
SDA - Cyber-Security - The Vexed Question of Global Rules


Cyber-security: The vexed question of global rules

An independent report on cyber-preparedness around the world. With the support of.

About the report

This report is published as part of the Security & Defence Agenda's (SDA) cyber-security initiative. It is intended as a snapshot of current thinking around the world on the policy issues still to be resolved, and will form the basis of SDA debates and future research during 2012.

About the SDA

The SDA is Brussels’ only specialist security and defence think-tank. It is wholly independent and this year celebrates its 10th anniversary.

About the author

Brigid Grauman is an independent Brussels-based journalist whose work appears widely in international media like the Financial Times and The Wall Street Journal. She’s currently engaged on a number of projects for institutions, including the European Commission.

Report advisory board

• Jeff Moss, Vice-president and Chief Security Officer at ICANN and founder of the Black Hat and DEF CON computer hacker conferences
• Reinhard Priebe, Director for Internal Security, Directorate General for Home Affairs, European Commission
• Andrea Servida, Deputy Head of the Internet, Network and Information Security Unit, Information Society and Media Directorate General, European Commission
• Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO
• Brooks Tigner, Editor and Chief Policy Analyst at Security Europe

My thanks to all those who contributed to this report, both those I have quoted and those I have not. Special thanks to Melissa Hathaway and Jamie Shea for their helpful comments on my draft text, to McAfee's Dave Marcus, Phyllis Schneck and Sal Viveros, and to the SDA’s Pauline Massart and Igor Garcia-Tapia.

A Security & Defence Agenda report
Author: Brigid Grauman
Publisher: Geert Cami
Date of publication: February 2012

The views expressed in this report are the personal opinions of individuals and do not necessarily represent the views of the Security & Defence Agenda, its members or partners.

Reproduction of this report, in whole or in part, is permitted providing that full attribution is made to the author, the Security & Defence Agenda and to the source(s) in question, and provided that any such reproduction, whether in full or in part, is not sold unless incorporated in other works.

Contents

Introduction
Recommendations

PART ONE

Section I. Clearing the booby traps from the cyber-security minefield
• Terminology: Cyber-war and cyber-attack have many meanings. It’s time to settle on just one
• Moving into uncharted waters: Cyber-crime pays because it’s profitable, low-risk and anonymous
• Trust is a most elusive notion: The internet was built on trust, and that’s why it’s so vulnerable

Section II. Tracking the cyber-revolution: New threats and changing ethics
• Cracking Duqu: The virus admired by experts
• Should we be talking of a new ethos?
• Smart phones pose security challenges
• Cloud computing: The challenges of separating network from content

Section III. Cyber-defence strategies: The hottest debates and conditions for success
• Developing an offensive stance; Cyber-crime and punishment; Protecting an increasingly integrated global system; How safe are SCADA systems?; Net neutrality; Towards international rules; Building a more solid architecture; Tackling weakest link countries; Securing the supply chain; Increasing awareness of the scale of the problem; Taking a holistic approach; Promoting dialogue between techies and decision-makers; Defining the role of governments; Governments must take greater care when taking advice; Information sharing at an international level; Thinking differently about cyber-security; Reducing secrecy; Harmonising codes and laws; citizen awareness; Defining pre-emptive cyber-attacks

Section IV. The quest for rules and regulations to govern cyber-space
• Cyber-norms and common security standards
• The difficulties of going global
• Adapting existing rules
• The lack of international mechanisms
• The “impossible dream” of a global treaty
• A realistic alternative to a peace treaty: Cyber-confidence measures
• The bodies competing to govern cyber-space
• Internet governance
• Standardisation
• Law enforcement
• Information sharing

Section V. Breaking down the walls between the cyber-communities
• The generation divide
• Improving trust between industry stakeholders
• Overcoming the barriers between rivals
• Are cyber-crime and cyber-security one and the same?
• Steps towards global sharing

Section VI. The private sector’s privacy dilemma
• Why the private sector would be better advised to share information
• Making regulations that make sense for everyone
• The blame game: From software companies to service providers, who should be responsible for what?

Section VII. Bearing the costs of cyber-insecurity
• The insurance sector wakes up

Section VIII. Private citizens: issues of freedom and protection
• Internet responsibility: From private users to corporate giants
• The cyber-security skills gap

PART TWO

Section I. A worldwide brainstorming of experts
• Key attitudes

Section II. Country-by-country stress tests
• Australia
• Austria
• Brazil
• Canada
• China
• Denmark
• Estonia
• The European Union
• Finland
• France
• Germany
• India
• Israel
• Italy
• Japan
• Mexico
• NATO
• The Netherlands
• Poland
• Romania
• Russia
• Spain
• Sweden
• United Kingdom
• United Nations
• United States of America

Section III. Indices and glossaries
• Cyber-sources: contributors to this report
• Glossary of organisations
• Glossary of companies

About the Security & Defence Agenda

Introduction

This report is made up of a survey of some 250 leading authorities worldwide and of interviews carried out in late 2011 and early 2012 with over 80 cyber-security experts in government, companies, international organisations and academia. It offers a global snapshot of current thinking about the cyber-threat and the measures that should be taken to defend against it, and assesses the way ahead. It is aimed at the influential layperson, and deliberately avoids specialised language.

For the moment, the “bad guys” have the upper hand – whether they are attacking systems for industrial or political espionage reasons, or simply to steal money – because the lack of international agreements allows them to operate swiftly and mostly with impunity. Protecting data and systems against cyber-attack has so far been about dousing the flames, although recently the focus has been shifting towards more assertive self-protection.

The preparation of this report has been greatly helped by Robert Lentz’s framework for measuring levels of cyber-security in governments and private companies. Lentz is President and CEO of Cyber Security Strategies, and has 34 years’ experience working for the U.S. government. His Cyber Security Maturity Model explains the five stages towards resilience against cyber-attack, through conventional threat to advanced persistent threat, and was used as the measurement tool for our country-by-country stress test in the second part of the report.

Even if everyone accepts the need for standards, rules, laws, codes of conduct and maybe even a global treaty to protect cyber-space against cyber-crime, not everyone agrees on how to get there. The debate is also about who should make the rules, and to what extent dominance by the military is a good or a bad thing.

The fact that cyber-space knows no borders implies that cyber-security is only as good as its weakest link, and that something must be done about unregulated countries that can offer a haven for cyber-criminals.

The first part of this two-part report concentrates on the main issues that are slowing progress, starting with the absence of agreement on what we mean by terms like cyber-war or cyber-attack. It reflects sharp divisions over the rights of individuals and states in cyber-space. Most Western countries believe that freedom of access to the internet is a basic human right, and that the individual also has a right to privacy and security that should be protected by laws. UNESCO argues that the right to assemble in cyberspace comes under Article 19 of the Declaration of Human Rights.

At the other end of the spectrum are those countries, like Russia and China, that favour a global treaty but nevertheless believe that access to the internet should be limited if it threatens regime stability, and that information can also be seen as a cyber-threat. For these countries, any state has the right to control content within its sovereign internet space.

Linked to the rights and responsibilities of states is the thorny issue of attribution. There are those countries that say that attribution to a specific attacker is impossible, and that the focus has to be defence from attacks. Others argue that attribution is possible, but requires international cooperation, sharing of information and assistance from local authorities. Some states believe that cooperation is a threat to their sovereignty; others say they can’t be held responsible for the activities of individuals or private companies. And a number apparently fear openness because they don’t want to see restrictions on their political or military objectives.

Some clear themes emerge from the report, and they are issues that need fairly urgent resolution. Among these are how and to what degree a more proactive, some would say more bellicose, stance should be developed in both the military and private arenas; the need for much greater international cooperation; introducing a more solid security architecture to the internet; and establishing cyber-confidence building measures as an easier alternative to any global treaty, or at least as a gap-filler until a treaty is agreed.

The second part of this report consists of 21 country stress tests, complemented by findings from the global survey the SDA conducted in the autumn of 2011 among 250 top cyber-security specialists in 35 countries. They included government ministers, staff at international organisations, leading academics, think-tankers and IT specialists, and their views diverged widely on how to improve international cooperation in cyberspace, which over half of them now consider a global common like the sea or space.

Everyone agrees that cyber-security presents a global rather than a national challenge. But how global should our attempts at a solution be? It would be my hope and that of the SDA that this report will help show where global thinking on cyber-security currently stands, and how to improve it. The following recommendations are a step in that direction. They are not directed at specific bodies or institutions, but are intended as a checklist for achieving international solutions to global regulatory questions.

Brigid Grauman, February, 2012

Recommendations

1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).
2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.
3. New problems and opportunities created by smart phones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.
4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integration and availability in different doses according to the situation.
5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.
6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.
7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.
8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.
9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.
10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

PART ONE

Section I. Clearing the booby traps from the cyber-security minefield

There is little agreement between experts and national authorities on terminology, and without that the prospects for regulating cyber-space are poor

A central feature of the cyber-revolution is that no one agrees on the terminology. There’s the language of the military and the language of the geeks, and a wide variety of interpretations in between. The place to start any global discussion on cyber-security is therefore to agree common defi

Terminology: Cyber-war and cyber-attacks have many meanings. It’s time to settle on just one

The three distinct activities in cyber-space are cyber-espionage, cyber-crime and cyber-war, each with its own motivations and goals. Cyber-war is the most contentious. Former US cyber-security tsar Richard Clarke describes in his book Cyber War an American Armageddon of aircraft dropping from the sky and crashing subways. Although not everyone shares this chilling vision of the future, many talk of cyber as a “weapon of mass disruption”.

Stewart Baker is clear about what he means by cyber-war. The Steptoe & Johnson partner and former Assistant Secretary of Homeland Security under President George W. Bush says: “The people who pooh-pooh cyber-war do so mainly by saying that no war takes place in cyber-space only. That’s like saying air wars only took place in the air, when air warfare is always part of a larger battle.”

According to Baker, in a 21st-century war cyber-weapons might be the first deployed, alone or with other weapons. “It’s not unlike air power,” he says. “Cyber-weapons allow you to do a bunch of things that leave it a little ambiguous as to whether or not this is a state of war. Are no-fly zones an act of war? Even if it was only moderately effective, the attack against Georgia in was a cyber-war.”

Isaac Ben-Israel, cyber-security adviser to Israeli Prime Minister Benjamin Netanyahu, puts it succinctly. He talks of the specifics that make a cyber-war: “A cyber-war can inflict the same type of damage as a conventional war. If you want to hit a country severely you hit its power and water supplies. Cyber technology can do this without shooting a single bullet.”

Others think we haven’t yet seen a cyber-war. Mohd Noor Amin is Chairman of the Malaysia-based NGO Impact (International Multilateral Partnership Against Cyber Threats). He puts it differently: “I believe that what happened in Georgia in was a conventional war with offensive cyber elements. Our view is that we haven’t yet seen a pure and significant cyber-war.”

Tim Scully, CEO of stratsec and Head of Cyber Security at BAE Systems Australia, introduces a nuance, and that is to use words prudently so as not to turn cyber-space into a potential battlefield. “The overuse of the terms cyber war and warfare tends to push the cyber-security problem into the government and defence spheres, thereby potentially ignoring the impact of the cyber-threat on the private sector and creating an imbalance in government funding. I try to avoid the use of the words cyber war or warfare as they can lead to the militarisation of cyber-space.”

Let’s think in terms of what we already know to get our minds around it, says James Lewis, Director of the Technology and Public Policy programme at the Center for Strategic and International Studies (CSIS) in Washington DC. “It’s time to locate thinking about cyber-conflict into the framework of existing international law and strategy. The attack against Estonia was not an attack and didn’t trigger NATO’s Article 5*. It was not a military action.”

* Article 5 of NATO’s Washington Treaty calls on its member states to collectively defend any NATO nation that is attacked

Moving into uncharted waters: Cyber-crime pays because it’s profitable, low-risk and anonymous

Unlike the nuclear threat and others before it, the cyber-threat was upon us with little warning and had a very short gestation period. According to McAfee, every year sees one million new viruses, from worms to logic bombs, and that figure is climbing. The threats come from sources ranging from the criminal (online fraud now dwarfs all other forms of fraud), other states (usually for reasons of espionage), across to politically motivated hacktivists and terrorists who use it mostly for recruitment purposes.

Three factors make cyber-crime so tantalising for criminals. Costin Raiu, an anti-virus expert at the Russian security company Kaspersky Lab, says it’s a “three-headed hydra”. The first is that it’s profitable. The second is that it’s low-risk. The third and most important is that it’s anonymous. Attribution is one of cyber-crime’s trickiest problems.

“The core problem is that the cyber-criminal has greater agility, large funding streams and no legal boundaries to sharing information, and can thus choreograph well-orchestrated attacks into systems,” says Phyllis Schneck, Chief Technology Officer for Public Sector at McAfee. “The good guys have to attend meetings and publish reports to enable even minimal data sharing to track their opponent. Until we can pool our data and equip our people and machines with intelligence, we are playing chess with only half the pieces.”

Now that cyber-space means borders no longer mean anything, countries have to work together as does everyone who claims a stake in it. And that means decision-makers and intelligence services down to the citizen at home on his or her computer or smart phone.

With cyber-attacks, the number of targets is almost limitless. It took some to years after the advent of the nuclear age to put arms control systems in place. We can probably expect the setting up of an international system of cyber rules and regulations to take time too.

“We’re moving into new territory,” says Alastair MacWillson, Global Managing Director of Accenture’s global security practice. “The dynamics of cyber is moving so fast – its intent, its uses and the pace of change. There are many business models. No one has really got their mind around what all this really means and what we should do about it.”

Hype is inevitable with any attack involving trillions of currency losses, although the figure is often pure extrapolation. How do you evaluate the loss of a source code? Or the theft of intellectual property? What are we actually defending? What do we need to protect?

Lars Nicander, who heads the Centre for Asymmetric Threat Studies at the Swedish National Defence College, believes the main threat is penetration of poorly protected systems. “Stuxnet,” he says, referring to the computer worm that in damaged the centrifuges at the Natanz nuclear plant in Iran, “was more about intelligence gathering. That’s what we should be worrying about – qualified terrorists getting access to badly protected information systems. Although you need to be a state actor to do something really difficult.”

“In some cases, who cares who did it?” says Canadian expert and practitioner Rafal Rohozinski. “We need to arrive at a more graded definition of cyber-attacks. Now we have this universal way of talking about them, which doesn’t allow for different definitions of culpability. Sometimes we just want to know what jurisdiction to hold responsible.”

Trust is a most elusive notion: The internet was built on trust, and that’s why it’s so vulnerable

As Israeli security adviser Isaac Ben-Israel says, the most vulnerable target for cyber-attacks is a country’s critical infrastructures –

“assurance”. What are the safeguards we need to put up to make sure we can trust the systems we use daily? Should software companies be held liable for their products? Should internet service providers? How can we make sure the components in the entire IT chain are trustworthy? Does cloud computing give rise to insoluble issues of jurisdiction? Should we be creating international agreements to establish who takes responsibility for sovereign cyber-space?

Good brains around the world are thinking about these issues. Not everyone shares the same views, but most know that the internet is here to stay and that it’s a global – not a national – issue.

Section II. Tracking the cyber-revolution: New threats and changing ethics

Time for a change of mindset

How dangerous is the cyber-threat? Are we more vulnerable now, or are we developing promising new defensive technologies?

The near-unanimous perception is that we are more vulnerable than before. The number of systems coming on line is growing exponentially and our reliance on technologies increases daily. Last year, internet pioneer Vint Cerf famously suggested that we do a massive reboot and start all over again in a more regulated environment, but most people think that’s pie in the sky.

“Are we becoming part of a totally unregulated data revolution?” asks UK information and security lecturer Christopher Richardson. Richardson doesn’t think the picture is as dramatic as some people paint. “There’s a big degree of hype. We don’t know what’s really happening.” He suggests that we are given a skewed idea of how many incidents really occur, both in the public and private sectors because of secrecy concerns. He notes how few of the many students he teaches every year have so far been attacked.

“You have this perception from the papers that everything is growing worse and worse,” says Olivier Caleff, Senior Security Consultant at the consultancy Devoteam, “but it’s not very different from what we had before. More people are connected, more people are trying to get around security systems, more people are involved in security, we have more tools to detect issues. We have more of everything, including knowledge.”

Whatever the hype, the rise in cyber-crime is inevitably going to see more rules, laws and limitations on how people can use the internet. What years ago was a gentlemen’s group of users is now a lucrative and low-effort playing field for cyber-criminals. “The internet allows anyone to send anything anywhere and it will likely get there,” says Phyllis Schneck of McAfee. “We must destroy the profit element by improving our control over the routing, delivery and execution of malicious instructions, and block the threat. Swimming pools have chemical filters. Networks and computers need intelligence filters to prevent enemy instructions from finding their target.”

Another problem is that the introduction of new technologies brings unforeseen causes and effects. When researchers defined the protocol behind the email system, they didn’t consider spam was a threat because it cost too much to send an email. “But technology evolved and spam took over because of a weakness in the original protocol,” says leading Danish expert Christian Wernberg-Tougaard. “That’s been one of the catches of the IT industry for a number of years. We need to consider carefully how to implement new technology.”

Wernberg-Tougaard recommends that the “better minds” in the public and private sectors get together with researchers to discuss the impact of today’s technology on tomorrow’s world.

For men like Richard Crowell, professor at the US Naval War College in Newport, Rhode Island, we need to think cool-headedly about the new domain the cyber-threat represents to understand the new risks. “We’re at the same point we were in the inter-war years,” he says. “The WWI battle of Gallipoli was a big failure for the Allies and it taught us never to do amphibious warfare again. We had to successfully learn to move from one domain to another, from sea to land. That’s what the thinking was all about at service colleges in the s and s. And we’ve reached that stage again.”

“We’re thinking increasingly about boundaries and protecting our own information better,” says Crowell. But he concedes that after years in the Navy through the Cold War, he has a mindset that is radically different from his son’s. “My son’s idea of access to information is much more open than mine. I think young people need to think more about what they post on the internet, and my generation needs to think more openly.”

Cracking Duqu, the virus admired by experts

At the time of writing in early 2012, the mother of all Trojans is called Duqu. That is until the next one turns up. For many people like Costin Raiu, global director for Research and Analysis at the Russian security company Kaspersky Lab, this was by far the most exciting attack of his career.

For several months, Kaspersky Lab and security software company Symantec have been studying Duqu to try to understand how the virus operated undetected for four years. “Understanding it will allow us to design the data security technologies of the future,” says Raiu.

What has Duqu taught Raiu? Among other things, that the Duqu and Stuxnet worms were invented by the same software company, and that they struck far and wide infiltrating computers in France, the UK, Taiwan, Germany, South Africa, and elsewhere. “We suspect,” says Raiu, “that Stuxnet’s focused attack on the nuclear centrifuges in Iran was done thanks to information previously stolen by Duqu.”

Raiu greatly admires the skills involved. “Duqu used exciting technologies in brand new ways. Most Trojans steal information and send it on. With Duqu, every action is split into so many components that you can’t tell this is a malicious attack. When you bring the components together, then it obviously is.”

For Kaspersky and other anti-virus labs, the challenge now is to create protection against similar technologies – taken apart, they seem innocent, but put together they are very dangerous.

THE CYBER-SECURITY VENDOR’S VIEW

David Marcus is Director of Advanced Research and Threat Intelligence at McAfee Labs, and writes his own blog. He’s not so much interested in what’s next after Duqu as curious as to its long-term potential repercussions. “The unique thing about Duqu is that it potentially targeted certificate authorities, and used stolen and forged certificates to create rogues that became whitelisted drivers. How is this potential in the attack going to evolve?” he asks.

McAfee’s work, he says, gives him a vendor-specific way of looking at the universe. It’s all about protecting customers’ data and assets and ensuring safe communications, and about preventing bad things from happening. From his perspective, cyber-spies and cyber-criminals are in many ways much the same. “They may use exactly the same tools and techniques. Sometimes, the same attack can have both cyber-crime and cyber-espionage goals. Often, they differ only in how they intend to use the stolen data or IP.”

Although Marcus recognises that smart phones and cloud computing raise issues of sovereignty, responsibility and ownership, he says they don’t represent a truly new threat. They are evolutionary rather than revolutionary. “It’s the same types of threat thrown at an evolving technology. The problem is nobody is going to want to own responsibility for the data because it’s spread out geographically.”

A self-styled “connectivity libertarian”, he says he struggles every day with the question of defining success conditions for good global cyber-security. “I’m a fan of self-policy,” he says, “but I realise the limitations of business and users regulating themselves.” In the meantime, he can’t see any country that has got its cyber-security act under control. “We are a collection of weak-link countries,” he says.

One major problem is that too many companies, enterprises and governments are “busy figuring out technology from a year and a half ago. Technology develops before business gets a handle on it.” He isn’t convinced government has the right perspective because most politicians and elected officials have such a limited understanding of technology, often due to their age. “They are not techies,” he says. “They have no idea how quickly technology changes, how volatile it is. At least the younger generation has an implicit understanding of how fast information changes hands, the nature of changing data.”

Should we be talking of a new ethos?

Everyone agrees that galloping changes in cyber-space don’t mean the system has reached maturity. “An immense set of changes is on the way,” says CSIS expert James Lewis, “and that includes how to play out the extension of sovereignty, changes in governance and perhaps even reconsider our kind of free-wheeling approach to the internet.”

Laws and international agreements are key, says Sweden’s Lars Nicander. “To take one example: when Estonia turned to Russia for legal assistance during the cyber-attacks, Russia declined to help because they hadn’t signed an agreement to protect critical infrastructure. We have to expand governance systems.”

For John Meakin, Chief Security Information Officer at oil giant BP, “there is no question that from where I am sitting at BP the advent of new technologies is causing us to change our security model. The old model of internet security basically said, ‘It’s secure because we own it.’ Whereas now the challenge is how do we keep it secure when we don’t own the internet? We may own the data but we don’t own the internet. When we don’t own the data’s container, what happens? That’s really it in a nutshell in terms of changing ethos.”

The new thinking in the IT security community is that new firewalls, new encryption algorithms and so forth, are not enough to make people feel safe. “So far in Europe, America and Asia, we’ve been focussing on the mechanisms required to protect the new internet environment,” says Jesus Luna, who leads a security research group at the Technical University of Darmstadt in Germany, “but we’ve started to realise that we also need assurance about those mechanisms.”

Assurance is about establishing metrics and measurements to generate trust in protective mechanisms. “For instance, you pay your ISP (internet service provider) for its services, but how can you be sure that the ISP’s security mechanisms are protecting you against malware or any other cyber-threat? How can you be sure they are providing the right assurance levels?” Luna asks.

Among other such groups, the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA), that count Google and McAfee among its members, are working on technology and techniques that give this assurance. CAMM offers guidance on how much to invest in security by using metrics, or the “economics of security”. Says Luna: “We – the academics – have been developing the security metrics that will give this assurance.”
Smart phones pose security challenges %FWFMPQNFOUTMJLFTNBSUQIPOFTBOEDMPVEDPNQVUJOHNFBOXFBSFTFFJOH B XIPMF OFX TFU PG QSPCMFNT MJOLFE UP JOUFSDPOOFDUJWJUZ BOE TPWFSFJHOUZ UIBUSFRVJSFOFXSFHVMBUJPOTBOEOFXUIJOLJOH&YQFSUTUBMLPGUIFJOUFSOFU PG UIJOHT BOE TFSWJDFT  BOE UIJOHT BSF TNBSU QIPOFT  BOESPJET NPCJMF PQFSBUJOHTZTUFNT UBCMFUTBOETFOTPST BOETFSWJDFTJODMVEJOHUIFDMPVE i5IF NPCJMF JOUFSOFU JT DIBOHJOH UIJOHT w TBZT $BOBEJBO FYQFSU Rafal Rohozinski i5IF OFYU UXP CJMMJPO VTFST XJMM CF DPOOFDUJOH GSPN NPCJMF EFWJDFT BOENBOZPGUIPTFEFWJDFTBSFJOEFWFMPQJOHDPVOUSJFT5IFTIFFS OVNCFSTBSFMJLFMZUPIBWFTPDJBMJNQBDUTMJLFnBTINPCT"MPUNPSFQPMJUJDT JTNJHSBUJOHUPDZCFSTQBDF XJUIQBSBMMFMDBMMTUPSFHVMBUFDZCFSTQBDF5IF HPWFSOBODFPGUIFJOUFSOFUBTBXIPMFJTSFJOWFTUJOHTUBUFTXJUIUIFBVUIPSJUZ UPSFHVMBUFDZCFSTQBDFw 5IFJTTVFJTBMTPBCPVUTFDVSJUZBOEQSJWBDZ"TNBSUDJUZPOFXJUITFOTPSTPO USBGmDMJHIUT TFOTPSTJODBST FMFDUSJDTNBSUHSJET QBUJFOUTXFBSJOHTFOTPSTo 14.

(17) Part One. SBJTFTNBOZOFXQSPCMFNTi8IBUJTQFSTPOBMJOGPSNBUJPOBOEIPXBSFXF HPJOHUPQSPUFDUUIFEBUBJOUIFTFEFWJDFT "SFUIFTFEFWJDFTSFBMMZHJWJOH VTUIFSJHIUTFDVSJUZBOEQSJWBDZMFWFMT w-VOBBTLT  i8FSF UBMLJOH BHBJO BCPVU BTTVSBODF w TBZT -VOB i8F OFFE B MPU NPSF MFHJTMBUJPO8FOFFEUPQVTIDPNQBOJFTUPFOGPSDFEBUBQSPUFDUJPONFDIBOJTNT UIBUQSPUFDUUIFQSJWBDZPGDJUJ[FOT5IF&6JTEPJOHRVJUFHPPEXPSLPOUIJT 5IJTJTHPJOHUPUBLFTPNFUJNFCVUUIFFBSMZTUFQTBSFCFJOHUBLFOw. Cloud computing: The challenges of separating network from content "T GPS DMPVE DPNQVUJOH  PVUTPVSDJOH UIF mMJOH PG EBUB IBT CFFO BSPVOE GPS  ZFBST 8IBUT OFX JT UIF HFPHSBQIJDBM TQSFBE PG UIJT TUPSBHF 5IF /BUJPOBM*OTUJUVUFPG4UBOEBSETBOE5FDIOPMPHZ /*45 QSPWJEFTUIFTUBOEBSE EFmOJUJPO GPS DMPVE DPNQVUJOH B SBQJE  POEFNBOE OFUXPSL BDDFTT UP B TIBSFEQPPMPGDPNQVUJOHSFTPVSDFT5IFTFBSFOPUJOUIFTUSBUPTQIFSFUIFZ BSFCBTJDBMMZIBOHBSTGVMMPGTFSWFST 0VUTPVSDJOH NFBOT DPOTJEFSBCMF DPTU TBWJOHT  BOE NBOZ DPNQBOJFT BSF OPXVTJOHJUGPSDPNQVUBUJPOBOEEBUBTUPSBHF#BOEXJEUITBSFOPXMBSHF FOPVHIUPUSBOTGFSMBSHFBNPVOUTPGEBUBUPEBUBTUPSBHFGBDJMJUJFT"NB[PO  F#BZ (PPHMF 'BDFCPPLBOEBMMUIFCJHOBNFTBSFPVUTPVSDJOHDPNQVUBUJPO UPDMPVE. “Cloud computing means separating the network from content in ways that didn’t exist before”. Rafal Rohozinski. 
i$MPVEDPNQVUJOHNFBOTTFQBSBUJOHUIFOFUXPSLGSPNDPOUFOUJOXBZTUIBU EJEOUFYJTUCFGPSF wTBZT3PIP[JOTLJi5IFMBXTXFIBWFHPWFSOJOHDPQZSJHIU BOE UFSSJUPSJBM TFDVSJUZ HFU TLFXFEw "NPOH PUIFS JTTVFT SBJTFE CZ DMPVE DPNQVUJOHJTUIFDPTUPGQSPDFTTJOHQPXFSBOEDPOOFDUJWJUZBOEUIFXIPMF JTTVFPGOFUOFVUSBMJUZ#VU-VOBXBSOTUIBUUIFTFOFXTUPSBHFGBDJMJUJFTHJWF SJTFUPQSPCMFNTPGTFDVSJUZBOEKVSJTEJDUJPOi8IPBSFZPVHPJOHUPTVFJG UIFSFTBQSPCMFN w (PPHMF  GPS JOTUBODF  LFFQT POF UIJSE PG JUT DMPVE JO $BOBEB i*T UIBU JOGPSNBUJPO TVCKFDU UP 64 PS $BOBEJBO MBX w BTLT 3PIP[JOTLJ $MPVE DPNQVUJOHDSFBUFTOFXRVFTUJPOTGPSUIFMBXZFSTi8IBUEPFTJUNFBOGSPN BMJBCJMJUZQPJOUPGWJFX )PXEPFTPOFIBOEMFEJGGFSFOUEBUBSFUFOUJPOBOE QSJWBDZMBXT 8IBUIBQQFOTXIFOEBUBTIJGUTMPDBUJPO 8IPEFUFSNJOFTUIF mOBMSFTUJOHQMBDFPGKVSJTEJDUJPO w 15.

Section III. Cyber-defence strategies: The hottest debates and conditions for success

What are now the hottest debates in cyber-space defence strategies? Twenty themes emerged from the interviews conducted for this report.

1. Developing an offensive stance

Several countries are formulating plans to respond more aggressively to cyber-attacks, and are making investments in this direction. The UK’s new cyber-strategy released in late […] brings up the notion of self-defence.

This more bellicose stance applies both in the military and private arenas. William Beer, Director of Information and Cyber-security Practice at PwC, refers to the UK’s White Paper of September that suggests companies should be more vocal and use legal means to protect their organisations. “For instance, instead of writing off losses, they should invest into actively targeting those organisations that have been attacking them,” he says. “The old approach was ‘I won’t tell people.’ Now the attitude is ‘I’ll use every legal means at my disposal to protect my company.’”

2. Rating countries’ offensive capabilities

“Everybody only discusses offensive cyber-strategy via veiled references to the Russians and the Chinese without any strong, public, quantifiable proof,” says David Marcus, Director of Advance Research and Threat Intelligence at McAfee Labs. “No one has stepped back and said, let’s take the […] or so countries we think have offensive cyber capabilities and grade what they are and how they differ.” He believes we need a country-by-country rating methodology for offensive capabilities as well as defensive, and says most cyber-security professionals pretty much know what most countries are capable of doing. “It’s the countries that have cyber-offensive training programmes at a military or government level, it’s those that consider cyber as part of the war theatre.”

Marcus believes there can’t be a strong defence without a solid, quantified knowledge of offensive capabilities, and that most governments have developed or are developing cyber-tools and attack tools. “We dance around this issue but is there really any difference between developing fighters and cyber-weapons if they are both used in warfare? Everyone blames the Chinese for everything today, but if we’re going to push for government regulations and policy then let’s lay out who we think has the top cyber capabilities. I doubt you could find a country that is not working on it.”

3. Protecting an increasingly integrated global system

We are looking at an increasingly integrated cyber-world with much more system-sharing and cross-border services, such as cloud computing, and we need the system to be functional and safe wherever it is located.

“How do we protect our infrastructure?” asks Danish security expert Christian Wernberg-Tougaard. “It’s great to have shared service and cloud,” he says, “but how do we protect this multi-faceted structure?”

If a component were to be attacked, or if a country were to become unstable, you might face a serious challenge. The discussion between the EU and the US right now asks such questions as: can you have cloud services within the domain of the US Patriot Act while also being under the EU’s data protection act?

4. How safe are SCADA systems?

SCADA systems (known as Supervisory Control and Data Acquisition Systems in the US) have always been around. They are the physical elements that control pumps and barrels, and other infrastructural and industrial processes. The challenge is that they used to be isolated systems and now they are often connected to the internet or accessible using data transfer devices like USB sticks. Increasing connectivity means more vulnerability.

“If you can control a SCADA system, you control the facility or the industry,” says Bart Smedts, Senior Captain and Research Fellow at Belgium’s Royal Higher Institute for Defence. “Via SCADA, you can control the economic work of any nation. Once you realise you have a virus on a SCADA system or the internet you can expect it to spread like an epidemic.”

“Many of these systems are unprepared for cyber attacks,” says Frank Asbeck, Counsellor for Security and Space Policy at the European External Action Service. “A lot of damage can be done through ignorance, carelessness or malicious intent.” Like other experts, he believes we need to think hard about how these new factors affect systems physically and technically, and then decide what to do about it.

5. Security versus privacy

The issue is whether network data like IP addresses is considered private. Cyber-security providers need to track malware using these IP addresses if they are to block attacks, which is very different from those who collect the same data for marketing or behaviour tracking purposes. “In fact, if cyber-security providers and network providers can use IP addresses to track malware, we believe that more data will be kept private,” says McAfee’s Phyllis Schneck, “because we will be more successful at preventing the bad guys from computer intrusion and unauthorised access to personal information, financial data, intellectual property, and systems that control and monitor physical infrastructure.”

6. Net neutrality

The heated debate over net neutrality is about whether broadband providers should be allowed to exert a veto on applications that use large amounts of bandwidth or discriminate among content providers. Brazil and Argentina, among others, are moving forward with net neutrality and opening their market to everyone. In the US, the argument is sharply divided. President Barack Obama is a believer in it. “Industries are completely against it,” says Melissa Hathaway, who runs the consultancy Hathaway Global Strategies and was formerly cyber-advisor to the Department of Homeland Security. “I myself don’t think that net neutrality is a good idea,” she says. “Industry needs to be that front line of defence. ISPs, the conduit for delivering content, should be responsible for not delivering some content.”

7. Towards international rules

With the increasing threat of states engaging in malicious cyber activities against the critical infrastructure of other states, the need for international cooperation grows daily more urgent. “We need to prepare the battlefield,” says Vytautas Butrimas, Chief Cyber-Security Advisor at Lithuania’s Ministry of Defence. “There are holes in the systems. We need to reduce the risk of another state placing something like a logic bomb that would cause systems to shut down. There is no such thing as zero risk but we can make the risk acceptable.”

8. Building a more solid cyber architecture

“We are closing the stable door after the horse has bolted,” according to Christopher Richardson, lecturer for the UK Ministry of Defence. The current ad hoc approach to regulation isn’t going to make the cyber-environment a safe place to do business. “There are too many people with too many views,” he says. “We need to look beyond particular attacks and improve assurance.” Experts talk of improving asset management so as to know what we are trying to defend and creating a “patched-up” environment. “We don’t need to be scared but educated,” says Richardson.

New technology is now focused below the operating system. It communicates directly with the computer hardware and chips to recognise malicious behaviour and be smart enough not to allow it. “The buck stops here,” says McAfee’s Phyllis Schneck. “This is the newest and deepest layer and, together with more intelligence in the other layers, a key part of the future of cyber-security. Communication with the hardware is the queen of the chessboard; it can stop the enemy almost immediately or control a longer game. Either way, we win.”

9. Tackling weakest-link countries

“The challenge in the digital economy is that no chain is stronger than its weakest link,” says Christian Wernberg-Tougaard of the Danish Council for Greater IT Security.

Weakest-link countries are those where absence of legislation creates havens for cyber-criminals. One view is to take the drastic option of disconnecting them from the internet. Another is to use tools to filter out internet providers from that country. A number of companies in the US block all Internet Protocol (IP) from China.

“The best solution,” says Costin Riau, director for Research and Analysis at Kaspersky Lab, “is to try to improve the economic situation in those countries. Internet crime is always connected to unemployment rates.”

10. Securing the Internet supply chain

A new discussion centres on the issue of securing the internet supply chain, particularly in sensitive areas of government that form part of the critical national infrastructure. This is about where you get your hardware devices, routers, servers, switches and so on. Could malware be introduced during manufacturing? Will companies want to work only with certain countries? Alastair MacWillson of Accenture says, “This can be seen as a form of protectionism, but it may also be about prudent security mechanisms.”

11. Increasing awareness of the scale of the problem

We need greater awareness at all levels and in all sectors, and more dialogue all around. “It’s not going to happen overnight but we need much tighter private-public collaboration across borders and across cultures,” says William Beer, director, information and security practice, PwC.

12. Taking a holistic approach

Hamadoun Touré, Secretary-General of the International Telecommunication Union (ITU), is adamant. “As long as we carry on thinking that the solution is only technical we won’t get anywhere. We need a holistic approach involving legal, regulatory and technical measures, as well as an ethical approach. We also need an Integrated Supply Network within an international framework.”

13. Defining the role of governments

The view from industry is that there are things that governments can and should do to improve the overall state of security, and things they shouldn’t and cannot do. “Governments should be involved in commonality over borders,” says John Meakin, head of cyber-security at BP, “but they don’t have a role to play in the detailed disposition of security mechanisms around any one enterprise’s internet estate.”

14. Governments must take greater care when taking advice

Who is advising governments? According to BP’s Meakin, key decision-making forums are populated with career civil servants, particularly in the US and the UK. Meakin and others like him believe that dialogue at the top needs more experts from the ‘buying’ side of the industry, as well as its selling side.

15. Information-sharing at an international level

There is no single international agency or body with the mandate to deal with cyber-security. Also, national and regional organisations have to improve cooperation. “Security is so vast that there is a long way to go before we reach trust,” says Italian cyber-expert Stefano Trumpy.

“We need more and more information sharing,” says Japan’s Suguru Yamaguchi, a leading specialist on network security systems. “That’s the difficult part. Global companies are good at sharing information. They could act as catalysts to encourage governments to be more open.”

16. Thinking differently about cyber-security

Cyber-security advocates like Australian Tim Scully argue that we are wrong to protect our interconnected systems at the expense of the information they contain. “Right now, our model is systems-centric,” he says. “Private and public organisations are being attacked and large amounts of data are being stolen despite traditional boundary defensive measures, like firewalls, anti-virus and intrusion prevention and detection applications.”

He argues that we should think in terms of trophy information. “People need to focus on protecting their most sensitive information rather than the system itself,” he says. “Subsequent segregation of data might even mean that some information is air-gapped from the internet if its loss were to have catastrophic consequences.”

17. Citizen awareness

There has to be more widespread awareness that cyber-security starts with everyone’s behaviour and awareness. Far too many people at all levels of the hierarchy haven’t realised that they should take responsibility for their home computers and the IT system at work. It’s a battle that will never be entirely won. “There will always be someone to click on a link they should not click on,” says Scully. “Hackers exploit social vulnerability, that is why spear-phishing is so successful.”

18. Reducing secrecy

Over-classification of data skews the picture of what is going on. “Secrecy concerns are the bane of cyber-security,” says Austrian Alexander Klimburg, analyst with the Austrian Institute for International Affairs. “We should put more stock in non-state attribution (security trust networks outside government) to attribute cyber-attacks.”

19. Harmonising codes and laws

Discrepancies between code and laws can lead to abuse and should be resolved. Florian Walther, senior IT security consultant at Curesec, says this is what happened in Germany when the intelligence services were found to be using spyware in a more intrusive way than spelled by law. “The code defined what it could do and what police forces could do, but the law didn’t,” says Walther. “The program was making the law, and defining what was and was not possible.”

Cyber-attacks can often be seen within network flow patterns, much as storms can be seen forming on a weather radar map, says McAfee’s Phyllis Schneck. “The collection and correlation of cyber-data requires international agreement,” she says, “and it’s urgent because the bad guys at present have the advantage. Without these agreements, their behaviour is not always seen in time to thwart an attack.”

20. Defining pre-emptive cyber-attacks

Another difficult question is how to define pre-emptive cyber-attacks. What are they? How would you come up with the evidence? How strong can retaliation be? What is proportionate? “Furthermore, you can’t attack if you haven’t first penetrated the system,” says Jamie Shea, NATO’s Deputy Assistant Secretary General for Emerging Security Challenges. “It’s a game of mirrors, like the Menin Ridge at Messines in […]. Where is the line between defence and aggression?”

Section IV. The quest for rules and regulations to govern cyber-space

It has taken the spectacular increase in cyber-attacks for political leaders in the United States, the European Union and parts of Asia to sit up and take stock of the costs involved and the loss in competitive positions.

“I’ve been working in computer security for […] years,” says BP’s Chief Information Security Officer John Meakin, “and it’s really only in the last two or three years that policy-makers have begun to wake up.”

On the other hand, “If the internet had started with security and control in mind it would never have taken off,” says Alastair MacWillson, Accenture’s global managing partner of global security. “One of its strengths is that it is unregulated. It’s not in anybody’s interest to regulate.”

He recalls his concern when US President George W. Bush wanted the authority to regulate and monitor the internet under the Patriot Act. “However,” he adds, “companies that use the internet should be much more sensitive to the fact that it’s an open highway. They need to invest in the technology that ensures they know who they are doing business with.”

As the medium matures, the need for global rules has grown and there are now some political groups and economic forums worldwide addressing cyber-security issues.

Improving corporate governance could solve a number of problems. Christopher Richardson, who lectures at the UK’s Defence College of Communications and Information Systems (DCCIS), thinks that many companies hold on to data they don’t need and that strong internal audits should put a stop to this. “We need to look at how we regulate data management and protection everywhere,” he says. Encrypting large amounts of data doesn’t make sense. “We want smaller units of data and only what is necessary. Why were Sony recording CVV codes on credit cards?”

How else can we make things safer? Establishing market best practices is a good first step that is both practical and low-cost, and can be implemented quickly. In the EU, the mission of ENISA, the European Network and Information Security Agency, includes sharing this kind of information between the member states.

Cyber norms and common security standards

ENISA also works at the complex task of defining standards. “Different EU member states are at different stages,” says the head of the technical department Steve Purser. “A lot of our work is first seeing how countries deal with things, then defining common standards.”

How do you ensure that these standards are observed? “You can either impose them or let the market sort things out. Many organisations now use the ISO standard; if you have that label you have credibility. We can do the same with the security market.”

The way to go, says researcher Jesus Luna of the DEEDS security research group in Germany, is to encourage industrial and academic consortia, interest groups and specialised communities, to set up de facto standards that sooner or later will become widely accepted. The cloud security alliance CAMM (Common Assurance Maturity Model) is one such instance. “Fortunately, some private companies realise that working with competitors can benefit them,” says Luna. Having international standards is an economic necessity; we need technology that is interoperable between countries.

The difficulties of going global

National sovereignty is one thing, but in cyber-space collective responsibility can’t be avoided. Countries around the world have set up national CERTs, or are in the process of doing so. Large companies and public institutions have also set up these rapid response teams to act in emergencies and inform citizens about computer security, and they are also increasingly taking part in global networks of CERTs.

“If you want to shut down a botnet, you’ll be lucky if it’s in your own country,” says Purser. “International collaboration is essential. Security within national boundaries doesn’t make sense. Everything is globally connected. A European approach doesn’t make sense unless aligned to the approach of international partners.”

But opinions about how to legislate vary. There are those who argue that the internet is changing so fast that regulations will never keep up, others who believe legislation stifles creativity, and countries that want to exert control over content. Is it unrealistic to expect global rules for cyber-security and cyber-privacy?

Probably, says Stewart Baker, who worked for Homeland Security and is now a partner in the law firm Steptoe & Johnson. “There’s too much advantage in breaking those rules.” He is hostile to the EU’s data protection directive, aimed at regulating the processing of personal data, calling it an attempt at a “neo-colonial imposition of privacy notions on the rest of the world.”

The rift between the US and the EU on the protection of privacy is one bone of contention but there are others. “We should strive for global rules,” says Tim Scully, CEO of Stratsec and Head of Cyber Security at BAE Systems Australia, “though they will be difficult to achieve.” Like many, he thinks it would be much easier to start with global standards that protect information and to train and certify cyber-security professionals.

Jaan Priisalu, who heads the Estonian Information Systems Authority, thinks we won’t get anywhere until the political and the technological worlds understand what the other is saying. “I see huge misunderstandings in every country,” he says. “The technological people’s culture is how to use the network efficiently and they usually don’t like to talk. At the same time, you hear politicians making stupid and arrogant statements about applying and regulating the law.”

“We need rules and agreements to keep the cyber world running,” says Kamlesh Bajaj, Chief Security Officer at India’s Data Security Council. “The problem is when policy-makers start to regulate without understanding the issues.” For Bajaj, these issues are not solely about compliance. “The challenges posed by the movement of data mean that stringent compliance regulations aren’t enough. You might apply them in one country and put your own country at a disadvantage. We need to look at all sides of the argument.”

IMPACT, THE CYBER-TALK PLATFORM

With the fast spread of smart phones, including in the least developed countries, cyber-security is in the process of shifting east and south of the globe. Conventional wisdom dictated that cyber-security focus on the richer countries. That view is changing. If we are to avoid safe havens for criminals in countries with no cyber-laws, we urgently need to help those countries. Mohd Noor Amin, head of IMPACT, the cyber-security alliance headquartered in Malaysia, says “even the most sophisticated countries now realise you have to assist the poorer ones.” The ITU-backed platform has 137 member nations and brings together governments, academia, industry and international organisations from developed, developing and the least developed countries.

“We are not a treaty, but a voluntary cooperation platform,” says Amin. “We tackle cooperation issues between countries in different jurisdictions. That cooperation is going to get stronger. Nobody wants cyber-crime to operate in their jurisdiction. The problem is not that nothing is being done, but that those governments with cyber-criminals working in their territory don’t know what is going on.” IMPACT runs an electronic platform jointly with the ITU involving law enforcement, ISPs, telecoms regulators and policy-makers. Amin believes that successful information-sharing among IMPACT members will not replace the benefits of an international treaty. “It’s a significant first step to getting people around the table. If business competitors can sit at the same table to do something good for the world, why can’t governments? A treaty would enhance levels of cooperation.”

Adapting existing rules

Do the experts think many rules are already here waiting to be adapted? Some do. In many cases, it might be simpler to extend the scope of existing laws than to rewrite criminal codes from scratch and design new legislation, they say. “It doesn’t take that much of an adaptation of existing criminal codes to take effective action against cyber-criminals,” says BP’s John Meakin. “The problem is that players on the law enforcement side, prosecutors and judges are often ignorant of the way computer systems work.”

If we look at international treaties like the Geneva Convention, many existing rules of war may also apply to cyber-space. “There are those who say cyber-space is the fifth dimension of warfare,” says Australian Tim Scully. “In that regard, I’m sure lawyers could go through some of the existing rules and apply them at an international level to cyber-space.”

The thorny issue of attribution may appear to get in the way. Not so, says Vytautas Butrimas, Lithuania’s Cyber-Security adviser at the Ministry of Defence. “It may be too difficult to track down the computer to the very apartment, the very building, the very person who is pressing the enter key, but it is technically possible to pinpoint the country where the attack originated.”

His view, shared by many, is that we need an international agreement that makes every country responsible for its sovereign cyber-space and thus forced to take such steps as blocking infected computers from the internet. “You’d act in the same way with a cholera pandemic,” he says. “The attribution debate also has its calculating and cynical side. States that want to keep their options open when seeking to achieve a political or military objective are opposed to any restraint on their use of cyber-weapons.”

The lack of international mechanisms

For the time being, there are no international mechanisms that coordinate national cyber-defences, including intelligence gathering. According to Canadian expert Rafal Rohozinski, the best coordination and expertise sharing so far is between the Five Eyes – Canada, the US, the UK, Australia and New Zealand. “The concentric circles around that are tenuous,” he says. “They include NATO, the Council of Europe, and the Collective Security Treaty Organization (CSTO).”

Colonel Emilio Sanchez De Rojas, who heads the Department of Strategy and International Relations at Spain’s Ministry of Defence, argues for a comprehensive approach that would include all the main actors and organisations – the UN, the Organisation for Security and Cooperation in Europe (OSCE), the EU and NATO, as well as multinational businesses dealing with cyber-security. “But,” he stresses, “these rules have to be accepted not only by main powers like China and Russia, but also by more cyber-aggressive countries like Nigeria and others in Africa. We need to reach a compromise between security and freedom.”

Japan’s Suguru Yamaguchi, former advisor on Information Security to the Cabinet of the Government of Japan and a professor at Nara Institute of Science and Technology, believes a small first step is the Budapest Convention, the Council of Europe’s convention on cyber-crime, the first international treaty to seek to address internet crime, which has been ratified by Japan, the US and China, among other countries. “We are encouraging more countries to sign the treaty,” Yamaguchi says, “because it offers a comprehensive framework for capability and collaborations in investigating cyber-crime. State-sponsored attacks are a criminal activity and require the same cyber-security measures.”

The “impossible dream” of a global treaty

In […], before the UN’s ITU (International Telecommunications Union) conference in Mexico, Secretary-General Hamadoun Touré said he wanted a “cyber-peace treaty”. But for many, simply agreeing on common rules and setting up a global body are a big enough challenge.

For the more hawkish, like US lawyer Stewart Baker, an international treaty is a waste of time. “At worst, it will delude western countries into thinking they have some protection against tactics that have been unilaterally abandoned by other treaty signatories,” he says.

The London Conference on Cyberspace in November wanted to be the launching pad for an agreement on designing a cyber-security treaty, but that was not to be. Too many countries didn’t share the same viewpoint. “I’m a realist,” says Erik Frinking, who works for the Centre of Strategic Studies (HCSS) in The Hague, “and so I seriously doubt we can have a global legal agreement. Codes of conduct are already a source of conflicts with the Russians, Chinese and others.”

Where cyber-conflict raises its ugly head, Frinking believes we should use the same rules of engagement as for conventional war. “Rules of engagement can be agreed at a very abstract level, but it’s hard to see countries agree at this moment on rules applying to other domains.” A number of challenges can be handled informally.

If we see cyber-security as a network of safe countries, says Baker, we should think in terms of a rough working consensus that turns outliers into pariahs. “We used to have that problem with banking. A number of money-laundering centres saw opportunities to profit from not enforcing money-laundering rules,” he says. “The bigger financial participants in the global financial system shunned these countries pretty effectively, reducing the number of places where you can hide money. A similar mechanism could be applied to isolate countries that don’t respond to investigative requests.”

“Cyber is a dangerous space,” says the ITU’s Touré, “and we must create a framework of cooperation to protect basic human rights. Governments have to commit themselves not to attack one another, and we must set up a framework cooperation to arrest criminals wherever they are. Are we ready for such a negotiation? We don’t have a choice; we’ve got to do it for the safety of our children, our businesses and our countries.”

A realistic alternative to a peace treaty: Cyber-confidence measures

A number of scholars, including James Lewis of the CSIS, Paul Cornish, professor of International Security at the University of Bath, and Theresa Hitchens, Director of the UN Institute for Disarmament Research (UNIDIR), have been working on designing cyber-confidence measures. “A treaty isn’t going to work,” says Lewis. “There are too many verification, compliance and definitional problems.”

Cyber-confidence-building measures include “agreeing on norms to structure expectations about state behaviour,” says Lewis. “You want transparency, particularly for national doctrine on how to use cyber-attacks in a military context. Most countries have these doctrines but don’t talk about them.”

(30) Cyber-security: The vexed question of global rules. "NPOHPUIFSUIJOHT $#.TJODMVEFMBXFOGPSDFNFOUDPPQFSBUJPOBHBJOTUUIF VTFPGQSPYZGPSDFTi5IF3VTTJBOTBOEUIF$IJOFTFVTFQSPYJFT wTBZT-FXJT  iDJUJ[FOTBDUJOHBUUIFCFIFTUPGHPWFSONFOU"USBEJUJPOBMBSNTDPOUSPMUSFBUZ UIBU SFTUSJDUT UFDIOPMPHZ XPOU XPSL CFDBVTF UIF XFBQPOT BSF TPNFUJNFT UFFOBHFSTXJUIMBQUPQT)PXDBOZPVTFUVQBUSFBUZJOUIJTDPOUFYU w5IF NFBTVSFTXPVMEJODMVEFTVDIDPNNJUNFOUTBTTIBSJOHJOGPSNBUJPOPOUIJSE QBSUZUISFBUT BOEUBLJOHSFTQPOTJCJMJUZGPSBDUJWJUJFTPGJOEJWJEVBMTSFTJEFOU JO ZPVS PXO UFSSJUPSZ $ZCFSDPOmEFODF NFBTVSFT BSF DVSSFOUMZ CFJOH EJTDVTTFEBUUIF0&$%BOEUIF6/ -FXJT JT TDBUIJOH BCPVU UIF BVUVNO  -POEPO $POGFSFODF PO $ZCFS 4QBDF i" HJBOU NJTTFE PQQPSUVOJUZ w BT IF QVUT JU 8JUI GPMMPXVQT JO #VEBQFTUJOBOEJO4PVUI,PSFBUIFZFBSBGUFS IFIPQFTMFTTPOTXJMM IBWFCFFOMFBSOFEJOXIBUIFTFFTBTBTFSJPVTQSPCMFNPGOBSSBUJWFBOE VOEFSTUBOEJOHPGUIFJTTVFTi1FPQMFIBWFUPTUPQTBZJOHUIBUBGSFFBOEPQFO JOUFSOFU QSPEVDFT XFBMUI 5IF EFWFMPQNFOU BHFOEB JT B nBXFE DPODFQU $IJOBJTOPUGSFFBOEJUTFFNTUPCFEPJOHKVTUmOFw"TIFTFFTJU -POEPO iEBODFEHJOHFSMZBSPVOEWBMVFT wBOEBWPJEFEUIFBSHVNFOUBTUPXIZB TFDVSFJOUFSOFUCBTFEPOEFNPDSBUJDWBMVFTTFSWFTBMMDPVOUSJFTJOUFSFTUT i5IBUXBTUIFQSPWFSCJBMFMFQIBOUJOUIFSPPNFWFSZPOFUSJFEUPJHOPSFw. 
The bodies competing to govern cyber-space

The internet is a messy playing field, run by a patchwork of organisations, and different countries have different views about who should be in charge. Do we want more government control? Or do we want to avoid that at all cost? Or do we simply want to see governments get something moving? And how do we follow a bouncing ball?

The big picture policy is principally in the hands of the EU, NATO, the UN and APEC, the Asia-Pacific Economic Cooperation. Every year, the UN's Internet Governance Forum (IGF) offers a multi-stakeholder talking shop. It's a lively and democratic Babel's Tower. In the cacophony of nations, India, Brazil and South Africa have called for a new global body to control the internet. China and Russia want the UN General Assembly to adopt their International Code of Conduct for Information Security that would give governments more of a role to play, and greater control on content.

These countries would like the UN's International Telecommunication Union (ITU) to have a supervisory role, something firmly resisted by the US and other Western countries. “The UN is a forum and not the right place to make decisions,” says Frank Asbeck, Counsellor for Security and Space Policy at the European External Action Service, the EU's foreign diplomatic arm. “We are living in an environment where we need pragmatic and socially acceptable solutions quickly. We can't get into negotiations that take decades.”

Many Western governments prefer a multi-stakeholder approach, like that promoted by the Organisation for Economic Co-operation and Development
