The Rules of Cyberspace Just Got A Bit Clearer

Uploaded on 2015-10-07 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW

The UN's new recommendations guiding state activity in cyberspace break new ground in three important areas.

The United Nations Group of Governmental Experts on Information Security (GGE) agreed to consensus document laying out its recommendations to guide state activity in cyberspace. Politico.com called the document a “breakthrough” because it enshrines a series of norms that the US government has been promoting. At the time the article was published, it was hard to determine whether the champagne popping was necessary given that report wasn’t made public. Late last month, the UN released the text of the 2015 GGE report.

As with many UN reports, this one is filled with recycled language from previous reports and General Assembly resolutions. The sections that speak to the threats in cyberspace, the need for confidence building measures, and the importance of capacity building are largely pilfered from the 2013 report and don’t really convey anything new. However, there are some exceptions. 

The US was successful in getting its preferred norms with respect to critical infrastructure–States should respond to requests for assistance, and refrain from cyber activity that intentionally damages or impairs critical infrastructure or computer emergency response teams–adopted by the group. On the surface, getting everyone to agree to not attack critical infrastructure is great. But it’s hard to see what additional clarification this new norm provides. 

Each state classifies critical infrastructure differently–the United States has sixteen sectors, Japan has thirteen, Canada has ten, Germany has nine–and many of these sectors are defined so broadly, that any disruptive or destructive cyber incident is likely to affect some form of critical infrastructure. For example, the North Korea incident against Sony was probably an attack against critical infrastructure, given that the US Department of Homeland Security classifies motion picture studies as part of it’s commercial facilities sector. Moreover there’s already a norm against disruptive or destructive cyber activities. It’s called Article 2(4) of the United Nations Charter, which prohibits the threat or use of force.

Despite the lack of new insight on the protection of critical infrastructure, the GGE report breaks new ground in three important areas.

First, the report explicitly references the possible applicability of the international legal principles of humanity, necessity, proportionality, and distinction, though the wording of the text makes it unclear whether the group reached consensus on whether they actually apply to state activity in cyberspace or merely noted their existence. 
The US seems to interpret it as endorsing the applicability of these principles to cyberspace, but the Chinese in particular have avoided doing so in the past. At the 2012-2013 GGE, the Chinese blocked any attempt to reference humanitarian law principles in that group’s report on the basis that endorsing their applicability would legitimize armed conflict in cyberspace. If the 2014-2015 group endorsed necessity, proportionality, and distinction, it would represent a considerable shift in China’s position.

Second, the report notes that states should substantiate public accusations of state-sponsored cyber activity, and that “the indication that an ICT activity was launched or otherwise originates from a State’s territory … may be insufficient in itself to attribute the activity to that state.” While this may seem obvious to anyone who cursorily follows the blog, the text was probably inserted at China’s request to get other states to stop accusing it of malicious cyber activity. China regularly asserts that accusing it without proof is “irresponsible and unscientific,” and may be trying to promote a norm against public attribution without strong evidence. The United States has signalled that it is willing to name and shame states that engage in destructive activity (e.g. North Korea), steal intellectual property for commercial gain (e.g. the five PLA indices), and to establish deterrence. In the future, the United States may need to provide more concrete evidence than the “trust us” approach it’s used in the past.

Third, the report recommends that states “should respond to appropriate requests for assistance by another state whose critical infrastructure is subject to malicious ICT acts.” This recommendation may seem banal, but it’s pretty significant. Many states have established national computer emergency response teams (CERTs) to act as focal points to coordinate national and international responses to cyber incidents. 

Oftentimes, one national CERTs’ request for assistance from another can go unanswered for days, allowing malicious traffic that could be terminated to go unabated. In the case of the 24/7 point-of-contact network established by the G8 to combat cybercrime, many of the national points of contact don’t even pick up the phone. Creating an expectation that requests for assistance will be answered may actually pressure some into responding. 
DefenseOne: http://bit.ly/1JPSTx6

 

« Where’s The Money in Data?
Snowden : Smartphones Can Be Remotely Controlled »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

National Agency for the Security of Information Systems (ANSSI) - France

National Agency for the Security of Information Systems (ANSSI) - France

The role of Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) is to foster a coordinated, ambitious, pro-active response to cybersecurity issues in France.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Momentum Cyber

Momentum Cyber

Momentum Cyber provides world-class M&A and strategic advice combined with unparalleled senior-level access to the Cybersecurity ecosystem.

GK8

GK8

GK8 is a cyber security company that offers a high security custodian technology for managing and safeguarding digital assets. Secure, Compliant and Practical.

Consensys

Consensys

ConsenSys is a global blockchain company. We develop enterprise applications, invest in startups, build developer tools, and offer blockchain education.

Base Cyber Security

Base Cyber Security

Base Cyber Security is an information and cyber security talent service provider and career specialist.

Nemko

Nemko

Nemko offers testing, inspection, and certification services worldwide, mainly concerning products and systems, but also for machinery, installations, and personnel.

Calyptix Security

Calyptix Security

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology.

SafeTech Informatics & Consulting

SafeTech Informatics & Consulting

Safetech's OTShield detects, prevents and analyses cyber-attacks in SCADA and Industrial IoT systems by utilising state of the art deception techniques.

Securolytics

Securolytics

Securolytics offers the simplest, most complete and affordable IoT security for all organizations. Securolytics quickly identifies unmanaged devices to reduce security and compliance risks.

Prancer

Prancer

Prancer is the industry's first cloud-native, self-service SAAS platform for automated security validation and penetration testing in the cloud.

NetGain Technologies

NetGain Technologies

NetGain Technologies helps small to medium-sized businesses gain access to expert IT talent. We provide strategies that use technology as a driving force behind business growth.

Vancord

Vancord

Vancord is an information and security technology company that works in collaboration with clients to support their infrastructure and data security needs for today and tomorrow.

Knownsec

Knownsec

Knownsec provides customers with cloud defense, cloud monitoring, and cloud mapping products and services with "AI + security big data" as the underlying capability.

Haiku

Haiku

Haiku stands at the forefront of cybersecurity upskilling, leveraging video games to immerse you in a flow state for accelerated, enduring learning.

Vivid Computing Solutions

Vivid Computing Solutions

At Vivid Computing Solutions we provide comprehensive solutions that keep your business running efficiently and securely.