The increasing number of cyber attacks blamed on nation states is getting on the nerves of a lot of Internet experts. Some say there’s a cyber arms race going on while others think we’re close to a state of permanent quiet cyber warfare.
So a lot of eyes will be watching what happens at this week’s 12th annual United Nations Internet Governance Forum in Geneva, which opens today.
The four-day forum, which brings together about 2,000 representatives of countries, technology firms, standards bodies and non-profits to discuss public policy issues relating to the Internet, doesn’t produce binding recommendations.
However, if and when it reaches consensus it may lead to governments adopting policies that affect the world.
Cyber security will be one of the six main sessions at this year’s conference. Others are digital transformation, gender inclusion on the Internet, discussions of work done by so-called dynamic coalitions (which range from IoT and blockchain technologies, to child online safety), digital rights and how multi-stakeholder co-operation can deal with Internet shutdowns, encryption and data flows.
There will also be groups working on Best Practices, one of which is finalizing a report on cyber security actions nations and the IT industry should adopt. That document is expected to be finalized in January.
One recommendation in the draft best practices report is that governments must not hoard IT vulnerabilities or create backdoors in secure communications technology.
The conference will also see Microsoft present its call for a “Digital Geneva Convention” to protect cyber space.
“Governments continue to invest in greater offensive capabilities in cyberspace, and nation-state attacks on civilians are on the rise,” an introduction to the panel discussion reads. “The world needs new rules to protect and defend civilians against nation-sponsored attacks.”
The proposal, which Microsoft says still needs fleshing out, would call on countries to sign a binding document promising they will not engage in cyber attacks on the private sector, nor target civilian electrical, economic or political infrastructure. There would also be an independent peer-reviewed agency to attribute the authors of cyber attacks, as well as a convention of best practices for technology companies.
The Forum is a way to assure governments around the world they have a say in the development of Internet governance. However, given the wide range of interests, with some governments insisting on the right to have full control over the Internet within their boundaries, agreement on cyber security issues isn’t easy.
For example, in July a United Nations Group of Government Experts failed for the first time to reach unanimity that some principles of current international law apply in cyberspace. The Group, with an expanding number of countries, has been meeting since 2004 to agree on how laws and rules limiting conventional war – such as an “armed attack” and the right to self-defense – apply in the cyber world.
But things are tense enough that last month the Global Commission on the Stability of Cyberspace issued a call for countries and non-state actors to agree they “should not conduct or knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace.”
Still, conference supporters insist talking has value. Wim Degezell, a Belgian Internet consultant and advisor to the Best Practices Cyber Security Forum, said in an email that outcome documents for previous sessions have been used as background reading for policy makers as they attend other forums, such as the Global Conference on Cyberspace.
The value of Best Practices Forums “lies in its multistakeholder character and therefore its ability to break down the traditional ‘silos’, bringing in varied expertise from people who normally don’t work together,” he wrote. “Recommendations are not directly enforceable but intend to serve as starting points for further policy debate on the identified issues between stakeholders at different levels.”
Kaja Ciglic, Microsoft’s director of government cyber security policy and strategy and a co-proposer of the company’s session, said in an email that “effective cybersecurity policy requires a multi-stakeholder dialogue. Today’s cyber security and stability problems cannot be solved by governments alone. Neither can industry or civil society do it by themselves. We need a constructive and collaborative effort. IGF is an ideal venue for those conversations.
“We put our Digital Geneva Convention proposals forward over the past year but before we detail them further we want to gather additional input and feedback from other stakeholders. We identified a problem— but it is critical to have a collaborative solution.”
Among the civil society groups participating at the conference is the Internet Society, which promotes an open Internet. It recently issued a report on the future of the Internet which said “addressing cyber threats should be the priority” of the international community. “It is critical for individual safety and for the future Internet economy.”
In an interview, Constance Bommelaer de Leusse, the society’s senior director of global Internet policy, said two years ago her agency agreed the Forum has to move beyond a “talk shop” towards a process that would deliver tangible outcomes that policy makers, tech companies and civil groups can hammer out into something concrete. The Best Practices Forums are one result. They are the culmination of a number of online collaboration sessions that take place over many months.
“In the past we’ve been able to develop best practices on mitigating spam, dealing with online violence against women and accelerating the deployment of IPv6,” she said.
The Internet Governance Forum’s mandate isn’t to create binding resolutions, she emphasized. But she added “people are looking for solutions they can take back home and implement for concrete problems.”
Microsoft’s Digital Geneva Convention workshop gives the company the ability to test-drive the idea before an international audience. It isn’t easy at the best of times to get the UN to agree to a document, let alone on an issue where countries see a great advantage to using technology to attack others without – so far – causing casualties.
For example, de Leusse wonders if a treaty is really necessary. Perhaps, she said, it would be better to enforce current law and norms on international behaviour. She also wonders if an attribution centre could definitively lay blame for a cyber attack.
Last year’s conference called for a concerted effort to close the digital divide.
The draft report on recommended cyber security best practices says in part:
– Governments are encouraged to identify and implement international conventions to address cyber crime, and provide a legal framework for investigation, prosecution and sanctioning. It offers means to criminalize and prosecute cyber crime;
– Software and product vendors must implement security at all stages of the development lifecycle. Products must be patched to address vulnerabilities throughout their well described lifecycle;
– The state of cyber security of these systems in developing countries is very poor. States and other stakeholders must support the development and sharing of security practices for ICS such as identifying vulnerabilities, and ensure patches are available;
– States should enact appropriate laws to criminalize use of information beyond its intended, appropriate purpose;
– Unauthorized access to devices should be criminalized by enacting appropriate laws. The Budapest Convention offers states a legal framework for prosecuting and dissuading;
– Each stakeholder community has a responsibility in helping to ensure that cyber security does not hinder future Internet development.
In addition to the Microsoft proposal, the sessions on cyber security will discuss how to improve cyber security incident response (CIRT) teams (either industry-wide or national); a separate session on how CIRTs can co-operate; a European approach to securing critical infrastructure; the Dutch government’s approach to the concept of duty of care and the Internet of Things; whether regulation is needed for IoT; legal challenges of international law and encryption to criminal and counter-terrorism investigations; conflicts between fighting terrorism online and Internet freedom; and a debate on whether governments should have the right to “hack back” at cyber attackers.