[governance] Multiplication of virus cases built by and for states ...

[michael gurstein]

Hi Alejandro...

Answers interspersed below...

-----Original Message-----
From: Dr. Alejandro Pisanty Baruch [mailto:apisan at unam.mx] 
Sent: Friday, August 10, 2012 11:06 PM
To: governance at lists.igcaucus.org; michael gurstein
Subject: RE: [governance] Multiplication of virus cases built by and for
states ...

Michael,

your proposal for the IGC to deal with virus and other cybersecurity attacks
under the label "enhanced " brings to mind a couple of questions, which
would be useful to absolve before trying to get into a discussion:

1. in what way do your first elements of proposal ("need for global
consolidated action at the policy/legal level") relate to (differ from, are
similar to) the proposals before the ITU for WCIT that the ITRs begin to
include cybersecurity? A corollary: how successful (more, equally, less) do
you forecast this to be?

[MG>] I'm not sure that it does differ from this my point is that this is a
realistic, practical and quite immediate set of issues which we as CS might
want to be developing a position on. I have no idea how successful this
initiative might be at the WCIT but my suspicion is that there is a lot more
incentive for success in this area across more national governments than in
areas such as those we are currently discussing in the IGC and that
"enhanced cooperation" in this area might lead to "enhanced cooperation" in
other areas as well.


2. what assets are under risk, what is the risk/cost/benefit equation for
them? A discussion of this type of subject can be very productive if it
identifies assets, quantifies their value, quantifies the risk, the
attacker's potential conduct, and the vulnerabilities; then for each risk
identified quantifies probability and impact, which are orthogonal
coordinates; and then runs the successive disciplines of risk avoidance,
transfer, detection, mitigation, response, damage repair, and business or
operational continuity. SOP for pros in the field.
 
[MG>] Well for a start there is apparently a risk in the instance below to
the integrity of the global banking system (and perhaps as important the
risk of the perception of risk to the global banking system)... I'm not sure
what the quantitative measure of that would be but if you add to that risks
to the electrical grid, the infrastructure dependent on the electrical grid
(water supply, pipelines etc.etc.) the risk would seem to be shall we say,
rather large and would give large quantitative factors to each of the other
elements you are pointing to in your #2 above.


3. the statement that started this thread refers to "virus cases built by
and for states." That is a strong statement. Scholars, strategists,
officials, and tacticians, civil and military, dealing with the problem
called "cyberwar" are pretty much stuck right now with the problems of
attribution of the attack, proportional response, and rules generally known
under "Geneva convention" like "response to an act of war must be
proportional to the attack, not damage non-combatants", and so on. Wouldn't
it be useful to go through the state of the art before embarking in this? 

[MG>] Certainly that would be one way to start but I see no particular
reason why one couldn't start at the other end i.e. the "outcomes" of these
virus cases rather than trying to determine the "inputs" to them which may
be rather more difficult to identify.


4. limiting the response of whoever goes into the fray to "manage for the
outcomes" may be a bit lame. Paradoxically going any further takes you to 1,
2, and 3 above. 

[MG>] Sorry I don't understand what you are saying here.


5. a useful exercise, which you already started, is "removing the Internet"
from the problem. You went to SALT for precedent. Does it apply? does it
scale? Can you create a global agreement that includes all non-state actors?
a g[MG>] global cyberpolice, or at least global cyberbluehelmets? Bots to
undo the damage of state-directed virus inflicted on the general population
only, like... repairing damaged water supplies? Open field for the wildest
imagination.

[MG>] I've no idea of the modalities that might be identified for achieving
an effective response... there are presumably many, some involving Sci Fi
remedies others not... But threats of the magnitude indicated would seem to
me to be such as to focus the mind and stimulate the imagination and
evidently tates seem to be taking these risks very seriously especially
since we have already seen a few limited examples of (to carry forward the
SALT analogy) nuclear "incidents" with the threat of many many more
including from non-State actors.


6. in a form similar to today's formulations but in the 2003-2005 timeframe,
the WGIG debated this issue. What work is needed to update the conclusions
from then? (let's hope the discussion, if any ensues, doesn't have it's own
"it feels like 2004" moment!)

[MG>] My suspicion is that the earlier discussion may, at least to many,
have been rather more speculative whereas we/they would now be dealing with
concrete and moderately visible examples.

Best,

M

Yours,

Alejandro Pisanty

! !! !!! !!!!
NEW PHONE NUMBER - NUEVO NÚMERO DE TELÉFONO



+52-1-5541444475 FROM ABROAD

+525541444475 DESDE MÉXICO

SMS +525541444475
     Dr. Alejandro Pisanty
UNAM, Av. Universidad 3000, 04510 Mexico DF Mexico

Blog: http://pisanty.blogspot.com
LinkedIn: http://www.linkedin.com/in/pisanty
Unete al grupo UNAM en LinkedIn,
http://www.linkedin.com/e/gis/22285/4A106C0C8614
Twitter: http://twitter.com/apisanty
---->> Unete a ISOC Mexico, http://www.isoc.org
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .

________________________________________
Desde: governance-request at lists.igcaucus.org
[governance-request at lists.igcaucus.org] en nombre de michael gurstein
[gurstein at gmail.com] Enviado el: viernes, 10 de agosto de 2012 16:35
Hasta: governance at lists.igcaucus.org
Asunto: RE: [governance] Multiplication of virus cases built by and for
states ...

The other threads may have exhausted themselves by now but I'm seeing in
this another area of possible interest from the perspective of "enhanced
cooperation".  As I understand it in the area of viruses, worms etc.etc.
there is a "spy vs. spy" syndrome at work... The "bad guys" (or seemingly in
some cases "the good guys") launch something into the wild and then the
opposite side moves forward to counter this and then the other side counters
and so on and so on... This is all played out in the technical/security
domain with the policy folks urging their side onward ever onward...

With these viruses as below (and including Stuxnet etc.) we seem to be
moving into Sci Fi domains where one side (or the other)  is in a position
to wreck catastrophe on the other side (and v.v.) with us helplessly sitting
in the middle watching crucial infrastructure (electricity, water, digital
communications etc.) being increasinly threatened with "executive action"
i.e. assassination...

The need for global consolidated action at the policy/legal level is almost
certainly the only way in which some modicum of security might be achieved
(some sort of electronic version of the SALT treaty for example)
particularly since the possibility (likelihood) of wildcard non-state actors
being parties to the sabotage and thus making it in the interests of all
state actors to achieve some measure of control in the area.

I have no idea what the solution might be here but I would expect that it
would involve some considerable measure of technical intervention
("management of the Internet"?) combined with policy driven international
state to state agreements presumably with the active involvement of both the
technical and non-technical private sector and civil society (to try to keep
the overall process "honest...

Perhaps rather than trying to square the circle of management of the inputs
(digital flows) it might be easier as a way into (or around) the Global
Internet Governance area to look to manage for the outcomes since as we are
beginning to realize if these go seriously awry they could quite easily
affect the digital space and thus personal well-being of all of us rather
more immediately and with greater damage than some of the other issue areas
we have been discussing -- wherever we might reside -- assuming that we are
all connected to the same Internet.

Comments?

Mike

-----Original Message-----
From: governance-request at lists.igcaucus.org
[mailto:governance-request at lists.igcaucus.org] On Behalf Of
karim.attoumanimohamed at ties.itu.int
Sent: Friday, August 10, 2012 7:24 AM
To: governance at lists.igcaucus.org
Subject: [governance] Multiplication of virus cases built by and for states
...

Gauss – Nation-state cyber-surveillance meets banking Trojan
http://www.securelist.com/en/blog?weblogid=208193767

Gauss, a new virus (or worm because its decryption is not done) was
identified by Kaspersky. The fourth after Stuxnet, Flame and Duqu.

I wondered if it's not time sounding the alarm because it could be that many
more malware exist but those who created them or the victims do not dare
talk about for their image and of sovereignty reasons.

What benefits can be envisaged for end users in what appears to be a
cybernetics war that started  before it was predicted by experts.

Where countries may protest at global level? I believe that ICT governance
is truly threatened and we may be surprized by all implications as for now
it's clear that everything is possible in the cyberspace.

Karim ATTOUMANI MOHAMED, Comoros





=


-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t