The International Cybersecurity Dialogue held its fifth roundtable in Budapest Friday evening, October 5, 2012 following our participation in the Second International Conference on Cyberspace. We are proud to recognize ICD corporate sponsor Trend Micro for their support of our Hungarian program with special thanks to Chief Technology Officer Raimund Genes, who joined us from Germany to participate in ICD V.
The ICD dinner discussion on Developing Norms in the Vacuum of Cyberspace with Hungarian government leaders and international government and business leaders was exceptionally dynamic, and the setting in the Fisherman’s Bastion Restaurant overlooking the city was magnificent. Board member Andrew Crocker, Chief Operations Officer of CyByl Technologies Ltd., flew in from the UK for the occasion.
Regarding my thoughts from the dinner on Friday night, firstly I want to say how productive I thought it was. Invariably at such functions trying to start or maintain a dialogue during the dinner is like pulling teeth. This was certainly not the case last Friday. Everyone participated freely and constructively, which to say the least is extremely encouraging.
The main points that I thought emerged from the discussions were:
- Accountability. More emphasis should be put on “who” should be accountable. The general consensus was that the miscreant is not the only one to blame. ISPs, software companies, DNS providers and hosting companies all have some responsibility. In the past, we have seen “knee jerk” reactions to incidents, with preposterous laws or restrictions being proposed or even implemented. It was thought that Government and policy makers are not addressing the problem fully due to a lack of understanding of “who” is culpable.
- Stuxnet remains the elephant in the room and both industry and policy makers have not addressed the full implications of its release into the “wild.” Critical infrastructures of numerous nations are still at risk due to the lack of action regarding Stuxnet and the variations that have followed. The simple three-digit password used by the SCADA system has not been addressed. The reliance on SCADA has not been addressed. These are points that appeared to concern the people on our table.
- One area that jumped out at me was the fact that the one government official/advisor (name withheld) who had a great deal of knowledge in this field was reaching “breaking” point due to the lack of knowledge of other ministers who would base their decisions on other factors and not the advice he was giving them. This to me was the core of what ICD is trying to address. In this example, we had a man with considerable knowledge advising but not being listened to fully. We as a group need to help facilitate better dialogue and in some cases, help to change the attitude of both the policy makers and the technologists so they are more open and receptive to each other.
Discussants drilled down to issues of governance, e-crime, education, awareness, accountability, threats and opportunities undergirding the concept of Norms with the following observations as quoted.
On governance of the internet
President Ilves’ PPNGOP discussed Public-Private NGO Partnership, indicating the importance of transnational organizations (like ICD) being engaged.
It is technically feasible to control the Internet. But would we want that?
The developing world is not participating in the dialogue. The third world is not the place for cyber.
Turkey and Japan have required ISPs to block spammers, something not done in the rest of the world.
If we go down the path of regulation then we must hold China up as the best example of how to accomplish that!
Could major cyber-criminal organizations have sent delegates to the Budapest Conference on Cyberspace? Yes, and that is fine. We want them to know what we are doing. It will increase their costs to react to our actions.
$400 billion has been lost to cybercrime. There are 2 billion IT users and 300,000,000 have been hacked. Each hacked file sells for $130-$150.
On awareness and education
One perspective: We cannot rely on “security awareness” to solve anything.
Another: the US and Canada are working jointly on the Stop-Think-Connect campaign.
Cyber security is a massive field. We need to break it down into sub areas of expertise.
We share your commitment to improving the protection of our SCADA control systems. It is essential to reduce the vulnerabilities in critical infrastructures of energy, finance, transportation, telecommunication everywhere.
Eighty percent of the problems are due to human error or human ignorance.
We need to close the digital divide. The EU has committed to capacity building.
Education in cyber begins in our elementary schools; we need to promote more programs at the adult level.
The possibility was raised that the summer 2012 power outages in India were caused by a Stuxnet derivative that infected many Siemens control systems. Could India sue the US for damages? Very important point to consider: could the introduction/use of cyber weapons cause collateral damage that would incur liability for the creators?
Why should industry be held accountable for hacking? These are criminal acts.
It is critical for governments to consider the private sector’s perspective; we have responsibility for 90% of the internet.
On threats and opportunities
Security best practices do not address today’s experience. How can we change what we do today from a tactical perspective? What are some technical solutions?
It is critical to develop international rules of engagement.
Is there or should there be a self-defense rule for cybersecurity?
Traditional sovereignty may not work in cyberspace.
Notes from the Budapest ICD dinner discussion convened under the Chatham House Rule, thus “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”