Challenges in Cybersecurity Risks, Strategies, and ... - Unidir

More documents

Recommendations

Info

possible. Military “cyberweapons” are therefore single-use in nature and require various levels of effort and resources, which makes these attacks very costly compared to everyday cybercrime. As also discussed in other sessions, the panelists argued that attributing cyberattacks is one of the biggest challenges of cybersecurity. Although this is complex, it is theoretically possible; however, it requires international cooperation. It was emphasized that one of the key aspects of defending against, detecting, and countering military hacking is to know one’s own system better than any attacker and to keep developing and questioning its security constantly. The speaker added that a further defense mechanism is to enhance threat detection and diagnosis, which will reduce response time and thus minimize damage. The development of offensive defense mechanisms could also be an option, for example, having a team of experts gather intelligence on the attackers and analyze zero-day exploits. Many therefore argue that the ability to hack others is a requirement for successful defense. At the international level, one panelist also proposed that intelligence agencies and militaries should share vulnerabilities, knowledge of unknown attack mechanisms and zero-day exploits, while making use of trusted sources for attack and defense tools. Restricting the spread of malware, penalizing internet service providers (ISPs) for hosting malware, and making the software industry liable for their products were also proposed as options. In contrast to these new approaches to high-end cybersecurity, most products of the IT-security industry currently in place and marketed as advanced were considered to be of low or negligible value in the defense against sophisticated attackers. The IT-security industry was criticized for scaremongering about the wrong things and for selling a false sense of security instead of actual security. TRACK 2.3 REGULATING CYBERSECURITY The final Track examined the potential for international regulation in the cyber realm. While the need for international cooperation and public law regulating the response to challenges and attacks originating in cyberspace has not been questioned, it is, however, difficult to determine how existing law can be applied to the cyber realm. Among the key challenges – a panelist argued – is the lacuna in international law regarding cybersecurity or cyber activity, especially regarding the laws of armed conflict, since warfare is still pictured in conventional terms. So far few attacks have triggered state responses and the progress in defining what responses are legitimate is considered to be very slow, not least because of the attribution problem. A speaker argued that the present situation does not permit the exercise of Article 51 of the UN Charter, the right to self-defense, which requires several prerequisites to be met: the damage caused by an attack should be comparable to armed attacks, the identity of the attacker must be known, and a state needs to be attributed with the attack. The panelist also explained that the measures taken in response have to be proportional. As attribution – among other things – is not always currently possible, the expert concluded that Art. 51 is currently inapplicable. Regarding precautionary measures, international environmental law could be considered to be transferrable to the cybersphere, according to the next panelist, as “existing international law governs state activities wherever they are carried out, including in cyberspace.” Nonetheless, the expert pointed out, the unique and specific attributes of the cyber domain complicates the application of existing law, norms, and terminology. It was argued that some of the key challenges could be resolved by interpreting treaties using “common sense”, while others depend upon “unanimous 19
policy decisions” by the global state community. The panelist stressed, however, that neither the technological and military implications and potentials have yet been fully examined, nor has there been any broad dialogue internationally on how to interpret and apply existing international law to warfare in cyberspace. According to the expert, both cybercrime and cyberterrorism should be distinguished from cyberwarfare when IHL is concerned. The extent to which the principles and rules of jus in bello governing “traditional means and methods” apply to warfare in cyberspace therefore need to be determined. It has been proposed that jus ad bellum is difficult to apply unless attacks amount to a conventional armed attack, whereas jus in bello should be applied in the case of cyberattacks, as it is already used to deal with the attribution challenge in non-international armed conflict. The emergence of a treaty restricting cyber activities is still considered to be unlikely; however, an international code of conduct may become necessary, according to an expert. Customary international law may also lead to clarification of acceptable and non-acceptable behavior. Guidelines based on CBMs – for example, structured exchanges of national views on norms and national strategies, perceptions and best practices, developing technical recommendations for reliable and secure global IT infrastructures, accountability for combating terrorism using cyber mechanisms – will be required, according to one expert. Another issue raised was the current tendency for states to nationalize their internal network structures, and the modification of IT structures in the process of the emergence of a “Cyber Westphalia”, which it is argued will encompass the majority of nation states by 2020. It was observed that this move is a response to the current uncertainty in the cybersphere, with states attempting to give themselves time to respond when intrusions happen. Measures to compartmentalize networks are already beginning to be implemented, facilitating attribution and making the structure of the internet more resilient. This would be important, according to the speaker, when dealing with sophisticated actors, whose intrusions would require more disruptive responses. For civil-system resilience – the panelist argued – a partnership between state and private actors is essential to enable collective defense. Coordinated reaction would reduce threats, while collaborative risk assessment could prove essential for public and private assurance efforts. Following the presentations by the chairs of the respective sessions, who gave a summary of the topics, ideas, and challenges discussed in each Track, the sessions on both conference days were closed by a plenary Panel Discussion. The conference concluded with an additional panel discussion at which the representatives of the organizing institutions summarized the two days. The representatives thanked the participants for a fruitful conference with many lively discussions and expressed the hope that further dialogue will follow. 20
Page 1 and 2: Conference organizing Institutions:
Page 3 and 4: NOTE This report represents a summa
Page 6 and 7: FOREWORD The idea of a major confer
Page 8 and 9: CONFERENCE OVERVIEW “Challenges i
Page 10 and 11: transparency, and confidence-buildi
Page 12 and 13: speaker stressed both that the glob
Page 14 and 15: new-founded German Cyber Security C
Page 16 and 17: therefore urgent if this gap in pol
Page 18 and 19: to achieve international consensus
Page 22 and 23: CONFERENCE RESULT: FOOD FOR THOUGHT
Page 24 and 25: CONFERENCE DOCUMENTS DOCUMENT 1 Ope
Page 26 and 27: a wider context. Cybersecurity must
Page 28 and 29: If we want to strengthen internatio
Page 30 and 31: The facts are alarming: Last year,
Page 32: Based on these principles, a series

Challenges in Cybersecurity Risks, Strategies, and ... - Unidir

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?