> On Nov 29, 2017, at 6:19 AM, Hendrik Jaeger <[email protected]> wrote:
>
> Since I have hardly thought about this topic (attacks against civilian
> infrastructure), my thoughts are still rather unstructured, but I feel
> it important to give you feedback, especially as I see no other
> feedback on this list.
Thank you. It’s an area that we’ve been working to try to improve since the
1996 “Eligible Receiver” attacks, and I’m always happy to see public discussion.
> - what _exactly_ am I stating with my answers?
Your opinion of the relative priority of protecting (or not protecting) each of
these categories of infrastructure from cyber-attack by national governments
outside of the context of a declared war. That last part we can’t hope to do
anything about at this stage.
> - how will the results be used?
We are using the results to prioritize the types of infrastructure that are
explicitly called out for protection against attack in the draft norms. We
started with the phrase “the public core of the Internet” (contributed by the
Dutch foreign ministry) and the phrase “the central forwarding and naming
infrastructures of the Internet” (contributed by PCH and the IETF) and have
been trying to work toward a more broadly-informed expert consensus which is
also more specific.
Ultimately, if the norm is successful, cyber-offense military officers will
need to extract (“whitelist”) the IP addresses of these infrastructural
elements from the lists of IP addresses being attacked, so if the definition is
insufficiently specific, we risk it being ignored completely, or discounted as
unactionably vague. On the other hand, if it’s too specific, we risk loophole
interpretations.
> - By saying "I do not consider it necessary to include X in this
> protection from government attacks" do I not implicitly say "I
> consider it OK for governments to attack this infrastructure"?
Rankings to the left of the center on the slider do imply that, yes. While
rankings to the right of the center on the slider imply that you believe some
degree of protection, exclusion from attack, is warranted.
> - By saying "Governments should never attack Y", what are the
> implications for private law? Does one (not being a government) become
> a terrorist when one attacks Y, or is one still "just" a criminal?
The goal we’re working toward at this stage is a norm, rather than a treaty, so
somewhat less formal. Countries which abide by the norm would make efforts to
behave well themselves, and to use their own domestic laws to encourage the
people within their borders (because diplomacy is Westphalian) to also respect
the norm and the protections it describes.
So, although the original goal was to describe protections for civilian
infrastructure against government attack, the effort has shifted slightly to
encourage governments to also try to get their residents to not participate in
such attacks.
All in all, it seems like a good thing, and the consensus of the diplomats
involved was that that was not a poison-pill… it would not make adoption of
the norm less attractive to governments.
> - There are similar things in effect already, and there are a lot of
> players who simply do not care about it.
Perhaps similar, but there is no norm on this topic which enjoys any consensus.
The effort in the UN failed.
And if by “similar” you mean comparable-but-in-other-fields, like nuclear
nonproliferation, or climate protections, or non-use of landmines, sure, there
are lots of norms out there, and they all have different levels of adoption.
The most successful ones also tend to be the most obvious and the least
far-reaching. Those can serve as easy building-blocks toward more ambitious
agreements that can then follow, but couldn’t have been reached in a single
step.
> I don’t think Guantanamo is in any way in concordance with a lot of law.
A norm is not law. A norm encodes a common understanding of shared social
values. If a country’s government does not share those values, it won’t
ascribe to the norm, or it will do so in name only, but will not actually abide
by it. National governments are sovereign, and are only responsible to their
citizens if to anyone at all. That’s the unfortunate reality that we find
ourselves in. But the building-block we have is social ostracization. If a
country fails to abide by a widely-adopted norm, it finds itself isolated
diplomatically, and that has real costs in achieving its objectives. That’s
all the stick we have, but we have to fashion that stick, and in doing so, we
have to reasonably judge the compromise between making it too weak (which
allows governments to claim to abide by the norm while not actually improving
their behavior) versus making it too strong (which reduces consensus on its
adoption, and weakens its effect).
In that context, it’s important that we prioritize what we want to protect as
accurately as possible.
It turns out that experts on Internet infrastructure believe that “wealth
management” services do not require any special protections, whereas Internet
exchange points and the power grid do. No big surprise there. That’s not to
say that the 1% wouldn’t be awfully unhappy if they found their private bankers
to have been compromised, but it is to say that we don’t need to spend our own
effort on that particular battle while IXPs and the power grid still aren’t
protected.
> NSA and CIA don’t seem so very concerned about too many regulations
That’s not exactly how I’d put it. They employ a vast number of lawyers to
contrive baroque explanations for why what they’re doing is ok, for
radically-unrecognizable values of “ok.”
But yes, fundamentally, this effort pits the US, Russia, and China against
pretty much all the other governments of the world. On the one side are a very
few countries which do not want to see their self-defined “right” to attack
other people at will called into question. On the other side are all the other
countries, which view the operation of the Internet as being critical to the
wellbeing of their people and the functioning of their economies, and don’t
want that undermined. There are a very few other countries which are on the
fence, but they’re not really diplomatically significant in the numbers that
we’re talking about here.
> How is this different?
When the CIA does a drone strike against a hospital, after having been duly
informed of the location of the hospital, the US government loses face, loses
friends, and loses diplomatic influence. That’s a violation of the Geneva
Conventions. In cyberspace, we have no equivalent of the Geneva Conventions,
which is recognized as holding sway by most nations. Thus when the
cyber-offense units of the US, Russian, and Chinese militaries conduct attacks
against civilian infrastructure, there’s little to no diplomatic consequence.
Gaining widespread adoption of a norm on cyber-offense is the first step toward
that goal.
>> It’s being taken seriously by governments
>
> Hahahahahahahahahaha
> Sorry, but I’d love to know which governments you are talking about.
Netherlands, Estonia, Singapore, India, France, Kenya, as a few examples that
are particularly active in the current effort. If you look at the previous
effort in the UN, you see the following countries participating:
2015: Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana,
Israel, Japan, Kenya, Malaysia, Mexico, Pakistan, the Republic of Korea, the
Russian Federation, Spain, the United Kingdom of Great Britain and Northern
Ireland and the United States of America.
2013: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France,
Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of
Great Britain and Northern Ireland and the United States of America.
2010: Belarus, Brazil, China, Estonia, France, Germany, India, Israel, Italy,
Qatar, the Republic of Korea, the Russian Federation, South Africa, the United
Kingdom of Great Britain and Northern Ireland and the United States of America.
Note that the three countries which don’t want to see consensus in this area
participated each time, and indeed, it proved impossible to reach consensus
under those conditions. When I say “taken seriously” I don’t mean that they
all agree, I mean that they think it’s important.
And I think it’s vastly more important to figure out what 90% of the world
agrees on, than what the US, Russia, and China don’t disagree with.
>> cyber-attack X”). The other is addressing the question of what
>> infrastructures should be protected (i.e. what is the X that
>> shouldn’t be attacked). I’m chairing that second working group. The
>> main thing we’re delivering in Delhi is the result of a survey of
>> what infrastructure people think should be protected.
>
> To give my answer to that question: all.
> Why should _any_ _civilian_ infrastructure _ever_ be a target for
> inter-national disputes at all? In how far is that ok?
I agree, and that’s exactly my motivation, and PCH’s organizational motivation.
However, we’re a small organization, and cannot reach “all” in a single step.
With the concurrence of many like-minded governments, however, we can advance
toward that goal by taking a number of smaller steps, and gathering momentum
along the way. The fact that the entire goal cannot be reached in a single
step is not a reason to avoid working toward the goal.
> If we do need rules, how about "don’t attack anyone"? And if anyone
> breaks that, one has to answer in a courtroom and bear the consequences
> of one’s actions.
Unfortunately, Westphalia. And armies. So, it would be nice, but people with
guns don’t want to listen to us. And we can’t force them without stepping down
to their level. And I hope that’s not a compromise that any of us would make.
> It only takes a couple of minutes when one does not question the
> premise and actually thinks about this topic. Please be honest about
> this. You are chairing that working group. There is nothing easy about
> that topic.
Indeed, it’s a very difficult topic, and has taken a portion of my time and
effort for more than twenty years, now. Likewise, it’s taken the time and
effort of a number of other people. But we can’t expect everyone to put very
much time and effort into it, regardless of how right-thinking they may be on
the topic, because people have lives and work and those must be attended to.
So, I try to bring other people into the process when I have some degree of
confidence that the amount of their time that I’m asking for is an amount
that’s justified by the benefit, and is unlikely to be wasted. The survey
you’re seeing is a vastly-simplified one that’s distilled from the results of a
previous survey that had several hundred much more specific questions. A much
smaller number of people were able to afford the time to work through it, but
their contribution was very valuable, in that it allowed us to draft this
simpler one, based on its results.
When you say “question the premise,” do you mean the implicit premise that it’s
possible to assign relative priorities to the protection of these different
infrastructures, when you’d much rather none of them were attacked? Or do you
mean something else?
This isn’t an ideological position, it’s a pragmatic one. I think our ideology
is in agreement, in so far as I can tell from what you’ve written.
> I wonder: what is this process that will make my life easier?
If we succeed in achieving a norm, the diplomatic costs of violation of the
norm will place a disincentive on violators, and yield a relative reduction in
the number of national cyber-attacks we all have to cope with, leaving us with
more time for our lives and work. For some of us, the amount of time invested,
particularly if it can be just a few minutes filling out a survey, can be
relatively quickly recouped in the event of even a modest success.
-Bill
_______________________________________________ swinog mailing list [email protected] http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog