The Global Commission on the Stability of Cyber Space (GCSC), set up by The Hague Center for Strategic Studies and East-West Institute (EWI) in March 2017, in the Munich Security Conference will shortly release its report on norms of responsible state behaviour in November 2019 (www.ewi.ngo). After several meetings in different parts of the world, engaging with multi-stakeholders, relying on the norms developed by the UN GGE, G7, G20, ISOC, IGF, Net-Mundial, and the previous Bildt Commission, GCSC will unveil its package of norms in order to ensure that the cyber-space is used for economic growth and development. State and non-state actors will be expected to follow these norms.

The proposed norms are as follows (cybersecurity.org):-

1. Norm to avoid tampering,
2. Norm against commandeering of ICT devices into botnets,
3. Norm for states to create a vulnerabilities equity process,
4. Norm to reduce and mitigate significant vulnerabilities,
5. Norm on basic cyber hygiene as foundational defense,
6. Norm against offensive cyber operations by non-state actors,
7. Call to protect the public core of the Internet,
8. Call to protect the electoral infrastructure.

All of these norms, and more have been discussed and proposed by many of the above noted fora, and individual companies like Microsoft, for keeping cyber space safe and secure. It’s well understood that norms are not enforceable, and that a treaty is far away. An example, often cited is that the UN Convention on the Law of the Sea (UNCLOS) Treaty was signed in 1994, though the sea as global commons was at the center of trade wars and military supremacy among powers of that era, for over three centuries. Nations and their traders and merchants required safe navigation not only from pirates and rogue armies, but also from the state powers. But then it was also an arena of military supremacy to control the world, establish colonies, plunder their riches to carry back to the European powers.

Cyber is only a few decades old! But the world cannot afford several decades, not to talk of centuries, to sign a global cyber treaty for economic growth and development, for minimising crime and surveillance through the rule of international law in cyber space. The norms need to be augmented by necessary instruments, however loose, even at this stage of norms creation. In my view, there are two points, which have a strong bearing on the safety and stability of cyber space, must be addressed in the norms. These are more in the nature of instruments that need to be created, along with the norms.

One: Attribution of cyber attacks, especially the ones which have the potential of causing major harm, including loss of life. And attribution has to be beyond doubt, acceptable to global community, through the neutrality and power of an international entity to be established for the purpose. This alone will have the power of giving some teeth to norms, in the form of using diplomatic toolbox of sanctions, and ‘naming and shaming’ the state and non-state actors. Else, the world would be caught in claims and counter claims of the United States (US) and North Korea witnessed in the case of attack on Sony Pictures. The escalation between the nations was avoidable if such an attribution entity existed.

Two: Trust in global Information and Communication Technologie (ICT) supply chain, or lack thereof, over the last few months has manifested itself in the 5G rollout ugly face, by linking cyber security with national security, leading to major trade issues, and attempts at dividing the world into the West-led, or China-led technology for 5G infrastructure rollout. It has been addressed as part of a paper on Technology Nationalism by the EWI – a global think tank – in its recently concluded cyber security roundtable on September 3-4, 2019 in Palo Alto.

All the six norms, and the calls to protect the core of the Internet and the electoral infrastructure are directed at the state and non-state actors. How effective can they be? These are expectations of good behaviour! States may try to comply with the norms or try to be seen to be doing so, but what about non-state actors? Most of those, who engage in cyber attacks are rogue groups, working for profit, or as mercenaries, or hiding under the garb of ‘political or religious causes’, unless, of course a state is the sponsor. States cannot control them. So, the norms should exclude non-state actors; these be confined to states only, with the expectation that they will act against non-state actors in their territories.

Physical world attacks, with abundantly visible evidence, can neither be prevented, nor culprits be brought to justice, even though rule of international laws is applicable. Any number of examples can be cited from recent happenings around the world. To expect them to comply with these cyber space norms, is an ostrich policy. More so, when states camouflage their acts of subversion of adversaries by using non-state actors. Examples are galore - China for spying, stealing Intellectual Property Rights (IPR) for economic gain, surveillance to control people; Russia, Iran, Pakistan and many others for attacks on critical information infrastructures (CII), and disrupting electoral processes; the West for surveillance for counter-terrorism and national security - Estonia, Georgia, Iran nuclear program, elections in the US, India, Germany, Brexit in the UK, and so on. The unleashing of Wannacry by non-state actors brought many hospitals, banks, rail ticketing systems to a halt, with demands for ransom-ware. While attack vectors were known, the attackers weren’t. It’s imperative that both the attacker, and the way vulnerabilities are exploited, be unearthed. Attribution and the vulnerability equity process, and cyber weapons, emerge as critical elements of norms enforceability.

Attribution to attackers, however requires irrefutable evidence that is acceptable to the international community. Microsoft proposal of setting up an International Attribution Center (IAC), comprised of private sector experts from different countries merits attention. Such an IAC can be under the oversight of governments. Its findings based on ICT forensic evidence, and context including geopolitical events, vetted by the oversight board may find acceptance by the international community. This could help in taking appropriate action against the rogue actors – state and non-state – as maybe agreed upon, for example, through a diplomatic toolbox such as the one being proposed by the European Union (EU). IAC may be seen as akin to the International Atomic Energy Agency (IAEA), which has to perform the task of identifying the nuclear fuel enrichment sites/programs in countries accused of, or thought to be, developing nuclear weapons.

That lack of trust in global supply chain, can be a major flashpoint was, and continues to be, all too visible in the now famous ‘5G and Huawei’ cyber security concerns raised by the US as they have played out in the global arena. 5G cyber security concerns are couched in national security garb, and that technology supremacy and a trade war likely are at the heart of the US decision to not allow Huawei in its 5G infrastructure rollout. In May 2019, the US government placed Huawei on the Commerce Department's Entity List, banning the tech company from buying critical parts it needs from US producers. While the current trade war between the US and China is underway, it's this brewing tech war that has the potential to reshape the world order. The US government is fuelling fears that Huawei, through its 5G networks, will engage in surveillance on behalf of the Chinese government. In an effort to shape the world order, the US has gone to the extent of using Cold War terms for the next generation networks that nations will be building. Secretary of State Mike Pompeo has struck a cautionary note to the world leaders arguing that the Internet, ".... has to be a system that has Western values embedded in it, with rule of law, property right protections, transparency, openness. It can’t be a system that is based on the principles of an authoritarian, Communist regime.” The world is sought to be divided between US-led or China-led 5G infrastructure!

The issues at stake are - race to supremacy in next gen technologies; US vs China, and reshaping the world order by raising the debate of trust in ICT supply chain to geopolitical and ‘values’ in the Internet; communist surveillance totalitarian values vs democracy, freedom of expression, rule of law, privacy, and more as per liberal traditions of the west. So, is it about trust in global supply chain? The EWI Technology Nationalism paper proposes some trust measures such as ‘self-attestation by industry or third-party assessment’ plus contractual clauses for procurement requirement. Huawei has offered to do so, but not found acceptable by the US. The paper also proposes ‘Global Regional Testing Centres’ based on mutually agreed testing criteria, objectives and methodology; process for testing organisations. But the question is how different will this be from Common Criteria (CC) Labs? Why CC Labs haven’t worked?

The CC focus is on security specs, not on whether a product is secure; it reviews documentation, but does not conduct source code inspection. However, where a vendor such as Microsoft offers source code inspection, does it enhance trust level in that particular product or the entire company? EWI paper has proposed ‘Transparency Centres’ where code inspection of larger companies like Microsoft, Kaspersky, Huawei, Cisco may be conducted by experts of governments with their own tools on vendor source code. Huawei’s Cyber Security Evaluation Centre (HCSC) is an example. In addition, declaratory Letter of Management/Board guaranteeing that no hidden or harmful functions are present in the ICT product, has also been proposed.

In this context, it’s worth reviewing the experience of Microsoft which offered Windows operating system (OS) source code, both to China and India. It requires creation of massive infrastructure with an army of operating system developers, recruiting and retaining them since new upgrades are released by Microsoft almost every day, given the discovery of new vulnerabilities, and development of patches to fix them. But then the patches could hide backdoors! So, it requires continuous testing by the national centre. India never took the offer, while China is reported to have set up such a centre! Did it help China increase trust in the Microsoft OS code? Did it also help China steal code and intellectual property rights (IPR)?

Yet another part of the EWI proposal is to establish the Global Conformance Program for product testing & certification with a global reach. EU cyber security certification network is in the works, and presents a good option.

Can these proposals work to enhance trust in supply chain?

In the context of 5G infrastructure rollout in different countries, Huawei has made all of these offers. But the US finds them unacceptable. Interestingly, the US also believes that the entire anti-virus suite of Kaspersky contains backdoors, and, therefore, it is forbidden from being deployed in the US government networks. So, is this a company trust issue, or a country trust issue? Way back in 2011, Microsoft policy paper on trust in global ICT supply chain had broken the trust issues into three levels - product, company, country. Recent actions by the US government all point to complete distrust at country level – China for Huawei in 5G rollout, Russia for Kaspersky in AV software deployment.

This view gets reinforced by rejection of more voluntary offers by Huawei. Thomas Friedman, in his Op-Ed in NYT on September 11, 2019, titled “Huawei has a proposal to help end the U.S.-China Trade War”, reports that he met Ren Zhengfei, Founder and CEO, Huawei, on latter’s invitation in Huawei headquarters in Shenzhen, and that in the interview Ren was “ready, for the first time, to license the entire Huawei 5G platform to any American company that wants to manufacture it and install it and operate it, completely independent of Huawei.” He quotes Ren as “open to sharing technologies and techniques with US companies, so that they can build up their own 5G industry ... that would create a balanced situation between China, the US and Europe ... American companies can also modify our 5G technologies to meet their security requirements ... (even) change the software code. In that case, the US will be assured of information security.” A company cannot go farther than this in trying to inspire trust in the ICT supply chain. Such a commitment more than fulfils the trust recommendations in the EWI report.

If the US Justice Department doesn’t accept this, then the ostensible cyber security and national security concerns will point only to trade war – global trade war in the realm of geopolitics. With Huawei in the Entity List, many US companies like Google, Microsoft, Intel, Qualcomm, Apple stand to lose since they can no longer do business with the former. Surely these companies want to know the truth, with proof and hard evidence from intelligence that Huawei has indeed planted backdoors. If none is forthcoming, will the US should take up Ren on his above offer?

Brad Smith, President, Microsoft, told Bloomberg Business Week that Huawei should not have been banned “without a sound basis in fact, logic, and the rule of law”. He expects more transparency from US authorities on the security concerns in Huawei products about what intelligence agencies know, as he said, “Great, show us what you know so we can decide for ourselves. That’s the way this country works,” (South China Morning Post – SCMP, September 9, 2019, “Trump’s blacklisting of Huawei is unfair and un-American, Microsoft president says - Microsoft’s Brad Smith warns Washington’s trade restrictions could expand beyond Huawei, threatening the US firm’s global competitiveness). After the ban, some 130 applications from US companies have been received by the authorities for sale to Huawei. Microsoft has stopped shipping Windows OS for laptops and content-related services to Huawei after Google stopped Android sales for new phones. All things point to trade war. Not a cyber security or national security concern! Will the news of China buying soy and other agricultural products from the US, as reported by the media on September 14, 2019, ease 5G and related technology sales between the US and Chinese companies?

In all this drama of cyber security and national security, distrust in global ICT supply chain appears to be distrust in a country. No matter what the ways of promoting trust at product or company levels through trust centres for source codes, or declaration by vendors or other measures proposed in the Technology Nationalism paper, country level trust is a geopolitical matter. Can the norms help matters? Anybody’s guess!

Earlier, on August 9, 2019 President Trump told reporters, "We're not going to do business with Huawei. We're not doing business with them ....that doesn't mean we won't agree to something if and when we make a trade deal.” Trump is clear that the US would not do business with Huawei, but that could change if there was a trade deal! 5G is not a national security, but a trade issue, and also perhaps a technology supremacy race.

Countries to make own technologies if global supply chain not trusted

Another conclusion that can be drawn from this distrust in supply chain is that countries will prefer to have own technologies, even though it may appear to be nearly impossible. Not everyone can have their own chips, operating systems, semi-conductors, encryption codes, search engines, social media, 5G phones/base stations/routers, cloud platforms and much more. But poles will emerge – US and China – around which countries will have to gravitate. How long will it take? Today, China produces only 16 percent of semi-conductors it consumes. It wants to be self-reliant in semi-conductors in a decade or so – 40 percent by 2020 and 70 percent by 2025 – along with other core ICT technologies as part of its Make in China 2025 project. West thinks it’s a declaration of its intent to dominate all emerging technologies to be a superpower in the tech world. Critics question whether it’s worthwhile, since as a manufacturing base it consumes more than half of world-wide production, which it then re-exports to the global markets. So, why try to be self reliant in one area, namely semi-conductors, since global market can or may become even more distrustful of China as a country because the products will then include nearly all components made in China! But China has a different take on this.

China believes that the US actions of putting Huawei on the Entity List have shown fault lines between the two economies, especially in the global supply chain which has exposed China’s dependence on American technology for key pillars of its economy. This threat is most evident in semi-conductors; Huawei can no longer buy chips from American companies like Intel and Qualcomm. The trade war has shown that the Trump administration is willing to block Chinese access to everything from software to semi-conductors and much more to contain China’s rise.

An article titled “Chinese Subway Car Maker Targeted Over U.S. Fears of ‘Spy Trains’” in New York Times of September 15, 2019, highlights that the manufacturing facilities of CRRC – a Chinese state-owned company - in Chicago and Boston has attracted the attention of US Congress amid “growing fears about China’s economic ambitions and its potential to track and spy on Americans.” A law is in making that will bar the company from competing for new contracts in the US, even though only bare steel cars will be manufactured in China, while rest of the wiring will be done in the plants in Chicago and Boston. How will these subway cars pose greater espionage threat than everything else that China makes and sells in the US, including laptops, phones and home appliances? So, is the fear really, as in the case of Huawei, about concerns regarding technological dominance by China’s authoritarian government? Distrust of a country in the global supply chain, which has no solution! No norm can work.

What can work to secure cyber space?

It’s time to have a relook at some of the Microsoft policy papers. I think these can provide more practical guidance. Digital Geneva Convention, Tech Accord among Global Technology companies, and IAC to govern states’ behaviour in cyber space have good pointers to a workable solution. Since it’s not possible to expect non-state actors to behave, this should be left to states to govern them in their respective territories, as is the case in physical space of all global commons, with the expectation that rule of international law will be the norm. I suggest the following for consideration. (https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.00018k1n01i3tfomwyo20tis4co2l)

1. States to refrain from attacking critical infrastructures such as hospitals, electric companies (impacting safety and security of citizens); systems whose destruction could damage global economy (e.g. int’l financial transactions), or otherwise cause major global destruction (cloud services); hacking personal accounts or private data held by journalists and private citizens involved in electoral processes; using ICT to steal IP of private companies and trade secrets for competitive advantage; inserting or requiring ‘backdoors’ in mass-market commercial technology products. (GCSC Norms include these)
2. States’ vulnerability equity process and cyber weapons; states must have a clear and open policy for acquiring, retaining, securing, using and reporting of vulnerabilities; on restraint in developing cyber weapons that are limited precise and not reusable with complete state control; to limit proliferation of cyber weapons; to limit engagement in cyber offensive operations to avoid creating damage to civilian infrastructure; to assist private sector to detect, respond, and recover in the face of cyber attacks, and enable response and recovery through CERTs. (GCSC Norms include these)
3. Technical accord among global technology companies, to protect people in cyberspace around five objectives. Global companies to pledge; GCSC Norms include these (https://dig.watch/sites/default/files/Policy-Paper-Industry-Accord.pdf) (https://blogs.microsoft.com/on-the-issues/2018/04/17/34-companies-stand-up-for-cybersecurity-with-a-tech-accord/):-
No assistance for offensive cyber operations; against infrastructure of any customer anywhere in the world; no assistance to adversely impact COTS;
1. Assistance to protect customers everywhere through patches etc; Collaboration to bolster first-response efforts through proactive efforts to defend against and to minimize the duration of such attacks;
2. Support governments’ response efforts to identify, prevent, detect, respond to, and recover from cyber incidents;
3. Coordinate to address vulnerabilities and security issues through coordinated way of reporting and handling of vulnerabilities;
4. Fighting the proliferation of vulnerabilities.

Incidentally, the Microsoft Cyber Tech Accord reached over 100 signatories by May 10, 2019. The question will, however, remain whether governments will have national security laws to force their own companies to install backdoors, overriding their commitment to the tech accord. (https://www.meritalk.com/articles/cybersecurity-tech-accord-reaches-100-signatories/)

4. International Cyberattack Attribution Organization to strengthen trust online (GCSC Norms don’t include this). Major cyber attacks appear to have been sponsored by the governments, but it’s the private computer security experts who know how to find and analyze the highly technical evidence, point to the need for IAC, “The world needs a new form of cyber defense – an organization that can receive all this evidence, analyze it, and credibly and publically identify bad actors, thus permitting governments to take further action.” (https://www.microsoft.com/en-us/cybersecurity/content-hub/an-attribution-organization-to-strengthen-trust-online):-
1. The attribution organization should be primarily made up of private sector experts in cyber forensics and related disciplines, who can analyse the technologies and techniques of a cyber attack;
2. Should have a mechanism to work with governments;
3. Independence, transparency, and diverse geographic representation will be essential. A robust peer review process will be required to ensure its findings are examined and confirmed by other cyber security experts. Data and findings to be shared with international community;
4. Focus must be attribution of major infrastructure attacks, not incident response or enforcement;
5. Primary purpose to identify and attribute state of state-sponsored cyber attacks and present technical evidence to governments, enterprises and the public. Only responsible for identification of attackers. Political and diplomatic responses will be left to the governments.

Trusted attribution organization is key to securing cyberspace, while technical accord among global companies can ensure no backdoors. States agreeing to norms of good behaviour that they will not sponsor attacks on Confederation of Indian Industry (CII), and will declare their vulnerability equity process so as to have global visibility into cyber weapons, will have a positive impact on stability of cyberspace. A Microsoft note, in the aftermath of the Munich Security Conference 2018, observed that “... the attribution of responsibility for cyber attacks, fundamentally underpins the concept of applying international law to cyberspace, if we cannot know who is responsible for a cyber attack we cannot hold them to account ... not having some kind of international, non-governmental platform focused on cyberspace (enabling best practice, exchanging information, examining the forensics around the attacks) will undermine future efforts to protect civilians in cyberspace.” (https://www.microsoft.com/en- us/cybersecurity/blog-hub/filling-the-gaps-in-international-law-is-essential-to-making-cyberspace-a-safer-place)

It’s interesting to note that a recent paper, “The Law & Politics of Cyber attack Attribution” by Kristen Eichensehr in University of California, Los Angeles (UCLA) Law Review, Vol. 67 (forthcoming 2020) written on September 15, 2019 makes a strong case for attribution of cyber attacks which “requires identifying those responsible for bad acts, prominently including states, and accurate attribution is a crucial predicate in contexts as diverse as criminal indictments, insurance coverage disputes, and cyber war.” It does debate issues related to institutional design for cyber attack attribution. It suggests that even if a centralized attribution centre is created, decentralized attribution activities should continue. (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3453804)

EWI’s effort of bringing Microsoft and Huawei – from two adversarial countries – on its platform for enhancing trust in cyberspace, over the last few years is noteworthy. Its seminal papers on global supply chain by making a list of standard security questions that must be put to all companies before deciding on buying products, rather than guesswork and relying on fears of threats and backdoors, puts cyber security in proper perspective. Technology Nationalism paper is a deep analysis of fears of threats in platforms that a country may have from another, or be driven to develop its own. Trust in supply chain has limitations because national security and trade issues obliterate it completely. So, attribution to attackers is a way to reduce fears of threat. Trade then will be governed by bilateral or plurilateral trade concerns of nations, not by fears of spying.

Conclusion

Recent events around 5G and Huawei have clearly brought to the fore the race for technological supremacy, and advancing trade war in the name of national security. While no cyber security concerns, in the form of identified backdoors in Huawei products, have been made public, whipping of Huawei has been raised to a frenzy by the US government and some of its allies. The norm of trust in global supply chain through technology testing centres, examining source codes for backdoors does not seem to find any consideration. It’s a trust issue of a country, not a company or its products. Threat of espionage and surveillance of whole nations has taken centre stage in the discourse. From cyber, it moves to national security, to trade issues. Entire companies are banned from operating in the US, nor trading is permitted with the US companies. Retaliatory action by China is no less. Companies like Microsoft, Apple, Google, Qualcomm, Intel are feeling the pressure. US is bringing laws even to ban buying of subway cars from a Chinese company. China is getting ready with similar laws in the name of cyber security.

What’s at the heart of cyberspace threats or fears of attacks? That nation states will attack others directly or through non-state actors. All of these are known to have plausible deniability, because evidence is never acceptable to attackers. Attribution is, therefore, the key issue. It’s precisely this that the Microsoft proposal of IAC addresses. An international attribution centre, comprised of private sector experts, under the oversight of governments, to collect and analyse evidence involved in attacks – serious cyber attacks – to present definitive attribution to attackers. Nation states and/or non-state actors patronised by them to carry out the attacks should then be dealt with in accordance with the diplomatic toolbox that the agreed norms may prescribe; better still under the rules of international law.

Global companies to sign a technical accord as noted above. No installation of backdoors, no proliferation of vulnerabilities, immediate release of patches, irrespective of any pressures of any country’s government. The companies will provide all support immediately to victims to contain the damage of any attacks in any country. This is easy to achieve, since the global ICT companies stand to benefit from such an accord. That over 100 companies have already signed shows their intent to do business in all countries, without being pressurised by any government.

While it’ll be good to have trust in global supply chain, as noted above it’ll be hard to come by, because the trust issues in products and companies get elevated to trade issues in the name of national security, even if global companies agree to get their products and codes reviewed and tested by global testing centres. It gets raised to distrust in a country, with advocacy for US-led or China-led technology rollout. 5G is just the beginning. More will follow: clouds platforms, Internet of Things (IoT), encryption, AI and ML, quantum computing and so on. Retaliatory actions will not remain confined to ICT only; they will spill over to all areas.

A way to trust global supply chain has to be found. Nations have to agree to norms that include this; but the other side of this coin of trust will have to be attribution. If attribution to attackers is found by IAC, and evidence points to backdoors installed in a product by a company – on its own volition or under pressure of a government – international action against the company or nation should be the only way forward.

Does a country like India have a choice to choose a bloc to align with? Or should it attempt to build some of the platforms itself by encouraging start-ups, and investing in R&D? With our market size, increasing Internet penetration, and focus on digital economy, this option has to be supported by government policies, at least in a few niche areas. It may be noted though that in semi-conductors, R&D investments are huge and chances of failure are equally huge. An expert in China noted that the country’s current expenditure level was a drop in the ocean compared with global industry leaders like Intel, which spends US$13 billion a year on R&D. That compares with the 140 billion Yuan (US$19.5 billion) in the 13th Five-Year Plan that runs through 2016 to 2020 and the 200 billion Yuan that the state-backed China Integrated Circuit Industry Investment Fund is raising. “Without matching the investment levels, it’s hard to believe we can close the gap in technology,” says Xie, former Vice President, Semi-conductor Manufacturing International Corporation, headquartered in Shanghai.

So, the choices for R&D and start-ups for indigenous development of technology, if any, have to be wisely made by the industry and the government working closely.

(Dr. Kamlesh Bajaj was the Founder CEO, DSCI; and Founder Director, CERT-In. He is a Distinguished Fellow at East West Institute, a global think tank and Adjunct Professor, NIIT University, Neemrana)

(The paper is the author’s individual scholastic articulation. The author certifies that the article/paper is original in content, unpublished and it has not been submitted for publication/web upload elsewhere, and that the facts and figures quoted are duly referenced, as needed, and are believed to be correct). (The paper does not necessarily represent the organisational stance... More >>

---

Image Source: https://consoltech.com/wp-content/uploads/2018/07/cybersecurity-for-the-enterprise.jpg