Battlefield Cyberspace Challenging for International Dialogue

Russia has tried to raise cybersecurity discussions to the international level (CD April 25 p3) for 10 years, a participant said. In 1998, U.S. officials suggested the discussions take place in ITU, the participant said. Others said the problem is political and should be discussed in the U.N., not the ITU, the participant said, noting that the talks reverted technical aspects. There’s no longer a question of where to discuss cybersecurity, he said. “These issues should be discussed everywhere.”

The Internet is “a very small part” of the cybersecurity focus, said Olivia Bosch, director of International Security and Communications. “The Internet relies on telecommunications,” she said. Information travels by wire and fiber lines, satellites, microwave dishes and other technologies, said Bosch, a participant in the NATO Science for Peace and Security program.

Cyberterrorism differs from cybercrime because critical energy, transportation, and telecom infrastructure is under government control even if it’s privately owned, controlled or run, Bosch said. Laws of armed conflict apply if cybertools are used in a military action, she said. Private ownership of critical infrastructure blurs the picture, she said. For example, affected governments would want to know of a private sector international information operation undertaken in response to a cyberincident, Bosch said. Another question is what constitutes an act of cyberwar in the absence of armed conflict, Bosch said.

More bulletless military interventions are expected, said Andrey Krutskikh, deputy director of the Department for Disarmament and Security Affairs in the Russian Ministry of Foreign Affairs. The most damage to Russia, Estonia or the U.S. would come from hacker attacks, not tanks or bombs, he said. For example, a country’s banking system can be wrecked only with a hacker attack, he said. Private operators have an obvious and growing role in providing security for service, transport or storage of weapons of mass destruction, including nuclear weapons, said a Russian participant. Does this trend add risk on the computer and telecom networks side, asked a Russian participant.

Maintaining and restoring service is the U.S. priority following conflict in cyberspace, the U.S. said. Because attackers can spoof locations and route through other nations, an investigation takes more time, the U.S. said. “As far as deterring cyberattacks from any source regardless of who they are, if you could come up with some kind of strategy or policy that would effectively do that, please let us know,” the U.S. said.

“We do not propose a strict treaty,” but international development of a cyberspace code of conduct, Krutskikh said. Soft legislation, a roadmap or rules of the road could serve as a model, he said. Preventive capacity matters more than new rules or regulatory fixes, a participant said.

Some idea is needed for what constitutes “technical harm” under the International Telecommunication Regulation’s article 9 proscribing efforts to harm communications networks in foreign countries, said Tony Rutkowski, VeriSign’s vice president of regulatory affairs and standards. Preventive measures in the telecom infrastructure can help prevent harm, Rutkowski said. Other measures deal with attacks after they happen, he said.

The Convention on Cybercrime wants network forensic tools in place, said a participant. The European Telecommunications Standards Institute Technical Committee on Lawful Interception is the only international forum doing work, the participant said. An ITU standardization study group on telecom security agreed April 18 to develop trace-back capabilities during the 2009 to 2012 study period, he said.