The 9 principles

Principle 1

Protect individuals and infrastructure

Prevent and recover from malicious cyber activities that threaten or cause significant, indiscriminate or systemic harm to individuals and critical infrastructure.

Emergency services: the European Emergency Number Association provides cybersecurity guidelines to ensure the safety of citizens

Recent cyberattacks around the world, including against hospitals, remind us of the need to be better prepared. Public safety organizations are not exempt from these ever-evolving cyber risks. When emergency call centers suffer cyberattacks, the resulting delays to first response by rescue organizations can cost lives.

The European Emergency Number Association (EENA) believes that, for the safety of citizens, it is essential to ensure public safety services remain uninterrupted. To protect critical infrastructure and sensitive information, emergency services must implement appropriate and effective safeguards.

After the WannaCry ransomware attacks in 2017, EENA launched its Cybersecurity Working Group to share best practices and develop a set of concrete, specific recommendations for emergency response organisations. The group held a dedicated webinar and published cybersecurity guidelines. The importance of this issue has been highlighted at the annual EENA Conference for several years and during the EENA Members Workshop 2018. Recommendations include treating cybersecurity as part of general risk assessment, training employees, implementing technological solutions, and performing vulnerability tests and cyber incident exercises.

European Emergency Number Association (EENA)

Principle 2

Protect the Internet

Prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.

Protecting the Domain Name System: French company Nameshield ensures identity integrity and resilience

Protecting the availability and integrity of the public core of the Internet requires close cooperation between different types of actors, including the non-profit organization ICANN (Internet Corporation for Assigned Names and Numbers) and private companies such as Nameshield. An independent French company, Nameshield ensures identity integrity and resilience on the Internet with its own anycast-based, resilient DNS infrastructure.

A cornerstone of the Web, the Domain Name System (DNS) serves as the Internet's directory. The protocol translates a domain name into an IP address, drawing on a database distributed across thousands of machines. If DNS fails because of data corruption or a denial-of-service attack, websites and email become inaccessible.

It is crucial to guarantee the protection and availability of DNS. A protocol extension, DNSSEC, was therefore developed with the support of ICANN to address vulnerabilities in DNS: it lets a resolver verify that the records it receives were signed by the zone operator and have not been altered in transit. Other solutions help ensure identity resilience, such as Registry Lock (which blocks unauthorised changes to a domain's registration data) or SSL/TLS certificates. By protecting domain name records and providing a high-availability service, Nameshield contributes to the second principle of the Paris Call and protects the public core of the Internet.
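To make the integrity gap concrete, the following is an added illustration written for this page; it is not Nameshield's, ICANN's or any resolver's code. It encodes a DNS query and a DNS answer in RFC 1035 wire format and then applies the only checks a classic, non-validating resolver makes before caching an answer: the 16-bit transaction ID and the question must match. Nothing authenticates the data itself, so a forged answer that guesses the ID is accepted just like the real one. That is the weakness DNSSEC signatures close. All packets below are constructed inline, the domain name and addresses are placeholders, and the script does not perform DNSSEC validation (that requires RRSIG, DNSKEY and DS records chained to the root).

```python
"""Minimal DNS wire-format encoder/parser (RFC 1035), used to show why a plain
DNS answer is accepted on trust. Added illustration, not code from the page's
organisations. Every packet here is constructed, not captured."""
import struct

A_RECORD = 1      # query/record type for an IPv4 address
CLASS_IN = 1
FLAG_QR = 0x8000  # "this message is a response"


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`, following compression pointers.
    Returns (name, offset just after the name in the *original* stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(txid, name, qtype=A_RECORD):
    # header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_answer(txid, name, ip, ttl=300):
    """A response carrying one A record; flags 0x8180 = QR, RD, RA set."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", A_RECORD, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # b'\xC0\x0C' is a compression pointer back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_message(msg):
    """Parse header, question and answer section of a query or a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((rname, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "records": records}


def accept_plain(query, response):
    """The checks a non-validating resolver applies before caching an answer:
    response bit set, same transaction ID, same question. No signature check."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["flags"] & FLAG_QR and r["txid"] == q["txid"]
                and r["qname"] == q["qname"] and r["qtype"] == q["qtype"])


def a_records(response):
    """Dotted-quad strings of every A record in the answer section."""
    return [".".join(str(b) for b in rdata)
            for _, rtype, rdata in parse_message(response)["records"]
            if rtype == A_RECORD]


if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    genuine = build_answer(0x1234, "example.com", "192.0.2.10")    # placeholder IP
    forged = build_answer(0x1234, "example.com", "203.0.113.7")    # attacker's IP
    wrong_id = build_answer(0x9999, "example.com", "203.0.113.7")
    print("genuine accepted:", accept_plain(query, genuine), a_records(genuine))
    print("forged (ID guessed) accepted:", accept_plain(query, forged), a_records(forged))
    print("forged (ID wrong) accepted:", accept_plain(query, wrong_id))
```

Because the transaction ID has only 65,536 values and the resolver checks nothing else about the answer's origin, an off-path attacker who races a flood of guesses can poison a cache; source-port randomisation raises the cost but does not add authentication. DNSSEC does: a validating resolver additionally requires an RRSIG over the A record and verifies it against a DNSKEY chained through DS records to the root, so the forged answer above would be rejected even with a matching ID.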

Nameshield

Public Core CoI: the Hague Centre for Strategic Studies will lead a community of interest on protecting the public core of the Internet

Responding to threats against the core protocols and services of the global Internet requires the cooperation of the full range of stakeholders. Most of the infrastructure, services, and products underpinning it are privately-owned, or governed and maintained by the civil society functioning as a technical community.

Whilst the idea of protecting the core Internet functions has a longer history, the notion only recently became the subject of various norm proposals, most notably by the Global Commission on the Stability of Cyberspace (GCSC), which was initiated by The Hague Centre for Strategic Studies (HCSS). Building on the GCSC report “Advancing Cyberstability”, which calls for the adoption of specific “Communities of Interest”, HCSS will lead a “Community of Interest on Protecting the Public Core of the Internet” (Public Core CoI). This concerted multistakeholder initiative will gather committed supporters of the general principle of protecting the public core in a regular working group.

This group will likely examine the need to further refine the concept, discuss propagation, and explore options for implementation and monitoring of the principle as well as related norms. It will convene key stakeholders to raise awareness of the threats against the core Internet protocols and functions, develop best practices and policy proposals for adoption and implementation, and advance common understandings of violations of the principle. Organizations interested in joining the Public Core CoI can write to cyber@hcss.nl.

The Hague Centre for Strategic Studies

Principle 3

Defend electoral processes

Strengthen our capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities.

Protecting the integrity of democratic elections: the Transatlantic Commission on Election Integrity (TCEI) helps advance solutions

Election interference is a major threat to the universal right of people to take part in the democratic process. Still, democratic governments and technology companies around the world are scrambling to meet the challenges of the latest election meddling tactics and technologies. This is a global phenomenon, with instances of election interference seen in countries from Mexico to North Macedonia, Ukraine to Kenya, Taiwan to Turkey.

Yet, attacks and coordinated manipulation are no longer coming from foreign malign powers alone: increasingly, the cross-border disinformation playbook is used by domestic actors trying to sow division and polarization in both authoritarian and democratic contexts.

The TCEI brings together committed and eminent persons from different backgrounds with one shared goal: to ensure people decide freely, based on independent information, who should represent them. Transatlantic and bipartisan in nature, the TCEI seeks to share best practice between decision-makers and institutions across the democratic world, raise public awareness about the risks of interference, and apply new models and technologies on the ground to empower civil society and governments to defend democracy. The TCEI is an initiative of the Alliance of Democracies Foundation, founded by Anders Fogh Rasmussen in 2017.

Transatlantic Commission on Election Integrity

Countering election interference: the Alliance for Securing Democracy, the Government of Canada and Microsoft are working to prevent malign interference by foreign actors

The Alliance for Securing Democracy (ASD), the Government of Canada, and Microsoft are working together to strengthen the collective capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities.

Throughout 2020, they brought the global community together through the organization of multistakeholder workshops, each one addressing a critical topic related to preventing interference in electoral processes. During these workshops, key observations, ideas and effective practices were collected from a diverse group of experts, practitioners and stakeholders.

Summaries of these practices are available here: https://www.canada.ca/en/democratic-institutions/services/paris-call-trust-security-cyberspace.html.

A more in-depth compendium is planned for the first quarter of 2021.

Microsoft, the Alliance for Securing Democracy and the Government of Canada

Principle 4

Defend intellectual property

Prevent ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sector.

Protecting software distributed under open source licenses: the Linux Foundation supports communities that share their knowledge

In a world whose dynamics are based on the sharing of knowledge, the free software model and the application of free software licenses become increasingly important. Open source software is equipped with legal tools such as copyleft to frame participation on a cooperative, reciprocal basis, to produce high-performing software, and to prevent private appropriation of code or theft of intellectual property, since what is voluntarily shared cannot be re-appropriated.

The open source software model offers a way to reconcile private individual interest and collective efficiency: it is not a question of abandoning intellectual authorship, but of allowing reuse of the free software created on the condition that any new version can also circulate freely. Hence intellectual property shared under such licenses spreads more quickly through the industrial fabric and benefits from network effects, which support the push for creating standards that evolve around it and its promoters.

With over 1,000 corporate members worldwide, The Linux Foundation provides strong support to open source communities through financial and intellectual resources, infrastructure, services, events, and training. Working together, the Linux Foundation and its projects form one of the most ambitious and successful investments in the creation of shared technology: the collective value of the code in Linux Foundation projects is estimated at roughly US$16 billion.

Balancing between protection and access in face of new digital threats: the Center for Internet & Society India participates in international negotiations on intellectual property

Managing intellectual property (IP) in cyberspace raises numerous challenges. Companies and authors need to protect IP in the digital world, since it fuels innovation, differentiation and revenue. Copyrights, patents and trademarks are an important part of the digital landscape.

As malware and malicious practices develop, companies and individuals may suffer loss due to IP theft or infringement and need to develop more sophisticated protection systems. At the same time, access to information plays an important role in terms of education and innovation. The evolving information infrastructure and new threats may upset the balance between the two.

In India, the Centre for Internet and Society defends the position that the balance between protection and access must be re-calibrated in cyberspace. As such, the Centre has participated in negotiations taking place at regional and international levels through the Regional Comprehensive Economic Partnership agreement (RCEP) and the World Intellectual Property Organization Standing Committee on Copyright and Related Rights (WIPO SCCR). In addition, the Centre conducts its own empirical research on IP and ICT.

The Centre for Internet & Society India

Principle 5

Non-proliferation

Develop ways to prevent the proliferation of malicious software and practices intended to cause harm.

Fighting malware at the roots: YesWeHack organises Bug Bounty programmes to disclose and correct vulnerabilities before malicious tools get in

Bug Bounty programmes reward individuals who report security vulnerabilities. Participants who discover weaknesses in hardware or software report them to the organising entity (“the vendor”) so that corrective measures can be taken.

By bridging the gap between vulnerability discoverers and vendors, Bug Bounty programmes give structure to a Coordinated Vulnerability Disclosure (CVD) process. This discourages state and non-state actors from stockpiling vulnerabilities and limits the growth of black markets for them. In turn, it curbs the proliferation of malicious ICT practices and tools, which feed on vulnerabilities.

YesWeHack, Europe’s Bug Bounty leader, promotes proactive vulnerability disclosure by organising public and private Bug Bounty programmes. It also offers such programmes to NGOs and civic tech associations to improve the security of their infrastructure. By mobilising a community of ethical hackers and contributing to a coherent CVD approach, YesWeHack limits the entry points available to malicious ICT tools.

YesWeHack

Principle 6

Lifecycle security

Strengthen the security of digital processes, products and services, throughout their lifecycle and supply chain.

ICT/OT supply chain integrity: Carnegie Endowment for International Peace presents government and corporations with recommendations

The Carnegie Endowment has released a report on ICT supply chain integrity authored by Ariel E. Levite. It calls for urgent action to arrest the current trends undermining trust in digital products and services and fracturing the global ICT supply chain.

Strengthening the security of digital products and services throughout their supply chain is a key principle of the Paris Call as malicious actors can threaten governments, industry and individuals by attacking the weakest point on the chain, with negative consequences in terms of geopolitics, espionage, trade, and consumer protection. Cooperative efforts are needed to restore confidence in the integrity of supply chains.

In particular, the new report underscores the importance of complementary governmental and corporate actions to enhance the integrity of the ICT/OT supply chain through a combination of commission and omission, elaborating on practical obligations both should undertake toward that end. It sets out comprehensive, objective criteria for qualifying Trustworthy Suppliers, and proposes mechanisms to verify compliance with the trustworthiness criteria and an incentive structure to reward those who assume and fulfil their commitments.

Read the Carnegie Endowment’s report

Charter of Trust: member companies strengthen cybersecurity along the entire supply chain of their products and services

The digital world is changing everything. Today, billions of devices are connected through the Internet of Things. While this creates great opportunities, it also harbors great risks. To make the digital world more secure, partners from industry have joined forces with the Charter of Trust.

The Charter of Trust is a unique initiative now gathering 16 leading global companies, whose cooperation has reached significant milestones toward cybersecurity and has ambitious goals for the future. The Charter calls for binding rules and standards to build trust in cybersecurity and further advance digitalization.

After two years of work, members have achieved a lot, especially regarding the security of digital processes, products and services. In their businesses, they successfully strengthened cybersecurity along the entire supply chain and established “Security by Default” as a must-have product feature. The Charter of Trust provides its members with an aligned view on security along the digital supply chain and has defined 12 baseline cybersecurity supply chain requirements.

Members of the Charter of Trust are committed to building capacity on this important matter, as well as on other principles outlined in the Paris Call. They commit not only to providing advanced training for their workforce but also for business and society. They also continue to firmly anchor cybersecurity on the agenda at the highest political level, locally and globally.

Charter of Trust

Global Transparency Initiative: cybersecurity and anti-virus provider Kaspersky implements a unique approach for higher transparency and verifiable trust in cybersecurity

Users need to know that their data will be protected and that they can trust the security of the digital products and services they purchase, whether a smartphone, a laptop, a mobile application, or a cybersecurity solution. In order to earn their customers’ trust, companies need to constantly improve their transparency and accountability in cyberspace.

Kaspersky’s Global Transparency Initiative (GTI) puts into effect a set of clear verification and risk-minimization measures to increase users’ confidence and ensure that cybersecurity solutions meet and exceed corporate data security and protection standards.

Measures implemented by Kaspersky range from data handling (relocation of data processing and storage to Switzerland for the utmost data protection and security) to verification (secure and reliable engineering practices confirmed through independent third-party assessment) and vulnerability management (responsible cooperation with security researchers through Kaspersky’s Bug Bounty Program, with awards of up to $100k for the most critical security flaws).

The GTI also puts into place Transparency Centers, dedicated security facilities for greater confidence in and knowledge of cybersecurity products through Kaspersky’s specifically developed ‘three-layer’ approach to security briefings and external reviews of the company’s source code, software updates and threat detection rules.

Transparency Centers

Principle 7

Cyber hygiene

Support efforts to strengthen an advanced cyber hygiene for all actors.

Seguros en la red: the Ecuadorian Cybersecurity Association promotes cyber hygiene to kids in Ecuador

Children and adolescents study, play and interact for hours online. But like every new world to discover, cyberspace presents a series of risks that they need to know about.

The Ecuadorian Cybersecurity Association (AECI) launched the “Seguros en la Red” (“Secure on the net”) project to teach children about responsible use of ICTs and associated risks. AECI created playful characters, who give girls and boys a minimum level of education in order to nurture, foster and promote a culture of digital security. Named “Cyber” and “Alerto”, these fictional characters introduce children to cyberspace with its resources and opportunities but also its dangers.

Awareness, culture and prevention are the three pillars around which AECI aims to create an ecosystem of digital security programs, in conjunction with educational institutions and public and private organizations.

Ecuadorian Cybersecurity Association – Asociación Ecuatoriana de Ciberseguridad (AECI)

Principle 8

No private hack back

Take steps to prevent non-State actors, including the private sector, from hacking-back, for their own purposes or those of other non-State actors.

Hack-back, active defense, and countermeasures: the Cybersecurity Tech Accord starts a conversation on definitions and best practices

As the frequency and severity of global cyber threats grow, defenders are investing in new and innovative techniques to protect themselves. However, not all measures being developed are purely defensive: there is increasing talk of more intrusive “active defense” techniques, with hack back the most prominent example.

The Cybersecurity Tech Accord signatories strongly supported the decision to include Principle 8 in the Paris Call, which rightly introduces a general prohibition on hacking back for non-state actors. However, this is an area fraught with ambiguity, and they believe further elaboration is needed to set clear boundaries around intent, authority, and intrusiveness before government and private actors can implement it.

It is particularly critical to ensure the prohibition does not capture positive cybersecurity techniques, such as penetration testing. To this end, the Tech Accord signatories are committed to working together to support effective implementation of the Paris Call principle on hack back, including by highlighting potential definitions and best practices.

They will start the discussions with a meeting at the Internet Governance Forum in Berlin, where they hope to gather views of not just industry, but civil society on this critical topic. Organizations interested in participating in this effort can send an email to info@cybertechaccord.org.

Tech Accord

Principle 9

International norms

Promote the widespread acceptance and implementation of international norms of responsible behavior as well as confidence-building measures in cyberspace.

The Organization for Security and Co-operation in Europe tackles various cyber threats, including cybercrime and the use of the Internet for terrorist purposes. A key focus is the development of confidence-building measures (CBMs) between participating States to reduce the risks of conflict. Sixteen CBMs have been adopted, which aim at enhancing interstate cooperation, transparency and predictability to reduce the risks of misperception and escalation.

One of these measures requires that participating States nominate a contact point to facilitate pertinent communications and dialogue on ICT-related incidents and coordinate responses. France is one of the lead countries to operationalize this measure, including through communication checks and exercises. Exchanges of information and communication between States can stop an unintentional conflict by defusing potential tensions and stopping or slowing down the spiral of escalation.

Regional organizations such as the OSCE are ideal platforms for building confidence in cyberspace, as they were often conceived for conflict prevention and offer practical expertise with CBMs. So far, several successful “comcheck” exercises have been run by the OSCE Secretariat, which underline the utility of such measures in reinforcing stability in cyberspace through a continuous dialogue between States.

OSCE – Cyber/ICT Security

Preventing the ultimate realization of the cyber risk: the Nuclear Threat Initiative gathers technicians from the nuclear industry so they can equip themselves

Nuclear systems, be they civilian or military, contain digital components. The risk of them being compromised is thus present. A successful cyberattack on nuclear weapons or related systems could have catastrophic consequences. Among scenarios studied by the Nuclear Threat Initiative are those in which a cyberattack could lead to a nuclear launch as a result of false warnings or miscalculation, increase the risk of unauthorized use of a nuclear weapon, and undermine confidence in the nuclear deterrent, affecting strategic stability.

The Nuclear Threat Initiative NGO aims at improving and reinforcing cybersecurity practices at nuclear facilities, by bringing together the global technical cyber-nuclear community in the Cyber Nuclear Forum to facilitate information exchange and foster a network of relationships upon which nuclear operators can draw for advice and assistance.

It also supports studies aimed at providing recommendations for cybersecurity practices at nuclear facilities, for instance through a comparison of the regulatory requirements for protecting nuclear facilities against cyberattacks in five nuclear-armed countries, and through forward-looking approaches to protecting nuclear facilities from cyberattacks that could lead to the theft of weapons-usable nuclear materials or an act of radiological sabotage.

CyberNuclearForum — Nuclear Threat Initiative

States, local governments, companies, civil society organizations: join us!