Cyberstability Updates – August 2018
The Global Commission on the Stability of Cyberspace (GCSC) will convene its full meeting on 19-20 September 2018 in the margins of the Singapore International Cyber Week (SICW).
On 19 September, the Commission will host its public Cyberstability Hearings between 14:00-18:00 at the Marina Bay Sands Expo and Convention Centre. The Hearings are open to all SICW participants and will feature discussions between Commissioners, governmental advisors, private sector and civil society representatives on matters pertaining to international peace and security in cyberspace. They will provide advanced insight into and discussion about some of the current developments and thinking on norms of responsible behaviour in cyberspace, implementation and enforcement mechanisms, and the way forward for the international security architecture in cyberspace.
On 20 September, the Commission will convene in a closed session to advance its agenda and the discussion on governance.
Sign up to the weekly newsletter!
Want to receive these updates on a weekly basis? Sign up here to receive our weekly newsletter on the work of the Global Commission on the Stability of Cyberspace (GCSC), its members and developments in the field of international cyber policy.
The GCSC in the News
At a recent workshop on cybersecurity at Ditchley House, sponsored by the Ditchley Foundation in the U.K., a primary topic of consideration was how to preserve the freedom and openness of the Internet while protecting against the harmful behaviors that have emerged in this global medium. In other columns, I have argued for better software development tools to reduce the common mistakes that lead to vulnerabilities that are exploited. Here, I want to focus on another aspect of response related to law enforcement and tracking down perpetrators. What is of interest to me is a concept to which I was introduced at the Ditchley workshop, specifically, differential traceability.
Amid the theatrics surrounding the defense spending issue at the recent NATO Summit in Brussels, some groundbreaking decisions made by the allies on cyber defense were overlooked. They represent a major shift in NATO’s approach to cyberattacks and their details are worth decoding. NATO’s new approach, spelled out in the comprehensive “Summit Declaration” and other public documents, is all about the operationalization of cyber defense and imposing costs upon attackers.
The Internet Society Cybersecurity Special Interest Group uploaded a webinar on Advanced Experiences in Cyber Policies and Practices on 6th August, in which Commissioner James A. Lewis was a speaker. Watch the full video of the Webinar here.
This is How We Protect our Democracy in Online Times
The article (in Dutch) by Commissioner Marietje Schaake was published in the Volkskrant, 12th August 2018
Special prosecutor Mueller sued a troll factory in the US this year. Through fake accounts, employees of the ‘Internet Research Agency’ tried to manipulate American public opinion. Twelve members of the Russian military intelligence service recently also joined in, actively hacking the Democratic Party leadership and Hillary Clinton’s campaign. A commission from the British Parliament presented a preliminary report on the impact of the spread of fake news on the Brexit referendum. The underlying question in both surveys is how we prevent digital manipulation of future elections.
There are numerous actors who impose national interests on the internet with unfair means. But far too little has been paid to EU politicians on this global digital arms race. Si vis pacem, para bellum. Does the Latin saying, “If you want peace, prepare the war,” also apply to cyberspace? If one looks at the militarization of the digital world, then one could speak with a dose of cynicism of a phase of active cyber-peace policy. Of course, it’s nothing like it. With each new cyberhack, there is a growing risk that the world will enter a dangerous spiral that can lead to disaster.
Cyber Threats to Our Nation’s Critical Infrastructure
Senate Judiciary Committee on Crime and Terrorism, 21st August 2018
Commissioner James A. Lewis, senior vice president for the Center for Strategic and International Studies (CSIS), testified before the Senate Judiciary Committee on Crime and Terrorism on “Cyber Threats to Our Nation’s Critical Infrastructure.” Watch the video of the Committee Hearing here and download the testimony of Dr. Lewis here.
In the latest in a series of articles, Commissioner Joseph Nye discusses President Donald Trump and the issue of trust.
Nearly three decades ago, American political scientist and former Clinton administration official Joseph Nye put forth an idea in the pages of Foreign Policy. He called it soft power, a concept that caught fire and went on to define the post-Cold War era. This article explores this concept in the modern era.
For further discussion see the article of Graeme Dobell, ‘The Power Of Soft Power‘, published in the Australian Strategic Policy Institute (ASPI) on the 20th August 2018. Follow Mr. Nye in his column on Project Syndicate, or listen to The Cyberlaw Podcast by Stewart Baker, where he revisits an April 2015 interview with Joseph Nye on the challenge posed by cyberweapons.
Commission Co-Chair Michael Chertoff will be a speaker at the Offshore Northern Seas (ONS) Foundation Conference, taking place in Stavanger, Norway from August 27th-30th. The panel discussion, “100% cyber secure—Is it utopia?” will examine digitalization and how the use of smart grids and smart devices make the energy sector an attractive target for cyber-attacks, with an eye to how enterprises can manage the risks and, more importantly, become cyber resilient.
If you would like to hear more from Mr. Chertoff, tune in to the Cybersecurity Breakfast at the American Chamber of Commerce, Sweden, on the 30th August. He will be describing his thoughts on current cybersecurity threats, measures that have been implemented to protect U.S. interests, and how business can learn from past experiences and address critical vulnerabilities.
The Trump administration rescinded Presidential Policy Directive 20, a move that sets the stage for more aggressive use of offensive cyber operations by the Pentagon against nation-states and their associate hacking groups. This article discusses U.S. cyber operations moving forward, referencing Commissioner Christopher Painter.
Derek Hawkins of the Washington Post also discusses this issue and the comments of Mr. Painter in his article ‘The Cybersecurity 202: Trump just gave the military a lot more leeway to launch cyber operations’, published on 17th August 2018
Dig Deep for Real Change. “We need to be more ambitious, strategic and collaborative in our approach to defense,” said Google’s Engineering Director, Parisa Tabriz in the opening keynote. As the world’s dependence on increasingly interconnected and complex technology rises, we need to do more digging to find out the structural and organizational security issues that need to change. Black Hat Founder and member of the GCSC Commissioner Jeff Moss echoed the need for a more strategic approach.
Cyber security is a relatively new international problem. A decade ago, it received little attention as an international issue, but since 2013 the Director of National Intelligence has named cyber security risks as the biggest threat facing the USA. Many observers have called for laws and norms to manage the growing cyber threat. In this paper Joseph Nye outlines the key normative restraints on cyber conflict. He draws on the development of international norms in recent history to offer insights into the formation of normative restraints in the cyber realm.
Estonia’s Cyber Unit Holds Lessons for a more Secure Online Future
The article by Heather Stephenson was published in Tufts Magazine, 3rd August 2018
The Baltic country of Estonia was subjected to an unprecedented cyberattack in April 2007, shortly after it removed a controversial Soviet-era war memorial from its capital. The IT community, together with help from international partners including NATO, eventually contained the problem and got the country back online. Inspired by its home-grown, high-tech volunteers, Estonia created a new group within its voluntary military organization the next year: the Estonian Defense League’s cyber unit. GCSC Chair Marina Kaljurand said governments must find ways to partner with the private sector to ensure cybersecurity. “We need a multi-stakeholder approach. Not just IT geeks, but also civil society, academia.
Undersea Cables are a Vital Link to Cyberspace Stability
The article by Commissioner Motohiro Tsuchiya was published in AsiaGlobal Online, 2nd August 2018
On July 27, 2018, the Japanese government updated its cybersecurity strategy, calling for the strengthening of infrastructural protection, including that of international undersea cables. Given that cyber espionage, hacking, and information manipulation have featured extensively in the global news cycle and become agenda items for policymakers in many governments, we are reminded that functional infrastructure remains essential to the stability of societies. Undersea cables connecting continents and islands form the very core of global communications. The protection of such cables is crucial to maintaining the stability of cyberspace.
18th Meeting of the ICANN Studienkreis
The meeting took place in Tallinn, Estonia 30-31 August 2018
Established in 1999, the ICANN Studienkreis organizes annual high level expert seminars on subjects, related to Internet Governance and the development of ICANN. The program includes a welcome & opening by Commissioner Wolfgang Kleinwächter (Chair & Founder, ICANN Studienkreis), as well as a key note speech on Cybersecurity and Internet governance from GCSC Chair Marina Kaljurand.
International Cyber Affairs
From Cyber-Utopia to Cyber-War: Normative Change in Cyberspace
The dissertation by Matthias Schulze was published in the Digital Library Thüringen, 3rd August 2018
This dissertation analyzes a normative change in state perception and political action towards the Internet. This change is currently reflected in certain measures aimed at the exercise of control and state sovereignty in and over cyberspace. These include phenomena such as the total surveillance of data streams and the extensive collection of connection data by secret services, the control (political censorship) and manipulation of information (information war) as well as the arms spiral around offensive cyber capabilities to disrupt and destroy information infrastructures.
Ten years ago this month, war erupted between Russia and Georgia after Georgian troops attacked South Ossetia and shelled the town of Tskhinvali, in response to alleged Russian provocations. Russia’s application of hybrid warfare – a concurrent use of battlefield and cyber operations – was precedent setting. Russia enhanced and enabled its extensive land, air, and sea attacks with sophisticated and synchronized cyberspace operations. Russia’s cyber attacks against Georgia reflected a new level of complexity, which built on the massive DDoS attacks against Estonia the year before.
Eliminating a Blind Spot: The Effect of Cyber Conflict on Civil Society
The article by Lennart Maschmeyer was published by the Council of Foreign Relations, 7th August 2018
Civil society organizations (CSOs) have been targeted by the same campaigns as large corporations and governments for over a decade, threatening not only freedom of expression but democracy itself. A prominent example is the 2009 Aurora campaign that compromised over thirty large corporations and became infamous for succeeding to steal Google’s source code. Since then, state-backed digital espionage has been increasingly used against journalists, activists, and humanitarian groups around the globe. Importantly, while facing the same advanced threats as large companies, CSOs lack resources to build up resilience and enlist outside help, rendering them highly vulnerable—and increasingly so as threats continue to evolve.
From Laboratory in Far West, China’s Surveillance State Spreads Quietly
The article by Cate Cadell was published in Reuters, 14th August 2018
The officers took Liu’s iPhone, hooked it up to a handheld device that looked like a laptop and told him they were “checking his phone for illegal information”. Liu’s experience in Urumqi, the Xinjiang capital, is not uncommon in a region that has been wracked by separatist violence and a crackdown by security forces. But such surveillance technologies, tested out in the laboratory of Xinjiang, are now quietly spreading across China. Government procurement documents collected by Reuters and rare insights from officials show the technology Liu encountered in Xinjiang is encroaching into cities like Shanghai and Beijing.
Few attempts have been made by states in the last few years to create a global governance framework for cyber space. India has supported non-governmental efforts such as the Global Conference on Cyber Space (hosted in New Delhi in November 2017) and the Global Commission on the Stability of Cyberspace, both of which are developing cyber norms. The newest effort comes from the UN Secretary General, António Guterres, who has set up a High-level Panel on Digital Cooperation, headed by China’s Jack Ma (Alibaba Group) and the U.S.’ Melinda Gates (Bill & Melinda Gates Foundation). It will identify policy, research and information gaps, and propose ways to strengthen global digital cooperation.
International Cyber Norms: Reflections on the Path Ahead
The article by Prof. Dr. Michael N. Schmitt was published in the Netherlands Military Law Review, 17th August 2018
Recent events have proven rather discouraging with respect to the recognition and further development of a normative architecture to govern operations in cyberspace. Efforts to identify cyber norms are underway, such as those of the Global Commission on the Stability of Cyberspace, which recently proposed adoption of a non-binding norm. The private sector has also been active in the field. However, the greatest prospect for progress in the near term lies in states making clear their positions with respect to when and how specific international law principles and norms apply in cyberspace.
Authoritative attribution of cyberattacks to nation-state actors requires more than purely technical solutions. New institutions are needed to develop the credibility and procedural checks and balances that can take attribution beyond one nation pointing its finger at one of its adversaries. This white paper explores the attribution challenge, reviews proposed models for new institutions, and sketches an agenda for future research.
The Link Between More Internet Access and Frequent Internet Shutdowns
The article by Conor Sanchez was published on the Council on Foreign Relations blog, 22nd August 2018
As internet connectivity has spread dramatically throughout the world in the past decade, so has the propensity of governments to disrupt or completely block it. Access Now, a digital rights group, reports that the number of state-imposed internet shutdowns jumped from 75 in 2016 to 108 in 2017. Interestingly, many of the countries where shutdowns occur include places where the internet is growing fastest, especially ones that saw the number of users double between 2010 and 2016.
What We Now Know About Iran’s Global Propaganda Campaign
The article by Issie Lapowski was published in Wired, 24th August 2018
In a new report published Thursday, FireEye illuminates exactly how this front in the global information wars played out. In a lot of ways, the latest influence campaign followed a playbook similar to the one used by Russian propagandists at the Internet Research Agency during the 2016 election. But there are key differences. As a candidate, Trump campaigned on overturning what he referred to as the “disastrous” Iran Deal. In May of this year, Trump followed through on that promise, heightening fears of escalating cyberattacks from an already active Iran. (In March, the US indicted nine Iranians for cyberattacks on 144 US universities. This week, cybersecurity firm Secureworks published a new report indicating that those attacks are ongoing.)
Battlefield Internet: A Plan for Securing Cyberspace
The article by Michele Flournoy & Michael Sulmeyer was published in Foreign Affairs as part of their September/October 2018 Issue
Cyberspace has been recognized as a new arena for competition among states ever since it came into existence. In the United States, there have long been warnings of a “cyber–Pearl Harbor”—a massive digital attack that could cripple the country’s critical infrastructure without a single shot being fired. Presidential commissions, military task force reports, and congressional investigations have been calling attention to such a risk for decades. Yet the Internet has always been much more than a venue for conflict and competition; it is the backbone of global commerce and communication.
When China Rules the Web: Technology in Service of the State
The article by Adam Segal was published in Foreign Affairs as part of their September/October 2018 Issue
For almost five decades, the United States has guided the growth of the Internet. From its origins as a small Pentagon program to its status as a global platform that connects more than half of the world’s population and tens of billions of devices, the Internet has long been an American project. Yet today, the United States has ceded leadership in cyberspace to China.
In the spotlight this month: Industry action
Tech Companies Endorse MANRS Routing Security Actions
The article by Grant Gross publishes the Mutually Agreed Norms for Routing Security, 8th August 2018
A coalition of more than 40 companies focused on protecting online users has endorsed a global community initiative, coordinated by the Internet Society, to improve the security of the Internet’s routing system. The Cybersecurity Tech Accord, whose members include Facebook, Microsoft, Oracle, and Hewlett Packard Enterprise, will support the Mutually Agreed Norms for Routing Security (MANRS) initiative. The goal of MANRS is to ensure a secure and resilient Internet by protecting its routing infrastructure. In 2017 alone, more than 14,000 routing outages or attacks — such as hijacking, leaks, or spoofing – resulted in stolen data, lost revenue and reputational damage.
BlackHat 2018: More Industry Collaboration Vital in Cyber Crime Battle
The article by Charles Cooper was published by Symantec, 9th August 2018
As annual security confab gets underway, attendees hear clarion call for deeper industry-wide cooperation to strengthen security. Hunting down one cyber vulnerability only to find another new hole to patch, hard-pressed security practitioners might be excused for wondering whether they’ll ever shake free from playing an endless game of catch-up with attackers. But as the Black Hat USA 2018 security conference gets underway in Las Vegas this week, the executive who manages the information security team at Google said there’s new reason for optimism.
Experts Predict Countries will use Smart Devices to Launch Cyberattacks
The article by Justin Lynch was published in The Fifth Domain, 15th August 2018
A vast majority of security professionals and experts who attended the Black Hat conference in Las Vegas predict that nation-states will target smart devices in the next year, according to a survey. Hackers are using connected devices as intermediaries to attack computer networks, the FBI warned Aug. 2. Examples of previous hacks using smart devices include an attack on a Las Vegas casino through the thermometer of an aquarium. Experts have warned that manufacturers of smart devices need to impose minimum security standards on their products in the face of growing cyberattacks.
It was a perfect sunny summer afternoon in Copenhagen when the world’s largest shipping conglomerate began to lose its mind… this article tells the story of the most devastating cyberattack in history. Crippled ports. Paralyzed corporations. Frozen government agencies. How a single piece of code crashed the world.
Facebook has removed 652 fake accounts and pages with ties to Russia and Iran attempting to exert political influence in the US, UK, Middle East and Latin America. The accounts and pages were divided between four separate campaigns, three of which originated in Iran, of “coordinated inauthentic behaviour”, disclosed by the social network. FireEye, which first identified the campaign and flagged the campaign to Facebook, said the intent behind the activity appeared to be to “promote Iranian political interests, as well as promote support for specific US policies favorable to Iran, such as the US-Iran nuclear deal”. FireEye noted that the activity did not appear to have been specifically designed to influence the US midterm elections as the content extended beyond US audiences and politics.
DHS, Microsoft to Brief States on Latest Russian Intelligence Activity
The article by Sean Lyngaas was published in CyberScoop, 22nd august 2018
The Department of Homeland Security will hold a conference call for Microsoft representatives to brief state election officials on new evidence showing Russian hackers have targeted the U.S. Senate and conservative think tanks, according to senior DHS cybersecurity adviser Matthew Masterson. The goal will be to turn Microsoft’s observations into actionable security advice for state officials as the November midterms approach. DHS held a similar call earlier this month with Facebook representatives and state officials.
Google has invested in robust systems to detect phishing and hacking attempts, identify influence operations launched by foreign governments, and protect political campaigns from digital attacks through their Protect Your Election program. The Threat Analysis Group, working with partners at Jigsaw and Google’s Trust & Safety team, identifies bad actors, disables their accounts, warns users about them, and shares intelligence with other companies and law enforcement officials. This week, there has been a lot of news about attempted state-sponsored hacking and influence campaigns. In this update, Google provides an update on some of their ongoing work in this area.
In April 2017, a previously unknown group calling itself IntrusionTruth began releasing blog posts detailing individuals believed to be associated with major Chinese intrusion campaigns. Although the group’s exact motives remain unclear, its initial tranche of information exposed individuals connected to long-running GOTHIC PANDA (APT3) operations, culminating in a connection to the Chinese firm Boyusec (博御信息) and, ultimately, Chinese Ministry of State Security (MSS) entities in Guangzhou. Recently, in July and August 2018, IntrusionTruth has returned with new reporting regarding actors with ties to historic STONE PANDA (APT10) activity and has ultimately associated them with the MSS Tianjin Bureau (天津市国家安全局). Though CrowdStrike® Falcon Intelligence™ is currently unable to confirm all of the details provided in these most recent posts with a high degree of confidence, several key pieces of information can be verified.