5-6 SILICON VALLEY World Cyberspace Cooperation Summit IV NOVEMBER. World Cyberspace Cooperation EXECUTIVE!SUMMARY!

Transcription

1

2 READ MORE 5-6 ORGANIZED BY: PARTNERS: NOVEMBER World Cyberspace Cooperation Summit IV Learn more about EWI s cybersecurity work and read all our reports at Measuring the Cybersecurity Problem Building Trust in Cyberspace Cyber Detente Between the United States and China Priority International Communications The Internet Health Model for Cybersecurity Mobilizing for International Action Fighting Spam to Build Trust Critical Terminology Foundations Working Towards Rules for Governing Cyber Conflict Protecting the Digital Economy EXECUTIVESUMMARY SILICON VALLEY 2013 World Cyberspace Cooperation Summit IV cybersummit.info #cybersummit2013

3 EXECUTIVESUMMARY ByKARLFREDERICKRAUSCHER&ZHOUYONGLIN[ ] T he hacking issueisaserious'challengeforthefuturefriendshipandtheprosperityofchinaandtheunited States.Unlikesuperpowersbefore,history stwolargesteconomiesareintimatelyintertwinedandmutually reliantincyberspace.informationandcommunicationstechnologyict)ispervasivelyappliedtomedical care and social life, industry and trade, research and education, and law enforcement and national security, to nameafew.thetechnologiesthatchinaandtheunitedstatesarenowsoreliantuponarerapidlyadvancingin boththepowertheywieldandthecomplexitytheybring,thusmakingusmoreandmorevulnerable.chinaand theunitedstatesaremutuallyreliantuponictproductsthataremadebyeachother.whiletheu.s.hasaunique graspofthetechnologysupplychainwithitsresearchanddevelopmentleadershipincoresoftwareandhardware platforms,chinaiscatchingup.theyaresocloseintheirintegratedrelianceoneachother,thateachcaneasily doharmtotheother 'devastatingharm.unfortunately,inthepastyears,chinaandtheu.s.haveseenthetrust in their relationship suffer. The current situation is thus one of growing instability for China and the U.S. with regardtocybersecurity. Arisingfromavarietyofmotivations,includingcrime,politicsandcuriosity,agrowingnumberofharmfulactivities areconductedinthecyberspacewearesomuchrelyingupon.suchharmfulhackingthreatensthesafetyand prosperityoftheworld.fromapurenumbersperspective,thenetworksofchinaandtheu.s.havemanyinternet Protocol IP) addresses, and thus have many potential sources of malicious activity, as well as many potential targets. Among all written and spoken words on the subject, the suspicions and blames have taken on the strongestvoicefortherelationshipofchinaandtheu.s.yetweknowthatsuchanapproachcanneversolvesuch difficult problems. On the contrary, such accusations and arguments have fueled escalations so that the relationshipisnowstrained,makingevenroutinedialogueapprehensive,ratherthancomfortableandconfident. PresidentsObamaandXihaveplacedcybersecurityontheirbilateralagenda,andfrontandcenterisdamaging hacking. 1 Theproblemsincludetheexfiltrationofcommerciallysensitivedata,accessintooperationsofcritical infrastructure and national security assets, the militarization of cyberspace, unequal scrutiny of behaviors in cyberspaceandthedependenceontheother ssystemsinitscriticalinfrastructures.thejointproblemstatement wasagreedas: 2 ForChinaandtheUnitedStates,thefollowingareunacceptable:i)theperceivedcorebeliefsofeachother for what is permissible behavior in cyberspace, ii) the proliferation of compromises being made to each other sassetsincyberspace,andiii)theunsettleddispositionsofidentifiedincidentsofcompromisesthat haveaffectedeachother sassets. PRACTICALMEASURESTOSTEMHARMFULHACKING 1 1 Remarks'by'President'Obama'and'President'Xi'Jinping'of'the'People's'Republic'of'China'After'Bilateral'Meeting,SunnylandsRetreat,Rancho Mirage,California,8June Section2.2,Problem'Description.

4 PRACTICALMEASURESTOSTEMHARMFULHACKING 2 Whatiscommonisthatneithersideiscomfortablewiththepoliciesandpracticesoftheother.Bothsidesalso recognizethatharmfulhackingisnotachinaeu.s.issue,asitisanissuenowfortheworld. This report was prepared to help these two countries get out of this predicament. This report was prepared throughtheagilityofatrack2bilateralapproach,withtheinsightsofover150volunteersubjectmatterexperts with profound experience and knowledge of policy, technology, business and law, as relevant to cybersecurity. FacilitatedbytheInternetSocietyofChinaISC)andtheEastWestInstituteEWI)thisresearchreportanswerstwo questions: 1. How'do'we'build'trust'between'China'and'the'U.S.'in'cyberspace?' 2. What'practical'countermeasures'can'we'take'to'improve'the'safety'of'cyberspace?'' ThisreportsubmitstenimmediatelyactionableRecommendations,whichifimplemented,willestablishpractical conversationsandrelationshipsthatcanslowtherateofdestabilizationaroundthissubject,and,withcontinued applicationthenreversethetrend sdirectiontoonethatisfavorablesection4). Together,thefirstfourrecommendationssupportaTotalTrustManagementTTM)systemthatassuresareliable assessmentfigure1).withthissysteminplace,genuinetrustcanthriveandeachpartycanhaveconfidencein theirassessment.thissystemwillalsodetectwheneitherpartyisdemonstratingbehaviorthatisnottrustworthy, and likewise enable a party to have confidence in its judgment that there is insufficient evidence that their interestsarebeingprotected. The TTM system is equally applicable for a wide range of topics, including international cooperation in fighting crime, international cooperation in tracking down malicious hackers, protection of humanitarian interests, protection of commercial intellectual property and norms of behavior in cyberspace. The first set of recommendationscanbesummarizedas: RecommendationNo.1Stated&Policy Thefirststeptobuildingtrustissettingexpectations.Thisfirstrecommendationcallsongovernments, businessesandotherorganizationstostateclearlytheirinterestsandpracticesincyberspace. RecommendationNo.2Policy&Deployment Oncepolicyisstated,thesecondstepinbuildingtrustcanbegin:movingfromwordstoactions.This recommendationcallsongovernments,businessesandotherorganizationstodeploythepoliciesthey espouse.

5 Can we trust what is done? Can we trust what is said? I. Stated Policy II. Policy Deployment III. Performance Evaluation Can we trust what is seen? IV. Corrective Action Can we trust the response? KARL%FREDERICK%RAUSCHER%%2013% Figure1.TotalTrust ManagementModel, withtrustquestions. RecommendationNo.3Performance&Measurement Once policy is stated and deployed, then the third step in building trust can begin: engaging stakeholderswhoperceiveanapparentfailureinpolicyoritsdeployment.thisrecommendationcalls forcooperationinanalyzingincidentsoffailedpolicyoritsdeployment. RecommendationNo.4Corrective&Action The response to failures in stated policy or its deployment are a key indicator of an organziation s trustworthiness,whetheritbeagovenementagency,abusiness,orotherwise.correctiveactionsare tangiblewaysthatshowseriouscommitmenttostatedpolicy. 3 Each party is evaluated based on adherence to its stated policy and plan of action. 4 If implemented, these recommendationswillcleartheair.stakeholderswillhaveconfidenceineachotherbasedontheirobservations from a pattern of what is said, done and seen. This cycle of meaningful dialogue and engagement will in turn producetangibleprogressatvariouslevelsinconfidencebuildingandriskreduction,withtheaimofproducingan upwardspiralofreinforcingcooperationandtrust. Thesimpletruthisthattheessential asks inthesefirstfourrecommendationsareactuallyquitebasic.yetthe presentdaychinaeu.s.crisisoverhackingisevidenceofhowthesebasicshavebeenneglected.intheunfortunate casewhereeitheroneorbothsidesisunwillingtocommittothesebasics,discussionsonmoreadvancedsubjects canbedelusional;givingafalsesenseofsafetyforwhichthereisnofoundation.thusthettmsystemcanhelp inform both parties and stakeholders of a status of good health, improving health, deteriorating health or bad health.thettmsystemisanalternativetobrinkmanship,i.e.deteriorationofconfidencethatisreinforcedbythe negativecycleofnonecooperationandmisinformation. An element of the analysis was the Landscape of Interests in Cyberspace framework, which enabled focused analysis of three primary interests, and their interactions Figure 2, Section 2.4.1, Landscape' of' Interests). By examining the interests, we categorize the information systems into 7 groups. Different groups have different involvementwithcybersecurity.onemajorconclusionfromthisanalysisisagreementthathumanitarianassetsin cyberspacedeservespecialprotection.asecondmajorconclusionisthatgovernments,businesses,andother entitieswithnationalsecuritymissionsshouldacknowledgethehigherriskcreatedwhenconductinginternational espionage. PRACTICALMEASURESTOSTEMHARMFULHACKING 3 3 i.e.,recommendationno.4,corrective'action,anticipatesregularneedstoadjuststatedpolicyandpolicydeploymentplans. 4 Atitscore,theTTMsystemdescribedaboveisanempiricalmethodofarrivingatthetruth,butonethatallowsforhumanimperfectionsalong theway.

6 Security Humanitarian Universe of Interests Figure3. Landscape ofinterests in Commercial KARL%FREDERICK%RAUSCHER%%2013% Figure2.Landscape ofinterestsincyberspace. 5 PRACTICALMEASURESTOSTEMHARMFULHACKING 4 Cyberspace. 5 AnotherelementoftheanalysiswastheModelofHarmfulHackingandDefenseseeFigure3,page5),which suggeststhekindsofcountermeasuresthatcanaddressattacksandimprovesecurity. Basedontheaboveanalysis,anothersixrecommendationsweredevelopedtoprovideadditionalguidancethat complimentsthefirstsetofrecommendationsbyemphasizingspecificcriticalareasrequiringspecialattention: RecommendationNo.5 Separate&Critical&Humanitarian&Assets Thisrecommendationcallsforqualifiedhumanitarianentitiestoarticulatetheirinterestsandtoseek separationoftheirassetsincyberspace. RecommendationNo.6 De:Clutter&Espionage&Expectations Thisrecommendationacknowledgestheexpectationthatnationalsecurityeorientedassets,becauseof their potential for hostility, are elevated as targets for espionage by foreign interests. This factor suggests a differentiation between incidents experienced by national security interests and other entities. RecommendationNo.7 Summon&a&Roundtable&of&Subject&Matter&Experts Thisrecommendationcallsonworldeclasssubjectmatterexpertsfrombothcountriestocreateanew modeofcollaboration,andasaresourceforobjectiveanalysisandassessment. RecommendationNo.8 Continuous&Approach&Status&Indicator Thisrecommendationcallsforaprovisionalcapabilitytomonitor,assessandreportonthestatusof eachofthesecrucialcomponents.itwillprovideareliable,independentassessmentofthehealthof thedialogueandcooperation. RecommendationNo.9 Prepare&Sufficiently,&React&Quickly&and&Summarize&Seriously. This recommendation calls for transformation of the harmful hacking responses from one that is primarilyreactivetoonethatisproeactive,andincludessettinggoalsthatdefinesufficientpreparation andresponse. 5 Rauscher,KarlFrederick,Written'Statement'for'the'United'States'Congress'House'Committee'on'Foreign'Affairs,'Hearing'on' Asia:'The'Cyber' Security'Battleground,23July2013.

7 Defense Phase Preparation Responding Follow-up Make policy to Continuously remove First, recover normal encourage good and resources that can be business operations; punish bad actions; used by hackers; Investigate and punish Deploy resources to Monitor attacks and the bad actors; Task build defense capability; abnormal behaviors; Learn from each Remove the possibility Send warnings and alerts incident to improve for abuse of internal and stop the attacks preparation and resources and functions quickly. response. Hacking Task Make the [im]moral choice to hack; Prepare the attack techniques; Evaluate benefits and risks. Carry out the attacks to take down the target, steal data, commit fraud, etc. Use multiple network and server hops; Erase hacking tracks. Phase Preparation Implementation Escape Figure3.ModelofHarmfulHackingandDefense. RecommendationNo.10Launch&Parallel&Bilateral&Collaboration&on&Government&and&Industry&Levels& This recommendation calls for industry level collaboration to supplement the new cooperation undertakenatthegovernmentallevel.industrytechnicalexpertiseandbusinessinsightsarerequired tocombattheharmfulhackingthatisoutofcontrol. ThisreportalsopresentsvoluntaryBestPractices,whichprovidecomplimentarysupporttotheRecommendations Section 5). The Best Practices development was informed by the Eight Ingredient Framework and intrinsic vulnerabilityanalysissection2.5.2)andthelifecycleofahacksection2.5.3).bestpracticeexamplesincludethe following: Thisbilateralreportcanbesummarizedstatisticallyasfollows: 1 Commonpurposetoreversethehackingthatisharmingourcountries 2 Thenumberinaseriesofbilateralreports 6 10 Recommendations >50 KeyObservationsfromanalyses >50 VoluntaryBestPractices PRACTICALMEASURESTOSTEMHARMFULHACKING 5 >150 Contributingsubjectmatterexpertsandstakeholders >2,000 Yearsofcombinedexperienceofcontributingexpertsandstakeholders >100,000 Analysispointswithdeterminationsmade 6 Rauscher,KarlFrederick,Zhou,Yonglin,ChinaRU.S.'Bilateral'on'Cybersecurity:''Fighting'Spam'to'Build'Trust,EastWestInstituteandInternet SocietyofChina:2011.

8 6 PRACTICALMEASURESTOSTEMHARMFULHACKING Thisreportisnotatypicalpolicypaper,norareitsideas inthesky.rather,itisadocumentthatincludesthe practical, downtoearth guidanceessentialforsolvingtheharmfulhackingproblem.thecharacterofthisreport maybemorelikenedtothatofamusicalscoreforasymphonyorchestra,wheredistinctcontributionsarecalled forfromadiverserangeoftalents;ifeachperformsinharmonywiththeother,theresultsareawesome.those whocareaboutthecyberrelationship,andthosewhocareaboutthesecurityandprosperityofthecyberspace, areencouragedtoreadandreferencethisreport. NotefromtheAuthors We'are'deeply'appreciative'of'the'many'subject'matter'experts'who'have' contributed'to'this'report.'please'see'their'names'in'the'full'report,'to'be' published'at'

9 World Cyberspace Cooperation Summit IV SILICON VALLEY 2013 cybersummit.info #cybersummit2013 This report indicates that China and the U.S. can make joint efforts for a safe and secure cyber space. I support concrete actions like this." CAI Mingzhao While the U.S and China may approach cyberspace from different political and cultural vantage points, both nations have a fundamental stake in an Internet that is secure and trustworthy. This report frames a way forward that builds trust in a deliberate and verifiable manner. ORGANIZED BY: PRACTICALMEASURESTOSTEMHARMFULHACKING 7 Michael Chertoff PARTNERS: