cyberspace is not a new concept. Last week, the Department of Defense launched a new cyber strategy. Although the details of the strategy are classified, the unclassified summary has attracted a lot of attention. Much of it has focused on the U.S. military’s plan to “defend forward” to better protect U.S. networks. Beyond the political posturing, the strategy does seem to reflect a freeing of U.S. Cyber Command to do more outside U.S. networks in order to interdict adversarial hackers before they can have malicious effects.
The article by Sergey Sukhankin was published in The Jamestown Foundation Eurasia Daily Monitor, 26th September 2018
Russian military strategists who have analyzed regional military conflicts between 1999 and 2014 conclude that even a less-developed party may be able to at least partly degrade the technological advantage of a stronger adversary if the weaker power can attain information superiority over its opponent.
Indeed, one of the key lessons Russia has drawn from its participation in the Syrian civil war is that defeating the enemy on the information battlefield is an integral part of a successful asymmetric counter-actions strategy. The adoption of the new Information Security Doctrine (2016) and subsequent steps illustrate Russia’s growing determination to ensure its control over the entire information space of the Moscow-led Collective Security Treaty Organization (CSTO), and arguably beyond.
The article by Kim Zetter was published in New York Times Magazine, 26th September 2018
As the midterms approach, America’s electronic voting systems are more vulnerable than ever. Why isn’t anyone trying to fix them? The answer, ultimately, comes down to politics and money. The ballot box is the foundation of any democracy. It’s not too grand to say that if there’s a failure in the ballot box, then democracy fails. If the people don’t have confidence in the outcome of an election, then it becomes difficult for them to accept the policies and actions that pour forth from it. And in the United States, it’s safe to say, though few may utter it publicly, that the ballot box has failed many times and is poised to fail again.
The article by Merle Maigre & Kadri Kaska was published in RKK International Centre for Defense and Security (RKK ICDS), 20th September 2018
In recent years, the development of cyber defence has been shaped by two major trends. The first derives from technology and its role in today’s society. The complexity of the digital environment has increased due to rapid and multidirectional technological development, thereby also diversifying the vectors and targets of cyber threats. New technologies and solutions—mobile devices and the Internet of Things, cloud computing, biometrics, machine learning and artificial intelligence, self-driving vehicles, the emergence of quantum computing—create new opportunities. However, technology is never perfect; any technological system, service or innovation is ultimately vulnerable. Nobody has a full understanding of the risks that accompany digital products, services and forms of enterprise.
The article by Jack Corrigan was published in NextGov, 27th September 2018
The government needs to diversify and strengthen its efforts to stop China from co-opting the U.S. innovation economy to support its own global ambitions, industry experts told lawmakers on Wednesday. And tariffs probably aren’t the best way to do it, they said.
“For more than 40 years, the U.S. has encouraged China to develop its own economy and take its place alongside the U.S. as a central and responsible player on the world stage,” said House Oversight IT subcommittee Chairman Will Hurd, R-Texas. “China does not want to join us, they want to replace us. More importantly, China has not been playing fair.”
In the spotlight this month
The article by Ava Kofman was published in The Intercept, 8th September 2018
LinkNYC kiosks have become a familiar eyesore to New Yorkers. Over 1,600 of these towering, nine-and-a-half-foot monoliths — their double-sided screens festooned with ads and fun facts — have been installed across the city since early 2016. Mayor Bill de Blasio has celebrated their ability to provide “the fastest and largest municipal Wi-Fi network in the world” as “a critical step toward a more equal, open, and connected city for every New Yorker, in every borough.”
But even as the kiosks have provided important services to connect New Yorkers, they may also represent a troubling expansion of the city’s surveillance network, potentially connecting every borough to a new level of invasive monitoring. Each kiosk has three cameras, 30 sensors, and heightened sight lines for viewing above crowds.
The article was published by BBC News, 20th September 2018
The UK government is considering “all options”, including a regulator, as part of new legislation governing the internet. It has previously said it will publish a White Paper in the coming months, laying out its proposals. According to Buzzfeed News, the White Paper will propose a regulatory body similar to Ofcom, which regulates broadcasters and telecoms companies.
The article by Kevin Poulsen was published in The Daily Beast, 27th September 2018
Russia’s GRU has secretly developed and deployed new malware that’s virtually impossible to eradicate, capable of surviving a complete wipe of a target computer’s hard drive, and allows the Kremlin’s hackers to return again and again.
The malware, uncovered by the European security company ESET, works by rewriting the code flashed into a computer’s UEFI chip, a small slab of silicon on the motherboard that controls the boot and reboot process. Its apparent purpose is to maintain access to a high-value target in the event the operating system gets reinstalled or the hard drive replaced—changes that would normally kick out an intruder.
The article by Chris Pleasance was published in the Daily Mail Online, 26th September 2018
A former NSA employee who took secret files home with him in an effort to get promoted has been jailed after they were allegedly stolen by Russian spies. Nghia Hoang Pho, 68, from Maryland, was sentenced to five and a half years Tuesday after earlier pleading guilty to willful retention of national defense information. Pho was working as a software developer for the NSA’s Tailored Access Operations branch, which hacks into foreign computer networks, at Fort Meade when he began taking the files home in 2010.