Cyberspace Cooperation

The EastWest Institute released the first joint Russian-American report aimed at defining the “rules of the road” for cyber conflict.  Prepared by a team of Russian and U.S. experts convened by EWI, Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace explores how to extend the humanitarian principles that govern war to cyberspace.

“Today, nearly all critical civilian infrastructure is online, from the electricity grids that support hospitals to the systems that guide passenger planes through the air,” says EWI Chief Technology Officer and Distinguished Fellow Karl Rauscher, who led the U.S. experts group.  “And, by and large, it is not protected by international norms.”        

Rauscher and Andrey Korotkov, the leader of the Russian experts group, are the principal co-authors of the report.  They led the cyber and traditional security experts through a point-by-point analysis of the Geneva and Hague Conventions. Ultimately, the group made five immediate recommendations for Russian and U.S.-led joint assessments, each exploring how to apply a key convention principle to cyberspace, each focused on a crucial question:

• Can protected critical humanitarian infrastructure entities be “detangled” from non-protected entities in cyberspace?
• Just as a Red Cross designates a protected entity in the physical world, is it feasible to use special markers to designate protected zones in cyberspace?
• Should we reinterpret convention principles in light of the fact that cyber warriors are often non-state actors?
• Are certain cyber weapons analogous to weapons banned by the Geneva Protocol?
• Given the difficulties in coming up with an agreed definition for cyber war, should there be a third, “other-than-war” mode for cyberspace?

In the report, the five joint Russian-U.S. recommendations also include essential background information, required commitments, benefits of implementation, next steps and measures of success.

“Our hope is that these recommendations will provoke a broad international, cross-sector debate on the very hot topic of cyber conflict,” says Korotkov.

The report is the first product of an ongoing EWI Track 2 bilateral program that seeks to open dialogue, build sustainable trust and have a positive impact on cybersecurity. In addition to engaging Russia and the United States, EWI is also working with a range of experts from the Cyber40, the world’s most digitally-advanced countries. Next up?  Bilateral and multilateral working group sessions to implement the recommendations, followed by the Second Worldwide Cybersecurity Summit in London in June. 

“We do this work very much in the spirit of the reset,” says Rauscher. “These recommendations carry great potential for engaging the international community, because when Russia and the U.S. speak together, the world listens.”

Click here for the wide media coverage of the report.

Скачать текст на русском.

“Cyber threats have taken on a new dimension over the last year, from Wikileaks and Stuxnet to large-scale theft of customer data,” said EWI Vice President Greg Austin, who leads the initiative. “At the summit, government and business leaders emphasized that, despite new countermeasures, we are not winning the war on cyber crime. We need stronger policies to protect our digital economy.”

Held in London on June 1-2, the summit was a part of EWI’s ongoing worldwide cybersecurity initiative, which builds international, private-public partnerships to protect cyberspace.

The report details the work of small international “breakthrough groups” of experts pursuing practical steps for everything from securing the undersea cables that carry over 99% of intercontinental Internet traffic to ensuring emergency communications after disasters. 

“These groups have made concrete progress towards innovative cyber solutions,” said EWI’s Chief Technology Officer Karl F. Rauscher. In particular, he says, he is encouraged by private sector commitments to explore the default inclusion of software in network equipment that would enable government-authorized users to make priority calls.  

The report also outlines the direction of EWI’s cybersecurity initiative in the months leading up to the Third Worldwide Cybersecurity Summit, to be held in New Delhi in October 2012. In addition to follow-up meetings of the breakthrough groups, bilateral dialogues will continue between Russian and U.S. experts on charting “rules of the road” for cyber conflict (the group has already produced an attention-getting report). Talks will also continue between Chinese and U.S. experts, whose report on reducing spam was released at the summit.

“EWI’s China-U.S. bilateral report on Fighting Spam to Build Trust is a rare breakthrough in international cooperation,” said IEEE Communications Society President Dr. Byeong Gi Lee. IEEE was the summit’s technical co-sponsor.

The summit report shares insights from a range of high-profile participants, including Sir Michael Rake, Chairman BT Group plc, who warned about cyber technology arms race, and Microsoft’s Corporate Vice President of Trustworthy Computing Scott Charney, who spoke about the challenges of securing the global cyber supply chain.

Founded in 2010, EWI’s cybersecurity initiative has gained the support of the United States, Chinese, Russian and Indian governments, among other members of the Cyber40, an informal grouping of the world’s most digitally-advanced nations. Its corporate sponsors include AT&T, Microsoft, Deloitte, BAE Systems, Goldman Sachs, Huawei and Vodafone.

EWI President John Mroz credits this unusually high-level, diverse international participation to a recognition of the urgency of the cybersecurity threat and the need for the policy, business and technology communities to forge solutions.

“The largest roadblock to cyber solutions is a lack of trust,” says Mroz. “EWI’s trademark for three decades has been bringing the people who need to work together into the same room to craft solutions to particular issues of common concern. Nowhere is this needed more than in the cybersecurity arena.”

Click here for more information on the 2011 Second Worldwide Cybersecurity Summit in London

EWI’s Worldwide Cybersecurity Initiative is made up of a diverse group of professionals, ranging from top government and military advisors to business and technical consultants. If you are interested in contacting one of our cybersecurity experts, please e-mail us at communications@ewi.info

Many of the participants emphasized the importance of the conference's location. "We are all in the room today because we recognize that India is an essential partner on cybersecurity," said Ross Perot, Jr., chairman of the EastWest Institute.

The report contains results of an informal poll of participants, where 93 percent expressed the view that the cybersecurity risk is higher than one year ago. A preview of EWI's 4th Worldwide Cybersecurity Trustbuilding Summit, which will be held in Silicon Valley in 2013, is also included.

High-ranking Indian officials—among them, Deputy National Security Advisor Latha Reddy and Secretary R. Chandrashekhar of the Department of Telecommunications—not only participated in the summit but also helped frame key issues on the agenda. In addition, EWI partnered with the National Association of Software and Service Companies (NASSCOM), the Federation of Indian Chambers of Commerce and Industry (FICCI) and the Data Security Council of India (DSCI), which sponsored three breakthrough groups. The topics were chosen in consultation with the Indian government and private sector leaders. 

Key summit sponsors included Deloitte, Goldman Sachs, Huawei, Knightsbridge Cybersystems, Microsoft, Reliance Industries Limited, Stroz Friedberg, and Vodafone. (For a full list of sponsors, see the opening section of the report.)

Top authorities from both industry and government agreed that the rapid pace of technological change has triggered a corresponding leap in exposure to vulnerabilities that can be exploited by cyber criminals. This has also raised fears about government intrusion that could threaten privacy and individual freedoms. 

Michael Chertoff, chairman of the Chertoff Group and former U.S. Secretary of Homeland Security, pointed out how complicated many of these issues have become. "You cannot have privacy without security," he said, while acknowledging the legitimate fears that some governments will attempt to control Internet content.

Building Trust in Cyberspace illustrates how, as was the case with the previous summits in Dallas and London, the New Delhi summit helped spur the process of producing concrete recommendations for industry and government. If implemented, those recommendations will help make cyberspace and the real world more stable and secure. 

Click here for video highlights of the summit.

For information on the 3rd Worldwide Cybersecurity Summit, please visit www.cybersummit2012.com

It’s no secret that the United States and China have a contentious relationship when it comes to their cyber capabilities and intentions. But according to a new report released by the EastWest Institute, these two countries have common cyber concerns that could bring them to the table to lay the groundwork for diplomatic exchanges and solutions, avoiding an escalation of aggressive strategies from either country.

In Cyber Detente Between the United States and China: Shaping the Agenda, co-authors Greg Austin, EWI professorial fellow, and Franz-Stefan Gady, EWI associate, point out that through Track 2 processes some very useful preparatory work has already taken place. However, they argue that the diplomacy—both official and unofficial—needs to be more intense, to cover more concrete problems and to involve a larger number of people on both sides, especially from the military and private sector. The paper calls for a fresh appraisal of the impact of both countries’ military cyber policies.

“We should have no illusions that the two countries will agree quickly to a set of military confidence building measures in cyberspace,” said Austin. “But there is some room to lay the foundations to begin to bridge the bilateral divides by addressing issues that are closer to the civilian domain rather than exclusively military.

The paper recommends three specific proposals: a joint study on both countries’ critical information infrastructure; inclusion of China in the existing infrastructure of the 24/7 Network of Contacts for High-Tech Crime of the G-8; and reaching a common understanding of what constitutes cyber espionage.

“The challenge here, among many, is to deepen the conversations and reduce mistrust through enhanced transparency and predictability,” said Gady.

The release of the report coincides with the convening of the Third Worldwide Cybersecurity Summit in New Delhi on October 30-31, where leading experts will discuss these and many related issues. The first Worldwide Security Conference took place in Dallas in 2010, and the second in London in 2011.

For information on the 4th Worldwide Cybersecurity Trustbuilding Summit, please visit cybersummit.info.

That’s the argument of a new report released by a team of experts convened by EWI and sponsored by Microsoft Corporation. The report examines how the model of international public health can inform efforts to track and block malware and other malicious actors.

“For years, we have talked about computers being infected by viruses,” said EWI President John Mroz. “With this breakthrough report, we have the opportunity to treat the health of the entire Internet as a shared problem needing cooperative solutions.”

Cybersecurity problems like malware, botnets, and vulnerabilities need to be monitored and analyzed, the paper argues, just like the U.S. Centers for Disease Control and the World Health Organization monitor epidemic and study pathogens. Just as hand-washing and immunization can help prevent illness, education about threats to computer systems and measures to defend them have broad application.

“A public health model encompasses several interesting concepts that can be applied to internet security,” said Scott Charney, vice president of Trustworthy Computing at Microsoft. “As use and reliance on the Internet continues to grow, improving Internet health requires all ecosystem members to take a global, collaborative approach to protecting people from potential dangers online.”

Contributors to the report included experts from numerous countries, representing universities, telecommunications companies, government computer emergency teams, and think tanks, among other groups.

The public health model isn’t a perfect fit, the authors note. Computers have no naturally occurring immune system, for example, and human viruses don’t attack on purpose. Still, the study finds that the systemic perspective of public health provides useful suggestions for how to promote Internet health.

This study of Internet health is part of a broader program of EWI-sponsored groups who gather to build concrete recommendations to solve prominent cybersecurity problems. Among others, the groups have produced already-released recommendations to increase the reliability of undersea cables and forthcoming research on international priority communications—systems that allow emergency services to operate when communication networks are overloaded, such as during a natural or national security disaster.

After successful meetings in Dallas in 2010 and London in 2011, the EastWest Institute’s Worldwide Cybersecurity Initiative will hold its third Worldwide Cybersecurity Summit in New Delhi in October 2012.