Community Talks on Cyber Diplomacy (#5)

Anastasiya Kazakova, Senior Public Affairs Manager

In cyberspace, it is well-known that once a vulnerability is being exploited, many of us will hardly be immune to the risks due to the global nature of technology. There’s even a saying that ‘if you fire a weapon in cyberspace, it will shoot you back’.

We organized the final – fifth – Community Talk on Cyber Diplomacy, where we discussed the risks of a cyber arms race and use of ICT capabilities for defense and offense, and we zoomed the discussion in to ICT vulnerabilities and what we can do for their responsible treatment to avoid the risks of further malicious use and exploitation. We had the following great experts:

• John Reyels, Head of the Cyber Policy Coordination Staff, Federal Foreign Office, Germany (@GermanyDiplo);
• Kathryn Jones, Head of International Cyber Governance at the UK Foreign, Commonwealth and Development Office (@FCDOGovUK);
• Costin Raiu, Director of the Global Research and Analysis Team (GReAT), Kaspersky (@craiu); and
• François Delerue, Research Fellow in Cyberdefense and International Law, IRSEM and a Lecturer at Sciences Po (@francoisdelerue), as discussant.

For each edition we discuss three simple questions. For Community Talk #5 they were:

1. What good practices/mechanisms already exist, between states and non-state actors, for responsible reporting of ICT vulnerabilities and their treatment?
2. Where we failed or are failing: what we as a global community don’t have yet for responsible vulnerability treatment to avoid their exploitation?
3. What should the priorities be for the global community in 2021 to enhance transparency in cyberspace about states’ and non-state actors’ engagements?

Good practices first: what are the existing mechanisms for responsible reporting of ICT vulnerabilities and their treatment?

Starting with a cyber diplomacy angle, Mr. John Reyels outlined first successes, which include the recent successful conclusion of the UN Open-Ended Working Group (OEWG) and its consensus report, which re-affirmed many of the previously agreed principles, especially in the current difficult political environment. He also reminded that we are close to the conclusion of the current UN Group of Governmental Experts (GGE), and this month we should expect the launch of the Ad-Hoc Committee negotiating a new convention on cybercrime. Zooming in to responsible reporting of ICT vulnerabilities, we have norm J and confidence-building measure (CBM) C in place, which are applicable at the worldwide level. Additionally, there are regional instruments – particularly within the OSCE, which agreed a list of CBMs and which are already operationalized and used by OSCE Member States. Therefore, the framework has been set up already, and technically it’s possible for states to exchange information, including on vulnerabilities. The question is if it is desired politically, and here is where we need to focus.

John also mentioned other mechanisms such as informal exchanges taking place between CERT teams as well as corporate frameworks for exchange of information, given the closer interconnectedness of public and commercial networks. The recent takedown of Emotet malware showed that governments and security forces have the opportunity to act very decisively to terminate ICT vulnerabilities, and this gives us all reasons to be confident about government responses in the future.

Ms. Kathryn Jones also highlighted that we need to look at international and national initiatives first; pooling national initiatives through the international arena is often how states make the progress; therefore, countries can make real progress by just doing things domestically, together with consumers, providers of technology as well as with the IT security community. In the UK, particularly, the National Cyber Security Centre (NCSC) is maturing the national approach to ICT vulnerability disclosure and remediation. Specifically, it runs a vulnerability reporting service – when someone finds a vulnerability in the UK government online service and can’t report to the systems owner, they can report it to the NCSC directly. For the triage phase, the NCSC also provides a summary to the systems owner with a full description of the vulnerability as well as recommendations on how to mitigate it. The UK also has a vulnerability co-ordination pilot, which helps improve the UK government’s ability to adopt best practices by creating vulnerability disclosure programs for any department. The development of the NHS Covid-19 tracking system and contribution by the security community in finding vulnerabilities in this system is an excellent example of a nationwide vulnerability management program. Finally, the vulnerability disclosure toolkit, a free online resource that helps implement steps in the disclosure process for public and private actors, can be named as another good practice implemented nationally.

Internationally there is also good news. Kathryn highlighted that norm J is the least contentious norm that the GGE came up with in 2015, and this signals that all states have a consensus that this is important. We also gladly see states and other communities taking considerable steps to implement this norm. Mr. Reyels mentioned the OSCE framework, but there is also the ongoing work on norm implementation in ASEAN countries. To learn more about the good practices and progress made at the state level, Kathryn recommended two upcoming documents: (1) the GGE report, which will touch on norms in greater detail; and (2) the GFCE norms implementation guide, which will provide examples of how states implement existing norms.

From the perspective of the security research community, Mr. Costin Raiu started with an optimistic note sharing that the industry has been doing a lot better than it did 20 years ago, and through continued efforts we are maturing in coordinated vulnerability disclosure (CVD), vulnerability management, and bug bounty programs. Kaspersky, in this regard, has a special/unique position and works in this field from three different directions. First, Kaspersky’s dedicated teams work on keeping the software the company uses updated. Second, Kaspersky is, at the same time, a software producer itself and it’s also important to make sure that the company’s products are not vulnerable. And finally a third direction: his team is looking for vulnerabilities in other companies’ software. In this regard, the Kaspersky Ethical Principles reveal the company’s approach where rule #1 is that all vulnerabilities discovered are immediately reported to the vendor, and all bug bounty rewards are paid. This year Costin’s team reported three critical vulnerabilities in one very popular software program. These types of vulnerabilities that they discover are usually attractive to sophisticated threat actors.

Costin also highlighted the development of specialized teams focusing on increasing the security of software (e.g., the Zero Project), and the Microsoft MAPP program, which facilitates the sharing of vulnerability information between vendors. Concluding, he stressed that the reality is that pretty much every piece of software has vulnerabilities, but what’s more important is the speed at which these vulnerabilities are being remediated. So it is not only important to produce secure code, but also to be able to patch holes in it.

Constructive criticism: what we as a global community don’t have yet for responsible vulnerability treatment to avoid their being exploited

John pointed out the current implementation gap and added that we’re lacking the information on how existing norms are implemented. We are also missing sufficient common understanding of how norms should be implemented, and for that we need further guidelines to make sure we implement these norms in a more uniform way to come up with an effective response. The future Program of Action (PoA) might help here, but it would most likely be hard to agree on uniform reporting because it’s sensitive. Being more realistic, however, states, at least, may agree on doing the outmost for ICT vulnerability reporting at the national level, and this is already may be a step forward. He also added that we need to keep in mind that some regional organizations haven’t identified yet CBMs, and some of them haven’t been able yet to agree on the common frameworks, so there’s a plenty of work to do in the future.

From a security research perspective, Costin continued on existing challenges and, first, mentioned the need to incentivize security researchers to check software further and report it responsible. The issue is that they are sometimes hindered by legal issues – when researchers are threatened legally simply because there is a lack of standardized way of doing security research and reporting its findings. Further, Costin mentioned the problem of two polarized worlds: imagine a security researcher finds a vulnerability in a popular browser, and he or she has two choices – either report it to the vendor and get two or 20k US dollars, or go to the market where a vulnerability may be priced at a million dollars (and with the risk of being weaponized further). He continued that we are being told that intelligence agencies need ICT vulnerabilities for catching criminals; however, he mentioned an interesting case of how the Belgian police recently seized nearly two billion dollars in cocaine after gaining access to encrypted phone network of cybercriminals without weakening encryption or exploiting vulnerabilities. On a final point in this section, Costin said that though financial reward is one of the main incentives, if we have more developed and stable programs to incentivize researchers in a safe way – from a legal standpoint – then we might all be able to reach better results.

Kathryn agreed with both John and Costin, and added that the recent UN OEWG report makes clear that capacity building is the key (both sharing the experience and pooling necessary resources), and capacities of states to prevent and respond to are important to consider here, particularly in the context of critical infrastructure protection, and, sure, we need to do more. Also speaking of failures in the bigger picture, we need an open transparent debate on what we want to achieve. States will always look for ways to pursue a strategic advantage, and this would increase competition between them. So we can encourage transparency and standardized handling and disclosure of vulnerabilities (such as the Vulnerability Equities Process (VEP) of GCHQ), but as Costin said there will always be a market for these vulnerabilities. Kathryn added that both patching and disclosure are fundamental, but we can’t win this patching race. So, a failure here would lie in a lack of our common ability to address security at the very start. We need to work on a new model for cyberspace where stakeholders lead on innovation and development of modern standardization by collaborating across borders, while states traditionally struggle to do so at the same pace.

Dr. François Delerue intervened as a discussant and first agreed on the issue of standardization in this context as well as on the issue to provide greater protection for security researchers. However, in the context of the UN-led discussions, and looking at past examples (EternalBlue, WannaCry, NotPetya, etc.), he stressed that we see that one state allegedly identified a vulnerability and decided to keep it to develop an exploit, and then it was leaked to other actors who re-produced this to target others. So, the question is what responsibility might be for the first actor who decided to keep the vulnerability secret? François suggested that, building on norm J, we should be less naïve about a possible general ban on the use of vulnerabilities and their exploitation. Instead we need a more realistic approach by putting off-limits specific types of software (e.g., medical software or software used in critical infrastructure) to make sure that when the vulnerability is identified in such a software, the rule should be that it cannot be used for a strategic advantage and it should be disclosed.

Priorities & blitz poll

To a question on what the key priorities for the global community should be in light of the discussion, John named the anticipated conclusion of the GGE (and defending the 2015 GGE report’s substance in these difficult political circumstances) and potential of the PoA, which could be instrumental to close an implementation gap in developing actionable advice and recommendations for cyber-stability. He added that the PoA for small arms and light weapons can serve as a blueprint for achieving success.

For Kathryn, the real priority would be to have real open discussions between states and wider communities (within the PoA) based on greater realism on what states will and won’t do as well as on greater technical understanding of the issues discussed (in this regard, publishing states’ views on how international law applies to cyberspace is important). We also need a further alignment of conceptual understanding across communities, including the public and media, on what we’re talking about (e.g., what constitutes a cyberattack?) to have a more nuanced, transparent, and evidence-based dialogue.

Reflecting on François’s remarks on responsibility, Kathryn added that indeed most states are building ICT capabilities, and certainly there is room for further discussions on legal and political responsibility once ICT vulnerabilities are retained. What’s important is to be transparent however on the use of those ICT capabilities, and few states are transparent about this. The UK has recently published its review where it sets out the vision in the context of rapid technological change, which is re-shaping our societies. This document states that the UK will take advantage of these ICT opportunities which the national cyber force can gain through cyber operations to protect the nation from modern threats in the online and real world. But in doing so, the UK is also taking a progressive and proactive approach by shaping the frameworks that govern cyberspace, upholding existing rules, and building consensus around positive norms of behavior. So, the UK will be shaping international rules and standards in line with the fact that it is using ICT military capabilities.

Costin was also realistic (and less optimistic) that we can’t really avoid an arms race in cyberspace as it’s already happening, and the speed is probably increasing. More and more threat actors continue leveraging stockpiled vulnerabilities, and we will probably not be able to avoid it. Instead, we should admit it and ask for greater transparency and accountability: transparency on how many vulnerabilities are being traded, acquired, leveraged, and for what particular purpose; and accountability on providing guidelines to identify who is responsible for vulnerabilities leading to large outbreaks that were kept secret and then exploited.

In this regard, François noted that we need to continue discussing implementation of the norms, but we also need to move from more general discussions to more concrete questions, including the particular practice and experience. As John and Kathryn previously mentioned, the PoA could be a positive evolution in the UN-led discussion.

In response to the question on the key process/event to follow in 2021, Kathryn answered the organizational session of the upcoming new UN OEWG, which will kick off on June 1, 2021, and recommended following this session to see how much stakeholders can contribute to the future process. Costin named responsible disclosure and further efforts in this regard. Both John and François named the PoA as the key process to monitor.

What can be read in order to learn more about cyber diplomacy? Kathryn recommended checking the ASPI’s resources on the UN cyber-stability framework. John advised to check the work of the IFSH at the University of Hamburg. François mentioned the Directions Blog, and Costin quoted the ‘Holographic Universe’ by Leonard Susskind, which suggests the idea that the universe we live in is actually a projection of a two-dimensional world, and this could be applied to cyber diplomacy and cyberspace.

Finally, on the question of who you would call if you’re under cyberattack, François said a local authority is the best to call as they are in charge in going into a victim’s network system. Kathryn agreed, and said that, as a cyber diplomat, she would call her lawyer with international legal expertise to establish if there is a breach of states’ legal obligations. John's number one contact would be the Federal Office for Information Security, BSI, which as he said, has been successful in keeping German citizens safe so far. And if Costin faces a cyberattack, he would call first a pizza take-away, as it would be, most likely, a long night .

The limited series of Community Talks on Cyber Diplomacy has been finalized. But we’ve already heard wishes in the communityto continue this format, and, who knows, maybe we’ll come back with Season 2 .

In the meantime, we all await new major processes to start (i.e., the UN OEWG and PoA) and finalize (i.e., the GGE), and you can also re-watch the session here: https://kas.pr/cej7