chatham house cyber+space conference june 2013 - international norms for cyberspace: deadlocks to...
DESCRIPTION
The presentation was prepared for the workshop of the Chatham House on "Making the Connection: Building Stability in Cyber and Space" (London, 7 May 2013)
TRANSCRIPT
On the Way Towards International Norms for Cyberspace: Deadlocks to Resolve, Lessons to Learn
Oleg Demidov, Program Coordinator, PIR Center
Chatham House, London, 07.05.2013
Deadlocks of Cyberspace Regulation
1. Adaptation of existing mechanisms or adoption of new international norms and documents?
2. Technical aspects of cybersecurity or content related issues to be the subject of negotiation and international regulation?
3. Who is responsible for actions constituting cyber conflict – The State or a Citizen?
4. Attribution of Proxy Actors – the key problem
Conflicting Understanding of Cyberspace: An Obstacle for Common Norms
USA: Cyberspace
U.S. Department of Defense (latest edition 2012)
A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processes and controllers
Russia, SCO: Information Space
Convention on International Information Security (concept); SCO Yekaterinburg Agreement, June 16, 2009
Information space - the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure, and information itself.
U.S.-Russian Study Group: Cyberspace
Russia – U.S. Bilateral on Cybersecurity. Critical Terminology Foundations. East-West Institute, 2011
An electronic domain through which information is created, transmitted, received, stored, processed and deleted
Germany: Cyberspace
Cyber Security Strategy for Germany, 2011
The virtual space of all IT systems linked at data level on a global scale. The basis for cyberspace is the Internet as a universal and publicly accessible connection and transport network which can be complemented and further expanded by any number of additional data networks. IT systems in an isolated virtual space are not part of cyberspace.
(Diagram: Information space and Cyberspace)
Threats in Cyberspace: Classification
Russia: the Triad of threats in the information space
Military and Political Threats
Cybercrime
Terrorism
Formulated by UN GA Resolution A/RES/54/49 on December 1, 1998 (adopted under Russia’s initiative)
Elements are interrelated and inseparable
Includes the issues of content
Does not provide understanding of technical nature of threats
Malicious Activities in Cyberspace: Actor-Object Classification
Object: Citizens | States and Proxy Actors
Actor Citizens: Cyber Crime (Citizens vs Citizens) | Cyber Terrorism (Citizens vs States)
Actor States and Proxy Actors: (States vs Citizens) | ? Cyber war (States vs States)
Any universal classification?
Soft Law Mechanisms and Codes of Conduct for Cyberspace
Proposals
Authors
Soft Law Mechanisms
1. Russia
Russia supports the idea of a Code of Conduct for cyberspace as a global UN-backed document with strong emphasis on content issues
2. The SCO and its states
1. Code of Conduct in the field of International Information Security (drafted by Russia, Tajikistan, Uzbekistan and China on September 12, 2011)
2. In March 2013 China called for creating some code of conduct for cyberspace in order to tackle the threat of cyberwar
3. USA
Since the end of 2012 actively support elaboration of “norms of responsible behavior” in cyberspace
Adaptation of the existing international law (jus in bello, jus ad bellum)
Support of the Tallinn Manual approach
Statement by the Secretary of State Hillary Clinton at the international Conference on Cyberspace in Budapest on November 5, 2012
4. UN and the ITU
International private-state cooperation mechanisms: IMPACT-ITU Alliance since 2011 (Russia refused, Group-IB and Kaspersky Lab participate)
The ITU: National Cybersecurity Strategy Guide: is not in demand in Russia, as well as the ITU cybersecurity standards
Global Cybersecurity Culture: UN GA Resolution A/RES/64/211, A/RES/58/199, A/RES/57/239 (just recommendations)
Legally Binding Mechanisms for Cyberspace
Proposals
Authors
Proposals of legally binding acts
1. Russia
1. Convention on International Information Security (concept)
Presented on 11.2011 (Conference on Cyberspace)
Global scale as a UN act
Comprehensive nature (the triad of threats + the issues of cyber sovereignty)
2. Project of a universal UN Convention on international cybercrime (to be presented probably in Seoul in October 2013)
To provide new level of cooperation and to avoid the flaws of the Budapest Convention of CoE
Embraces only criminal segment of the Triad of threats
2. SCO and its separate states
1. The agreement of SCO on cooperation in the field of ensuring the international information security signed on June 16, 2009
Laid terminological foundation in the field of IIS
First legally binding international document
No particular mechanism of intergovernmental cooperation on countering cyberthreats
3. USA
Participate in CoE Convention and promote it as a potentially global mechanism
Oppose the initiatives of Russia and the SCO because of cyber sovereignty component
4. UN and the ITU
2010: The ITU Secretary General Hamadoun Toure called for elaboration of a global treaty on prevention of cyberwars
Concept of a “peace treaty before war”
Never promoted at the UN GA level
Political disputes between Russia, China, USA make the idea hardly feasible
The Tallinn Manual Approach
The International Law Applicable to Cyber Warfare
Issued by CCD COE International Group of Experts on March 28, 2013
Adaptation or a new vision of the international law of armed conflict?
States may not knowingly allow cyber infrastructure located in their territory to be used for acts that adversely affect other States
The State itself is responsible for proxy actors acting under its direction
The prohibition on the use of force in international law applies fully to cyber operations. Any cyber operation that caused harm to individuals or damage to objects qualified as a use of force
An attack is a cyber operation that causes injury or death to individuals or damage or destruction to objects or which interferes with the functionality of cyber infrastructure in a manner that requires repair
Civilian hacktivists conducting cyber operations during an armed conflict can become legitimate targets under certain circumstances
International Criminal Court for Cyberspace
An International Criminal Court or Tribunal for Cyberspace (ICTC)
Stein Schjolberg, Norwegian Judge, High Level Experts Group (HLEG), ITU, Geneva, Chairman (2007-2008)
A United Nations court of law, established through a Resolution by the Security Council in accordance with Chapter VII of the United Nations Charter
The idea of international criminal jurisdiction over individuals committing massive and well-coordinated cyber attacks, which is effectively equal to criminal jurisdiction over proxy actors in cyber conflicts (including state vs state cyber wars with the use of proxy actors)
Two areas of jurisdiction:
1. “Core cybercrimes” (fraud, data interception, forgery, illegal access, etc.)
2. Massive and coordinated global cyber attacks against critical information infrastructures
“To prosecute … whoever by destroying, damaging, or rendering unusable critical communications and information infrastructures, causes substantial and comprehensive disturbance to the national security, civil defense, public administration and services, public health or safety, or banking and financial services”.
No room for responsibility of a state actor for malicious activities in cyberspace – because of the attribution problem
Lessons for Space Agenda
1. Bilateral cooperation on technical matters on the initial stages works better than attempts to come to a consensus on a comprehensive legal mechanism of global scale
2. Outer space agenda has the advantage of quite clear attribution of actions unlike cyberspace, where it will remain a key stumbling block
3. If the Proxy Actors problem remains unresolved in cyberspace, the outer space regulation will also face it in the future as the private sector of space will become more diversified and complex
4. A major problem of Codes of Conduct projects for cyberspace is the lack of compliance and verification mechanisms – which might be also true for Codes of Conduct for outer space in the future
Information on PIR Center program “International Information Security and Global Internet Governance”
net.pircenter.org
Contacts (Oleg Demidov)
Thank you for your attention!