Anastasiya Kazakova, Senior Public Affairs Manager
Community talks on cyber diplomacy are back with season 2.
These will be hot on the heels of the first talks we organized – in late 2020 and into 2021 – whose purpose was identifying, collecting and sharing a number of actionable points from different stakeholders’ perspectives on what would help us – the global community – live and prosper in cyberspace. For season 2, our goal continues to focus on helping the private sector and technical community learn more about the UN cyber-dialogue (the UN OEWG), and how they could support UN Member States in maintaining international security and peace. We thus aim to close the gap that exists among different professionals in building cyber-stability.
For Community Talk #1, which took place right after the first UN OEWG substantive session, we wanted to explore what expectations different stakeholder groups – including cyber diplomats, academia, industry, the technical community and civil society – might already have for the five-year long process. Why? Well, the mapping of these expectations could be helpful in understanding whether multistakeholders are aligned or not, and how they could provide meaningful support to inter-state negotiations for achieving greater results (especially after the momentous 2021 OEWG consensus report).
For the first round we discussed this with the following experts:
- Laura Carpini, Cybersecurity Coordinator, Italian Ministry of Foreign Affairs and International Cooperation (@LauraCarpini);
- Isaac Morales Tenorio, Coordinator for Multidimensional Security Issues, Ministry of Foreign Affairs of Mexico (@iMoralesTenorio);
- David Emm, Principal Security Researcher, the Global Research and Analysis Team (GReAT), Kaspersky (@emm_david); and
- Vladimir Radunović, Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation, as a discussant (@VRadunovic).
To cover several aspects, we focused on three simple questions.
#1 – Exploring expectations for the five years of the new UN cyber-dialogue: what are they?
First of all, Laura highlighted that the new five-year long process – UN OEWG – is a confidence-building measure (CBM) which provides an inclusive, universal and open process and platform for all states where their voices are heard. The OEWG is also a place where states, especially smaller ones, can find help to build their cybersecurity structures. One expectation would also be to reach a common understanding of what the concept of stability means in cyberspace or what constitutes critical infrastructure. In this regard, discussing further how international law applies to cyberspace can help reach this understanding. Previously agreed guidance in UN GGE reports can be specifically instrumental here for inter-state negotiations.
Speaking of the multistakeholders’ participation, Laura shared that states have seen their willingness to contribute, and their participation can indeed be helpful in accordance with the common agenda of the UN Secretary-General, which calls for a more inclusive multilateral system and involvement of stakeholders. Multistakeholders, in particular, could help better understand so many aspects in ‘cyber’ and, at the same time, help to stay focused on the action-orientated approach we are all looking for.
Isaac agreed that the OEWG is a CBM, and added that the international community now has the entire framework [of responsible behavior in cyberspace], and the key goal now is to spread information about this and focus on its implementation. In this regard, reporting – both through official and unofficial channels – is the key tool, which would help understand what we are doing globally and what our needs are for cooperation (including with private sector and civil society) and for capacity building. The OEWG could also hopefully become a much-needed space where diplomats and techies can exchange views more.
What should we not expect from the UN OEWG? Isaac outlined two points. First, we should not expect to have a broad and holistic framework to solve all cyber issues, because the UN OEWG is a very concrete process for discussing ICTs in the context of international security and peace. Second, we should not expect a comprehensive legally binding instrument – the level of maturity in our conversations is not yet sufficient for this. Concluding, Isaac also stressed that it’s important to keep balance and take into account both development and human rights considerations in these security negotiations.
David provided a security researcher’s perspective on where we are in 2022 and future expectations. He noted that there will be significant challenges ahead: technology and connectivity are firmly embedded in everyday life, for both organizations and individuals, and this is already being exploited by threat actors. Moreover, changes of both a geographic and technological nature are likely to drive developments in the attacks we see. We foresee, for example, a growth of attacks focused on Africa, as ICT becomes further developed and given its strategic position in maritime trade. We would also anticipate an increase in attacks against cloud providers and outsourced services. Finally, the burgeoning private sector market in surveillance tools will likely bring an influx of new APT threat actors, as well as supporting established threat actors.
Where does all that lead us? David believes that states will also start to clarify acceptable cyber offense practices: and while this would be driven by the need to distinguish what they see as legitimate activity from measures targeted at their own systems, it will also have a positive aspect – underlining the importance of identifying acceptable and unacceptable use of technology to further geopolitical aims. And this underlines the importance of international conversations such as the UN OEWG.
What other expectations do security researchers have? David said it's impossible to ignore geopolitical aspects with the increasing militarization of cyberspace. That’s why it’s vital to call for greater transparency in the use of technology by governments and, particularly, consider developing definitions of what's acceptable (and unacceptable) behavior in cyberspace. It's also important to recognize that what is developed by nation-state-sponsored threat actors also impacts the wider threat landscape – as TTPs developed by the most sophisticated threat actors trickle down to cybercrime groups.
#2 – Agenda for the UN OEWG: new or old one? What are immediate questions for inter-state negotiations?
Laura recalled many open questions left from the previous UN OEWG and added that we could already take the previous Chair’s Summary for discussions within the new OEWG. To Italy, the application of both international law and international humanitarian law is an important item on the agenda. As for capacity building and more practical implementation, Laura highlighted the Program of Action (PoA), which Italy co-sponsored with some other states, and it is expected that there will be further discussion of how the PoA as a complementary and more flexible process could be achieved.
Isaac shared that at the first session in December a number of states brought up new elements for the UN OEWG’s agenda, and it is yet to be seen how discussions will proceed later. Ransomware, for example, was mentioned frequently as a challenge to be considered on the agenda too – since it links international security and crime, states could hopefully better address the respective threats and challenges within the OEWG. To this, Laura shared that discussions on ransomware in the UN First Committee could rather complicate the ongoing negotiations.
Isaac continued that in the new OEWG states need to develop more guidance on the implementation of the agreed framework and specifically articulate best practices in this regard. A mapping exercise – exploring how each norm relates to particular CBMs and capacity building efforts in the implementation – could help identify whether we need new norms or new CBMs.
Another point for the agenda, as Isaac mentioned, is to pave the way for more inter-regional or cross-regional work between different regions and regional organizations to ensure consistency in implementation as well as exchange about region-specific best practices. Finally, the international community needs concrete projects to boost research, collect data and raise awareness with the help of academia and scholarship.
From the perspective of security researchers, David hopes that the new OEWG will further focus on implementation of norms affecting critical infrastructure protection, the integrity of supply chains, and responsible reporting of ICT vulnerabilities. The issue of vulnerabilities – their discovery, reporting and stockpiling – is very important. Vulnerabilities are frequently exploited by attackers to gain an initial foothold in a target organization. So it's vital that the international community develops practical steps to help defenders mitigate the risks and increase cyber-resilience.
Another aspect, which David added, is about attribution in the geopolitical sense. He said that defenders need established points of contact within their countries and the means to obtain the information that would help them deal with a cyber incident effectively. Therefore, some sort of mechanism for dealing with significant international cyber incidents (e.g., those affecting critical infrastructure) is another area where more progress could be achieved. Why? Such attacks require a timely, coordinated response from states, CERTs, those who manage critical infrastructure installations, and security providers. The establishment of norms of responsible behavior is also important for security researchers – to avoid them falling foul of local legislation.
#3 – Multistakeholder participation: what are possible modalities?
David reiterated that the threat landscape represents a moving target as it is constantly shifting, and that's why it's essential to see security as a process, rather than as a static response. So for the new OEWG it is important to ensure ongoing dialogue between different stakeholders – something that's central to and has been practically implemented within the Paris Call. The OEWG can also provide a means to achieve tangible outcomes throughout the entire five-year process, rather than aiming to deliver something at the end. In this way, it can provide consensus on achievable goals without a lack of consensus on others jeopardizing the wider process.
Isaac agreed that it is important to encourage ourselves to step forward and give more official feedback to multistakeholders than we did within the previous OEWG. He shared that states are currently discussing possible modalities for multistakeholder participation, and it is difficult to anticipate what the result will be. But the key message would be that we need to take more advantage of the full spectrum of non-official and official processes, such as the UN Internet Governance Forum (IGF), and thus go beyond the UN to have more fruitful dialogue with different stakeholders.
Laura agreed with this and added that it is also in the interests of governments to have multistakeholders in the conversation, so that the agreements reached can be mainstreamed back to the community.
Did we miss anything in the discussion?
Vladimir, in his special role as discussant, provided a fourth-party opinion on what the experts had shared regarding the three questions and highlighted some further elements. In particular, he asked how the international community could see that the agreed framework [of responsible state behavior in cyberspace] works. How is it embodied in everyday life? One way could definitely be through reducing vulnerabilities and the overall exploitation of cyberspace. The 2021 UN GGE report gave guidance on the private sector’s role in this regard. Multistakeholder processes – e.g., the Geneva Dialogue or Paris Call – could be helpful as well. But the role of governments is even greater – particularly through prohibition of commercial weaponization (as happened in cases like NSO Pegasus). The weaponization risks are briefly discussed in the GGE report but not clearly enough.
Speaking of the demilitarization efforts, Vladimir highlighted that states need to recognize this among the top problems, and clarify ‘legitimate’ offensive operations: namely to provide more transparency of such weapons, as well as provide more transparency on who is allowed to use them, for which goals and in which circumstances. And hopefully these items could also be discussed within the new UN OEWG.
Another practical question is how we can operationalize the international response to incidents of high global impact, e.g., to NotPetya? Should there be some sort of Cyber Security Council? Or a more operational (even if informal) group of officials and experts exchanging information? Starting with a directory of national points-of-contact as an already agreed CBM, and gathering them as an operational group, may be the first step.
Vladimir also spoke about the role of non-state stakeholders in the process and said that we need to bring them more into the decision-shaping – including of the future ‘institutional dialogue’. Their role is not just in implementing the agreements: to be able to implement, they need to have ownership of the process too, together with governments which ultimately decide in it. For now, the UN OEWG does not have a mechanism to provide such space to them.
What could be the quick wins for the upcoming five years? Vladimir first talked about capacity building and implementation of CBMs. We need the ability for dialogue among these radically different professional cultures – diplomats, technical experts, businesses, and civil society – so that they can communicate with each other. How could we boost greater understanding between them through practical exercises? Some good practices already exist. For instance, a training game teaching diplomats the complexities of technical attribution, developed by Kaspersky in cooperation with DiploFoundation. Also, DiploFoundation delivers special courses on cybersecurity diplomacy for diplomats, and now also for businesses and civil society.
My personal favorite part is to discuss our experts’ unscripted and short reflections on three simple questions:
1. What or who makes cyberspace stable?
- David: Each and every one of us.
- Vladimir: Cooperation and dialogue amid geopolitical tensions.
- Isaac: The applicability of international law and the UN Charter.
- Laura: Genuine commitments of responsible state behavior in cyberspace.
2. What is the key trend/event or process in ‘cyber’ for us all to follow this year?
- David: We would need to look at how states define what is acceptable and unacceptable behavior in cyberspace.
- Vladimir: The OEWG and Ad-Hoc Committee on Cybercrime as well as the Geneva Dialogue pushing for principles reducing vulnerabilities. Speaking of trends – we might see more attacks against cloud services, and this could be a game changer.
- Isaac: Multiple and simultaneous conversations at the UN level, but also focusing on regions and work conducted in regions to ensure implementation of the agreed framework.
- Laura: Building multistakeholder participation, and particularly building more public private partnerships.
3. If you’re under a cyberattack, who do you call first?
- David: colleagues – anyone from Kaspersky’s GReAT.
- Vladimir: Google search.
- Laura: a newly-established National Cybersecurity Agency.
- Isaac: colleagues at CERT MX.
Stay tuned for the next Community Talks on Cyber Diplomacy! You can also re-watch the session here: https://kas.pr/q3k7