September 20, 2011

China, Russia Propose UN Cyber-Code

Concerns related to network- and cyber-security, which have increased rather dramatically in recent years, are reaching an all-new crescendo. Notwithstanding the sometimes-strident nationalist rhetoric of one or another country, what is missing from cyberspace are Geneva Convention-like international rules to standardize (and/or "govern") cyber-behavior.

And, lo (and behold), just over a week ago, on September the 12th, China, Russia, Tajikistan, and Uzbekistan asked the UN Secretary-General to circulate a proposed voluntary International Code of Conduct for Information Security at the 66th session of the General Assembly (taking place this week in NYC), and further called on UN member countries to consider the document as a framework around which to reach a near-term consensus on international norms and rules standardizing national behavior related to information, cyberspace and network security.
...Wait. China, Russia? Really? Aren't these the cyber-bad guys? Or, are they just the ones that get caught more often than others, or, could it be that they're just more regularly on the receiving end of Western-based media attention than other cyber-perps?...

...Ok, ok, leaving that cynical tidbit-for-thought aside for the nonce, what does the proposed Code suggest?

Well, as should be expected of any formal intergovernmental document, the preamble is chock full of "recalling," "reaffirming" and "recognizing" to set the stage for the actual proposals, but it's worthwhile to take note of some (not all) of the lofty and unobjectionable objectives outlined in the lead-up to the actual (remarkably brief) proposed code. To wit:

- Recognizing the need to prevent the potential use of information and communication technologies (ICTs) for purposes that are inconsistent with the objectives of maintaining international stability and security, and may adversely affect the integrity of the infrastructure within States, to the detriment of their security...

- Highlighting the importance of the security, continuity and stability of the Internet, and the need to protect the Internet and other ICT networks from threats and vulnerabilities, and reaffirming the need for a common understanding of the issues of Internet security and for further cooperation at national and international level...

- Recognizing that confidence and security in the use of information and communications technologies are among the main pillars of the information society, and that a robust global culture of cyber-security needs to be encouraged, promoted, developed and vigorously implemented...

Good stuff. Good framework. What about the key elements of the proposed Code?

Well, each State voluntarily subscribing to the Code would pledge, among other things not related directly to network/cyber-security:

- Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security;

- Not to proliferate information weapons and related technologies;

- To endeavor to ensure the supply chain security of ICT products and services, prevent other states from using their resources, critical infrastructures, core technologies and other advantages, to undermine the right of the countries...or to threaten other countries' political, economic and social security.

- To lead all elements of society, including its information and communication private sectors, to understand their roles and responsibilities with regard to information security, in order to facilitate the creation of a culture of information security and the protection of critical information infrastructures.

Again, good stuff. Cyber-motherhood and broadband apple pie, as it were...

Hey, I'm the first to admit that rhetoric is little more than nothing in the absence of action and accountability, but that's no reason to look a rhetorical gift horse in the mouth. It is in all of our best interests and the interest of global commerce and security - physical and digital - to address the proliferation of cyber-threats. Any UN member country that rejects or ignores either the call for action or the proposed Code should at the very least be challenged to deliver an alternative.

This should be interesting to watch...

Meanwhile, in other news, Network World reported yesterday on an interview/Q&A with former cyber-security czar Richard Clarke. Clarke, who served in the State Department under Reagan, as chair of the Counter-terrorism Security Group and member of the National Security Council under Bush I, as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism (the chief counter-terrorism adviser on the National Security Council) under Clinton, and Special Advisor to the President on Cyber-security under Bush II, had some interesting answers to some probing questions, including:

If you had the influence, what would you change to improve U.S. cybersecurity?

"...In a regulated industry -- finance, power and telecommunications -- I'd require all the software be vetted for all kinds of mistakes."

When the question of supply-chain security comes up, and with so much manufacturing coming from China, do you think there's reason to be concerned about security of products made in foreign countries where sometimes there are political tensions?

"My attitude is whether it comes from New York state or Shanghai, it probably has the same risk in software. There are people in the U.S. who can be bribed, too."

I think that pretty much sums it up, folks: cyber-security is a global issue demanding global solutions - solutions that are agnostic to infrastructure provider and/or geography...

Stay tuned.

** cross-posted to Facebook from **