One click to attack critical infrastructure. What can we do? Reflections from the UN IGF Workshop

Anastasiya Kazakova, Senior Public Affairs Manager

A new chapter in UN cyber negotiations

Earlier this year we started discussions on how the world could improve its cross-border “firefighting” within the RSA 2021, and wrote a separate piece with some concrete ideas. With a new UN cyber-dialogue beginning this week, diplomats of all 193 countries re-convene to continue discussing the use of ICTs in the context of international security and peace to ensure cyber-stability. The ideas we discussed and associated non-binding cyber norms and confidence-building measures (CBMs) are all part of the UN cyber-stability framework.

It is yet to be seen how States will organize the work, and what the priorities will be for the international community. What we can already say with high certainty today is that modern sophisticated cyberattacks and growing digitalization taking place in the industrial sector make attacking critical infrastructure (CI) terribly simple. Ransomware hitting critical sectors in headlines in 2021 as an example, among others, brings forth a valid question: what can we do? Do we as international community have the means for cross-border cooperation to effectively mitigate such attacks on CI and protect people?

To be, hopefully, one step closer to a possible solution, we organized a workshop at the 2021 UN Internet Governance Forum (IGF), and were honored to have key practitioners and experts from cyber diplomacy, cybersecurity research, and incident response to discuss this in a two-part workshop.

Learning national perspectives on critical infrastructure protection (CIP): what is considered critical and what is not?

In the first part we focused on national approaches and existing good practices to CIP, also touching on the UN cyber-stability framework negotiated in the UN First Committee to see how States domestically implement (or not) the UN cyber agreements and specifically norms on CIP. We were privileged to discuss this with four experts, representing different countries and regions:

• Ambassador Regine Grienberger, Federal Foreign Office, Germany (@GERonCyber);
• Daniel Klingele, Senior Advisor, International Security Division of the Federal Department of Foreign Affairs, Switzerland (@SecurityPolCH);
• Mr. Dan Yock Hau, Assistant Chief Executive (National Cyber Resilience), Cyber Security Agency, of Singapore (@CSAsingapore); and
• Ms. Johanna Weaver, Director of the Tech Policy Design Centre, Australian National University, and former head of the Australian delegation to the UN OEWG and GGE (@_JohannaWeaver).

Ambassador Grienberger outlined Germany’s approach to CIP and shared the perspectives coming from the European Union, and experience from the U.S.-led ransomware initiative where Germany specifically participates in a diplomatic track. She stressed that Germany implements a whole-of-government and whole-of-society approach to CIP, where the essential element is close public-private cooperation with intense information-sharing best practices and lessons-learned. The national framework is based on the IT security law, CI strategy, and recently updated cybersecurity strategy, and it is complemented by the EU NIS Directive. All of these provide a legal framework clarifying technical and organizational security obligations for CI operators.

Deciding on what is critical and what is not, Ms. Grienberger highlighted that size (e.g., financial turnover and/or number of users) is an important criterion, additionally to the service, and this is currently being discussed within the EU countries. It is indeed a responsibility of the government to define CI and provide an institutional framework for CIP; however, a lack of human resources and cybersecurity talent is a challenge requiring greater capacity building efforts.

“Continuous improvement of cybersecurity level is the key to dynamic architecture, and in Germany we have built a national framework to CIP, which is embedded in the legal framework at the European Union level and complemented by our cooperation with partners at the international level. Lack of human resources remains a serious challenge, and we need greater investments into cyber capacity building.”

Ambassador Regine Grienberger, Federal Foreign Office, Germany

Speaking of Switzerland’s approach, Mr. Klingele shared a clear-cut definition of CI as ‘processes, systems and facilities essential to the functioning of the economy and wellbeing of the population’, as provided by the Swiss CIP strategy (2018-2022). The national regulatory approach is dictated by different elements, such as costs of the regulatory actions versus creating incentives; ensuring a decentralized structure of responsibilities; and building an inventory of critical functions to where organizations can voluntarily ask to be added as critical operators. But beyond that, defining clear processes for CIP and thus clarifying who uses this critical service, how, and in which particular context, is critical. Mr. Klingele agreed with Ambassador Grienberger that CIP is a shared responsibility, and the focus should be placed on building effective public-private partnerships; however, CI operators must understand their responsibilities and duties to manage cyber risks. What’s more, if there is a request for assistance from another State, Switzerland tries to help mitigate the effects of malicious activity and thus to respond to such requests.

“Both reports from the UN OEWG and UN GGE give valuable guidance on how to implement cyber norms. Development of a national strategy and national institutional framework is an important first step to implementing these norms. Focusing on public-private partnerships to ensure a shared responsibility is the important principle in protecting critical infrastructure.”

Daniel Klingele, Senior Advisor, International Security Division of the Federal Department of Foreign Affairs, Switzerland

Mr. Dan Yock Hau shared that Singapore has operationalised a three-tiered CIP governance framework and structure, where the CSA closely works with eleven CI sector regulators to strengthen the cyber resilience of the CI organisations. They together define the cybersecurity minimal baseline requirements and perform criticality assessments to identify CI systems. The established Cybersecurity Act is the key piece of the country’s legislation, which (i) strengthens CIP against cyber threats; (ii) authorizes CSA as a national agency to prevent and respond to threats and incidents; and (iii) establishes a licensing framework for cybersecurity service providers. On international cooperation, there are also three key areas to secure CI: Consensus among States (i.e., agreeing on ‘rules of the road’); Collaboration (i.e., keeping the digital domain safe and secure through effective collaboration and partnerships); and Capabilities (i.e., investing in capacity building to spearhead a systemic response to cybersecurity).

Mr. Dan stressed that governments do not necessarily have a monopoly on the solutions to cyber challenges, where CIP is a collective responsibility borne by the government, CI operators and the private sector. In that regard, Singapore’s multistakeholder approach is rather aligned with the perspectives we heard from Germany and Switzerland.

“Cyber threats are not confined within geographical boundaries. Bilateral, multilateral cooperation are key to share timely information and respond to incidents swiftly. Singapore will work closely with our partners to collectively combat cross-border cyber threats.”

Mr. Dan Yock Hau, Assistant Chief Executive (National Cyber Resilience), Cyber Security Agency of Singapore

Ms. Weaver also shared Australia’s perspective and highlighted that new legislation has just been passed which extends the definition of CI from four to 11 sectors, and, interestingly, it specifically designates the DNS as CI. The new legislation also outlines mandatory reporting requirements for CI operators, and extension of the powers of the government to take control of infrastructure in case of a serious cyberattack. For ensuring an effective incident response, it is critical to have pre-existing plans both with governments and with the private sector, and to test if those plans are effective they should be exercised on a regular basis.

Speaking of the takeaways from the two previous UN cyber dialogues, Ms. Weaver stressed that they provide an additional layer of guidance, and specifically the 2021 GGE report guides countries on the implementation of non-binding cyber norms that are supported by binding international law.

“All states have now unanimously agreed that they are not going to intentionally damage the critical infrastructure of other states using ICTs and that they should protect critical infrastructure. But there are not enough countries making public commitments and being transparent about the use and development of offensive cyber capabilities. Australia is among the few countries that publicly commit that we are not going to use these to damage the infrastructure of other states. We need more transparency around that.”

Ms. Johanna Weaver, Director of the Tech Policy Design Centre, Australian National University

Exploring opportunities for a ‘UN cyber emergency phonebook’

After conceptualizing national approaches to CIP, we wanted to investigate further in the second part of the workshop whether a ‘UN cyber emergency phonebook’ is possible. If you were to ask what such a thing is, our answer would be that it is something that does not exist (yet), but nicely covers the main idea we are looking to explore. Practically speaking, if an affected state does not have the capability to respond and protect itself, who should it approach for help? And where a cyberattack affects CI in several jurisdictions, is cross-border cooperation possible, and if it is – how?

We were privileged to discuss these questions with three other experts, also representing different organizations and regions:

• Mr. Serge Droz, Board of Directors, FIRST (@sergedroz);
• Ms. Carmen Corbin, Head of Counter Cybercrime Programming (West and Central Africa), Global Programme on Cybercrime, UNODC (@CarmenCorbin_UN); and
• Mr. Pierre Delcher, Senior Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky (@securechicken).

Mr. Droz opened the discussion and stressed that most CERTs/CSIRTs will sooner or later need the help of others as they do not have access to infrastructure operated by third parties, and most often in different jurisdictions, a fact that attacker exploit.

While a global directory or phonebook is essential to collaborate in the first place it is by no means enough. Sharing information with others requires a high degree of trust. To maintain this, often high level of, trust it’s key that CSIRTs are not engaged in any adverse activities, they should remain neutral. Activities detrimental to trust include offensive operations but also attribution which is intently non-neutral. Failing to uphold trust relationships may ultimately mean that key stakeholders will no longer support participate or pick up the phone.

Mr. Droz noted that trust is inherently a human thing and it is difficult to institutionalize. But in the end this is about people working together who have had something in common in the past. That’s why for trust – you should really start collaborating on a regular basis; then individual trust may likely spread further to entire teams.

“CERTs are designed, and whose key role is, to respond to incidents, and they shouldn’t be part to any other activity such as attribution or using offensive capabilities. And focusing on their role is key to ensuring their neutrality during a cyber emergency. FIRST provides a unique space including members from any political block, which during a cyber crisis still talk to each other. We need to foster such cooperation and promote the work of incident responders more.”

Mr. Serge Droz, Board of Directors, FIRST

Ms. Corbin also touched on trust issues and agreed that building relationships is absolutely critical as this is something that helps in fostering an incident response among experts, communities and countries. At the same time, echoing remarks in the first part, Ms. Corbin stressed that keeping an ongoing focus on capacity building, training, and building a shared understanding on digital evidence and cybersecurity investigations are important elements in helping States be more effective in dealing with significant cyber incidents involving CI. In this regard, Ms. Corbin shared about the regional work for capacity development which her team undertakes as an example of how they bring together cybersecurity experts and various CERT members to provide space for trust building.

“Experiencing together cyber emergencies helps experts and communities build closer and trusted relationships. And relationship building – at the national and regional levels – and to know who are points-of-contact and if they are reachable for assistance, is absolutely critical for dealing with a cyber emergency.”

Ms. Carmen Corbin, Head of Counter Cybercrime Programming (West and Central Africa), Global Programme on Cybercrime, UNODC

Coming back to the core question on what an effected State could do during a significant cyberattack, Mr. Delcher noted that various options already exist, such as the regional CSIRT community, regional crisis and incident response mechanisms, multilateral cooperation bodies, and additional bilateral agreements. But at the same time, not one of these is fully international by nature and covering all States and which could be cyber-specific (and thus also providing a platform for cooperating with the private sector). Sharing his past experiences, Mr. Delcher said that cooperation does not happen as a result of any single specific action, whoever the initiator may be. It is rather a result of multiple factors such as common grounds, goals, values, shared commitments, mutual understanding, compatible capabilities, clear outcomes or explicit successes, time, and most of all – trust. There is no magic recipe to build trust between individuals and organizations. Only by continuously collaborating and experiencing common events (as also Serge and Carmen highlighted) – parties can truly work together and trust each other.

“A cyberattack or cybersecurity incident would most likely be global in nature, but the response almost never is. What an unbalanced situation we put ourselves in! So, yes, cross-border cooperation must be possible, and should bring better results. A “UN emergency phonebook” could be a good start and could surely be done easily by leveraging existing cooperation mechanics, but we surely must go further right away.”

Mr. Pierre Delcher, Senior Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky

What’s next?

All the great ideas expressed during the two-part workshop can hardly disagreed with – they are important and provide a practical way forward. But, testing those ideas against the existing reality, we also need to keep up with the dynamics of the inter-state discussions and on the willingness of States to enhance international cooperative mechanisms. The new five-year long round of the UN cyber dialogue starts this week, and hopefully the international community will have new practical achievements even sooner.