A Digital Geneva Convention: Why it is needed and how it can be created (PowerPoint presentation)



SLIDE 1

A Digital Geneva Convention: Why it is needed and how it can be created

Alaa Ajweh, Financial Sector Lead, Microsoft QSTP LLC.

SLIDE 2

Agenda

1. The need for a Digital Geneva Convention
2. Where the discussions are today
3. The importance of multi-stakeholder dialogue
4. Three essential parts of a Digital Geneva Convention
5. What next?

SLIDE 3

The need for a Digital Geneva Convention

SLIDE 4

Cyberattacks cause immense costs

  • 71% of companies admit they fell victim to a successful cyberattack the prior year
  • $400bn: cost of cyberattacks to companies each year
  • 160m: data records compromised in the top 8 breaches of 2015
  • 140+: median number of days between infiltration and detection
  • $3tr: estimated economic cost of cyberattacks by 2020
  • 556m: victims of cybercrime per year

SLIDE 5

Cyberattacks also create wider problems

Impact goes beyond finances:

  • Reduced innovation
  • Content-related crime and extremist recruiting
  • Significant organized crime element
  • Disruption and dangers to critical infrastructure and systems
  • Decreased trust
  • Invasions of privacy

SLIDE 6

Governments heavily involved in cyberspace

  • 50+ countries with defensive capabilities
  • 38+ countries with offensive capabilities
  • 95+ countries developing legislative initiatives
  • 70+ countries with cybersecurity strategies

Estimated spending on cyber operations:

  • USA: <$6.7bn
  • UK: ~$2bn
  • China: ~$1.5bn
  • Germany: ~$1.1bn
  • Iran: ~$1bn
  • Russia: <$300m
  • N. Korea: ~$200m

Government roles in cyberspace: user, protector, exploiter, legislator.

SLIDE 7

Government-sponsored cyberattacks are increasing

Timeline of incidents, 2007 to 2017:

  • DDoS against Estonia
  • Russo-Georgian war
  • ‘Cast Lead’ and ‘Pillar of Defense’ (Israel/Palestine)
  • GhostNet
  • Operation Aurora
  • Stuxnet
  • India – Pakistan cyber war
  • Jasmine Revolution
  • Sony
  • RasGas
  • North Korea – South Korea
  • Heartbleed security bug
  • Yahoo!
  • Japan Pension Service
  • Montenegro
  • Russian banks
  • Norway
  • Sony
  • OPM
  • USA – ISIS
  • US presidential elections
  • North Korea
  • Ukraine power grid
  • ADP
  • Czech MFA

SLIDE 8

Risk to civilians from cyber-conflict needs a response

SLIDE 9

Where the discussions are today

SLIDE 10

Existing intergovernmental discussions and fora

G20, G7, SCO, UNGGE, FIRST, UNIDIR, OSCE, UNODC, NATO

SLIDE 11

Increasing movement towards concrete proposals

  • Organization for Security and Co-operation in Europe confidence building measures (2013 and 2016)
  • US-China cyber agreement (2015)
  • US government proposals (2015)
  • UN Group of Governmental Experts report (2015 and onwards)
  • Shanghai Cooperation Organization proposals (2015)
  • G20 Leaders Antalya Communique (2015)
  • G7 nations Lucca Declaration (2017)

SLIDE 12

G7 declaration was positive but needed to go further

  • April 11, 2017 declaration on “Responsible States Behavior in Cyberspace”.
  • Sees an urgent need for rules in cyberspace to prevent conflict and promote stability.
  • But it needs to move beyond a voluntary approach to binding agreements.
  • And it needs to more fully endorse a role for the private sector, especially the tech sector.

SLIDE 13

The importance of multi-stakeholder dialogue

SLIDE 14

Governments’ many roles & challenges in cyberspace

Roles: user, protector, legislator, exploiter.

Challenges: innovation at risk, rising international insecurity, increasing regulatory pressure.

SLIDE 15

Private sector constituents are many and varied

  • Platform and infrastructure providers
  • Technology manufacturers
  • Defenders and responders
  • Assurance organizations
  • Critical infrastructure operators

SLIDE 16

The tech sector’s specific relevance

  • Loss of trust in products and services
  • Complicated response cycles and operational uncertainties
  • Distorted threat models
  • Reciprocity costs from state actions
  • Regulatory costs from a dynamic compliance environment

SLIDE 17

The essential civil society perspective

Figure: The Regime Complex for Managing Global Cyber Activities (Joseph S. Nye Jr., 2014)

  • Variety of relevant civil society groups and non-governmental organizations already engaged:
    • Standards bodies;
    • Advocacy groups;
    • Think tanks.
  • Providers of essential third-party, expert or holistic perspectives.
  • Strongly influential at national level, some even internationally.

SLIDE 18

Limited number of public-private platforms

  • Global Conferences on Cyberspace (GCCS), aka The London Process
  • Global Forum on Cyber Expertise (GFCE)
  • Munich Security Conference (MSC)

Stakeholder groups: governments; private sector; civil society and non-governmental groups. Platforms spanning all three: GFCE and the Global Commission on the Stability of Cyberspace (GCSC).

SLIDE 19

The three essential parts of a Digital Geneva Convention

SLIDE 20

Three essential components are required

Digital Geneva Convention:

  • Binding government agreements
  • Tech sector accords
  • Attribution organization

SLIDE 21

Binding government agreements need to be crafted

  • A legally binding framework governing states’ behaviour.
  • Precedents exist for nuclear and chemical weapons.
  • Should aim to constrain and/or prevent cyber-conflict.
  • Can start as voluntary or politically binding.

SLIDE 22

10 key commitments within those agreements

Safety and security of private citizens

Do not act against:

  • Mass-market commercial tech products, by inserting “backdoors”
  • Systems key to the global economy
  • Intellectual property or confidential business information
  • Journalists and private citizens involved in electoral processes

Act in order to:

  • Have a clear policy regarding vulnerabilities in mass-market products and services
  • Assist private sector detection, containment, response, and recovery
  • Develop limited, precise, non-reusable cyber weapons
  • Avoid mass damage to civilian infrastructure in cyber offensives
  • Limit proliferation of cyber weapons

SLIDE 23

The tech sector needs its own common accords

Individuals and organizations need to trust cyberspace before they fully commit to it… …which means they need to be able to trust the technology underpinning cyberspace… …and to be able to trust those who make the technology… …therefore, tech companies must act to create a trustworthy environment for users and to reassure states of their neutrality… …and, in the face of growing state activity in cyberspace, individual companies can draw strength from a collective “tech sector” approach.

SLIDE 24

6 possible common tech sector objectives

  • Collaboration to bolster first-responder efforts
  • Coordination to address vulnerabilities
  • Assistance to protect customers everywhere
  • No assistance for offensive cyber operations
  • Fighting proliferation of vulnerabilities
  • Support for governments’ response efforts

SLIDE 25

Critical elements for an attribution organization

  • Deep technical expertise
  • Geographically diverse
  • Subject to peer review
  • Focused on severe attacks

SLIDE 26

Striking a technical and political balance in attribution

Technical attribution:

  • Tradecraft
  • Artifacts
  • Target selection
  • Specialized knowledge

Policy options:

  • Say nothing, do nothing
  • Say nothing, use covert options
  • Make a private accusation
  • Make a public accusation

SLIDE 27

What next?

SLIDE 28

Our call to action

  • Undertake to create politically binding, then legally binding, agreements committing governments to certain acceptable behaviors in cyberspace.
  • Drive forward a tech sector accord that commits the ICT industry to objectives and actions that will protect users and the wider internet, and will ensure the sector’s neutral status in any cyber-conflict.
  • Support the establishment and operation of a politically neutral, independent, transparent and peer-reviewed attribution organization.
  • Identify and provide avenues for multi-stakeholder input and involvement in the development of cyberspace policies and agreements.
