On the Way Towards International Norms for Cyberspace: Deadlocks to Resolve,

Lessons to Learn

Oleg Demidov,Program Coordinator, PIR Center

Chatham House, London, 07.05.2013

Deadlocks of Cyberspace Regulation

1. Adaptation of existing mechanisms or adoption of new international norms and documents?

2. Technical aspects of cybersecurity or content related issues to be the subject of negotiation and international regulation?

3. Who is responsible for actions constituting cyber conflict – The State or a Citizen?

4. Attribution of Proxy Actors – the key problem

Chatham House, London, 07.05.2013

USA: Cyberspace

U.S. Department of Defense (latest edition 2012)

A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processes and controllers

Information space - the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure, and information itself.

Russia, SCO: Information Space

Russia – U.S. Bilateral on Cybersecurity. Critical Terminology Foundations. East-

West Institute, 2011

U.S-Russian Study Group: Cyberspace

An electronic domain through which information is created, transmitted, received, stored, processed and deleted

Cyber Security Strategyfor Germany, 2011

The virtual space of all IT systems linked at data level on a global scale. The basis for cyberspace is the Internet as a universal and publicly accessible connection and transport network which can be complemented and further expanded by any number of additional data networks. IT systems in an isolated virtual space are not part of cyberspace.

Germany: Cyberspace

Conflicting Understanding of Cyberspace: An Obstacle for Common Norms

O.V. DemidovProgram Coordinator PIR Center

Inf. space

CyberSpace

Convention on International Information Security (concept); SCO Yekaterinburg Agreement

June 16, 2009

Threats in Cyberspace: ClassificationO.V. DemidovProgram Coordinator PIR Center

Formulated by UN GA Resolution A/RES/54/49 on December 1, 1998

(adopted under Russia’s initiative)

Elements are interrelated and inseparable

Includes the issues of content

Does not provide understanding of technical nature of threats

Military and Political Threats

CybercrimeTerrorism

Russia: the Triad of threats in the information space

Malicious Activities in Cyberspace: Actor-Object Classification

Object

Actor

Citizens States and Proxy Actors

CitizensCyber Crime(Сitizens vs Citizens)

Cyber Terrorism(Сitizens vs States)

States and Proxy Actors (States vs Citizens)

?Cyber war(States vs States)

Any universal classification?

Soft Law Mechanisms and Codes of Conduct for Cyberspace

O.V. DemidovProgram Coordinator PIR Center

Proposals

Authors

Soft Law Mechanisms

1. Russia Russia supports the idea of a Code of Conduct for cyberspace as a global UN-backed document with strong emphasis on content issues

2. The SCO and its states

1. Code of Conduct in the field of International Information Security (drafted by Russia, Tajikistan, Uzbekistan and China on September 12, 2011)

2. In March 2013 China called for creating some code of conduct for cyberspace in order to tackle the threat of cyberwar

3. USASince the end of 2012 actively support elaboration of “norms of responsible behavior” in cyberspace. Adaptation of the existing international law (jus in bello, jus ad bellum) Support of the Tallinn Manual approach Statement by the Secretary of State Hillary Clinton at the international

Conference on Cyberspace in Budapest on November 5, 2012

4. UN and the ITU

International private-state cooperation mechanisms: IMPACT-ITU Alliance since 2011

(Russia refused, Group-IB and Kaspersky Lab participate)The ITU: National Cybersecurity Strategy Guide: is not in demand in

Russia, as well as the ITU cybersecurity standardsGlobal Cybersecurity Culture: UN GA Resolution A/RES/64/211,

A/RES/58/199, A/RES/57/239 (just recommendations)

Legally Binding Mechanisms for CyberspaceO.V. DemidovProgram Coordinator PIR Center

Proposals

Authors

Proposals of legally binding acts

1. Russia

1. Convention on International Information Security (concept)Presented on 11.2011 (Conference on Cyberspace)Global scale as a UN actComprehensive nature (the triad of threats + the issues of cyber sovereignty)

2. Project of a universal UN Convention on international cybercrime (to be presented probably in Seoul in October 2013)

To provide new level of cooperation and to avoid the flaws of the Budapest Convention of CoE

Embraces only criminal segment of the Triad of threats

2. SCO and its separate states

1. The agreement of SCO on cooperation in the field of ensuring the international information security signed on June 16, 2009

Laid terminological foundation in the field of IISFirst legally binding international documentNo any particular mechanism of intergovernmental cooperation on countering

cyberthreats

3. USAParticipate in CoE Convention and promote it as a potentially global mechanismOppose the initiatives of Russia and the SCO because of cyber sovereignty

component

4. UN and the ITU

2010: The ITU Secretary General Hamadoun Toure called to elaboration of a global treaty on prevention of cyberwars

Concept of a “peace treaty before war”Never promoted at the UN GA levelPolitical disputes between Russia, China, USA make the idea hardly feasible

The Tallinn Manual Approach

The International Law Applicable to Cyber WarfareIssued by CCD COE International Group of Experts on March 28, 2013 Adaptation or a new vision of the international law of armed conflict?

States may not knowingly allow cyber infrastructure located in their territory to be used for acts that adversely affect other States

The State itself is responsible for proxy actors acting under its direction

The prohibition on the use of force in international law applies fully to cyber operations. Any cyber operation that caused harm to individuals or damage to objects qualified as a use of force

An attack is a cyber operation that causes injury or death to individuals or damage or destruction to objects or which interferes with the functionality of cyber infrastructure in a manner that requires repair

Civilian hacktivists conducting cyber operations during an armed conflict can become legitimate targets under certain circumstances

Chatham House, London, 07.05.2013

International Criminal Court for Cyberspace

An International Criminal Court or Tribunal for Cyberspace (ICTC)Stein Schjolberg, Norwegian Judge, High Level Experts Group (HLEG), ITU, Geneva, Chairman (2007-2008)

A United Nations court of law, established through a Resolution by the Security Council in accordance with Chapter VII of the United Nations Charter

The idea of international criminal jurisdiction over individuals committing massive and well-coordinated cyber attacks, which effectively equals to criminal jurisdiction over proxy actors in cyber conflicts (including state vs state cyber wars with the use of proxy actors)

Two areas of jurisdiction:

1. “Core cybercrimes” (fraud, data interception, forgery, illegal access, etc.) 2. Massive and coordinated global cyber attacks against critical information Infrastructures“To prosecute … whoever by destroying, damaging, or rendering unusable critical communications and information infrastructures, causes substantial and comprehensive disturbance to thenational security, civil defense, public administration and services, public health or safety, or banking and financial services”.

No room for responsibility of a state actor for malicious activities in cyberspace – because of the attribution problem

Chatham House, London, 07.05.2013

Lessons for Space Agenda

1. Bilateral cooperation on technical matters on the initial stages works better than attempts to come to a consensus on a comprehensive legal mechanism of global scale

2. Outer space agenda has the advantage of quite clear attribution of actions unlike cyberspace, where it will remain a key stumbling block

3. If the Proxy Actors problem remains unresolved in cyberspace, the outer space regulation will also face it in the future as the private sector of space will become more diversified and complex

4. A major problem of Codes of Conduct projects for cyberspace is the lack of compliance and verification mechanisms – which might be also true for Codes of Conduct for outer space in the future

Chatham House, London, 07.05.2013

Information on PIR Center program “International Information Security and Global Internet Governance”

net.pircenter.org Contacts (Oleg Demidov)demidov@pircenter.org

Thank you for your attention!

Chatham House, London, 07.05.2013