Tech community has role to play in improving efficiency of cyber norms
By Madeline M Carr, on 16 December 2019
The United Nations Internet Governance Forum (IGF) took place last month in Berlin with opening addresses from both the German Chancellor Angela Merkel and UN Secretary General António Guterres.
Thousands of people from all over the world, from the deeply technical to the highly political, along with many NGOs and a smattering of industry, gathered to discuss the ‘state of the net’. Some of the big recurring conversations revolved around the geopolitics of the Internet, emerging technical challenges related to the Internet of Things, and cyber norms – a very interesting area that we have been working on for many years now.
Cyber norms seek to clarify misunderstandings
Discussions about cyber norms began in the United Nations way back in 1998 when Russia called for international action to address the potentially destabilising effects of the Internet. This led to the formation of a UN ‘Group of Governmental Experts’ (UNGGE) that has now convened, in different configurations of a small number of states (but always the P5), several times over the course of the last decade.
In 2015, the UNGGE proposed 11 norms that states [hopefully] agree constitute proper behaviour. They’re quite wordy so I won’t reproduce them here but they refer to things such as information sharing, working to stop attacks emanating from within one’s borders and responsible reporting of vulnerabilities.
The objective of the UNGGE process has not actually been to ensure the smooth functioning of the Internet. Rather, it has been to avoid the possible escalation to a dangerous, kinetic conflict that might be brought about by misunderstanding, miscommunication or even deception through cyber incidents. By agreeing some ‘rules of the road’ for cyberspace, states hope to maintain international peace and security through those foundational principles of diplomacy – predictability and transparency.
While most dialogue about cyber norms focuses on the political dimension, we’ve been particularly interested in the response from the technical community – particularly the Cyber Security Incident Response Teams (CSIRTs or CERTs). These people really are the firefighters of the Internet, operating on the frontlines of global cyber incident response.
Within a much larger community, there is a small group of highly skilled, highly experienced people who operate in an informal network of deep trust and personal relationships. They work across borders, across sectors and without prejudice. And they have some significant concerns about the formulation and expected execution of some of the UNGGE norms.
So, what happened at the recent meeting?
Building on similar events over the past three years, 2019 marked our fourth workshop at the UNIGF in which we set out to explore this fascinating intersection of the technical and political dimensions of cyber norms.
This year, we did something particularly innovative and fruitful: We asked a group of leaders from the CSIRT community to take us through global incidents that they had been involved in and talk through how just one of the UNGGE norms mapped onto the actual practice of responding to these incidents.
Merike Kaeo discussed the 2007 Estonian attacks that really kickstarted the international community’s recognition of cybersecurity as a global political issue. She acknowledged that the norm on responding ‘…to appropriate requests for assistance…’ would have been helpful in that context but she questioned what exactly constitutes an ‘appropriate request’. By what criteria would she be expected to judge the appropriateness of a request?
Maarten van Horenbeeck talked about the ‘NotPetya’ ransomware incident that brought shipping giant Maersk to a standstill in 2017. Maarten drew out some of the complex jurisdictional issues that a multi-dimensional incident like this one raised.
He also commented on the engagement of this very tight-knit, trusted community with national CSIRTs, which may not always be part of this inner circle depending on their links to national security infrastructure. In such incidents, Maarten said, the national CSIRT might ‘help respond, coordinate and get awareness to other companies out there’ but would not necessarily be best placed to try to end the attack. In fact, Maarten suggested, bringing national CSIRTs in could introduce a dangerous ‘latency’ to the response effort.
Sumon Ahmed Sabir provided the network operator’s view of the 2016 Bangladesh Bank heist during which $100M was stolen using the SWIFT network. He gave a harrowing account of the response efforts to this incident. In Sumon’s view, the norms complicate an already highly complex and time-critical practice. He also made the point that most people in the technical incident response community know nothing of the norms and would see minimal benefit from them.
Expanding the reference of cyber norms
Of course, we must return to the point that these norms were not developed to aid incident response – they were developed to maintain international stability, peace and order. However, with the growing emphasis on implementation of the proposed norms, this diplomatic process now comes into conversation (or collision) with the pragmatic reality of how security practitioners work on the ‘front line’ when they collaborate to respond to cyber incidents. Here, we find a preference for much more specificity and clarity than is currently in the UNGGE document.
The overarching theme to emerge from these discussions was that it would be much more effective to have the technical community involved early on in the process of norms discussions because without their input and advice, the downstream operationalization of those norms can pose real challenges. And most critically, the diplomatic process may actually serve to inadvertently undermine or weaken the processes and practices that have, thus far, allowed us to bounce back from serious, widespread cyber incidents.
Madeline Carr is Professor of Global Politics and Cybersecurity at University College London and the Director of the UK Research Institute for Sociotechnical Cyber Security (RISCS).