As mentioned earlier, I attended the
Cyber Conflict Law and Policy Conference in Tallinn last week. The event was organized by the CCD COE and took place in Swissotel from 9-11 September. About 150 attendees from about two dozen countries discussed issues like the applicability of the Law of Armed Conflict, legal frameworks etc. I will try to briefly summarize by sessions.
Setting the StageThe conference opened with a keynote speech by the President of Estonia,
Mr Toomas Hendrik Ilves. He stressed the need to adapt the defense thinking (including legal frameworks) to the changes in technology. He illustrated the point with medieval defensive structures in Tallinn, which were useless in fending off air raids during WWII. He also talked about the need for collective cyber defence. An important idea was that in NATO, as far as cyber defence is concerned, we should focus more on Article 4 (consultation among nations) today, so that if and when Article 5 (collective self-defence) is ever needed, there is already some consensus.
Next speaker was
MG Glynne Hines, Director of NATO HQ C3 Staff. He pointed out the need for
consistent legal advice and the usefulness of embedding lawyers in a cyber defence organization. He alsp briefly touched upon some changes in NATO that were initiated by the lessons learned from the 2007 cyber attacks against Estonia: adoption of NATO cyber defence policy and concept, accelerated development of
NCIRC and the NATO cyber defence exercise.
Ms Eneken Tikk of the CCD COE, the content organizer for the conference, introduced a draft Framework for International Cyber Security (FICS), which was developed in cooperation with George Mason University Center for Infrastructure Protection (GMU CIP). Basically, they are a collection of abstract models/slides that should be helpful in reaching a common understanding about the issue.
Country Reports on Cyber Security Strategy
Ms Heli Tiirmaa-Klaar from Estonian MoD gave a brief overview of the 2007 April-May events, as well as the pervasiveness of e-services in Estonia. She then proceeded to introduce the Estonian
Cyber Security Strategy. Some more points from her talk: cyber attacks pose a new asymmetric threat against critical infrastructure and the development of cyber defence capabilities is very uneven across different states.
Dr Per Oscarson from the
Swedish Civil Contingencies Agency gave an overview about his organisation and the Swedish approach to national cyber security. It seems the Swedes have at least in theory a model for planning cyber security, consisting of two main parts: the strategy (vision and strategic directions) and the action plan (explicit objectives and measures).
WCDR Adrian Frost from UK MoD proceeded by giving a quick overview of the British approach. Apparently, UK considers cyber as one of the five domains (air, land, sea, space and cyber), similar to some thoughts I have heard from USAF in recent years. He briefly introduced the UK Cyber Security Strategy (approved 23 June), which aims to secure UK advantage in cyberspace by reducing risk (public), exploiting opportunities (industry) and improving knowledge, capabilities and decision-making (international).
Autopsy of a Cyber ConflictProfessor Daniel Ryan from the US National Defense University gave an interesting talk about the lawyer's look at a cyber incident. Specifically, he addressed the issue that there are regular incidents (handled as per SOP or ignored) and then there are INCIDENTs that really matter. In the latter case, one needs to determine if it is an attack (or accident, technical failure etc.), who is behind the attack (attribution) and who can/should respond to the attack (law enforcement, intelligence, military, lawyers).
Next,
Dr Bret Michael from the US Naval Postgraduate School addressed various cyber conflict issues from a more technical viewpoint. Among his points was the claim that c
loud computing will change the way we work and will introduce new security challenges. An interesting thought was the martial arts analogy - in cyber defence we should not focus on rigid and forceful response (
karate), but rely more on the flexibility and use of the opponent's strength (
aikido).
Unfortunately I had to leave early that day and I didn't catch
Mr Joe Weiss' (Industry Expert and Control Systems) talk on industrial control systems, but I heard that he gave an insightful presentation on the vulnerabilities associated with the systems that uphold modern society.
Cyber Security Institutionalized - Pieces of an Effective Defence ModelThe second day started with
Ms Eneken Tikk's talk on international organization's legal and policy approaches to cyber incidents. Sha listed the numerous laws, regulations and directives that various IOs have produced to deal with cyber security matters. To limit the scope, she briefly examined the documents that focus on data protection and concluded that while there are a lot of regulations in place, they tend to be stovepiped and there is not enough practice in using the breadth of tools available. She also discussed the different approaches that have been taken in various EU countries on data protection.
Ms Yurie Ito from ICANN, formerly of JP-CERT gave a presentation about recent developments in ICANN, with regard to security. Unfortunately she did not have enough time to delve deeper into her slides on Conficker, as I am sure her insight would have been valuable.
Ms Maeve Dion from GMU CIP addressed public-private partnerships and national input to international cyber security. She touched various points, including the many areas of law that deal with aspects of cyber, informal vs formal networks in cyber defence, developing strategy and risk analysis methodologies.
The day ended with three working groups that discussed FICS and cyber law/policy issues.
Enhanced FICSThe final day started with
Professor Derek Jinks from US Naval War College. His talk was on the Law of Armed Conflict (LoAC) and the military perspective. He pointed out that LoAC is not there to minimize "war" as an official status of affairs, but to minimize organized violence. Another good point was that "armed" does not imply any physical properties or mechanics, but rather organized application of violence. He further explored the concept of armed attack, as it is often used in the definition of armed conflict. He noted that armed attack is subject to various conditions, such as
severity (death or substantial destruction of property), s
tatus of the attacker (according to UN terms, attacker is state, but in practice it is often a non-state actor that may or may not have state sponsorship),
status of the target (again, old rules dictate the state as target, whereas in practice, any entity that the state can claim sovereignty over, incl. citizens), necessity, proportionality, time-proximity etc. He also raised some interesting questions about new concepts like cyber occupation (displacing civil authority by means of cyber attacks). A very good talk indeed, even though he did not have enough time to go into all the details.
Next came
Dr Thomas Ramsauer from German Ministry of Interior. His talk focused on the law enforcement perspective, but he also revisited some LoAC questions. He used a nice model of cyber conflicts, where you have the damage to target on one axis and organization of the attackers on the other. Then, as damage and level of organization increase, one progresses from cyber crime to cyber terrorism to cyber war. While I don't think it is that simple, it is a nice and visual way of presenting the idea. He also briefly touched the Schmitt test and the concept of attributing "private attacks" to a state actor. An interesting thought was that in order to limit collateral damage to civilians, commanders in future wars may be obliged to prefer cyber attacks over traditional means of warfare.
Mr Lauri Almann from Aare Raig Attorneys-at-Law (former undersecretary of defence of Estonia) gave a talk on national defence law from the government perspective. He focused on factors of decision making, which consisted of four one-dimensional axis': secret-public, fast-slow, international-national and professional-emotional. He proposed that in cyber conflicts, the first of all these pairs is the relevant (used) property. I am not sure I agree. Secrecy in international environments seems to exlude the fast property and often the professional property as well. He closed by noting that there is not much need to exercise the technical community (as they perform the cyber defence mission daily), but educate and train the legal and political community, who only get involved when things get hot [and potentially profitable - author's note].
Professor Lilian Edwards from University of Sheffield provided a brief glimpse into the information society law and the user perspective. She noted that laws should always set a balance between security and privacy. The problems appear when the balance varies from law to law and over different jurisdictions.
The conference ended by comments of the observers as well as summaries of the working group results. A couple of points that stuck were the slide on the spectrum of state-sponsorship by
Jason Healey (US Cyber Conflict Studies Association) and the idea that some sort of International Cyber Tribunal may be needed [not sure how much success other international tribunals have had].
Finally,
Mr John Bumgarner from the US Cyber Consequences Unit gave a short overview of their recent report on the lessons learned from the Georgia cyber attacks in 2008. Unfortunately, the report is not public, so his notes were fairly general and added little new insight to the events in Georgia. It's a shame, as he possesses a wealth of knowledge on the subject. I understand his position, but it is yet another example of classification issues diminishing the value of research.
Disclaimer: I hope I did not do injustice to anyone by misunderstanding or missing key issues in their talk.
Overall, the conference was a success and I am looking forward to the next one. I had the chance to talk to many interesting people on the sidelines and I also met some old friends. The cyber scene is very small indeed.