Cyberspace Cooperation

The Global Cooperation in Cyberspace Initiative seeks to reduce conflict, crime and other disruptions in cyberspace and promote stability, innovation and inclusion.

Cybersecurity at the International Level

Many countries are drafting domestic policies to combat cyber attacks and cyber crime, but the larger question is what can be done on the multilateral level since the digital world routinely ignores national boundaries. One measure of the problem is provided by the 2011 Symantec survey on the scale of cyber crime, showing that the annual cost of cyber crime to individuals in 24 major countries is $114 billion. But, so far, international initiatives are plagued by the lack of agreed upon frameworks, institutions and procedures. Below, a few examples—far from a complete list—of the organizations and initiatives dealing with cybersecurity on the multilateral level:

  • Perhaps the largest player in the international cybersecurity arena is the International Telecommunication Union (ITU). A United Nations organization comprised of 193 UN member states and over 700 private companies and organizations, the ITU seeks to create guidelines and frameworks for international initiatives. ITU facilitates the World Summit on the Information Society (WSIS) and the Global Cybersecurity Agenda (GCA).  It also drafts UN General Assembly resolutions concerning information security and criminal utilization of information technology. ITU initiatives are voluntary and merely provide guidelines, serving as a foundation for customary international law, which means they lack a concrete legal framework. Still, they do serve to raise awareness on cybersecurity issues, which is an essential prerequisite for international action.

 

  • The Asia-Pacific Economic Cooperation (APEC) is a working group of 21 nations, which includes Australia, Canada, China, Japan, Mexico, Russia, Taiwan and the United States. In 2002 APEC created the Shanghai Declaration Program of Action, which illustrates the potential for intelligence sharing and cybersecurity defense through regional partnerships. However, there’s still a lack of clear policy statements to promote cooperation, and the organization has failed to meet the Bogor goals set forth in 1994.

 

  • The European Network and Information Security Agency (ENISA) is a working group tasked with protecting the critical information systems of European Union member states through prevention and reaction to attacks on these critical systems. The prevention measures are focused on raising awareness and information sharing.

 

  • The CERT-EU (Computer Emergency Response Pre-configuration Team) is tasked with responding to cyber attacks on information systems of EU member states. But CERTs often get overloaded with calls and, as a result, responses are frequently delayed. Such delays and call-center overload illustrate the larger challenges of providing adequate funding and member state commitment within this regional organization.

 

  • Cybersecurity is also an issue under discussion within the NATO-Russia Council, as both sides have expressed interest in possible cooperation. However, there are frequent disagreements over definitions, language and terminology. Russia considers “cyber attacks” to be a military issue while the U.S. sees them as criminal activity. The U.S. uses the term “cybersecurity” for what Russia calls “information security.” The two countries also have very different notions of what constitutes Internet censorship.

 

EWI’s experiences hosting international cybersecurity summits and leading bilateral Russia-U.S. and China-U.S. efforts have demonstrated that progress on the multilateral level is possible—but also can be hindered by mistrust. To ensure further progress, all sides need to place a greater emphasis on building up trust as they pursue the common goal of a safer, more secure digital world. 

Campaign 2012: The Presidential Candidates on Cybersecurity

In January 2012, the U.S. Department of Defense released its new strategic guidance outlining plans for a “leaner” U.S. military. The plans envision budget reductions of $487 billion over 10 years. Cybersecurity, however, continues to rise as a priority: the strategy calls for increased investment in cyber capabilities.

How to adapt the U.S. military to a technology-driven future will be an important question for any U.S. president. Below, a look at what the leading candidates in the 2012 election—President Barack Obama, Mitt Romney, Rick Santorum, and Newt Gingrich—are saying about cybersecurity and how they are planning to address what they see as growing cyber threats.

Barack Obama

Obama has identified cybersecurity as one of the most serious economic and national security challenges facing the United States. Shortly after taking office, he directed a 60-day “clean-slate” review to assess U.S. policies and structures for cybersecurity, resulting in a 2009 report titled Cyberspace Policy Review. To implement the recommendations in this report, Obama appointed Howard A. Schmidt to serve as White House Cybersecurity Coordinator. The strategy is twofold: first, it aims to improve the country’s resilience when confronted with cyber incidents; second, it seeks to reduce the cyber threat.

In the last year, the administration issued two strategies that address major items on the action plan: the National Strategy for Trusted Identities in Cyberspace and the first comprehensive International Strategy for Cyberspace, which provides a unified foundation for U.S. international engagement on cyberspace issues.

Last May, Obama declared in his State of the Union address: “To stay one step ahead of our adversaries, I’ve already sent this Congress legislation that will secure our country from the growing dangers of cyber threats.”

The legislative proposal would give the government new authority to ensure that corporations with assets critical to national security and economic prosperity are adequately prepared to defend them. Moreover, the proposals would give the government new authority to share information about cyber threats with businesses, and, when asked, provide them with federal assistance to prevent attacks and defend against intellectual property theft. According to Howard Schmidt, the “proposals would provide new tools to help our citizens and law enforcement professionals defend against cyber crime and identity theft, while, at the same time, safeguarding individuals’ privacy and civil liberties.”

In the face of defense cuts as part of the administration’s efforts to reduce deficits, the strategy calls for increased investment in cyber capabilities. “Operate effectively in cyberspace and space” is cited as one of the primary missions of the U.S. armed forces.

The Defense Department and the State Department have also been more active on cyberspace issues during the Obama administration. In 2010, the Pentagon established a cyber command to fight in cyberspace and defend the country’s computer systems. In February 2011, Hillary Clinton appointed Christopher Painter to serve as the State Department's first coordinator for cyber issues. Painter is leading the new Office for Cyber Issues and is tasked with bringing together the many parts of the State Department working on cyber issues to advance U.S. cyber interests more effectively.

The administration has framed intellectual property protection and cybersecurity initiatives as complementary. With regard to the controversial Stop Online Piracy Act and Protect IP Act, the White House issued a statement in January saying it “will not support legislation that reduces freedom of expression, increases cybersecurity risk, or undermines the dynamic, innovative global Internet.”

Mitt Romney

On the Republican side, former Massachusetts Governor Mitt Romney is considered the front-runner for the nomination. His stated security strategies also prioritize cybersecurity.

In October 2011, Romney released a white paper on foreign policy, “An American Century - A Strategy to Secure America’s Enduring Interests and Ideals,” outlining his view on some of the most significant foreign policy and national security challenges. He calls for a “strong America” and “will strive to ensure that the 21st century is an American Century.”

In his white paper, Romney underlines the importance of cybersecurity and marks it as one of eight actions for the first 100 days. According to the paper, he would “order a full interagency initiative to formulate a unified national strategy to deter and defend against the growing threats of militarized cyber-attacks, cyber-terrorism, cyber-espionage, and private-sector intellectual property theft.”

While recognizing that Obama has made some progress in this area, Romney argues that the administration has not yet updated the national cybersecurity strategy of 2003. Romney maintains that a much more coordinated interagency effort is necessary, involving the Department of Defense, the intelligence agencies, the Department of Homeland Security, and the Departments of Commerce and the Treasury.

Back in October, Romney introduced his Foreign Policy and National Security Advisory Team. Among more than 20 advisers are Michael Chertoff, currently chairman of the Chertoff Group and former U.S. Secretary of Homeland Security (and an EWI board member); and Michael Hayden, former director of the CIA and NSA. In an interview with National Journal, Hayden indicated that cybersecurity is one of the issues he discussed with the Romney camp and that his future advice would mirror his public statements on the issue. Hayden is in favor of a stronger, more centralized federal office to oversee cybersecurity and would like to see the NSA taking a more active role in protecting U.S. networks.

 

Rick Santorum

Like Obama and Romney, Santorum has a list of initiatives on national security. On his campaign website, Santorum announces a ten-point plan to “reestablish America’s standing in the world” and states it is time that “America stop leading from behind and stand for freedom once again.” Advocating increased military preparedness, he describes Obama's defense cuts as “wrong signal, wrong effort and wrong time.” He has staked out some hawkish positions, notably on Iran and China, and states that the United States is “facing a global alliance that includes Russia, North Korea, China, Iran, Syria, Venezuela, Bolivia, Nicaragua, Ecuador and of course Cuba.”

The former senator from Pennsylvania has not expressed a clear position on cybersecurity and how he thinks cybersecurity threats should be addressed. On the Stop Online Piracy Act, Santorum agrees with the other Republican candidates that the law goes too far. During the South Carolina debate in January, he added that he “will not agree with everybody up there that there isn’t something that can and should be done to protect the intellectual property rights of people. … The Internet is not a free zone where anybody can do anything they want to do and trample the rights of other people.”

Newt Gingrich

On his campaign website, former Speaker of the House Newt Gingrich put forward a plan to tackle the job crisis and meet the challenges of the 21st century. He calls it the “21st Century Contract with America.” The contract consists of four parts including a set of legislative proposals and a so-called “Day One Plan” of executive orders.

One of Gingrich’s legislative proposals is to “revitalize our national security system to meet 21st century threats by restructuring and adequately funding our security agencies to function within a grand strategy for victory over those who seek to kill us or limit American freedom.” He has called for a new strategy, pointing to cybersecurity-related threats: “There are new emerging technologies endangering us – for example electromagnetic pulse weapons, cyberwar and lawfare, which we are not prepared to deal with.”

Gingrich ranks cyber warfare as a threat on a par with an electromagnetic pulse and a nuclear weapon in an American city and argues those threats require greater attention. During the Republican national security debate in Washington, D.C., in November 2011, candidates were asked what national security issue they worry about that nobody is asking about. Gingrich said a cyber attack is a primary concern, reiterating that the current system does not have the capacity to deal with this threat. The issue of cybersecurity was only addressed in the debate closing. Paul, Romney and Santorum did not mention cybersecurity in that debate.

Gingrich would abolish the position he calls a Cybersecurity Czar (White House Cybersecurity Coordinator). He claims the president does not have the authority to appoint bureaucrats to power who are not accountable to Congress. If those positions were still needed, he argues they should be installed with the advice and consent of the Senate.

Regarding cybersecurity threats originating from China and Russia, Gingrich has said he would seek to engage both countries in a high-level conversation and present them with an ultimatum saying “there are games we’re not going to tolerate being played; we either need an armed truce or we’re going to engage as aggressively as you are.” Talks should be “top secret” and include people from the defense sector, Gingrich continues. He says cyber espionage should be considered an act of war.

During the Michigan debate last November, Gingrich said that the U.S. should “find ways to dramatically raise the pain level for the Chinese cheating, both in the hacking side, but also on the stealing and intellectual property side. I don’t think anybody today has a particularly good strategy for doing that.”

Gingrich calls for disrupting Iran’s nuclear program through covert action, including “taking out their scientists” and cyber warfare. He would “wage real cyber warfare” to bring about regime change in Iran, and would be “prepared to use military force” as a last resort to keep Iran from obtaining a nuclear weapon. He continues “we could wage real cyber warfare against Iran and probably be remarkably effective at closing it down.”

Conclusion

Both Romney and Gingrich are critical of Obama’s foreign policy approach. They call for a strong America and “peace through strength” policy. They understand the importance of cybersecurity and the related threats. Romney claims Obama has not done enough in this area (i.e. interagency coordination) and makes cybersecurity one of his priorities during the first 100 days. He has also surrounded himself with experienced advisors in the cybersecurity arena.

Gingrich proposes some concrete actions including revitalizing the national security system, abolishing the “cybersecurity czar” position, and engaging China and Russia in conversations on sensitive issues. Both Romney and Gingrich say the U.S. needs to become tougher when it comes to China and intellectual property protection in particular. It is not entirely clear how Santorum feels about cybersecurity, but his current rhetoric leads us to believe that he might be tougher on China in certain areas (i.e. trade) than Romney and Gingrich.

No matter what happens in the 2012 election, there’s no doubt that cybersecurity will continue to rise higher on the Washington policy agenda. It’s an issue that any president will have to keep addressing.

Anneleen Roggeman is Program Coordinator for the EastWest Institute’s Worldwide Cybersecurity Initiative. 

'I Am Not Willing to Accept Deadlock'

The objective of the EastWest Institute’s Cyber Crime Working Group is to propose a new set of harmonized legal frameworks to effectively combat cyber crime by means of increased international cooperation.

The group is made up of experts from Australia, Belgium, India, Italy, France, Russia, South Africa, Switzerland, Sri Lanka, the United Kingdom and the United States. In a meeting held March 15-16 in Brussels, the group expanded on their discussions about proposals for legislation on cybersecurity, including the need for a global tribunal on cyberspace.

Judge Stein Schjolberg, a co-chair of the working group, is a retired Court of Appeal Judge in Norway and an expert on cyber crime. He previously worked with INTERPOL and ITU on cybersecurity issues. Following the group’s most recent meeting, Judge Schjolberg spoke with EWI’s Thomas Lynch on international means of prosecuting cyber crime.

 

What’s the purpose of the Cyber Crime Working Group? What does it aim to accomplish?

 

The Cyber Crime Working Group was established in July 2010 by EastWest Institute President John Edwin Mroz. We have since been working for a year and a half on a project on the issue of cyber crime and global cyber attacks. We are dividing the issue of cyber crime into five pillars, ultimately developing a proposal for a potential treaty or several treaties on the United Nations level.

The first issue, or pillar, is international criminal law for cyberspace. The second is a global virtual task force for the investigation and prosecution of cyber crimes/attacks. The third pillar is the establishment of an international criminal tribunal (not a court) for cyberspace. The fourth is a broader look at cybersecurity issues as a whole, and the fifth focuses on blocking child pornography or other online child abuse.

 

What is “cyber crime” as opposed to “cyber espionage,” “cyber war,” or other similar buzzwords being used today?

I have been involved in this field for many years. I began by making a definition, but I very shortly quit that. In my opinion, cyber crime must be defined by each country independently, so we do not have any global definition of the term. Some countries use the term “cyber warfare,” some use “espionage” and so on; we leave it to each country.

 

How do you propose to overcome the political deadlock on international cyber crime cooperation?

I am not willing to accept deadlock. From a layman’s perspective, you read newspapers, gather information, and understand that dialogues are always occurring. A dialogue may include the hope that it develops into further projects. Since I am concerned about cyberspace, I know these dialogues have been taking place. I attended the United Nations twelfth criminal congress in Salvador, Brazil, which had dialogue among the United States, the European Union and the so-called BRIC countries (Brazil, Russia, India and China). This dialogue developed into the establishment of working groups through the U.N. Office on Drugs and Crime in Vienna. This office is studying these issues and will come forward with proposals and recommendations; we will take it from there.

 

What progress has been made internationally in bringing these issues to the U.N. level?

There has not yet been any kind of legal agreement on cyber crime developed at the U.N. level, nor treaties, protocols or a convention. There is of course the European Convention, the Budapest Convention, a convention now developing in the Caribbean countries, and developments in Asia under the APEC and ASEAN countries. We have several developments for regional agreements but not yet anything on the U.N. level on cyber crime, cybersecurity or global cyber attacks.

Everyone I speak to agrees that something is missing at the global level. That’s why we have four working groups now studying this issue: the UNODC, the European Union and United States working group, the EastWest Institute, and the Commonwealth working group. With four groups working on this issue now, I am sure that in the next two to four years we will have a full proposal prepared.

 

With respect to the Budapest Convention on Cybercrime, many consider it to be outdated; do you agree with that assessment?

I would not describe the Budapest Convention as outdated; I would maybe describe it as “old fashioned.” Of course, it was established, produced and written in the 1990s using older terminology. Now that we are in the 2010s, we have seen a lot of development, new kinds of criminal conduct and new ways of describing systems and behaviors.

 

What would be the role of an International Criminal Tribunal for Cyberspace?

There is criminal conduct in cyberspace that no one is investigating, no one is prosecuted for. No one is sentenced for all this damage that is created as a result of international attacks.  The only thing we are doing is repairing damage, but a lot of economic losses have occurred, so something must be done. On other issues there have been global courts or tribunals. Since the United States, Russia and China have not signed on to the International Criminal Court, we are left to establish potential tribunals. There have been tribunals for Rwanda, for the former Yugoslavia, Lebanon and so on; this is why I’m moving forward with a proposal for a potential international criminal tribunal for cyberspace.

It is a pleasure to work together with EWI. I think that EWI has a very unique position to bring forward global dialogues, global proposals and maybe global solutions.

EWI's Rauscher on Humans and Supply Chains in Cybersecurity

 The EastWest Institute's chief technology officer, Karl F. Rauscher, discussed the importance of supply chain management in cybersecurity in Inside Supply Management's January issue.

“Ten years ago, if there was an access or integrity issue in a supply organization’s computer network, the impact would be limited,” Rauscher said. “But the criticality and connectivity in today’s supply chains are absolutely staggering.”

The cover article, written by Mary Siegfield, reviews recent developments in computer system security and supply chain security.

Supply chains for digital technology are critical links in the chain of necessary measures to achieve the highest level of security. No amount of software engineering or best practices by users can overcome vulnerabilities built directly into the hardware.

“We have flung ourselves fully into a reliance upon this (technology), but too often do not have a ‘plan B,’” Rauscher said.

 

Michael Chertoff of EWI Board Pushes Action on Cybersecurity

EastWest Institute Board Member and former U.S. Homeland Security Secretary Michael Chertoff sent a letter to leaders in Congress emphasizing the need for swift action on cybersecurity, Bloomberg reported.

Writing with former Secretary of Defense William Perry and six other former security officials, Chertoff called for action to secure infrastructure.

According to Bloomberg, the letter read in part:

"The present cyber risk is shocking and unacceptable. Control system vulnerabilities threaten power plants and the critical infrastructure they support, from dams to hospitals. …

"Congress must act to ensure that appropriate tools, authorities and resources are available to the executive branch agencies, as well as private sector entities, that are responsible for our nation’s cybersecurity."

In October 2012, EWI will hold the Third Worldwide Cybersecurity Summit in New Delhi to advance breakthroughs on thus far intractable policy issues that reach across national and sectoral divides.

The Private Sector, Internet Policy, and SOPA

EWI's Graham Webster, writing for Al Jazeera English, examines controversial Internet legislation before the U.S. Congress and underlines the role of the private sector in communication policy.

It would have been the most expensive political ad buy in the history of the world. Google's search engine, the most visited website in the world, displays a black block over its logo. Wikipedia, the sixth most visited site globally, has disabled its English-language service. This unprecedented action to oppose legislation under consideration in the US Congress signals the importance of the private sector in Internet policy - and it won't stop here.

Private companies are almost entirely responsible for your ability to read this article. The text travelled through a purchased operating system, over an enterprise office network, through privately-owned wires and fibre optic cables, and finally reached the privately-run "cloud" service in which it was composed. If you're overseas from Al Jazeera's servers, the message also travelled through privately-owned undersea cables - the bedrock of international communication and finance.

Many experts, including Jonathan Zittrain of Harvard and the leaders of the MIT Media Lab, have described in detail the threat to free speech, innovation, and the technology business posed by the legislation: the Stop Online Piracy Act (SOPA) in the House and the PROTECT IP Act (PIPA) in the Senate. Most people, however, learned of the controversy through today's online demonstrations, in which the online goliaths of our day have filled the picket lines.

Read the full piece at Al Jazeera English.

Graham Webster is a public policy and communications officer at the EastWest Institute and an independent analyst on East Asian politics and technology.

U.S.–China 'Cyber Cold War' is a Myth

Writing for Al Jazeera English, EWI's Graham Webster argues that cybersecurity depends on a focus on vulnerabilities, not threats, and that talk of any kind of U.S.–China war is irresponsible.

In January 2010, a Google executive announced "a new approach to China" in a blog post, revealing that the firm had "detected a highly sophisticated and targeted attack… originating from China" and that it would reconsider business operations there. In the ensuing two years, US rhetoric about China and cyber security has become ever more breathless.

"China is waging a quiet, mostly invisible but massive cyberwar against the United States," wrote the Washington Post editorial board earlier this month. A Bloomberg News headline summed up concerns about attacks on corporate targets by conjuring an "undeclared cyber cold war."

Computer systems in government and the private sector are indeed vulnerable to unauthorised access, as seen in the recent report of an allegedly China-based incursion at the US Chamber of Commerce. People who gain access can exfiltrate data, insert false information, or further tamper with systems for a variety of purposes. But the notion of a cyber cold war with China is inaccurate and irresponsible.

Read the full op-ed at Al Jazeera English.

Making Peace After Cyber War

This article originally appeared in the Swedish magazine Skydd & Säkerhet (Protection & Security) on Nov. 8, 2011. It was translated into English by the author.

In a conventional war, there is always a counterpart to negotiate with to make peace. Concluding a peace after battles in cyberspace is not that easy. You may not even know who is behind an attack or how to make contact with the counterpart. It is even more difficult to make peace agreements stick.

Questions around war and peace in cyberspace were at the center of this year’s Worldwide Security Conference, which was held October 3–5, at the World Customs Organization headquarters in Brussels. The conference is organized annually by the EastWest Institute (EWI), together with the World Customs Organization (WCO) and the chair country of G8, this year France.

The conference is open, but it is intended mainly for diplomats, leading politicians, security experts, scientists and media. This year’s conference focused on the possibilities of preventing war-like attacks in cyberspace.

EWI has previously published reports on rules for cyber conflicts. They are intended to be some kind of modern guidelines corresponding to international law in war.

The Internet was designed by the U.S. Defense Department to be impossible to wipe out. An unexpected side effect was that the Internet has opened an arena for attacks, vilification, hate propaganda, and many other crimes.

As there is no central or international authority to appeal to, difficulties arise when trying to prevent fraud or similar crimes. Therefore, EWI has in recent years paid much attention to the question of creating trust in an environment where it is easy to hide behind anonymity.

Another problem in cyberspace is that a minor actor, such as a lone hacker or a small group of hackers, can wreak enormous damage.

The threshold to becoming a conflict-driving or warring party is very low. The hacker group Anonymous in October succeeded in what no government had done―to get the group Los Zetas, which is highly capable in the use of violence and is in control of a large part of the drug trade from Northern Mexico, to back off from a kidnapping by threatening to divulge names of members and associates of the organization.

The problem of “false flag,” which has occurred in naval warfare for example, appears in new forms when cyber actors are hiding behind false or stolen identities and are making use of other actors’ channels for communication. The problems are accentuated by the fact that forensic analyses of origins or authenticity become almost impossible.

With ever larger sectors becoming dependent upon continuous connection through the internet, almost all parts of society enter the risk zone for a cyber war. According to the laws of traditional warfare, it is a crime under international law to attack hospital structures marked with red crosses. A hospital can, however, have its medical records and logistics centers in other geographic locations and be forced to close if a cyber attack is directed at infrastructure such as power grids. It is not obvious that a domain or an IP address belongs to a hospital.

Measures discussed in order to protect hospitals included giving hospitals a top-level domain of their own with close monitoring, such as “.hosp.” Then an attacker would know that he is attacking a target that according to international law has a special level of protection.

Before the operations in the civil war against Gadhafi, the Pentagon discussed the possibilities of initiating the hostilities with a “cyber offensive” to jam or even strike out Gadhafi's air defenses. The proposal, however, got serious criticism, as it could create a precedent for other countries such as China or Russia for their own cyber raids.

An analyst remarked that the United States would not want to appear as “the one who broke the glass cover to this kind of warfare.”

The United States has also, on several occasions, chosen to carry out conventional attacks, using usual protective measures, such as airborne radar, instead of blocking Net links to radar systems.

Last year, a worm called Stuxnet contributed to knocking out a large number of centrifuges in the Natanz plant, blocking an important part of Iran’s production capacity for nuclear material. No group has claimed responsibility.

American public authorities have also carried out a large number of war games to find out what would happen during cyber war, including everything from hacker attacks against critical infrastructure to economic warfare against American interests. The results, together with practical experiences, have led to a realization by the U.S. Defense Department that they must modernize their strategic doctrine in order to give guidance for cyber warfare.

Other countries have also written their own strategic IT doctrines. At the conference, the retired Russian Colonel General Vladislav P. Sherstyuk presented a policy report from the Russian Federation that had been launched just one week before. The report contains clear position markers about the measures which will be put in place by the Russian Federation to ensure that other countries are fully in control of their IT structures.

The International Organization for Standardization (ISO), through its standard ISO 27 000, has set basic rules for information security. Probably being the first country in the world in this respect, the government of the People’s Republic of China has let an outside expert carry out a third party certification of the country’s IT security. It indicates that the leadership of the country takes IT issues most earnestly.

Cyber warfare raises a number of questions for diplomacy and international law. Who is the counterpart or the enemy? What rules will apply for revenge and counterattack? Is a country to be held responsible for an attack carried out through its territory, i.e. its IT structure? With whom should one make peace? How is peace to be monitored?

EWI, an American think tank headquartered in New York with offices in Brussels and Moscow, has for more than 30 years been involved in “back channel diplomacy.” They have gathered experts from Russia, the United States and others to create a platform for dialogue when a cyber attack could be approaching. The question has many facets, such as how to create a common terminology.

The idea is to have a diplomatic protocol ready long before the outbreak of the first cyber war. In addition, they would like to create secure channels for crisis communication, such as the famous Moscow–Washington “hot line,” with an encrypted telephone line between the United States and the Soviet Union in the most frozen days of the Cold War.

“We ought to focus more on creating 'cyber peace' than avoiding cyber war,” said researcher Stuart Goldman in summary.

He meant that states and other actors must focus on methods and channels that make it possible to create trust and cooperation in cyberspace.

Financial Services and Industry Advance Undersea Cable Security

The EastWest Institute (EWI) on November 10 held its 12th meeting on the security of global digital transmissions. Hosted in New York by Goldman Sachs, the meeting reviewed key recommendations from the ongoing Reliability of Global Undersea Communications Cable Infrastructure (ROGUCCI) process.

EWI Chief Technology Officer and Distinguished Fellow Karl Rauscher presented recommendations from previous meetings, including detailed findings of the 2009 Global Summit on ROGUCCI held in collaboration with IEEE, the communications industry's leading publisher of peer-reviewed literature.

Thursday’s seminar, the first held in New York City and the first hosted by a major financial services industry stakeholder, discussed existing recommendations and pressed for further progress in key areas for private sector stakeholders, international information utilities, and governments.

Goldman Sachs Executive Vice President, Chief of Staff and Secretary to the Board John F.W. Rogers, who recently joined the EWI board, welcomed the meeting.

“I accepted the honor to join the leadership of the EastWest Institute, because it is always facilitating action, not just thinking and publishing,” Rogers said. “EWI is an unusual organization that does not seek credit for what it does but exists to effect change by turning dialogue into meaningful results.”

Among the other participants were seven distinguished discussants:

Andrew Bach, Senior Vice President of Network Services, NYSE Euronext
Douglas R. Burnett, International Cable Law Advisor, International Cable Protection Committee; Partner, Squire, Sanders & Dempsey LLP
Peter S. Cornell, Vice President, Global Network Field Operations, AT&T
Wayne Pacine, Interagency Project Analyst, Board of Governors of the United States Federal Reserve System
Ronald J. Rapp, Director, Industry and Marine Liaison, TE SubCom
Michael Sechrist, Project Manager, Explorations in Cyber International Relations, Harvard University
Philip J. Venables, Managing Director and CISO, Goldman Sachs

The discussants and a diverse group of attendees drawn from the ranks of engineers, cable laying companies, and organizations that depend on high reliability in Internet communications reviewed key recommendations of previous ROGUCCI meetings and listed new priorities for dependable communications.

In order to achieve security in undersea cable infrastructure, the global community must work together to ensure more resilient cable placement and faster response when something goes wrong.

The meeting’s emphases included: a focus on choke points such as the Strait of Malacca and the Suez Canal where numerous cables pass through small points, increasing the chance of multiple failures in certain kinds of incidents; the need for transparency in how the risk of interrupted or slowed service is calculated and communicated; the need for increased information access in the private sector to allow better risk assessments; a need for stakeholders to understand the challenges faced by operators and support the work of finding optimal solutions; and the need to address security of end-points for undersea cables, where they come ashore and meet terrestrial networks.

With the vast majority of international Internet traffic traveling through undersea cables, the importance of continued service and low latency (transit time for information) is clear for both public and private organizations.

The private sector’s role, however, is extremely important. The financial services industry, one seminar participant noted, has done the world a service by beginning to measure the value of consistent and fast communications. The quality and location of the Internet’s infrastructure, also built and maintained predominantly by the private sector, is what determines the availability of this vital service.

Seminar participants said increased cooperation among private sector organizations and governments can accelerate the repair process when something goes wrong at sea. Now, some jurisdictions take days to approve a repair mission, costing operators and their stakeholders time and money. With greater cooperation and international policy streamlining, repairs could take place much more quickly.

The ROGUCCI program will continue with further meetings to be announced and in coordination with EWI’s Worldwide Cybersecurity Initiative, which holds its third annual summit in New Delhi Oct. 30 and 31, 2012.

Some of the ROGUCCI recommendations are detailed in a 2010 IEEE-ROGUCCI report authored by EWI’s Rauscher, who is also a Bell Labs fellow. Read the full report at http://www.ieee-rogucci.org.
