What is cyber diplomacy?

What is cyber diplomacy?

Cyber diplomacy is the art, the science, and the means by which nations, groups, or individuals conduct their affairs in cyberspace, in ways to safeguard their interests and promote their political, economic, cultural or scientific relations, while maintaining peaceful relationships.

Cyber diplomacy involves the use of diplomatic tools and initiatives to achieve objectives in the complex and continuously evolving uncharted territory of cyberspace, as described in the national strategy for cyberspace. States use the shared and accepted rules, protocols, and behaviours, to facilitate interactions between global actors of the public and the private sector.

Cyber diplomacy must minimize the consequences of cyber aggression, cyber-attacks to the critical infrastructure, data breaches, cybercrime, cyber espionage, online theft, and offensive cyber operations carried out by state or non-state actors. Because of the nature of cyberspace, it is important to engage in cyber diplomacy rather than exclusively rely on cyber defense.

State and non-state actors are increasingly using cyberspace and the Internet for manipulation, disruption, fraud, extortion, data-theft, and money-laundering. Cyber-attacks like WannaCry harmed over 200.000 computers in 150 countries world-wide, and cost an estimated $4 billion.

The Internet has become an arena for geopolitical battles and the spread of disinformation. The political dimension is also important, as we have seen time and again in the US elections, the cyber-attacks against the Macron campaign, the German Bundestag and other parliaments and ministries.

The Paris Call for Trust and Security in Cyberspace

The Paris Call for Trust and Security in Cyberspace, launched on 12 November 2018 during the Paris Peace Forum, deals with emerging and insufficiently regulated cyber challenges. States, businesses (including Microsoft, Kaspersky, Siemens, Google, Facebook), professional associations and civil society organizations discuss to find solutions for the regulation in cyberspace, the practicability of international law, and the responsible behaviour of States.

11/11/2021 - The European Union and the United States have joined the Paris Call. Their decision will strengthen the Call and enable it to go further in the defence of stability in cyberspace.

The Paris Call for Trust and Security in Cyberspace: https://www.diplomatie.gouv.fr/en/french-foreign-policy/united-nations/multilateralism-a-principle-of-action-for-france/alliance-for-multilateralism/article/paris-call-for-trust-and-security-in-cyberspace

The 9 principles - The Paris Call for Trust and Security in Cyberspace

1. Protect individuals and infrastructure

Prevent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure.

Emergency services: the European Emergency Number Association provides cybersecurity guidelines to ensure the safety of citizens

Recent cyberattacks around the world, including against hospitals, remind us about the need to be better prepared. Public safety organizations are not exempt from these ever-evolving cyber risks. When emergency call centers suffer cyberattacks, interference with first response from rescue organizations can result in the death of individuals.

The European Emergency Number Association (EENA) believes that, for the safety of citizens, it is essential to ensure public safety services remain uninterrupted. To protect critical infrastructure and sensitive information, emergency services must implement appropriate and effective safeguards.

After the WannaCry ransomware attacks in 2017, EENA launched its Cybersecurity Working Group to help share best practices and develop a set of concrete, specific recommendations for emergency response organisations. The group held a dedicated webinar and published cybersecurity guidelines. The importance of this issue has been highlighted at the annual EENA Conference for several years and during the EENA Members Workshop 2018. Recommendations include the need to include cybersecurity as part of general risk assessment, train employees, implement technological solutions, and perform vulnerability tests and cyber incident exercises.

2. Protect the Internet

Prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.

Protecting the Domain Name System: French company Nameshield ensures identity integrity and resilience

Protecting the availability and the integrity of the public core of the Internet requires close cooperation between different types of actors, including non-profit organization ICANN (Internet Corporation for Assigned Names and Numbers) and private companies such as Nameshield. An independent French company, Nameshield ensures identity integrity and resilience on the Internet with its own caste-based, resilient DNS infrastructures.

Cornerstone of the Web, the Domain Name System (DNS) serves as the Internet directory. This protocol translates a domain name into an IP address, based on a database distributed on thousands of machines. If the DNS falls because of data corruption or a denial of service attack, websites and emails become inaccessible.

It is crucial to guarantee the protection and availability of DNS. A new protocol, DNSSEC, has thus been developed with the support of ICANN to address vulnerabilities in the DNS. Other solutions can help ensure identity resilience, such as Registry Lock or SSL certificates. By protecting data on domain name identity cards and providing a high availability service, Nameshield contributes to the second principle of the Paris Call and protects the public core of the Internet.

3. Defend electoral processes

Strengthen our capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities.

Protecting the integrity of democratic elections: The Transatlantic Commission on Election Integrity (TCEI) helps advancing solutions

Election interference is a major threat to the universal right of people to take part in the democratic process. Still, democratic governments and technology companies around the world are scrambling to meet the challenges of the latest election meddling tactics and technologies. This is a global phenomenon, with instances of election interference seen in countries from Mexico to North-Macedonia, Ukraine to Kenya, Taiwan to Turkey.

Yet, attacks and coordinated manipulation are no longer coming from foreign malign powers alone: increasingly, the cross-border disinformation playbook is used by domestic actors trying to sow division and polarization in both authoritarian and democratic contexts.

The TCEI brings together committed and eminent persons from different backgrounds with one shared goal: to ensure people decide freely, based on independent information, who should represent them. Transatlantic and bipartisan in nature, the TCEI seeks to share best practice between decision-makers and institutions across the democratic world, raise public awareness about the risks of interference while applying on the ground new models and technologies to empower civil society and governments to defend democracy. The TCEI is an initiative of the Alliance of Democracies Foundation founded by Anders Fogh Rasmussen in 2017.

4. Defend intellectual property

Prevent ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sector.

Protecting software distributed under open source licenses: the Linux Foundation supports communities that share their knowledge

In a world whose dynamics are based on sharing of knowledge, the free software model and the application of free software licenses become increasingly important. Open source software is equipped with legal tools such as copyleft to frame the involvement on a cooperative basis and a reciprocal gift-giving logic, to produce highly performing software and to prevent private appropriation of codes or theft of intellectual property, since what is voluntarily shared cannot be re-appropriated.

The open source software model offers a way to reconcile private individual interest and collective efficiency: it is not a question of abandoning intellectual authorship, but to allow reuse of the free software created under the condition that any new version can also circulate freely. Hence intellectual property shared under such licenses spreads more quickly in the industrial fabric and benefits from network effects, which support the push for creating standards that evolve around it and its promoters.

With over 1,000 corporate members worldwide, The Linux Foundation provides strong support to open source communities through financial and intellectual resources, infrastructure, services, events, and training. Working together, the Linux Foundation and its projects form one of the most ambitious and successful investments in the creation of shared technology: the collective value of the code in Linux Foundation projects is estimated at roughly US$16 billion.

5. Non-proliferation

Develop ways to prevent the proliferation of malicious software and practices intended to cause harm.

Fighting malware at the roots: YesWeHack organises Bug Bounty programmes to disclose and correct vulnerabilities before malicious tools get in

Bug Bounty programmes reward individuals who report security vulnerabilities. Participants who discover insufficiencies in hardware or software report to the organising entity (“the vendor”) so that corrective measures can be taken.

By bridging the gap between vulnerability discoverers and vendors, Bug Bounty programmes allow the structuration of a Coordinated Vulnerability Disclosure (CVD) process. It prevents state and non-state actors from stockpiling vulnerabilities and limits the development of vulnerability-oriented black markets. In turn, it curbs the proliferation of malicious ICT practices and tools which feed on vulnerabilities.

YesWeHack, Europe’s Bug Bounty leader, promotes proactive vulnerability disclosure by organising public and private Bug Bounty programmes. It also offers such programmes to NGOs and civic tech associations to improve the security of their infrastructures. By mobilising a community of ethical hackers and contributing to a harmonious CVD approach, YesWeHack limits entry points available to malicious ICT tools.

6. Lifecycle security

Strengthen the security of digital processes, products and services, throughout their lifecycle and supply chain.

ICT/OT supply chain integrity: Carnegie Endowment for International Peace presents government and corporations with recommendations

The Carnegie Endowment has released a report on ICT supply chain integrity authored by Ariel E. Levite. It calls for urgent action to arrest the current trends undermining trust in digital products and services and fracturing the global ICT supply chain.

Strengthening the security of digital products and services throughout their supply chain is a key principle of the Paris Call as malicious actors can threaten governments, industry and individuals by attacking the weakest point on the chain, with negative consequences in terms of geopolitics, espionage, trade, and consumer protection. Cooperative efforts are needed to restore confidence in the integrity of supply chains.

In particular, the new report underscores the importance of complimentary governmental and corporate actions to enhance the integrity of the ICT/OT supply chain through a combination of commission and omission, elaborating on practical obligations both should undertake toward that end. It sets up comprehensive objective criteria for qualification of Trustworthy Suppliers, and proposes mechanisms to verify compliance with the trustworthiness criteria and an incentive structure to reward those who assume and fulfill their commitments.

7. Cyber hygiene

Support efforts to strengthen an advanced cyber hygiene for all actors.

Seguros en la red: the Equatorian Cybersecurity Association promotes cyber hygiene to kids in Ecuador

Children and adolescents study, play and interact for hours online. But like every new world to discover, the cyberspace presents a series of risks that they need to know about.

The Ecuadorian Cybersecurity Association (AECI) launched the “Seguros en la Red” (“Secure on the net”) project to teach children about responsible use of ICTs and associated risks. AECI created playful characters, who give girls and boys a minimum level of education in order to nurture, foster and promote a culture of digital security. Named “Cyber” and “Alerto”, these fictional characters introduce children to cyberspace with its resources and opportunities but also its dangers.

Awareness, culture and prevention are the three pillars around which AECI aims at creating an ecosystem of digital security programs, in conjunction with educational institutions, public and private organizations.

8. No private hack back

Take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors.

Hack-back, active defense, and countermeasures: the Cybersecurity Tech Accord starts a conversation on definitions and best practices

As the frequency and severity of global cyber threats grow, defenders are investing in new and innovative techniques to protect themselves. However, not all measures being developed are purely defensive: increasingly talk has been around more intrusive “active defense” techniques – with hack back the most prominent example.

The Cybersecurity Tech Accord signatories strongly supported the decision to include Principle 8 in the Paris Call, which rightly introduces a general prevention on hacking back for non-state actors. However, this is an area fraught with ambiguity, and they believe further elaboration is needed to set clear boundaries around intent, authority, and intrusiveness before government and private actors can implement it.

It is particularly critical to ensure the prohibition does not capture positive cybersecurity techniques, such as penetration testing. To this end, the Tech Accord signatories are committed to working together to support effective implementation of the Paris Call principle on hack back, including by highlighting potential definitions and best practices.

They will start the discussions with a meeting at the Internet Governance Forum in Berlin, where they hope to gather views of not just industry, but civil society on this critical topic. Organizations interested in participating in this effort can send an email to info@cybertechaccord.org.

9. International norms

Promote the widespread acceptance and implementation of international norms of responsible behavior as well as confidence-building measures in cyberspace.

Selecting a contact point (POC) in each State to exchange information on ICT-related incidents: along with other countries, France operationalizes confidence-building measures within the OSCE

The Organization for Security and Co-operation in Europe tackles various cyber threats including cybercrimes and the use of the Internet for terrorist purposes. A key focus is on the development of confidence building measures (CBM) between participating states to reduce the risks of conflict. Sixteen CBMs have been adopted, which aim at enhancing interstate cooperation, transparency and predictability to reduce risks of misperception and escalation.

One of these measures requires that participating States nominate a contact point to facilitate pertinent communications and dialogue on ICT-related incidents and coordinate responses. France is one of the lead countries to operationalize this measure, including through communication checks and exercises. Exchanges of information and communication between States can stop an unintentional conflict by defusing potential tensions and stopping or slowing down the spiral of escalation.

Regional organizations such as the OSCE are ideal platforms for building confidence in cyberspace, as they have often been conceived for conflict prevention and offer practical expertise with CBMs. So far, some successful “comcheck” exercises have been launched by the OSCE secretariat, which underline the utility of such measures in order to reinforce stability in cyberspace through a continuous dialogue between States.