Cyberwar, Critical Network Protection Targeted in U.N. Talks

Russia is the proponent of the talks, a diplomat said. The U.S. was the only country to oppose the meetings, Cuba said in a letter to U.N. Secretary General Ban Ki-moon, but 178 countries supported the decision to hold the talks. The effort isn’t the first, said Marc Henauer, head of the Swiss government agency for critical network protection. The subject is very broad, he said, and there’s no silver bullet. U.S. executives and participants at an April 2008 disarmament workshop said Russia wanted a treaty to cover information security (CD April 25/08 p3).

Positions this week are likely already deadlocked. Countries filed preparatory statements with the U.N. secretary general for the private talks that continue through July. Cuba criticized the U.S. in a letter to the secretary general for conducting what it said is a broadcasting “war.” Terrorist elements use U.S.-sponsored broadcasts “to incite sabotage, political attacks and assassination,” Cuba said.

Cuba can’t access services on “many websites” from .cu domains, it said. The U.S. Office of Foreign Assets Control recently blocked .com domains related to Cuba. Microsoft discontinued Windows Live Messenger IM for Cuba and other countries because of the U.S. embargo, that country said. Cisco, SolidWorks and Symantec also deny access from the .cu domain name, it said, and Cuba is prevented from connecting to the fiber cables surrounding the country.

Cyberwarfare may soon become a usual factor in military operations, Brazil said in a letter to U.N., and terrorists may also use it. The international community should consider the possible need for disarmament and non-proliferation regimes and international law, the country said. A code of conduct may be needed for information weapons, Brazil said, and a guarantee that all countries have equal rights in protecting their homeland against cyberattacks.

Hostile cyberactions aren’t considered the same as conventional aggression under international law, Mali wrote the U.N. Countries could consider a cybermilitary operation as an aggression if the aim is to disrupt another country’s military facilities, destroy defensive and economic capacity or violate the country’s territorial sovereignty, Mali said.

Spain said the main terrorist threats are attacks against critical information systems or the Internet itself. The Internet can also be used for organizing and carrying out terrorist attacks and campaigns, Spain said. Harmonized legislation and international police cooperation is crucial for combating terrorist and other criminal groups on the Internet, the nation said. Countries should sign a convention similar to the International Convention for the Safety of Life at Sea to spur prosecution of Internet crimes, it said.

Military information technology operations are increasingly used as a substitute for destruction, electromagnetic jamming, physical intrusion or covert network control, Mali said. The threat of espionage, sabotage, foreign interference or political violence can be orchestrated by a foreign government or a terrorist group, the nation said. Tracing the origin of a cyberattack is “particularly difficult,” it said.

Draft ITU-T and International Organization for Standardization specifications may figure into solutions to some of the proposals, said Tony Rutkowski with Netmagic Associates. A voluntary global cybersecurity information exchange framework aims for trusted exchange of incident forensics, especially between national computer emergency response teams, Rutkowski said. The specs were developed in the National Institute of Standards and Technology, European Telecommunications Standards Institute, IETF, 3GPP, Liberty Alliance and others.

A similar group of governmental experts met in 2004 and 2005, but couldn’t agree on a final report. A Freedom of Information Act (FOIA) request by Warren Communications News, publisher of Communications Daily, to the U.K. did not result in any meeting documents used for the meetings. Two of our January 2009 FOIA requests to the U.S. State Department have not been fulfilled. The State Department didn’t reply to a request for information about this week’s meeting.

In April 2008, the former chairman of the group said Russia wanted a cyberspace code of conduct, not a “strict treaty” (CD April 28/08 p10). Soft legislation, a roadmap or rules-of-the-road could be used as a model, said Andrey Krutskikh, deputy director of the Department for Disarmament and Security Affairs in the Russian Ministry of Foreign Affairs. Krutskikh did not respond to a request for comment. -- Scott Billquist

U.N. Meeting Notes …

“A new supranational approach” is needed to help stem the rise in Internet-based crimes, Kazakhstan said in preparation for a U.N. meeting on information security. Kazakhstan noted a rise in computer attacks globally and from the Kazakh Internet community. Countries should create an international convention on information security that has combating cybercrime as a main focus, Kazakhstan said. ----

A new international agency is needed to assess and monitor problems in data and telecom protection, Mexico said in preparation for a U.N. meeting this week on information security. The agency should recommend solutions and raise awareness between governments, it said. Thailand wants a coordinating body to spur international cooperation. The body should set policies for joint actions to combat “inappropriate information,” security and prevention, the nation said. A coordinating mechanism is needed “to set the direction and policy” that will achieve national information security, it said.