3.3 Security
Global security and stability are increasingly dependent on digital security and stability. The scope of threats is growing. Cyber capabilities are developing, becoming more targeted, more impactful on physical systems and more insidious at undermining societal trust.
“Cyber attacks” and “massive data fraud and theft” have ranked for two years in a row among the top five global risks listed by the World Economic Forum (WEF).152 More than 80% of the experts consulted in the WEF’s latest annual survey expected the risks of “cyber-attacks: theft of data/money” and “cyber-attacks: disruption of operations and infrastructure” to increase yearly.153
Three recent examples illustrate the concern. In 2016, hackers stole $81 million from the Bangladesh Central Bank by manipulating the SWIFT global payments network.154 In 2017, malware called “NotPetya” caused widespread havoc – shipping firm Maersk alone lost an estimated $250 million.155 In 2018, by one estimate, cybercriminals stole $1.5 trillion – an amount comparable to the national income of Spain.156
Accurate figures are hard to come by as victims may prefer to keep quiet. But often it is only publicity about a major incident that prompts the necessary investments in security. Short-term incentives generally prioritise launching new products over making systems more robust.157
The range of targets for cyber-attacks is increasing quickly. New internet users typically have low awareness of digital hygiene.158 Already over half of attacks are directed at “things” on the Internet of Things, which connects everything from smart TVs to baby monitors to thermostats.159 Fast 5G networks will further integrate the internet with physical infrastructure, likely creating new vulnerabilities.160
The potential for cyber-attacks to take down critical infrastructure has been clear since Stuxnet was found to have penetrated an Iranian nuclear facility in 2010.161 More recently concerns have widened to the potential risks and impact of misinformation campaigns and online efforts by foreign governments to influence democratic elections, including the 2016 Brexit vote and the American presidential election.162
Other existing initiatives on digital security
The Paris Call for Trust and Security in Cyberspace is a multi-stakeholder initiative launched in November 2018 and joined by 65 countries, 334 companies – including Microsoft, Facebook, Google and IBM – and 138 universities and non-profit organisations. It calls for measures including coordinated disclosure of technical vulnerabilities. Many leading technology powers, such as the USA, Russia, China, Israel and India, have not signed up.173
The Global Commission on Stability in Cyberspace, an independent multi-stakeholder platform, is developing proposals for norms and policies to enhance international security and stability in cyberspace. The commission has introduced a series of norms, including calls for agreement not to attack critical infrastructure and non-interference in elections, and is currently discussing accountability and the future of cybersecurity.
The Global Conference on Cyberspace, also known as the ‘London Process’, is a series of ad hoc multi-stakeholder conferences held so far in London (2011), Budapest (2012), Seoul (2013), The Hague (2015) and New Delhi (2017). The Global Forum on Cyber Expertise, established after the 2015 Conference, is a platform for identifying best practices and providing support to states, the private sector and organisations in developing cybersecurity frameworks, policies and skills.
The Geneva Dialogue on Responsible Behaviour in Cyberspace provides another forum for multi-stakeholder consultation.
The Cybersecurity Tech Accord and the Charter of Trust are examples of industry-led voluntary initiatives to identify guiding principles for trust and security, strengthen security of supply chains and improve training of employees in cybersecurity.174
Compared to physical attacks, it can be much harder to prove from which jurisdiction a cyber-attack originated. This makes it difficult to attribute responsibility or use mechanisms to cooperate on law enforcement.163
Perceptions of digital vulnerability and unfair cyber advantage are contributing to trade, investment and strategic tensions.164 Numerous countries have set up cyber commands within their militaries.165 Nearly 60 states are known to be pursuing offensive capabilities.166 This increases the risks for all as cyber weapons, once released, can be used to attack others – including the original developer of the weapon.167
As artificial intelligence advances, the tactics and tools of cyber-attacks will become more sophisticated and difficult to predict – including more able to pursue highly customised objectives, and to adapt in real time.168
Many governments and companies are aware of the need to strengthen digital cooperation by agreeing on and implementing international norms for responsible behaviour, and important progress has been made especially in meetings of groups of governmental experts at the UN.169
The UN Groups of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security have been set up by resolutions of the UN General Assembly at regular intervals since 1998. Decisions by the GGE are made on the basis of consensus, including the decision on the final report.170 The 2013 GGE on Developments in the Field of Information and Telecommunications in the Context of International Security agreed in its report that international law applies to cyberspace (see text box).171 This view was reaffirmed by the subsequent 2015 GGE, which also proposed eleven voluntary and non-binding norms for states.172 The UN General Assembly welcomed the 2015 report and called on member states to be guided by it in their use of information and communications technologies. This marks an important step forward in building cooperation and agreement in this increasingly salient arena.
DIGITAL COOPERATION ON CYBERSECURITY
The pace of cyber-attacks is quickening. Currently fragmented efforts need rapidly to coalesce into a comprehensive set of common principles to align action and facilitate cooperation that raises the costs for malicious actors.175
Private sector involvement is especially important to evolving a common approach to tracing cyber-attacks: assessing evidence, context, attenuating circumstances and damage. We are encouraged that the 2019 UN GGE176 and the new Open-Ended Working Group (OEWG)177 which deal with behaviour of states and international law, while primarily a forum for inter-governmental consultations, do provide for consultations with stakeholders other than governments, mainly regional organisations.
In our Recommendation 4, we call for a multi-stakeholder Global Commitment on Digital Trust and Security to bolster these existing efforts. It could provide support in the implementation of agreed norms, rules and principles of responsible behaviour and present a shared vision on digital trust and security. It could also propose priorities for further action on capacity development for governments and other stakeholders and international cooperation.
The Global Commitment should coordinate with ongoing and emerging efforts to implement norms in practice by assisting victims of cyber-attacks and assessing impact. It may not yet be feasible to envisage a single global forum to house such capabilities, but there would be value in strengthening cooperation among existing initiatives.
Another priority should be to deepen cooperation and information sharing among the experts who comprise national governments’ Computer Emergency Response Teams (CERTs). Examples to build on here include the Oman-ITU Arab Regional Cybersecurity Centre for 22 Arab League countries,178 the EU’s Computer Security Incident Response Teams (CSIRTs) Network,179 and Israel’s Cyber Net, in which public and private teams work together. Collaborative platforms hosted by neutral third parties such as the Forum of Incident Response and Security Teams (FIRST) can help build trust and the exchange of best practices and tools.
Digital cooperation among the private sector, governments and international organisations should seek to improve transparency and quality in the development of software, components and devices.180 While many best practices and standards exist, they often address only narrow parts of a vast and diverse universe that ranges from talking toys to industrial control systems.181 Gaps exist in awareness and application. Beyond encouraging a broader focus on security among developers, digital cooperation should address the critical need to train more experts specifically in cybersecurity:182 by one estimate, the shortfall will be 3.5 million by 2021.183