Thousands of people from all over the world, from the deeply technical to highly political, many NGOs and a smattering of industry gathered to discuss the ‘state of the net’. Some of the big recurring conversations revolved around the geopolitics of the Internet, emerging technical challenges related to the Internet of Things, and cybernorms — a very interesting area that we have been working on for many years now.
Cybernorms seek to clarify misunderstandings
Discussions about cybernorms began in the United Nations way back in 1998 when Russia called for international action to address the potentially destabilizing effects of the Internet. This led to the formation of the UN Group of Governmental Experts (UNGGE), which has now convened in different configurations of a small number of states (but always the five permanent members of the UN Security Council) several times over the course of the last decade.
In 2015, the UNGGE proposed 11 norms that states (hopefully) agree constitute proper behaviour. They’re quite wordy so I won’t reproduce them here but they refer to things such as information sharing, working to stop attacks emanating from within one’s borders and responsible reporting of vulnerabilities.
The objective of the UNGGE process has not actually been to ensure the smooth functioning of the Internet. Rather, it has been to avoid the possible escalation to a dangerous, kinetic conflict that might be brought about by misunderstanding, miscommunication or even deception through cyber incidents. By agreeing to some ‘rules of the road’ for cyberspace, states hope to maintain international peace and security through those foundational principles of diplomacy — predictability and transparency.
While most dialogue about cybernorms focuses on the political dimension, we’ve been especially interested in the response from the technical community, particularly the Cyber Security Incident Response Teams and Computer Emergency Response Teams (CSIRTs and CERTs). These people really are the firefighters of the Internet, operating on the front lines of global cyber incident response.
Within a much larger community, there is a small group of highly skilled, highly experienced people who operate in an informal network of deep trust and personal relationships. They work across borders, across sectors and without prejudice. And they have some significant concerns about the formulation and expected execution of some of the UNGGE norms.
So, what happened at the recent meeting?
Building on similar events over the past three years, 2019 marked the fourth workshop at the UNIGF in which we set out to explore this fascinating intersection of the technical and political dimensions of cybernorms.
This year, we did something particularly innovative and fruitful: we asked a group of leaders from the CSIRT community to take us through global incidents that they had been involved in and talk through how just one of the UNGGE norms mapped onto the actual practice of responding to these incidents.
Merike Kaeo discussed the 2007 Estonian attacks that really kick-started the international community’s recognition of cybersecurity as a global political issue. She acknowledged that the norm on responding “…to appropriate requests for assistance…” would have been helpful in that context, but she questioned what exactly constitutes an “appropriate request”. By what criteria would she be expected to judge the appropriateness of a request?
Maarten van Horenbeeck talked about the NotPetya ransomware incident that brought shipping giant Maersk to a standstill in 2017. Maarten drew out some of the complex jurisdictional issues that a multi-dimensional incident like this one raised.
He also commented on the engagement of this very tight-knit, trusted community with national CSIRTs, which may not always be part of this inner circle, depending on their links to national security infrastructure. In such incidents, Maarten said, the national CSIRT might “help respond, coordinate and get awareness to other companies out there” but would not necessarily be best placed to try to end the attack. In fact, Maarten suggested, bringing national CSIRTs in could introduce a dangerous latency to the response effort.
Sumon Ahmed Sabir provided the network operator’s view of the 2016 Bangladesh Bank heist, during which USD 100M was stolen using the SWIFT network. He gave a harrowing account of the response efforts to this incident. In Sumon’s view, the norms complicate an already highly complex and time-critical practice. He also made the point that most people in the technical incident response community know nothing of the norms and would see minimal benefit from them.
Expanding the reference of cybernorms
Of course, we must return to the point that these norms were not developed to aid incident response – they were developed to maintain international stability, peace and order. However, with the growing emphasis on implementation of the proposed norms, this diplomatic process now comes into conversation (or collision) with the pragmatic reality of how security practitioners work on the ‘front line’ when they collaborate to respond to cyber incidents. Here, we find a preference for much more specificity and clarity than is currently in the UNGGE document.
The overarching theme to emerge from these discussions was that it would be much more effective to have the technical community involved early on in the process of norms discussions because without their input and advice, the downstream operationalization of those norms can pose real challenges. And, most critically, the diplomatic process may actually serve to inadvertently undermine or weaken the processes and practices that have, thus far, allowed us to bounce back from serious, widespread cyber incidents.
Adapted from the original post, which appeared on the University College London STEaPP Blog.
Madeline Carr is Professor of Global Politics and Cybersecurity at University College London and the Director of the UK Research Institute for Sociotechnical Cyber Security (RISCS).