ARF Workshop on cyber capacity building; Beijing, China; July 28, 2015;
Michele Markoff remarks for panel session on “Developments of Cyberspace and Emerging Challenges”
- Thank you for the opportunity to discuss developments of cyberspace and emerging challenges.
- Since our last ARF workshop on cyber issues, in Malaysia last year, we have seen an increasing variety of cyber threats and incidents. We have also continued to make progress in our international community’s approach to address these concerns.
- First, I’d like to briefly address the U.S. perspective on recent cyber incidents and trends.
Incidents and trends
- We all face increasing risks from state and non-state actors that conduct malicious cyber activity for unacceptable ends, including stealing trade secrets or personal information for commercial or financial gain, interfering with the exercise of freedom of expression, and intentionally damaging critical infrastructure. North Korea’s cyber attack on Sony Pictures Entertainment demonstrated the potential coercive effects of such activity. The recent targeted distributed denial of service attack against the code-sharing website Github and other cloud-based services highlights a new and worrying trend of cyber capabilities being used from abroad, which can have a negative impact on the enjoyment of freedom of expression within another country – in this instance, the United States.
- We are all increasingly dependent on networked information systems for the daily functioning of our societies. With that dependency has come increasing concern about new and existing vulnerabilities, the exploitation of which can make individuals targets of criminal actors operating on the Internet, and can now affect whole populations through threats to cyber- enabled infrastructures. These threats, we believe, can constitute threats to national security.
- As the U.S. Director of National Intelligence recently noted, the “likelihood of a catastrophic attack from any particular actor is remote at this time,” we are likely to see “an ongoing series of low-to-moderate level cyber attacks from a variety of sources” that will, over time, “impose costs on U.S. economic competitiveness and national security.” Given the global, interconnected nature of cyberspace, these threats and potential costs are not unique to the United States but are relevant and should be of concern to the international community as a whole.
- These issues are being addressed in a wide variety of venues, including technical standards groups and other multistakeholder organizations looking at how to strengthen the security of the Internet’s architecture. We proceed from the perspective that the Internet and its associated networks are neither owned nor controlled by States. Rather than trying to regulate or control it, we view the role of states as one of many stewards – that is, caretakers, who work with all other stakeholders to ensure that this resource is available to all to reap positive benefits and rewards. This inclusive concept forms the basis for the multi stakeholder process and reflects the reality of how the Internet functions today.
Role of states / International cyber stability / norms
- As one of these stewards, States must recognize our role(s) and focus our work on potential “value-add” contributions. In that respect, we recognize that States do have a well-established and important role to play with regard to facilitating transnational cooperation and seeking to prevent conflict and promote international stability. This role extends to the security of networked information systems.
- In this regard, the United States believes that the international community must work toward a framework of strategic international cyber stability: a more peaceful environment where all states are able to positively exploit the benefits of cyberspace and where there are benefits to cooperation and avoiding conflict and little incentive for states to disrupt or attack one another.
- There are two pillars to our approach: the development of international consensus on norms and principles of responsible state behavior in cyberspace and the development and implementation of practical cyber confidence building measures.
- We continue to make great strides in deepening common understandings around the application of international law to state behavior in cyberspace. The 2013 UN GGE report was a landmark achievement which affirmed the applicability of existing international law, including the UN charter, to state conduct in cyberspace. The recently concluded 2014-2015 GGE also resulted in consensus. The group made progress on issues related to international law: affirming the applicability of the inherent right to self-defense as recognized in Article 51 of the Charter, and noting the law of armed conflict’s fundamental principles of humanity, necessity, proportionality, and distinction.
- We also made important progress in building consensus on norms and principles of responsible state behavior in cyberspace. The 2015 report’s most significant achievement was its recommendations for voluntary norms of State behavior designed for peacetime. These included several concepts championed by the United States, such as the protection of critical infrastructure, the protection of computer incident response teams, and cooperation between States in responding to appropriate requests in mitigating malicious cyber activity emanating from their territory. Another important norm calls on States to seek to prevent the proliferation of cyber tools that can be used for malicious purposes. All of these measures, if observed, can contribute substantially to conflict prevention and stability in times of peace.
- These efforts do not conclude with this GGE round. We will continue to promote a broad consensus on how international law applies to State behavior in cyberspace wherever possible, engaging all receptive international partners. We will also continue to pursue an international consensus on a norm against State-sponsored cyber-enabled theft of intellectual property, trade secrets and other sensitive business information for commercial gain. This is a problem that predates cyberspace but has become much more acute because of the tremendous amounts of data that travel on networks or resides on servers. This activity, like some of the other issues addressed by the GGE’s recommended norms, also has the potential to rise to the level of a national security concern.
CBMs and ARF cyber work
- In addition to our work on norms, cyber CBMs have the potential to contribute substantially to international cyber stability. CBMs have been used for decades to build confidence, reduce risk and increase transparency in other areas of transnational concern. In order to develop the international framework for a technology which has no external observables and cannot not be seen, cannot be counted, and where state capabilities cannot be easily assessed, we need to develop some confidence that normal operating behavior by states is somewhat predictable. Otherwise, any activity in cyberspace could cause unintended reactions, miscalculation or misattribution – thus increasing risk of unintended conflict.
- Given the ARF’s objective to “make significant contributions to efforts towards confidence-building and preventative diplomacy in the Asia-Pacific region” (agreed in 1994), we believe that the ARF has an important role to play in the development of regional cyber CBMs – a critical component of this framework of international cyber stability.
- We are satisfied with the consensus that has been reached following many months of negotiation on the ARF Work Plan on Security of and in the use of Information and Communications Technologies (ICTs). We look forward to its finalization at the ARF Ministerial meeting taking place next week. We believe that this Work Plan emphasizes the issues of common concern in the region where there are opportunities to make constructive progress in regional stability.
- We are prepared to continue working with willing ARF partners in the development of regional cyber confidence building measures to reduce risk and promote regional stability – an area of clear and established regional interest. The ARF Work Plan provides us with a number of tasks to focus our future work. In particular, the recommendation to develop a regional contact group to facilitate policy and technical communication about transnational cyber incidents seems ripe for productive discussion and implementation. We are currently working with Singapore on the development of the agenda for the next ARF Cyber Confidence Building Measures workshop this October, where we will aim to make progress on this set of activities.
ARF cyber work and cyber capacity building
- This workshop today is focused on cyber capacity building, which is an incredibly important topic. We should all recognize that all ARF member states will need to have the capacity to implement the cyber CBMs we are hoping to develop. Because our CBMs are voluntary, their effective implementation depends on the efforts and capacity of individual member states. Therefore, we should support the area of cyber capacity building linked directly to the tasks laid out for us in the ARF ICT security work plan. We should recognize that this is an important and complementary area for our work and I welcome the discussion happening today.
- Several years ago, the United Nations General Assembly put forward a cyber self-assessment tool in UNGA resolution 64/211. This resolution recommended that States develop a basic set of cyber capabilities and responsibilities. Some of these include:
- An understanding of the state’s cybersecurity needs and strategies for addressing them;
- A clear identification of key stakeholders with a role in cybersecurity and critical information infrastructure protection;
- Mechanisms for public-private cooperation on cybersecurity as well as formal and informal venues for government-industry collaboration on policy development;
- Coordination mechanisms for cyber incident management and recovery;
- Updated procedural and substantive legal frameworks for combatting cybercrime; and
- Efforts to develop a culture of cybersecurity.
- As we look to implementing ARF regional cyber CBMs, ARF member states should also be encouraging each other to carry out such a self-assessment and implement recommended steps in this regard.
- The need for capacity building and exchange of expertise on cyber issues is rapidly becoming one of the most important topics on the international cyber agenda. We will continue to work with all willing partners to strengthen the international community’s ability to keep cyberspace open, interoperable, secure and reliable.
- Thanks again for the opportunity to speak today. As I have explained, we are all working at a formative time in the effort to promote international peace and security in cyberspace. The ARF plays a critical role in this global effort.