Summary of “Challenges in International Cyber Security” NDU Conference Report Charles Barry Center for Technology and National Security Policy The National Defense University Presented at the 4 th International Forum Garmisch-Partenkirchen, Germany April 2010
Barry/CTNSP-NDU2 Background 2007: NDU launched a research project on Cyberpower and National security. A conference series was planned. One conference addressed challenges in international cyber security. The intent was to ask as many national representatives as possible to share their perspectives on cyber power and cyber security. The conference was held at NDU April The research project results were published in two volumes by NDU Press: “Cyberpower and National Security” and “Military Perspectives on Cyber Space.” NDU continues its research on Cyber Security, including in the international arena, with the goal of increasing the dialogue.
Barry/CTNSP-NDU3 Challenges in International Cyber Security Conference and Report Overview 2 days 260 attended, including 24 non-US 40 speakers – including from ICANN, Russia, India, Brazil, key US stakeholder organizations 6 panels 12 key observations 2 persistent themes 7 recommendations
Barry/CTNSP-NDU4 Key Observations 1 International dialogue on cyber governance, crime and security is imperative, long over due and still embryonic There is essentially only one network in cyberspace – every major stakeholder has a vested interest in securing this common network for all users Developing effective security requires technologies that can provide early detection, increase situational awareness and – critically - track attribution. The development of cyber law is fundamental to determining conduct in cyberspace: types of legal entities, crimes to be prevented and the threshold of acts of war. By its nature, cyber law is international law.
Barry/CTNSP-NDU5 Key Observations 2 Threats to cyber security are naturally asymmetrical. Credible deterrence may call for the capacity to respond in kind. But constitutes a legitimate response to cyber attacks? There are three general levels of ‘bad’ conduct in cyber space: individual hackers, organized criminal behavior and acts of warfare on states, by other states or non-states. Nations generally deal with the first two through law enforcement bureaucracies and the third by defense ministries – but is this division wise, creating two cyber defense capabilities? The international community needs agreed definitions in order to coalesce around effective cyber space governance. A common lexicon forms the basis of international understanding. Nations, including the US have not established fully national governance over cyber space matter. It is unclear where responsibility lies for network security. Overcoming national ambiguity is a precursor to international agreement.
Barry/CTNSP-NDU6 Key Observations 3 Globalization has brought an age of cyber interdependency between national security and financial stability. In determining areas of mutual interests, threats and vulnerabilities, global financial stability should be the common denominator. Cyber security is not only infrastructure security but content security. International monitoring efforts should be federated among governments as well as across the public-private sector divide. Commercial goals and national security goals should be meshed through collaboration, especially with multinational industries, to establish a culture of ethics and responsibility regarding cyber security
Barry/CTNSP-NDU7 Two Persistent Themes Thus far no international code of conduct for cyber space. Standards, ‘rules of the road’ in the cyber domain should be agreed, beginning where common values, understandings are evident. Coalescing common rules will be long and arduous. It requires continuous dialogue among nations, private sector and international stakeholders – more so than is now taking place.
Barry/CTNSP-NDU8 Conclusions and Recommendations 1 Most players demonstrate large gaps in understanding the positions of other stakeholders. Dialogue helps close these gaps. The concerted efforts at NDU to hear from Brazil, Russia, India and China as well as international organizations and US agencies paid significant dividends, both for formal and informal understanding. NDU should host or participate in at least one international conference on cyber security annually.
Barry/CTNSP-NDU9 Conclusions and Recommendations 2 Future conferences should be expanded to included more major industry players and major cyber countries such as Germany The US and others should consider a major cyber security initiative focused on cooperation among both traditional allies as well as other major cyber countries and organizations. Collaboration should be continued and expanded among the many major cyber powers, as well as across governments, industry, scientific communities and academia.
Barry/CTNSP-NDU10 Summary The NDU conference was a strong contribution to the dialogue among international cyber experts that we all should be determined to maintain and expand Form is far less important than substance – the goal is to build momentum behind an ongoing dialogue through many avenues Multiple international venues will be essential Everyone should be engaged – states, international organizations, industry, think tanks, etc There is a long path ahead – we must roll up our sleeves and get to work We look forward to seeing you back at NDU
Barry/CTNSP-NDU11 Discussion?
Barry/CTNSP-NDU12 International Challenges of Crime, Security and Governance Response to cyber crime has remained unchanged for 25 years while the threat has grown exponentially due to the value of information. The cyber technology industry needs international standards and laws for data protection, privacy. International cyber governance is ambiguous, needs to be clarified.
Barry/CTNSP-NDU13 Policy Challenges in Defending Against Cyber Attack Law enforcement can only work with identification and attribution – this is technology as well as policy challenge. Consensus around a threshold of unacceptable behavior should emerge through international dialogue. The concepts of territorial jurisdiction and integrity, and sovereignty, must be applied to cyber space, information security and the meaning of ‘attacks.’ Concerns over effective countering of attacks against cyber systems and data need to move from the margins to the mainstream, engaging the global expertise of both the public and private sectors.
Barry/CTNSP-NDU14 Critical Cyber Infrastructure Protection Timely sharing of information about vulnerabilities and attacks, between governments and the private sector – more so than at present – will help mitigate losses. The convergence of cyber and communications creates a public- private imperative to promote survivability of critical infrastructure circuits Standards and best practices, generated by public-private collaboration, will encourage investment in risk mitigation and ease the debate over the need for regulation Critical Infrastructure Protection requires not just preparedness but risk assessment to prioritize investment in risk mitigation
Barry/CTNSP-NDU15 Potential Thresholds of War in Cyberspace At present there is no consensus on what constitutes an act of war in cyberspace. Clarification is needed on what differentiates cyber warfare from less severe cyber threats. In order to reach a definition of cyber warfare partnerships are critical – strong ties and open communications among trusted powers and groups are the basis of building broad agreement on unacceptable behavior. The UN Charter may be the place to start: it provides widely accepted distinctions between ‘war’ and ‘not war’ as well as principles of self defense, sovereignty and proportionality.
Barry/CTNSP-NDU16 National Perspectives on Infrastructure Protection, Cyber Crime, and the Potential for War in Cyber Space Cyber security challenges involve a spectrum ranging from the state level to non-state groups to individuals. In Brazil, cyber crime is mainly cell phone based and conducted by organized gangs. A secondary challenge is the serving as a source of global botnets. Russia’s main concern is state-on-state hostilities via the cyber domain and prevention of a cyber ‘arms race.’ India’s place in among major cyber powers has been a rapid rise, however it has managed to avoid an exponential growth in cyber crime. China’s acceptance of cyber as a legitimate domain for business as well as international relations is fully matured. It knows the malicious use of cyber power is a double-edged sword, likely to disrupt its own processes as well as others.
Barry/CTNSP-NDU17 Institutional and Multilateral Governance Initiatives There are gaps in efforts of institutions and multilateral enterprises to counter cyber threats Solutions should be sought at multiple levels, from multinational organizations to small technology innovators. In the US the private sector has shown greater expertise and flexibility in addressing cyber security problems for both private and public sector systems. National governments and ICANN should tap into the private sector and seed informal collaborative networks to develop the best solutions. Governance is a concept best implemented though active, continuous public-private engagement, including at the international level