Challenges in Cybersecurity Risks, Strategies, and ... - Unidir

CONFERENCE RESULT: FOOD FOR THOUGHT
From the point of view of the IFSH, which co-organized the conference, the two days of intense
presentations, discussions, and Closing Panels led to the following observations, which should
guide the development of further research questions and policy responses:
1. The cybersphere is part of the daily life of many citizens, companies, and governments.
Cyberspace entails not only ground-based assets and critical infrastructures, but also
wireless communication and space-based platforms. Cyberspace is fast-growing and its
technological, legal, industrial, political, and military implications have not been fully
explored.
2. A larger framework, including international cooperation, is needed for the establishment of
norms and rules for adequate, responsible state behavior to ensure and guarantee the
peaceful use of the cybersphere.
3. There is a wide range of possible measures to prevent the large-scale build-up of offensive
cyberattack capabilities and their military use, starting with confidence- and securitybuilding
measures in cyberspace and the development of a global code of conduct.
However, definitions will need to be agreed in advance. One option for kickstarting this
process would be for states to make unilateral declarations aimed at preventing large-scale
harm to civilian critical infrastructures.
4. An international forum for discussion of cybersecurity issues has not yet been established,
although the United Nations (and the OSCE) provides a good environment in which further
consensus can be achieved. The upcoming GGE scheduled for 2012/13 can create a
foundation for subsequent initiatives and measures at the UN.
5. The attribution of large-scale cyberattacks is not easy, but may be possible under some
circumstances. If a catastrophic cyberattack were attributed, politically and military
responses would likely follow. Threat detection and diagnostic forensics therefore can and
must be improved.
6. More and more countries are establishing military and national security cybercommands.
These states should make their cyberdoctrines public – explaining their offensive and
defensive motives, measures, and resources. Organizations such as the OSCE could
organize annual seminars to discuss capabilities and perceptions of national cyberstrategies
as a further trust-building exercise.
7. Debates between governments in international forums should take into account new
technological developments regarding the potential misuse of the cybersphere for conflict
and war.
8. Individual states should be responsible for protecting cyberspace assets located on their
territory. This requires them to cooperate to exchange technical and procedural information
about the protection of ICT vulnerabilities, especially in times of crisis. Early warning,
quick responses, and adequate stabilization measures are vital; less-developed countries
should receive support.
9. IHL principles, such as proportionality and the distinction between combatants and
civilians, can be applied to cyberattacks, but legal manuals and handbooks have to be
adapted to new incident scenarios. Also, with regard to self-defense under Article 51 of the
UN-Charter, it is necessary to clarify in legal terms precisely what might constitute an
“armed attack” involving cybermeans.
10. Despite political and ideological differences, more multi-stakeholder conferences (such as
the follow-up events to the London Cyber Conference) complemented by bilateral and
multilateral consultations between governments and, most importantly, regional and
international organizations are necessary in the years to come.
21