What's New In the Field of Cybersecurity Cooperation

Veni Markovski

The last few months have shown a number of signs that cooperation in cyberspace is not just necessary, but it is vital for the survival of the Internet as we know it.

There is no need to provide links to all the articles and news stories that talk about the dangers of cyberattacks on the infrastructure in the USA or other countries — you can find plenty of them.

There were stories about Russian authorities speaking on banning Gmail, Skype and other services that use encryption. There were accusations by Google that China has hacked into accounts of US governmental officials. There were stories about the European Union trying to build an EU computer and emergency response team (CERT). And there were stories about hackers getting personal data from Sony, from Citi bank, breaking into the RSA algorithm, etc., etc.

There were also stories about the newly published US Strategy on international cyberspace. And there were stories about new legislation, mainly in the US, to deal with cyberthreats. Not to mention the stories saying that the US military may use conventional force to fight cyberattacks*.

What is really missing from these stories is the answer to the question "So, what?" Indeed, having all this information, one may only ask oneself, "What can be done to minimize the damage, deal with the criminals, and at the same time avoid the option of isolating, or even shutting down, the Internet?"

The key word is cooperation.

It is not new — among the first documented attempts of many governments to meet and talk on cybersecurity cooperation is the international meeting in Sofia, Bulgaria in 2003, as you can see here (in English).

One may note that the Budapest Convention on Cybercrime is also an attempt by many governments to reach an agreement on how to deal with cyber criminals. Some countries have joined, but some countries have shown a lack of desire to even consider joining.

The Internet is the hot word in many conversations — there are national, regional and international conferences and conversations going on constantly. People talk about connecting the next billion to the Net, about providing high-speed access to developing countries, and about controlling the Internet. Most recently, French President Sarkozy invited a number of Internet geeks and businessmen to talk about the future of the Internet at the last G8 meeting in France.

But what is missing from all these talks is concrete results.
Every specialist has an opinion, and while they are all trying to navigate between each other's opinions, nothing happens. There are powerful business, non-profit and government entities, based in the key countries — US, Russia, China, to name a few, which are competing for the attention of the policy makers, but not much is really happening.

And one might be surprised that the urging now comes from governments rather than from businesses. Big international business seems not to be much interested in encouraging international cooperation in the field of cybersecurity and combating cybercrime.

Governments and parliaments worldwide do exactly the opposite: they regularly come up with initiatives, but without the support of business, and with the usual lack of confidence from non-profits, these initiatives can't really fly.

Of course, some of the initiatives of the governments are also not viable. Recently there have been talks about either trying to push forward the Budapest Convention to be signed and ratified by other countries, or that there's a need for a new cyber treaty, which should be created under the UN, or perhaps under the ITU. While it is tempting to believe that these options are both good, reality might prove otherwise.

The Budapest Convention still stands as a monument to the western countries' desire to somehow both regulate and take into account basic human rights principles. The UN has shown that it might take ages to reach an agreement on any issue. The ITU has its own internal issues, with increased budget problems, lack of enough expertise, and attempts to change its scope of activities from telecommunications only to include some of the modern technologies, and these alone do not give it enough power to do something "real", regardless of the desire of the ITU Secretary-General to move the cybersecurity agenda forward.

Bilateral talks are one possible solution that is quick and easy to achieve. And while some argue that there is no way to reach bilateral agreements between each and every country, what they miss is that it is not actually necessary to reach such agreements between each and every country. The good example could come from the main players — China, Russia, USA, EU, but also Turkey, Ukraine, Brazil. And reaching a general understanding on the terms and conditions for an agreement might be very helpful to other countries, which would like to join the efforts of the "big ones". A possible platform for reaching such agreements might be the G8, the G20 or the OECD. Alternatively, the OECD could actually prepare the draft framework of an agreement to be accepted by any interested state.

Once such agreements are in place, and result in lowering cybercrime traffic between the participating countries, there will be no better example for the others.

While there is no need to go into detail right now about what such an agreement might include, there are at least several key issues it has to cover, among them:

  • Education and training of law enforcement, judges and prosecutors in how to combat cybercrime.
      • Without proper education and training, no matter how good the national or international legal framework is, there will be no success in lowering the level of cybercrime.
  • Support to national parliaments with legal expertise on introducing or changing the adequate legislation, mainly the Penal/Criminal Code.
      • If cybercrime is not defined in the Penal Code, then it is not a crime, so it can't be punished.
  • Raising public awareness.
      • If the people of a certain country think that cybercrime does not concern them, because they don't have enough users or a developed credit card system, or because the victims are overseas, that needs to be addressed. Losses from cybercrime are not limited to the countries where the victims are (today, that's mainly the US and EU); because of an insecure business environment, certain countries are simply excluded from the innovation and investment wave.

This article is based on extensive research and communication in the last couple of years.

Some serious efforts in the field of cybersecurity cooperation were made by the US administration in 2003, but the real work started with the Obama administration (with the International Strategy for Cyberspace, the National Cybersecurity Initiative, and, going back to the first days of his presidency, the 60-day cyberspace policy review, which produced a number of documents).

The US efforts were quickly followed by some major countries and regional organizations; among them, attention must be paid to:

  • the Shanghai Cooperation Organization and their document (in Russian) on cooperation in ensuring international information security, which was recently ratified by the required four countries, and is now in force.
  • the efforts of the European Union to define properly its cyber policy. The EU and European Commission efforts have faced some constraints, but they are moving again slightly, with upcoming hearings in the European Parliament, and a decision to enhance the role of ENISA.
  • the work of the GGE (Governmental Group of Experts) — a body that reported to the UN Secretary-General on cybersecurity issues. Some of their work is reflected in opinions expressed by the chair of the group, Russian foreign ministry official Mr. Andrey Krutskikh (see for example here, in Russian).

In summary, there's a lot of new stuff happening in this area, but the efforts so far are not as far-reaching as the stage of development of the Internet requires. Losses of online companies grow bigger, but they are addressed mainly through insurance companies and financial institutions. Many consider securing cyberspace to mean building better firewalls and enhancing the security of their networks.

* Something I wrote about in 1998, as published in the Bulgarian Military Journal, issue 5. (in Bulgarian, use Google Translate to get the sense)

Share your comments

The issue isn't who is already collaborating
Suresh Ramasubramanian – Jun 28, 2011 8:40 AM PDT

That would basically include the participants in several of the frameworks you named, plus participants in other groupings, including (quite likely) some that are closed / confidential etc.

The problem is that you will see a lot of cybercrime activity from nations that are not engaged in these frameworks, as well .. and that have so far not been very active in their engagement in any kind of multistakeholder effort. You will also see such activity from nations that have not been reached out to / lack capacity etc. etc.

The actual malicious activity may of course originate in an entirely different country, but the abused resource (be it a botted PC, open relay, bank used to process pill spammer payments etc) may be in such a country as I mentioned above.

I said as much in previous papers .. and so have other authors
Suresh Ramasubramanian – Jun 28, 2011 8:46 AM PDT

Multiple papers by the OECD, ITU, APECTEL SPSG etc - all saying much the same thing, advocating multistakeholder models of international cooperation.

[To be entirely fair, even the ITU's currently suggested model is multistakeholder, admittedly with a rather different set of stakeholders - nation states - having more say in these issues]

A new model for cooperation
Wout de Natris – Jul 01, 2011 3:00 PM PDT

Well written, Veni. I've been saying this for quite some time now, ever since the OECD anti-spam toolkit of 2006. Things are changing, Cyber Security Councils are springing up everywhere. Over the past two years I have become convinced that it is not about getting people into the same room, but working on their preconceptions (of each other and of cooperation) and then work on changing the course of things. The Cyber Crime Working Party at RIPE NCC may be a first example of how to go about these changes. Is it the model for the future? That could well be.

Do you have ideas beyond your introduction? If so, so do I and I'm on Skype.
