The Game of Rules

22 September 2015

Can Cybersecurity Be a Uniting Force?

Oleg Demidov is a consultant at the PIR Center.

Yelena Chernenko - PhD in History, Head of the International Section (Kommersant newspaper), Member of Presidium of the Council on Foreign and Defence Policy (SVOP), Member of the PIR Center Working Group on International Information Security and Global Internet Governance.

Resume: Not so long ago Russia was the only country to advocate the adoption of a code of responsible conduct in cyberspace. Today the expert community is already actively discussing the need for such a code with regard to the global Internet infrastructure.

Even though adopting an international code of responsible conduct in cyberspace would serve the national interests of Russia, not all of the rules proposed by Moscow are acceptable to Western countries. Yet there are at least three norms that would strengthen Russia’s security without angering its political opponents.

Not so long ago Russia was the only country to advocate the adoption of a code of responsible conduct in cyberspace. Concerned about the growing number of actors and threats in cyberspace, the Russian authorities suggested negotiating generally acceptable rules of conduct, at least at the national level. To make its case, Russia compared the use of information and communication technologies with highway traffic, and found that a lack of clear rules makes collisions inevitable, including interstate accidents.

Guided by its own national interests, Russia tried not only to protect its resources from cyber threats in the strict sense (software and hardware sabotage, computer espionage, etc.), but also to prevent the use of information and communication technologies for political purposes (to manipulate public opinion in other countries, destabilize regimes, etc.).

Until recently, Western countries were not interested in rules of conduct and viewed Russian initiatives as nothing less than an attempt to establish tighter national control over the Internet and limit the cyber potential of other countries, primarily the United States. Therefore, it is not surprising that a draft International Code of Conduct for Information Security was not even discussed when Russia and several other SCO countries (China, Tajikistan, and Uzbekistan) presented it at the UN General Assembly in September 2011. The draft UN Convention “On International Information Security,” prepared by the Russian Security Council and Foreign Ministry and proposed two weeks later, received the same treatment. In addition to making it illegal to use the Internet to interfere in other countries’ internal affairs and remove regimes, Russia also proposed banning the militarization of the World Wide Web, while giving governments broad powers within their national segments. But the West did not understand this position.

FROM MARGINAL TO MAINSTREAM

Since then the situation has changed somewhat. Growing technological openness (spurred by the rapid development of information and communication technologies and their penetration into more spheres of life) has made countries increasingly dependent on these technologies and therefore more vulnerable. Although some experts predicted a cyber Pearl Harbor, thankfully there has not been one yet. But there have been large-scale attacks on major U.S. banks, numerous instances of industrial cyber espionage and hacking of government resources, and also the reverberating act of sabotage against Sony Pictures. To further complicate the situation, NSA whistleblower Edward Snowden revealed that global online spying by U.S. security agencies was only the initial stage of U.S. military cyber strategy. The next stage calls for developing and planting malware designed to sabotage the enemy’s critical infrastructure, including banking systems, power and water supply systems, industrial enterprises, and airports.

All these developments changed the status of the discussion on states’ behavior in cyberspace from marginal to mainstream. Many European countries, authoritative analytical centers, and even the software giant Microsoft have presented codes of conduct.

Changes have occurred at the United Nations as well. In June 2015, the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security concluded that international law was applicable to the use of information and communication technologies and could, if necessary, be supplemented with new norms, including rules and principles for the responsible conduct of countries in information space. The GGE is made up of representatives from 20 countries, including Russia. The unanimously approved report was sent to the UN Secretary-General for submission to the forthcoming 70th session of the UN General Assembly.

Russia has not abandoned its previous initiatives. In January 2015, acting on behalf of all SCO states, Russia presented an updated version of the International Code of Conduct for Information Security at the United Nations. Although the idea of adopting such a code is no longer frowned upon in the world, the document does not have a bright future.

Some of the provisions proposed by Russia and its SCO partners may be acceptable for Western countries. These include, for example, a provision requiring countries to develop practical confidence-building measures to increase predictability, reduce misperception, and diminish the risk of conflict.

The proposed measures include, inter alia, voluntary exchanges of information on national strategies and organizational structures aimed at promoting national information security, the publication of White Papers, and exchanges of the best practices wherever practicable and expedient. The OSCE adopted similar confidence-building measures in late 2013, and there are reasons to believe that this practice could be expanded globally.

The SCO’s proposal to force countries to assist developing countries in enhancing their information security capabilities and closing the digital divide will not antagonize the West.

But the U.S. and its European partners will likely once again oppose some of the norms critical for Russia’s national interests. These include a ban on the use of information and communication technologies (ICT) and information and communication networks for interfering in the internal affairs of other countries and undermining their political, economic, and social stability. Western countries rejected this proposal before as an attempt by authoritarian regimes to protect themselves from outside influence.

Nor will the West support the SCO’s proposal to mandate countries to work towards ensuring security in the delivery of ICT goods and services, and to prevent other countries from using their dominant position in the IT sector to undermine the right of states to independent control of ICT products and services, or to threaten their political, economic, and social security. The U.S., which holds such a “dominant” position in this field, has no need for this kind of self-restriction at all.

The same is true about the provision in the Code that “all states must play the same role in, and carry equal responsibility for, international governance of the Internet.” At present, a non-profit organization known as ICANN (Internet Corporation for Assigned Names and Numbers) has the primary responsibility for governing the Internet and acts under an agreement with the U.S. Department of Commerce. By proposing changes to this model in order to “internationalize” Internet governance, Russia is insisting that control over critical business processes and operation of key infrastructures be handed over to the international community, which usually means a non-governmental organization such as the International Telecommunication Union (a specialized UN agency). However, this goal seems unachievable in the foreseeable future, mainly because the proposed institutional architecture is not consistent with the principle of Internet governance by all interested parties the way it is understood in the West, many other parts of the world, and the technical community itself.

SPARE THE BANKS

But the situation is not hopeless. There are norms that fully serve the national interests of Russia and should not irritate its Western counterparts. One of the noteworthy proposals GGE members are discussing is a political construct banning attacks on banking infrastructure facilities. Such a construct can be devised not by adopting a legally binding international document, but by encouraging countries to reach an informal agreement on the inadmissibility of computer attacks and other malicious infiltrations of networks and information systems used by banks.

Importantly, it was Russia that put forth this proposal at the GGE. It was first mentioned in a resounding article by Andrei Krutskikh, the Russian president’s special representative on information security, and Anatoly Streltsov, adviser to the director of the Moscow State University’s Information Security Institute, published in International Affairs in November 2014. The authors suggested using the tactic of taking small steps and, as the first step, protecting banking infrastructure by signing a “non-aggression pact” with regard to banks.

What already makes this proposal interesting is that it reflects certain progress in the Russian approach to international information security. Previously, the prevailing view among Russian government agencies was that there should be a single universal agreement on international information security. Splitting the agenda was to be avoided, because it would limit the agreement to the technical aspects of network and information system protection (using methods acceptable to Western partners) and remove the content issues that are a high priority for Russia, including the influence of transborder information flows on the sociopolitical situation in sovereign states. The stalemate in the dialogue on a global cyberspace agreement apparently made Russia adopt a more flexible position, and it no longer considers this tactic a concession to the West.

This position proved useful in 2013 when Russia and the U.S., locked in long disputes over terminology and other issues, managed to hammer out and sign a series of bilateral agreements aimed at building confidence in the use of information and telecommunication technologies. These agreements focused entirely on the technical aspects of cooperation and avoided the issue of content: exchange of information between national CERTs, establishing instant lines of communication on cyber incidents, and channels for exchanging information about incidents between the national Nuclear Risk Reduction Centers. They were an example of such small steps, and they worked quite well until the conflict erupted in Ukraine.

However, some Western experts have already criticized the idea of an informal non-aggression pact in respect to bank information systems as “unrealistic.” Replying to Krutskikh and Streltsov in an article published as part of analytical materials released by the Tallinn-based NATO Cooperative Cyber Defense Centre of Excellence (CCD COE) in May 2015, Wolff Heintschel von Heinegg, a military law expert at European University Viadrina in Frankfurt, Germany, made three arguments against an agreement protecting critical infrastructure facilities from cyber attacks. His chief argument was that most countries had already drawn up lists of targets among their enemies’ facilities, and if such targets were legitimate from the viewpoint of military law, nothing could prevent them from attacking those facilities, if necessary, in the event of armed conflict.

But this argument has a serious flaw in logic since it describes the possibilities and legal limits of states’ behavior only in time of war. This approach can be relevant (but again not unconditionally) for such facilities as nuclear power plants or military command posts and their IT infrastructure, against which cyber attacks by countries or intermediaries occur very rarely in peacetime. This is not the case with cyber attacks on banking infrastructure, which is one of the key targets for such actions in peacetime. There has been a steady rise in the number of incidents involving advanced persistent threats that require resources available only to big companies or government agencies.

A series of DDoS attacks using the infrastructure of hacked cloud data centers powered by Amazon and Google affected several major U.S. banks from September 2012 to March 2013, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, Capital One, and HSBC. Given the scale of the attacks and the level of their coordination, as well as the extremely complex way of channeling DDoS traffic, some U.S. experts and media outlets openly accused Iran, whose nuclear program was at the center of an international diplomatic crisis at that time. However, the Americans did not produce any technical, let alone legally valid, proof of Iran’s guilt. Yet they almost never do in such cases.

Another series of attacks supposedly involving government intermediaries targeted JPMorgan Chase & Co. and several other leading U.S. financial organizations such as Citigroup, HSBC Holdings, E-Trade, and Regions Financial Corporation. The attacks launched throughout 2014 were quite unusual in that they did not steal money from bank accounts, but the personal data of both individuals and corporate clients. Responsibility for the attacks was ascribed to a team of hackers connected with a government contractor, namely Russia.

It is not possible to expose the involvement of countries or intermediaries in attacks on banks, but it is an undeniable fact that the range of technical capabilities used for such actions is constantly growing, and as long as their origin remains unknown, the likelihood of such attacks will continue to increase. Therefore, preventing cyber attacks on banking infrastructure cannot be limited to wartime only.

Heintschel von Heinegg also argues that a formalized agreement between countries, whereby they pledge not to attack critical infrastructure facilities, will not work without comprehensive verification mechanisms, and therefore cannot be achieved. In his opinion, establishing such mechanisms is also unrealistic, since there is no way to differentiate between malicious programs in cyberspace and harmless software and hardware.

These assertions raise questions. First of all, in the case of banks it need not be a formalized agreement. Furthermore, there are technical means to verify the absence of attacks on banks. Technically, they are similar to those established by the abovementioned Russian-U.S. agreements for exchanging information on cyber incidents, with a focus on information exchanges between specialized CERTs/CIRTs. Such centers exist not only in the U.S., which has its own Computer Incident Response Teams (for example, Bank of America’s CIRT) and specialized industry structures (the Financial Services Information Sharing and Analysis Center, or FS-ISAC), but also in many other countries.

The problem lies elsewhere, mainly with the lack of sufficient trust, which prevents key cyber powers from voluntarily complying with this political norm. Disclosing information about incidents remains a sensitive issue for banks, since successful attacks can damage their reputation. This problem adds to the lack of trust between countries because of political factors. Will the Central Bank of Russia agree to share with its American colleagues information about a successful attack on its intranet or on Sberbank’s corporate network in the current political situation? And will the Americans want to share information about incidents with the Chinese, whom they suspect of co-planning most of the advanced persistent threats to U.S. government institutions and private corporations?

Another problem that makes a hypothetical agreement doubtful is the differences in national bank regulations, including restrictions on the disclosure of information regarding the security of banks and other financial institutions. Effective information exchanges about incidents in bank networks may require some countries to change their national legislation, which will complicate the process immensely. Exchanges in which every party provides only as much, and only the kind of, information it is able to provide could yield unequal benefits and throw the whole arrangement into doubt. So there are reasons for skepticism about a political construct designed to prevent attacks on banks’ IT infrastructure, but they are somewhat different from the ones Western experts cite.

PEACE TO NUCLEAR FACILITIES!

Moving slowly in developing rules of conduct for countries in cyberspace is not limited to agreements in the banking sector. Work has been underway in parallel for some time to step up international cooperation to ensure the cybersecurity of peaceful nuclear facilities. Debate over the need for new international, including legal, instruments for countering cyber threats to nuclear facilities intensified after the discovery of the Stuxnet worm in 2010 and has been gaining momentum ever since.

However, most initiatives come from experts and do not receive unequivocal official support even though governments show interest in these issues and often encourage discussion. The IAEA-sponsored International Conference on Computer Security in a Nuclear World, which took place from June 1-4, 2015, was the latest milestone in this discussion. Most reports and debates at the conference revealed a considerable gap between the views of experts and how cybersecurity in the nuclear industry is understood by states and inter-governmental organizations. Governments are much more cautious in assessing prospects for close international cooperation and developing new mechanisms in this sphere.

The reasons are clear. The nuclear industry is a very sensitive element of national security, which limits information exchanges on nuclear incidents and transboundary assistance in their investigation. The concept of multilateral sharing of experiences can only be applied in the nuclear industry to a limited extent since the degree of equipment and technical process standardization in this sector is not very high, and the global market is divided among a relatively small number of suppliers, who as a rule clearly belong to a particular country.

Finally, the “standard” set of confidence-building measures established by Russian-U.S. agreements and the OSCE is not fully applicable to the nuclear industry, where threat models and scenarios differ from DDoS attacks on banking infrastructure. Because industrial networks at nuclear facilities are physically isolated, the threat to them is not volumetric attacks from the Internet but stealthy targeted attacks sustained over a long period of time. Such attacks exploit the human factor to spread from the business network into the industrial segment, or stem from incidents caused by software and hardware bugs implanted into supplied equipment. As a result, around-the-clock traffic monitoring, which is a key element of CERT interaction when it comes to threats spread via the Internet, is not always practicable in this sector.

More attention should be paid to improving the competence and training of personnel in the field of information security, as well as certification and testing of software and hardware at nuclear facilities for vulnerabilities. Finally, there are a number of specific issues on the agenda, such as developing and adopting encryption standards for data transmitted via intranet, including from/to automatic process control systems at nuclear facilities. As a developer and owner of advanced nuclear safety practices and one of the trendsetters in the field of international information security, Russia could initiate joint international efforts to ensure cybersecurity at civilian nuclear facilities.

SMALL STEPS LEAD TO BIG ACHIEVEMENTS

In order to understand what kind of solution is the most suitable for the international community, including Russia, so that all parties can reach an initial agreement on the rules of conduct in cyberspace, let us describe the perfect one. Based on the tactic of taking small steps, the main goal should be to secure not only the practical usefulness of the proposed mechanism, but also the very possibility of consensus within a group of cyber powers —“step zero” as the basis for broadening the scope of agreements in the future. In our opinion, there are several criteria that could facilitate the consensus.

  1. The object of an agreement specified to the fullest extent possible and unambiguously understood. The bilateral agreements between Russia and the U.S., the signing of which was stalled for at least a year because of disagreement over just one term, are an excellent illustration of how conceptual and terminological differences complicate the search for consensus. ICT infrastructure operated by each negotiating country, preferably identical or at least as uniform as possible, could be an ideal object.
  2. The object is “technical” as much as possible and unpoliticized. The content of online communication or regulation of propaganda on the Internet in peacetime or during war cannot serve as the object of a “pilot” agreement on the rules of conduct in cyberspace, as it will inevitably raise the issues of human rights, freedom of information, information sovereignty, and other politicized questions on which no broad international consensus can be achieved at this point in principle. The more pure technology there is in the object, the better the chances to come to agreement.
  3. The scope of an agreement as narrow as possible at the initial stage. Experience shows that all-embracing initiatives regulating cyberspace produce the “reverse logrolling” effect: even if a document contains important and constructive proposals on certain issues (as was the case with the documents put forth by Russia), attempts to cover a broad agenda at once will lead most negotiators to find unacceptable provisions and consequently reject the entire set of initiatives.
  4. A critical object. Countries will not have enough stimuli to establish a legal precedent by voluntarily agreeing to observe the rules of responsible conduct in cyberspace if the object (and subject) of such rules is of little value to their economies and national security. Ideally, states should negotiate the security of certain technical assets that are critical to all negotiating parties.
  5. Equal incentives for the contracting parties and no zero-sum approaches. States negotiating a code of conduct in cyberspace should benefit equally from compliance with it and be objectively motivated to ensure such compliance. Consensus is hardly possible when the subject of an agreement infringes upon the vital interests of one contracting party in favor of the others.
  6. Both official and hidden interests exist. One should not expect the U.S. to ban transborder unauthorized data collection or extraterritorial preventive cyber operations anytime soon. Likewise, China will hardly approve an agreement that bans intellectual property theft from computer networks and systems. Undeclared interests must be taken into account even if they are not quite legitimate or fail to live up to the spirit of international law.
  7. Verification at no excessive cost. Effective verification and monitoring of compliance with the agreements reached are vital for their implementation and subsequent development. But verifying compliance with the rules of conduct in cyberspace should not create excessive financial, technical, administrative, and legal costs for states, including those less developed technologically.

ELECTRONIC NON-AGGRESSION PACT

Other than banks and nuclear power plants, what infrastructure facilities or sectors meet these criteria? A possible solution is a norm banning attacks on the global infrastructure of the Internet itself, namely the system of so-called unique identifiers (UID). This is a globally hierarchized complex of infrastructure that makes up the Internet architecture, provides for interconnected communication, and delivers TCP/IP packets worldwide.

The UID system includes several key components:

  • the global hierarchical domain name system (DNS);
  • the Internet number resource distribution system, which includes:
      – the global IP address distribution system;
      – Autonomous System Numbers (ASN);
  • the port number and Internet protocol registers.

The system of unique identifiers, the only truly global Internet infrastructure, is hierarchical rather than territorial; that is, it is not divided by national borders or any other territorial segments. Another unique feature of the UID system is that its security, stability, and fault tolerance are not the responsibility of individual countries, but of the global technical community and its structures. However, all states and territories without exception benefit equally and unconditionally from the stable, safe, and fault-free operation of this system. Moreover, virtually all members of the international community, with the possible exception of North Korea, are critically dependent on the proper and smooth operation of the World Wide Web’s infrastructure.

Neither the UID system nor its critical elements, such as the DNS root servers, have so far been crippled by purposefully hostile actions, but this does not mean that such attacks are impossible. An interstate agreement to refrain from attacks on the top, global level of this infrastructure could become a constructive step emphasizing the importance of the stable, safe, and fault-free operation of the UID system. Such an agreement will not affect anyone’s “hidden” interests: the system is global, and it is practically impossible to attack its upper level for the sole purpose of harming just one country. Neither Iran, nor Russia, nor the U.S., nor China, nor any other country has an interest in preserving the freedom to take hostile action against the global Internet infrastructure.

An agreement on mutual guarantees of non-interference in the operation of the UID system can have additional value for Russia and other countries in terms of advancing national interests. One of Russia’s chief concerns about Internet governance is that an excessive amount of control over critical business processes and Internet infrastructure is concentrated with organizations operating in U.S. jurisdiction, as well as with the U.S. federal government itself. In July 2014, the impact of this factor on Russia’s security was studied during an exercise held by the Communications Ministry jointly with the Federal Security Service, the Federal Guard Service, the Defense Ministry, the Interior Ministry, the MSK-IX Internet Exchange Point, and the National Coordination Center for TLD.RU/.РФ. The results of the exercise were reviewed at a special meeting of the Russian Security Council.

The exercise involved several scenarios, including “an external hostile impact” to disrupt the operations of the Russian segment of the Internet. Presidential aide Igor Shuvalov said the exercise had revealed “insufficient stability” of the Russian Internet. He also noted that Internet infrastructure governance mechanisms, including DNS and the number resource distribution system, were still controlled by the U.S.

An agreement on non-interference in the operation of the UID system could prove instrumental for increasing trust between Russia and the U.S. and, to some extent, serve as a compromise on what the Internet infrastructure governance architecture should look like. Russia needs guarantees that the U.S. government will not use its administrative and legal instruments to exert pressure on technical organizations that operate the UID system in order to harm Russia’s interests.

A political agreement on non-interference in the work of the UID system could provide the guarantees Russia is seeking. Non-interference can mean more than a ban on such hostile actions as attacks, activation of implanted bugs, and other methods that disrupt the work of the infrastructure. This part is rather obvious and raises no questions. Establishing a broader interpretation of the term ‘non-interference’ to include a ban on administrative and legal methods of interference in the work of the technical community’s structures operating DNS and the number resource distribution system could be just as beneficial, at least for Russia.

The expert community is already actively discussing the need for a code of conduct in cyberspace with regard to the global Internet infrastructure. Nothing prevents Russia from including such norms in its package of initiatives and approaches concerning the responsible conduct of countries in cyberspace. Alongside protecting banks and nuclear facilities from cyber attacks, approving this initiative would serve the national interests of Russia and mark a step forward in international cooperation in the field of cybersecurity.
