299 research outputs found

    ‘Unpacking’ technical attribution and challenges for ensuring stability in cyberspace

    Submission to 2021–2025 UN Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies

    Waking Sleeping Beauty? Exploring the Challenges of Cyber-Deterrence by Punishment

    O ciberespaço: os desafios da formação de normas

    The rules of appropriate conduct in cyberspace have always been a discussion throughout the various years, especially between States. With the rapid expansion of cyberspace, the creation of an international regime for the conduct of States became necessary, however, the many different vulnerabilities, actors, and even definitions made the consensus process difficult. The attributional question of cyberspace, however, was the question that most impeded the process. Technical advances in this area, along with the use of legal standards of proof made public attribution possible and more common. This paper seeks to investigate the link between public attribution with what is possibly an embryo of an international regime for cyberspace with a case study of NotPetya as emblematic of this trend.
    Keywords: Cyberspace; Public Attribution; International Regimes.
    The appropriate rules of conduct in cyberspace have always been a major discussion over the years, especially among States. The rapid expansion of cyberspace made it necessary to create an international regime for the conduct of States; however, the various existing vulnerabilities, actors and even differing definitions make the consensus process difficult. The question of attributing cyber incidents, however, was the one that most impeded the process. With technical advances in this area, together with the use of legal investigative processes, public attribution is becoming more common. This study investigates the link between public attribution and what is possibly a new regime in cyberspace, using a brief case study of NotPetya and how it is emblematic of this new trend.
    Keywords: Cyberspace; Public Attribution; International Regimes

    The Myth of Cyberwar: Bringing War in Cyberspace Back Down to Earth

    Cyberwar has been described as a revolution in military affairs, a transformation of technology and doctrine capable of overturning the prevailing world order. This characterization of the threat from cyberwar, however, reflects a common tendency to conflate means and ends; studying what could happen in cyberspace (or anywhere else) makes little sense without considering how conflict over the internet is going to realize objectives commonly addressed by terrestrial warfare. To supplant established modes of conflict, cyberwar must be capable of furthering the political ends to which force or threats of force are commonly applied, something that in major respects cyberwar fails to do. As such, conflict over the internet is much more likely to serve as an adjunct to, rather than a substitute for, existing modes of terrestrial force. Indeed, rather than threatening existing political hierarchies, cyberwar is much more likely to simply augment the advantages of status quo powers.

    Is Cyberattack the Next Pearl Harbor?

    Privatized Cybersecurity Law

    Tech companies have gradually and informally assumed the role of international lawmakers on global cybersecurity issues. But while it might seem as if the international community and Internet users are the direct beneficiaries of private tech industries’ involvement in making law, there are many questions about this endeavor that require a thorough examination. The end goal and risks associated with such ventures are largely obscure and unexplored. This Article provides an analysis of how tech companies are effectively becoming regulators on global cybersecurity, based on states’ inability to overcome geopolitical divides on how cyberspace ought to be regulated globally. This Article looks primarily at three separate proposals representing the larger trend of the privatization of cybersecurity law: the Digital Geneva Convention, the Cyber Red Cross, and the Cybersecurity Tech Accord. These, as well as other initiatives, reflect the gradual and uncontested assimilation of private tech companies into the machinery of international lawmaking. This Article argues that state governments, civil society organizations, Internet users, and other stakeholders need to step back and carefully evaluate the dangers of ceding too much lawmaking control and authority to the private tech sector. These private actors, while not yet on an equal footing to states, are increasingly displacing states as they seek to create their own privatized and unaccountable version of cybersecurity law

    Cyber-Nuisance

    Attack and Defense Strategies in Cyber War Involving Production and Stockpiling of Zero-Day Cyber Exploits

    Two players strike balances between allocating resources for defense and production of zero-day exploits. Production is further allocated into cyberattack or stockpiling. Applying the Cobb Douglas expected utility function for equivalent players, an analytical solution is determined where each player’s expected utility is inverse U shaped in each player’s unit defense cost. More generally, simulations illustrate the impact of varying nine parameter values relative to a benchmark. Increasing a player’s unit costs of defense or development of zero-days benefits the opposing player. Increasing the contest intensities over the two players’ assets causes the players to increase their efforts until their resources are fully exploited and they receive zero expected utility. Decreasing the Cobb Douglas output elasticity for a player’s stockpiling of zero-days causes its attack to increase and its expected utility to eventually reach a maximum, while the opposing player’s expected utility reaches a minimum. Altering the Cobb Douglas output elasticities for a player’s attack or defense contests towards their maxima or minima causes maximum expected utility for both players.

    On the Peace and Security Implications of Cybercrime: A Call for an Integrated Perspective

    Criminal cyberattacks have skyrocketed in the past decade, with ransomware attacks during the pandemic being a prime example. While private corporations remain the main targets and headlines are often dominated by the financial cost, public institutions and services are increasingly affected. Governments across the globe are working on combatting cybercrime. However, they often do not see eye-to-eye, with geopolitical tensions complicating the search for effective multilateral remedies further. In this research report, we focus on the threat that cybercrime poses to peace and security, which is rarely addressed. We examine the potential of cybercrime to exacerbate state-internal conflicts, for example by fuelling war economies or by weakening social coherence and stability. Various actors sharing similar, possibly even identical, approaches to compromising adversarial computer systems is another threat that we assess, as it has the potential to cause unintended escalation. Similarly, cyber vigilantism and hack-backs, whether conducted by private actors or corporate entities, can also endanger state agency and the rule of law. While an international treaty, as for example currently being discussed at the UN, could be a valuable step toward curbing cybercriminal behaviour, we also reflect on possible negative side effects - from increased domestic surveillance to repression of opposition. Lastly, we argue for an integrated perspective, combining various knowledge bases and research methodologies to counter direct and indirect limitations of research, particularly pertaining to data availability but also analytical concepts