A Digital Geneva Convention: Why it is needed and how it can be - PowerPoint PPT Presentation

A Digital Geneva Convention: Why it is needed and how it can be created Alaa Ajweh Financial Sector Lead Microsoft QSTP LLC.

Agenda The need for a Digital Geneva Convention 1 Where the discussions are today 2 3 The importance of multi-stakeholder dialogue 4 Three essential parts of a Digital Geneva Convention 5 What next?

The need for a Digital Geneva Convention

Cyberattacks cause immense costs $ 400bn $ 3tr 71% cost of cyberattacks to estimated economic cost companies each year of cyberattacks by 2020 of companies admit they fell victim to a successful cyberattack the prior year 140+ 160m Median # of days 556m between infiltration Data records and detection compromised from victims of cybercrime top 8 breaches per year in 2015

Cyberattacks also create wider problems SIGNIFICANT ORGANIZED CRIME ELEMENT DISRUPTION AND DANGERS TO CRITICAL INFRASTRUCTURE AND SYSTEMS INVASIONS IMPACT OF PRIVACY REDUCED GOES BEYOND INNOVATION FINANCES CONTENT RELATED CRIME, AND EXTREMIST DECREASED RECRUITING TRUST

Governments heavily involved in cyberspace 50+ Countries with Defensive Capabilities 38+ Countries with Offensive Capabilities 95+ Countries Developing Legislative Initiatives USER PROTECTOR LEGISLATOR 70+ Countries with Cybersecurity Strategies EXPLOITER USA China Germany Russia < $6.7bn ~ $1.5bn ~ $1.1bn < $300m ESTIMATED SPENDING ON CYBER OPERATIONS UK N. Korea Iran ~ $2bn ~ $200m ~ $1bn

Government sponsored cyberattacks are increasing Operation North Korea – Aurora South Korea US presidential elections ‘Cast Lead’ and Jasmine RasGas ‘Pillar of Defense’ Revolution OPM DDoS against (Israel/Palestine) USA - ISIS Norway Estonia Stuxnet 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 India – Pakistan Sony ADP Japan Czech Yahoo! cyber war GhostNet Pension MFA Montenegro Service Sony Heartbleed Russian banks security bug Ukraine North Korea Russo- power grid Georgian war

Risk to civilians from cyber-conflict needs a response

Where the discussions are today

Existing intergovernmental discussions and fora UNGGE G7 G20 SCO OSCE FIRST NATO UNODC UNIDIR

SHANGHAI COOPERATION ORGANIZATION FOR ORGANIZATION SECURITY AND CO- PROPOSALS (2015) OPERATION IN EUROPE CONFIDENCE BUILDING MEASURES (2013 + 2016) INCREASING MOVEMENT TOWARDS CONCRETE G7 NATIONS LUCCA US GOVERNMENT PROPOSALS DECLARATION (2017) PROPOSALS (2015) UN GROUP OF G20 LEADERS ANTALYA GOVERNMENTAL COMMUNIQUE (2015) EXPERTS REPORT US-CHINA CYBER (2015 and onwards) AGREEMENT (2015)

G7 declaration was positive but needed to go further April 11, 2017 declaration on “Responsible • state’s behavior in cyberspace”. Sees urgent need for rules in cyberspace to • prevent conflict and promote stability. But needs to move beyond voluntary • approach to binding agreements. And needs to more fully endorse a role for • the private sector, especially the tech sector.

The importance of multi-stakeholder dialogue

Governments’ many roles & challenges in cyberspace PROTECTOR Rising Increasing International Regulatory Pressure Insecurity EXPLOITER USER INNOVATION AT RISK LEGISLATOR

Private sector constituents are many and varied PLATFORM AND TECHNOLOGY DEFENDERS AND ASSURANCE ASSURANCE INFRASTRUCTURE MANUFACTURERS RESPONDERS ORGANIZATIONS ORGANIZATIONS PROVIDERS CRITICAL INFRASTRUCTURE OPERATORS

The tech sector’s specific relevance Regulatory costs Complicated from dynamic response cycles Reciprocity Loss of trust in Distorted threat costs from state compliance and operational products and models actions environment uncertainties services

The essential civil society perspective Variety of relevant civil society • groups and non-governmental organizations already engaged: Standards bodies; • Advocacy groups; • Think tanks. • Providers of essential third party, • expert or holistic perspectives. Strongly influential at national • level, some even internationally. The Regime Complex for Managing Global Cyber Activities (Joseph S. Nye Jr., 2014)

Limited number of public-private platforms Global Conferences Munich Security GOVERNMENTS on Cyberspace Conference aka The London Pro aka The London Process ess (GCCS) (MSC) PRIVATE SECTOR GFCE Global Forum on Global Commission Cyber Expertise for the Stability of Cyberspace CIVIL SOCIETY & NON- GOVERNMENTAL (GFCE) (GCSC) GROUPS

The three essential parts of a Digital Geneva Convention

Three essential components are required DIGIT AL GENEVA CONVENTION BINDING GOVERNMENT TECH SECTOR ATTRIBUTION AGREEMENTS ACCORDS ORGANIZATION

Binding government agreements need to be crafted LEGALLY BINDING FRAMEWORK CAN START AS VOLUNTARY OR GOVERNING STATES’ BEHAVIOUR POLITICALLY BINDING SHOULD AIM TO CONSTRAIN PRECEDENTS EXIST FOR NUCLEAR AND/OR PREVENT CYBER-CONFLICT AND CHEMICAL WEAPONS.

10 key commitments within those agreements ACT IN ORDER TO: DO NOT ACT AGAINST: Have clear Assist private Mass-market policy re. Safety and sector commercial Systems key vulnerabilities security of detection, tech products to global in mass private containment, by inserting economy market citizens response, and “backdoors” products and recovery services Journalists Develop Avoid mass Intellectual and private limited, damage to Limit property or citizens precise, non- civilian proliferation confidential involved in reusable infrastructure of cyber business electoral cyber in cyber weapons information processes weapons offensives

The tech sector needs its own common accords Individuals and organizations …which means they need to be …and to be able to trust those need to trust cyberspace able to trust the technology who make the technology… before they fully commit to it… underpinning cyberspace… … therefore, tech …and, in the face of companies must act growing state activity in to create a trustworthy cyberspace, individual environment for users companies can draw and to reassure states strength from a collective of their neutrality... “tech sector” approach.

6 possible common tech sector objectives COLLABORATION TO BOLSTER COORDINATION NO ASSISTANCE FIRST-RESPONDER TO ADDRESS FOR OFFENSIVE EFFORTS VULNERABILITIES CYBER OPERATIONS FIGHTING ASSISTANCE TO SUPPORT FOR PROLIFERATION PROTECT GOVERNMENTS’ OF CUSTOMERS RESPONSE EFFORTS VULNERABILITIES EVERYWHERE

Critical elements for an attribution organization DEEP TECHNICAL FOCUSED ON EXPERTISE SEVERE ATTACKS GEOGRAPHICALLY SUBJECT TO DIVERSE PEER REVIEW

Striking a technical and political balance in attribution POLICY TECHNICAL ATTRIBUTION OPTIONS Say nothing, do • Trade craft • nothing Artifacts • Say nothing, use • covert options T arget selection • Make a private • Specialized knowledge accusation • Make a public • accusation

What next?

Our call to action Undertake to create politically binding then legally binding agreements committing governments to certain, acceptable behaviors in cyberspace. Drive forward a tech sector accord that commits the ICT industry to objectives and actions that will protect users and the wider internet, and will ensure the sector’s neutral status in any cyber-conflict. Support the establishment and operation of politically-neutral, independent, transparent and peer-reviewed attribution organization. Identify and provide avenues for multi-stakeholder input and involvement in the development of cyberspace policies and agreements.