One of PCH’s long-term efforts has been to encourage governments to restrict their use of offensive cyber attacks against civilian networks. We've successfully gotten that effort out of the U.N., where it was floundering, and into a well-supported stand-alone commission. It’s being taken seriously by governments, and will be one of the main topics under discussion at the Global Conference on Cyberspace in Delhi next week.
The work has been divided into two working-groups: one is addressing the question of what a norm should say (i.e. “Governments shouldn’t cyber-attack X”). The other is addressing the question of what infrastructures should be protected (i.e. what is the X that shouldn’t be attacked). I’m chairing that second working group. The main thing we’re delivering in Delhi is the result of a survey of what infrastructure people think should be protected. That survey is still open, and we’d like as many people to respond as possible. So, please consider doing so. It’ll only take a couple of minutes, and it’s a critical part of an admittedly very lengthy process to make your life easier.
https://www.surveymonkey.com/r/criticalinfrastructure
Much appreciated,
-Bill
Links in case you want to pursue further reading on the things I’ve mentioned above:
https://en.wikipedia.org/wiki/Eligible_Receiver_97
https://lawfareblog.com/un-gge-failed-international-law-cyberspace-doomed-we...
https://cyberstability.org/about/
https://en.wikipedia.org/wiki/Global_Conference_on_CyberSpace
-Bill
Dear Bill
Thank you very much for making me/us aware of this.
I talked to a few people about it after starting to answer the survey and noticing that I run into a lot of problems.
Since I have hardly thought about this topic (attacks against civilian infrastructure), my thoughts are still rather unstructured, but I feel it important to give you feedback, especially as I see no other feedback on this list.
My concerns:
- what _exactly_ am I stating with my answers?
- how will the results be used?
- By saying "I do not consider it necessary to include X in this protection from government attacks" do I not implicitly say "I consider it OK for governments to attack this infrastructure"?
- By saying "Governments should never attack Y", what are the implications for private law? Does one (not being a government) become a terrorist when one attacks Y, or is one still "just" a criminal?
- There are similar things in effect already, and there are a lot of players who simply do not care about it. I don’t think Guantanamo is in any way in concordance with a lot of law. NSA and CIA don’t seem so very concerned about too many regulations, and AFAIU participate in false flag operations both in the physical world and "cyberspace", leaving false trails, leading investigators of their attacks to e.g. Russians or Iranians. How is this different?
On Tue, 14 Nov 2017 21:41:29 -0800 Bill Woodcock woody@pch.net wrote:
commission. It’s being taken seriously by governments, and will be
Hahahahahahahahahaha Sorry, but I’d love to know which governments you are talking about. The ones I consider relevant for this topic are the ones who will lie to your face without even noticing themselves that they are lying, because the person lying is just a strawman and actually believes what he is saying. I remember a promise by the POTUS himself to close Guantanamo and I believe there is more historical evidence that politicians (which make up governments) can possibly not be taken literally 100% of the time.
cyber-attack X”). The other is addressing the question of what infrastructures should be protected (i.e. what is the X that shouldn’t be attacked). I’m chairing that second working group. The main thing we’re delivering in Delhi is the result of a survey of what infrastructure people think should be protected.
To give my answer to that question: all. Why should _any_ _civilian_ infrastructure _ever_ be a target for inter-national disputes at all? In how far is that ok?
If we do need rules, how about "don’t attack anyone"? And if anyone breaks that, one has to answer in a courtroom and bear the consequences of one's actions.
That survey is still open, and we’d like as many people to respond as possible. So, please consider doing so. It’ll only take a couple of minutes, and it’s a critical part of an admittedly very lengthy process to make your life easier.
It only takes a couple of minutes when one does not question the premise and actually thinks about this topic. Please be honest about this. You are chairing that working group. There is nothing easy about that topic.
And I wonder: what is this process that will make my life easier?
Thanks
Hendrik
On Nov 29, 2017, at 6:19 AM, Hendrik Jaeger swinog@henk.geekmail.org wrote:
Since I have hardly thought about this topic (attacks against civilian infrastructure), my thoughts are still rather unstructured, but I feel it important to give you feedback, especially as I see no other feedback on this list.
Thank you. It’s an area that we’ve been working to try to improve since the 1996 “Eligible Receiver” attacks, and I’m always happy to see public discussion.
- what _exactly_ am I stating with my answers?
Your opinion of the relative priority of protecting (or not protecting) each of these categories of infrastructure from cyber-attack by national governments outside of the context of a declared war. That last part we can’t hope to do anything about at this stage.
- how will the results be used?
We are using the results to prioritize the types of infrastructure that are explicitly called out for protection against attack in the draft norms. We started with the phrase “the public core of the Internet” (contributed by the Dutch foreign ministry) and the phrase “the central forwarding and naming infrastructures of the Internet” (contributed by PCH and the IETF) and have been trying to work toward a more broadly-informed expert consensus which is also more specific.
Ultimately, if the norm is successful, cyber-offense military officers will need to extract (“whitelist”) the IP addresses of these infrastructural elements from the lists of IP addresses being attacked, so if the definition is insufficiently specific, we risk it being ignored completely, or discounted as unactionably vague. On the other hand, if it’s too specific, we risk loophole interpretations.
- By saying "I do not consider it necessary to include X in this protection from government attacks" do I not implicitly say "I consider it OK for governments to attack this infrastructure"?
Rankings to the left of the center on the slider do imply that, yes, while rankings to the right of the center on the slider imply that you believe some degree of protection, exclusion from attack, is warranted.
- By saying "Governments should never attack Y", what are the implications for private law? Does one (not being a government) become a terrorist when one attacks Y, or is one still "just" a criminal?
The goal we’re working toward at this stage is a norm, rather than a treaty, so somewhat less formal. Countries which abide by the norm would make efforts to behave well themselves, and to use their own domestic laws to encourage the people within their borders (because diplomacy is Westphalian) to also respect the norm and the protections it describes.
So, although the original goal was to describe protections for civilian infrastructure against government attack, the effort has shifted slightly to encourage governments to also try to get their residents to not participate in such attacks, either.
All in all, it seems like a good thing, and the consensus of the diplomats involved was that that was not a poison-pill… it would not make adoption of the norm less attractive to governments.
- There are similar things in effect already, and there are a lot of players who simply do not care about it.
Perhaps similar, but there is no norm on this topic which enjoys any consensus. The effort in the UN failed.
And if by “similar” you mean comparable-but-in-other-fields, like nuclear nonproliferation, or climate protections, or non-use of landmines, sure, there are lots of norms out there, and they all have different levels of adoption. The most successful ones also tend to be the most obvious and the least far-reaching. Those can serve as easy building-blocks toward more ambitious agreements that can then follow, but couldn’t have been reached in a single step.
I don’t think Guantanamo is in any way in concordance with a lot of law.
A norm is not law. A norm encodes a common understanding of shared social values. If a country’s government does not share those values, it won’t ascribe to the norm, or it will do so in name only, but will not actually abide by it. National governments are sovereign, and are only responsible to their citizens if to anyone at all. That’s the unfortunate reality that we find ourselves in. But the building-block we have is social ostracization. If a country fails to abide by a widely-adopted norm, it finds itself isolated diplomatically, and that has real costs in achieving its objectives. That’s all the stick we have, but we have to fashion that stick, and in doing so, we have to reasonably judge the compromise between making it too weak (which allows governments to claim to abide by the norm while not actually improving their behavior) versus making it too strong (which reduces consensus on its adoption, and weakens its effect).
In that context, it’s important that we prioritize what we want to protect as accurately as possible.
It turns out that experts on Internet infrastructure believe that “wealth management” services do not require any special protections, whereas Internet exchange points and the power grid do. No big surprise there. That’s not to say that the 1% wouldn’t be awfully unhappy if they found their private bankers to have been compromised, but it is to say that we don’t need to spend our own effort on that particular battle while IXPs and the power grid still aren’t protected.
NSA and CIA don’t seem so very concerned about too many regulations
That’s not exactly how I’d put it. They employ a vast number of lawyers to contrive baroque explanations for why what they’re doing is ok, for radically-unrecognizable values of “ok.”
But yes, fundamentally, this effort pits the US, Russia, and China, against pretty much all the other governments of the world. On the one side are a very few countries which do not want to see their self-defined “right” to attack other people at will called into question. On the other side are all the other countries, which view the operation of the Internet as being critical to the wellbeing of their people and the functioning of their economies, and don’t want that undermined. There are a very few other countries which are on the fence, but they’re not really diplomatically significant in the numbers that we’re talking about here.
How is this different?
When the CIA does a drone strike against a hospital, after having been duly informed of the location of the hospital, the US government loses face, loses friends, and loses diplomatic influence. That’s a violation of the Geneva Conventions. In cyberspace, we have no equivalent of the Geneva Conventions, which is recognized as holding sway by most nations. Thus when the cyber-offense units of the US, Russian, and Chinese militaries conduct attacks against civilian infrastructure, there’s little to no diplomatic consequence. Gaining widespread adoption of a norm on cyber-offense is the first step toward that goal.
It’s being taken seriously by governments
Hahahahahahahahahaha Sorry, but I’d love to know which governments you are talking about.
Netherlands, Estonia, Singapore, India, France, Kenya, as a few examples that are particularly active in the current effort. If you look at the previous effort in the UN, you see the following countries participating:
2015: Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, Israel, Japan, Kenya, Malaysia, Mexico, Pakistan, the Republic of Korea, the Russian Federation, Spain, the United Kingdom of Great Britain and Northern Ireland and the United States of America.
2013: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of Great Britain and Northern Ireland and the United States of America.
2010: Belarus, Brazil, China, Estonia, France, Germany, India, Israel, Italy, Qatar, the Republic of Korea, the Russian Federation, South Africa, the United Kingdom of Great Britain and Northern Ireland and the United States of America.
Note that the three countries which don’t want to see consensus in this area participated each time, and indeed, it proved impossible to reach consensus under those conditions. When I say “taken seriously” I don’t mean that they all agree, I mean that they think it’s important.
And I think it’s vastly more important to figure out what 90% of the world agrees on, than what the US, Russia, and China, don’t disagree with.
cyber-attack X”). The other is addressing the question of what infrastructures should be protected (i.e. what is the X that shouldn’t be attacked). I’m chairing that second working group. The main thing we’re delivering in Delhi is the result of a survey of what infrastructure people think should be protected.
To give my answer to that question: all. Why should _any_ _civilian_ infrastructure _ever_ be a target for inter-national disputes at all? In how far is that ok?
I agree, and that’s exactly my motivation, and PCH’s organizational motivation. However, we’re a small organization, and cannot reach “all” in a single step. With the concurrence of many like-minded governments, however, we can advance toward that goal by taking a number of smaller steps, and gathering momentum along the way. The fact that the entire goal cannot be reached in a single step is not a reason to avoid working toward the goal.
If we do need rules, how about "don’t attack anyone"? And if anyone breaks that, one has to answer in a courtroom and bear the consequences of one's actions.
Unfortunately, Westphalia. And armies. So, it would be nice, but people with guns don’t want to listen to us. And we can’t force them without stepping down to their level. And I hope that’s not a compromise that any of us would make.
It only takes a couple of minutes when one does not question the premise and actually thinks about this topic. Please be honest about this. You are chairing that working group. There is nothing easy about that topic.
Indeed, it’s a very difficult topic, and has taken a portion of my time and effort for more than twenty years, now. Likewise, it’s taken the time and effort of a number of other people. But we can’t expect everyone to put very much time and effort into it, regardless of how right-thinking they may be on the topic, because people have lives and work and those must be attended to. So, I try to bring other people into the process when I have some degree of confidence that the amount of their time that I’m asking for is an amount that’s justified by the benefit, and is unlikely to be wasted. The survey you’re seeing is a vastly-simplified one that’s distilled from the results of a previous survey that had several hundred much more specific questions. A much smaller number of people were able to afford the time to work through it, but their contribution was very valuable, in that it allowed us to draft this simpler one, based on its results.
When you say “question the premise,” do you mean the implicit premise that it’s possible to assign relative priorities to the protection of these different infrastructures, when you’d much rather none of them were attacked? Or do you mean something else?
This isn’t an ideological position, it’s a pragmatic one. I think our ideology is in agreement, in so far as I can tell from what you’ve written.
I wonder: what is this process that will make my life easier?
If we succeed in achieving a norm, the diplomatic costs of violation of the norm will place a disincentive on violators, and yield a relative reduction in the number of national cyber-attacks we all have to cope with. Leaving us with more time for our lives and work. For some of us, the amount of time invested, particularly if it can be just a few minutes filling out a survey, can be relatively quickly recouped in the event of even a modest success.
-Bill
Hi
* on the Tue, Nov 14, 2017 at 09:41:29PM -0800, Bill Woodcock wrote:
The work has been divided into two working-groups: one is addressing the question of what a norm should say (i.e. “Governments shouldn’t cyber-attack X”).
It's much simpler than that. The difference between black hats and white hats is only one: White hats publish.
Because the victims of vulnerabilities exploited will be everyone, maybe with the exception of your specific organization. If your spy-agency hoards vulnerabilities, the victims will be your own police, army, hospitals, power plants and citizens. Plus everyone else. And that's not how you spell "security". It's not even how you do "national security", it's actually "endangering national security" -- and your own outfits are doing it.
Therefore, the only right thing to do is to compel everyone to publish security vulnerabilities, and ostracize everyone who hoards them.
Cheers
Seegras