Cyberstability Updates – July 2018
The Global Commission on the Stability of Cyberspace (GCSC) will convene its full meeting on 19-20 September 2018 in the margins of the Singapore International Cyber Week (SICW).
On 19 September, the Commission will host its public Cyberstability Hearings between 14:00-18:00 at the Marina Bay Sands Expo and Convention Centre. The Hearings are open to all SICW participants and will feature discussions between Commissioners, governmental advisors, private sector and civil society representatives on matters pertaining to international peace and security in cyberspace. They will provide advanced insight into and discussion about some of the current developments and thinking on norms of responsible behaviour in cyberspace, implementation and enforcement mechanisms, and the way forward for the international security architecture in cyberspace.
On 20 September, the Commission will convene in a closed session to advance its agenda and the discussion on governance.
The GCSC will be represented at Black Hat USA 2018 by Commissioners Jane Holl Lute, James Andrew Lewis, Christopher Painter and Jeff Moss. They will form a panel on New Norms and Policies in Cyber-Diplomacy, taking place in the Jasmine Ballroom on Thursday, August 9th from 09:45am. The format for the panel is 50-minute briefings. For more information on the panel, the speakers and other events taking place at Black Hat, visit the website here.
The Global Commission on the Stability of Cyberspace (GCSC) hosted a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology” alongside IETF 102 on Tuesday, 17 July. During this session, the Commission wanted to inform and engage with the IETF community on its work so far and the work that is in the pipeline. This event is now closed, but you can watch all of the IETF session recordings online.
The GCSC in the News
The report by Sean Kanuck & John Drennan is the latest edition of the International Institute for Strategic Studies (IISS) Cyber Report, 05 July 2018
Russian media reported that the Kremlin plans to introduce two resolutions concerning cyber norms to the United Nations General Assembly in September. The first resolution is an updated version of the Code of Conduct that the Shanghai Cooperation Organisation (SCO) has been promoting, since 2011, as an alternate set of norms to govern states’ use of information and communications. The second resolution calls for a global treaty on cyber crime to replace the Budapest Convention on Cybercrime.
As NATO prepares for its annual summit, to be held July 11-12 in Brussels, media attention has been focused on whether member states will boost their defense spending and readiness across the traditional operational domains of land, air and sea. This reflects a needed focus on important, but frankly longstanding alliance priorities. What many NATO-watchers are missing, however, is NATO’s full embrace of its newest operational domain: cyberspace.
For years, political leaders such as former US Secretary of Defense Leon Panetta have warned of the danger of a ‘cyber Pearl Harbor’. We have known for some time that potential adversaries have installed malicious software in our electricity grid. Suddenly the power could go out in large regions, causing economic disruption, havoc and death. Thus far, however, cyber weapons seem to be more useful for signalling or sowing confusion than for physical destruction—more a support weapon than a means to clinch victory.
Support for building in privacy and security by design is growing as a result of the explosion of such new technologies as artificial intelligence, IoT and various digital devices, says Latha Reddy, co-chair of the Global Commission on the Stability of Cyberspace and former deputy national security and cybersecurity adviser of India. The interview, on the sidelines of an ISMG Fraud and Breach Prevention Summit held last month in Bangalore, touches on the GDPR, India’s requirement for a strong Data Protection Act and the need for security by design.
The article by Chase Gunter was published in Government Cyber Insider, 16 July 2018
With approaches to election security still up in the air, a group of former cybersecurity officials are concerned about the cybersecurity of another democratic foundation: the decennial census. In a July 16 letter to acting Director of the Census Bureau Ron Jarmin and Commerce Department Secretary Wilbur Ross, former officials, including Commissioner Christopher Painter, stressed the importance of the security of data collected by the bureau’s first-ever electronically based survey and pushed the bureau to publicly share plans for how it plans to protect that information.
The article by Eric Geller was published in Politico, 17 July 2018
It could go down as one of the most ridiculed ideas in cybersecurity that won’t go away: A joint Russian-American task force to protect future elections from hackers. The notion prompted bipartisan disbelief, and Trump backed away from it within hours. But it surfaced again Monday after the two leaders met in Helsinki, Finland, when Putin suggested both countries work together to examine the evidence that Russia had meddled in the U.S. presidential election. Commissioner James Andrew Lewis provides his comments on the working group in this article.
The article by Paolo Ciocca & Claudia Biancotti was published in the Financial Times, 19 July 2018
A global governance framework is difficult to build because a cyberspace crisis may develop due to one nation state’s unilateral actions. If there is a possibility that states do not share goals and do not agree on ground rules, the notion of technically optimal global accords loses its purpose. Political scientist Joseph S. Nye has argued non-governmental cyber norm entrepreneurs, such as the Global Commission on Stability in Cyberspace, may play a key role in helping to solve this problem. Solutions may also be developed in groups of like-minded countries, such as the EU, and subsequently extended to a broader constituency.
During Donald Trump and Vladimir Putin’s joint press conference following the summit, the Russian president proposed that special counsel Robert Mueller use the 1999 US–Russia Mutual Legal Assistance Treaty to make a formal request for Russian investigative assistance in the charges against 12 current Russian intelligence officers for interference in the 2016 US elections. Specifically, he said that if a formal request was approved, Mueller’s team could even be present for any interviews conducted by Russian law enforcement. Trump, apparently without any consultation with his law enforcement or security experts, declared this to be ‘an incredible offer’. It’s not.
The race to cyberarmament has begun, warns this specialist in cyberstrategy. International laws regulating the digital world have become indispensable.
The Internet and Digital Communications – Examining the Impact of Global Internet Governance took place on Tuesday 31 July 2018
This week, GCSC Co-Chair Michael Chertoff and Commissioner Christopher Painter took part in a U.S. Senate Committee Hearing on the Internet and Digital Communications. The Commissioners formed part of a panel examining the impact of global Internet governance. It offered an opportunity to discuss the work of the GCSC, and the Commissioners in particular highlighted the recent norms proposed and advocated by the GCSC. If you missed the live feed, watch the archived webcast and find all panel members and their testimony by clicking below.
International Cyber Affairs
US Cyber Command hosted its inaugural Cyberspace Strategy Symposium at National Defense University on February 15, 2018. This day-long event showcased thought leaders from the Command and its partners inside and outside government pondering the challenges ahead for cyberspace operations. The Symposium’s four panels and keynote addresses discussed current and likely issues, and debated USCYBERCOM’s strategy and operations in a collective effort to improve operational outcomes. The proceedings in this document shed insight on the Symposium’s central question: “What are the foundational organizing principles we need to operate more effectively in cyberspace?”
The report was published by the Network and Information Systems (NIS) Cooperation Group, July 2018
The NIS Cooperation Group, established by Article 11 of Directive (EU) 2016/1148 (NIS Directive), was established with a mandate to share experiences and provide guidance, as well as an overview of tools, techniques and protocols to detect, prevent and mitigate threats to the cybersecurity of election technology. This month they released a living document presenting a broad sum of guidelines that are based on the experiences and best practices of its contributors. It is also a compendium of practical and workable measures that can be taken by cyber security organizations and election management bodies to secure the technology involved in elections.
The article by Bruno Lété and Peter Chase was published as a Workshop Briefing Paper by the German Marshall Fund of the United States, July 2018
In February 2017, Microsoft President and Chief Legal Officer Brad Smith presented arguments for a “Digital Geneva Convention,” and a month later presented the case to Europeans at GMF’s Brussels Forum. GMF was interested in understanding how Europeans thought about the idea of developing binding international law to constrain nation states’ ability to engage in cyber-attacks. The following report is based upon a series of off-the-record roundtable discussions in Berlin, Paris, and Warsaw involving top government officials, lawyers, academics, corporate leaders (including from non-IT companies), and civil society, as well as GMF’s own research.
The article by Margi Murphy was published in The Telegraph, 09 July 2018
Cyber attacks should be treated like airline accidents or failures on the operating theatre, BAE Systems has said. The defence giant’s UK cyber boss Julian Cracknell said shifting blame from individuals, in a similar vein to how airlines and hospitals deal with pilots and surgeons, could promote a “wider conversation” about the cyber threats businesses face from nation states and criminals. This might incentivise companies to share potentially critical information to help others who are in the firing line, he said. On Monday BAE Systems’ cyber arm launched an “international intelligence network”, a support network where companies can come forward and share insider knowledge about cyber attacks.
The article by Chris Bing was published in CyberScoop, 10 July 2018
In the run up to Cambodia’s general election on July 29, a hacking group tied to China has been breaking into multiple organizations that share a connection to either the country’s main opposition party, voting process or human rights movement, according to new research and additional analysis provided by U.S. cybersecurity firm FireEye. The findings — made possible through a glaring operational security mistake where hackers left their attack servers exposed on the open internet — help illustrate how governments are leaning on cyber-espionage capabilities to learn about foreign elections.
New York, 12 July 2018
United Nations Secretary-General António Guterres announced the launch of a High-level Panel on Digital Cooperation. The Panel has a total of 20 members, representing a cross-section of expertise from government, private industry, civil society, academia and the technical community. The Secretary-General has asked the Panel to contribute to the broader public debate on the importance of cooperative and interdisciplinary approaches to ensure a safe and inclusive digital future for all taking into account relevant human rights norms. The panel is expected to identify policy, research and information gaps, and make proposals to strengthen international cooperation in the digital space.
The article by Ellen Nakashima was published in the Washington Post, 17 July 2018
The head of the nation’s largest electronic spy agency and the military’s cyberwarfare arm has directed the two organizations to coordinate actions to counter potential Russian interference in the 2018 midterm elections. The move, announced to staff at the National Security Agency last week by NSA Director Paul Nakasone, is an attempt to maximize the efforts of the two groups. It is the latest initiative by national security agencies to push back against Russian aggression in the absence of direct guidance from the White House on the issue.
The article by Andrea Little Limbago was published in Threatpost, 18 July 2018
While there certainly remains a global hierarchy when it comes to cyber capabilities, smaller state and non-state actors are increasingly exploiting the asymmetric nature of cyberspace to achieve a broad range of objectives. The diffusion of cyber capabilities is only expanding and the lack of any international legal framework for cyber norms means that the range of targeted and opportunistic attacks will only continue, with the risk of collateral damage amplifying.
The article by Lincoln Pigman was published in the New York Times, 22 July 2018
Russia, which American intelligence agencies said spread its fair share of misinformation during the 2016 United States election, says it will crack down on “fake news” at home, with a proposed law that critics say could limit freedom of speech on the internet. The bill, submitted by lawmakers from the governing party, United Russia, proposes holding social networks accountable for “inaccurate” comments users post. Under existing Russian law, social media users can be punished for content deemed to promote homosexuality, to threaten public order or to be “extremist” in nature, with fines as well as prison time.
The article by Olivia Beavers was published in The Hill, 23 July 2018
The final version of an annual defense policy bill would set new authorities for the Department of Defense to deter and respond to attacks in cyberspace, including establishing the first U.S. policy on cyber warfare. Congress said if it is faced with a cyberattack or malicious cyber activity, it will first encourage the White House to take action before acting unilaterally. If passed into law, this legislative text from the Senate would establish the nation’s first cyber warfare policy. Trump applauded a provision that would affirm the ability of the secretary of Defense to carry out military activities and operations in cyberspace, designating these cyber military activities to be traditional military activities.
The article by Steven Aftergood was published by the Federation of American Scientists, 26 July 2018
Rebuking the Trump Administration for its “passivity,” Congress is pressing the Department of Defense to engage in “active defense” in cyberspace against Russia, China, North Korea and Iran. A new provision in the conference report on the FY2019 national defense authorization act would “authorize the National Command Authority to direct the Commander, U.S. Cyber Command, to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace.” The congressional report does not propose an actual cyber strategy, nor does it specify desired outcomes, or address unintended consequences.
The article by Josh Rogin was published in the Washington Post, 26 July 2018
The United States lost an important early skirmish this week over whether American companies must comply with the Chinese government’s political demands. But the greater conflict is just beginning, which means the Trump administration must now prepare to help U.S. corporations fight Chinese coercion in future rounds. The Xi regime claims that any public speech criticizing Communist Party propaganda is a grave offense to 1.3 billion Chinese people. Never mind that Twitter and Instagram are blocked in China: Beijing is trying to enforce its political censorship outside its borders and online. That can’t be tolerated. The whole world cannot become a “safe space” for Chinese sensitivities.
The article by Mike Stone was published by Reuters, 27 July 2018
The Pentagon is working on a software “do not buy” list to block vendors who use software code originating from Russia and China, a top Defense Department acquisitions official said on Friday. Ellen Lord, the under secretary of defense for acquisition and sustainment, told reporters the Pentagon had been working for six months on a “do not buy” list of software vendors. The list is meant to help the Department of Defense’s acquisitions staff and industry partners avoid buying problematic code for the Pentagon and suppliers. Click below for more information on developments by IPVM (login required).
The article by Erica Pandey was published in Axios, 27 July 2018
American companies eager to enter China’s massive market brace themselves for potential intellectual property theft or forced technology transfers. But there’s another threat at play: their technology is being used for surveillance. The big picture: China has sophisticated systems of state surveillance, and elements of these systems have long been powered by technologies developed by American companies. Beijing has used U.S. tech to surveil its citizens, violate human rights and even modernize its military.
The article by Mirko Hohmann and Thorsten Benner was published in Global Public Policy Institute (GPPI), 28 June 2018
The laissez-faire understanding of a “free and open” internet is facing competition from abroad and is increasingly inconsistent with the regulatory stance of liberal democracies. To counter an emboldened authoritarian approach, address charges of hypocrisy, and carefully guide the fragmentation of content and applications on the internet, the notion of “free and open” must be updated. European policymakers should take the lead in this process and face these challenges head on. To do so, they need to strengthen their own credibility, build new coalitions, and address the effects of fragmentation. Full paper available for download here.
The article by Kevin Collier was published in BuzzFeed, 29 July 2018
The US government says that so far in 2018, Russia’s attempts to meddle in US elections have been limited to social media and disinformation campaigns. But in the eight months since its creation, the group tasked with leading the fight against those sorts of campaigns, the FBI’s Foreign Influence Task Force, has been almost invisible to the public. But since the announcement of its creation, almost nothing is known about the task force. Wray’s own remarks have been sparse. The other information has come from people frustrated with trying to work with it.
The article by Victoria Clark was published in Lawfare, 30 July 2018
The article by Julia Tarlevski was published in ARN, 30 July 2018
The Department of Defence is inviting research proposals from industry and universities with a view to enhance the cyber capabilities of the Australian Defence Force. Minister for Defence Industry, Christopher Pyne, said the agency wants academia and industry to collaborate with Defence Science and Technology Group, and CSIRO’s digital research network, Data61, to deliver technology developments and demonstrator systems within three to five years. Specifically, the Department highlighted that it aims to understand the potential of cyber technologies, create prototype systems, and demonstrate the practical application of systems to Defence problems.
The article by Nicholas Fandos and Kevin Roose was published in the New York Times, 31 July 2018
Facebook said on Tuesday that it had identified a political influence campaign that was potentially built to disrupt the midterm elections, with the company detecting and removing 32 pages and fake accounts that had engaged in activity around divisive social issues. The company did not definitively link the campaign to Russia. But Facebook officials said some of the tools and techniques used by the accounts were similar to those used by the Internet Research Agency, the Kremlin-linked group that was at the center of an indictment this year alleging interference in the 2016 presidential election. Click below for further analysis by Kevin Roose.
In the spotlight this month: Elections
The article by Thomas MacLellan was published in Symantec Expert Perspectives, 03 July 2018
State and local governments must continue to think beyond voting boxes and voter rolls to protect the electoral process. With mid-term elections around the corner and 2020 not too far behind, we need to change our thinking about how to counter this challenge. Adversaries looking to influence the results of an election or undermine confidence are probing all avenues of attacks and are becoming more creative and persistent. While much of the focus on election security has been on voting technology, voter rolls, and related systems, election security professionals need to look beyond the ballot box and consider a range of other threats to systems and individuals that previously may not have been considered essential.
The article by Zachary Young was published in Politico, 04 July 2018
French Parliament voted late Tuesday to pass a law cracking down on so-called “fake news,” allowing courts to rule whether reports published during election periods are credible or should be taken down. The draft law, which ran into fierce criticism during a June 7 debate, will allow election candidates to sue for the removal of contested news reports during election periods, as well as forcing platforms such as Facebook and Twitter to disclose the source of funding for sponsored content.
The article by Derek Hawkins was published in the Washington Post, 09 July 2018
Twitter is finally taking a flamethrower to fake and suspicious accounts, following months of public criticism that it wasn’t doing enough to crack down on the bots and trolls that used the platform to spread disinformation during the 2016 election. The social media giant has suspended more than 70 million accounts since May, at a rate of more than 1 million a day. That’s more than double the rate it was suspending accounts in October.
The article by Sean Gallagher was published in Ars Technica, 20 July 2018
In a panel discussion at the Aspen Institute’s Security Summit yesterday, Microsoft Corporate Vice President for Customer Security and Trust Tim Burt said that in the course of hunting for phishing domains targeting Microsoft customers, members of Microsoft’s security team detected a site set up by Russian actors that was being used in an attempt to target congressional candidates. Microsoft alerted US law enforcement and worked with the government to take down the sites. In April, Microsoft launched the “Defending Democracy” program, providing support to state election authorities, as well as to campaign organizations, in an effort to help better safeguard the electoral process.
The article was published in CBS News, 30 July 2018
Hackers from around the world had the rare opportunity to crack election-style voting machines this weekend in Las Vegas – and they didn’t disappoint. After nearly an hour and a half, Carsten Schürmann, an associate professor with IT-University of Copenhagen, successfully cracked into a voting machine at Las Vegas’ Defcon convention on Friday night. Synack, a San Francisco security platform, discovered serious flaws with the WinVote machine months ahead of this weekend’s convention. The team simply plugged in a mouse and keyboard and bypassed the voting software by clicking “control-alt-delete.”