Anastasiya Kazakova, Senior Public Affairs Manager
We are all calling for greater transparency about cyber-engagements and greater information sharing, but are there limits to what we can achieve in cyberspace? How much information do we really need? And in the light of the recently adopted final OEWG report, what would the takeaways be for us as a global community?
Continuing our limited series of Community Talks, we organized a fourth edition to discuss mechanisms for sharing and exchanging information and determining attribution with the following experts:
For each edition we discuss three simple questions. For Community Talk #4 they were:
Starting with the positives: what are the existing good practices for sharing and exchanging information between states and non-state actors?
Ms. Johanna Weaver explained that Australia has invested a lot of effort in this field, in particular, by establishing and maintaining the Australian Cyber Security Centre (ACSC), which also cooperates with the private sector and has a trusted info-sharing framework focusing on critical infrastructure protection (CIP) and protection of systems of national importance. Speaking more broadly about incident response, from an operational perspective, the neutral and non-political work of CERTs and, particularly, FIRST is vital in dealing with day-to-day cyber-incidents. At a more strategic level, when dealing with incidents that have the potential to threaten international peace and stability, there are many good examples starting to emerge, e.g., the ASEAN Regional Forum (ARF) has recently established points of contact (PoCs) at technical, operational and diplomatic levels. Knowing who to call is very important during an emergency.
Regarding attribution, Johanna highlighted that it’s important to be clear about what types of attribution we’re talking about. From Australia’s perspective, there is: (i) technical or factual attribution (can we attribute this type of activity to a particular actor?); (ii) legal attribution (is there a legal responsibility?); and (iii) a political decision to respond to the act (this type is often called political attribution). Speaking of good examples, the U.S. has just released a statement attributing the SolarWinds cyberattack to the Russian Intelligence Services, and Australia expressed its support of this statement (as did several other countries).
From a law enforcement perspective, Mr. Philipp Amann stressed that law enforcement agencies (LEAs), industry, academia, civil society and the CERTs/CSIRTs community need to work together because they all hold essential pieces of the puzzle that are important for successful cybercrime investigations and to improve cybersecurity in general. However, it has proven to be challenging to put this into practice because of regulatory and legal uncertainties, lack of standards, lack of trust, unclear objectives and requirements and overlapping initiatives, to name a few. One of the examples Philipp shared was from his time with OSCE when the organisation managed to finalize a first set of confidence-building measures (CBMs) – an important step forward, especially from a political perspective. And currently we can see how states use those CBMs in practice to deal with incidents.
Speaking of other existing good practices for collaboration and information sharing, the European Union (EU) has the European External Action Service (EEAS) and Cyber Diplomacy Toolbox, as well as the EU NIS Directive (and the current proposal for the NIS 2.0). Within the EU, Europol works closely with ENISA, CERT-EU, the European Defence Agency and other relevant partners; outside the EU, Europol also cooperates with the World Economic Forum (WEF). Industry platforms such as the Cyber Threat Alliance can be named here too. Philipp highlighted that Europol is particularly successful at establishing the necessary networks and getting all the relevant participants to the table to support EU Member States in their investigations: e.g., Europol’s European Cybercrime Centre’s Advisory groups with the participation of industry; cooperation with the CSIRT community and annual workshops with them; and the Joint Cybercrime Action Taskforce (J-CAT) – an operational platform that Europol’s EC3 hosts with LEAs of EU member states and other third countries. The J-CAT drives intelligence-led, coordinated action against key cybercrime threats within and outside the EU. Finally, there is the EU Law Enforcement Emergency Response Protocol, which was adopted by the Council of the European Union. As part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises, it serves as a tool to support the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks.
Concerning the role and perspective of the private sector and security researchers, Mr. Jornt van der Wiel shared that the key starting point is who is running the cybercrime investigation. If it is a state, then, of course, security researchers have to abide by the relevant laws of that state. The challenge is that there are no standard mechanisms for sharing data between the public and private sector, though there are different legal approaches/different state laws on info sharing and info exchange in cybercrime investigations, which security researchers need to keep in mind.
Jornt continued that having transparent communication and managing each other’s expectations is critical for effective info-sharing frameworks. The private sector, in particular, often doesn’t need personally identifiable information – metadata is enough. Companies are, however, interested in metadata and “technical” data that can help them improve cybersecurity detection and response products as well as their investigations into threat actors’ campaigns. In summing up, Jornt stressed that trusted contacts are key, though things are not so simple when it comes to info sharing, and in many cases trust depends on a particular person and the relationship with that person.
Constructive criticism: what we don’t know about the threats we’re facing in cyberspace and why
First, Johanna stressed that, of course, we need to do a lot more and quickly to address more sophisticated cyberthreats, but we also need to understand that we’ve come a long way in a short period of time. What’s more, our growing ICT inter-dependence creates new opportunities for malicious actors. How do we fix that? Focusing on high-level threats – we certainly won’t be able to address them without significantly increasing cyber-hygiene across the globe. The level of maturity in many countries remains low and, for example, some countries are still lacking domestic cybercrime legislation, meaning certain types of malicious activities may not be illegal in some countries. We also need better coordination of incident response (to ensure all countries are equipped to mitigate malicious activity).
Speaking of state behavior in cyberspace, Johanna recalled that the global community, including states, has the UN cyber-stability framework, but we also need to hold the actors accountable. In particular, it’s important to be clearer about what the rules are and what happens when those rules are broken. A “global attribution body” is hardly likely to work because the severity of cyber incidents that would be referred to such a body would be inherently connected to national security. States would need to deal with lots of issues on info sharing (as this would require, for example, the sharing of sensitive information related to national security). States are also unlikely to be willing to delegate their sovereign attribution (and response) prerogative to an external body. What we do need though is greater transparency and much clearer expectations of how states should act; this will create greater predictability. Plus, there are many existing tools which we already have and need to make better use of (e.g., referral to the UN Security Council for cyber incidents that have a severe impact).
Philipp agreed and added that from the LEA angle, there are several challenges for investigations and attribution, as summarised for instance in the common challenges in combatting cybercrime report which was jointly published by Europol and Eurojust. These include the loss of data and of location (linked, for instance, to the criminal abuse of encryption); international cooperation and cross-border coordination; and public-private partnership. The Crime-as-a-Service (CaaS) model poses another challenge as it provides the tools and services needed to commit cybercrime or cyber attacks.
Speaking of elements for successful info sharing, Philipp highlighted that the issue is not necessarily a lack of initiatives and platforms but often overlapping activities, or at times the groups can be too big (generally speaking, the more people you have at the table, the more difficult it is to establish trust). More importantly, there is still a lack of common definitions and standardisation as well as legal uncertainty. There aren’t always clear-cut answers to questions like: What kind of data are we sharing? How detailed should the data be? Why are we sharing the information? How long will we store the data? What will happen with the information shared and is it actionable? While we are waiting for the process to emerge [within the Third Committee on developing a legally binding instrument for addressing cybercrime], it is important to use and further promote what we already have – the Budapest Convention in particular. Addressing Johanna’s point on cyber-hygiene, Philipp agreed that the industry has an important role to play here by ensuring and producing secure-by-design technology.
Another challenge mentioned by Jornt is that it’s difficult to publish everything the security researchers might want as there are different laws and legal restrictions that need to be considered. Also, it’s important to limit the public information so as not to undermine the cybercrime investigation. Speaking of attribution, private companies do the technical attribution, but they do not have the legal capabilities or authority for public or legal attributions that states have. The only thing that companies can do is to tie certain campaigns or malware samples to certain groups, but they cannot tie those groups to individuals.
However, this does not mean that security researchers don’t help with investigations. When it comes to attribution, they do the investigation work and based on that, they write a report that can be shared with LEAs. LEAs should then be able to reproduce every step and derive their own conclusion about it.
Our discussant, Dr. Jan Lemnitzer, excellently challenged the ongoing discussion. First, he said that transparency in cyber diplomacy is cheap and demands no direct action from states. When it comes to intelligence operations in cyberspace, states will not share that information freely and fully. That’s why, in essence, information sharing in cyberspace is about sharing between private industry and regulators or states. For example, the latest FBI internet-crime report reported damages of around $29.1 million caused by ransomware. But we should understand that this is only the data that was reported and shared with the FBI. If anybody ever wants to establish a global figure estimating the true damage caused by ransomware, the real challenge would be finding the information and asking others to share it. Jan asked, therefore, to name what really works well in terms of info sharing for addressing ransomware.
Second, he stressed that if we look at existing info-sharing arrangements, trust is key. But when regulators are involved, private actors may behave differently – they will either share not enough (because of the legal risks) or over-report, including on every minor and non-minor cyber-incident, which would diminish the value of the information. Another thing is that many companies expect regulators to share valuable information in return as part of those info-sharing frameworks, but this doesn’t always happen.
In response to that, Johanna addressed the point on transparency and said that it is indeed vital, but it isn’t cheap. For example, Australia is transparent that it has and uses offensive cyber-capabilities, but, of course, Australia does not disclose details of operations or classified information. However, the fact that Australia is transparent and publicly commits to using those capabilities in accordance with international law and the agreed norms is a very important step. Many countries are not being that transparent, nor making such public commitments. And that is concerning.
To a question from the audience on encryption versus cybercrime investigations, Philipp stressed that a perfect balance is difficult, if not impossible, to find, and that we need to have a more open discussion that involves all stakeholders in order to find an optimal solution without weakening cyber security or encryption in general. Johanna, in turn, mentioned the Assistance and Access Act, which seeks the right balance and avoids creating systemic vulnerabilities and weaknesses.
Priorities & blitz poll
In response to the question on the key process/event to follow in 2021, Jornt said the first priority should be to protect the health care sector and its partners. From a cyber diplomacy point of view, Johanna said that the success of the work by the Group of Governmental Experts on cyberspace is a priority as well as Australia’s soon-to-be-launched Cyber and Critical Technology Strategy. Philipp wants the global community to have further success at the UN level, but at the same time to continue using and promoting the existing frameworks, particularly the Budapest Convention, to address cybercrime. Jan zoomed in to the EU level and said that the NISD 2.0 as well as success in ensuring cyber supply chain management would be an exciting journey to follow.
What can be read in order to learn more about cyber diplomacy? Johanna’s top list includes the OEWG website, Carnegie’s Norm Index, UNIDIR Cyber Policy Portal, and the GFCE Cybil Portal. Philipp recommended checking the OSCE’s CBMs, the WEF’s website, particularly their initiative on establishing a partnership against cybercrime, as well as ENISA’s website and the many relevant technical reports, best practices and assessments they produce. Jan voted for the OEWG website too and added the Tallinn Manual 2.0. Jornt said that anything interesting that could be useful for LEAs in a cybercrime investigation should be shared with them.
Finally, on the question of who you would call if you’re under cyberattack, Philipp suggested speaking to your kids first as they could be the source of your IT problem. Though a more serious answer was LEAs, noting that people should not underestimate the help they can get from them and the important role law enforcement plays in combatting cyber threats. Johanna also joked that the Russian Ambassador for Cyber Affairs Andrey Krutskikh would be a priority contact because every time something happened to her computer during GGE sessions, Ambassador Krutskikh claimed that “Russian hackers are to be responsible”. In all seriousness though, Johanna said she would definitely call a colleague at ACSC or a large cybersecurity firm. Jornt said that he would call his boss – the head of the Global Research and Analysis Team (#GReAT) at Kaspersky, and Jan advised everyone to have a printed list of contacts in case of a cyber-emergency, as all digital data would most likely be destroyed first.
Stay tuned for the next Community Talks on Cyber Diplomacy! You can also re-watch the session here: https://kas.pr/xjf6.