Global Cybersecurity Norms

www.cyberscoop.com/cyber-norms-united-nations-gge-state-department/

Fresh off the release of its national cybersecurity strategy, the Trump administration gauged interest at the United Nations in restarting talks on global cybersecurity norms. The negotiations, which collapsed last year amid reported acrimony among the U.S., Russia and others, aim to set limits on government-backed hacking at a time when offensive operations are abundant.

At a meeting Friday with representatives of more than 20 countries, Deputy Secretary of State John J. Sullivan raised the prospect of restarting the norms dialogue at the U.N. Group of Government Experts (GGE), according to a State Department statement. Sullivan told reporters the department hopes to reconvene the GGE “to define norms of behavior that states will abide by and, if they don’t, to impose consequences.”

Worth a read. I remain skeptical that governments, especially the U.S., can achieve anything meaningful.


Diplomacy and Defense

Diplomacy and Defense in Cyber Space:

The strength of our society rests on the strength of our IT. In a world where everything is connected—phones, cars, houses, electric grids, supermarkets, hospitals, financial systems and satellites—everything can be disrupted, if not destroyed. For several years, cyber threats have featured at the top of the risk assessments of government ministers, diplomats, intelligence officials and military leaders. What is missing in these debates is a grand strategic vision. Cyber diplomacy and cyber defense should become the bread and butter of our foreign and security policy debates.

(Via Lawfare)

The article is taken from a talk given to EU Foreign Ministers. It is geared toward the political and legal. The overuse of “cyber-” to an extent I haven’t seen in a long time removes much of the import at first glance. As it is, the presentation doesn’t say much particularly new.

However, the presentation restates some excellent points:

  • How do and which legal frameworks apply?
  • How do sovereign and international laws apply?
  • What is the role of attribution?
  • How do political and military organizations work together?

None are addressed particularly well. Far from a criticism, I like this talk because it brings these points up again without prescription.

The oddball bit, in a good way, is the section titled “Cyber Security Exercises”.

Let me be plain: I STRONGLY agree with this. I think the talk provides an excellent prescription:

What is important here is that cyber exercises should not be the playground of only the ministers of defence. Cyber security and cyber defence go beyond the military community boundaries. Thus, cyber security should also be exercised by other ministers, including the ministers of foreign affairs, as most real world crises in the future will have cyber components, to which political and diplomatic response will be required in addition to technical response.

Yes! Ministers, departments, and every other governmental organization need to take responsibility for their own security and not passively wait for law enforcement, military, or intelligence agencies to do it for them.

The conclusion:

As digital is the new normal, there are boundaries of acceptable state behaviour in cyberspace, just as there are everywhere else. States have to be clear about how international law obligations bind us. Each of our like-minded nations individually should be open and clear in setting out the rules it feels bound by. Staying silent means accepting that cyberspace is a grey area and a dangerous place. We must not allow that to happen – we should work together and take united steps to ensure that future generations do not question why nothing was done when so much was at stake.

As skeptical as I am about governments’ ability to do much of anything, I am open to being surprised by something that balances security, privacy, civil liberties & freedoms, and business needs.


Flavored eel bones: a crunchy yummy snack

Flavored eel bones: a crunchy yummy snack:

I’m no stranger to eating bones. As a child I was like a cat hearing the lid being peeled off a can and flying into the kitchen to see what’s for dinner. Every time my mother opened some canned salmon, there I’d be, standing by her side waiting for her to drop some of those soft, greasy, salty fish bones into my hands. But I haven’t done that in years.

Fast forward to the other day, when I came across a bag of similar-looking bones in my local supermarket here in Japan. A quick look and I noticed they weren’t salmon bones, nor were they soft or greasy. They were eel bones.

Dry roasted eel bones, in fact. The package tells me they are chock full of calcium, vitamins A, B2, D, and E. Who needs potato chips when for 200 yen you can get 26 grams of eel bones to nosh on? Not only that, but Kyomaru makes several different flavors, too: spicy, salt, soy sauce, wasabi, and sweet sesame seed flavored.

(Via Boing Boing)

Ohhh. Something to look for this weekend!


Notes on the Bloomberg Supermicro supply chain hack story

Notes on the Bloomberg Supermicro supply chain hack story:

Bloomberg has a story about how Chinese intelligence inserted secret chips into servers bound for America. There are a couple of issues with the story I wanted to address.

The story is based on anonymous sources, and not even good anonymous sources. An example is this attribution:

a person briefed on evidence gathered during the probe says

That means somebody not even involved, but somebody who heard a rumor. It also doesn’t mean the person even had sufficient expertise to understand what they were being briefed about.

The technical detail that’s missing from the story is that the supply chain is already messed up with fake chips rather than malicious chips. Reputable vendors spend a lot of time ensuring quality, reliability, tolerances, ability to withstand harsh environments, and so on. Even the simplest of chips can command a price premium when they are well made.

(Via Errata Security)

The truth about this story is still revealing itself. I do know that I already tire of it.

Robert Graham’s article is the strongest critique of the Bloomberg story I’ve read. My skeptical nature tends to agree with him until more facts are known.
