The 9th International Conference on Cyber Conflict (CyCon) took place from 30 May to 2 June, in Tallinn, Estonia. The conference is annually organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and brings together decision-makers and experts from government, military and industry fields.
The main theme of the 9th CyCon was ‘defending the core’. Among other objectives, the conference aimed to enhance the understanding of the definition of the ‘core’ elements in cybersecurity, the main threats posed to them and how they could be better protected, from legal, technical and military standpoints.
The protection of the core critical Internet infrastructures was the theme of one of the CyCon panels. This issue has been raised in several forums, such as the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE), which produces reports that help to set the agenda and carry significant influence in the field of global cybersecurity. In its discussions, the UN GGE explored the possibility of defining a core infrastructure that should be off-limits and should not be considered a valid target in the case of military conflicts.
In the CyCon panel, speakers noted the difficulty of neatly defining which elements could be considered part of this ‘core’. Prof. Dennis Broeders, Senior Researcher at the Dutch Scientific Council for Government Policy, argued that there is a ‘public core of the Internet’ composed of certain elements, such as the domain name system (DNS), which play a crucial role in the integrity and availability of the Internet and therefore deserve special protection. The findings of his research were published in the report ‘The Public Core of the Internet: an International Agenda for Internet Governance’. Mr Paul Vixie, CEO of Farsight Security, pondered that platforms responsible for the dynamism of the world economy should probably be protected as well, including e-commerce sites, such as Amazon. Sandro Gaycken, Director of the Digital Society Institute at ESMT Berlin, agreed that the financial system has points of vulnerability that could be used to disrupt the world economy, and that these threats should be given priority.
The importance of protecting the private sector from attacks was highlighted in the presentation by Mr Paul Nicholas, Senior Director of Global Security Strategy at Microsoft. He emphasised the magnitude of the digital transformation, and the fact that many sectors, such as transportation, are actually becoming digital, based on information technology (IT). This rapid change can be disruptive and dangerous: vulnerabilities in automated systems, crime, conflict, ‘weaponisation’ and the recent increase in governmental investment in offensive operations raise insecurity. According to Microsoft, one possible response is the negotiation of a Digital Geneva Convention, to be applied in times of peace. He explained that the convention would be about preventing conflict, not controlling content, rebuffing some criticism of the idea. The proposal would be based on 3 pillars: the development of a legally binding agreement (a Digital Geneva Convention); an accord among the technology industry; and the creation of an organisation for the attribution of cyber-attacks.
Microsoft had expressed its initial ideas about the attribution organisation in the report ‘From Articulation to Implementation: Enabling progress on cybersecurity norms’, published in 2016, which suggested that the International Atomic Energy Agency could be a model for such a body. The ideas were further refined by the RAND Corporation, with the support of Microsoft, in a recently published study, ‘Stateless Attribution: Toward International Accountability in Cyberspace’. Among other recommendations, it suggests that the attribution organisations should be managed and operated independently from states. One of the reasons for that is the fact that states could make public attribution claims for political purposes and usually do not reveal the source of the information gathered by their intelligence bodies.
CyCon included other thought-provoking presentations in its programme. One of them was delivered by Mr Ralph Langner, from The Langner Group. He opined that most of the tools and approaches adopted in cybersecurity nowadays, such as patches, antivirus and risk management, are outdated and insufficient in the current environment of technological change. Other techniques should be employed, such as crowdsourcing for early detection, security automation – which is essential for the scalability of cybersecurity in the context of overstretched human resources – and advanced analytics of hybrid systems.
The use of data analytics and machine learning in support of cybersecurity was also analysed in other presentations. One of them explained the use of data analytics for the early detection of internal cyber-attacks that breached the perimeter of an organisation. The second presented an example of how cognitive computing (AI) can be used in the field of cybersecurity to improve the analysis of large volumes of structured and unstructured data. A live demo of a cognitive computing solution was presented.
The interplay between security and privacy online was the main topic of one of the workshops. It provided an overview of case law on the theme, and also some reflections for the future, based on behavioural, governance and normative changes that would inject transparency into security discussions, build sustainable relationships between privacy and security (which are now construed on an ad hoc basis) and re-define cyberspace as a common good.
CyCon participants could also learn more about the goals and the future work of the Global Commission on the Stability of Cyberspace (GCSC). The GCSC was created with the aim of developing proposals for norms and policies to enhance international security and stability and guide responsible state and non-state behavior in cyberspace. It is composed of 26 commissioners, covering a wide range of backgrounds and expertise, and chaired by Ms Marina Kaljurand, Former Estonian Foreign Minister.
Finally, the conference also provided an opportunity for an interactive debate about the book ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations’. The book expands on the first edition of the Tallinn Manual by extending its coverage of the international law governing cyber operations to peacetime legal regimes.
CyCon provided a mix of research-based analysis and pragmatic policy-oriented approaches. It is a cutting-edge and forward-looking conference that helps to disseminate knowledge and set the agenda of cybersecurity discussions.