Friday, July 7, 2017

Reflections on the GGE "failure"


Despite years of discussion and study, some participants continue to contend that it is premature to make such a determination and, in fact, seem to want to walk back progress made in previous GGE reports. I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions. That is a dangerous and unsupportable view, and it is one that I unequivocally reject. - Michele G. Markoff, Deputy Coordinator for Cyber Issues

The key thing to understand about the State Department team negotiating this is that they appear to be SURPRISED that things fell apart. But it was entirely predictable, at least to the five people who read this blog.

The factors that hang like a millstone around the neck of our cyber diplomacy efforts, in the UN, in NATO, and bilaterally, are all quite loud.

Internal Incohesion

The United States and every other country have many competing views internally and no way of resolving any of the equities issues. Kaspersky is the most recent example of this. Assume Kaspersky did something as bad as what Huawei and ZTE did, but something you can't prove without burning a source, which you are unwilling to do. Likewise, are we willing to say that whatever we are accusing Kaspersky of, in secret, is something we don't do ourselves?

The Kaspersky dilemma goes further than that: we can either fail to act on whatever they did, which means we have no deterrence on anything, ever (our current position), or we can act unilaterally without public justification, which amounts to accepting a completely balkanized internet forever.

As many people have pointed out, the information security rules that governments enforce (e.g. no crypto we can't crack, we must see your source code, etc.) are essentially powerful trade barriers.

On every issue, we, and every other country, are split. 

Misunderstanding around the Role of Non-Nation-States

Google and Microsoft have been the most vocal about needing a new position on how technology companies are treated. But Twitter is also engaged in a lawsuit against the US Government. And the entire information security community is still extremely hostile to any implementation of the Wassenaar Arrangement's cyber tools agenda (negotiated by Michele Markoff, I think!).

The big danger is this: when the information security community and the big companies are resisting government efforts in one area, it poisons every other channel of communication. We are trying to drag these companies and their associated technical community down a road like a recalcitrant horse, and we are surprised we are not making headway. It means that when we have our IC make claims about attribution of cyber attacks, those claims are met with disbelief by default.

Likewise, we still, for whatever reason, feel we have an edge in many areas where we (the USG) do not. Google attributed the WannaCry attacks to NK weeks before the IC was able to publish its document on it. DHS's "indicators of compromise" on recent malware (including the Russian DNC malware) have been amateur-grade.

On many of these issues, nation-states no longer speak with a voice of authority, and we have failed to recognize this.

The equities issues are also ruinous, and we have yet to publish a policy on even the most obvious and easy ones:

  • Yes/No/Sometimes: The United States should be able to go to a small US-based accounting software firm and say "We would like you to attach the following trojan to your next software update for this customer". 
  • Yes/No/Sometimes: The US should interdict a shipment of Cisco routers to add hardware to it. 

So many hyperbolic articles have been written about the exploits the ShadowBrokers (allegedly) stole from the USG that even when we get the equities issues right, it looks wrong. Microsoft has no reasonable argument on vulnerability equities, but that doesn't mean every part of every company's threat model has to include the US Government.

Attempt at "Large Principle Agreement" without Understanding the Tech

The aim of modern cyber norms should be to literally codify your agreements. Cyber decisions get made by autonomous code and need to be stated at that level of clarity. What this means is that if the standard "IP" -> "Country" database (MaxMind's) says you are in Iran, then you are in Iran!

If you try to do what the GGE did, you get exactly what happened at the GGE: people are happy to agree on a large sweeping statement, but only one in which they define every word differently than you do, and which they later take back.

You will often see "Let's not attack critical infrastructure" and "Let's not attack CERTs" offered as examples of norms, but imagine how you would code those in real life! You can't! The Tallinn Manuals are likewise full of nonsensical items like "cyber booby traps" and other ports from previous domains which cannot be represented as code, and hence are obviously not going to stand up over time.
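To make that concrete, here is an added example (not from the original post) of what a norm looks like when it is stated at the level of clarity argued for above: a policy check that decides whether an address may be touched at all, driven by a prefix-to-country table standing in for a MaxMind-style GeoIP database. The prefixes, the country assignments and the off-limits list are all constructed for the example (the addresses come from the reserved documentation ranges), and the policy itself is an assumption, not anything a real agreement says.

```python
import ipaddress

# Constructed stand-in for a MaxMind-style GeoIP database: prefix -> ISO country code.
# Every prefix is drawn from the reserved documentation ranges (RFC 5737) and the
# country assignments are invented for the example; they are not real allocations.
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "IR",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("192.0.2.128/25"): "IR",   # more specific entry inside the DE /24
}

# The codified norm: countries whose address space we have agreed not to touch.
# (Assumed policy for the example, not the text of any real agreement.)
OFF_LIMITS_COUNTRIES = {"IR"}


def lookup_country(ip: str):
    """Longest-prefix match, which is how a GeoIP lookup behaves.

    Returns the ISO country code of the most specific prefix containing ip,
    or None when the database has no entry for it at all.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_cc = None, None
    for net, cc in GEO_DB.items():
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_cc = net, cc
    return best_cc


def may_target(ip: str):
    """Apply the norm mechanically: the database's answer is the answer.

    Returns (decision, reason). Addresses the database cannot place are denied,
    i.e. the policy fails closed; anyone who wants fail-open has to write that
    rule down explicitly. There is no third option in code.
    """
    cc = lookup_country(ip)
    if cc is None:
        return "deny", "no GeoIP entry; failing closed"
    if cc in OFF_LIMITS_COUNTRIES:
        return "deny", f"GeoIP maps {ip} to {cc}"
    return "allow", f"GeoIP maps {ip} to {cc}"


if __name__ == "__main__":
    for ip in ["198.51.100.7", "203.0.113.5", "192.0.2.10", "192.0.2.130", "10.0.0.1"]:
        decision, reason = may_target(ip)
        print(f"{ip:>14}: {decision:5} ({reason})")
```

Note what this does and does not show. "Do not touch hosts in country X" is encodable because there is a shared, machine-readable data source, and the decision is exactly as good as that source: the nested /25 flips the answer for half of a /24, and an address the database has never seen has to be handled by an explicit rule. "Do not attack critical infrastructure" has no such table to consult, which is why it cannot be written in this form at all.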

What this points to is that we should be building our cyber norms process out of technical standards with a thin layer of policy on top, not massive policy documents with the technology as an afterthought.


Even if you and your wife disagree on the definition of the term "cheating", you are both happy to agree that cheating is bad. But if you then go on to define the term in such a way that it doesn't apply to cigar-related events, and in a sense gerrymander your activities as "OK" retroactively, your wife is going to pull out of the whole agreement, and it is neither confusing nor surprising why. That's what happened at the GGE, and in all of our cyber norms efforts.
