OSCE Experts: Cyber/ICT Security

media and outreach officer at the OSCE, the Organization for Security and Cooperation in Europe, and you join us today from our headquarters in Vienna. Now, in recent years the OSCE and its 57 participating states have been at the forefront of global efforts to lower the risk of a cyber conflict between two or more countries, and I'm joined today by Ben Hillier. He's our cyber security officer at the OSCE Transnational Threats Department. Ben, we'll talk a little bit more about the OSCE's work in just a moment, but first: democratic elections being hacked, cities plunged into darkness by power cuts, and personal data and even huge amounts of money being stolen in electronic breaches. Cyber conflicts are already a reality, aren't they?

Well, I would agree with that, though we have to be very careful when we say it's a conflict or not. But what certainly is true is that we are seeing cyber attacks more and more publicized in the media, and also I think it is true to say that states are making more use of cyber capabilities. And it makes sense for them: they are relatively cheap, they can have quite a significant impact, and they're very stealth. It's not very easy to identify who's behind such activities, especially if they're below the threshold of an armed attack. But the question is, is it a conflict? And I think here we have to be very careful, because a conflict in the traditional sense has two opponents, a battlefield, two clearly designated armies, and when it comes to cyber the lines are a bit more blurred, also because cyberspace of course is shared. I mean, we are using cyberspace, you and I, businesses, governments and many more, and cyber has been a very, you know, a force for good. And to say that there's a conflict on cyberspace maybe might be overstating it, but certainly what is true is that states are using more and more cyber capabilities as part of their strategic toolbox.

Nevertheless, cyber conflicts are very dangerous, and what makes them particularly dangerous then?

I think the biggest
challenge we have still is the problem of attribution. We have some technical means to attribute cyber activities, but more often than not these sort of activities are routed through many different territories and countries, so to track back beyond reasonable doubt who's behind such activities is rather difficult, and makes it also difficult to hold to account a potential perpetrator. And then by default that makes it quite interesting for evildoers, terrorists, criminals, but also states, if they want to achieve something which is potentially below the radar. And another difficulty is that we're not quite sure at what point a cyber activity constitutes an armed attack under international law, or whether it's just preparing the ground potentially for a future techni, or is it just good old espionage, that happy a problem that we had for over, you know, centuries, and that is not illegitimate or illegal per se. So that makes it quite difficult to deal with the challenge internationally.

So miscalculation, let's say, seems to be one of the biggest threats here. Is this what the OSCE is specifically working to address?

Absolutely. The biggest fear is that a cyber incident can escalate between two or more states because of a misperception or miscalculation. More often than not, what we observe is that states have a disagreement over cyber activities, so activity already have tense relations over other things, such as the resources. So more often than not it would be probably neighbors that already have tense relations pointing the finger at each other when there's a significant cyber attack, say for instance on a critical infrastructure, and that would accuse each other. That can quickly escalate in the absence of foolproof evidence. So what the OSCE participating states have done is to come up with measures, practical measures, to try to prevent the escalation over cyber incidents, and essentially they agreed on 16 practical confidence-building measures that can be broadly put into three baskets: CBMs that
allow states to read each other better, and the intentions, by creating transparency; dedicated communication lines, crisis communication lines, to reach out to each other to clarify incidents before hitting back, basically kind of give diplomacy a chance; and the third category is to enhance national resilience to cyber incidents. And the idea here is that you build trust, because cyber of course goes transborder, and if you don't do your homework on your national systems you are a danger to everyone else, so you have an interest to protect your own systems for everyone else. And this is, in a nutshell, what the CBMs are focusing on.

So is the aim to kind of create guidelines for what is acceptable and not acceptable behavior by states in cyberspace?

Tangent, and the key here is that our measures really focus on allowing states to display a norms-based behavior in cyberspace. And norms and international law are treated and looked at in the UN framework. What the OSCE does is creating a mechanism underpinning this norms-based regime. What I want to say is, for instance, if states digress from good behavior in cyberspace, the CBMs do kick in: the communication lines, the crisis communication mechanisms, efforts to defuse potential tensions. So it's basically there, a mechanism when the norms break down, and you kind of come back to a norms-based cyberspace.

Ben, you've already touched on the challenge of attribution, but nevertheless, is it not important to find out who carried out a cyberattack?

Absolutely, and of course if you look at the legal approach it is always important and essential to know who exactly is behind a crime or an incident. The challenge here, I think, is that in cyberspace we need to distinguish between three different kinds of attribution and challenges. A, we have technical attribution, which is kind of going okay, I mean, states have found ways to technically prove at some point who might be behind it. Then you've got legal attribution, obviously needs to stand up in court, and then
you have political attribution, whether you make the call and accuse some other country, for instance, of meddling in your own domestic affairs. Now the question is what kind of attribution is in your interest. When it comes to state use of the information communication technologies against other states, political attribution or calling someone out might not always be in your interest. For instance, it could expose some of your weaknesses and you could attract copycat attackers. So you have to be very careful whether, A, of course you're interested in who's behind it, but how do you publicize it, and is it in your interest to bring it up with another country, for instance, that, you know, has a much larger cyber arsenal than yourself? So it's a sovereign decision, a sovereign decision, to call out potential perpetrators or to resolve a situation through other means. And here the OSCE offers alternative pathways to use diplomacy, to ask another state, please cease those activities, or indeed ask another state through our channels to help assist to cease certain activities that are believed to come from a third party. And so that's what the CBMs are exactly for.

Okay, so attribution, I guess, is a very complex challenge, but perhaps an even more fundamental or basic challenge is terminology, that states don't seem to be able to agree on what kind of terms of vocabulary to use when talking about cyberspace. And I've noticed, Ben, and I'm sure members of our audience have also, that you use the term cyber/ICT security, ICT of course being information communication technology. But why cyber/ICT security and not just cyber security?

You know, that is a wonderful question, and I'm really pleased that you asked that. Terminology and concept, when it comes to cyber, is one of the most contentious issues, and here we see a clear east-west divide, finally, which is quite, you know, natural for the OSCE context, I guess. And if you would ask western states what they would like to protect, they would say cyber security,
and what they refer to here is really the software, the hardware, the machinery, bits and bytes, and, you know, everything that enables cyberspace and the Internet. And if you asked experts maybe from a more Eastern country, they would say they're more interested in looking at, yes, hardware and software, but equally important is content: content can also be a danger to society, and what about that? So they're having a more comprehensive view on what security is. And what happened in the OSCE context is a compromise, for the first time in fact, where they said, okay, for the sake of compromise, to secure cyberspace, to prevent escalation of conflict from the use of cyber capabilities, let's just say for the moment cyber/ICT security, we're both happy with it; at the same time let's endeavour to work out what we mean by each term. And then if you look at our CBMs, actually, that deal with cyber, we have a CBM line that talks about terminology, the attempt by states to look at, you know, well, how do we describe certain things. And that's important, because if there is indeed a crisis you want to make sure that you speak the same language, that you understand each other. So this is one of the key elements, as I said before, for the CBMs.

Ben, we have the CBMs, the confidence-building measures, but the threat of cyber conflict doesn't seem to have gone away. What's next?

Well, if I would know, I would say, probably not sitting here in this very lovely chair. And what's next for the OSCE: certainly what states have decided at the last Ministerial Council is to continue implementing those measures, those measures that really are non-political. It's in everyone's interest to be able to communicate in a crisis; it's in everyone's interest to protect critical infrastructure from certain attacks, from cyberattacks, for the sake of the citizens. And so they made a commitment to implement those measures to prevent escalation despite ideological differences, and I think that really is, in this world, day and age, in our
political environment, the way: you need to focus on practical measures that allow you to come back from the verge of something worse, and this is what the OSCE CBMs do offer. Needless to say, whether or not states implement those measures is up to every state, and it's a sovereign decision. And of course in this connection you also have to ask the question: if you create communication channels, do you want to pick up the phone if there's a crisis or not? And this is what it boils down to: do you want to be reached if you have cyber capabilities, or when they're being used? That's something only states can answer. But what we are making sure here is that these measures work, that they're implemented, and that they're practical and useful for states if they so wish to use them.

So what activities is the OSCE undertaking at the moment?

Actually, funnily enough, today we started with one activity, which is a communications check, testing the availability of focal points of participating states if there would be such a crisis. And what states have done, they appointed the policy focal points for each state, that is the contact person in a large cyberattack that could threaten to destabilize relations between states, and that would be the first call. So what we do from time to time is to check how available are they, would they be having the right people on the national level they could rely on to give a whole-of-government response to another state, for instance the technical community, how quick is that communication and how deep can a conversation go. So we're testing that frequently. Another thing we are doing is to do awareness raising. You wouldn't believe how in many countries cyber is still really perceived as a technical issue, coding, and as we see now it's not, it's a policy issue, it affects international peace and security. So it's diplomats and policymakers that need to deal with this issue, and the CBMs were created exactly for that. In the end of the day, if there's a massive cyber attack on a
critical infrastructure that threatens to destabilize relations between states, it's not gonna be the technical people making decisions, it's gonna be policy makers, decision makers. And how are they going to reach out to each other? Well, they can use the CBMs, those communication lines, for the first time, which we didn't have before in a structured manner. So we're moving away, and what we're trying to raise that awareness in countries, to make them understand: look, it's no longer good enough to just think that's nerds, you know, these are the techies that deal with this. No, this is affecting everyone, everyone's taking part in cyber, and it's everyone's responsibility to keep it safe, and decision-makers need to make decisions and need to be able to use the tools that they have created. So in short, I guess, watch this space.

Thank you very much, Ben, for talking us through this very complex and fast evolving security challenge, and thank you for joining our Facebook Live today. I'm Chip Sharma, and if you want to learn more about our work in this area, please head to our website, that's osce.org. Thank you once again for joining in, and goodbye.
