In the third installment of the FOC Working Group 1 (WG1) blog series, working group members Jochai Ben-Avie – Internet Policy Manager at Mozilla – and Simone Halink – Senior Policy Officer Internet Freedom at the Dutch Ministry of Foreign Affairs – discuss how international policy debates on cyber security need to evolve and improve in order to meet today’s challenges. They do so against the background of the so-called “London Process” conference sequence, and in particular, its next edition – the Global Conference on Cyberspace – which will take place in The Hague on April 16th and 17th, 2015.
From hacks of some of the world’s largest corporations (think Target, Home Depot), to critical vulnerabilities in widely used open source software like Heartbleed and Shellshock, to connected carmakers being woefully unprepared to identify and mitigate attacks, to companies like Sony exercising bad security hygiene even after previously suffering a major attack, the challenges to securing the internet and those who use it have never seemed greater.
Yet, none of these examples or many of the other exploits that have dominated the public imagination and conversation in recent years align with traditional government cyber security paradigms. Instead, government conversations about cyber security tend to focus on critical infrastructure, information sharing, and “cyber” as a military domain alongside air, land, sea, and space. While it is perhaps to be expected that government paradigms would focus on government action, there’s an increasing recognition that cyber security is a shared responsibility between governments, companies, the technical community, and users.
Against this background, this blog discusses how — in the opinion of the authors — international policy debates on cyber security need to evolve and improve in order to meet today’s challenges. To this purpose, they give three recommendations: a) affirming the need and identifying opportunities for greater multistakeholderism in cyber security making fora, b) broadening the scope of cyber security paradigms to focus on securing users, and c) focusing on proactive, preventative security measures and improving cyber security defenses. The blog then looks at how these recommendations are beginning to be implemented in the world’s largest intergovernmental cyber security conference, the so-called “London Process”, of which the next instalment – the Global Conference on Cyberspace – will take place in The Hague on 16 and 17 April, 2015.
AN AGENDA FOR THE INTERNATIONAL CYBER SECURITY DEBATE: REVISITING THE PARADIGM
To meet the challenges facing the free and open Internet and its users, it is key that international debates on cyber security address the following three issues:
a) Affirm the need for multistakeholderism and inclusivity of all actors involved in keeping the internet free, open and secure, and identify areas for action
Multistakeholderism has long been acknowledged as best practice in internet policymaking, particularly in managing technical aspects of the net. However, the development of cyber security policies and practices has often been segregated into parallel tracks: governments talking to governments, companies to companies, etc., with minimal involvement of broader public interest groups. Participation in decision-making about and defense of the Internet needs to reflect the diversity of the Internet, including the interests of all users as well as all stakeholders involved in protecting the Web.
Civil society in particular has a critical role to play in keeping the Internet open and secure. Yet our ongoing research as part of the Freedom Online Coalition’s Working Group “An Internet Free and Secure” has revealed very few meaningful opportunities for civil society to participate in fora where cyber security issues are discussed. This needs to change. International fora should identify opportunities for greater multistakeholder action and collaboration in discussions, deliberations, and decision-making. The Freedom Online Coalition’s Working Group will present a set of principles or recommendations – including recommendations on how greater multistakeholder engagement should take shape – at the next Freedom Online Conference in Ulaanbaatar, Mongolia, on May 4th and 5th 2015.
b) Broaden the scope of cyber security paradigms to focus on securing users
As our global dependence on the Internet has grown, so too have the threats to openness, privacy, and security. Today’s cyber security challenges go far beyond securing the electric grid or preventing an attack on transit systems. The internet is a global public resource, and current paradigms and strategies must expand to include all users and all parts of the Internet. Individuals’ security and privacy are fundamental, and cannot be treated as optional in a modern cyber security paradigm. Simply put, securing the online experience of users needs to be a central focus.
Practically speaking, this shift in focus highlights the importance of serious and broad cooperation amongst many different kinds of actors and lends itself to different types of interventions, increased attention on creating incentives and processes to improve user privacy and security, and a greater emphasis on improving privacy and security architecture by design.
c) Focus on proactive, preventative security measures and improving cyber security defences
At the same time, governments, industry, the technical community and civil society also need to focus on collaboratively and proactively improving security defenses, rather than just relying on “detect and respond” approaches that dominate the conversation today. Such a proactive approach would include interventions to reduce the impact of the major sources of cyber security vulnerabilities, such as the widespread use of unpatched operating systems, the lack of transport encryption (like HTTPS) by default on many websites, or the prevalence of insecure passwords and bad password management.
In this vein, Mozilla’s Delphi Project seeks to bring together some of the leading minds in cyber security to identify and prioritize concrete threats and solutions. The resulting report, to be published later this year, will be a guide and reference point to develop positive, affirmative agendas for cyber security change built on grounded facts and the recommendations of experts. We hope GCCS participants take a similar approach to identifying proactive security strategies and solutions to defend the free and open Web.
It is good to see that many of these recommendations are already being taken aboard in the planning of the Global Conference on Cyberspace (GCCS), the next installment of the London Process intergovernmental meetings on cyber security. (Full disclosure: Simone is part of the GCCS organizing team.) The following section provides some history on the London Process and explores some of the plans for this next iteration.
THE LONDON PROCESS AND THE GLOBAL CONFERENCE ON CYBERSPACE 2015 (GCCS)
Recognizing both the growing number of cyber security threats and the need to engage a variety of stakeholders in mitigating them, the UK Foreign Minister at the time, Mr. William Hague, convened the London Conference on Cyberspace in 2011, a largely interministerial gathering with discussions on cyber security, cybercrime, international peace and security, economic growth and development, and social benefits of cyberspace. Underlying these thematic conversations was a goal of bringing more countries together to agree on the need both for better articulated “norms of acceptable behavior” and a commitment to work collaboratively to protect the potential and security of the internet.
While no “London Agenda” of agreed upon principles emerged, the London Conference provided a strong foundation for the next meeting in Budapest in 2012, where many of the more than 60 governments in attendance put forward differing proposals for “rules of the road in cyberspace,” although here too no consensus was reached. The Budapest Conference was followed in 2013 by a similar gathering in Seoul, in what has since become known as “the London Process.” Taking this process of normative development a step further, the Chair’s summary of the Seoul Conference on Cyberspace included a Framework that synthesized principles and guidelines from a wide range of other documents.
The London Process is also notable for bringing many countries from the Global South into the process of developing cyber security norms, and at a relatively high diplomatic level at that. Indeed, in Seoul, more than 90 governments attended, more than half of whom sent a representative at the ministerial level or higher. At the same time, even as the Seoul Framework noted the “essential contribution” that civil society and other stakeholders make to “the ongoing development of the Internet and the enrichment of society using the Internet”, the London Process has historically been dominated by governments with very little participation by civil society.
The next installment of the London Process, the Global Conference on Cyberspace (GCCS), will take place in The Hague on 16 and 17 April of this year. With around 1,300 expected participants and delegations from more than 100 governments, it is set to be the biggest and most inclusive conference of the series yet.
Key objectives of the GCCS are promoting practical cooperation between different stakeholders in cyberspace, developing norms for responsible behavior, and enhancing capacity building and knowledge exchange. It is interesting to see how the actions taken to further these objectives add to the London Process and respond to the recommendations made above:
a) Affirm the need for multistakeholderism and inclusivity of all actors involved in keeping the internet free, open and secure, and identify areas for action
The GCCS organizers have invested in increased multistakeholder engagement and in facilitating balanced and diverse civil society participation through an open online application process. They will also invite civil society participants to have a voice in core elements of the conference agenda. An Advisory Board established to increase civil society engagement in the conference selected around 250 applicants to attend the GCCS, of whom 110 receive funding.
To increase effective participation of civil society in GCCS and other cyber security fora, this year’s conference will feature a capacity building training program developed in collaboration with Global Partners Digital to familiarize participants of the conference with the main issues on the conference agenda as well as the broader cyber security debates. This program will take the form of an online curriculum and a pre-event occurring on 14 and 15 April, immediately preceding the GCCS.
b) Broaden the scope of cyber security paradigms to focus on securing users
The Netherlands is an active player in promoting online freedom, both as the founder of the Freedom Online Coalition and by actively promoting an international debate on the right to privacy in the digital age. The Netherlands included the theme ‘Privacy and Freedom’ as a new element on the program of the London Process as it believes that this theme is an integral and essential part of the broad debate on cyberspace. This panel will address the question of what different stakeholders could do to ensure that, in five years’ time, citizens can benefit from technological changes while retaining control over their data and safeguarding a free and open internet that generates economic growth. By formulating concrete policy recommendations on these issues, the Netherlands hopes to push the international debate on privacy forward.
c) Focus on proactive, preventative security measures and improving cyber security defenses
The GCCS wants to emphasize the need for more capacity building, exchanges of best practice, and strengthened international cooperation. Alongside the civil society capacity building pre-conference, the Netherlands will launch an initiative to promote capacity building in cyber as a key priority for the international community.
Another area that will be emphasized during the GCCS is engagement and empowerment of Cyber Emergency Response Teams (CERTs) and Cyber Security Incident Response Teams (CSIRTs), which play a crucial role in defending the Internet on a day-to-day basis. To this end, and connected to the Global Conference on Cyberspace, the Dutch National Cyber Security Centre is also organizing the ONE conference on 13 and 14 April, 2015, which is specifically aimed at cyber security professionals and members of Cyber Emergency Response Teams (CERTs).
CONCLUSION: HOW SHOULD THE INTERNATIONAL CYBER SECURITY DEBATE PROCEED?
Even as all sectors of society grow increasingly dependent on the open Web, challenges to securing the Internet and its users have become even more significant and ubiquitous. While addressing these challenges can be daunting, trying to solve these issues in isolation or without taking into account the experiences of Internet users or the need to improve security defenses makes this task even harder.
To assist governments, companies, the technical community, civil society, and other actors in meeting today’s cyber security challenges, the FOC Working Group on an Internet Open and Secure will continue to develop a map of where cyber security policy discussions are occurring, and to articulate principles and recommendations that should be included in cyber security policy to ensure it respects human rights and engages all stakeholders.
The GCCS is taking serious steps to make this discussion inclusive by inviting all stakeholders to the table equally, by making freedom and privacy a central part of the agenda, and by putting a strong emphasis on capacity building so that we can collaboratively build the internet we want. As such, at least procedurally, the GCCS sets an important example. We hope that future editions of the London Process and other national, regional, and international cyber security fora will follow suit.
The views expressed in this blog represent the views of individual authors, and do not represent the views of the Freedom Online Coalition or its members.