
Cyber Security and International Agreements--Abraham D. Sofaer, David Clark, and Whitfield Diffie
Pages 179-206

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 179...
... efforts to deter cyberattacks and exploitation -- though formally advocating international cooperation -- are based almost exclusively on unilateral measures.2 Whether cyberdeterrence through these methods can provide an adequate level of cyber security for U.S. users is, in the view of the NRC Committee on Deterring Cyberattacks (hereinafter "Committee")
From page 180...
... The potential utility of international cybersecurity agreements deserves to be carefully examined. International agreements covering other transnational activities, including armed conflict, communications, air and sea transportation, health, agriculture, and commerce, among other areas, have been widely adopted by states to enhance safety and efficiency through processes that could well be useful in regulating cyber activities.
From page 181...
... As the most wired nation on Earth, we offer the most targets of significance, yet our cyber-defenses are woefully lacking."6 Howard Schmidt, White House Cyber Security advisor, agrees that cyber threats exist, but denies we are in a "war"; others similarly criticize such statements as exaggeration.7 It is widely agreed, however, that various vulnerabilities and forms of hostility have exposed cyber systems, including the Internet, to attack and infiltration, inflicting substantial costs in the form of financial losses and defensive measures and creating even more substantial, future dangers to the nation's critical infrastructures.8 President Obama's 2009 Cyberspace Policy Review concludes: "a growing array of state and non-state actors such as terrorists and international criminal groups are targeting U.S. citizens, commerce, critical infrastructure, and government.
From page 182...
... , which attempts to coordinate the activities of both government and private Computer Emergency Response Teams ("CERTs") and is also working on cyber security standards; 13 While state-sponsored attacks are often difficult to detect, for more than a decade states have used cyber warfare in retaliation to physical warfare or acts of aggression.
From page 183...
... and the International Organization for Standardization ("ISO"), which together as non-governmental organizations, through their Joint Technical Committee, have developed information security standards for all types of organizations including one that addresses the development of information security management systems and the security controls that protect information assets (ISO/IEC 27001:2005)
From page 184...
... , created in March 2009, approved a subcommittee on "international cyberspace policy efforts (the International sub-IPC) composed of officials from the Departments of Commerce, Defense, Homeland Security, Justice, State, and Treasury, the Office of the U.S.
From page 185...
... International agreements that potentially bear upon cyber-security activities also include treaties (the UN Charter and Geneva Conventions) and universally accepted rules of conduct (customary law)
From page 186...
... involvement, including in particular the ITU's plans.25 Acting pursuant to annual calls by the UN General Assembly for greater international cooperation in dealing with cyber threats, and after numerous conferences and studies by a variety of private, national, regional and international groups, the ITU convened a World Summit on the Information Society ("WSIS") at which governments and world leaders called on the ITU to become the sole "Facilitator of Action" in what was designated Action Line 5: "Building confidence and security in the use of ICTs [Information and Communications Technologies]
From page 187...
... It is pursuing its perceived role through a broad range of activities in cyber security education and in the development and promulgation of a comprehensive array of plans and protocols intended to create a secure cyber infrastructure by dealing with cyber crime, technical standards, security requirements, capacity building, and even the promotion of child on-line safety.26 The GCA calls for continued involvement of all existing stakeholders in the cybersecurity effort. At the same time, however, it clearly signals its determination to seek the implementation of standards issued by its own standards development body (ITU-D)
From page 188...
... 30 In addition, conferences supported by the UN, individual governments, regional organizations, and others have been held on several occasions at various places in the world, resulting in calls for increased international cooperation to deal with threats to cyber security.31 On January 6, 2006, the GA adopted Resolution 60/45, calling among other things for the appointment by the Secretary General of "a group of governmental experts, to be established in 2009 on the basis of equitable geographical distribution," to continue to study "existing and potential threats in the sphere of information security and possible cooperative measures to address them," and "to submit a report on the results of this study to the General Assembly at its sixty-fifth session." The Group of Governmental Experts representing 15 states, including China, India, Russia, and the U.S., met four times and on July 10, 2010 issued a report summarizing the threats currently faced by Information and Communication Technologies ("ICTs"), and recommending the following "further steps for the development of confidence-building and other measures to reduce the risk of misperception resulting from ICT disruptions": 1.
From page 189...
... A 2009 GAO Report on national cybersecurity strategy called for an international agreement and a global cyber strategy.35 In September 2009, Senator Dianne Feinstein called for an international agreement regulating cyber warfare much like regular warfare: In addition, the government must consider that effective cyber security inside the United States will require stronger diplomatic efforts and an international agreement on what will and will not be tolerated in cyberspace. An international framework on cyber warfare, much like international conventions on traditional warfare, is needed to govern this rapidly growing field.
From page 190...
... (and others) to refrain from seeking international agreements beyond the CEC.
From page 191...
... They cannot be overcome by invoking sweeping generalities about the values of international cooperation. They do not, however, preclude international agreements on many aspects of cyber security.
From page 192...
... The committee has also been assured that the Defense Department is proceeding with appropriate caution and care regarding military operations in cyberspace." 43 Comprehensive discussions of the application of existing international law to cyber warfare include the paper prepared for the current NRC study by Michael Schmitt, "Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense and Armed Conflicts" (NRC, 2010); and Scott J
From page 193...
... allies, in NATO for example, rather than through a multilateral arrangement with states that have different agendas and are less trusted. Given the difficulties in negotiating international agreements related to cyber war, that subject -- though important and appropriate -- should probably be handled separately from discussions on the ways in which states could cooperate in enhancing cyber security through the regulation of non-state conduct.
From page 194...
... Decentralized answers to these questions help us get along." 47 On the other hand, agreement to some content restrictions may be necessary to achieve agreement on cyber infrastructure protection. In such situations, it may be possible to separate such restrictions from infrastructure-protection provisions in order to allow parties to opt into or out of content requirements.
From page 195...
... 49 Expressly recognizing such authority over cyber activities should be avoided, though with the realization that states will still have the power to regulate within their territories. Consensus should be possible, in fact, on including in any cyber-security agreement a reference to widely approved UN conventions bearing upon privacy and human rights, which may in the long run prove helpful in achieving progress on such issues.
From page 196...
... . Information Sharing A common feature of international agreements is a commitment to share information considered useful or essential by the parties.
From page 197...
... . Law Enforcement Cooperation Thousands of international agreements, bilateral and multilateral, provide for various forms of law enforcement cooperation.
From page 198...
... , but are given other names at other IGOs, such as "codes" or simply "rules." These "rules" are often intended to enhance security, safety, and efficiency, objectives that states would seek in negotiating any cyber security agreement. ICAO's SARPs, for example, deal with such matters as airworthiness, registration and identification of aircraft, navigational aids, airports, licensing of pilots and engineers, collection and exchange of meteorological information, investigation of accidents, and other matters "concerned with the safety, regularity, and efficiency of air navigations as may from time to time appear appropriate." The "rules" adopted by IGOs rarely constitute "law" in the sense of enforceable obligations.
From page 199...
... . For measures taken regarding international cooperation, see Chapter II (specifically section 1 Article 24 for extradition, Article 27 for provisions regarding mutual assistance requests)
From page 200...
... . Enforcement Measures International agreements often leave the power to enforce their requirements to the states that join the regimes they operate.
From page 201...
... 3. Administrative Structure and Powers The third set of issues that must be addressed in fashioning international agreements regarding transnational activities, including cyber security, are the administrative arrangements and allocations of authority to perform the functions agreed.
From page 202...
... . Maintaining Private, Professional Control over Cyber Security Standards Perhaps the most fundamental of all issues in considering whether to support international agreements that allocate significant functions related to cyber systems to an IGO is who would participate in developing and approving standards, and how the IGO would relate to existing organizations such as the IETF, ETSI, and ICANN.
From page 203...
... . Speed and Flexibility States can, in fashioning an international agreement, take into account the special needs and characteristics of the activities to be affected.
From page 204...
... To deal with this problem, international cyber security norms and standards established by declaration, by treaty, or through rules, should be expressed in terms of the results sought, rather than as mandating the use of specific technologies or procedures. The ITU is aware of this potential problem, and has indicated that its proposals will avoid rigid requirements likely soon to be outdated.
From page 205...
... Efforts to extend the reach of a multilateral cyber security agreement to areas of activity where no true international consensus exists seem especially likely to do more harm than good. The potential costs and uncertainties in securing international agreements, and particularly of utilizing UN mechanisms, can be limited through procedural measures and careful planning.
From page 206...
... In the process, the U.S. and other states could enhance security in several areas of cyber activities by authorizing an IGO to perform the many, useful roles such institutions have performed in other areas of transnational activities, while providing governmental backing for rules proposed by the private, professional groups that have made this area of transnational activity so economically productive and socially transformative.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.