High-Level Seminar “Cybersecurity: Global responses to a Global Challenge”
Madrid, 21 March 2014

Multilateral Approaches to Cyber Security
Theresa Hitchens, Director, UNIDIR

Your Excellencies, Colleagues, Ladies and Gentlemen,

I’d first like to thank the Government of Spain for inviting me to present at this necessary and timely high-level conference. I must first note that I speak neither for the United Nations nor for UNIDIR; my remarks are made in my own personal capacity.

As we all know, issues related to the use of cyberspace are becoming more and more salient for the international community. We have mostly been discussing cyber crime here today, and while it is a very important subject, it is not my area of expertise. Rather, I am going to discuss how activities in the cybersphere touch on issues of national and international security.

With the emergence of the Internet as a global infrastructure for economic, social and business-related development, in addition to being a new tool for politics, espionage and military activities, there is growing international concern regarding the potential use of information and communication technologies (ICT) in conflict, as well as the possibility that traditional conflict may be spurred by cyber activities. The 2011 and 2013 Reports of the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security recommended steps to reduce the risk of misperceptions resulting from ICT disruptions, including the consideration of “Confidence-building, stability, and risk reduction measures to address the implications of State use of ICTs...” The well-known technical difficulty of attributing cyber malfeasance to its perpetrators raises the risk of misperception in times of crisis, and with it the potential for conflict.
Meanwhile, some 40 states are developing cyber tools explicitly for offensive uses as part of their military strategies. The possibility of state-on-state conflict utilizing ICTs could contribute to strategic instability in times of crisis and to loss of escalation control during conflict. Because military and civil users rely on the same infrastructures, the potential negative impacts on civil society could be severe.

Against this backdrop, the need is evident for the development of mechanisms for discussion, education and constructive engagement on how to improve cyber security in the multilateral environment. Additionally, the international security community needs to be aware of ongoing conversations in the Internet governance arena, as developments in that field may have very tangible impacts on the creation of international security parameters in the cyber domain.

UNIDIR, under its mandate from the General Assembly to provide research and analysis on emerging challenges to international security, has for the past several years been heavily vested in exploring questions related to cyber stability and security. The focus of our cyber work, under our Emerging Security Threats Programme, is twofold: first, how to prevent conflict in other traditional security domains from spreading to the cybersphere, and second, how to avoid cyber activities becoming a trigger for wider conflict.

Cyber is very different in nature from many of the threats to peace and security that the international community is accustomed to addressing through diplomacy and arms control. The lack of a mutual understanding of what amounts to offensive action in the cyber domain, the difficulty of clearly attributing cyber attacks, and the lack of an established methodology for cyber strategic messaging are all hurdles that complicate the application of traditional security concepts such as sovereignty or warfare to the cyber domain.
Thus, there are many gaps that need to be filled as the international community works to build an enduring cyber stability regime. UNIDIR has held several major conferences on cyber stability and security issues, and in 2013 produced a “Cyber Index” that attempted to provide a “snapshot” of cyber activities underway by nation states as well as to elucidate issues related to confidence building.

In my brief remarks, I am going to discuss some of the ongoing efforts at the multilateral level to address these issues, as well as lay out some of the challenges the international community faces in doing so. To start, it is necessary to understand that there is no “one stop shop” for addressing cyber issues at the multilateral level. A number of organizations, including but not limited to the UN General Assembly, have been seized of the issue and are undertaking different, and at the same time overlapping, efforts. As we have heard, there is activity on cyber crime and security in the General Assembly’s Third Committee, as well as activity to address the international security issues related to the cyber domain in the First Committee. These two Committees have no formal interaction, and indeed representatives from one do not necessarily know what is going on in the other. This lack of a “focal point” for addressing the multi-faceted issues related to securing the cyber domain is one of the challenges we face in developing multilateral approaches.

I am going to address three major “streams” of ongoing multilateral debate and work: at the United Nations, at the Organization for Security and Cooperation in Europe (OSCE) and at the International Telecommunication Union (ITU).

UN

First, at the United Nations. Since 2010, starting with GA Resolution A/65/154, states have been providing on a regular basis their national views on the question of cyber security to the Secretary-General, so that the Secretary-General may report to the General Assembly.
The reports are designed to provide an information exchange among states about activities and concerns, although taken alone they do not provide a basis for any concrete action. The latest, A/68/156 and A/68/156 Add.1, were transmitted to the General Assembly in 2013.

In addition, there have been up to now two GGEs on information security: in 2010-2011 (which failed to issue a consensus report) and in 2012-2013 (which did issue a report in June 2013, A/68/98). The 2012-2013 GGE, chaired by Australia, recognized the application of state sovereignty and international norms and principles in cyberspace, as well as respect for human rights. In particular, the GGE report noted the need for more international cooperation in preventing the “wrongful and unlawful” use of state information and communication technologies. However, the terms “wrongful and unlawful” were not defined. The GGE also agreed that there is a need for confidence building measures in the cybersphere, including the development of new multilateral consultative groups; improved information sharing about security incidents, national policies and processes; and improved cooperation on incident response and law enforcement issues. The question of capacity building was also addressed as a necessary foundation stone for ensuring cyber security.

Beginning in July 2014, a follow-on GGE will commence its work. The first meeting will take place 21-25 July, the second 12-16 January 2015, the third 13-17 April, and the final meeting 22-26 June 2015. No chairman has yet been announced for the GGE, which is expected to be more politically challenging than its predecessor, especially in the wake of revelations by former US NSA whistleblower Edward Snowden.

A key problem faced by the GGEs has been that there is little international agreement on fundamental questions regarding activities in the cybersphere.
There is no agreed definition of “cyber security”; indeed, you will note that the GGEs use in their title and mandate a different term, “information security,” which is interpreted differently by different nation states. There is little agreement on how, or even IF, international law – the Laws of Armed Combat, International Humanitarian Law and International Human Rights Law – applies in the cyber domain. There is further no agreed definition of what might constitute a “cyber attack” that could warrant a diplomatic or even military response under Article 51 of the UN Charter. The bottom line is that while many, if not all, nation states agree that protecting the cyber domain and avoiding conflict and warfare in the cybersphere are good things, there is little, if any, consensus on just what that means and how to go about making it happen.

Meanwhile, Russia, China, Kyrgyzstan, Kazakhstan, Tajikistan, and Uzbekistan put forward a letter to the Secretary-General (A/66/359) in 2011 suggesting the need for states to consider a code of conduct on information security. According to Shen Jian, Counselor at the Chinese Mission to the UN in Geneva, speaking at UNIDIR’s Cyber Stability Seminar in February 2014, the idea of a code stems from the fact that there are no real “traffic rules” in cyberspace governing state activities. Proponents of the code concept are quick to note that their letter did not constitute a GA resolution, but rather a sort of “food for thought” paper to be considered regarding the potential for a UN framework to govern state behavior. According to the preamble of the proposed code concept, there is a need to prevent the use of ICTs in a manner that would undercut national and international security, as well as to build capacity to close the digital divide.
The code, according to supporters, is designed to identify rights and responsibilities in the “information sphere” – a term used by Russia and China but not by many Western states, which in and of itself suggests the split in the international community about the very nature of the problem. The proposed code is seen by its proponents as a legally-binding instrument and a complement to voluntary transparency and confidence-building measures (TCBMs). In particular, proponents of the code are concerned about the use of the Internet and social media to foster societal unrest and instability. These countries adhere to the concept that information itself can be a weapon. However, the political viability of the code proposal is somewhat in doubt, as the concept has been rather vehemently rejected by the United States and most Western states, who see the effort as aimed at establishing a strict national sovereignty model over content flow on the Internet and potentially a tool of oppressive regimes.

OSCE

In the absence of international consensus about the specific problems and solutions, particularly any legal measures, there has been much discussion and debate about the need for transparency and confidence-building in the cyber domain. On that front, there has been some progress at the regional level, in particular at the OSCE. On 3 December 2013, the 57 member states of the OSCE adopted Permanent Council Decision 1106, elaborating an initial set of confidence and security building measures regarding the use of Information and Communications Technologies. The recommendations focus on transparency measures through improved information exchange, communications and cooperation, including:

1. Exchange of information on national views on threats in the use of information and communications technologies
2. Exchange of information on measures being taken by states to ensure an open and reliable Internet
3. Exchange of information on strategies, policies, and programs regarding cyber security
4. Consultations to reduce misunderstandings and misperceptions
5. Cooperation between state bodies responsible for establishing best practices
6. Exchange of information on national incident response policies and practices
7. Establishment of methods of rapid communication at senior policy levels regarding national security concerns, and
8. Exchange of information and dialogue on terms of reference used nationally in order to diminish misunderstandings.

Of course, all of these suggested measures would be voluntary. The hope is that all states would see the benefit of such measures, at a minimum as an expression of goodwill, and that the elaboration of such possible measures could feed into other processes. The OSCE sees the effort as one of a rolling nature; that is, the recommendations might be updated and become more ambitious as time goes on. However, given the OSCE’s limited membership and the vague mandate regarding implementation of the proposed measures by OSCE member states themselves, it remains unclear exactly how this initiative could be taken forward by the international community writ large.

There has also been some activity on transparency and confidence-building measures in the ASEAN Regional Forum, where China sponsored the first ARF workshop on cyber security in 2013, and, as we heard from Adam Blackwell, efforts in the Organization of American States around capacity building and cyber protection. That work, however, has yet to be really translated into the wider international arena.

ITU

The ITU is the intergovernmental body that manages, under a treaty regime, access to the radio-frequency spectrum for electronic transmission as well as to orbital slots for satellites. It also sets standards to guard against radio-frequency interference and to maximize the efficiency of communications networks. The organization comprises 193 nations and more than 700 corporate entities and academic institutions as non-voting members.
The relationship and mandate of the ITU with regard to cyber security is the subject of not inconsiderable debate. The ITU’s website states:

“A fundamental role of ITU, following the World Summit on the Information Society (WSIS) and the 2010 ITU Plenipotentiary Conference, is to build confidence and security in the use of Information and Communication Technologies (ICTs). At WSIS, Heads of States and world leaders entrusted ITU to take the lead in coordinating international efforts in the field of cybersecurity as the sole Facilitator of ‘Action Line C5,’ ‘Building confidence and security in the use of ICTs.’ In response, ITU Secretary-General Dr. Hamadoun I Touré launched the Global Cybersecurity Agenda (GCA), which is a framework for international cooperation aimed at enhancing confidence and security in the information society.”

This implied mandate is, however, disputed by many Western governments. Nonetheless, cyber governance – that is, rule setting and management of the operational functions of the Internet – has become a contentious issue within the ITU. At its most basic level, the debate pits the United States and many Western governments, who uphold the so-called “multi-stakeholder” model of Internet governance, against Russia, China, Iran and many in the developing world, who champion the concept of “national sovereignty” in the cybersphere, which includes the right to monitor and control incoming and outgoing data. While the two “sides” are hardly monolithic in their concerns and suggested approaches, particularly in the wake of the revelations made by former National Security Agency contractor Edward Snowden, the debate is fundamentally one of ideology.
In addition, a number of nations are clamoring for the current system of Internet governance – based around the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF), which together set the technical protocols and standards for operation of the network and manage the assignment of names in the cyberspace address directory (domain names) – to be transferred to the ITU. The arguments for doing so are that Internet governance is primarily controlled by the United States (a contention in which there is some truth) and Western interests, and that governance needs to be more equitable. With the Snowden revelations regarding NSA activities in the cybersphere, the role of the United States in Internet governance has become an even more heated debate. Indeed, many see the recent announcement by the US government that the Department of Commerce would not renew its contract with ICANN when it expires next year, instead transitioning ICANN to a multilateral support structure, as a “preemptive” strike designed to head off a push for ITU control. While the issue of Internet governance is complicated in the extreme, it does impact both cyber security and international security because of its fundamental nature.

The “multistakeholder vs. sovereignty” divide was a centerpiece of the December 2012 Dubai World Conference on International Telecommunications (WCIT-12). After protracted debate, the conference established new International Telecommunication Regulations (ITRs), but not by consensus, opening the road for divisions in practice, as those nations who do not accept the changes are not obliged to implement them. This suggests a potential problem of contradictory rules and regulations. One of the most controversial of the new ITRs was a measure designed to prevent spam that was rejected by most Western states because it implied a right for governments to examine all content.
The next forum to address these issues is the World Telecommunication Policy Forum in May in Geneva, and then the ITU Plenipotentiary Conference in Busan, South Korea in November-December 2014. The latter meeting is likely to be fraught with tension and controversy as states once again tackle the governance question.

Conclusion

As is apparent from my brief remarks, the international community faces some serious hurdles in addressing the issues related to cyber security, including fundamental disagreement on what should and could be done to avoid increased conflict and ensure a stable, predictable environment for cyber communications and commerce. The lack of a multilateral forum with a cross-cutting mandate only exacerbates those hurdles, but the primary issues are of a basic nature, i.e. lack of agreement about what actually constitutes security in the cyber domain and how to stabilize the environment. Thus, for the moment, the most feasible path for multilateral action is to continue to pursue transparency and confidence building, in order to establish a less shaky foundation for serious discussions about threat perceptions and how to cooperatively diminish risks.