The world at stake
23 January 2020
As threats to cybersecurity rise, international collaboration is vital to ensure adequate security measures are taken. Nations and companies have made declarations of unity and partnership, but how realistic is this aim? Andrew Tunnicliffe finds out with cyber experts Drew Mitnick of AccessNow and Paul Hingley, Siemens’ UK business unit manager for data services.
“The internet is at risk. Malicious actors are clashing online, using digital products as weapons,” warned French President Emmanuel Macron in November 2018. His comments weren’t particularly groundbreaking, but they gave new impetus to those who have argued against the militarisation of cyberspace.
“We’ve allowed the enemies of liberty to gain prominence, casting away everything we fought long and hard for,” he added.
Speaking at the Paris Peace Forum, Macron announced more than 50 countries and 250 global organisations had endorsed an agreement to limit the use of cyberspace for hostile purposes, the Paris Call for Trust and Security in Cyberspace (Paris Call).
The Paris Call – keep cyberspace secure
“The Paris Call seems to have a series of commitments that the endorsers, at least, support,” says AccessNow’s Drew Mitnick, a cybersecurity and human rights expert. “It would limit some of the harms we’ve seen, things like preventing the spread of malicious ICT tools, for example, or ensuring your digital product is secure. Things that would benefit everyone and that have, at times, been challenged by the way some of the actors have treated them.”
The Paris Call requires signatories to increase resilience to malicious online activity, prevent electoral interference and trade secret violations, counter state-backed and ‘mercenary’ activity, and improve ‘cyber hygiene’ by bolstering the security of the internet and devices that connect to it through stronger international standards.
“A lot of emphasis is on the establishment of norms to prevent some of the harms that are arising, particularly in relation to the way states are using cyber-offensive operations, and even the private sector,” Mitnick continues.
Welcoming the announcement in a blog he wrote before speaking to us, he said, “While the deal is far from perfect, its commitments largely benefit users, including users at risk, and will reinforce valuable norms of behaviour online.”
The months following the Paris Call have seen further moves from signatories to work towards collaborative cybersecurity. The Kosciuszko Institute has released a report in partnership with Microsoft and PwC, titled ‘Cybersecurity Call: Defining Threats, Applying Solutions’. The report was released at the 2019 European Cybersecurity Forum (CYBERSEC) in Brussels, where cooperation was a major theme.
“European and transatlantic allies should be ready to respond to this threat with collective measures and through cooperation of like-minded governments, institutions and agencies as well as through partnerships with private and non-governmental entities,” said Izabela Albrycht, president of the CYBERSEC Forum.
Global cyber initiatives – the industry steps in
Cyberspace is fast becoming the next frontier for state actors and criminals wanting to cause harm. The Paris Call aims to address this, as does the Siemens-launched Charter of Trust initiative to develop and implement rules for ensuring cybersecurity throughout the networked environment.
“The Charter was identified by Siemens in 2018,” explains Paul Hingley, the company’s business manager for data services in the UK. “As we move into this digital transformation of industry, we have to develop a trust model that our customers can buy into and understand, and feel confident their suppliers are looking at the overall holistic approach to security.”
Although its customers are increasingly aware of the threats they face through a more integrated and connected business, and the outside world, Hingley says there is more to be done, and the momentum needs to be ratcheted up. “Governments are understanding there is a digital transformation going on. But is business acting quickly enough? No, not yet.”
This is why standards need to be developed that are applicable to all. Speaking of the UK specifically, Hingley warns it will take something “catastrophic” before anything changes in a big way – something the Charter of Trust wants to avoid.
NCSC is established.
Noting recent high-profile cases of data breaches and malicious attacks, such as the 2017 WannaCry episode, he says openness is key. “The more people talk about this, the more they stand up and provide good competent information, the more the marketplace will gain an understanding of how they design and develop their levels of protection.”
Charter of Trust initiative is launched by Siemens at the Munich Security Conference.
Hingley says collaboration is vital and calls on the industry to embrace the principles of the charter, promoting them as a benchmark for the way industry and suppliers are taking security seriously.
EU states introduced laws to facilitate the implementation of the NIS Directive.
“To me, the Charter of Trust is a good vehicle to remove some of the conservatism from the digital transformation,” he adds. “Some companies are concerned about changing their digital footprint because of concerns of security. By dealing with companies providing services and solutions that are on the Charter of Trust, you get that consistency and confidence.”
Russia, China and the US fail to sign
Both the Charter of Trust and the Paris Call emphasise the need to work together in order to demilitarise the internet and promote peace online.
French President Emmanuel Macron announces the Paris Call at the Paris Peace Forum.
“Peace online is essential for the functionality of the various processes that require internet access,” says Mitnick. He warns that if the issue of online, and in many cases device, security isn’t addressed, users may lose trust and migrate away from platforms that aren’t seen to be doing enough.
The Kosciuszko Institute released the report ‘Cybersecurity Call: Defining Threats, Applying Solutions’ at CYBERSEC 2019 in Brussels.
“Without creating trust in security, there are big human rights harms and economic losses. There is also a risk to international relations with the way countries engage with each other.”
That suggestion is, perhaps, borne out by the failure of the US, China and Russia to support the Paris Call, which aims to restrict how nation states use the internet and other cyber means to threaten critical national infrastructure, and spy on citizens and on each other. Without their support, questions have been raised as to how effective the agreement really can be.
NCSC hosts the CYBERUK conference in Glasgow.
However, that failure to endorse is just part of the picture for Mitnick. “I think it more identifies where there is support for the commitments within the Paris Call,” he says. China and Russia have thrown their weight behind UN initiatives that, he argues, simply aren’t as robust. “They have this idea of a stronger UN-focused approach, which would not, at least in the work we’ve seen, provide the same kind of principles focused on human rights.”
Is cybersecurity being used as a disguise?
Some commentators have argued there are countries that don’t have the interests of a safer cyberspace at heart.
Mitnick goes further, pointing out that a few are using the guise of cybersecurity to further their own ambitions by introducing measures they claim promote safety and security. “We can speculate as to how these powers are being used, but without more transparency we can’t have an effective conversation about whether they are used appropriately.”
He believes that some states are using powers to sweep up data and surveil citizens. It is here, he says, the Paris Call needs to go further. “The Call talked about private sector hacking, but didn’t talk about government hacking, although it was implied. There is room for the Paris Call to address some of these questions,” he says.
Finding that balance is a challenge, and often open to interpretation. In May 2018, EU states were required to introduce laws that facilitated the implementation of the NIS Directive, developed to increase levels of cybersecurity across the bloc. Like the Paris Call and Charter of Trust, the directive is intended to develop a culture of cybersecurity across borders and critical infrastructure sectors such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
One country succeeding in this, according to Siemens, is the UK. “The UK finds itself in quite a unique position,” Hingley says. “If you look at what it is doing with the National Cyber Security Centre (NCSC), it’s a massive step forward. The government has acted. The future of all governments within Europe is to look at that type of approach which allows states to react a lot more quickly.”
Established in 2016, the NCSC works collaboratively, responds to attacks and provides information. In April 2019 the organisation hosted the CYBERUK conference in Glasgow, which saw experts from the ‘Five Eyes’ intelligence agencies – the UK, Australia, New Zealand, Canada and the US – discuss global response to the threat.
Some remain cautious on the issue of being able to establish peace online, not least Mitnick. Although he is positive about much of what has been done, he flags the different approaches of some, and the risks posed by using the cybersecurity conversation as a weapon itself. “There are a number of governments that are perhaps not using this moment to engage with the international community as well as they should be. They are prioritising national sovereignty rather than collective security,” he says.