International collaboration on cybersecurity: the Paris Call and beyond
The French president has launched an initiative to tackle malicious actors in cyberspace, backed by some 50 nations. International collaboration is essential for cybersecurity, but can it be achieved? Andrew Tunnicliffe talks to cyber experts to find out.
“The Internet is at risk. Malicious actors are clashing online, using digital products as weapons,” warned French President Emmanuel Macron in late 2018. “We've allowed the enemies of liberty to gain prominence, casting away everything we fought long and hard for."
His comments weren’t particularly ground-breaking, but they gave new impetus to those who have argued against the militarisation of cyberspace.
Speaking at the Paris Peace Forum, Macron announced more than 50 countries and 250 global organisations had endorsed an agreement to limit the use of cyberspace for hostile purposes, the Paris Call for Trust and Security in Cyberspace (Paris Call).
The Paris Call: keeping cyberspace secure
“The Paris Call seems to have a series of commitments that the endorsers, at least, support,” says AccessNow’s Drew Mitnick, a cybersecurity and human rights expert. “It would limit some of the harms we’ve seen, things like preventing the spread of malicious ICT tools, for example, or ensuing your digital product is secure. Things that would benefit everyone and that have, at times, been challenged by the way some of the actors have treated them.”
The Paris Call requires signatories to increase resilience to malicious online activity, prevent electoral interference and trade secret violations, counter state-backed and ‘mercenary’ activity, and improve ‘cyber hygiene’ by bolstering the security of the Internet and devices that connect to it through stronger international standards.
“A lot of emphasis is on the establishment of norms to prevent some of the harms that are arising, particularly in relation to the way states are using cyber offensive operations, and even the private sector,” Mitnick continues.
Welcoming the announcement in a blog he wrote before speaking to us, he said: “While the deal is far from perfect, its commitments largely benefit users, including users at risk, and will reinforce valuable norms of behaviour online.”
Global cyber initiatives: the industry steps in
Cyberspace is fast becoming the next frontier for state actors and criminals wanting to cause harm. The Paris Call aims to address this, as does the Siemens-launched Charter of Trust initiative to develop and implement rules for ensuring cybersecurity throughout the networked environment.
“The Charter was identified by Siemens about two or three years ago,” explains the company’s Paul Hingley, business unit manager for data services and product solutions and security officer in the UK. “As we move into this digital transformation of industry, we have to develop a trust model that our customers can buy into, understand, and feel confident their suppliers are looking at the overall holistic approach to security.”
Although its customers are increasingly aware of the threats they face through a more integrated and connected business, and the outside world, Hingley says there is more to be done, and the momentum needs to be ratcheted up. “Governments are understanding there is a digital transformation going on. But is business acting quickly enough? No, not yet.”
“It will take something ‘catastrophic’ before anything changes in a significant way.”
This is why standards need to be developed that are applicable to all. Speaking of the UK specifically, Hingley warns it will take something “catastrophic” before anything changes in a significant way – something the Charter of Trust wants to avoid.
Noting recent high profile cases of data breaches and malicious attacks such as the WannaCry episode, he says openness is key. “The more people talk about this, the more they stand up and provide good competent information, the more the marketplace will gain an understanding of how they design and develop their levels of protection.”
Hingley says collaboration is vital and calls on industry to embrace the principles of the charter, promoting them as a benchmark for the way industry and suppliers into industry are taking security seriously.
“To me, the Charter of Trust is a good vehicle to remove some of the conservatism from the digital transformation,” he adds. “Some companies are concerned about changing their digital footprint because of concerns of security. By dealing with companies providing services and solutions that are on the Charter of Trust, you get that consistency and confidence.”
Russia, China, and the US fail to sign
Both the Charter of Trust and the Paris Call emphasise the need to work together in order to demilitarise the Internet and promote peace online.
“Peace online is essential for the functionality of the various processes that require Internet access,” says Mitnick. He warns that if the issue of online, and in many cases, device security isn’t addressed, users may lose trust and migrate away from platforms that aren’t seen to be doing enough.
“Without creating trust in security… there are big human rights harms and economic losses. There is also a risk to international relations with the way countries engage with each other.”
“Without the support of Russia, China and the US, questions have been raised as to how effective the agreement really can be.”
That suggestion is, perhaps, borne out by the failure of the US, China, and Russia to support the Paris Call, which aims to restrict how nation states use the Internet and other cyber means to threaten critical national infrastructure, spy on citizens, and on each other. Without their support, questions have been raised as to how effective the agreement really can be.
However, that failure to endorse is just part of the picture for Mitnick. “I think it more identifies where there is support for the commitments within the Paris Call,” he says.
China and Russia have thrown their weight behind UN initiatives that, he argues, simply aren’t as robust. “They have this idea of a stronger UN-focussed approach, which would not, at least in the work we’ve seen, provide the same kind of principles focussed on human rights.”
Is cybersecurity being used as a disguise?
Some commentators have argued there are countries that don’t have the interests of a safer cyberspace at heart.
Mitnick goes further, pointing out that a few are using the guise of cybersecurity to further their own ambitions by introducing measures they claim promote safety and security. “We can speculate as to how these powers are being used, but without more transparency we can’t have an effective conversation about whether they are used appropriately.”
He believes that some states are using powers to sweep up data and surveil citizens. It is here, he says, the Paris Call needs to go further. “The call talked about private sector hacking, but didn’t talk about government hacking, although it was implied. There is room for the Paris Call to address some of these questions,” he says.
“There are a number of governments which are perhaps not using this moment to engage with the international community as well as they should be.”
Finding that balance is a challenge, and often open to interpretation. In May 2018, EU states were required introduce laws which facilitated the implementation of the NIS Directive, developed to increase levels of cybersecurity across the bloc. Like the Paris Call and Charter of Trust, the directive is intended to develop a culture of cybersecurity across borders, and cortical infrastructure sectors such as such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
One country succeeding in this, according to Siemens, is the UK. “The UK finds itself in quite a unique position,” Hingley says. “If you look at what it is doing with the National Cyber Security Centre, it’s a massive step forward. The government has acted. The future of all governments within Europe is to look at that type of approach, which allows states to react a lot more quickly.”
Some remain cautious on the issue of being able to establish peace online, not least Mitnick. Although he is positive about much of what has been done, he flags the different approaches of some, and the risks posed by using the cybersecurity conversation as a weapon itself.
“There are a number of governments, which are perhaps not using this moment to engage with the international community as well as they should be. They are prioritising national sovereignty… rather than collective security,” he says.