Last week at Chatham House, the Royal Institute of International Affairs hosted its annual conference on Cyber Security. The theme was “Building Resilience, Reducing Risks” and it brought together a diverse set of speakers in the various panels, ranging from diplomats to public servants, from former military officers to corporate managers, from academics to think tankers. The result was an extremely interesting discussion that produced a lively debate. Below I would like to present a selection of the most interesting concepts the speakers presented, bearing in mind that apart from the kickoff keynote session, the rest of the conference was held under the Chatham House Rule, so the speakers’ names are not mentioned. My personal comments are in italics.
Keynote Session
This session, chaired by Dr. Patricia Lewis, featured two high-level policymakers: Chris Painter, Coordinator for Cyber Issues at the U.S. Department of State, and Jaak Aaviksoo, former Estonian Minister of Defence. Painter (a lawyer with a background as a prosecutor in cybersecurity cases) presented the current US posture on the matter, stressing first the strong US-UK cooperation and common views on the subject. In the current debate on Internet governance, the US cyberspace strategy aims to foster and promote openness and freedom in cyberspace. A viable method for governments to increase the security of their portion of cyberspace is what he calls “cyber security due diligence”, where each state is responsible for protecting its Critical Infrastructures, IT infrastructures and so on.
Painter stated very clearly the commitment of the United States government to international cooperation, both on cybersecurity matters, where he considers the Council of Europe Budapest Convention a useful tool, and on Internet governance, affirming support for a multi-stakeholder model based on consensus.
The concept of due diligence seems to point to states being responsible not only for malicious activities originating inside their territory but also for those traversing it. This goes directly against the concept of cyberspace as a commons, and instead promotes the sovereignty of states. If you like it, you call it a Westphalian Internet; if you don’t, Balkanization.
Official US support for Internet freedom and openness is important; one wonders, however, how much credibility the US can bring to international fora after the Snowden revelations and the unwillingness demonstrated by the Obama administration to terminate mass surveillance practices. Amazing how a high-level diplomat could deliver a whole speech on cybersecurity without mentioning, even in passing, the NSA scandal.
Jaak Aaviksoo, former cabinet member in Estonia, one of the countries at the forefront of Internet development and freedoms, gave the audience a more balanced view on the subject, suggesting a reasonable balance between security and freedom in cyberspace. He acknowledged that high levels of freedom bring instability and risks, but that high levels of security foster something akin to a dictatorship. More and more countries are looking for a “third way” between the two. He recognised that the very terms security and freedom have different meanings for different state actors: a more “multipolar” view, and at the same time less optimistic than the (official) US position. The role of governments should be that of promoting trust, both domestically and internationally. The best way to do this is to do less, in his view. Public-private collaboration is paramount, cyberspace being very much managed by private entities. Establishing minimum standards and baselines could be the way, leaving the rest to the private sector. Broad definitions of what counts as Critical Infrastructure are an example of an excessive government role.
Off the record
Thoughts from the rest of the conference are unattributed, as per the Chatham House Rule.
– For public and private entities, measuring cybersecurity is hard, and so is evaluating products. One method of managing cyber risks is to externalise them via insurance.
Information security, and cyber security even more so, is far from being about products alone, or even technology alone.
– The threat from insiders is the most important risk for corporations.
– Small businesses that are part of the supply chain of a big private corporation can be a risk, as they are less well protected and can easily become an attack vector.
– In a corporate environment, of several billion “cyber events” a year, fewer than a hundred are actual serious cyber attacks.
– The private sector has a very different approach to risk management from the public sector. A certain level of residual risk is acceptable (“shrinkage”) because it is not economical to bring the risk to zero. Not so for governments, especially the military, where each attack counts.
– Intelligence-led IT operations are a good way to minimise risks and spend less, in the long run.
– The EU Critical Infrastructure directive (2008/114) is not implemented in the UK via legislation, only through non-legislative mechanisms.
– Another important piece of European cybersecurity legislation, the NIS (Network and Information Security) Directive, was voted on by the European Parliament plenary in spring 2014, but is now stalled, pending the elections.
– Breach reporting is “all the rage now” in law circles. According to the Directive, market operators are mandated to assess risks and apply measures (“controls” in ISO parlance).
– Anti-money-laundering laws also have an impact on cyber security (and on data protection).
– All in all, cyber security legislation is piecemeal and patchy, with a lot of overlapping European and national legislation.
– Economic mechanisms can be effective in elevating security levels. An example is Basel II, where the more sophisticated the risk model used by the bank, the less capital it is required to hold. Economics could be a more useful tool than pure top-down approaches.
– The future of cybersecurity will look more complicated. Some trends (Internet of Things, Big Data, etc.) will require a multistakeholder approach, even more so than today. For governments this means that they cannot do it alone. Public-private partnerships and cooperation with civil society and other countries are and will be necessary. Comment by another panel member: the current US approach is very far from this.
Preceding speech by Mr. Painter notwithstanding…
– The three dimensions of cyberspace are: privacy, security and economic growth. All three must be pursued in a balanced way.
A very useful model; this is a balanced view of the issues at hand.
– The role of governments is paramount, especially the military. A country should define its Critical Infrastructures and protect them, always under state coordination, even if they are civilian-owned. Strong regulation is needed. Public investment in R&D should be in line with national strategy, not business and market goals. Human resources choices must also be guided by the state, not academia or think tanks.
This view comes from a country that has reason to think in this way. I personally strongly disagree, but I come from a soft country in Europe, so… the points of view and world views are very different. The point about states directly protecting private resources and networks closely reminds me of Gen. Alexander’s doctrine about Wall Street protection by the NSA.
– Cybersecurity cooperation in fighting cybercrime against the financial sector could be a basis for cooperation even among the USA, China, Israel, Iran, Russia.
– Cyberspace is very physical and can be regulated by International Law, it is not in a different dimension.
This is a pet point of mine that I stress often.
– Trust in cyberspace is a negotiation. It is not “earned” or “given” or built. It is a set of mutual expectations. Individuals should start acting on the Internet as citizens, not purely as consumers.
– How to re-establish trust in cyberspace, four norms for states:
– Inclusivity. “Nothing without me”. Citizens must be involved in decisions. Also called democracy…
– Transparency. We must know how decisions are made by states and most of all why.
– Reciprocity. What is valid for me is valid for you too.
– Accountability. Everybody must accept the consequences of their decisions, especially governments and public actors.
– The European Court of Justice decision about Google and the “right to be forgotten”, taken together with the recent declaration of invalidity of the Data Retention Directive, signals an important tilt towards privacy on the part of the European Union, even in opposition to freedom of speech.
– The Internet has made the world a better place precisely because it was not owned by a single entity or government. That it remains open and free is much more important than that it be secure and reliable. By and large, the Internet is reliable enough and secure enough.