Multinational Cybersecurity Forum

 Multinational Cybersecurity Forum

Zichron Ya’akov, 5-7 November 2017

Summary of Discussions

• Introduction and points for further discussion
  

• Sunday, November 5, Session 1: Keynote, Dr. Eviatar Matania
  

• Monday, November 6, Sessions 2 and 3: Cyber Active Defense by the Private Sector and Cyber Active Defense- Policy Choices
  

• Monday, November 6, Session 4: Cyber Protection of Individuals and Small Business
  

• Monday, November 6, Session 5: Protecting the Political System from Hacking
  

• Tuesday, November 7, Session 6: Encryption Policy
  

• Tuesday, November 7, Session 7: Cybersecurity and Surveillance: Public/Private Interface

• Tuesday, November 7, Session 8: Government Hacking
  

• Tuesday, November 7, Session 9: Wrap-up
  

Introduction and points for further discussion

The Center for Cyber Law and Policy of Haifa University convened a high-level, multinational conference on cybersecurity between November 5 -7, 2017 in Zichron Ya’akov, with participants from academia, the private sector, government, and civil society joining from Australia, Germany, India, Israel and the United States (the list of participants is attached as Appendix 1).

Discussions focused on some of the difficult issues currently confronting regulators, practitioners and academicians. These included the development of norms at the national and international levels, the allocation of responsibility for cyber defense among governmental and private sector actors, dilemmas around private organizations’ hackbacks to hostile cyber activity, manipulation of electoral, political and other data; and encryption policy and data surveillance. The discussions reflected innovative thinking and approaches to these issues, as well as some of the frustrations around the difficulties in resolving them.

 Sunday, November 5, Session 1: Keynote, Dr. Eviatar Matania, Director-General of the Israel National Cyber Directorate

The conference opened on the evening of November 5^th with a keynote address given by Dr. Eviatar Matania, the head of Israel’s Cyber Directorate. Matania related the development of Israel’s cyber ecosystem and emphasized some of the regulatory mechanisms that have evolved since the founding of the National Cyber Bureau, which now constitutes part of the Directorate, by government decision in August 2011. In particular, Israel has developed a unique approach to critical infrastructure protection (which focuses on specific aspects of an organization’s network, and not necessarily the entire corporate computer system); sectoral cyber defense; and all-network defense at the national level. The establishment of CERT-IL in the Beersheva cyber hub is one example of the latter. Matania noted that the Directorate’s approach is to develop cybersecurity solutions that are operative at the national level, not sector-specific, vector-specific or tailored to particular technologies – a so-called “Iron Dome” approach, which protects the entire country rather than a specific asset. In thinking about shared agendas at the global level, Matania emphasized the importance of developing global norms, IoT standards and security that need to be forged together with industry actors, and common frameworks for threat mitigation. He welcomed further discussion at the international level and Israel’s participation in both multilateral and binational initiatives.

Monday, November 6, Sessions 2 and 3: Cyber Active Defense by the Private Sector and Cyber Active Defense- Policy Choices

Two sessions on November 6^th were devoted to the controversial issue of active defense in cyberspace on the part of private-sector organizations. The participants agreed that some of the key difficulties are the lack of clear international and national legal norms in for organizations considering the options for self-protection in confronting cyber threat vectors; the short time frame for responses (although it was noted some threat vectors are identifiable persistent over time); the problem of differentiating between cyber offense and defense; and the division of responsibilities and authorities between government and private sector actors. Governments worldwide have been unable to diminish hackers’ motivations for attacks, and the risk vectors continue to escalate. The private sector finds itself in a bind: governments don’t want to own all aspects of the cyber problem, and will not commit to responding to threats and attacks on behalf of companies. On the other hand, opening the use of countermeasures to non-governmental players will result in their use based on these actors’ limited ability to conduct attribution. The clear majority of private actors lack access to the sophisticated attribution tools and information available to government. Yet real vulnerabilities and exposures exist, as with Google’s Operation Aurora in the context of Chinese operations against that company.

The route of cyber insurance and investment in risk management is a bottomless pit in terms of expenses and budget, and there are few reasonable or reliable options at present. One of the analogies offered as a basis for building a more robust normative and operational response to these threats is that of maritime security and Letters of Marque. Not all participants accepted this analogy, noting the differences in the applicable normative framework and the current extra-legality of hackbacks. Private sector participants, in responding to this analogy, emphasized the problem of legal restraints on access to computers and other tools and processes that make hacking back difficult, as well as aspects of defense research. There is recognition of the problem of third-party collateral damage, yet private actors could be more efficient if they had more room to maneuver. One of the issues noted is the lack of definition and conceptualization of hackbacks, active defense, and offense. Several participants noted that there is a lack of clarity around these concepts at the operative and technical level, even before the normative boundaries come into play. For example, many attacks may be characterized as “one and done”, which creates an incentive for weak organizational security. Moreover, companies may create vulnerabilities so that they can draw in hostile attack vectors and then fight back on their own terms, with their own agendas. Governments are confused about their role and the capabilities that the private sector has. One participant suggested that governments may want to stay as far away as possible from the issue of active defense. Another advocated the approach that governments need to take clear responsibility for this public policy issue as a matter of risk reduction and conformity with public international law, which provides mechanisms for collective security and self-defense. The example was given of Israel having established a specific role for the government even at the level of technology and operations, as evidenced by CERT-IL and the broad mandate of the Cyber Authority. Two questions were raised on the part of participants for practitioners, regarding the specific guidance that the private sector seeks from the regulators (such as hard permissions, soft permissions, liability protections) and the degree to which hackbacks may err with its methods and targeting. The latter is a key piece of information for any policy discussion. If hackbacks bolster cybersecurity, that data is also relevant to the formation of policy, and should perhaps be supported by clear international norms. In any event, the technical community needs to be much more specific about the degree of freedom which they seek for hackback activities, and what the parameters for such activities should be.

Regarding the policy choices to be made, the discussion focused on the incentivization of options for hacking back, on the one hand; and refraining from it, on the other. Relying on insurance companies only rolls the ball back to the government regulators, and the incentives are also different for insurance companies and their clients. Several participants raised the issue of how to proceed with the public policy project of the normative treatment of hackbacks. One noted that a theory for how to proceed is critical: public security and safety is a public good, and we have been treating it so far as a private good. There are very clear public guarantees for public security in contexts other than cyberspace, but in the cyber context we need to focus our concerns and define what needs to be protected, to build up a richer and more textured sense of the choices to be made and their costs. Another mentioned that private security protection has been the guiding paradigm, yet there should also be a corporate social responsibility element that includes antitrust considerations. These are global issues, not only domestic ones. A third participant raised the topic of the ethics of hacking back, which is a type of retaliation and needs to be tempered with a professional (or other) set of ethics. Currently, many hackers simply don’t care about the ramifications of such activities. A fourth offered the idea that standards be developed for security professionals that would include ethical guidelines, including avoidance of damage to protected third parties. The session concluded with a proposal for a PPP mechanism of some form that would take on the task of clarifying understandings around hackbacks at the global level, with possible involvement of enforcement bodies such as the FBI and Europol. Care should be taken to avoid carving out rules for specific operators and enabling a “race to the bottom” for cyber fora that might be lax in enforcement against hackbacks that do not conform to agreed norms.

Monday, November 6, Session 4: Cyber Protection of Individuals and Small Business

Individuals and small businesses encounter issues that the bigger companies do not need to take into consideration. They are less pro-active about interaction with governments and regulators, and are often on the receiving end of cybersecurity educational projects and initiatives. The Israel Internet Association, an NGO, has launched one such initiative. Governments are sometimes slow to initiate such programs. Several participants discussed the “seat belt model” and “no smoking here model” of government regulation for safety issues, including cybersecurity. One participant advocated these regulatory approaches, which are based on public education and helpful in the context of individuals and small businesses. Others expressed the inappropriateness of such regulation in general, and in the cybersecurity context: there may be discomfort at government mandates of specific behaviors; and there is a danger of the regulator acting in a way that is too alarmist and thus ultimately ineffective. Another difference between the seat belt model and cybersecurity lies in the fact that safety belts are in cars in the first consumer market, and such is not currently the case for cybersecurity. It may be advisable to build it in to products and services more effectively, but there are separate market dynamics for standardization that depend upon market share. A final comment noted that there has not yet been “enough carnage” in cyberspace to tip the scales towards better deployment of available solutions, and the public is not sufficiently alarmed. One idea might be to work with consumer protection organizations and emergency services to develop the basics of cybersecurity at the national level.

Monday, November 6, Session 5: Protecting the Political System from Hacking

The initial speaker in the session noted that currently, we are only scratching the surface of the manipulation of content, including the buzzword description of “fake news”. The typology and analysis is currently being created, as well as the consciousness of these phenomena and the possibility of developing relevant norms. Care needs to be taken not to address these points in an exclusively Western way, as they are global in nature. They constitute a subset of the broader data security and cybersecurity normative framework, although there are already hybrid situations involving both manipulation of data and cybersecurity concerns. The elephant in the room is the question of how private companies who are the intermediaries of data manipulation should be treated. Another participant raised the issue of trust and truth in the digital age, and asked what a methodology for the analysis of fake news and its variants looks like, including the quantification of types of data. The point was made that poor journalism is a major jumping-off point for data manipulation for public consumption, and several participants emphasized the importance of bolstering the profession of journalism in terms of ethics and scope of reportage. The discussion then turned to the vulnerabilities of electoral systems that are cyber-enabled, and thus vulnerable to manipulation. The question arose of why electoral data should be treated differently from other types of data. The Indian national experience with electoral data was shared, as well as the Israeli approach (“paper ballots only”). Yet the solutions required for keeping the integrity of election processes and avoiding “information pollution” must be global. A final comment emphasized that the privatization of internet governance is a stumbling block to a global solution, and that greater transparency may not be possible at present. It was suggested that one path forward might be to re-introduce verification mechanisms and middle actors and consider a process of re-mediation, both for electoral data and information of other types.

Tuesday, November 7, Session 6: Encryption Policy 

The session began with a presentation on symmetric and asymmetric cryptography, and some of the issues arising from government intervention in encryption processes at various points, including backdoors that are accessible prior to encryption. There was discussion of the analogy of the locking of suitcases for airline travel, i.e., the unreasonableness of allowing private travelers to lock their suitcases in a way that would prevent security inspections (i.e., “encrypting” their suitcases). Three participants held that the analogy was not an appropriate one: the first because most passengers want to protect their possessions, not their privacy – and privacy is not the same as secrecy or security; the second because the correct metaphor that of locking up the engine of the plane, where the critical vulnerabilities lie; and the third because the integrity of the “suitcase” is also at stake – that is, passengers do not want items to be placed in their suitcases without their knowledge and agreement. The issue at stake is not only encryption, but the whole concept of the “trust architecture” of cyberspace. Regarding the construction of trust mechanisms in cyberspace, one participant quoted Chertoff as saying that “in open societies, we accept some serious limits on detecting bad guys doing bad things”, which can result in an overall skepticism or lack of public trust regarding cybersecurity. It was noted that there is also a gap in the available data around encryption: how many instances of personal data loss are in fact preventable by encryption, and how many requests to remove encryption by governments are actually implemented? Several participants discussed the different, often conflicting agendas of the three professional communities involved in the encryption debate: the technical community, law enforcement and policy makers. It was proposed that better communication needs to be developed among these communities, and more transparency regarding strategic agendas. For instance, the law enforcement community in the United States has a strategic plan for weakening systematic security by insisting on backdoors; while the encryption community is not planning for the long term and as a result will ultimately have to sacrifice its priorities. Nonetheless, there are also real, life-threatening consequences to ignoring the concerns of the law enforcement community, especially regarding terrorist activity. The private sector may also have to assume public responsibilities, and not be irrevocably focused on supplying the perfect product to consumers. The discussion concluded with a call for better communication among stakeholders, and a common understanding that a certain level of encryption is non-negotiable on the part of the technical community; while law enforcement requires exceptional access to protect lives. The final determination will be that of a reasonable, proportional risk assessment, but we are far from approaching that solution at present.

Tuesday, November 7, Session 7: Cybersecurity and Surveillance: Public/Private Interface

The initial presentation emphasized that many legal systems try to balance government surveillance and privacy in an optimal way, yet expectations of privacy are different in each society. The lawyers try to keep things proportional, and often opt for judicial review and oversight, with wiretapping without warrant to be permitted only in urgent or unusual cases. There are also solutions which are not legal per se: informal cooperation between government and private sector, such as described in the 2003 Birnhack and Elkin-Koren article on “The Invisible Handshake”. The handshake may be necessary, but it should not bypass constitutional safeguards. The second presenter proposed a model of “privacy-preserving surveillance”, in which those engaged with surveillance can get actionable information, but unnecessary data is not revealed (a better name may be “network monitoring”, to avoid raising the hackles of some in the technical community). One of the participants described the use of geo-fencing in Israel to aid in surveillance for counter-terrorism purposes. Detail was provided as to the modus operandi of various Israeli authorities with respect to surveillance and signals intelligence, and the differences between the Israeli Police operations and those of other public security bodies. The US and India procedures for surveillance were also shared. In general, there has been more public transparency around such procedures, although the capabilities for both surveillance and signals intelligence are constantly increasing. The issue of oversight for such surveillance was raised, especially when national borders are much less relevant. The private sector has stood up for more public transparency, but it would be better if government authorities took on this role. One of the private sector participants noted, however, that the state of affairs regarding cross-border issues is not sustainable, citing the Microsoft jurisdiction case currently before the US Supreme Court. The session ended with a call on the part of one of the participants to distinguish between mass surveillance and targeted surveillance, and to insist on more types of oversight.