[Joint House and Senate Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
115th Congress Printed for the use of the
1st Session Commission on Security and Cooperation in Europe
_________________________________________________________________________
Building Cyber Confidence Between
Adversaries: Can the OSCE Help
Establish Rules of the Road?
SEPTEMBER 28, 2017
Briefing of the
Commission on Security and Cooperation in Europe
_________________________________________________________________________
Washington: 2017
Commission on Security and Cooperation in Europe
234 Ford House Office Building
Washington, DC 20515
202-225-1901
http://www.csce.gov
@HelsinkiComm
Legislative Branch Commissioners
HOUSE
CHRISTOPHER H. SMITH, New Jersey, Co-Chairman
ALCEE L. HASTINGS, Florida
ROBERT B. ADERHOLT, Alabama
MICHAEL C. BURGESS, Texas
STEVE COHEN, Tennessee
RICHARD HUDSON, North Carolina
RANDY HULTGREN, Illinois
SHEILA JACKSON LEE, Texas
GWEN MOORE, Wisconsin
SENATE
ROGER WICKER, Mississippi, Chairman
BENJAMIN L. CARDIN, Maryland
JOHN BOOZMAN, Arkansas
CORY GARDNER, Colorado
MARCO RUBIO, Florida
JEANNE SHAHEEN, New Hampshire
THOM TILLIS, North Carolina
TOM UDALL, New Mexico
SHELDON WHITEHOUSE, Rhode Island
Executive Branch Commissioners
DEPARTMENT OF STATE
DEPARTMENT OF DEFENSE
DEPARTMENT OF COMMERCE
ABOUT THE ORGANIZATION FOR SECURITY AND COOPERATION IN EUROPE
The Helsinki process, formally titled the Conference on Security
and Cooperation in Europe, traces its origin to the signing of the
Helsinki Final Act in Finland on August 1, 1975, by the leaders of 33
European countries, the United States and Canada. As of January 1,
1995, the Helsinki process was renamed the Organization for Security
and Cooperation in Europe [OSCE]. The membership of the OSCE has
expanded to 56 participating States, reflecting the breakup of the
Soviet Union, Czechoslovakia, and Yugoslavia.
The OSCE Secretariat is in Vienna, Austria, where weekly meetings
of the participating States' permanent representatives are held. In
addition, specialized seminars and meetings are convened in various
locations. Periodic consultations are held among Senior Officials,
Ministers and Heads of State or Government.
Although the OSCE continues to engage in standard setting in the
fields of military security, economic and environmental cooperation,
and human rights and humanitarian concerns, the Organization is
primarily focused on initiatives designed to prevent, manage and
resolve conflict within and among the participating States. The
Organization deploys numerous missions and field activities located in
Southeastern and Eastern Europe, the Caucasus, and Central Asia. The
website of the OSCE is: .
ABOUT THE COMMISSION ON SECURITY AND COOPERATION IN EUROPE
The Commission on Security and Cooperation in Europe, also known as
the Helsinki Commission, is a U.S. Government agency created in 1976 to
monitor and encourage compliance by the participating States with their
OSCE commitments, with a particular emphasis on human rights.
The Commission consists of nine members from the United States
Senate, nine members from the House of Representatives, and one member
each from the Departments of State, Defense and Commerce. The positions
of Chair and Co-Chair rotate between the Senate and House every two
years, when a new Congress convenes. A professional staff assists the
Commissioners in their work.
In fulfilling its mandate, the Commission gathers and disseminates
relevant information to the U.S. Congress and the public by convening
hearings, issuing reports that reflect the views of Members of the
Commission and/or its staff, and providing details about the activities
of the Helsinki process and developments in OSCE participating States.
The Commission also contributes to the formulation and execution of
U.S. policy regarding the OSCE, including through Member and staff
participation on U.S. Delegations to OSCE meetings. Members of the
Commission have regular contact with parliamentarians, government
officials, representatives of non-governmental organizations, and
private individuals from participating States. The website of the
Commission is: .
Building Cyber Confidence Between
Adversaries: Can the OSCE Help
Establish Rules of the Road?
____________
September 28, 2017
PARTICIPANTS (page)
Alex Tiersky, Policy Advisor, Commission on Security and Cooperation in Europe ... 1
Stacy L. Hope, Director of Communications, Commission on Security and Cooperation in Europe ... 15
Tim Maurer, Co-Director and Fellow, Cyber Policy Initiative, Carnegie Endowment for International Peace ... 3
Jaisha Wray, Acting Deputy Director, Emerging Security Challenges Office, Bureau of Arms Control, Verification and Compliance, U.S. Department of State ... 6
Dr. Alex Crowther, Senior Research Fellow, Center for Strategic Research, National Defense University ... 9
Building Cyber Confidence Between
Adversaries: Can the OSCE Help
Establish Rules of the Road?
----------
September 28, 2017
Commission on Security and Cooperation in Europe
Washington, DC
The briefing was held at 2:04 p.m. in Room 385, Russell Senate
Office Building, Washington, DC, Alex Tiersky, Policy Advisor,
Commission on Security and Cooperation in Europe, moderating.
Panelists present: Alex Tiersky, Policy Advisor, Commission on
Security and Cooperation in Europe; Stacy L. Hope, Director of
Communications, Commission on Security and Cooperation in Europe; Tim
Maurer, Co-Director and Fellow, Cyber Policy Initiative, Carnegie
Endowment for International Peace; Jaisha Wray, Acting Deputy Director,
Emerging Security Challenges Office, Bureau of Arms Control,
Verification and Compliance, U.S. Department of State; and Dr. Alex
Crowther, Senior Research Fellow, Center for Strategic Research,
National Defense University.
Mr. Tiersky. Ladies and gentlemen, we will get started with our
briefing. As you may have noticed from our "Matrix"-like poster
outside, we're here for a discussion on cyber diplomacy. More
specifically, this is a U.S. Helsinki Commission briefing on "Building
Cyber Confidence Between Adversaries: Can the OSCE Help Establish Rules
of the Road?" And on behalf of the Commission Chairman Senator Roger
Wicker and the Co-Chairman Congressman Chris Smith, I would like to
officially welcome you to this discussion.
For those of you who may not know the Helsinki Commission very
well, the Commission is mandated by law to track the commitments made
by the signatories of the 1975 Helsinki Final Act. A great deal of that
1975 Helsinki Final Act had to do with transparency and confidence
building in order to reduce tensions and provide increased
predictability and security in a very tense European zone during that
time, in the thick of the Cold War. The Commission has been tracking
these commitments throughout its history, with a strong focus on human
rights, of course, as well as the security challenges that in recent
years have grown in their intensity in Europe. And the Commission has
equally increased its attention to some of these challenges.
Now, obviously, we are here today to talk about state-based cyber
threats to security and what might be done about those. But it's clear,
I think, to all of us that they're an increasingly dominant part of the
global security landscape. The Commission is tracking a process at the
Organization for Security and Cooperation in Europe, the OSCE, which is
an organization that essentially flowed from the 1975 Helsinki Final
Act process. And at the OSCE in recent years, diplomats and experts
have been seeking to play a leading role in the international system in
the development of confidence-building measures between states to
reduce the risk of cyber conflict. These discussions feature voluntary
agreements among the participating states that include, quite
crucially, the United States and Russia.
The measures that have been agreed to are designed to--and here I'm
going to read an OSCE document if you'll allow me for just a moment--
they're designed to enable states to read another state's posturing in
cyberspace and draw red lines. They're designed to allow for timely
communication and cooperation, including to defuse potential tensions
emerging from the use of information and communication technologies,
another word--a buzzword for cyberspace--and they're designed to
promote trusted cyber neighborhoods through enhanced national
preparedness.
Those who are tracking the OSCE would suggest that this process has
been one of the few bright lights in what has otherwise been a very
difficult period for the organization. So we are here today to rely
upon this all-star panel to help us understand what are confidence-
building measures, what are our norms, how do they relate to each other
in the field of cyberspace, what's happening at the U.N., what's
happening at the OSCE on these issues, and ultimately, what difference
could this make in the real world?
As I mentioned, this is an all-star cast. They're obviously
technical experts, and I will push for them to be as non-technical as
possible--and forgive me in advance if I need to interrupt you to
explain some terminology, some particularly wonky term. They're
extraordinarily distinguished individuals.
We will first hear from Tim Maurer. Tim is from the Carnegie
Endowment for International Peace. He's the co-director of the Cyber
Policy Initiative there. He's going to talk us through state-based
threat, and he's going to explain to us confidence-building measures
and how they might be useful against this threat. And I think he'll
give us a bit of a short historical overview of how this relates to the
U.N. and the genesis, and what goes in which direction.
We will secondly hear from Jaisha Wray, who is the acting deputy
director of the Emerging Security Challenges Office in the Bureau of
Arms Control Verification and Compliance at the U.S. Department of
State. I'd like to thank the administration for providing a witness
today, and someone clearly that's as expert and well placed to talk to
us about this as Jaisha. She will provide us with some official views
on where the value is in this process, and the latest on what's going
on in these fora today.
Finally, we'll hear from Dr. Alex Crowther, who is a senior
research fellow at the Center for Strategic Research in the National
Defense University. He'll be batting clean-up for us. He gets to talk
about more or less whatever he would like to in reaction to the
previous panelists, but also he has a particular perspective on some of
the harder security challenges that are implied by these discussions.
So before I hand it over to Tim to start our substantive
discussion, I need to make sure to let you know that we are live on
Facebook right now, and that stream is at Facebook.com/
HelsinkiCommission. If you're tweeting this discussion, you're welcome
to do so, but use the hashtag @HelsinkiComm. We are able to take
questions on social media, if anyone who's watching on Facebook would
like to send in some questions. Please do that, and someone will signal
those to me as appropriate. And then just to let everyone know, there
will be a transcript available of this event within a few days on our
website.
So, Tim, please kick us off. Give us the overview.
Mr. Maurer. Great. Thanks, Alex, and thanks to all of you joining
us. We'll be talking about cyber diplomacy which, as you, I'm sure, are
familiar with, has gained attention and risen on the agenda,
particularly in the past few weeks, but also certainly in the past few
years. I'm going to start off by briefly talking about the state-based
threat, and then we'll talk about this concept of confidence-building
measures, which dates back to the Cold War, and why there's also this
effort now underway to use it in the context of cybersecurity, which is
not evident, right?
I'll walk you through the utility of the confidence-building
measures, or CBMs for short, and then I'll tie to the broader
discussion at the U.N. in terms of trying to develop the rules of the
road. And there's also connection to the G-20, which in 2015 the heads
of state for the first time included a specific reference to this U.N.
process in their outcome document at the time.
So to start, what's the threat landscape when it comes to state-
based threats? When we talk about cybersecurity, it's helpful to put
into context that cyber operations can have a variety of effects. Cyber
operations range from espionage to profit-driven malicious activity to
political and military activity. As you all know, hacking and cyber
operations, as we use it today, are essentially initially coming out of
the intelligence world, and were initially designed to steal data. As
more and more devices connected to the internet, and the internet
proliferated as a network and became the backbone for the economy but
also for military systems and other systems that are politically
relevant, all of a sudden, the operators in the national security
agencies realized that there were other effects that they were able to
cause.
One of the main inflection points for this now 30 years of history
of cyber conflict, so to say, or conflict that included a cyber
component, is probably the 2007 DDoS attack that occurred in Estonia
and was the first incident that kind of made front page news and
brought this issue back to the attention of a lot of people. You had a
community back in the 1990s that focused on cybersecurity, but after 9/11
and the terrorist attacks a lot of those people shifted their
attention to counterterrorism. And I would argue it wasn't until 2007
that it really started to come back into people's minds and in terms of
headlines.
2008 was also the year where during the war between Georgia and
Russia you saw for the first time how offensive cyber capabilities were
used during a conventional conflict on the ground, and how the two
could be married. In fact, Chris Demchak coined the term "cybered
conflict" as a result of that, suggesting the notion that we should
rather think about cybered than cyber conflict, because her argument is
that what we are likely to see is conventional war and conflict be
married with hacking capabilities.
As you all know, in the last five years there's only been
deterioration in the security environment. We've had the Sony hack,
where for the first time you had the United States President--in this
case President Obama--who went in front of public television cameras
and accused North Korea of having hacked Sony Entertainment Pictures
and subsequently resulting in several movie theaters in the United
States pulling a movie that was critical of the North Korean leader.
That was a significant escalation, I think, when we look back in terms
of the history of how states have been using it, because it takes a lot
for the president of the most powerful country in the world to go on
public television and accuse another country of this type of activity.
You also have more destructive attacks, actual destruction that
took place. For example, the Saudi Aramco attack, where you had the
malware that was wiping the hard drives of the Saudi Arabian oil
company that significantly impacted their operation to the extent that
the single company that had been hit with this malware had to purchase
and replace its hard drives, and had such an impact that the price of
the hard drives from anybody else was increasing because of the sudden
surge in demand for the hard drives that had to be replaced. So apart
from the actual impact, you had secondary effects that took place.
To mention a couple of others--we are all familiar with Stuxnet,
the malware that was found to have infiltrated the Iranian nuclear
enrichment facility. That was clearly a critical point in time in terms
of the state use of these tools, because it showed that hacking is now
also being used to target some of the most sensitive and most critical
systems for international security and national security. Last year the
U.S. Government unsealed a range of indictments, including one in which
the Department of Justice had indicted seven Iranian hackers for having
targeted U.S. financial institutions in 2012 and 2013. And you had a
group of essentially seven people in their mid-20s to late 30s who
stand accused of having used DDoS attacks and targeting a range of U.S.
financial institutions, causing significant economic damage.
So, long story short, the last decade has seen a significant
increase in state-based threats, using offensive cyber capabilities.
James Clapper testified last year on the record that there are now 30-plus
countries that are developing offensive cyber capabilities. And
many of these countries consider cyberspace a new operational domain to
further their political and military aims. At the same time, there's
little transparency about how these countries think about using these
capabilities and what their doctrines are, and what their underlying
strategies are. In fact, many countries don't even agree on the same
terminology. For example, in the Russian Federation and China they use
the term information security and have a much broader approach for how
they think about this, compared to the U.S.
That is where I'm now transitioning to the confidence-building
measures, which back in the Cold War were essentially the tool to avoid
accidental escalation. I'm putting the emphasis on the adjective
``accidental'' because sometimes, obviously, there is deliberate
escalation as part of a political conflict. But during the Cold War,
the Soviet Union and the U.S. realized that there was also a
significant risk of accidental escalation that neither side intended,
either because the other side was misinterpreting a signal that was
being sent or just as a result of an accident. And that became the
foundation for a range of measures put in place to reduce the risk of
this kind of escalation, and to create this regime of confidence-
building measures for the two sides.
I think the best example is the red telephone between the Kremlin
and the White House, that I think is featured in several movies. I
don't think it's actually red, but it became a Hollywood meme.
Dr. Crowther. But it's still functional.
Mr. Maurer. It still works. [Laughter.] So the reason why I think
for the past few years there's been a focus on CBMs in the cyber
context as well is because it's a new domain, there's a lot of
uncertainty. There's a lot of intransparency. And these confidence-
building measures that you've seen come out of the OSCE in 2013 and
2016 put a particular focus on trying to reduce some of that
uncertainty. And there's value just in the fact that sharing of
doctrines, where, if you like, sharing of doctrines, what is the real
impact of that? Like, can you just send that in the email? It actually
does have a real impact because this is such a new domain and the
uncertainty of how states think about this.
I'd also like to point out, just as I come to the end, that the
initial confidence-building measures were not driven necessarily by the
diplomats. They actually came out of the military community, as Thomas
Schelling reminds us. They were a necessity that military commanders
realized, to really try to reduce the escalatory dynamics and the
potential for accidents to occur. So this is something where there's a
lot of history and tradition also coming from the military community.
Now, to tie it to the broader discussion at the U.N., the OSCE's
work--and I'm sure we'll hear more about this in greater detail in
terms of what has come out of the OSCE in 2013 and 2016--this is part
of a broader effort of the international community to create a regime
for how states use offensive cyber operations. The OSCE has always been
focused on much more practical mechanisms and terms to create more
confidence and to create more transparency. But there's a higher-level
effort that's been taking place at the U.N., where the international
community is trying to come to a consensus and understanding for what
is appropriate behavior, what states are permitted to do when it comes
to the use of offensive cyber operations, and where do we draw the
lines. What are things we can all agree on, that should not take place?
This is an effort that dates back to the late 1990s, when the
Russian Federation proposed a bilateral treaty between the U.S. and
Russia which, for a number of reasons, the U.S. has objected to, which
continue to be very valid today. And the U.S., in response, developed
this framework for voluntary norms, particularly in peace time, to
create more of a regime and to create boundaries for what appropriate
behavior could look like. Final sentence on that, this process at the
U.N. has produced two significant reports that are the most advanced in
terms of providing insight into how the international community is
currently thinking about what constitutes appropriate behavior. I
encourage you all to take a look at that.
The bad news is, in spite of the progress that's been made in the
last several years, the security environment has continued to
deteriorate. And this process at the U.N. collapsed in June when the
latest group of governmental experts--the fifth iteration of it--failed
to come to a consensus document. And there is now a big debate about
where to go next. And I'm happy to discuss this more in detail after
the event or on the margins of it. But I hope that provides some good
overview of the CBMs, the OSCE, and----
Mr. Tiersky. Thanks, Tim. That was excellent. That was exactly what
I was hoping for. As I said, I'm going to put you on the spot, though.
I'm fairly certain that 90 percent of our audience knows what a DDoS
attack is, but if you could give us 10, 15 seconds on a DDoS attack,
which you mentioned several times.
Mr. Maurer. Thank you. Yes, of course. So DDoS stands for
Distributed Denial of Service attack. And it's essentially--remember
the phone prank as a teenager, you try to call somebody repeatedly at
the house so they wouldn't be able to use the phone? Think of that as
the equivalent for what a DDoS attack is in cyberspace. It's
essentially somebody who uses a number of machines that the malicious
actor controls. And it floods the system that's the target with so many
pings that the system can't process normally anymore. So if you target
a website, the website will be inaccessible because it receives so many
requests that it can no longer be processed, and therefore the website
is down. That might seem not like a big deal if you're thinking about--
I don't know, pick your favorite website for, maybe, cooking. But it
becomes a much bigger deal if you're thinking, for example, a
government website at a time of crisis, or for a banking website. If
the banking website is down and you can't actually make a transfer,
that's actual money loss for the bank.
So the last escalation we've seen of DDoS attack was the Dyn
attack, where a significant amount of the internet on the East Coast
went offline for a long period of time, because as more and more
devices like your fridge and your webcams become connected to the
internet, the number of devices that can be used for these flooding
attacks significantly increases and poses a bigger threat.
Mr. Tiersky. Thank you for that. And of course, you mentioned that
in the context of Estonia, which I think was such a remarkable
example, particularly given the leadership Estonia has taken in terms
of its citizens' ability to interact with government online. And I
think that was a big part of why it was so impactful on Estonia.
You laid out for us the threat very compellingly. You described a
history of confidence-building measures and their importance in
particular as they regard the risks of accidental conflict or
accidental escalation of conflict. And then I think you left us with a
sense that the process of the development of norms at the United
Nations was largely driven by the United States in response to an
initial Russian proposal, but that it now may be languishing. And it
faces a bit of an uncertain future. Have I captured more or less?
Great.
Let us move over to Jaisha for her comments. Thank you.
Ms. Wray. Thank you, Alex, and good afternoon, everyone. I'd like
to start off by thanking the Helsinki Commission for inviting me to
speak on this very important, but perhaps not so well known topic
today.
The United States has worked for the past decade to promote
stability in cyberspace through the development and promotion of a
framework of responsible state behavior. And our approach has been
focused on building international consensus on what constitutes
responsible state behavior in cyberspace. And this includes consensus
on the applicability of international law as well as consensus on the
development of norms of responsible state behavior. In addition to
norm-setting, we have also focused on the development and
implementation of practical confidence-building measures for cyber to
reduce the risk that cyber incidents will result in misperceptions,
escalation and potential conflict.
And while CBMs are being developed multilaterally, as Tim
mentioned, through the U.N. group of governmental experts, they're also
being developed through regional security organizations, such as the
Organization for Security and Cooperation in Europe, the OSCE. I have
participated in many meetings of the OSCE informal working group on
cyber, which began just six years ago. And I look forward to sharing
U.S. perspectives on the work of this very important body. I'll also
discuss the importance of cyber CBMs, the role of regional security
organizations and their development, and the current state of play in
the OSCE cyber informal working group.
As I mentioned in my introduction, cyber confidence-building
measures can play an important role in building stability in
cyberspace. CBMs are particularly helpful in the cyber domain, since
cyberspace and military cyber capabilities have a number of unique
characteristics that make them potentially destabilizing. First of all,
there's a lack of external observables, which means that states have no
real tactical warning of when an incident is about to occur. Next, even
when a state knows that there is a foreign actor's presence on their
systems, they might not have a clear understanding of that state's
intentions. And finally, information and communication technologies, or
ICTs, are ubiquitous, meaning that we are all vulnerable to some
extent.
These characteristics heighten the possibility that a cyber
incident will result in misperception, escalation, or even outright
conflict. In short, confidence-building measures are meant to reduce
the risk of misunderstandings or conflict between states stemming from
cyber incidents. We see three types of CBMs particularly useful in the
cyber arena. The first type is transparency measures, which are aimed
at reducing uncertainty about states' intentions in cyberspace.
Now, I think you all received a packet when you came in today, and
the OSCE's cyber CBMs that have been developed are inside your packet.
And one of them, which is CBM 7, is that participating states will
voluntarily share information on their national organization
strategies, policies and programs relevant to the security of and use
of ICTs.
The second type of CBMs are cooperative measures, which are meant
to provide states with channels to work together cooperatively to
respond to or manage tensions related to cyber incidents. And there are
plenty of examples of cooperative measures in the OSCE cyber CBMs as
well. One is CBM 3, which says that participating states will, on a
voluntary basis, hold consultations in order to reduce the risk of
misperception and of the possible emergence of political or military
tensions that may stem from the use of ICTs.
Finally, there are stability measures, which in the cyber
environment are measures of self-restraint. And there are many
stability measures in the Group of Government Experts [GGE] reports
that Tim mentioned. But as of now, the OSCE CBMs do not include
stability measures.
Now, I'll discuss regional security organizations and the role that
they play in the development of cyber CBMs. These organizations can
play a critical role in conflict prevention through providing a venue
for capacity building as well as the sharing of best practices. As a
result, we are pleased to see that many of these regional security
organizations have begun discussing cyber. And the United States
participates in the cyber-related discussions of the OSCE, as well as
the ASEAN Regional Forum and the Organization of American States.
We view regional security organizations as key places to discuss
cyber issues because even in the age of the global internet we believe
that many of the tensions that could implicate state use of cyber
capabilities are likely to be regional in nature. Further, many of the
vulnerabilities--like cross-border interdependencies within critical
infrastructure--are likely to be regional or sub-regional in nature as
well. The role of regional security organizations--like the OSCE--is to
help states manage shared security concerns.
And it makes sense to build on their experience in doing this in
other domains to address the specific risks of cyberspace. A benefit of
discussing cyber and regional organizations is that these organizations
are able to address the particularities of that region's security
concerns and issues. In addition, these organizations are able to shape
their efforts based on local conditions as well as the comparative
advantages and institutional competencies of the organization. And
finally, different regions may balance their priorities differently--
whether it's developing CBMs or endorsing principles or building
capacity.
We also believe that regional confidence-building measures can play
an important role in universalizing the consensus reached in the
multilateral organization, such as the U.N. Group of Governmental
Experts. And it's not by coincidence if you put the OSCE CBMs side-by-
side to the Group of Governmental Experts report that you'll notice
many of the CBMs are similar or complementary in nature. Since the
inception of the informal working group on cyber in the OSCE, which I
mentioned, just six years ago, so it's fairly new, the OSCE has made
groundbreaking progress to advance cyber confidence-building measures
and stability. In some ways this isn't surprising, since building
confidence lies at the very heart of what the OSCE does.
The OSCE-participating states have adopted two different sets of
confidence-building measures. The first set was adopted in 2013, and
that focuses on official points of contact and building communication
lines to prevent possible tensions resulting from cyber incidents. The
second set was adopted just last year in 2016, and that focuses on
further enhancing the cooperative mechanisms between participating
states; for example, to effectively mitigate cyberattacks on critical
infrastructure that could affect one or more participating states.
The challenge, of course, once a CBM has been agreed to, is
meaningful implementation. And I emphasize the word "meaningful"
here. As an example, one of the CBMs states that participating states
will nominate a point of contact to facilitate pertinent communication
and dialogue on security of and in the use of ICTs. Now, it's one thing
to have each state provide a policy point of contact, but it's another
to have all of those points of contact know exactly what to do when
they receive a call about a cyber incident.
So as a result, it's essential that all participating states have
the correct contacts within their own governments, as well as the
procedures in place to be able to respond to or make such a call.
Successful implementation of the CBMs requires shared experiences
regarding how individual CBMs will work in practice, as well as
awareness raising within individual governments, and finally capacity
building, which may be necessary in some cases. And this is exactly
what the OSCE and others, including the United States, are working on
right now. In fact, just last week I was in Uzbekistan for a conference
on the implementation of the cyber confidence-building measures to
raise awareness in that sub-region.
Other recent positive steps towards implementation have been two
recent communication checks. During these checks, the OSCE secretariat
sends an email to each of the participating states to test the
responses from the officials listed on the point of contact list. And
we recently did a scenario-based exercise as well to see how states
would respond to a particular incident.
In conclusion, the United States has been pleased with the progress
of the OSCE cyber informal working group in its swift development and
its work on a range of cyber confidence-building measures. However,
there's still work to be done on the implementation and we look forward
to continuing to play an active role as the work of this body moves
forward.
Thank you.
Mr. Tiersky. Thank you, Jaisha. That was an excellent overview of
USG policy and perspective on the ongoing processes. I guess one
element that I take from where you ended up was the implementation
challenges that we face are really underlined by the fact that we are
still trying to get the right person to answer the phone call when the
OSCE secretariat does a test of this system. So as you pointed out, one
of the confidence-building measures really is just a directory of who
to talk to if you have a problem, if you think another participating
state of the OSCE is creating conditions that are threatening in
cyberspace. Just getting that telephone or email directory to work is a
challenge. That, I think, to me at least, suggests kind of the nascent
nature of these confidence-building measures and the need to continue
to do more in that respect.
Ms. Wray. That was the first step. But our second communications
check took it one step further, to ask the policy points of contact to
reach back within their own governments and to form a coordinated
response back to the OSCE secretariat. So I would say we're at the next
step on that one in terms of implementation.
Mr. Tiersky. And, thus, building their own capacity to coordinate.
Ms. Wray. Exactly.
Mr. Tiersky. That's great. Thank you for that clarification. Let me
ask you one more technical term, since I put Tim on the spot for his
DDoS. Why do we talk about ICTs in the international format, whereas in
this context we'd be more comfortable saying ``cyberspace'' or
something of this sort?
Ms. Wray. That lies in the 57 participating states and the
terminology that they feel most comfortable with. So while ``cyber'' is
what the United States uses, we mentioned earlier that there's no real
set of definitions. But we have been able to agree internationally
through the U.N. and through the OSCE that information and
communication technologies for the U.S. is relatively the same thing as
cyber.
Mr. Tiersky. Very good. Thank you. Dr. Crowther, if you would.
Dr. Crowther. Alex, thank you very much for this invitation to the
Helsinki Commission. Thank you, everybody, for sharing your afternoon
with us. I'd like to start with talking just for a second about China
and Russia, because although we don't have to sympathize with their
point of view, we do have to empathize or understand their point of
view, because they're the ones who are provoking a lot of this. China
feels that bad things happen when the little people get too much
information. And so they talk about their responsible use of
information because irresponsible use of information is when you give
too much information to the little people. The Russians, on the other
hand, feel that they've been directly attacked by us. They feel that
our criticism of their 2012 election was a direct attack at Putin's
validity as the leader of Russia. And so they feel that we're
conducting hybrid operations against them in order to achieve regime
change.
The OSCE is important in this because most organizations have
stopped talking to Russia in the wake of the 2014 seizure of Crimea.
Only the Norwegians, NATO, the U.S. and U.N. really are talking to the
Russians anymore. But history has shown us that in these times of
tension, it's very important to continue discussing things. The 1932
departure of Japan from the League of Nations is sometimes seen as one
of the precursors for World War II, because it forced the Japanese out
and then we no longer had a platform with which to talk to them. Over
the years, we've continued to talk to the Cubans, we've continued to
talk to the North Koreans, we've continued to talk to the Russians. So
it's really important that we continue to do this. The OSCE is a vital
platform for continuing that discussion.
It's a wonderful platform also because all 29 NATO allies are in
it, 21 Partnership for Peace nations, and then there's seven other
smaller nations from Europe that are in it. So when you talk to the
OSCE, you're reaching from Canada over into Uzbekistan. It's a
tremendous swath of the globe that's covered by this. We heard two
people talk about the Group of Government Experts--the GGE talks about
norms, and the OSCE seeks to operationalize that through the use of
confidence-building measures. They've--and I think it was Tim that
mentioned it--they've had two tranches of confidence-building measures.
You heard Jaisha mention several of them, and there are several more. I
don't want to read them to you, but they're all available to you in
your packets.
The most important consensus coming out of the GGE is that
international law applies in cyberspace, because before that the
Russians and the Chinese--essentially their point of view was
cyberspace is a Wild West because it's so new and different that normal
laws don't count. So in the 2015 GGE everybody agreed, we reached
consensus that international law runs writ in cyberspace. That means
cyber intelligence is an intelligence operation. Cybercrime is a
criminal operation. So you don't need an entire new chunk of the United
States code to cover this because crime is already covered in Title 18.
You just have to modify Title 18 to take into account cybercrime.
Everybody's admission that international law is applicable in
cyberspace was a huge leap forward.
From the perspective of the Department of Defense, the OSCE rules
are a very important venue to talk to the Russians, because, as I
mentioned, few organizations are talking with the Russians. And even
ones that are aren't doing that much. For instance, the NATO-Russia
Council has met twice in the last year. And my buddies are telling me
not much came out of that. But the OSCE is really a trifecta for the
Department of Defense. Number one, they get to talk to the Russians and
reiterate what they're saying in private to the Russians. Number two,
they get to say it in front of all of the other 28 NATO allies, which
reinforces what NATO says within NATO. And number three, it hits all
those other Partnership for Peace countries and the smaller countries,
which is our opportunity to ensure that they understand what our point
of view is and where we should be at.
From NATO's perspective, NATO does agree that international law
applies in cyberspace. They welcome voluntary norms and confidence-
building measures. And they want to see a norms-based predictable and
secure global cyberspace. And they see CBMs through the OSCE as a way
to achieve that. You can see how important the OSCE is to NATO. NATO
has three international organizations that they partner with--the
United Nations, the European Union and the OSCE. So you can see that
it's extremely important to them.
Tim mentioned cyber conflict. I've been doing a lot of work on what
is the cyber domain recently. And interestingly enough, although there
are pure cyber operations--like the Shamoon virus for the Saudi Aramco
attack in 2012--what's become more popular are cyber-enabled
operations. What you saw in Georgia was a conventional land and air
operation enabled by cyber operations. You're going to see more and
more--with the informationization of our society--you're going to see
more and more of our intelligence operations, information operations,
and conventional and special operations being cyber-enabled, until
someday it's just going to be totally suffused and you're not even
going to talk about cyber-enabled operations because everything is
going to be cyber-enabled.
And Tim mentioned in passing the Internet of Things and the attack
on the grid in the northeastern United States last year. This is super
important. They went in through a camera--the kind of camera that hangs
on your computer screen. The problem is, when you buy a smart device,
when you ask for a smart refrigerator, you say: I would like a
refrigerator that tells me when I'm out of milk. You don't say: I would
like a refrigerator that seamlessly integrates into my home
cybersecurity system. The people who are making these things are not
building security in from the very beginning. And so as the number of
smart devices in our homes proliferates, we have more and more attack
surfaces and it makes us more and more vulnerable. So with that, the
OSCE is vitally important and a great platform for confidence-building
measures.
Mr. Tiersky. Thank you, Alex. That was a terrific endorsement of
the value of the OSCE going forward, and certainly something that I
think the Helsinki Commission would get behind, in terms of the value
that we see in these discussions that take place in Vienna and then, of
course, in other places.
I want to throw some red meat on the table for us to kind of bat
around, but I'll very shortly turn to the audience for your questions,
so please gather your thoughts in that respect. And I also want to give
you a chance to react to anything that you've heard from each other
before we go too far.
But I think we can't have this conversation in a kind of honest way
without really addressing the elephant in the room, which is the
Russian offensive cyber activities that have been widely reported and
widely discussed. I was just recently scrolling headlines again, and I
was reminded that--this is only in public reports--Russia was accused
of hacking the OSCE itself in December of last year. We also know that
the Russian leadership is accused of not observing various arms control
treaties, such as the Conventional Forces in Europe Treaty, the INF
treaty--the Open Skies Treaty is the one that's been in the headlines
the last couple of days. Certainly, confidence-building measures in
political military affairs, like the Vienna document and their major
exercises in Russia and Belarus that they were just having last week.
So I put this on the table for my colleagues here to chew over, and
I will phrase this in a provocative way--what confidence can we have
that confidence-building measures that are developed in this process
will be treated differently by the Russians? And if there is not
confidence that these confidence-building measures will be treated
differently by the Russians, is there still value in the process as a
whole? And can you put your finger on what that value is? And over what
time frame might that value manifest? Would anyone like to take a first
crack at that?
Dr. Crowther. I can.
Mr. Tiersky. Please.
Dr. Crowther. The problem is you can't prove a negative. If they
were cleaving to these, we might not know it. Part of the problem goes
back to--and I'll expand on what I said earlier--the Russians feel like
we're conducting hybrid operations against them. I stopped there. The
corollary to that is they're conducting counter-American hybrid
operations, from their perspective. They believe that they are
performing these offensive cyber operations to counter our hybrid
operations. But we think they're doing hybrid operations. So we can't
figure out how to counter their operations because we don't understand
that they're doing counter hybrid operations. So we're actually doing
counter-counter hybrid operations, which is kind of hard to wrap your
head around, which is one of the problems that we're having. We just
don't understand what they're doing, so we can't stop it.
I would propose to you that the Russians have always played fast
and loose with the rules. You can track a lot of their behavior, if you
want to look at how they do information operations and stuff like that,
actually goes back into the 1800s. They've been doing these types of
information operations--maskirovka, deception is hardwired into the
Russian culture. So they're going to continue to do this kind of stuff.
Confidence-building measures actually are kind of our only hope.
There's a yin and yang to it, right? We have to have confidence-
building measures, but at the same time we have to practice deterrence.
And deterrence consists of two parts--coercion and denial. We have to
get a lot better at doing denial back home so that they will see their
operations as being fruitless.
Mr. Tiersky. Tim, please.
Mr. Maurer. Let me jump in--when in 2013 the OSCE agreed to the
confidence-building measures, that only occurred several months after
the United States and Russia came to a bilateral agreement, in the
spring of 2013. And you had the White House together with the Kremlin
agreeing on a bilateral set of confidence-building measures. The White
House has put out a fact sheet, so some information is available on
what that agreement entailed. I do think that the events of last year,
in terms of what that means for the bilateral relationship and the
efforts of the OSCE, raise a big question to what extent it undermines
trust in Russian commitments over the long term. I do think, from our
perspective, from the U.S. perspective, there is a big question mark to
what extent there is good faith when you negotiate with Russian
counterparts, given some of these events.
But on the flip side, a concern that I think we've had at Carnegie
and that has been informing a lot of our work is, in order for these
agreements and norms that have been agreed to to be effective, they
need to be also slightly more specific in terms of how they're actually
being implemented, and what we mean by them. And without a certain
degree of specificity--and I'm not talking about red lines, which is
obviously a whole different discussion of the pros and cons of
identifying red lines--but the level that some of these agreements are
at right now is still fairly vague and general. We talk about critical
infrastructure in the GGE report, right? And if you look at different
countries, different countries define their critical infrastructure
very differently based on where they sit and what is particularly
important for their economy.
One question, I think, that came up as a result of what happened
last year, is to what extent election infrastructure is considered
critical infrastructure across the board. So is that covered by the
very norm? The similar question arose when the electrical grid in
Ukraine was targeted. You actually had, since Stuxnet, the first real
cyberattack, in the sense that for six hours power went out in Western
Ukraine. And some people said that's a violation of the norms that were
agreed to at the U.N. GGE because it's targeting civilians. Well, it
turns out actually the United States Government considers Ukraine to be
currently in an international armed conflict, and therefore it wasn't a
violation of the norms.
But you also talk to several U.S. officials who say, no, it was a
violation of the norms. So even within the U.S. and the OSCE we don't
seem to have a consensus on what a violation of the norm actually looks
like. I think there's a bigger question here in terms of moving
forward, also for the OSCE, and the practical implementation of what's
been agreed to, that we need to get a little bit more specific so both
sides understand when the line is crossed and what the implications are
of that.
Mr. Tiersky. Thanks, Tim.
Jaisha, I'd like to move to something a little more abstract for
you, although it relates to Russia in the sense that one of the
challenges that is often talked about in the context of cyber that
makes it different than other domains is the problem of attribution.
How does the problem of attribution, or knowing where an attack comes
from, feature into these discussions on confidence-building measures or
norms? Is it a part of what's being discussed in diplomacy when you're
in these meetings in the informal working group in Vienna?
Ms. Wray. You can't avoid the attribution factor, which is somewhat
more challenging for some countries than others. But where these
confidence-building measures come into play is after a state does have
the attribution. Then it's a matter of: What are the next steps? What
are the resources available to reach out to where the incident appears
to be emanating? It provides a resource once the attribution step is
crossed.
Mr. Tiersky. Anybody want to comment on attribution?
Dr. Crowther. If you read reports like the Mandiant report on
Advanced Persistent Threat 1, they have shown that you can actually
trace things back to an IP address or an individual computer. The hard
part is who does that computer belong to and who's actually operating
that computer.
Mr. Maurer. I think we are spending way too much time talking about
whether attribution is possible or not because, apart from the national
security context, law enforcement agencies for decades now have been
able to arrest cyber criminals. So, if you look at the U.S. Secret
Service, the FBI, for decades now have been arresting particularly
criminals from Eastern Europe, and the only reason they were able to do
that, and then for them to actually go to jail in the U.S., is because
they were able to do the attribution that was required to also meet the
standard that's required in U.S. courts for somebody to go to jail.
I think that there was a bit of a longtime debate about whether
it's possible that shifted to how long it takes for attribution to
actually be possible. And as Jaisha just pointed out, I think the
debate needs to move much more in a direction of what are the
implications of asymmetric attribution capabilities--meaning, yes, it
is possible for a certain number of states, especially those that can
combine signals intelligence and forensics with human intelligence and
having spies in certain countries, to corroborate what they're hearing
and to figure out who was actually behind it--and what is the
implication of that for countries who will not have that capability,
and what are the implications of that for the coalition and the
alliance--the NATO alliance. Because if we have a NATO partner that
requests, for example, assistance from the U.S. Government when it
comes to attribution, there are always tradeoffs involved from an
intelligence perspective, because if you share that information you
might burn an intelligence source. And it gets even more complicated if
you move beyond NATO and the alliance framework when it comes to
international incidents with countries that might not be a partner or
ally, where you might have to have a briefing on the Security Council
and demonstrate what happened. So I think that those are some of the
looming questions when it comes to attribution moving forward.
Mr. Tiersky. From my perspective, that brings us back to a point
that Jaisha made, which is the potential utility of regional
organizations like the OSCE to help build the capacity of countries to
engage perhaps not on something as what I would say high level as
digital forensic attribution, but even just to engage in the
discussions on cyber policy. Do I have that right?
Ms. Wray. In terms of capacity building, exactly--we just last week
were in Uzbekistan, and the first step with some governments is just
raising awareness on what the CBMs are, and capacity-building in terms
of helping to understand how you need to organize within your own
government, and make sure that all the agencies are aware of the CBMs
and the processes that should be in place should an incident occur.
Mr. Tiersky. Ladies and gentlemen, I have a zillion more questions,
but I would love to hear from you or perhaps any of our Facebook users.
Does anyone have something they would like to put on the table? Yes,
please, in the back. Because of our video feed, if you wouldn't mind
coming to the microphone, that would be very helpful for us, thanks.
And if you could identify yourself, appreciate it. Attribution, of
course. [Laughter.]
Questioner. I'm Diana Parr from Representative Ted Lieu's office.
Question about the incident management part. You said there's a lot
of confusion on, do the different countries actually have a mechanism
for communicating with each other. So you looked at the ransomware
attacks like WannaCry and Petya, and the ability for these different
international countries to communicate between each other about the
fact that this malware's coming is really important. And the
government's put in the CTIIC and the NCCIC that DHS manages. Is
anything happening in that area to formalize it? And is anybody leading
that from a country perspective?
Mr. Maurer. I think this relates to the capacity-building efforts
that Jaisha mentioned, where the computer emergency response teams--
that there's now a growing number of national computer emergency
response teams that are for each state set up to essentially help with
the communication in terms of that. But there remains huge confusion,
even in Europe, where some of the anecdotes that after the ransomware
attacks happened, where companies called institutions that they
shouldn't be calling for cyber kind of incidents.
So one is building the institutions where many countries still
don't have a CERT that they should be setting up, so that they have a
point of contact. But then, even if there is a point of contact in the
CERT, in some countries there are three or five people who are working
part time because they don't have the resources to actually manufacture
that.
And then, multinational companies, they have their own teams who
don't really rely on these institutions. So I think that's where
essentially that will be moving in the future in terms of the capacity
building.
Questioner. OK. Thanks.
Dr. Crowther. That's one of the things that makes the OSCE useful,
is among their confidence-building measures are requirements for the 57
different signatories to be talking to each other, and requirements for
them to share data on threats and things like that. So 57 of the 193 or
196 countries in the world, depending on what list you use, are
theoretically operating off the same script.
Tim mentions that there's some confusion, but I would propose that
there's confusion in the United States. There isn't a single phone
number in the United States to call either. This is kind of an ongoing
type of thing.
Ms. Wray. And this OSCE points-of-contact list is more government-
to-government. There's also the CERT-to-CERT and law enforcement
channels. But through the OSCE, each state has been asked to provide a
policy point of contact and a technical point of contact in case they
want to try to reach out from a state perspective regarding an incident
that rises to the level of national security concern.
Mr. Tiersky. Thank you. That was a great question.
Yes, please.
Questioner. Good afternoon. My name is Erin Dumbacher with the
Nuclear Threat Initiative.
I'm curious if you could talk a little bit about whether you see in
the critical infrastructure space potential for additional, or perhaps
even more concrete and even more technical, confidence-building
measures. In the past, you know, starting with scientist or
technologist to technologist has worked globally. Is there an
opportunity to focus on the industrial control side of things first,
before we focus on everything else?
Ms. Wray. Well, our focus has been now on implementation rather
than the development of additional confidence-building measures.
There's a degree of flexibility with the current confidence-building
measures. For example, number 12 discusses workshops and seminars and
roundtables, so I think there is a degree of flexibility of who could
be involved and the specific topics there. So in the future, perhaps.
Mr. Maurer. At Carnegie we've been doing some thinking about what
could be avenues to further advance the ongoing discussions, and
particularly in light of the fact that earlier this year, in June, this
group of governmental experts at the U.N. didn't produce a new report.
And we for the past years have worked specifically on financial
stability and cybersecurity, with the assumption being that that might
be an area where there's a lot of common interest, even with countries
where we might disagree on many other issues. We've actually put forth
a proposal that this might be an area where we could make further
progress, given the common interest--financial instability is something
that most countries don't want--and whether you can build more
cooperation on that particular issue to tackle the threat and threat
actors that might still have an interest to potentially do this kind of
thing. So that goes back to the earlier comment about trying to get a
little bit more specific on what certain agreements mean operationally
and moving that forward.
Ms. Wray. I'd also encourage you to look at the CBM 15, which is
focused just on critical infrastructure and engaging various aspects,
including industrial-control systems and raising awareness on that
importance, sharing national views. And I think the OSCE is very
focused on the importance of critical infrastructure and the need to
increase confidence in that specific arena.
Mr. Tiersky. I understand we have a couple of questions coming from
our Facebook feed, and I would like to take both of those at once.
Ms. Hope. Hi. The first question, I think, was covered in your last
answer, so thanks very much. You've preempted one of our online
questioners.
The second question is from Geoff. He asks, establishing norms and
confidence-building measures may work well for nation states, but what
diplomatic tools are available to mitigate the threat of nonstate
actors, such as terrorist groups and criminal networks, from using
cyber weapons against us?
Mr. Tiersky. Excellent question from Geoff. I'm sure our panelists
will want to jump on. So what about nonstate actors? I would add not
only the question of how does the diplomatic process address the threat
from nonstate actors, but also flip it on its head and what nonstate
actors, including the private sector--how do they participate in the
diplomatic process productively?
Let's start first with the threat and kick that around a bit.
Please, Alex.
Dr. Crowther. The good news, getting back to my previous comment
about international law does run writ in cyberspace: Terror and crime
are against the law. We all have codes. All of the countries have
legislation that defines what is a crime and what is terror. That's
working pretty well.
Part of the problem is, obviously the diplomatic side of things
doesn't bring in terrorists or crimes, but, like the Budapest
convention, which started out as a European thing but is now global, is
a convention that defines certain cybercrimes. And their goal is to
kind of define the spectrum of crimes. The Tallinn Manual, of which the
second version just came out, also talks about operations in
cyberspace, both in an in-war context but also not-in-war context. So
they talk about that as well. But the anonymity of cyberspace really
kind of super-empowers terrorists and criminal organizations.
Ms. Wray. Regarding terrorist use of the internet, on the
diplomatic front we are working cooperatively with other governments to
ensure that we can protect our networks, to defend against incidents
coming from terrorist use of the internet. But bringing this back to
the OSCE, an example where we might be able to see the CBMs in place is
that if there was an incident that appeared to be emanating from
another state's territory, and you called that state and they weren't
aware of it because it wasn't a government activity, it could be an
opportunity for those states to work together to mitigate the incident.
So it could be that it's a proxy incident. And just because I am
making a call to another government does not mean that I am blaming
them. I'm calling to inquire and see if we can share information about
the incident.
Mr. Tiersky. Let's talk about the second piece of that, then, that
I raised, which is the good nonstate actors, so to speak. What is the
involvement of public-private partnerships? You know, help us
understand to what extent relationships between governments and the
private sector feature into any of these discussions, certainly into
implementation of these confidence-building measures.
Mr. Maurer. I think there are a couple of components to that. And
the first one is, unlike probably any other security realm, you have
private companies that have investigative teams that can conduct
attribution at a very similar level to governments and probably better
than most countries. So you have your security companies that have been
detecting malicious activity in their published reports and that put
that out in the limelight and often expose state-sponsored malicious
activity, which you don't really see in many other spaces.
You don't really see a lot of other security environments where a
covert operation might be exposed other than through an investigative
journalist. But when it comes to cybersecurity, you have all of these
companies that have an incentive model, a market-driven, profit-driven
model, to put out these reports and to expose essentially what are
covert operations by states. So that is one that I think is an
important factor here.
The other one is, you have an entire industry that's based on
identifying vulnerabilities and trying to find the vulnerabilities and
then to patch them that are used for offensive cyber operations. So
while, on the one hand, you have the arms race among countries now to
develop offensive capabilities, you have this private-sector
disarmament race of essentially private companies trying to find these
vulnerabilities and to patch them, and thereby disarming the access
point that has been developed to deploy certain payloads for offensive
cyber operations.
And then the third one that I'd mention is that a lot of the major
internet companies have a visibility into a network that a lot of
governments don't have. And in order to get a full comprehensive
picture, the two need to be talking to each other to really understand
what is happening, because many malicious actors don't just target an
individual company, but they might target multiple companies.
And there have been incidents where one company has been hacked and
the company's like, oh, I got hacked, but I don't really need to report
it because they can't really do much with just our information. But
another company has been hacked as well and thought the same thing. And
if you put the two together, the malicious actor actually had a lot of
information that was a lot more useful by combining the two. And that
requires kind of a coordination both within the companies, but then
also with the government, to really understand what kind of campaign is
going on and what has happened.
Ms. Wray. I'll highlight that in the lead up to the latest round of
the U.N. Group of Governmental Experts, the United States and the
Netherlands sponsored a series of workshops that were hosted by the
U.N. Institute for Disarmament Research and CSIS on some of these
issues related to norms and international law and confidence-building
measures that involved industry and academia and a wide range of
participants to seek input in advance of the formal U.N. governmental
group, which includes only governmentally designated experts.
The OSCE informal working group is also a governmental meeting.
But, that said, one of the newest CBMs in the last year's tranche, CBM
14, talks about promoting public-private partnerships. So that is
something where the OSCE does want to focus in the future. And I'll
note that in the workshop I attended last week, we had some folks from
the private sector and academia in attendance as well. We are seeking
to involve our industry partners as well as academia in these
discussions as much as possible.
Dr. Crowther. Both in North America and in Europe, 90 percent of
the internet is in private-sector hands. The United States, the
European Union and NATO all have very strong efforts to build public-
private partnerships. And the United States also, when the U.S.
Government talks about internet governance, we prefer a multi-
stakeholder approach. And we tend to involve the private sector in that
as well, where they're actually invited in as voting members of
whatever organization it is.
Mr. Tiersky. Great. Let me go back out to the audience, if anyone
has a question they'd like our brilliant panel to bat around.
Questioner. This is kind of a more general philosophical question.
In view of the name of the organization, the word cooperation sticks
out at me. I was just noticing Uzbekistan, Turkmenistan, Tajikistan,
Serbia, Turkey and Russia.
What is going on in the organization as they meet to deal with the
relative un-aspect of the cooperation of these nations, particularly in
light of this latest struggle with the cyber issue? Now, I know some of
those nations mentioned are kind of who-cares countries, I guess, when
it comes to the technology aspect of this. But I'm assuming they have
some influence because of their membership.
Mr. Tiersky. Thanks. Actually, that may be a question that I would
have a couple of thoughts on myself, as someone who's regularly out at
the OSCE. And I think it's broader than just the question on cyber that
we've asked the panelists to discuss, but I will want the panelists to,
if they have any words.
The value of the OSCE is precisely in the fact that it is the
organization of 57 participating states, from Canada all the way to
Russia, where the participating states have agreed, in founding the
organization and in signing up to a number of very basic commitments,
that include respecting the territorial integrity of other countries,
respecting their sovereignty, respecting their ability to choose their
own security alliances, but also on basic principles that human rights
are important and a concern to all.
This is a place where that discussion happens on a weekly basis,
where countries are expected to hold each other to account for not
living up to those commitments, whether it be on human rights, on
military transparency, and now increasingly on some of these cyber
confidence-building measures, where they are discussed on a regular
basis.
I don't think anyone on the panel is suggesting that everything is
an easy discussion in Vienna or in most other international fora. But I
think, from the Helsinki Commission perspective, we certainly see the
value of an ongoing dialogue, in particular where we disagree. We need
to make sure people remember the principles that the organization is
founded on and that all of the 57 participating states have signed up
to.
So having given that bumper-sticker full-throated endorsement,
would anyone like to comment further on that? Thanks.
Ms. Wray. Now, we've managed to maintain a working relationship
with all 57 OSCE participating states through the Cyber Informal
Working Group and managed to get consensus twice on the various
confidence-building measures. And I think we're lucky in a sense that
the issue is relatively technical and it's focused on reducing
misperceptions and figuring out procedures if there were to be an
incident. We've been able to keep it at a fairly technical level and
make really groundbreaking progress.
Mr. Tiersky. You mentioned, Jaisha, that the U.S. Government's
intent to develop confidence-building measures in ICTs, information
communication technologies, was not limited to the OSCE but that the
United States also participates in the ASEAN Regional Forum and the
Organization of American States.
It's my perception that the OSCE is kind of the head of the class,
as it were, in terms of the regional organizations that are actually
working on this issue. Why is that? And I'd like others to comment if
they would wish to.
Ms. Wray. Well, we started earlier through the OSCE process. We
have a bit of a head start. We also have an able secretariat, which is
hugely useful in terms of moving us along through our implementation
and priorities, whereas the ASEAN Regional Forum does not have a
secretariat.
And so while the other two regional groups are a bit behind, we're
trying to do work between the regions. For example, there was a
workshop in the spring in Seoul with the ASEAN Regional Forum and the
OSCE to kind of provide lessons learned from the OSCE, as the ASEAN
Regional Forum begins to develop their own confidence-building
measures. I think efforts like that will be important to ensure that
all of these regional groups make progress.
Dr. Crowther. I'm actually helping the Organization of American
States with theirs. I'm running a two-day get-together in Miami next
month, as a matter of fact, to do that. But if you think about these
different organizations, who are the four major cyber actors in the
world? U.S., Russia, China and Europe. Well, three of the four are in
the OSCE. And that's the only organization that has three of the four.
And that's why I think the most way forward is happening there.
Mr. Tiersky. Audience, last chance for questions. And then I'm
going to challenge the panel with a last big-picture question.
Questioner. Hi. I'm Lauren Williams. I'm a reporter with FCW.
I have two questions. One, has there been any discussion of when a
cyberattack warrants a kinetic attack, or vice versa, since we're
moving to a space where all operations are going to become one?
My second question has more to do with modernization. We talked a
little bit about asymmetrical capabilities. And I want to know where
that fits in, particularly with DOD and how we're working with other
countries on that, and making sure that we can protect ourselves but
also other countries being on the same level--or if it's, I guess,
making sure that we don't get to, like, a nuclear arms race, but in
cyberspace.
Mr. Tiersky. I suppose both of those questions would relate to the
concept of escalation from cyber to kinetic. Well, I suppose that
needn't necessarily be an escalation, but certainly not getting into an
arms race in cyber.
Alex, you seem eager to jump. Please.
Dr. Crowther. So in the 2011 U.S. International Strategy for
Cyberspace, it says that we will reserve the right to respond in any
way that we see fit, including all the elements of national power--
diplomatic, information, military and economic--understanding that the
military is a last resort.
There's a lot of discussion about this in the international-law
crowd, as you could imagine. The prevailing definition of when
something crosses the line of being an armed attack under the U.N.
charter is when the cyber operation has the same effect as a kinetic
operation. If you drop a bomb on a village and it destroys buildings
and kills people, that's clearly an attack, right, an armed attack. If
you open the sluice gate of a dam and it washes away the village and
destroys buildings and kills people, that's clearly an armed attack
because it achieves the same effect.
There are differing opinions out there on when that threshold is
triggered. And I must say the Russians are doing a very competent job
of operating in what is known as the gray zone, which is very
specifically designed to stay under a threshold which would trigger a
military response.
In reference to helping other countries, unfortunately, because
cyber is new and because everybody is building their cyber
capabilities, it's kind of like building the car while driving it.
There's not a whole lot of additional capacity left over to do
building-partner-capacity type things. So there's a long list of
partners that have asked for help and that we want to help, but it's
very difficult to generate the additional cyber resources to help them
out. That is being looked at both by Cyber Command, by the Office of
the Secretary of Defense, and each of the combatant commands as well.
And European Command is working with partners. NATO also has a capacity
to help build partner capacity within the alliance.
Mr. Maurer. And just on the point of the capabilities and the
asymmetric threat, I think that's already happening. And we're already
seeing this arms race taking place where North Korea, just being in the
news in the last two or three years, is the latest state that has been
escalating, how aggressive it's become in using hacking.
For example, prior to offensive cyber capabilities, we were worried
about the North Korean conflict becoming global once it would get
ICBMs. Hacking has now made this conflict global because you can
reach--geography doesn't really matter anymore in terms of the reach
you can have. And the cost of these tools is nothing compared to the
conventional weaponry that would have to be built.
I think right now what we're seeing is that most nonstate actors
are profit-driven rather than politically active. It's more a question
of intent and who would have an intent to really exploit the kind of
vulnerabilities that currently exist. But there are certainly nonstate
actors out there that are very capable. In terms of how this might
progress, I'm more worried about how the nonstate-actor threat will
evolve compared to some of the state-based, and how states will use
nonstate actors to project power as proxies.
Ms. Wray. Regarding whether these bodies are talking about kinetic
attacks, the purpose of the OSCE Cyber Informal Working Group is to
kind of prevent that from happening in the first place. We're very
focused on the other end, and what can we do to prevent a conflict
before it reaches that stage?
And then, with regard to capacity-building, where we're focused in
that realm can be at the very basic level, so it's helping other
countries write a cybersecurity strategy or helping them investigate
cybercrimes. We use that as a tool to ensure the internet is more
secure, interoperable and reliable.
Mr. Tiersky. Wonderful.
I am going to pose a final challenge, but I'm going to pose it to
the speakers on my right, because it's a challenge about talking about
U.S. policy and what it should be.
What I would like Tim and Alex to chew on is, earlier in our
conversation Alex referred to CBMs as our only hope, or our last best
hope. Tell me what you think is the best-case scenario and the worst-
case scenario for the development of CBMs and of norms for the next
decade. And what does that depend on?
What I would like you to comment on, I think, in that rubric is the
extent to which U.S. leadership is a driving factor in this field.
Would either of you care to start?
Dr. Crowther. Sure. The best-case scenario is that the U.S., the
Europeans, the Chinese and the Russians all agree on confidence-
building measures, they adopt transparency, and they swear and adhere
to that they will never attack critical infrastructure.
The worst-case scenario is that nobody pays any attention to any
confidence-building measures and just kind of runs amok, attacking each
other's intellectual property, financial systems and other critical
infrastructure at will. I don't really see that one happening because
everybody's got critical infrastructure. So if you start--and I hate to
equate it to nuclear warfare, but when you start dropping nukes on
somebody else, they start dropping them on you. So if country A starts
attacking the critical infrastructure of country B, what's to prevent
country B from attacking the critical infrastructure of country A? So
it's more of a mutually assured destruction scenario.
U.S. leadership is key in this whole thing. The executive branch,
of course, is working this. The State Department is doing wonderful
things with, for instance, the Group of Government Experts and
everything like that; Chris Painter's old office. Department of Defense
is working on it. Congress could help out with this as well by
essentially--remember earlier I said deterrence is coercion and denial.
So the congressional role I would see more of supporting the denial
part at home; for instance, mandating Internet of Things standards for
security, or mandating kindergarten-through-12 cyber-hygiene education.
We could do things back home. And then that way, if everybody knows
not to click on that phishing attack, that link--90 percent of
successful cyberattacks come from phishing attacks. If every American
knew not to click on the link and didn't click on the link, we would be
much less vulnerable than we are today.
Mr. Maurer. I think it was Joe Nye who, a couple of years ago, came
up with the phrase ``mutually assured vulnerability'' as the concept
that might be underlying this field, and that that mutually assured
vulnerability is actually one of the reasons why there might be
restraint in the area, because there's such great interdependence that
the type of operation that might be launched would backfire on the
source of the malicious activity.
So in terms of best-case scenarios, my hope is that there will be
much greater understanding of these interdependencies. Sometimes I have
the impression that we are still in the very early stages of really
understanding how the network operates and what is really connected to
it and what happens if you do X and Y, and it might happen in Z, which
you never expected. And that includes, I think, some of the leading
countries in this; so a better understanding on that.
Second, I think right now what is blocking further progress is the
insistence of some countries to combine what back in the 1970s with the
Helsinki Accords were separate buckets. We had the bucket on security
and you had the bucket on human rights and you had the bucket on
security that was negotiated and had an outcome. And you had the bucket
on human rights that had an outcome.
And some governments, who define information security much broader,
to include things like content, and who are viewing information
security as essentially the control of information, are combining and
bundling these two buckets, which makes it impossible to make much more
progress and substantial progress on the actual security side. And they
do this because they have a concern about the stability of their
domestic regime, which they prioritize over the security threat.
My concern is, looking at the security environment in the last
decade, it's continued to deteriorate. The cost is going up. You've
seen Maersk and another company who just reported that each company
suffered a $300 million loss as a result of the ransomware earlier this
year; two single companies suffering a loss each of $300 million a year
because of a single malware that was locking out their systems.
So my hope is that these countries that have prioritized their
domestic-stability concerns for reasons that make sense from their
perspective will agree to decouple them out of the realization that the
security risk that is tied to the technology is so great that we need
to make further progress on the real security part of that.
Mr. Tiersky. Great. Without putting Jaisha on the spot, I'd like to
offer you the opportunity for any final thoughts on what you've heard
today.
Ms. Wray. Well, thanks again for the opportunity to participate in
this panel. Like I said before, some of these issues are not widely
known, so I think it's important to raise awareness on the work the
OSCE is doing as well as the really landmark reports that the U.N.
Group of Governmental Experts have produced. And even though the last
session was not able to reach consensus, it does not take away from the
importance of these reports that reached consensus in the past. And the
United States looks forward to continuing to work with the
international community on these important issues.
And I'll note in particular one of our key priorities is trying to
reach consensus on how international law applies in cyberspace.
Thank you.
Mr. Tiersky. I'd like to thank the panel. These kinds of
discussions are absolutely crucial towards informing the work of the
Helsinki Commission and that of our members, both in their capacities
as commissioners with us but also in their other roles as members of
Congress and crucial committees that are making important decisions on
a lot of this, but also our direct involvement in some of the
discussions ongoing in Vienna.
Please, audience, join me in thanking our panel in the customary
way. [Applause.] Thank you all for joining us. And thank you, Facebook,
for providing some excellent questions as well.
This concludes the briefing.
[Whereupon, at 3:28 p.m., the briefing ended.]
This is an official publication of the Commission on
Security and Cooperation in Europe.
* * *
This publication is intended to document
developments and trends in participating
States of the Organization for Security
and Cooperation in Europe (OSCE).
* * *
All Commission publications may be freely reproduced,
in any form, with appropriate credit. The Commission
encourages the widest possible dissemination of its
publications.
* * *
www.csce.gov @HelsinkiComm
The Commission's Web site provides access
to the latest press releases and reports,
as well as hearings and briefings. Using the
Commission's electronic subscription service, readers are
able to receive press releases, articles, and other
materials by topic or countries of particular interest.
Please subscribe today.