[governance] Multiplication of virus cases built by and for states ...

Dr. Alejandro Pisanty Baruch apisan at unam.mx
Fri Aug 10 23:05:47 EDT 2012


Michael,

your proposal for the IGC to deal with virus and other cybersecurity attacks under the label "enhanced cooperation" brings to mind a couple of questions, which would be useful to absolve before trying to get into a discussion:

1. in what way do your first elements of proposal ("need for global consolidated action at the policy/legal level") relate to (differ from, are similar to) the proposals before the ITU for WCIT that the ITRs begin to include cybersecurity? A corollary: how successful (more, equally, less) do you forecast this to be?

2. what assets are under risk, what is the risk/cost/benefit equation for them? A discussion of this type of subject can be very productive if it identifies assets, quantifies their value, quantifies the risk, the attacker's potential conduct, and the vulnerabilities; then for each risk identified quantifies probability and impact, which are orthogonal coordinates; and then runs the successive disciplines of risk avoidance, transfer, detection, mitigation, response, damage repair, and business or operational continuity. SOP for pros in the field. 

3. the statement that started this thread refers to "virus cases built by and for states." That is a strong statement. Scholars, strategists, officials, and tacticians, civil and military, dealing with the problem called "cyberwar" are pretty much stuck right now with the problems of attribution of the attack, proportional response, and rules generally known under "Geneva convention" like "response to an act of war must be proportional to the attack, not damage non-combatants", and so on. Wouldn't it be useful to go through the state of the art before embarking in this? 

4. limiting the response of whoever goes into the fray to "manage for the outcomes" may be a bit lame. Paradoxically going any further takes you to 1, 2, and 3 above. 

5. a useful exercise, which you already started, is "removing the Internet" from the problem. You went to SALT for precedent. Does it apply? does it scale? Can you create a global agreement that includes all non-state actors? a global cyberpolice, or at least global cyberbluehelmets? Bots to undo the damage of state-directed virus inflicted on the general population only, like... repairing damaged water supplies? Open field for the wildest imagination.

6. in a form similar to today's formulations but in the 2003-2005 timeframe, the WGIG debated this issue. What work is needed to update the conclusions from then? (let's hope the discussion, if any ensues, doesn't have its own "it feels like 2004" moment!)

Yours,

Alejandro Pisanty

Dr. Alejandro Pisanty
UNAM, Av. Universidad 3000, 04510 Mexico DF Mexico

________________________________________
From: governance-request at lists.igcaucus.org [governance-request at lists.igcaucus.org] on behalf of michael gurstein [gurstein at gmail.com]
Sent: Friday, August 10, 2012 16:35
To: governance at lists.igcaucus.org
Subject: RE: [governance] Multiplication of virus cases built by and for states ...

The other threads may have exhausted themselves by now but I'm seeing in this another area of possible interest from the perspective of "enhanced cooperation". As I understand it in the area of viruses, worms etc. etc. there is a "spy vs. spy" syndrome at work... The "bad guys" (or seemingly in some cases "the good guys") launch something into the wild and then the opposite side moves forward to counter this and then the other side counters and so on and so on... This is all played out in the technical/security domain with the policy folks urging their side onward ever onward...

With these viruses as below (and including Stuxnet etc.) we seem to be moving into Sci Fi domains where one side (or the other) is in a position to wreak catastrophe on the other side (and v.v.) with us helplessly sitting in the middle watching crucial infrastructure (electricity, water, digital communications etc.) being increasingly threatened with "executive action" i.e. assassination...

The need for global consolidated action at the policy/legal level is almost certainly the only way in which some modicum of security might be achieved (some sort of electronic version of the SALT treaty for example) particularly since the possibility (likelihood) of wildcard non-state actors being parties to the sabotage and thus making it in the interests of all state actors to achieve some measure of control in the area.

I have no idea what the solution might be here but I would expect that it would involve some considerable measure of technical intervention ("management of the Internet"?) combined with policy driven international state to state agreements presumably with the active involvement of both the technical and non-technical private sector and civil society (to try to keep the overall process "honest...

Perhaps rather than trying to square the circle of management of the inputs  (digital flows) it might be easier as a way into (or around) the Global Internet Governance area to look to manage for the outcomes since as we are beginning to realize if these go seriously awry they could quite easily affect the digital space and thus personal well-being of all of us rather more immediately and with greater damage than some of the other issue areas we have been discussing -- wherever we might reside -- assuming that we are all connected to the same Internet.

Comments?

Mike

-----Original Message-----
From: governance-request at lists.igcaucus.org [mailto:governance-request at lists.igcaucus.org] On Behalf Of karim.attoumanimohamed at ties.itu.int
Sent: Friday, August 10, 2012 7:24 AM
To: governance at lists.igcaucus.org
Subject: [governance] Multiplication of virus cases built by and for states ...

Gauss – Nation-state cyber-surveillance meets banking Trojan
http://www.securelist.com/en/blog?weblogid=208193767

Gauss, a new virus (or worm because its decryption is not done) was identified by Kaspersky. The fourth after Stuxnet, Flame and Duqu.

I wondered if it's not time to sound the alarm because it could be that many more malware exist but those who created them or the victims do not dare talk about them for reasons of image and sovereignty.

What benefits can be envisaged for end users in what appears to be a cybernetics war that started before it was predicted by experts?

Where may countries protest at the global level? I believe that ICT governance is truly threatened and we may be surprised by all the implications, as for now it's clear that everything is possible in cyberspace.

Karim ATTOUMANI MOHAMED, Comoros





