May - June 2011 Issue #937

EUROPENEWIn association with:

A New Europe Special Edition

CYBER SECURITY(C) SHOPPING2NULL

EPA|ANA

EDITOR

Dennis Kefalakos

dkefalakos@neurope.eu

CYBER SECURITY EDITION

EDITOR

Cillian Donnelly

cdonnelly@neurope.eu

SENIOR EDITORIAL TEAM

Kostis Geropoulos

(Energy & Russian Affairs)

kgeropoulos@neurope.eu

Andy Carling (EU Affairs)

acarling@neurope.eu

Ariti Alamanou (Legal Affairs)

aalamanou@neurope.eu

BRUSSELS HEADQUARTERS

Av. de Tervueren/Tervurenlaan 96, 1040 Brussels, BelgiumTel. +32 2 5390039 Fax +32 2 5390339info@neurope.eu

PUBLISHERS

BRUSSELS NEWS AGENCY SPRL

Av. de Tervueren/Tervurenlaan 96,

1040 Brussels, Belgium

Tel. +32 2 5390039

Fax +32 2 5390339

E-Mail: publisher@neurope.eu

EXTERNAL CONTRIBUTIONS

Signed Contributions express solely the views of the writers and do not neces-sarily reflect the opinion of the newspaper. NE is printed on recycled paper.N

EWEUROPE

© 2011 New Europe all rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted inany form by any means, electronic or otherwise, without the permission of New Europe’s publisher. ISSN number: 1106-8299

DIRECTOR

Alexandros Koronakis

akoronakis@neurope.eu

MARKETING & ADVERTISING

Ania Lara

alara@neurope.eu

EXECUTIVE LAYOUT PRODUCER

Suman Haque

suman@neurope.eu

SUBSCRIPTIONS & DISTRIBUTION

subscriptions@neurope.eu

Subscriptions are available worldwide

Security through international dialogue

Internet privacy is not about secrecy or hiding your identity, but

about the secure sharing information. According to Frédéric

Donck, the Director of the European Bureau of Internet Soci-

ety, an NGO dedicated to providing leadership on internet-re-

lated issues such as education and standards, the true meaning of

privacy on the internet is being able to “share data in a specific

context within a given scope”.

“Transparency is about knowing who you share your data with”,

he says. “It might be one website, it maybe others”. Either way,

the issue of online security and privacy, as he fully admits, is

highly complex. The internet needs to be kept open and demo-

cratic, but it also needs to be transparent. It needs to allow peo-

ple to conduct business in safety, while ensuring tough legal

controls for tackling nefarious uses of the web, such as child

pornography, hacking and identity theft. There will be no one

panacea for soothing all maladies.

On a general level, consumers need to have a balance between

not just security and privacy, but also a reliability of networks.

With information being sent over the web, and retained on dif-

ferent levels by browsers and sites, it is becoming increasingly

important that the user “has the capacity to control their own

data”. The question, then, says Donck, is “how to make the in-

ternet a 'trusting' place”.

It is a crucial question; not just for consumers, but also, vitally, for

businesses and the private sector. Consumers and businesses all

too casually engage with the internet or other mobile technolo-

gies these days – it is, after all, an accepted part of day-to-day liv-

ing – often not altogether aware of the amount of data, from IPs

and cookies, to names and financial details, that they potentially

transmit through sites and servers. Such concerns, that data is

open to theft, while websites remain insecure and vulnerable, has

pushed the issue of cyber security firmly on to the international

scene.

The views collected in these pages represent a variety of opinions

on the topic. They cover cyber security from a business solutions

point of view, from a legal perspective, and from the wider gov-

ernmental angle. The one thing they have in common is they all

add considerable expertise to the area; they pose tough questions

and offer some thoughts on solutions.

The Second Worldwide Cyber Security Summit offers an ex-

tension of these articles, a place to ask questions and debate.

Cyber security is, after all, a global issue, and without interna-

tional debate, and the establishing of a common 'rules of the

road', the highly complex issues that arise can not move forward,

only stall.

In association with:

May-June 201102Special Edition

NEW EUROPECyber Security

Consumers need to have a balancebetween not just security and

privacy, but also a reliability ofnetworks.

Cyber Security May - June 2011 03Special EditionNEW EUROPE

A renewed focus has emerged on risk ma-nagement and business continuity in theface of the more daring cyber crime at-tacks we have seen in the past year. Thetough question, now emerging at Boardlevel with increasing frequency, is this:Can the sheer scale of a cyber criminal at-tack bring down our business?

Private discussions in London in thelast month in preparation for the SecondWorldwide Cybersecurity Summit revealgrowing concern among business leadersthat risk management for cyber attackneeds to be re-evaluated at the enterpriselevel, embracing not just the security de-partment and the business continuityteams, but adopting a much broader per-spective rooted in technology trends andcustomer trust in the security of personaldata. What does a Wiki-leaks incident inthe business sector look like? Could a newStuxnet destroy substantial private sectorphysical assets? Will new mobile phonetechnology increase the vulnerability ofour business leaders and key employees tocompromise?

There is growing recognition that cyberemergency response coordination and in-formation sharing of incident data across

borders, reaching into Asia, the MiddleEast and Africa, and across the Atlantic,will be essential components of enterpriserisk management.

We need rules of the road for the cyberworld. Just two weeks ago, the United Sta-tes Government released its first interna-tional strategy for cybersecurity, whichstates that “Incident response will requireincreased collaboration and technical in-

formation sharing with the private sectorand international community. This workcannot be fully addressed by any singlenation or sector alone … Network stabi-lity is a cornerstone of our global prospe-rity, and securing those networks is morethan strictly a technical matter.”

The UK Foreign and CommonwealthOffice has just opened a new office ofCyber Policy. Governments around the

world are engaged in a revamp of nationalpolicy for information and network secu-rity, and this now includes for the firsttime explicit recognition that diplomacyis part of it.

International Breakthrough Groupsworking over three sessions at the SecondWorldwide Cybersecurity Summit willallow participants from business, govern-ment and academia from around theworld to shape the international respon-ses they think are needed, on issues suchas supply chain integrity, internationalpriority communications in an emergency,and trusted information sharing. After theSummit, the breakthrough groups willcontinue the process of refining policy re-commendations and devising strategies tohave them implemented.

The Summit is more than an event, it isworldwide cybersecurity. If you partici-pate, you will become part of the solution.

The Third Worldwide CybsersecuritySummit will be held in New Delhi onOctober 31 – November 1, 2012, with thesupport of the Indian government, NAS-SCOM (the premier organization that re-presents and sets the tone for public policyfor the Indian software industry), and theFederation of Indian Chambers of Com-merce and Industry.

The Next Attack? Cyber Risk Management

CREDIT: Carolina Georgatou

By Greg Austin

Greg AustinVice President EastWestInstitute

What does a Wiki-leaksincident in the business sectorlook like? Could a new Stuxnetdestroy substantial private sectorphysical assets?

A global problem calls fora global approach. This iswhy EWI, a 30-year oldinternational think tank,launched its worldwide cy-bersecurity initiative andsummit series.

“

”

A Global Approach:EWI’s Second Worldwide Cybersecurity Summit

06

As technology keeps out-pacing growth in policyand law-enforcement,cyber incidents and theneed for cybersecurity con-tinue to capture many in-dustries by surprise

“

”

by Vartan SarkissianCEO Knightsbridge

Cybersystems

The “Cyber-Jungle” 09

Businesses are slowlylearning that it is no longera case of securing the phys-ical devices but rather pro-tecting the data available tothem.

“

”

by Richard Knowlton Group Corporate Security

Director, Vodafone

Mobile access to Corporate Cyberspace:Benefits and risks

07

While governments tendto be fairly effective at im-plementing and enforcingpolicy, many have struggledto incorporate private sec-tor input into the policyprocess from the outset

“

”

by Ramses MartinezDirector of Information Security

for VeriSign Inc

Solving the Cyberse-curity Paradox

10

In the shared and inte-grated domain of the In-ternet, organizations,governments, and con-sumers face a myriad ofthreats

“

”

by Paul NicholasSenior Director, Microsoft

Trustworthy Computing

The Global InternetHealth Imperative

08

There is much loose talk about“cyber war” but if we restrict theterm to cyber actions that haveeffects outside cyberspace thatamplify or are equivalent tophysical violence, we are onlyjust beginning to see glimpses of cyber war

“

”

by Joseph S. NyeProfessor at Harvard and author

of The Future of Power . Anearlier version of the article

appeared in The InternationalHerald Tribune

Cyber Security andNational Security

11

Launching cyber attackswas easy, and it continuesto get even easier with pro-liferation of attack toolsthat can be accessed easilyover the Internet

“

”

by Kamlesh BajajCEO, Data Security Council of

India

Partnerships withincountries and acrossthe world

12

Of course, spam is still areal blight on the Internet,constituting at least 80% ofall email that is sent

“

”

by Michael O’ReirdanChairman of the Messaging

Anti-Abuse Working Group andDistinguished Engineer at

Comcast Corp

Why bother withbest practices?

17

While the opinions on theprobability andintensity of adigital war vary, it is neces-sary to adopt measures toprevent cyberspace conflicts

“

”

by Wolfgang Ischinger Chairman of the Munich Security Conference

and political adviser to Allianz SE

by Oliver Rolofs Press Spokesperson of

the Munich SecurityConference

Towards a new digi-tal security culture

18

Together, the papers lookfor ways to overcomemistrust and build theconfidence needed forglobal collaboration oncybersecurity.

“

”

by Alison KungEastWest Institute

New Ideas for a NewProblem: Papers onCybersecurity

13 Our CybersecurityAgenda The First Worldwide CybersecuritySummit was held May 3-5, 2010 inDallas, Texas

15

The emergence of cyberterrorism as a phenomenonhas demonstrated the ur-gent need for effectivelyregulating the samethrough legislative means

“

”

by Pavan DuggalAdvicate, Supreme Court of

India President, Cyberlaw AsiaPresident, Cyberlaws.net Head,

Pavan Duggal Associates

Cyber Terrorism -Some legal perspectives

19

May-June 201104 Index

A Special Edition:

by Andrew NagorskiVice president and director ofpublic policy at the EastWest

Institute and the author of TheGreatest Battle: Stalin, Hitler, and

the Desperate Struggle forMoscow That Changed the Course

of World War II. He wrote thisarticle for NEWSWEEK’s Polish

edition, NEWSWEEK Polska

While we obsessedover Russian spies,top diplomats were work-ing to stop a greater espi-onage problem

20

Due to the pecu-liar physical reality

of cyberspace, the vastmajority of cyber attacks cannot beeasily attributed to definite actors.Even when it is possible to identifya specific country as the origin of anattack, pinpointing the attackers canbe very difficult.

“

”

by Alexander KlimburgFellow Austrian Institute for

International Affairs

Building Confidencein Cyberspace

23 Undersea Cables:EndangeredBackbone of the Informa-tion Age

24-25

The Pentagon called cyber-space a “domain,” and de-scribed cyber warfare as“the fifth domain of war-fare after land, sea, air, andspace”

“

”

by Franz-Stefan GadyAn associate at the EastWest

Institute

Lost in Translation –Doctrines and Diplo-matic Efforts in Cyberspace

22

Sites like Face-book, whichallow and en-

courage engagementbetween teens, both

through messaging and photos,fosters the ability to create a pub-lic image that may or may not re-flect the in-person reality

“

”

by April RudinCEO, The Rudin Group

Why parents must beon top of their kidsonline

26

Child pornography hasbecome a signature crimeof cyberspace. Organizedcrime has become involvedin the manufacture and saleof child pornographic im-ages

“

”

by John CarrChildren’s Charities’ Coalition

on Internet Safety

A blot on the landscape

27

Existing stan-dards in thearea of cyber-

crime legislation need to beadapted to the new develop-ments in information technol-ogy and cybercrime that haveemerged over the last decade

“

”

by Dr. Tatiana TropinaEWI Cybercrime Legal Working

Group

Proposal for a newglobal legal frame-work/Treaty on Cyber crime

30

The most seri-ous global cy-

berattacks in therecent year, have revealed thatalmost nobody is investigatedand prosecuted, and nobodyhas been sentenced for thoseacts

“

”

by Judge SteinSchjolberg

An International Crim-inal Court or Tribunalfor Cyberspace (ICTC)

28

Paraphrasing the old say-ing on the Colt Revolver, itis indeed true that "Godcreated man; cyberspacemade them equal

“

”

by Franz-Stefan GadyAn associate at the EastWest

Institute

From the MiddleAges to the CyberAge: Non-State Actors

31

It must be understood that paint-ing a red cross on an ambulanceor hospital does not actually pre-vent it from being attacked by abelligerent party. All the emblemdoes is alert the parties about thenature of the intended target

“

”

by Stu GoldmanExpert for the EastWest

Institute’s International PriorityCommunications Policy

breakthrough effort

The Distinctive emblemprinciple in cyberspace

29

Three Decades ofMaking the World aSafer and Better Place

32

05May-June 2011Index

Cyber Security

May-June 201106Special Edition

NEW EUROPE

If you follow cybersecurity in the news, youknow that every day personal data is stolenfrom websites and thousands of attacks are la-unched on computer systems worldwide. Aglobal problem calls for a global approach. Thisis why EWI, a 30-year old international thinktank, launched its worldwide cybersecurity ini-tiative and summit series.

At the Second Worldwide Cybersecu-rity Summit, to be held in London July 1-2, EWI will bring together more than 300top industry, government and technical ex-perts from more than 30 countries to forgeinternational, private-public solutions forprotecting cyberspace.

Sir Michael Rake, Chairman BT Groupplc, will deliver the summit’s first-day keynoteaddress securing cyberspace. On the summit’ssecond day, first U.S. Homeland Security Se-cretary Tom Ridge, President & CEO of RidgeGlobal, will deliver a keynote address on inter-national pathways to cybersecurity, after an in-troduction by noted Harvard professor JosephNye.

Other key speakers will include: Scott Ch-arney of Microsoft; Senior Advisor to DeloitteLLP; Lt. General Harry D. Raduege, Jr.(USAF ret.) Chairman, Deloitte Center forCyber Innovation; Natalya Kaspersky of Ka-spersky Lab; former U.S. Homeland SecuritySecretary Michael Chertoff, Chertoff Group;Matthew Kirk of Vodafone; Martin Suther-land of BAE Systems Detica; and KamleshBajaj of the Data Security Council of India.

Throughout the summit, government andindustry panelists will speak about how privatesector leadership can help forge private-publiccooperation on cybersecurity.

“We need a completely new model of cor-

porate leadership on public policy to securecyber systems and protect personal data,” saysEWI Vice President Greg Austin. “The viabi-lity of the digital economy depends on it.”

While the panels will provide valuable in-sights, much of the work of the summit will beaccomplished by “breakthrough groups” –small, international groups of experts each de-dicated to solving a specific cybersecurity pro-blem. One working group will explore how toprotect the undersea cables that carry 97% ofinternet traffic, and another is looking for waysto ensure emergency communications after di-sasters. Several groups will continue ongoingEWI-led bilateral processes.

At the Second Worldwide Security Sum-mit, EWI will release the first joint U.S.-Chinacybersecurity report, Fighting Spam to BuildTrust. Spam, the first topic in an ongoing col-laboration between this bilateral team of ex-perts, can be dramatically reduced throughinternational collaboration and adherence tokey best practices, according to the report.

Another breakthrough group will continueU.S.-Russia talks on forging “rules of the road”for cyber conflict. This group releasing the firstjoint U.S.-Russian report on cybersecurity,which garnered much attention at last Februa-

ry’s Munich Security Conference.At the summit, luncheons will feature en-

gaging talks. Award-winning journalist MishaGlenny, author of the forthcoming book DarkMarket: Cyberthieves, Cybercops and You, willbe the luncheon speaker on the summit’s firstday. On the second day, Charney will deliver atalk based on Microsoft’s Trustworthy Com-puting initiative.

The summit will also offer ample time forleaders to network, building the personal con-nections that are so vital to forging cooperationacross borders and sectors. This kind of trust-building has constituted the core of EWI’swork for the past thirty years.

Founded during the Cold War, EWI’s sta-ted mission is to make the world a safer andbetter place. Thanks to an extensive global net-work, EWI is able to convene leaders from go-vernment, business and civil society to helpsolve the world’s toughest security problems,like protecting cyberspace.

EWI launched the Worldwide Cybersecu-rity Initiative in 2009 because the team wasconcerned about a lack of meaningful publicdiscussion on protecting cyberspace. That callresonated with key stakeholders. In 2010,EWI’s Worldwide Cybersecurity Initiative en-

gaged more than 1,000 leaders from business,government and civil society. EWI’s govern-ment partners include Russia, China, India, theUnited State and the European Union, and theinitiative’s corporate sponsors include AT&T,Deloitte, Microsoft, Goldmans Sachs, Voda-fone, BAE Systems and Huawei.

A year ago, at the First Worldwide Cy-bersecurity Summit held in Dallas, Texas,EWI brought together more than 400 tech-nical experts, policy elites and national secu-rity officials from the world’s most digitallyadvanced countries.

There, participants worked toward prac-tical solutions for securing the internet. Thebreakthrough groups and bilateral processesbegun in Dallas form the basis for the SecondWorldwide Cybersecurity Summit in Lon-don. EWI’s third Worldwide CybersecuritySummit will be held in Delhi in October2012.

As past summit participants know, EWI’ssummits are more than an inspirational speechesand engaging discussions. Rather, they provide areal opportunity for a high-powered, diversegroup of participants to be a part of an ongoingprocess to forge real solutions. Solutions to pro-tect a resource vital to us all: cyberspace.

A Global Approach: EWI’s Second Worldwide Cybersecurity Summit

Cyber Security

A global problem calls for a global approach. This is whyEWI, a 30-year old international think tank, launched its

worldwide cybersecurity initiative and summit series.

Cyber Security May - June 2011 07Special EditionNEW EUROPE

Efficient mobile communications are increasin-gly driving the success of modern business as ourworkforces become more mobile and we storeever more corporate data in the cloud.

While this brings huge business benefits interms of improving efficiency and productivity, thesafe use of mobile devices to access corporate cy-berspace requires a deeper understanding of thesecurity risks involved.

Supported by the proliferation of high-endconsumer technology such as smartphones, ta-blets and netbooks, the adoption of personal, mo-bile technology in the corporate environment isincreasingly common. These products are chan-ging the views of both customers and enterprisesabout what can be accomplished with a mobiledevice to achieve a wide range of business bene-fits such as flexible working initiatives and betterinformation sharing.

It is hardly surprising that this new genera-tion of powerful, personal mobile devices has en-tered the enterprise space. Employees look tothem as business aids and, in some cases, as repla-cements for traditional computing tools such asnotebooks and desktop PCs. Indeed some busi-ness leaders argue that personal devices used forcorporate activity can actually lower costs for theorganisation - particularly if the employees arepurchasing the devices, software and accessorieswith their own money.

Enhanced device performance, faster mobilenetwork speeds and improved coverage have allhelped to ensure that more and more personal andbusiness data - from online banking to socialmedia activity – is being stored on handhelds.And as mobile devices increasingly access corpo-rate databases through cloud computing services,they can provide a convenient worm hole into the

cyber heart of the business. So it is important to recognise that personal

mobile devices in the workplace also raise specificsecurity challenges.

As the value of data stored on these deviceshas increased, the number of operating systems isconsolidating. And this has had the net effect ofdiverting hackers’ attention from the traditionallymore lucrative environment of PCs to mobile de-vices. Hackers relish the chance to access biggerspoils from the growing number of devices on thesame operating system, and so we expect thenumber of security attacks to grow.

The use of apps on personal devices has addedto the complexity. We see more and more cases ofmalicious apps designed to harvest data from mo-bile devices, and this provides a clear example ofwhere employees may use their devices for a so-cial reason while inadvertently threatening thecorporate network.

By their very nature, mobile devices are easy tomisplace and hard to track on corporate networks.And employees can access corporate data fromanywhere rather than the controlled environmentoffered by a fixed line workstation.

So it is clear that it is crucial to use mobile de-vices in a way that boosts productivity while safe-guarding enterprise security and sensitivecustomer data. In this way security is a businessenabler rather than a roadblock.

One of the key challenges is that these de-vices undermine the traditional model of secu-ring an enterprise by surrounding it with ahefty firewall. In the complex new world of cy-berspace, businesses need to be open enoughfor partners to access information if required,while coping with a proliferation of differentdevices seeking access in line with the user’s se-curity permissions. And personal devices alsoneed to comply with company policies such as

length of password and encryption. Internally, Vodafone faces the same security

challenges as other enterprises. With over 630different types of enterprise-enabled handsets, allworking on various operating platforms, we’veworked hard to keep security at a premium. Thelearning curve has proved invaluable in helpingour own business customers.

Even in the context of cyberspace, it is im-portant to remember that one of the weakest linksremains the human factor. Clever security relieson adopting a holistic approach that encompassesawareness, education, process and technology.While data loss and viruses pose huge threats, it isusually human error that causes devices to go mis-sing, infected files to be downloaded or passwordsto be lost or stolen. With so many different waysfor loss or infection to happen, it has become cru-cial to pay attention to the roles employees play inkeeping cyber businesses secure.

Recent research by the IT Policy ComplianceGroup indicates that a staggering 75 per cent of allsecurity breaches are down to individuals. So Vo-dafone focuses a lot of attention on education,awareness and policy.

Businesses are slowly learning that it is no lon-ger a case of securing the physical devices but ra-ther protecting the data available to them.Minimising risk by improving process, prioriti-sing threats, and accepting limitations is the onlyway for enterprises to effectively defend their ope-rations without snuffing out the benefits mobileworking offers.

Another learning has been that the industryshould not fall into the trap of trying to protectmobile devices in the same way as it does with thetraditional computer. Corporate IT teams can tooeasily lose control of mobile devices while legalframeworks make it hard to demarcate betweenpersonal and corporate use and data. It is crucial

to respect employees’ privacy through solutionsthat can differentiate between the corporate andthe personal to safeguard both corporate data andemployee privacy.

For an enterprise, the loss of sensitive dataoften has a far greater impact on the businessthan the value of the device. Even if no one mi-suses the data, the business still risks a fine forbreaking data protection laws. And as smart-phones become more powerful and ubiquitous,criminal organisations are seeing them as a wayto gain entry to potentially greater spoils. Forthis reason remote lock and wipe technologyplays an essential role in stopping corporatedata from being mined by criminals.

Companies might decide on a do-it-yourself approach to security but this requires aparticular mind set and the ability to reverse-en-gineer situations, keeping abreast of potential th-reats while maintaining a deep understanding ofinternal IT processes. Security that can accom-modate the new mobile imperative requires a highlevel of specialist knowledge and expertise thatmost enterprises, particularly small businesses, justcannot provide. As a result, the concept of deli-vering security as a managed service is gainingmore and more traction.

It is clear that corporate cyberspace willincreasingly be accessed by a proliferation ofmobile devices. Today's consumer trends areyet to peak, which means that the pressure forchange in most organisations will only inten-sify. Businesses that react thoughtfully anddecisively now will reap benefits for the rest ofthe mobility era and beyond. Furthermore,as accessing data over mobiles becomes evermore pervasive, compliance and risk mitiga-tion will also force companies to ensure mo-bile devices connected to the companynetwork are appropriately secured.

Mobile access to Corporate Cyberspace: Benefits and risks

CREDIT: EPA/PETER STEFFEN

ByRichard Knowlton

Richard Knowlton Group Corporate Secu-rity Director, Vodafone

Businessesare slowly

learning that it isno longer a case of

securing thephysical devices

but ratherprotecting the data

available to them.

May-June 201108Special Edition

NEW EUROPE

The Internet now reaches a global popu-lation of approximately two billion peo-ple. As more people, computers anddevices come online, cyber threats havegrown more sophisticated in their abilitiesto gather sensitive data, disrupt criticaloperations, or conduct fraud. As anotherbillion people come online in 2015, cy-bersecurity and the overall health of theInternet becomes a key element in natio-nal, economic, and civil society. Protectionhas become not just an individual concernof securing devices, but more of an ecosy-stem and societal concern. The founda-tions of modern society are becomingdigital and governments around the worldhave expressed concern that the criticalinformation infrastructures that supporttheir countries could be targeted.

In the shared and integrated domainof the Internet, organizations, govern-ments, and consumers face a myriad of th-reats.

These threats are anything but staticand are often characterized as technicallyadvanced, persistent, well-funded, andmotivated by profit or strategic advantage.In response, many countries have soughtto improve critical information infra-structure policy, to build effective infor-mation sharing and collaborationcapabilities that addresses threats and vul-nerabilities, and to coordinate on respon-

ses to increasing complex cyber incidents. There is a growing awareness and sup-

port for increased international collabora-tion on cybersecurity. Many industriesand corporations, including Microsoft, areinvesting in such efforts to help govern-ments, industry, and individuals better re-duce and manage risks that result fromthe uncertainty of the rapidly changingthreat landscape.

In October 2010, Scott Charney, cor-porate vice president of Microsoft’s Tru-stworthy Computing Group, released awhitepaper Collective Defense: ApplyingPublic Health Models to the Internet co-vering cyber threats, a proposal for ado-pting a public health model for Internetsecurity, and current international, natio-nal, and private sector efforts to promoteor use collective defense to help protectconsumers. At the EastWest Institute’s(EWI) Second Worldwide CybersecuritySummit, breakthrough group sessionsprovide an opportunity for leaders to con-vene with global industry and governmentcounterparts and drive collective action onimportant cybersecurity issues like GlobalInternet Health.

At EWI, the concept of InternetHealth will grow beyond the proposalstage in the form of a BreakthroughGroup session entitled Collective Actionto Improve Global Internet Health. In thesession, senior experts from Microsoftmeet with cyber security policy leaders

and security strategists from governmentsand leading global technology companiesto examine the current state of the Inter-net ecosystem and collaborate on ways toimprove consumer device health and helpreduce security risks for users, vendors,service providers, governments, and criti-cal infrastructures.

The group will address current Inter-net health challenges, review of the stateof current efforts, and diagnose major ob-stacles and work together to identify keypolicy, economic, social and technical mi-lestones necessary to accelerate interna-tional progress towards a healthier andsafer ecosystem. The EWI breakout groupexpects to publish initial recommenda-tions later this year.

Microsoft is also participating in cy-bersecurity breakthrough groups drivingprogress in other key areas such as:

• Measuring the Cybersecurity Problem

• Protecting Youth – Building a Glo-bal Culture of Digital Citizenship

• Entanglement of Protected Entitiesin Cyberspace

• Cyber Conflict Policy• Worldwide Cyber Response

Coordination• Developing Supply Chain IntegrityAdditionally, Scott Charney presents a

keynote that examines Cyber SupplyChain Risk Management.

Cyber security will remain a top prio-rity for governments, policymakers, andcitizens around the world, especially asthey continue to increase their reliance oninformation and communications techno-logies. During the past year, numerous cy-bersecurity bills have been drafted forconsideration by the U.S. Congress, eachone aimed at trying to reduce risk and im-prove the overall health or security of thecritical information infrastructure. Whilecomprehensive legislation has not yetbeen enacted policy makers are deepeningtheir commitments to improve cybersecu-rity and reduce risk at the national level.Internationally, governments in Australia,Brazil, Canada, China, Germany, India,Poland and the U.K. all have launched ini-tiatives, offices, and programs to protectcyberspace. In addition the EuropeanUnion and the International Telecommu-nications Union have also been driving ef-forts to expand and enhance internationalcybersecurity efforts.

The EWI summit provides an im-portant platform for policy makers andthought leaders to come together andshare ideas about and build constructiveengagement models that improve cybersecurity. As cybersecurity threats conti-nue to evolve, Microsoft values this op-portunity to work together withgovernments and industry at the Ea-stWest Institute summit to create a saferand more trusted Internet.

The Global Internet Health Imperative: Industry andGovernment Leaders Collaborate for Change

Paul NicholasSenior Director, Microsoft TrustworthyComputing

By Paul Nicholas

Cyber Security

In theshared and

integrated domainof the Internet,organizations,

governments, andconsumers face amyriad of threats

Cyber Security May - June 2011 09Special EditionNEW EUROPE

Over the last few years the world has seen un-precedented growth in interconnectivity andinterdependence, fundamentally altering theway we live. These changes have manifestedthemselves into increased dependence on cy-berspace, directly affecting the way we con-duct our businesses and run our governments,concurrently transforming identities, culturesand international relations. Along with intro-ducing many positive changes, today’s ‘cyber-era’ has been accompanied with manycomplications, creating new vulnerabilitiesand threats. Where once cyberspace charac-teristics and the subsequent security measureswere treated in a linear fashion (i.e. direct so-lutions to definable threats), now they are in-creasingly seen as being more ‘quantum’ intheir nature. Just as in quantum physics, whe-reby a world of atoms constantly react dyna-mically with each other on a small scale withlarge repercussions. Having a quantum cyber-space and hence cybersecurity means that weare progressively dealing with numerous un-predictable and complex actions and conse-quences affecting the wider aspects of ourworld.

As technology keeps outpacing growth inpolicy and law-enforcement, cyber incidentsand the need for cybersecurity continue to ca-pture many industries by surprise. The latestpublicly documented cyber incidents such asthe Sony PS3 hack or the Stuxnet attack onIranian industrial organisations have demon-strated that cybersecurity truly extends beyondthe world of PC viruses and financial scams.Although industry data is still rare, many in-

cidences are not reported. Research has shownthat out of known incidences in 2009, 700million people were affected by 2,300 dataleaks, 70% of these leaks were caused by insi-ders where the average cost of each incidenthas reached over EUR 1.5 million (KPMG,Forrester). When such incidents are made pu-blic, companies lose an average of 6.5% oftheir customer base. (Ponemon Institute). Theabove is an example of how a simple data leakcan damage productivity, market value, harmcustomers and other factors.

So what is the cyber threat landscape evol-ving into? Firstly, the ability to pose a cyberthreat is continually shifting to the masses.This is largely seen as a result of more peoplehaving access to inexpensive technology andaccess to the Internet (from cheaper compu-ters to having access to large cloud-based pro-cessing power). Even those with a very basicknowledge of computers may purchase hac-king tools and manuals online. Secondly, mar-kets for stolen credit cards, personal data oridentities are easily accessed and keep multi-plying. Most of these markets are illegal wherethousands of credit card numbers may be pur-chased for as little as a price of a cinema tic-ket. In the meantime, similar but legal marketsare created by the sale of private data collectedvia services such as social networks or shop-ping websites for advertising purposes. Th-irdly, we are seeing a continual evolution ofmore complex methods of hacking and orga-nized cybercrime. In some cases various gro-ups have been found to collaborate even acrosscountries (while security and law enforcementgroups are unable to do so). Fourthly, as moreof our activities (cars, pace-makers, gas-coo-

kers) get plugged into cyberspace, the morethese threats increase. Cyber threats and vul-nerabilities will always exist as our global anddigital world evolves. Over the last few yearswe have seen more activity in cybersecurity asa response to the above characteristics. Com-panies and governments are now officially re-cognising cybersecurity as a primary concern.

As seat belts or insurance are considered ne-cessary or legally enforced in many countries, somust certain cybersecurity measures. Today’scyber-era is proving to have more of a resem-blance to a cyber-jungle, where numerousplayers and stakeholders are colliding and com-peting for their interests and survival. Neverth-eless, the cybersecurity landscape requires a basicroad-map of policies, international agreements,legal frameworks, standards and relationships.So what will be included on this road?

First, exercises or structures helping createPrivate Public Partnerships (PPP) are crucialin the advancement of cybersecurity. Cyber-space is mostly controlled by private compa-nies but needs the support and partnership ofthe government in order to create the appro-priate policies and legal frameworks.

The second element needed is a platformfor international cooperation between go-vernments and corporations. Organisationslike the EastWest Institute are continually re-defining these platforms, where such relation-ships including PPP models can be forged.

The third element is the enhancement ofthe cybersecurity sector. Although technologyis a crucial element in cybersecurity, it is nowclear that the mere installation and monito-ring of devices and software are inadequate intoday’s cyber-jungle. In addition to techno-

logy, an organization may require clearly defi-ned policies/governance, procedures, testing,training, legal advice, insurance, inci-dence/emergency response abilities, manage-ment and maintenance, amongst many otherneeds. As the industry progresses, govern-ments need to provide necessary subsidies andsupport platforms to enhance the develop-ment of this critical industry, including a pro-cess to safely ease export/import barriers andlimitation.

The fourth element is the economics ofcybersecurity. How does one charge for secu-rity? How does one value a security breach orthe collective impact on an economy, espe-cially when data is unavailable and companiesare unwilling to share information? How doesa CEO decide the value of security withintheir corporation? The above questions are leftunanswered in many instances and hence cre-ate a market inefficiency where many techno-logies and products are either under orover-priced.

The combination of the above four willneed to be applied differently for each scena-rio. Each will present different set of challen-ges, requirements and consequences. As weproceed into this new era, individuals, busi-ness and governments must evolve their exi-stence in cyberspace to match the newcyber-era, understanding that the nature ofthe world is much more complex than previ-ously perceived. New approaches are neededto create uniquely tailored cybersecurity road-maps for each entity and scenario. In doing so,appropriate methods needs to be observed andapplied to continually help shape the much-needed rules of the road for our new era.

The “Cyber-Jungle”CREDIT: Chris Lott

ByVartan Sarkissian

Vartan SarkissianCEO KnightsbridgeCybersystems

Astechnology

keeps outpacinggrowth in policy

and law-enforcement, cyber

incidents and theneed for

cybersecuritycontinue to capturemany industries by

surprise

May-June 201110Special Edition

NEW EUROPE

If there is a fundamental paradox of cyberse-curity policymaking, it is that the institutionsthat make the policies aren’t the ones prima-rily responsible for carrying them out. With so much of the obligation for safeguar-ding the world’s critical infrastructure restingin the hands of the private sector, the chal-lenge for policymakers and industry leadersis to continually identify and improve mech-anisms for engagement, collaboration andpublic-private partnership.

In the United States, it is estimated that85 percent of the nation’s critical infrastruc-ture is either owned or managed by private-sector organizations. While that percentagesurely differs from country-to-country andcontinent-to-continent, the reality is thateverywhere in the world, private sector ac-tors have an enormous responsibility foroperating and safeguarding critical Internetinfrastructure.

From ISPs and router manufacturers toinfrastructure and DNS providers, industryand private organizations control and operateinnumerable critical – and potentially vulne-rable – components of the global network ar-chitecture. All of these providers representpotential attack vectors for cyber criminalsand terrorists, and as we all know in a net-worked and interconnected world, it onlytakes one weak point to compromise thewhole system.

Making matters even more complex is theborderless nature of Internet communicationand Internet crime. Just as nation states arecompelled to work collaboratively to addresscyber threats that have no respect for national

boundaries, Internet infrastructure providerscannot afford the luxury of simply focusingexclusively on their own defined service areas,because they know from experience that th-reats can come from anywhere.

It is difficult enough to develop andmaintain effective mechanisms for multilate-ral national cooperation, and similar mecha-nisms for cross border industry collaboration,but the challenge doesn’t stop there. Not onlyto private sector operators have to communi-cate with other private sector operators andgovernments have to communicate with go-vernments, but both groups must seek effec-tive ways to communicate with one another.

And this isn’t just a question of baselineinformation sharing, or top-down command-and-control by governments. While govern-ments tend to be fairly effective atimplementing and enforcing policy, manyhave struggled to incorporate private sectorinput into the policy process from the outset.Ineffective or incomplete communicationearly on in the policymaking process can leadto ineffective – or worse – counterproductivecybersecurity policy.

The relationship between governmentand industry, much like the multilateral rela-tionships between governments themselves,needs to be a two-way street, in order to allowgovernment to tap into the enormous reposi-tory of data and experience possessed by theprivate sector technologists who stand on thefront lines of the global battle over cyberse-curity.

For a company like Verisign, one of thebenefits of operating a vital component of theInternet’s critical infrastructure is that we areable to observe, track and research attacks in

real time, as we witness them striking the net-work. Even as we work to mitigate the effectsof the daily – and sometimes hourly – probesand attacks on our network, we are collectingextremely valuable information about theirorigins, destructive capacity and potential we-aknesses. This is information policymakersneed to possess in order to develop a full pic-ture of the cybersecurity landscape.

The good news is that both governmentsand the private sector infrastructure operatorshave done much of the hard work of develo-ping effective forums for collaboration – atleast on an industry-to-industry and govern-ment-to-government basis.

Speaking for industry, one of the mostimpressive examples of the private sector’s ca-pacity to collaborate came in response to oneof the most serious and pervasive threats theInternet has ever faced: the widespread andinsidious Conficker worm. In anticipation ofthe potential havoc expected to be wreakedby the Cornficker B variant, an industry-ledeffort called the Cornficker Working Groupcame together to address the problem.

Pooling the resources and expertise ofsome of the world’s leading software, Inter-net and cybersecurity companies, the Confic-ker Working Group, represented anunprecedented unified response to what hadthe potential to be a globally destructive eventfor the Internet. Together the group helpedto prevent Conficker B from delivering mostof its destructive payload, protecting them-selves, governments and most importantly,Internet users, in the process.

We have also witnessed an emergence inrecent years of effective forums for multi-stakeholder engagement on cybersecurity

and other issues of critical importance tothe Internet. The Internet GovernanceForum (IGF), which is entering the secondhalf of its first decade in existence, has pro-vided a unique and effective place for go-vernments, industry and civil society tocollaborate, share information and discusspolicy best practices. And although not di-rectly focused on cybersecurity, the multi-stakeholder Internet Corporation forAssigned Names and Numbers (ICANN)has also proven an effective forum for go-vernments, industry and technologists tocome together on key cybersecurity issues –such as the deployment of DNSSEC.

In the United States, one forum thatcould be readily replicated around the worldhas been the President’s National SecurityTelecommunications Advisory Committee.Comprised of senior leaders from the nation’slargest telecommunications and infrastructurecompanies, NSTAC is charged with advisingthe President on how best to safeguard thenation’s critical infrastructure.

Programs like NSTAC help to ensurethat governments are able to take advantageof the very latest information and advance-ments developed by the technologists on thefront lines of the global battle to protect cri-tical Internet infrastructure. And just as com-panies work together to resolve threats, somesavvy governments are adopting each others’best practices to ensure that they are doingeverything they can to enhance cybersecurity.

Around the world governments and pri-vate sector leaders have come up with a rangeof creative solutions to resolve the cybersecu-rity paradox. Now it simply falls to us to putthose solutions in place.

Solving the Cybersecurity Paradox: Toward Effective Public Private Engagement

Ramses MartinezDirector of InformationSecurity for VeriSign Inc

CREDIT: EPA/PETER DASILVA

By Ramses Martinez

Cyber Security

Whilegovernments

tend to be fairlyeffective at

implementing andenforcing policy, many

have struggled toincorporate private

sector input into thepolicy process from

the outset

Cyber Security May - June 2011 11Special EditionNEW EUROPE

Until recently, the issue of cyber security haslargely been the domain of computer geeksand specialists. When the internet was cre-ated forty years ago, this small communitywas like a virtual village of people who kneweach other, and they designed a system withlittle attention to security. Now that is ch-anging. President Obama has declaredcyber security a top priority. When BritishPrime Minister David Cameron spoke atthe annual Munich Security Conference inFebruary, he stressed the importance ofcyber security, and it was a major issue at theApril meeting of the Trilateral Commissionin Washington. The EastWest Institute isholding it second major cyber conference inLondon in June.

The commercial Web is only two de-cades old, and as British Foreign SecretaryWilliam Hague reminded the Munichconference, it has exploded from 16 mil-lion users in 1995 to 1.7 billion userstoday. This burgeoning interdependencehas created great opportunities and greatvulnerabilities. Security experts wrestlingwith cyber issues are at about the samestage in understanding the implications ofthis new technology as nuclear expertswere in the early years after the first nu-clear explosions.

The cyber domain is a volatile man-made environment. As an advisory panelof defense scientists explained, “peoplebuilt all the pieces,” but “the cyber-uni-verse is complex well beyond anyone’s un-derstanding and exhibits behavior that no

one predicted, and sometimes can’t evenbe explained well.” Unlike atoms, humanadversaries are purposeful and intelligent.Mountains and oceans are hard to move,but portions of cyberspace can be turnedon and off at the click of a mouse. It is ch-eaper and quicker to move electrons acrossthe globe than to move large ships longdistances through the friction of salt water.The costs of developing multiple carriertask forces and submarine fleets createenormous barriers to entry and make itpossible to speak of American naval do-minance. In contrast, the barriers to entryin the cyber domain are so low that non-state actors and small states can play si-gnificant roles at low levels of cost.

In my book, The Future of Power, Idescribe diffusion of power away from go-vernments as one of the great power shiftsin this century. Cyberspace is a perfectexample of a broader trend. The largestpowers are unlikely to be able to dominate

this domain as much as they have otherslike sea, air or space. While they have gre-ater resources, they also have greater vul-nerabilities, and at this stage in thedevelopment of the technology, offensedominates defense in cyberspace. TheUnited States, Russia, Britain, France, andChina have greater capacity than otherstate and non-state actors, but it makeslittle sense to speak of dominance in cyberspace. If anything, dependence on complexcyber systems for support of military andeconomic activities creates new vulnerabi-lities in large states that can be exploitedby non state actors.

There is much loose talk about “cyberwar” but if we restrict the term to cyberactions that have effects outside cyber-space that amplify or are equivalent to ph-ysical violence, we are only just beginningto see glimpses of cyber war – for in-stance in the denial of service attacks thataccompanied the conventional war in Ge-

orgia in 2008, or the recent sabotage ofIranian centrifuges by the Stuxnet worm.

If one treats most hacktivism as mostlya nuisance, there are four major categoriesof cyber threats to national security, eachwith a different time horizon and withdifferent (in principle) solutions: cyberwar and economic espionage are thus farlargely associated with states, and cybercrime and cyber terrorism are mostly as-sociated with non-state actors. For theUnited States, at the present time, the hi-ghest costs come from the espionage andcrime, but over the next decade or so, warand terrorism may become greater threats.Moreover, as alliances and tactics evolveamong different actors, the categories mayincreasingly overlap. As described by for-mer Director of National IntelligenceMike McConnell: “Sooner or later, terrorgroups will achieve cyber-sophistication.It’s like nuclear proliferation, only far ea-sier.” At this stage, however, according toPresident Obama’s 2009 cyber review,theft of intellectual property by other sta-tes (and corporations) is the highest im-mediate cost. Not only does it result incurrent economic losses, but by destroyingcompetitive advantage, it jeopardizes fu-ture hard power.

Security experts are far from certainwhat terms like “offense, defense, deter-rence, or the laws of war” mean in thecyber realm. We are only at the early sta-ges of developing a strategy. And publicunderstanding lags even further behind.That is why we need more public discus-sion of cyber security.

Cyber Security and National Security

By Joseph S. Nye, Jr.

Joseph S. Nye Professor at Harvardand author of The Fu-ture of Power . Anearlier version of thearticle appeared in TheInternational HeraldTribune.

There is much loose talk about“cyber war” but if we restrict theterm to cyber actions that haveeffects outside cyberspace thatamplify or are equivalent to physicalviolence, we are only just beginningto see glimpses of cyber war

May-June 201112Special Edition

NEW EUROPECyber Security

Unlike the physical world that is limited bygeographical boundaries of space, cyber-space continues to expand since its size isproportional to the activities that are car-ried through it. Broadband deployment isleading to increased Internet penetration;more and more innovative applications aregetting launched, and delivered via multiplenew devices, over wireless networks. Cy-berspace continues to be plagued with everincreasing vulnerabilities in various plat-forms that are connected to the Internet;these are exploited by criminals who carryout identity theft and financial frauds, stealcorporate information and intellectualproperty, conduct espionage to steal mili-tary secrets and recruit criminals and fun-damentalists to carry out terrorist activities.Attacks on critical infrastructures are alsoexpanding.

Challenges in cyberspace continue to bethe same, namely proving attribution is dif-ficult; collecting irrefutable evidence andseeking the cooperation of law enforcementagencies across the nation states to bringcriminals to justice is difficult. It is diffi-cult to link nation-states with non-statesactors who may be used by the former tolaunch espionage and other forms of attackagainst countries. Launching cyber attackswas easy, and it continues to get even easierwith proliferation of attack tools that canbe accessed easily over the Internet, andpropagated faster using the same broad-band that nations are building for global e-commerce.

No wonder that countries are coming up

with policies for securing their cyberspace,even though it is known to them that in-ternational cooperation is essential for se-curing their own cyberspace. Nationscontinue to develop cyber attack capabili-ties with a view to dominating cyberspace,even though it is known that unilateraldominance of cyberspace is not achievableby any country. It is here that the role ofEast West Institute assumes great impor-tance. The first worldwide Cyber SecuritySummit of East West Institute put thefocus on international cooperation and theSummit tried to identify major areas whereinternational cooperation is possible. Thesecond Summit in London will continuethe process and will involve even greaternumber of security professionals, policymakers, diplomats and others from a muchlarger number of countries.

Like the cyberspace policy in the US, theUK and other countries, government ofIndia announced its draft cyber securitypolicy in April, 2011. DSCI drew the at-tention of the government to the fact thatthe infrastructures are owned and operatedby the private sector, and that the cyber-space passes through various legal jurisdic-tions all over the world. It has proposedthat the government should engage the pri-vate sector for cyber security through ef-fective public-private partnership modelswith clearl roles for government and in-dustry. Government should also create ap-propriate incentives to generate collectiveaction. It should promote the implementa-tion of reasonable security practices, inci-dent management, information sharingmechanisms, and continuously educate

both corporate and home users about cybersecurity. It is a tall order which calls forhigh level of cooperation between the pub-lic and private sectors.

DSCI is an industry initiative that is fo-cused on promoting data protection; it isdeveloping best practices for security andpromoting their implementation by the in-dustry. DSCI believes that a sound dataprotection regime and industry’s adherenceto the best security practices is incompletewithout a robust technological and admin-istrative capacity in place. This requiresbuilding capacity of Law EnforcementAgencies, prosecutors and judiciary in un-derstanding cyber forensics. With this inview, DSCI has established several Cyberlabs across India to train police officers,prosecutors and judicial officers in cyberforensics and has, over the years, trainedmore than 7500 police personnel in cybercrime investigations.

To standardize the operating proceduresfor cyber crime investigation, DSCI hasprepared a Cyber Crime InvestigationManual, which is based on its experience ofoperating the Cyber Labs and workingwith the police in handling many of thecyber crimes over the last few years. ThisManual is distributed to all the Police Sta-tions across the country, to help officerscollect the cyber forensics data and prose-cute cybercriminals under the appropriateSections of the IT (Amendment) Act,2008, IPC etc.

Cyber Security in India is a part of thelarger global issue since the cyberspace hasno boundaries. But, DSCI is aware thatdata security is but a part of cyber security.

It, therefore, contributes to government ef-forts in training officials at various levels incyber security technologies; it provides in-puts to the government on evolving an ap-propriate cyber security policy in thecountry. DSCI also works with interna-tional bodies on data protection and globalthink-tanks like East West Institute to de-velop rules of the road in cyber conflicts,collaboration of law-enforcement agenciesacross borders to track cyber criminals.

DSCI takes a proactive role for “policyenablement” that affects ICT – Strong En-gagement & Enactment through the Gov-ernment. DSCI is a member of committeesand groups formed by Government ofIndia, and other regulatory bodies and as-sociations in India and abroad. It is regu-larly invited to review, comment on, andmake recommendations for building regu-lations that promote global data flows.DSCI conducts outreach programs to edu-cate the industry and create awareness ondevelopments and challenges in data pro-tection, and provides a platform to the in-dustry for voicing their concerns andsuggestions. It conducts industry-wide sur-veys and publishes reports, organizes dataprotection awareness seminars, workshops,projects, interactions and other necessaryinitiatives for outreach and public advocacy.DSCI believes that international coopera-tion in fighting spam; building data shar-ing mechanisms, especially on incidents;cooperation among LEAs to collect cyberforensics data to help identify criminals areas important as making organizations se-cure through the development and imple-mentation of best practices.

Partnerships within countries and across the world – key to securing cyberspace

ByKamlesh Bajaj

Launchingcyber attacks

was easy, and itcontinues to get even

easier withproliferation of

attack tools that canbe accessed easilyover the Internet

EPA/ULRICH PERREY

Kamlesh BajajCEO, Data SecurityCouncil of India

Cyber Security May - June 2011 13Special EditionNEW EUROPE

New Ideas for a New Problem: Papers on Cybersecurity

How can we fight online child pornographyworldwide? How do computer emergency re-sponse teams combat cross-border cyber threats?Is there a global cyber arms race going on rightnow? These are just some of the questions posedby the 28 papers that will be presented in theEastWest Institute’s Call for Papers and PosterSession at the Second Worldwide CybersecuritySummit, in London on June 1-2, 2011.

In partnership with its technical co-sponsor, theIEEE, EWI issued the call for papers to intro-duce innovative, practical ideas related to interna-tional cybersecurity policy In line with EWI’s“think and do” approach, the process seeks to fos-ter problem solving and solution recommenda-tions for difficult international and consequentialpolicy gaps in cyberspace, such as the internation-ally-focused Agreements, Standards, Policies andRegulations (ASPR) gaps. Following IEEE’s rig-orous review process and publication standards,EWI formed an ASPR Program Committee ofinternational experts and stakeholders to peer-re-view and edit the papers. Together, the paperslook for ways to overcome mistrust and build theconfidence needed for global collaboration on cy-bersecurity.

Industry, government and academic expertsfrom nine countries, including the United King-dom, Malaysia, Pakistan, Italy, and China, con-tributed papers to EWI’s summit. Theparticipating authors cover the following topics:q Worldwide governance, frameworks and

protocols for day-to-day behavior in cyberspace,policing cyberspace and the conduct of cyber con-flict.qWorldwide reliability and resilience of the

digital supply chain, infrastructure and emergingcapabilities (e.g., the mobile ecosystem).qWorldwide response to cyber crisis (e.g., in-

ternational priority communications, and trustedinformation sharing).qWorldwide cybersecurity awareness and ed-

ucation (e.g., protecting youth, regulating spam

and creating the private public partnerships needto secure the global economy).

Here is a taste of some key papers that will becovered at the Summit:

In “New Approaches to Dealing with OnlineChild Pornography,” John Carr from the Chil-dren’s Charities’ Coalition on Internet Safety inthe United Kingdom outlines how the growth ofthe internet has allowed for the large increase inchild abuse images and, indirectly, organizedcrime.

Because child pornography is relatively easy toaccess, Carr writes, criminals are more apt to thinkof the Internet as a lawless place, where it’s easy toevade punishment. Carr concludes that it is nothelpful to insist on judicial review before any ac-tion against the images is taken. Instead, a systemof “notice and take down” that employs blockingpending deletion would remove child pornogra-phy more efficiently. By deploying a blocking anddeleting system in more countries, Carr believeswe can effectively address the prevalence of childabuse images.

Kevin Newmeyer from the Center for Hemi-spheric Defense Studies in the United States pro-poses a model for international internetgovernance modeled on the Financial ActionTask Force (FATF), an intergovernmental policygroup that has been successful in counteringmoney laundering. As a global collaboration be-tween economic leaders, FATF establishes globalstandards and employs a mutual evaluationprocess to combat terrorist financing and moneylaundering. Newmeyer suggests that a FATF-style cybersecurity body can be created to employworldwide internet governance based on FATF’sbest practices, regional sub-groups, and threat ofblacklisting. Because of the similarities betweenthe financial network and cyberspace, such amodel would work to combine private and pub-lic sector efforts in fighting abuse. Ultimatelythough, as Newmeyer notes, the key to the successof this body will be the commitment and politi-cal will of the body’s member states.

“The Organisation of Islamic Conference-

Computer Emergency Response Team (OIC-CERT),” presented by Rahayu A. Ahmad andMohd Shamir Hashim of CyberSecurity Malay-isa, illustrates how international cooperation canaddress vulnerabilities in the Information andCommunication (ICT) systems and network in-frastructures, and combat cyber threats. Interna-tional collaboration is essential, as cyber threatsand crimes are not confined to countries’ physicalboundaries. With members from eighteen coun-tries, the OIC-CERT counters cross-bordercyber threats and shares intelligence, research, andbest practices to help protect critical informationinfrastructures in member countries. As Ahmadand Hashim note, the body works to strengthenand improve these countries’ information security,drawing foreign investment to their homes andprotecting their systems from cost-inducing se-curity breaches.

Stefano Zanero and Federico Maggi of Po-litecnico di Milano in Italy acknowledge thegrowing vulnerabilities of the Internet in “Is theFuture Web more Insecure? Distractions and So-lutions of New-old Security issues and Measures.”The rise of cloud computing and replacement ofold physical disks with space quotas have intro-duced new vulnerabilities, according to the au-thors. As described by Zanero and Maggi, cloudsare the modern form of mainframes available ona pay-per-use basis and equipped with virtualstorage disks. In their paper, the authors focus onone of cloud computing’s key components, webservices, and claim that current countermeasuresto cyber threats are inefficient in protecting webservices. By the means of a simple running exam-ple, they show that ordinary anomaly-basedchecks have difficulty in detecting attacks againstinjection vulnerabilities. The paper proposes sev-eral simple modifications to current countermea-sures that would allow them to fight off newattacks. As more and more businesses employcloud computing, Zanero and Maggi write, theseinsufficiencies in security measures must be ad-dressed The new, growing challenges in cyberse-curity have also led to new perspectives on cyber

conflict. Through comparative analyses of states’policy developments and case studies of actualcyber conflict events, Eli Jellenc of VeriSign in theU.K. classifies the reality of cyber conflict as a “veryactive and rapidly escalating cyber arms race.” In“Current Realities of Cyber Conflict: The OpenSecret of the Global Cyber Arms Race,” Jellencwrites that because of the arms race dynamic, noorganization or country is currently capable ofmitigating the uncertainties of cyber conflict. AsJellenc concludes, the uncertainties will only con-tinue to increase with the growing complexity ofthe global information grid, creating unprece-dented implications for the development of thestrategy and conduct of cyber conflict.

Covering the legal aspect of cybersecurity, Yux-iao Li and Jinghong Xu investigate the “Legisla-tion Concerning the Protection of the Right toOnline Privacy in China: A Comparative Studywith EU.” In a comparative study with the Euro-pean Union, the authors examine existing laws reg-ulating the protection of online privacy inmainland China. The authors write that, in mod-ern China, the right to online privacy is a new con-cept, adding that in ancient China, the right toprivacy was limited the ruling class. To protect in-ternet users rights more broadly, the authors sug-gest that mainland China infer laws andregulations from the EU legal system. Using theEU legal system as a model, the authors outlinepossible improvements for Chinese laws and reg-ulations, such as strengthening constitutional pro-tection for online users and a more detailed andunified protection of theright to privacy under thecivil law system. EWI’s Call for Papers and PosterSession seeks to provide a lively exchange of tech-nical and policy knowledge to foster new ideas incybersecurity. This opportunity presents perspec-tives and recommendations that foster concrete in-ternational cooperation on ASPR. After beingpresented to attendees at EWI’s Second World-wide Cybersecurity Summit, the papers will bepublished in IEEE XPlore Digital Library and EIIndex. To learn about these papers and more, keepyour eyes on EWI’s website, www.ewi.info.

By Alison Kung

Alison KungEastWest Institute

Together,the papers

look for ways toovercome mistrust

and build theconfidence needed

for globalcollaboration on

cybersecurity

ADVERTISEMENT

Cyber Security May - June 2011 15Special EditionNEW EUROPE

At the summit, EWI brought togethermore than 400 technical experts, policyelites and national security officials fromthe Cyber40, including the United States,China, India, Russia and Estonia. Parti-cipants worked to identify problems andsolutions for seven crucial sectors of theInternet: information and communica-tions technology; financial services; es-sential government services; energy;transportation; and national security.

In Dallas, we learned that by bringingtogether a broad spectrum of experts, cle-arly framing the issues and guiding the di-scussion toward realisticrecommendations, we can foster interna-tional cooperation. But we also realizedthat it will be difficult to develop globalagreements, standards, policies and regu-lations (ASPR) due to a lack of trust.

In some ways, the Dallas summit re-vealed the current limitations of cyber le-gislation. We left with the clearimpression it could take years to arrive ata global treaty on cybersecurity, sincemany states are not ready for it – and pe-rhaps never will be. As a result, we beganto consider voluntary agreements in theprivate sector and international standardsas avenues to change. We decided that thebest approach is to target concrete, speci-fic problems while “speaking to the big is-sues.” he feasibility of the solution from abusiness and policy perspective. gestedworldwide communications network. Butduring the large-scale crises, priority in-formation doesn’t always make it thro-ugh… and crises are just when it mattersmost. purchase. Which retailer? The bankwouldn’t tell him. Why not? Because if a

popular retailer were linked with a secu-rity breach, they could lose customers, justas if a Wall Street trading company admitsit’s been hacked, the negative affect on itsreputation could be devastating to thetrust needed in its operations. For Karl,this story represents a lost opportunity: ifthis information were reported, we coulduse it to better understand the real pro-blems individuals, financial institutions,government agencies and retail stores arehaving right now. Since we lack even anapproximate sense of how many breachesoccur, there is insufficient motivation toprovoke effective measures to correct theproblems. smaller start-ups alike wouldbe burdened by overly-rigid internationalregulations. So we are working to promoteinternational standards – a measurablescale like a thermometer – that govern-

ments and businesses can use to assess theintegrity of products and services.

Worldwide Cyber Emergency Response Coordination CapabilityIf the cyber equivalent of Pearl Har-

bor strikes, there is a response in place…up to a point. While many countries andcompanies have Computer EmergencyResponse or Readiness Teams (CERTs)capable of dealing with worms and viruslike Stuxnet, there is still a big gap in ourability to respond to a major cyber emer-gency. For one, most African and Eurasiancountries are excluded from this networkof teams. For another, the person-to-person network is still too inefficient torespond swiftly and decisively to a majorcyber emergency.

Our Cybersecurity AgendaThe First Worldwide Cybersecurity Summit was held May 3-5, 2010 in Dallas, Texas

ADVERTISEMENT

The joint China-United States report Fighting Spam to Build Trust will be presented during the London Summit. It is thefirst product of talks between Chinese and United States experts convened by EWI. Fighting Spam to Build Trust will present voluntary best practices for reducing spam which accounts for about 90 per centof email traffic. The recommendations will include: processes for creating international protocols aimed to differentiate le-gitimate messages from spam; a call for educating consumers about the risk of botnets; and measures for discouraging spam,such as encouraging ISPs in both countries to use feedback loops.

Cyber Security May - June 2011 17Special EditionNEW EUROPE

Junk email is really yesterday’s problem. Todaythere is a bigger problem facing the Internet,affecting the growth of online economies, andtaxing ISPs (Internet Service Providers) acrossthe globe as they strive to provide reliable andhassle-free service to their subscribers ¬¬– andthat problem is botnets and the individual bots,or malware code, that make them up. Thesenetworks of infected computers are no longerthe domain of amateur hackers seeking gloryand kudos from their peers, but are run as ex-tremely serious, profit-or-loss businesses basedon models that mirror legitimate institutions.

By compromising large numbers of in-dividual machines, these powerful and abh-orrent networks, each controlled by a centralbotmaster, are able to wreck incredible da-mage on the Internet. Individual subscri-bers with inflected machines can have theircredentials stolen. Botnets are often used toattack websites and extort a site’s owner bylaunching Distributed Denial of Service(DDOS) attacks. They send massive amo-unts of spam, which often carry malware toinfect new machines and assault more un-suspecting end-users. Botnets undermineconfidence in the Internet and damage itsviability as a platform for international com-merce. The bot issue is not an intractableone, but like spam, the solution will come inmanaging, not curing, it. This is based on re-cent industry experience. The MessagingAnti-Abuse Working Group (MAAWG)was formed in 2004 to combat the problemof messaging exploitation in the form ofspam, which was threatening to overwhelm

the email systems in existence at the time.Since then, and due to its members workingclosely together, there has been massive pro-gress in reducing the amount of abusiveemails that get through to the end user, andmany best practices for suppressing messa-ging abuse have been developed.

Of course, spam is still a real blight onthe Internet, constituting at least 80% of allemail that is sent. Stopping this deluge fromreaching end users costs ISPs a fortune insoftware, hardware and staff resources. Ho-wever, as a result of these efforts, the amountof spam most end users with a reputable ISPnow see in their mailbox is miniscule.

This has been achieved by ISPs workingtogether and implementing best practicesthat have been developed over time atMAAWG. One of the most important ofthese is on the management of port 25. Thiswork has been referenced by many ISPs tojustify the control of this port, which in turnhas led to a significant downturn in theamount of spam sent from subscribers’ com-puters.

The ISPs in the organization are nowworking together to take on bots. A com-

mon problem around the globe, estimatedrates of bot infection vary from 10-15% inlarge broadband networks of more develo-ped countries to much higher infection ratesin emerging economies where security is lessof a focus for both subscribers and the ISPsthemselves.

MAAWG has now grown to more than300 members, including large and smallISPs, large reputable commercial senders ofemail and vendors of messaging hardwareand software. Its international membershipspans Europe, India, Japan, South Americaand the United States. A few years ago, theinitial ISP work in MAAWG against botstook shape as published best practices gui-ding network operators on basic methodo-logies to deal with bots, how to best notifytheir end users about possible infections, andhow to instruct subscribers on techniques toremediate the problem.

The approach in the organization today,however, is starting to shift toward gatheringaccurate information about the nature of theproblem. At the moment, very few networkoperators are actually measuring the scale ofbotnet infections, although this is changing

as more ISPs realize the inherent businessthreat. Much of the so-called “accurate in-formation” available today has been genera-ted by academics or companies thatgenerally do not run networks and, as such,are challenged in gaining access to enoughdata to generate statistically valid models ofthe problem.

However, information gathering is notthe only issue. There are few common defi-nitions in use, terms mean different thingsto different industry segments, there is noteven a commonly agreed upon definition ofwhat a bot actually is or how long on ave-rage they exist. Until these and other metricsare clarified, it will be hard to produce accu-rate and actionable statistics to measure theproblem and, thus, to determine when pro-gress is being made.

Defining these metrics in acceptable in-dustry terminology is a task being addressedby a group within MAAWG. Once accom-plished, this effort will be of great value toboth ISPs and to the ISP ecosystem, inclu-ding the regulatory bodies and legislatorsthat are so exercised by the problem.

It is unlikely that a magic wand can bewaved to make bots go away; they are justthe tools that a cyber criminal uses in placeof the jemmy or gun brandished by a “reallife” thug. Best practices devised by pragma-tic experts are key to managing bots, and thisis where the experts at MAAWG excel.MAAWG has proven effective in doing thisto deal with spam. There is no reason todoubt this same collaborative group also willbe key to finding the most effective appro-aches to managing the bot problem.

Why bother with best practices? Or why global collaborationis faster (and more effective) than a speeding bullet

By Michael O’Reirdan

Michael O’Reirdan

Chairman of the Messaging Anti-AbuseWorking Group andDistinguished Engineerat Comcast Corp

Of course, spam is still a real blighton the Internet, constituting at least80% of all email that is sent

May-June 201118Special Edition

NEW EUROPECyber Security

The attackers came out of the blue. Andtheir coup resulted in the largest datatheft in the history of computer technol-ogy. In April, hackers used the internet toenter Sony’s data processing center, stoleone hundred million customer data andescaped unidentified. Their loot were names, addresses andbank details. Daily assaults and attackson government and commercial networkshave turned into cyberspace routine. TheSony hackers may not have had politicalmotives. However, the case exemplifiesthat concerns that were ridiculed as merescience fiction a few years ago havequickly turned into a new challenge forinternational legal affairs and securitypolicy.

The cyberwar era has begun and, overthe past few years, cyberspace has becomean increasingly important arena for fight-ing out political, military and economicconflicts.

Almost anything can happen in globalcyberspace. Just like in asymmetric war-fare scenarios, there are no borders, noclearly defined theater of operations andno combatants in the virtual combat zone.It is no longer possible to identify the at-tacker, or differentiate between crime, ter-rorism, covert warfare and espionage.Cyberspace is as ample as the threat sce-narios and speculations around it; what’smore, any digital incident is referred to ascyber war rather thoughtlessly.

In the first place, not everything la-belled as ‘war’ is actually war. It is danger-ous to have nothing but a vague notion ofa possible cyber attack and immediatelyclaim there is a ‘war’ going on.

Thus, verbal disarmament is essential.We need to introduce a stricter differenti-ation of terms and categorize the differ-ent types of conflict in cyberspace anddefine them precisely according to theharm they cause. A successful internet at-tack, no matter how serious, does not nec-essarily constitute a massive cyber attack.Based on this approach, it is possible toassess existing dangers and their effects,

delegate responsibilities, implement pre-ventive and reactive countermeasures andinitiate necessary criminal investigations.In practice, this means that the police andlegal authorities are the first institutionsto be concerned with ‘data thieves’; thenext resort is to raise the army’s mobiliza-tion level in order to prepare for a cybercounterattack.

It is undisputed that a serious cyber at-tack can inflict enormous damage upon anation’s security and infrastructure. Butare these digital weapons really capable ofallowing a country to dominate an adver-sary ? This will not happen any time soon.Virtual capabilities will not really replaceconventional military operations. Mostcyber attacks will be criminal acts, or willbe intended for espionage purposes or willserve to send a ‘virtual warning’ to irksomestates. Estonia and Georgia which are as-sumed to have suffered cyber attacks in2007 and 2008 are typical examples ofthis assessment.

While the opinions on the probabilityand intensity of a digital war vary, it isnecessary to adopt measures to preventcyberspace conflicts. Close cooperationwith other nations and organizations will

be an integral part of a preventive inter-national cybersecurity strategy. To provideglobal digital security in the 21st century,the following aspects have to be consid-ered:

1. These threats do not fit the nationalsecurity logic well because conventionalresponse capabilities reach their limits inthis area. The main problem is the lack ofclarity concerning the attackers and theirmotives in the case of any cyber incident.There is a potential danger that counteror retaliation measures be directed againstthe wrong target. For more clarity, it isnecessary to carefully investigate the inci-dent. This means that it is almost alwaysthe law enforcement community thatshould act first within a framework ofcyber forensics yet to be enhanced – andnot the defense community.

2. The potential cyber vulnerability ofmodern societies is a global challenge re-quiring transnational solutions. The firststep towards a new era of internationalcooperation is the creation of legal and in-stitutional instruments for an interna-tional dialog on norms of behavior andconfidence-building measures. Cyberse-curity may be enhanced by harmonizing

the law and the exchange of informationto facilitate the prosecution of perpetra-tors of cybercrime, by developing interna-tional information security standards andcommon law enforcement standards. Inaddition, creating and expanding multi-lateral conventions on the application ofthe Geneva and Hague conventions oncyberspace issues, as suggested by theEast-West Institute, could be another im-portant step.

3. Only close coordination and interna-tional cooperation between countries, so-cieties and the global economy willprovide an acceptable cybersecurity stan-dard. In order to maintain a cybersecuritynetwork and operate effectively on the in-ternational level, there has to be close co-operation and a clear distribution ofresponsibilities on the national and inter-national level. Suitable instruments to thisend could be to enhance the role of na-tional authorities such as the Cyber Czarof the US National Security Council or toestablish internationally cooperating bod-ies that could be associated with the In-ternational Telecommunication Unit(ITU), for instance.

It is paramount to understand that theinternet is the global lifeline of the 21stcentury and a key infrastructure whosestability and security must be ensured.High cybersecurity standards for govern-mental, social, economic and critical in-frastructures have to be met nationally aswell as internationally in order to preventcyberwar threats by means of a new secu-rity culture built on trust and cooperation.It is vitally important that the secondglobal cyber summit of the East-West In-stitute in London will focus on thesequestions.

Towards a new digital security culture

By Wolfgang Ischinger and Oliver Rolofs

Wolfgang Ischinger Chairman of the Mu-nich Security Conferenceand political adviser toAllianz SE

Oliver Rolofs Press Spokesperson of theMunich Security Con-ference and an Associateof a cybersecurity projectat stiftung neue verant-wortung, a Berlin-based think tank.

While the opinions on the probabilityand intensity of a digital war vary, it isnecessary to adopt measures to preventcyberspace conflicts

[12:24:15 PM] quarsan: CREDIT: EPA/ANDY RAIN

Cyber Security May - June 2011 19Special EditionNEW EUROPE

Cyber terrorism refers to the phenomenon ofmisusing computers, computer systems, compu-ter networks, computer resources and commu-nication devices for the purposes of committingterrorist activities or for doing activities targetedat computers, computer systems, computer net-works, computer resources and communicationdevices for the purposes of striking terror andfear in the hearts of the group of people, com-munities, societies and nations.

The emergence of cyber terrorism as a phe-nomenon has demonstrated the urgent need foreffectively regulating the same through legislativemeans.

India saw the 26/11 Mumbai attacks as thefirst real indicator event demonstrating thatcyber terrorism has come at the very doorstep ofIndia.

The 26/11 Mumbai attacks propelled theGovernment of India into action. Consequently,within one month of the 26/11 Mumbai attacksin 2008, the Parliament of India had approvedthe Information Technology (Amendment) Act,2008.

One of the crowning glories of the Infor-mation Technology (Amendment) Act, 2008,which came into effect from October 27, 2009,was regarding declaring cyber terrorism as a hei-nous cyber crime.

The new amendments have brought in anew provision being Section 66F in the Infor-mation Technology Act,2000 which is dedicatedto giving a legal definition to the offence of cyberterrorism.

Cyber terrorism has been defined in the wi-dest possible terms under the Indian Cyberlaw.

There are two broad categorization of activities,which qualify within the offence of cyber terro-rism.

These two broad categorization of activitiesare as follows:

(A) any activity done with intent to thre-aten the unity, integrity, security or sovereigntyof India or to strike terror in the people or anysection of the people by—

(i) denying or cause the denial of access toany person authorized to access computer reso-urce; or

(ii) attempting to penetrate or access a com-puter resource without authorisation or excee-ding authorised access; or

(iii) introducing or causing to introduce anycomputer contaminant; and by means of suchconduct causes or is likely to cause death or in-juries to persons or damage to or destruction ofproperty or disrupts or knowing that it is likelyto cause damage or disruption of supplies or ser-

vices essential to the life of the community or ad-versely affect the critical information infrastruc-ture specified under section 70, or

(B) any activity of knowingly or intentionallypenetrating or accessing a computer resource wi-thout authorisation or exceeding authorised ac-cess, and by means of such conduct obtainingaccess to information, data or computer databasethat is restricted for reasons for the security ofthe State or foreign relations, or any restrictedinformation, data or computer database, with re-asons to believe that such information, data orcomputer database so obtained may be used tocause or likely to cause injury to the interests ofthe sovereignty and integrity of India, the secu-rity of the State, friendly relations with foreignStates, public order, decency or morality, or in re-lation to contempt of court, defamation or inci-tement to an offence, or to the advantage of anyforeign nation, group of individuals or otherwise.

If any of the two categories of activities takeplace using computers, computer systems, com-puter networks, computer resources and com-munication devices, then the same come withinthe offence of cyber terrorism.

Cyber terrorism has been declared as a hei-nous cyber crime punishable with imprisonmentwhich may extend to imprisonment for life.

From a perusal of the aforesaid definition ofcyber terrorism, it is clear that India has possiblyone of the widest possible known legal defini-tions of the offence of cyber terrorism.

While India needs to be lauded for decla-ring cyber terrorism as a heinous cyber crime, yetthere are huge challenges, in terms of investiga-tion and prosecutions of cyber terrorism cases.This is primarily so because given the fact thatInternet has made geography history, there are

huge challenges in terms of collation of appro-priate electronic evidence spread over networksaccessible in different jurisdictions and provingthe same, in accordance with law under the In-dian legal processes.

There is further a need for coming up withdetailed presumptions which would enable farmore expeditious trials in cyber terrorism rela-ted cases. Further, there needs to be appropriatesecondary legislation in the form of rules and re-gulations that need to be specifically prepared tostrengthen the hands of the Government andthe prosecution, while prosecuting cyber terrorcases.There is also need for coming up with di-stinct cyber terror courts who could deal withsuch cases pertaining to cyber terrorism.

In conclusion, it can definitely be stated thatIndia is at entering in a new era of growth andparadigm shifts. The recent hackings of CBIwebsite in first week of December, 2010 has de-monstrated in no uncertain terms that cyber warand cyber terrorism are sisters and can be initia-ted anywhere on the Internet, by any legal en-tity. India needs to have adequate preparationsin terms of appropriate backup strategies andplans on how to deal with the consequences ofcyber terrorist attacks. Further, lot of steps needto be taken proactively by the Indian nation so asto be fully geared to deal with any cyber terror re-lated issue.

At the end of the day, there is a need for in-culcating a culture of security amongst all rele-vant stakeholders so that people are far moreprepared in their awareness and thought proces-ses while they deal with security related issues onthe Internet. It will be interesting to see growthof jurisprudence around cyber terrorism as timepasses by.

Cyber Terrorism - Some legal perspectives

By Pavan Duggal

Pavan Duggal

Advicate, SupremeCourt of India President, CyberlawAsiaPresident, Cyberlaws.netHead, Pavan DuggalAssociates

The emergence of cyber terrorism

as a phenomenon hasdemonstrated theurgent need foreffectively regulatingthe same throughlegislative means

May-June 201120Special Edition

NEW EUROPE

Spies. When 11 Russian sleeper agents werediscovered living in the United States—andthen sent home in exchange for their coun-terparts—it was hard to resist the sexy espio-nage tale with echoes of the Cold War. Butwhile we’ve fixated on Anna Chapman andher cohorts, top diplomats were working on awonkier but more important advance in spy-craft. This month, experts from 15 countriesagreed to begin serious negotiations on esta-blishing international norms on cybersecurity.This story is far more significant in the longrun because, without basic agreements aboutcyberspace, cyberattacks, and even cyberwarscould become a daily danger.

Sure, spy stories are irresistible—particu-larly when a sexy redhead like Chapman isinvolved and there are plenty of racy photosto titillate readers. It’s also true that the pressmay have been too quick to write off the Rus-sian sleeper agents as a bunch of bunglerswho accomplished nothing. We don’t knowwhat support roles they may have had formore serious operations; human intelligencecan still trump electronic spying in many si-tuations, and spying will always be with us.

But, increasingly, international relationswill be shaped by new challenges that requirenew tactics—and new assumptions aboutwhere we can and should cooperate, evenwith former enemies. Look at the United Na-tions group of experts that overcame at leastsome of their mutual suspicions to take a firststep toward international cooperation on cy-bersecurity last week. After years of talks thatwent nowhere, they—United States, Russia,China, India, and several others—agreed to

begin discussing ways to exchange informa-tion about national cyberstrategies, streng-then protection of computer systems aroundthe world, including in less-developed coun-tries, and even set some ground rules on cy-berwarfare. Other nations in attendance maynot be G7 economies, but online they are po-werhouses: Israel, Brazil, South Korea, andEstonia.

The idea that Russian and Estonian ex-perts, in particular, could join forces to issuecybersecurity recommendations would havesounded absurd until recently. Just three yearsago, Estonia was the target of a massive cy-berattack, which now is held up as Exhibit Awhen it comes to cyberwarfare. The Esto-nians, and much of the rest of the world, wereconvinced that this was an attack orchestratedby the Kremlin in retaliation for Tallinn’s de-cision to remove a World War II memorialhonoring Red Army troops. Moscow andlocal Russians were furious about this “dese-cration,” and there were violent clashes in thestreets. Although the Russian authorities de-nied any involvement, the concerted cyberat-tacks on Estonia’s government andprivate-sector Web sites, designed to cripplethe country’s digital infrastructure, certainlylooked like angry and organized retaliation.

What’s changed? Those hard feelings ha-ven’t disappeared, but there’s a growing reali-zation that no country can protect itself fromcyberattacks on its own. One key problem isattribution—the inability to definitely pin-point the source of an assault. Terrorists, cri-minals, and political groups can now launchsophisticated salvos using “botnets”—armiesof computers around the world that they havecommandeered without the knowledge of the

people who own those machines. That makesit hard to prove—and easy to deny—any sta-te’s role in a specific cyberattack. And itmakes everyone and everything, includingcritical infrastructure such as transportationand electricity grids, vulnerable.

That’s why not just Estonia but also theUnited States is increasingly interested infinding a way to work with Russia and theother key players. It won’t be easy. For morethan a decade, Russia has pushed for abroad international cybersecurity treaty toestablish norms on these issues. As in thecase of China, Washington and manyhuman-rights organizations have opposedanything that looked like an excuse to limitpolitical freedoms on the Internet—and totrack dissidents. The latest compromise lan-guage suggests that the Obama administra-tion wants to find a formula to addresscommon security concerns while skirtingsuch disagreements. Some experts arguethat countries, like individuals, could joinprotected Internet networks, where all com-munications are sourced. That would go along way toward instituting a system of de-terrence, since cyberaggressors inside thesenetworks would be instantly identifiable.There could still be a larger, more WildWest-style Internet, but anyone operatingthere would be doing so at their own risk.

It’s hard enough for each country to comeup with its own coherent national cyberstra-tegy. President Obama has called this a highpriority, but The Washington Post’s “Top Se-cret America” series last week vividly demon-strated how unwieldy the U.S.national-security apparatus has become, espe-cially since the terrorist attacks on Septem-

ber 11, 2001. According to the report, some1,271 government organizations and 1,931private companies are involved in counterter-rorism and other national-security programs;an estimated 854,000 people hold “Top Se-cret” security clearances. That whole world isdependent, of course, on the most modern,complex computer communications. Yet topintelligence officials openly admit that theyhaven’t been able to produce a coherent set ofpolicies, including a way to organize respon-ses to cyberwarfare. “Frankly, it hasn’t beenbrought together in a unified approach,” CIADirector Leon Panetta declared in the Wa-shington Post series.

Take that problem and add the comple-xity of coordinating cybersecurity measureson the international level and you begin to seethe magnitude of the problem. But in the vir-tual world where national boundaries areoften meaningless, international cooperationon cybersecurity isn’t a choice; it’s a necessity.We’re especially vulnerable to this kind of at-tack: imagine 24 hours when your computersat work and at home would be out of service,when you can’t get money from your ATM,when electricity stops flowing, when planesstop flying—you get the picture. Everythingdepends on computers these days, and every-thing can be targeted.

Our near-total digital dependence under-pins the governmental, financial, economic,energy and every other structure. If we can’tbuild the kind of safety measures that are sodesperately needed into this virtual world thatis no longer separable from our physicalworld, we are all in trouble. In that case, evenspicy tales of female spies won’t be enough todistract us from the consequences.

While we obsessed over Russian spies, top diplomatswere working to stop a greater espionage problem

Andrew NagorskiVice president and di-rector of public policy atthe EastWest Instituteand the author of TheGreatest Battle: Stalin,Hitler, and the Desper-ate Struggle for MoscowThat Changed theCourse of World War II.He wrote this article forNEWSWEEK’s Polishedition, NEWSWEEKPolska.

CREDIT: EPA/FRANCK ROBICHON

By Andrew Nagorski

Cyber Security

ADVERTISEMENT

May-June 201122Special Edition

NEW EUROPE

There is much talk about the militariza-tion of cyber space with Russians, Chi-nese, and Americans accusing each otherof triggering a cyber “arms race”. At thesame time, policy makers in many coun-tries are calling for “rules of the road” toregulate cyber conflict. However, due tothe novelty of the threat and policy ma-kers’ inexperience with this rapidly chan-ging new field, cyber diplomacy is rifewith misunderstandings among majorcyber nations. Take the example of thesupposedly “militarization of cyberspace”by the United State - an often heard cli-ché.

Ever since the establishment of CyberCommand in May 2010 to defend Ame-rican military networks and attack othercountries’ systems, the U.S. military hasdominated the discourse on cybersecurityin the United States. The Pentagon calledcyberspace a “domain,” and describedcyber warfare as “the fifth domain of war-fare after land, sea, air, and space.” Thischaracterization implies that cyberspace asa “domain” can be protected from intru-sion, and offensive and defensive militarystrategies can be devised to protect thisspace.

Indeed, if one scans policy papers fromleading institutions of higher militaryeducation in the United States, one oftenencounters concepts such as “first strikecapabilities,” “windows of vulnerability,”and “cyber deterrence.” A lot of this mili-tary thinking is derived from the debatesurrounding nuclear strategy in the 1950s

as confirmed by a former senior WhiteHouse official: “In the 1950s to 1960s, ci-vilians—many of them outside of the go-vernment—came up with a complexstrategy for the use of nuclear weapons.This strategy was then debated publiclyand later incorporated into national po-licy…Today, planning for cyberwar is at asimilar stage.” This implies that the Uni-ted States military must lead in the fieldsimilar to the nuclear standoff during theCold War.

The former commander of the AirForce's Cyberspace Command, Lt. Gen.Robert J. "Bob" Elder, stated his prioritiesin cyberspace: “First, we must control thedomain," he said. "This is about operatio-nal freedom of action. We have to be ableto protect the electromagnetic spectrumwe use to communicate with each other,for example. We have to protect the elec-tronics that we use to establish that do-main, and we have to protect thosenetworks. Conversely, we want to have thecapability to deny those things to our ad-versaries."

The descriptions above can be widelymisinterpreted and create inherent ten-sions as visible, for example, in U.S.-Chinarelations. Since the publication of the1999 book Unrestricted Warfare, by twocolonels of the People’s Liberation Army,cyber warfare has been one of the mosttalked about subjects in U.S.-China mili-tary relations, largely triggered by the Uni-ted States, which at the beginningmistakenly took this publication to be of-ficial Chinese military doctrine. Thewake-up calls for the Chinese military

were the First Gulf War and the NATOKosovo Air Campaign. Both illustratedthe overwhelming conventional superio-rity of the United States and the efficiencyof its revolution in military affairs (RMA)based on smart weapons and network cen-tric warfare. To counter the United States’dominance in a future conflict over Tai-wan, China started its own RMA andbegan to develop cyber weapons (‘asym-metric, disruptive technologies’) to exploitweak spots in U.S. defenses and critical in-frastructure. China’s main idea was to de-grade an enemies’ information flow—the‘center of gravity’ of network centric war-fare as practiced by the United States.

According to both Russian and Chi-nese analysts recently interviewed, thespecific mission of the Cyber Commandto dominate cyberspace and guarantee fre-edom of maneuver narrows the diplomaticleverage of the United States, reduces theability to foster partnerships in other cy-bersecurity areas, and ‘radicalizes’ the re-sponse of countries such as China andRussia in countering the perceived tech-nological superiority of the United States.The doctrine of dominance sent shockwaves through China and other countriessuch as Russia, accelerating the “arms racein cyberspace,” and hastened the emphasison developing additional asymmetric ca-pabilities within the Chinese and Russianmilitaries.

What is important to realize, however,is that the United States’ doctrine of cyberdominance does only apply in military si-tuations and in times of war – a fact mi-sunderstood in both Russia and China.

The military doctrine of cyber dominanceis comparable to the NATO doctrine ofair supremacy, which NATO defines as“that degree of air superiority wherein theopposing air force is incapable of effectiveinterference.” Both the Chinese and Rus-sian Air Force have similar doctrines but ithas not been a subject of diplomatic de-bate for a good two decades, since they arenaturally applicable only in times of war.

The recently published InternationalStrategy for Cyberspace – Prosperity, Se-curity, and Openness in a NetworkedWorld” outlines the United States’ defen-sive objective: “The United States will,along with other nations, encourage re-sponsible behavior and oppose those whowould seek to disrupt networks and sy-stems, dissuading and deterring maliciousactors and reserving the right to defendthese vital national assets as necessary andappropriate.”

This responsible behavior, however,cannot be achieved when there are someinherent misunderstandings among na-tions, who each accuse each other of at-tempting to dominate a space while atthe same time seeking closer cooperationin protecting it. The United States,China, and Russia rather sooner thanlater have to start a military to militarydialogue to reduce some of these misun-derstandings. While the novelty of cyberdiplomacy makes it often difficult to de-couple military from diplomatic activi-ties, there has to be an increased effort tocollaborate; otherwise, conversations aro-und cyberwarfare will remain “lost intranslation.”

Lost in Translation – Doctrines and Diplomatic Efforts in Cyberspace

By Franz-Stefan Gady

Cyber Security

Franz-Stefan GadyAn associate at theEastWest Institute

ThePentagon

called cyberspace a“domain,” and

described cyberwarfare as “thefifth domain of

warfare after land,sea, air, and space”

Cyber Security May - June 2011 23Special EditionNEW EUROPE

Its official: Cold War policies are back in fa-shion. That quintessential institution of ColdWar diplomacy, the OSCE, recently provided astage for the return of one its proudest legaciesin international security – the so-called “Con-fidence Building Measures” (CBMs). Duringthe Cold War, CBMs encompassed various in-struments ranging from military observer pro-grams to that epitome of the Cold War, theWashington DC- Moscow “Red Telephone”.The objective was to help international diplo-macy adapt to the game-changing properties ofnuclear warfare and reduce the risk of “acciden-tal” war. Now, similar measures are being di-scussed to help account for another paradigmshift in international security. In a recent two-day cybersecurity conference held in Vienna, ex-perts and diplomats from various nationalitiesall evoked the totemic CBMs as being the so-lution to a problem whose existence most see-med acknowledge: the threat of “loss ofescalation control,” or “inadvertent confronta-tion.” Or put more bluntly: the threat of acci-dental cyberwar.

Is an “accidental cyberwar” really a threat, andare CBMs the answer? There are no missile trailsin cyberspace and attributing cyber-attacks,especially while an attack is underway, can be vir-tually impossible. Due to the peculiar physicalreality of cyberspace, the vast majority of cyberattacks cannot be easily attributed to definite ac-tors. Even when it is possible to identify a speci-fic country as the origin of an attack, pinpointingthe attackers can be very difficult. While it hasbecome routine to distinguish between cybercrime, cyber terrorism and cyber warfare, in rea-

lity the actors cannot be so clearly segmented.Often a cyber terror or cyber crime group canact as a proxy for a government’s activity.

Cyber crime – in particular cyber espionage –has taken on enormous dimensions. It has beenclaimed that the total economic costs of cybercrime could be as high as USD 1 trillion a year.It is often however unclear if the presumedcyber criminals launching the attacks are alwaysacting for themselves, or operating as proxies onbehalf of state cyber warriors. What is certain isthat some nation-states have clearly sought tobenefit from the “plausible deniability” of non-state proxy attacks – especially within cyberespionage. This approach however represents aserious risk to global security.

The problem is that cyber espionage-type at-tacks are often required for a full-blown cyber-war attack. The same channels that are used toexfiltrate (i.e. extract) terrabytes of informationcan be used to plant malicious code that cancripple networks and bring down critical infra-structure such as power generation, financial sy-stems, and communications. These attacks can

be conducted through “back doors” that theseattackers leave in the same systems. They can beused – by the same attacker, or someone else –to launch much more serious attacks then sim-ply the theft of information. Cyber crime canthus be a perquisite for cyber war.

The nightmare scenario is that a serious cyberattack (equivalent to a “physical armed attack”)could be conducted through a cyber espionagenetwork usually associated with a non-statehacker group. How could the targeted countrydifferentiate between a deliberate attack by anunfriendly government and a rouge “cyber ter-rorist” operation? The speed of action in cyber-space means that there is considerable scope formisunderstanding – with potentially very seri-ous consequences.

The Confidence Building Measures propo-sed in Vienna varied. There was wide-spreadagreement for the need for a new type of “hotline” – for secure crisis communication betweengovernments – and for regular exchanges bet-ween the national Computer Emergency Re-sponse Teams. Other CBMs proposed also

included a common threat assessment, cyber“capacity building” for less developed countriesand support for global public private partnersh-ips. Few of these CBMs, however, directly ad-dress the danger of non-state proxies. Althoughnot considered CBMs per se, “norms of beha-viour” for state actors in cyberspace could go farto help address this problem. There are pre-sently a number of diplomatic discussions aimedat the same goal: reducing the scope for mi-sunderstanding in cyberspace by defining com-mon “rules of the road” on how state conflict incyberspace should be managed. Reducing proxyactivity is often a key issue.

Norms, unlike treaties, do not need to be en-forced. Nonetheless, they should still be com-plied with. Monitoring compliance depends onspecificities of the rules and norms in question.As far as the use of non-state proxies is concer-ned there is at least one option: the institution ofa “name and shame” regime where consistentoffenders are regularly presented to the interna-tional media as what they really are: a seriousthreat to world peace. Liberal democratic civilsociety has often done exactly that, and has al-ready played a significant role in widely publici-sing serious cyber attacks and making plausibleattribution. By building on these efforts it couldbe possible to do for cyber conflict what the RedCross did for the Geneva Convention and limitnot only the casualties in any potential futurecyber conflict, but also reduce the chance thatthe conflict might occur to begin with. Until theissue of non-state proxies are solved the uncer-tainty involved in the new era of cyber conflictis not comparable to the uncertainty involved inearly stages of the Cold War nuclear stand-off.It is much worse.

Building Confidence in Cyberspace CREDIT: EPA/JOECHEN LUEBKE

By Alexander Klimburg

Alexander KlimburgFellow Austrian Insti-tute for InternationalAffairs

Due to the peculiar physical reality ofcyberspace, the vast majority of cyber

attacks cannot be easily attributed todefinite actors. Even when it is possible toidentify a specific country as the origin ofan attack, pinpointing the attackers can bevery difficult.

May-June 201124Special Edition

NEW EUROPECyber Security

The IssueGiven the marked increase in our daily de-

pendence on communications technology, as-toundingly few are aware of the realities—andvulnerabilities—of the infrastructure that sup-ports our global connectivity.

Banking, mobile communication, transporta-tion, news media, and countless other hallmarksof our daily lives have become inextricably tied toundersea cables that criss-cross the ocean floors.In fact, over 99% of intercontinental communi-cations traffic is carried through these means;satellites, often incorrectly believed to be the maincarriers of the Internet, do not even come close tomeeting the rising demands of internationalcommunications. Bandwidth demands are in-creasing at an astounding rate; Hong Kong dou-bles its dependence on international underseacables every 18 months. New technologies arepushing these cables to previously unimaginedlevels of use; at peak usage hours, Netflix stream-ing accounts for 1/5 of downstream Internet traf-fic. Our financial systems are developing anirrevocable dependence on this connectivity; eachday, trillions of dollars are traded across these ca-bles. Because of the increasing dependence onthese cables systems, the potential consequencesof a system failure are ever increasing. As StephenMalphrus of the Federal Reserve puts it, “whencommunications networks go down, the financialservices sector does not ‘grind to a halt,’ rather itsnaps to a halt.”

Cables: In DepthGiven this profound dependence, it would be

reasonable to expect an ordered, systemic processfor overseeing these cables and that the interna-

tional community is presently working to ensurethat this increasingly necessary global cable in-frastructure is secure. Unfortunately, such an as-sumption of security would be far from the truth.As it currently stands, 95% of the cables are pri-vately owned and maintained, leaving little directcontrol in the hands of governments. And whilemost cables are widely dispersed, there are threesignificant clusters of cables that threaten inter-national economic stability. These cable clusters(found in the Luzon Straight, the Suez Canal-Red Sea-Mandab Straight passage, and theStraight of Malacca) have been formed mainlyfrom geo-political contraints rather than for op-timum design principles. Taking these factors intoaccount, the reality becomes clear: the world’seconomy is vitally dependent on an ever-vulner-able system. The status quo puts international sta-bility at risk. There are numerous potential causesof cable outages, and the probabilities of their oc-currence differ drastically. In a reliable cable sys-tem, there is an indirect correlation between theprobability and severity of a crisis occurring in theundersea cable network. For example, a coordi-nated attack would engender the most severeconsequences, but such an event has the lowestlikelihood of occurring. Conversely, deep-seafishing tearing a communications cable (ac-counting for 48% of outages according to themost recent data) is currently the most prevalentcause of network failure, yet due to its managea-bility it poses a much lower risk to global eco-nomic stability. There is a spectrum of potentialthreats to the integrity of this infrastructure; thefact that we have yet to experience a higher-dam-age scenario does not excuse a lack of prepara-tion. The existing problems posed by historiccases, coupled with the potential damages of aworst-case scenario, warrant thorough prepara-

tion on the part of the international community.The state of international politics plays a sig-

nificant role in this situation. As mentioned ear-lier, the three major cable chokepoints, whichdrastically increase the potential damage causedby an outage of the cables at one of these points,are mainly the result of political differences. TheLuzon Straight cable cluster, for example, existsdue to the ongoing political differences betweenChina and Taiwan. A clear demand exists for anundersea cable running North-South throughthe Taiwan straight, but the ongoing political ten-sions between these two parties are preventingsuch a cable from being laid. This puts HongKong, and the region as a whole, at an acute dis-advantage. For example, the 2006 Heng-Chunearthquake, a disaster that impaired the cablecluster, critically disrupted communications in theregion for a two-month period. The other choke-points follow a similar mold, existing as the resultof political unwillingness of countries in the Ara-bian Peninsula to cooperate. It is clear that, in ad-dition to preparing for physical damage, fosteringa more cooperative political environment is es-sential to attaining the geographic diversityneeded. New cables must be laid to prevent po-tentially devastating outages.

Recognizing the significance of strengtheningthis crucial yet largely unknown infrastructure, theEastWest Institute decided to apply its estab-lished method of convening diverse parties toachieve tangible international results to this ever-changing field of cybersecurity. In 2009, EWI’sWorldwide Cybersecurity Initiative was put inmotion.

ROGUCCIOn April 24, 2009 the EastWest Institute held

the kickoff meeting for the cybersecurity initiativeat the Federal Reserve. It was at this meeting thatthe issue of undersea cables made the list for theinitiative’s focus areas. At one point during thesession, a former senior presidential advisorwarned against attempting to correct the prob-lems posed by the undersea cable network. It wasa worthy cause, she held, but the problems aresimply too large. Such an undertaking, one thatwould require all kinds of cooperation from allover the world, has already been attempted and itresulted in an abject failure. In spite of the daunt-ing challenges, the EastWest Institute deemedthe situation too important to ignore.

In the report of this kickoff meeting, the con-cept of a Global Undersea CommunicationCable Infrastructure (abbreviated to GUCCI)was introduced. This report, the result of collab-oration between the Institute of Electrical andElectronics Engineers (IEEE) and EWI, coinedGUCCI as a new approach to tackling the prob-lems posed by undersea cables. Instead of treat-ing the cables as numerous individual problems,this new perspective would view the network asan aggregate whole. The view turned out to begame changer. Analyzing the system as a wholeallows for a structural reframing of the challengeposed. For example, natural disasters are very rareevents when considering a single cable line, butoccur with some regularity when considering thegreater network. The nature of this problemchanges drastically when viewed within this newcontext, allowing for a new set of possible solu-tions. Using GUCCI, it is possible to approachstructural deficiencies from a global standpoint,bringing together international players from gov-ernment and the private sector to address the en-tire undersea cable network.

It was decided that the essence of the process

Undersea Cables: Endangered

Cyber Security May - June 2011 25Special EditionNEW EUROPE

Backbone of the Information Age

should consist of three parts: a study, a summit,and a report, all designed to address the issue fromthis new perspective. Called ROGUCCI (Reli-ability of GUCCI), the study brought together aworld-class knowledge base to develop mean-ingful guidance on the matter. It focused on threeoverarching goals: to examine the reliability of theinfrastructure at a global level, to assess the im-pacts of infrastructure failure, especially in the fi-nancial sector, and to provide guidance on howto improve the current system. It was also decidedthat the study would focus on securing cables, notpreventing threats. The reasoning behind this isthat while there is no limit to the number andkind of possible external threats to these cables,but there are precisely eight “ingredients” thatmake up GUCCI, which can be monitored, an-alyzed, and improved with relative ease. These are:power, environment, hardware, software, payload,network, human activity, and policy. In short, thelogic goes, it is more efficient to focus on whatcan be controlled (these finite ingredients) thanfocusing on the unpredictable (e.g. natural disas-ters and terrorism).

Following the study, the ROGUCCI Summit

was held. Hosted by the IEEE and EWI in co-operation with the Dubai International FinanceCentre, the summit brought together expertsfrom the fields of science, commerce, and engi-neering to capture 100 “key observations,” and tocreate a set of twelve specific recommendations, tobe implemented by governments, stakeholders,and the private sector. The United Arab Emi-rates was chosen for two major reasons: first, thecountry had been seriously impacted during a2008 undersea cable outage, a fact which servedas a sobering reminder of the seriousness of theissue at hand (at the summit, attendees were givena tour of one of the repair boats used to repairdamaged cables in the wake of the outage, pro-viding a first-hand look at a critical piece ofGUCCI infrastructure.) Secondly, the UAE’semerging presence as an important player in in-ternational finance highlighted the report’s em-phasis of the undersea cable infrastructure’simpact on global commerce.

The ROGUCCI summit was an unprece-dented success. Deemed a historical event, onecapturing a “shift to a greater awareness of ourglobal communities dependence on a hidden in-

frastructure” by the Porthcurno Telegraph Mu-seum located near Cornwall, England, the sum-mit produced twelve recommendations for theinternational community. They urge greater in-ternational cooperation, information sharing, andpreparedness. In the wake of these mandates, theEastWest Institute’s goal is to build upon thisfoundation laid by ROGUCCI and ensure thatthe next steps taken are the right ones. The East-West Institute continues to act as a bridge amongthe many international players necessary toachieve progress on the GUCCI front, ensuringthat our vulnerable cyber infrastructure meets theever-rising demands of today’s world.

Next StepsIn the months since the ROGUCCI summit,

EWI has pursued the cable agenda by reachingout to government and financial sector leaders inIndia, China, and Hong Kong to discuss one ofthe network’s most urgent needs: the assuranceof fast, efficient cable repair in the event of cabledamage. There are a limited number of specialvessels suited for cable repair. When multiple cuts

occur, the constraint of limited resources resultsin extended periods of cable system downtime.

Many of the ROGUCCI Recommendationshave already been implemented. Internationalprivate sector fora have stepped up to changetheir charter in line with guidance for new in-dustry governance and information sharing, andgovernments are reviewing the need for encour-aging geographically diverse routes and for pro-viding more speedy approvals for repairs ships toenter territorial waters.

In addition, the upcoming 2nd World Cy-bersecurity Summit in London, a meeting oftop cybersecurity experts and policymakers, willcontinue to hold the security of our underseacable infrastructure as a priority in pursuing thebroader cybersecurity agenda. There is stillmuch work to be done, work that will requiresubstantial international cooperation betweenthe public and private sectors. Should the manyresponsible parties come to work effectively, thepromise of a secure international cyber infra-structure will be fulfilled. If not, the stability ofglobal communications and financial marketswill remain at risk.

May-June 201126Special Edition

NEW EUROPE

As the mother of teenage boys and a mar-keting professional in the digital age, there ispressure on me to adopt the latest techno-logy and advise others on its usage! I blog,tweet, have a Facebook page and maintaina LinkedIn profile. I am a relationship con-nector by nature, so am continually urgingothers (especially my age-peers) to "join theonline conversation" in social media. Addi-tionally, I encourage my teenage kids to goonline, blog, tweet, etc., as well. The highschool that my boys attend uses "smart bo-ards," which communicate with the stu-dent's laptop computers. Each student sitsin front of a laptop used for note-taking andresearch in real-time during class discus-sions. We are one wired family!

Recently, I went to a conference thatmade me rethink everything that I have everwritten, said and advocated about the Inter-net. I had a visceral, emotional reaction to theinformation presented at the InternationalYouth and Technology Forum on Digital Ci-tizenship, hosted by The EastWest Institute's(EWI) Worldwide Cybersecurity Initiativeand Columbia University. This conferencewas the brainchild of John Kluge, Jr., whoruns the Digital Safety and Citizenship pro-gram for EWI. John is the son of John Kluge,the founder of Metromedia, a multibillion-dollar, early-on media empire. In his NewYork Times obituary from September 2010,John Kluge, Sr. is described as a man who "sa-vored the chance to move into new areas ofhigh technology. He had no patience forthose he called 'self-important corporationtypes cut out of the same cookie cutter' who

tended to stick to what was safe." Similarly,John Jr. attacks today's technology issues likecyber security with the same ferocity as hisfamous father. One of the "boldest" aspects ofthis conference was the platform that encou-raged the raising of questions that often don'thave good answers.

I was simply unprepared and stunned bythe issues raised at this forum. While theentire program was impactful, let me high-light one of the panels that was particularlydisturbing. As the mother of teen boys, I am"sheltered" from the particularly viciousangst that teenage girls feel about their self-image and their continual worry about howthey look to boys. More often than not, Iam reminding my boys to care for their ap-pearance, whereas most girls are continually"maintaining themselves" and don't need tobe reminded! Sites like Facebook, whichallow and encourage engagement betweenteens, both through messaging and photos,fosters the ability to create a public imagethat may or may not reflect the in-personreality. Without boundaries and oversight,giving technology to teens is like putting aweapon in untrained hands. This confe-rence and one panel in particular highligh-

ted some of the dark side to being authen-tic and open via social media.

The panel was entitled "Child Testi-mony" and was facilitated by Margie Wang,Vice President of Finance Services and Te-chnology for Girl Scouts of America. GirlScouts themselves were the panelists. Thesegirls were my own children's ages, and theirvoices were clear, impactful and authentic.Naturally, the conversation centered on Face-book and other types of social media. Thesegirls put out the questions, "Why don't girlsfeel comfortable having an online personathat lines up with the real-life girl? Why is itthat you must appear happy, confident, suc-cessful, beautiful, smart and successful in the24/7 Facebook world? Why can't girls just bethemselves?"

"Child Testimony" blew me away! Theyalso discussed being literally addicted to Fa-cebook and its social games, like Farmville.One honest Girl Scout panelist admitted tohaving called her mother at home during theschool day to log onto her account and waterher Farmville crops! Beyond this shock wasanother conversation led by Margie Wang.She brought up topics like "terms of service"and a teen's ability to understand what it

means. And, generationally, most parents areneither tech- nor internet-savvy enough toappropriately and wisely advise their own kidson safe surfing. Margie wisely asked the au-dience whether it might be a better idea tohave all privacy settings set to "block" as a de-fault so that they must be consciously "un-blocked." Teens are innocently postingpictures, private information and their loca-tions while IT professionals are thinking ofhow best to "steal" and "link" and take ad-vantage of the lack of sophistication in kno-wledge of privacy settings, cookies and thelike! Girl Scouts need to learn about softwarecookies!

Bravo and a shout-out to John Kluge ona job well done! It is incumbent on us parentsto take an active role in learning about tech-nology and very closely monitoring the on-line escapades of our own children. There istracking software available and more, but in-sist that you be Facebook friends with yourown kids and engage in conversation withthem about what may be questionable to post.Be proactive and look at what other kids aredoing and saying. Be involved in your own fa-mily's social conversation, as it's happeningnow without you!

Why parents must be on top of their kids online

April RudinCEO, The RudinGroup

CREDIT: tweakfest

By April Rudin

Cyber Security

Sites like Facebook, which allow and encourage engagementbetween teens, both through messaging and photos, fosters the

ability to create a public image that may or may not reflect the in-person reality

Cyber Security May - June 2011 27Special EditionNEW EUROPE

According to a distinguished British childprotection expert, Sir William Utting , priorto the arrival of the internet child pornogra-phy was principally the product of a cottageindustry. The volumes of pictures in circula-tion were small. A typical arrest in the UKand many other countries might yield ahandful of images. To acquire them a personwith an interest had either already to be partof an existing paedophile ring or take sub-stantial personal risks to locate one.

The internet changed that situation in avery dramatic way.

Child pornography has become a signa-ture crime of cyberspace.Organized crime hasbecome involved in the manufacture and saleof child pornographic images. Through acycle of constant downloading, exchangingand re-uploading the traffic in illegal imagesis likely to be measured in billions per annum.No nation is exempt.

Sexually abused children are among theweakest and most desperate members of so-ciety. Thus if society cannot find a way tobring these children a remedy we have trulyfailed in a major humanitarian duty. Part ofthe remedy, whoever and wherever these ch-ildren are, must involve the removal fromview of the evidence of their humiliation asfast as possible. Failure to do so compoundsthe injury and creates other contingentharms.

In several countries when a child porno-graphic image is identified on a particularweb site within their own jurisdiction it canbe deleted and removed from public view wi-thin one hour. This has been achieved thro-

ugh the development of a system of noticeand take down.

However, in other jurisdictions imageshave still been available at the same web ad-dress a year or more after notification to therelevant authorities. The reasons for this aremany and varied but the continued availabi-lity of the image represents a potential harmin every other jurisdiction wherethe picturemight still be viewed. To deal with this a smallbut growing number of countries have deve-loped the practice of blocking access pendingdeletion.

The argument about how to achieve theswifter removal of child pornography at so-urce, and about the legitimacy of blockingpending deletion, pitches analogue thinkingand practices against the new realities whichhave been ushered in by the internet and thewider digital environment. Scale, speed andjurisdiction are at the root of the challenges.

In an ideal world either the volume of il-legal images which needed to be adjudicatedupon were so small, or the number of judgesand court houses available were so abundantthat there would be no need to develop anynew ways of processing what otherwiseought to be fairly routine processes. But we

are a very long way from that kind of equili-brium.

However, Judges working in courtroomsare not the only agencies which can satisfac-torily administer a system which is bound bytransparent, fair, enforceable and appealablerules which entirely conform with human ri-ghts laws and other key legal principles. Inthe field of child abuse images around theworld a series of Hotlines have emergedwhich do precisely that. We need a lot moreof them.

With blocking, or deletion for that mat-ter, there is an obvious potential for systems tobe misused for political or other purposeswhich are not in any way associated withchild protection. However that is a separateand different challenge which needs to be ad-dressed through the creation of strong scru-tiny or supervisory regimes which aredemonstrably and obviously independent.

It is true there are ways around web bloc-king and there are alternative, non-web basedtechnologies which can be used to obtain ac-cess to the same or very similar images. Butthat is hardly an argument for saying the ima-ges on the web can therefore be ignored.Equally, arguing that deletion is the only an-

swer and that blocking should not be consi-dered is bizarre. That is effectively saying theimages should remain available to everybodyuntil they are available to nobody.

Obviously everything that can be doneshould be done to get overseas hosts to deletethe images at source as quickly as possible.But we cannot allow the continued availabi-lity of these images on the web to be deter-mined, in effect, by the speed of reaction ofthe most indifferent or technologically un-derdeveloped nations.

Is blocking disproportionate? Proportio-nality, like beauty, is in the eye of the behol-der. Where is the evidence that blockingworks? In 2009 the UK’s largest ISP, BT, cal-culated that its blocking system was preven-ting up to 40,000 attempts per day to reachillegal addresses containing child abuse ima-ges. Grossed up to cover the whole of the UKconsumer network that means blocking inthe UK is preventing up to 58 million at-tempts per year. A very high proportion ofthese were undoubtedly generated by botnetsand other automated systems but many willnot have been. Whatever their source everyone of them was illegal and ought not to havehappened.

A blot on the landscape: child pornography on the internet

John CarrChildren’s Charities’Coalition on InternetSafety

CREDIT: EPA/KOTE RODRIGO

By John Carr Child pornography has become a signature crime ofcyberspace. Organized crime has become involved in the

manufacture and sale of child pornographic images

May-June 201128Special Edition

NEW EUROPECyber Security

In the prospect of an international criminalcourt lies the promise of universal justice. Wi-thout an international court or tribunal for de-aling with the most serious cybercrimes ofglobal concern, many serious cyberattacks willgo unpunished.

The most serious global cyberattacks in therecent year, have revealed that almost nobody isinvestigated and prosecuted, and nobody hasbeen sentenced for those acts. The UK, Cana-dian, South Korean, French and Australian go-vernments may have suffered from globalcyberattacks, in addition to regional organiza-tions such as the European Union.

Such acts need to be included in a globaltreaty or a set of treaties, and investigated andprosecuted before an international criminalcourt or tribunal.

International lawCyberspace, as the fifth common space,

after land, sea, air and outer space, is in greatneed for coordination, cooperation and legalmeasures among all nations. It is necessary tomake the international community aware ofthe need for a global response to the urgentand increasing global cyberattacks. Peace, ju-stice and security in cyberspace should be pro-tected by international law through a treaty ora set of treaties under the United Nations.

Critical communication and informationinfrastructures of a sovereign State are veryvulnerable, both for the governmental institu-tions and the private industry, and a cyberat-tack may have the most serious and destructiveconsequences.

An International Criminal Courtor Tribunal for Cyberspace (ICTC)The most serious cybercrimes and cyberat-

tacks of global concern should be investigatedand prosecuted based on international law, andsentenced by an international court or tribunalfor Cyberspace.

This may also be vital for the global cyber-crime deterrence. An effective deterrence maybe one of the primary goals for establishing apermanent court or tribunal. It will be a signalfrom the United Nations and the global com-munity that global cyberattacks are no longertolerated.

The international criminal court or tribu-nal will go into action when national criminaljustice institutions are unwilling or unable toact on the most serious cybercrimes of globalconcern.

Provisions may be included in the list ofcrimes within the jurisdiction of the Interna-tional Criminal Court (ICC) in The Hague.An alternative solution may be to establish aspecial International Criminal Court for Cy-berspace as a subdivision of ICC, or as a sepa-rate International Criminal Tribunal forCyberspace (ICTC) based on a United NationsSecurity Council decision. An InternationalCriminal Tribunal for Cyberspace may be sea-ted in The Hague, since it may be a natural ch-oice with all international courts inside, or inthe urban area of this city But as an alternativein Singapore, where the INTERPOL ClobalComplex (IGC) will be established and opera-tional in 2013/14 especially on enhancing pre-paredness to effectively counter cybercrime.

The Tribunal has concurrent jurisdiction inrelation to national courts, but may claim pri-

macy over national courts and take over inve-stigations and proceeding at any stage.

Investigation of the most seriouscybercrimes of global consernThe Prosecutor at the ICTC shall be responsible

for the investigation and prosecution of the most se-rious cybercrimes of global concern, and have thepower to seek the most efficient assistance in the in-vestigation of global cyberattacks.

A Global Virtual Taskforce should be esta-blished for the assistance to the ProsecutorsOffice. It may include law enforcements, IN-TERPOL, and key stakeholders of the globalICT`s private industry and sector, and NGO´s.It will be necessary for the prevention and in-vestigation of global cybercrimes, especially fordelivering fast time responses to cyberattacks,that may result in effective investigative mea-sures and arrests.

INTERPOL has since the 1980s been theleading international police organization onknowledge about and global cooperation oncomputer crime and cybercrime investigation.

It is very important that the investigatorsof cybercrimes may swiftly seize digital evi-dence while most of the evidence is still intact.

INTERPOL has in 2010 established theINTERPOL Global Complex (IGC), based inSingapore. It is expected to go into full opera-tion in 2013/14, and to employ a staff of about300 people, to help law enforcement aroundthe world, especially in enhancing preparednessto effectively counter cybercrime.

A Global Virtual Taskforce could be over-seen by a joint Strategic Working Group.

An International Criminal Court orTribunal for Cyberspace (ICTC)

CREDIT: Francisco Huguenin-Virchaux Uhlfelder

By Judge Stein Schjolberg

Judge Stein Schjolberg

Themost

serious globalcyberattacksin the recent

year, haverevealed that

almostnobody is

investigatedand

prosecuted,and nobody

has beensentenced for

those acts

Cyber Security May - June 2011 29Special EditionNEW EUROPE

Just as a Red Cross designates a protected en-tity in the physical world, is it feasible to usespecial markers to designate protected zonesin cyberspace?

The Geneva and Hague Conventions di-rect that protected entities, protected person-nel and protected vehicles be marked in aclearly visible and distinctive way. Further,the Conventions establish specific standardsfor the distinctive emblem itself (i.e. RedCross, Red Crescent), instruction for its ap-plication, and consequences for its misuse. Abelligerent party's ability to recognize a de-clared protected entity is vital to compliancewith the Conventions. This recommendationproposes analogous markers.

The recommendation can be implemen-ted by several different methods, which rangefrom:

A. Simple self-declaration without va-lidation by the addition of an agreed uponextension to the URL (exampleasite.com/nsz).

This scheme provides a label, but an at-tacker can ignore the label and attack thesite regardless. This methodology does notrequire any changes to the Internet and canbe accomplished with little cost and incon-venience. A consensus attacker looking at theURL would see the extension and may optfor not attacking this site. If the attacker wasusing resolved IP addresses then a reverselook up could be employed to provide theURLs which can then be examined.

B. A dedicated domain with the require-ment of registration and qualification

(asite@nsz).This method provides a label that has

been validated by the DNS registration pro-cess to meet the agreed upon criteria for qua-lifying for the status of the protected entity.This approach requires creation and main-tenance of such a new generic top level do-main, and will imply incurring respectivecosts, as well as the administrative costs as-sociated with the qualification of requests forregistration. The qualified sites would incurthe inconvenience of changing their currentURL to a new one and addressing the conti-nued use of their prior non protected URL.The consensus attacker would have morefaith that this is a valid URL over that of aself-declaration. If the attacker was usingresolved IP addresses then a reverse look upcould be employed to provide the URL. Thisscheme provides a label but an attacker canignore the label and attack the site regardless.

C. A separate net within the Internet sothat the IP addresses are in a block and can be

so identified.With this scheme not only would a top

level domain be employed as a label but theresulting IP assignment would be in a dedi-cated block so that the IP address can be re-cognized as being protected without areverse lookup. This is the most costly of allthe schemes herein, as it requires the pro-tected site be relocated to a protected blockof physical addresses. The cost would be si-gnificant, and still does not offer protectionfrom an attacker who chooses to ignore theprotected status. Meanwhile, the existence ofsuch a separate net would have a certain im-peding/disruptive effect on the fundamentaloperational principles of the Internet.

It should be noted that these implemen-tations are not mutually exclusive and cancoexist.

For the purposes of this example NSZ isused to stand for "no strike zone". Any cur-rently vacant designation could be agreedupon. While the simplest implementation

is to have one designation, if there is a needfor differentiation, then multiple labels couldbe used. The more labels used result in theability to select which categories not to at-tack but at the penalty of a more complex de-termination algorithm simply because of thenumber of terms to consider.

D. Any other schemes that should beevaluated.

It must be understood that painting a redcross on an ambulance or hospital does notactually prevent it from being attacked by abelligerent party. All the emblem does is alertthe parties about the nature of the intendedtarget. The belligerent party must then de-cide what action to take or not to take. Thesame hold true in cyberspace in that we fullyrealize that such an emblem does not in andof itself convey any actual protection otherthan alerting a belligerent party. We also re-alize that depending on the scheme selec-ted, the application of the emblem may bediluted if there are no controls on who mayuse it or the scheme may be some burden-some that it is not followed.

While many in our community mayargue that in today's world this scheme is oflimited usefulness. That may well be true, butany level of protection it can offer is betterthan none. We are all aware that in the realworld the Red Cross is ignored in some ho-stile situations, but few would argue for its re-moval from the scene and from the GenevaConventions. Until we have a more idealworld where deliberate attacks on all sitesare banned in cyberspace, perhaps such anemblem can offer some level of identificationfor avoidance of an attack.

The Distinctive emblem principle in cyberspace

By Stu Goldman

Stu Goldman Expert for the East-West Institute’s Inter-national PriorityCommunications Pol-icy breakthrough effort

It must be understood that painting ared cross on an ambulance or hospitaldoes not actually prevent it from beingattacked by a belligerent party. All theemblem does is alertthe parties about the nature of theintended target.

May-June 201130Special Edition

NEW EUROPECyber Security

Development of the international standardsfor harmonisation of national legal frame-works is a vital element infighting cyber-crime. Ten years after the Council ofEurope Convention on Cybercrime wasopened for signature, the international com-munity still faces a number of challenges inreaching consensus on global legal solutionsto address crimes in global information net-works.

It has already become obvious that, insome areas, consensus is very hard to ach-ieve: for example, the controversially deba-ted Article 32b of the Convention onCybercrime deterred some jurisdictionsfrom joining the treaty. Some issues thathave been widely discussed in recent years,like cyberterrorism or cyberwarfare, are stillvery sensitive: depending on the legal andcultural backgrounds, approaches to thelegal solutions may vary significantly. Mo-reover, there is still no agreed definition of“terrorism” at an international level, and ap-proaches to this term may differ even wi-thin one country, let alone among differentjurisdictions .

At the same time, existing standards inthe area of cybercrime legislation need to beadapted to the new developments in infor-mation technology and cybercrime thathave emerged over the last decade: cloudcomputing, identity theft, social networkingcrimes and scams, to name but a few.

A new approach to the internationalstandards to fight cybercrime shall adequa-tely balance the abovementioned challen-ges. Instead of creating unnecessary

competition to the accepted rules, the goalis to supplement existing standards and de-velop them by covering new threats. Thus,on the one hand, the new standards shalltake into account those legal tools that havebeen recognised. On the other hand, the de-velopment of the set of principles to fightcybercrime shall revise the drawbacks ofexisting approaches, including controversialissues such as Article32b of COE Conven-tion or cyberterrorism, and avoid conflictsbetween national jurisdictions.

One of the goals of the EWI LegalWorking Group on Cybercrime is to deve-lop a set of proposals for a new treaty tofight crimes in cyberspace. The WorkingGroup has concluded that the following setof principles can be discussed for develop-ment of the proposal.

SUBSTANTIVE CRIMINAL LAW1) A set of proper and sufficient defini-

tions shall be agreed in a way compatiblewiththe existing international approachesfor the following:

• “Computer”• “Computer system”• “Computer data”• “Content data”• “Traffic data”• “Service provider”

2) The set of standards shall includeprovisions covering the most commonforms of cybercrime in a way compatiblewith the internationally recognised appro-aches:

• Illegal access to a computer system• Illegal interception of non-public tran-

smissions• Data interference• System interference• Misuse of devices• Computer-related forgery• Computer-related fraud• Offences related to child pornography • SPAM• Identity theft

3) A proposal for criminalisation ofCIA offences shall not modify the existingapproaches that are widely accepted andimplemented by many states in order toavoid unnecessary competition.

4) The minimal set of standards shallnot include controversial issues:

• Cyberterrorism• Cyberwar and Cyberwarfare. To crimi-

nalise massive attacks against critical in-frastructures, aggravated circu mstancesor qualified data/systems interferenceprovision can be developed.

PROCEDURAL INSTRUMENTS1) The proposed treaty shall include the

existing procedural instruments that are al-ready applied by many states:

• Expedited preservation of stored com-puter data

• Expedited preservation and partial di-sclosure of traffic data

• Production order• Provisions on search and seizure in-

struments • Lawful collection of traffic data • Lawful interception of content data

2) A treaty may include as an option thefollowing provisions with the possibility forreservation:

• Registration obligation• Use of remote forensic software and

sophisticated technical instrumentswith the possibility to limit them onlyto the certain types of serious crimes.

3) A set of procedural instruments shallbe developed in compliance with the inter-nationally recognised fundamental rights ofthe suspects.

JURISDICTION AND INTERNA-TIONAL CO-OPERATION1) A treaty shall develop existing regu-

lations on jurisdiction, providing the set ofcriteria that will enable the establishment ofa sufficient link to claim the jurisdiction forcyber-offences, such as: the location of data,the existence of any effect in the prosecu-ting country; the existence of certain effectsin the prosecuting country; the intention ofthe perpetrator to affect a certain country.

2) The standards for international co-operation should reflect international ap-proaches to mutual legal assistance infighting cybercrime.

3) A treaty shall include provisions onthe creation of a designated 24/7 point ofcontact for requests.

4) A treaty shall not include controver-sial provisions such as provisions on trans-border searches (Article 32b of Council ofEurope Convention on Cybercrime).

Proposal for a new global legal framework/Treatyon Cyber crime: A set of principles

Dr. Tatiana TropinaEWI Cybercrime LegalWorking Group

Dr. Tatiana Tropina

Existingstandards in

the area of cybercrimelegislation need to be

adapted to the newdevelopments in

information technologyand cybercrime that

have emerged over thelast decade

Cyber Security May - June 2011 31Special EditionNEW EUROPE

Cyberspace in the proliferation of non-stateactors is a "force multiplier", accelerating andamplifying a process that started decades ago.Non-state actors, however, pose a unique pro-blem in cyberspace due to their nebulous,aloof character; the difficulty of tracking theirmovements; and the immense destructivepower that skillful hackers can yield upon net-works and other critical infrastructure. Para-phrasing the old saying on the Colt Revolver,it is indeed true that "God created man; cy-berspace made them equal." Every expertagrees that if we do not want to have a cyberWild West we need "rules of the road" and asheriff enforcing these rules in our dealingswith non-state actors.

The legal frameworks based on the Westph-alia system, however, appear inadequate. As oneof the principal authors of a study by the Ea-stWest Institute (EWI) entitled "Working to-wards Rules for Governing Cyber Conflict:Rendering the Geneva and Hague Conven-tions in Cyberspace," Karl Rauscher, states,"Today, nearly all critical civilian infrastructureis online from the electricity grids that supporthospitals to the systems that guide passengerplanes through the air. And, by and large, it isnot protected by international norms."

To address this issue, the EWI report posesfive distinct questions meant to act as a cata-lyst for first steps towards a broad dialogue onthis topics and eventual new legal regimes:

• Can protected critical humanitarian infra-structure entities be "detangled" from non-protected entities in cyberspace?

• Just as a Red Cross designates a protected

entity, is it feasible to use special markers todesignate protected zones in cyberspace?

• Should we reinterpret convention princi-ples in light of the fact that cyber warriors areoften non-state actors?

• Are certain cyber weapons analogous toweapons banned by the Geneva Protocol?

• Given the difficulties with an agreed-upondefinition for cyber war, should there be athird, "other-than-war" mode for cyberspace?

Due to a lack of space, my focus is on one of

the questions: Should we reinterpret conven-tion principles in light of the fact that cyberwarriors are often non-state actors? My an-swer would be that a reevaluation of princi-ples is a starting point, but any new form oflegislation based on the primacy of the statewill only yield partial results. It is just as im-portant to agree to an individual code of con-duct - a set of rules to which hackers, scriptkiddies, and state-sponsored attackers holdthemselves accountable. In short and withoutbathos, we need a personal code of chivalry forcyberspace.

During the Middle Ages, the Holy RomanEmpire of German Nations and the churchyielded tremendous legal and moral power onnon-state warriors: the medieval knights. Boththe Holy Roman Empire and the Roman Ca-tholic Church (both also non-state actors)took an active interest in medieval warfare andinstilled a code of conduct and rules into me-dieval warfare that found its way into the me-dieval code of chivalry. For example, althoughthe precise nature of the verdict is now conte-sted by some historians, Pope Innocent II du-ring the Second Lateran Council banned theuse of crossbows against Christians in battle.This was largely upheld during most of themiddle ages. Long-range weapons during theHigh Middle Ages were frowned upon andvery often not used in battle since their usagecarried a dishonorable stigma.

With the difficult task of tracing culprits incyberspace, the problems of installing commonauthentication mechanisms across borders, ofdeterring acts of aggression, and installing anindividual sense of responsibility are crucial.Just like in the analogue world, we will never be

able to guarantee peace and justice in cyber-space; we will always have criminals, scam ar-tists, and aggressors. In the Middle Ages, thechivalrous code could not prohibit the out-break of the plague, peasant revolts, the rapeand pillage of the Crusades, or even the usageof cross and longbows during sieges. The code,however, did instill a basic sense of what is ap-propriate and inappropriate into the knightsand warfare, and as the writing of St. ThomasAquinas shows, inspired some fundamentalphilosophical deliberations on the justness andinjustice of war and the conduct in war. Mostmedieval lords and knights (apart from theirawe of God) upheld the code of chivalry beca-use it guaranteed their standing in society. Asthe status of cyber warriors incrementally in-creases, they also will have a vested interest invindicating their status.

Transferring a similar code of conduct tothe individual cyber warrior in cyberspace canbe tricky. It remains to be seen whether othermajor stakeholders will follow suit and formthe critical mass necessary to impose a new setof self-regulating rules in cyberspace; howe-ver, the joint Russia-US initiative, led by ex-perts of these two cyber superpowers in thisfield, may be the first stepping stone towardsraising awareness of these complicated issues.There is no doubt that an updated version ofthe Geneva Convention will be needed tocombat the lawlessness of cyberspace, and theEWI report is a sound basis for an initial di-scussion. As outlined above, however, read-dressing the shortcomings of the Geneva andHague Conventions without emphasizing thecrucial importance of the individual in cyber-space will produce limited results.

From the Middle Ages to the Cyber Age: Non-State Actors

EPA/EVERETT KENNEDY BROWN

By Franz-Stefan Gady

Franz-Stefan GadyAn associate at theEastWest Institute

Paraphrasingthe old

saying on theColt Revolver, itis indeed truethat "Godcreated man;cyberspace madethem equal."

ADVERTISEMENT