A Measure of Restraint in Cyberspace Reducing Risk to Civilian Nuclear Assets a Measure of Restraint in Cyberspace

MunichPrepared Security for Conference the 2014

A Measure of Restraint in Cyberspace Reducing Risk to Civilian Nuclear Assets A Measure of Restraint in Cyberspace

Reducing Risk to Civilian Nuclear Assets

With a preface by Mohamed ElBaradei

January 2014

This discussion paper has been prepared in the framework of the partnership between the EastWest Institute and the Information Security Institute of Moscow State University, which are both members of the International Cybersecurity Consortium. _

The views expressed in this publication do not necessarily reflect the position of the EastWest Institute, its Board of Directors or staff. _

The EastWest Institute seeks to make the world a safer place by addressing the seemingly intractable problems that threaten regional and global stability. Founded in 1980, EWI is an international, non-partisan organization with offices in New York, Brussels, Moscow and Washington. EWI’s track record has made it a global go-to place for building trust, influencing policies and delivering solutions. _

The EastWest Institute 11 East 26th Street, 20th Floor New York, NY 10010 U.S.A. +1-212-824-4100 _

[email protected] www.ewi.info A Measure of Restraint in Cyberspace 5 - PREFACE Nobel Peace Prize Lauerate Lauerate Prize Nobel Peace overnments and citizens are increasingly aware of and concerned about the po- and concerned of aware increasingly are and citizens overnments and man- natural combined of in the face assets civilian nuclear of fragility tential made In occurrences. this context, I find the growing development and deploy as a potential concern of nation-states by capabilities cyber offensive ment of

International Atomic Energy Agency; General Energy ElBaradei Director Atomic Mohamed Former International I recommend this report to the delegates of the 2014 in that forum. Nuclear underway already work the useful of as a continuation Security Hague this March Summit in The In this report, the EastWest Institute takes a refreshingly direct approach, drawing on the drawing approach, direct a refreshingly takes Institute the EastWest In this report, - re The arenas. non-cyber in negotiations control arms global of experiences successful cyber of in the uses restraint of a measure consider begin to that states port recommends assets. nuclear attack civilian to tools using those of possibility the foregoing by weaponry, - radioac of a release of that the probability agree While experts the public safety. to threat low, is relatively attack on such assets physical-cyber a combined through material tive be devastating. could such a release of the consequences G PREFACE e s pac A Me a su r e of Rest ra i n t Cybe r

Rancho Seco nuclear power plant outside Sacramento, California. A Measure of Restraint in Cyberspace 7 - - - FOREWORD - vibran the and benefits societal and economic unprecedented Internet’s the oday, economic and political influences: three by endangered are commerce global of cy and stability about domestic concerns protectionism, trade (including pressures cy infrastructure, critical to (threats concerns security about surveillance), anger

Bruce W. McConnell President W. Vice Institute Bruce Senior EastWest - will con Initiative, in Cyberspace Cooperation Global its through Institute, The EastWest the fu- that threaten issues of range on the entire progress meaningful facilitate tinue to this at the end of be found can about that initiative information More cyberspace. of ture report. The growth of cyber arsenals and the democratization of access to the technologies of of the technologies to access of and the democratization arsenals cyber of The growth comprehensive for than wait Rather short. that time is increasingly attack mean cyber Institute has the solutions, focused in EastWest this report on a specific adop- nextstep, - pro We during peacetime. weaponry cyber of in the uses restraint of a measure tion of as- attack civilian nuclear to tools using those of the possibility that nations forego pose from assets peaceful these insulate to steps concrete four recommends The report sets. include an to pleased is also EWI evolves. approach comprehensive attack while a more of Institute Security the Information in Russia, organization our partner from Afterword University. State Moscow Until now, most bilateral work to reduce cyber risk has been focused on confidence build- on confidence risk has been focused cyber reduce to work bilateral most Until now, a mul- On attacks. sharing about low-level and information such as hotlines ing measures, tilateral basis, the United Nations Group of Governmental Experts agreed last year - that comprehen A unclear. remains it applies but how in cyberspace, applies law international off. a long way remains approach sive In cabinet offices and leaders boardrooms, are asking whatcan maintain per it is important to be done is overdue, to interest of While this level address the “crisis.” cybersecurity prudent Nevertheless, militaries continue to develop offensive cyber Attack capabilities. not in- are Such capabilities than kinetic attacks. costly and less is safer via cyberspace rules, few are there where in an environment destabilizing however, are, They bad. herently - an acci and where misunderstandings, spark could attribution of the challenges where consequences. unintended serious have dent could ber-enabled crime and a growing cyber arms race), and the absence of effective national effective of and the absence arms race), cyber crime and a growing ber-enabled institutions. governance cyberspace and international Yet, criminals. cyber by day every done is damage economic significant Certainly, spective. “Stux The measured. and countable remain attacks destructive state-on-state serious - physi a to prior infrastructure cyber Georgia’s of up softening the and Iran, in attacks net” not commonplace. iconic, remain invasion cal T EXECUTIVE SUMMARY

n 2003, the G8 agreed in broad terms on quences resulting from cyber attacks on a common approach to the protection of nuclear facilities, progress to advance in- critical international economic and social tergovernmental collaboration to address Iassets from cyber attacks. The principles cyber risks to civil nuclear assets has been agreed upon have been reiterated in equally slow. In 2012, for instance, the U.S. Depart- broad terms by a number of regional orga- ment of State research team published a nizations. At the same time, the pressure paper, “Cyber Security for Nuclear Power from the testing and use of offensive cyber Plants” suggesting that existing UN Con- weapons by states, the threat of serious ventions be examined in order to identify terrorist attacks against civilian targets us- ways to “extend their provisions to include ing cyber means, and the demonstrated ca- domestic and international nuclear cyber- pabilities of cyber criminals dictate a need terrorism.”

e to quicken the pace of cooperation. Leading governments have articulated this need but At a technical level, the International Atom- have not succeeded in addressing the wide ic Energy Agency (IAEA) is working to im- s pac range of urgent challenges. prove international cooperation in the realm of cybersecurity for nuclear power plants, This paper proposes specific actions to working closely with the European Network reduce the cyber risks to civilian nuclear and Information Security Agency (ENISA). assets, given the grave consequences of These collaborative efforts will be further possible radiation release in certain cir- advanced at the 2015 IAEA Conference on cumstances of attack. Although the Stux- Cyber Security, which will provide an internet worm discovered at Iran’s Natanz nu- national forum for continued dialogue on clear enrichment facility in 2010 is the most how to prevent, detect, and resist emerging widely-publicized cyber attack against a cyber threats in the nuclear sector. In ad- nuclear facility, the number of less publi- dition, governments such as the UK, lead- cized attacks affecting the nuclear sector is ing corporations, and organizations like the constantly increasing. For example, seven World Institute for Nuclear Security (WINS) attacks inside the United States were re- have all been promoting the international

A Me a su r e of Rest ra i n t Cybe r ported to the U.S. Department of Home- sharing of best practice and capability im- land Security’s Industrial Control Systems provements for the protection of critical 8 Cyber Emergency Response Team (ICS- nuclear information systems and data. CERT) during the first half of 2013. This number is merely the tip of the iceberg, as In a parallel infrastructure—civil aviation— many nuclear operators around the world important progress has been made. Spe- do not report incidents, fearing the public cifically, at the 2010 Diplomatic Conference opinion backlash that can follow, or simply on Aviation Security in Beijing, 55 of 76 because they are unaware of the attacks. participating states supported new treaty obligations to forego the use of “techno- Despite potentially devastating conse- logical means,” including cyber, to attack A Measure of Restraint in Cyberspace 9 - - This paper proposes specific proposes This paper the cyber reduce actions to assetsnuclear civilian to risks consequences grave the given in release radiation possible of attack. of circumstances certain - Secu Nuclear 2014 The March The Hague should Summit in rity and among states open a debate with the purpose corporations agreement early promoting of attacks technological of that use against means) (including cyber civil nuclear of operation the safe should be in peacetime assets binding a legally by prohibited instrument. multilateral the should consider States a multilateral of establishment infor nuclear for center response high of incidents mation security severity. signed not yet that have States Statement Multilateral the 2012 Security Information on Nuclear Summit at the 2014 should do so their and publicize The Hague in position. states Summit, the 2014 to Prior - State signed the 2012 that have and widely ment should issue their of an assessment publicize the commit against performance to with a view made, they ments the of the value demonstrating non-signatories. to agreement 1. 2. 3. 4. Recommendations - - This report provides four specific- recom cyber nuclear strengthen mendations to The third Nuclear Security Summit, to be provides 2014, The Hague in March held in 31 summit, 2012 the At opportunity. a key signed the Multinational Statement states - repre that Security Information Nuclear on share to signatories by a commitment sents emphasizes The Statement practices. best with the IAEA working of the importance (specifically with itsComputer Security at and Nuclear International Facilities Nuclear the programs), Network Education Security - Standardiza for Organization International - Telecom and the International tion (ISO), Summit The 2014 Union (ITU). munication the to this work take to a chance provides next logical stage, moving beyond actual restraint. building to dence - confi civilian aircraft. The United States and Chi- States The United civilian aircraft. signed have to countries among 24 na are Bei- and 2010 Beijing Convention the 2010 other for an example setting jing Protocol, follow. to countries work broader as encourage as well security, If successful, in cyberspace. on stability here advocated restraint of the measures risk, cyber a serious not only reduce would na- of ability the demonstrate would they to commitment a concrete make tions to Work in cyberspace. their activities temper could sector nuclear civilian the with ing and busi- help governments subsequently for priorities determine better leaders ness the long haul in other sectors. Introduction the Tallinn Manual3 on the wartime rules for cyberspace has recently published a new study on peacetime rules.4 More than a ith broad agreement now se- While general agreements are desirable, a dozen states cured in the United Nations’ practical beginning may be to quarantine are now pursu- Group of Governmental Ex- selected critical information infrastructure Wperts (GGE) on Information (CII)5 from cyber attacks during peacetime ing offensive Security that the general principles of as a measure of restraint. There is an urgent cyber capa- international law apply in cyberspace,1 the need to reach consensus, as cyber attacks time is right to begin to operationalize the become more sophisticated and risks to es- bilities. This expected norms of behavior in relation to sential services continue to grow. cyberspace critical infrastructure (CI) protection. More than a dozen states are now pursuing of- militariza- fensive cyber capabilities. This cyberspace What Are the Cyber tion drives the militarization drives the urgent need to shield civilian critical infrastructure from Threats to Civil Nuclear urgent need to peacetime cyber incidents, whether by ac- Assets6 shield civilian cident or design. Among the first of those infrastructures deserving of such consider- critical infra- ation is civilian nuclear facilities, where a structure from cyber incident could lead to the release of ivil nuclear assets represent a spe- radioactive material in a densely populated cial case of critical infrastructure peacetime area. given the grave consequences of cyber inci- possible radiation release in cer- C 7 As discussed later, states and infrastruc- tain circumstances of attack. dents, whether ture operators are moving slowly towards by accident or international collaboration to help protect By 2014, the focus of international concern CI information assets. This collaboration regarding nuclear information security has design. has been stronger within alliances (such expanded to include possible attacks by as NATO) and tightly knit groups of states states. To date, the Stuxnet worm discov- such as the European Union. It has been ered at Iran’s Natanz nuclear enrichment

e weaker across big political divides involv- facility in 2010 is the most widely-publi- ing major powers, such as Russia, China, cized successful cyber attack against a nu- the United States, Pakistan, India, Iran clear facility. While there may be debate as s pac and Israel. Teams of international experts to whether Natanz is a “civil” nuclear facil- however have provided some recommen- ity, Stuxnet and its progeny could clearly be dations that will make this cooperation used against them. After exploiting several stronger. Specifically, in 2011, the EastWest vulnerabilities, the malware attacked the Institute (EWI) published a research paper supervisory control and data acquisition on updating The Hague and Geneva Con- (SCADA) systems at Natanz, resulting in ventions2 that encourages creating new the destruction of approximately one thou- agreements for the online environment; 3 Tallinn Manual on the International Law the GGE agreement is a step in the right dir- Applicable to Cyber Warfare. Edited by Michael Schmitt. ection. In parallel, the team that produced Cambridge University Press, 2013. Web. 8 Jan 2014. . 4 Peacetime Regime for State Activities in Cyberspace. International Law, International Relations and Diplomacy. Edited byKatharina Ziolkowski. NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, December 2013. A Me a su r e of Rest ra i n t Cybe r 1 UN Docs, A/68/98. Group of Governmental Web. 8 Jan 2014.< http://www.ccdcoe.org/466.html>. Experts on Developments in the Field of Information and 5 CII refers to the information systems, networks and 10 Telecommunications in the Context of International Security. data that support the safe or reliable operation of critical General Assembly. The United Nations, 24 Jun 2013. Web. infrastructure. 6 Jan 2014. ; Psaki, Jen. Statement on Consensus Achieved by the rubric includes radioactive material, nuclear material and UN Group of Governmental Experts On Cyber Issues U.S. civil nuclear facilities (power stations, enrichment facilities, Department of State, 7 Jun 2013. Web. 6 Jan 2014. . or store nuclear waste, and the specialist knowledge or 2 Rauscher, Karl and Andrey Korotkov, “Working information about these systems. It does not include the Towards Rules for Governing Cyber Conflict: Rendering the supply of electric power from nuclear power stations. Geneva and Hague Conventions in Cyberspace,” EastWest 7 Such a release is viewed as a low-probability, but a Institute, February 2011. high-consequence event. A Measure of Restraint in Cyberspace 11 Civil nuclear assets a represent special case criticalof infrastructure the grave given consequences possibleof radiation release in certain circumstances attack. of -

13 19 Oct

- Direc 16 15 Telegraph . BBC News, 20 Sep 2011. or simply because they they or simply because supra n 11. 14 Asia-Pacific 1 Around the same time as this inci- time as this the same Around 12 Ibid., Williams, Christopher. “Stuxnet-based cyber Goldman, 14 15 Clapper, James. “Statement for the Record: 16 13 12 “Japan defence firm MitsubishiHeavy in ating systems. Although this shift is a ne- ating systems. - safe long-term in improving step cessary with it new it brings and performance, ty be carefully that must vulnerabilities cyber in made been have steps Some addressed. digital systems introducing by this direction mitigate which helps basis, on a gradual with operators and provides the concern changing security adapt to time to more Industry Industry experts identified at least is there the specificof First, concern. areas three existing in many place that takes transition digital oper analog to from plants nuclear dent, dent, espionage tool Duqu infiltrated- com puter networks of several European firms the industry; in nuclear roles key that play - confiden steal to was attack the of purpose vulnerabilities and reveal tial information attacks. in later be exploited that could Worldwide Worldwide Threat Assessment Community,” Senate of Select the 12 Committee Mar US 2013. Web. on 8 Intelligence Jan Intelligence, 2014. . espionage espionage virus targets European firms.” 2011. Web. 8 technology/news/8836633/Stuxnet-based-cyber-espionage- Jan. 2014. . Web. Web. world-asia-pacific-14982906>. 8 Jan 2014.

8 . ICS_CERT Monitor, Incident Apr Response Activity. ICS_CERT Monitor, 11 “Brute Force Attacks on Internet-Facing Control 8 Sanger, David. “Obama Order Sped Up Wave of 9 According to its website, the Industrial Control 10 11 Goldman, David. “Hacker hits on U.S. power and deployed jointly by the United States and States the United by jointly deployed slow of objective with the apparent Israel nuclear of Iran’s ing the down development program. York Times Cyberattacks Against Iran,” Iran,” Against Cyberattacks 8 Jan. 2014. . “works (ICS-CERT) Team Response Emergency Cyber Systems to reduce risks within and across all critical sectors infrastructure by partnering with law enforcement agencies and the intelligence community and coordinatingefforts among Federal, state, local, and tribal systems governments owners, operators, and and vendors. control Additionally, ICS- CERT collaborates with international Computer and Emergency private Response sector Teams control (CERTs) systems-related to security share incidents and See http://ics-cert.us-cert.gov/. measures.” mitigation Systems,” Systems,” 2013, 2. Web. 8 Jan 2014. . nuclear targets spiked in 2012.” CNN Money, 9 Web. Jan 2013. 8 Jan technology/security/infrastructure-cyberattacks/>. 2014.

e Nevertheless, there has been some prog- and ratified/acceded by 41. Several of those ress. In 2003, the G8 Justice and Interior who have signed or ratified are not member Ministers adopted a broad set of 11 prin- states of the CoE (e.g. United States, Japan s pac ciples that member states are encouraged and Australia), but uptake is weak outside to consider when developing their national Western democracies.25 strategies to protect CII. These Principles for Protecting Critical Information Infra- Important multilateral work on enhancing structure are focused on improved warning CII protection (CIIP) has also been carried systems, training programs to personnel out in the European Union (EU). In 2009, from G8 member states and enhanced infor instance, the European Council adopted ternational cooperation and coordination a Communication on CIIP26 that led to the on the issue.21 In 2004, the UN General As- adoption of an action plan based on five pil- sembly adopted Resolution 58/19922 on lars that reveal a general commitment and the “Creation of a global culture of cyber- a determination to improve structures for

17 Ibid. 18 A good recent survey on this issue is Dave 23 Brunner, Elgin and Manuel Suter, International Clemente. “Cyber Security and Global Interdependence: CIIP Handbook 2008/2009. Swiss Federal Institute of What Is Critical?” Web. 8 Jan 2014. Royal Institute Technology Zurich, 492. Web. 8 Jan 2014. . chathamhouse.org/sites/default/files/public/Research/ 24 G8 Foreign Ministers’ Meeting Statement. Web. 12 International%20Security/0213pr_cyber.pdf>. 8 Jan 2014. . 20 Portnoy, Michael and Seymour Goodman. “Global 25 Many states, including Russia and China, have Initiatives to Secure Cyberspace: An Emerging Landscape.” declined calls to sign this convention. Springer, Dordrecht NL, 2009, 43. 26 “Proposal for a Directive of the European 21 G8 Principles for Protecting Critical Information Parliament and of the Council concerning measures to Infrastructures, Adopted by the G8 Justice & Interior ensure a high common level of network and information Ministers. May 2003. Web. 8 Jan 2014. . LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:P 22 A/Res/58/199, adopted 30 January 2004. DF>. A Measure of Restraint in Cyberspace 13 Many statesMany and regional organizations simply lack resources an have to at theimpact international level. ------How 34 . (2009). 8 Web. supra n 20, 48. Relating more dir more Relating 31

Journal of Energy Security 32 Other region-wide moves have have moves region-wide Other ASEAN Telecommunications and IT Ministers ASEAN Telecommunications 33 See In addition to such meetings on infor such meetings In addition to 35 31 Telecommunications and Information. Asia- and Goodman, 32 Portnoy 33 34 Koh, Collin, and Alvin Chew. “Critical Energy 35 Joint Ministerial Statement of the ASEAN-Japan ever, transnational cyber threats make the make threats cyber transnational ever, the and framework regional a of creation across procedures CIIP of harmonization and Japan imperative. boundaries national ASEAN have taken a joint lead cybersecurity regional cing the principle of in - advan of the purposes for measures cooperation 2013 September the During CI protection. Meeting on Cyber Secur Policy Ministerial reached ASEAN and Japan Cooperation, ity of senior encouraging agreement a new ficials to promote ASEAN’sin three joint main areas: efforts 1) to create a secure build a secure to 2) environment; business network; and communication information cybersecur for capacity enhance and 3) to - protec infrastructure critical including ity, tion. ectly to CII TEL protection, in 2002 issued included which Strategy, Cyber Security its - Informa of on the Security “Statement a Infrastructures”. Communications tion and work to members encouraged The Strategy and laws appropriate develop to APEC with guide- the following closely while policies on Convention CoE the out by laid lines Cybercrime. Pacific Economic Cooperation. Web. 15 Jan . by implementing appropriate policies and and policies appropriate implementing by strategies. cooperation mation security, ASEAN ASEAN also has a regional mation security, forum (ARF) to hold official consultations 2014, In issues. security and peace on Workshop a host is planning to ARF the on Cyber Confidence-Building Measures In East Asia, with the Singapore Declaration Declaration with the Singapore Asia, In East Asian Southeast of Association the 2003, of - insti its reform to moved Nations (ASEAN) - informa the with deal to structure tutional the for infrastructure critical of tion security first time. followed, and individual governments have have and individual governments followed, level. national the at strides made Meeting (TELMIN).ASEAN Jan Secretariat, 2012. 2014. economic-community/category/asean-telecommunications- Web. 8 . Infrastructure Protection: The Case Energy Network.” of Trans-ASEAN the Jan. 2014. . Ministerial policy Meeting on Cybersecurity ASEAN, 13 Cooperation. Sep 2013. Web. 8 Jan 2014. . ministerial - - - in re 28 Digital Digital Agenda “Policy on Critical Critical on “Policy see: This draft makes clear that clear makes This draft Moreover, it recommends an it recommends Moreover, 29 This communication was set set was communication This 30 27 Five pillars include: 1) Preparedness and 27 28 Downing, Emma. “Cyber Security – A 29 Impact New Assessment: Network and Information 30 Ibid. responses. out to coordinate measures to protect Eur protect to measures coordinate to out incidents cyber large-scale ope from Another intergovernmental organization organization Another intergovernmental - com ongoing an that has demonstrated information critical protect to mitment Economic Pacific Asia the is infrastructures - Tele The APEC group. Cooperation (APEC) Working and Information communications Group (TEL) was formed in - and informa telecommunications prove 1990 to im- region Asia-Pacific the in infrastructure tion increase in the capability of national CERTs national CERTs of in the capability increase Teams). Response Emergency (Computer the have which will directive, The proposed a mobilizer is more in the EU, law of force standards detailed of than imposer rather - obliga the general from apart or behaviors tions mentioned earlier. prevention: to ensureDetection andresponse: to provide adequate earlywarning preparedness mechanisms; 3) at Mitigation and levels;all recovery: to cooperation: CII; mechanisms 4) for International defense reinforce to 2) EU promote EU priorities internationally; and 5) Criteria for the ICT sector: to support the implementation of the Directive on the Identification and Designation of European information, more For Critical Infrastructures. Protection (CIIP).” Infrastructure Information . Europe for European Commission, 02 Jul Jan 2013. Web. 2014. 8 policy-critical-information-infrastructure-protection-ciip>. . the voluntary approach has not provided has not provided approach the voluntary within the Member results the necessary includ- CI operators, and it requires States, of providers “key and transport, ing energy, (e-commerce services society information as pub- as well networks), social platforms, adopt appropriate to lic administrations, and report risks security manage to steps the national competent to incidents serious authorities.” sponse to cyber attacks launched against against launched attacks cyber to sponse and in 2008 Georgia and in 2007 Estonia in cable a transcontinental of the break - the Euro 2012, June 12, On year. that same titled a resolution passed Parliament pean - Protec Infrastructure Information Critical tion: Towards Global Cybersecurity provides that the Commission action in the future for recommendations with specific CIIP field. In2013, on net directive a draft issued the Council Commissionthe and work and information security to be final- in 2014. ized aimed at enhancing transparency in cyber- Infrastructure.”40 Moreover, during the 67th In China, in space and fostering regional cooperation UN General Assembly, Chinese representa- 2012, the In- on cybersecurity issues.36 tive Wu Haitao stressed the need to prevent the information technology arena and outer formation Another Asian-based regional intergovern- space from becoming new battlefields. He Security Law mental organization, the Shanghai Cooper- observed that the threats to information se- ation Organization (SCO), which includes curity had become a challenge to the inter- Research Cen- Kazakhstan, China, the Kyrgyz Republic, national community; therefore the priority ter of the Xian Russia, Tajikistan and Uzbekistan as mem- was to formulate global rules to ensure that bers, embraced cybersecurity as an im- information technologies were used only Jiaotong Uni- portant aspect of its work in 2006.37 SCO for social and economic development.41 versity issued later undertook cooperation with the Black Lastly, on October 20, 2013, a Chinese rep- Sea Economic Cooperation (BSEC) with resentative to the United Nations, Liu Ying, a Blue Paper a purpose of protecting information and made a short statement to the First Com- on “China’s networks systems in the Black Sea area.38 mittee calling on states to cooperate in the Additionally, in 2009, an intergovernment- CII protection.42 Protection for al agreement on cooperation in providing information infrastructure security was Critical Infor- 40 This document does not give much insight into reached by SCO member states at the policy but it is essential reading for anyone working on mation Infra- Yekaterinburg Summit. This agreement that China’s cyber policies. Above all it demonstrates the structure.” came into effect in June 2011 after ratifica- relatively recent focus by China on a number of key policy tion by the six member states.39 SCO main- decisions affecting its information security. The document is a useful compendium. The paper is offered as a quick guide, tains quite high intensity in the diplomacy an “introductory note for the international community to

e of information security. understand China’s laws, regulations and policies for the protection of critical information infrastructure.” The research In China, in 2012, the Information Secur- center describes itself as the “executive body forChina’s Cloud s pac Computing Security Policy and Law Working Group.” It is the ity Law Research Center of the Xian Jiao- organizer for China’s Information Security Law Conference tong University issued a Blue Paper on and China’s Information Security Law Website. The paper “China’s Protection for Critical Information identified the following priority sectors: 1) government affairs information systems; 2) Communist Party affairs information systems; 3) livelihood sectors (finance, banking, taxation, customs, auditing, industry, commerce, social welfare, energy, communication and transportation, and national defense industry; 4) educational and governmental research institutes; and 5) public communications, such as radio and television. The composition of the working group which produced the paper is notable, with representatives from the Protection Bureau of the Ministry of Public 36 “ASEAN Regional Forum - Workshop on Cyber Security (its Lead Bureau), the First and Third Research Confidence Building Measures_2014. Concept Paper. Web. Institutes of the Ministry of Public Security, leading private 8 Jan 2014. . pdf. 14 37 Declaration of the Heads of the SCO Member 41 “Prospects for Nuclear-Weapon-Free World States on International Information Security, Shanghai, 15Jun Increasingly Illusive as ‘Tectonic Shifts’ From Unilateral 2006. For unofficial translation, see http://www.fidh.org/en/ Measures Affect Strategic Stability, First Committee Told,” Terrorism/Declaration-of-the-Heads-of-the. UN Press Office. General Assembly GA/DIS/3456, 16 Oct 38 Muresan, Liviu. “Energy Security-Critical 2013. Web. 8 Jan. 2014.. NATO Summit 2008. 15 Jan 2008. Web. 8 Jan 2014. . Security at the First Committee of the 68th Session of the 39 PIR Center Powerpoint, . china-un.org/eng/hyyfy/t1094491.htm>. A Measure of Restraint in Cyberspace 15 To date, very date, To concrete few have proposals been made address to to risks cyber civil nuclear through assets specific new multilateral agreements. ------Civil

49 Speak 47 Within academia, KCL KCL academia, Within 50 As part of their wider activ of part As In a news release summariz release a news In 51 48 “Deputy Prime Minister: isinformation power in Ibid. Hobbs, Hobbs, Christopher. “Nuclear Information Secu- Ibid.

49 50 Reding, Anais. “Making information security an 51 47 48 have have led work to develop a “Nuclear Infor mation Security Code of Conduct,” aimed Conduct,” of Code mation Security by the risk posed of awareness at raising - informa nuclear sensitive of the transfer and academic tion within the research communities. To advance its efforts, the UK government government the UK efforts, its advance To organizations, with international is working and the organizations non-governmental academic community. More the specifically, Foreign and Commonwealth Office is developing for GICNT partners an module online on Nuclear Information Security, of development the in IAEA the supporting on document series security nuclear new a “Protection and Confidentiality of tive Sensi- Information in Nuclear Security;” and has assisted the World Institute for Nucle- ar Security (WINS) in formulating - “Informa a on industry guide for practice best - Challenges Operations for tion Security Opportunities.” and ity, the UK government has also supported supported also has government UK the ity, initia- and training in educational the IAEA including security, nuclear promote to tives In College 2011 King’s information security. London (KCL) launched a two-week inter course development national professional aimed at education security in nuclear and culture security nuclear promoting in assisting through security, information - and train academic of the development have courses Four in this area. ing courses ing Clegg’s comments at the 2012 NSS, the NSS, 2012 the at comments Clegg’s ing infor that the stated British government from “ranges be secured mation that must improvise to how [to] sites, nuclear of maps secur border beat to how and [to] a device plans.” response and emergency ity rity Code of Conduct,” Global Partnership Meetings at the 2013. UK, 24th October Society, Royal (FCO).” policy security nuclear global the of part integral nuclear threat,” nuclear Deputy threat,” Prime Minister’s Office, UK, 27 Mar 2012. Web. 8 Jan 2014. . Service . Beta UK Government, 14 2014. Oct - 2013. . how to construct a viable device.” a viable construct to how ing at the 2012 Minister NSS, Nick UK Clegg declared: Deputy “In Prime nuclear power and that is power information issues, hor to be used can hands in the wrong rifying effect. That’s why the UK has been nuclear of security on the way the leading information.”

- - - - 45 43 The research The research 44 The UK government firmly The UK government 46 Pollard, Pollard, Kane. “The UK Contributionto the 2012 o date, very few concrete proposals proposals concrete few very o date, cyber address made to been have through assets civil nuclear to risks new specific multilateralagree-

43 Martellini, Maurizio, Thomas Shea, and Sandro 44 Ibid. Resolution, Council Convention Security “The UN 45 46 believes believes that: “Acquiring the is only half the challenge material a device construct to will fail Their efforts groups. terrorist for of the knowledge acquire also they unless Gaycken. Gaycken. “Cyber Security for Nuclear Power 8 Jan 2014. . on Suppression of Acts of Nuclear S/RES/1540 Terrorism,” . 2014. Jan 8 Web. (2004). See also UN Resolutionctc/specialmeetings/2012/docs/United%20Nations%20 1373 http://www.un.org/en/sc/ Security%20Council%20Resolution%201373%20(2001).pdf. Nuclear Security Summit.” PONI Spring Conference. 19 Apr 2012. Web. 8 Jan poni/120417_Pollard.pdf>. 2014.

e sponse unit in the nuclear information se- It has produced a series of documents that curity field is worthy of further review by the outline the fundamentals of nuclear cyber- international community. Moreover, this security, provide technical guidance and s pac proposal addresses the needs identified in offer specific recommendations. Recogniz- the unofficial U.S.-Russia joint policy as- ing the evolving nature of the threat and the sessment of October 2013, that encourages emergence of new targets such as control states to “build on the existing international and instrumentation systems and mobile instruments for warning, interdiction and computing devices, the IAEA plans to pro- consequence management of such acts in duce additional guidance documents on a nation-states.”56 rolling basis. Meanwhile, increased demand from member states for advanced training courses on information security and professional development has prompted the 52 “Nuclear security education award.” King’s Col- IAEA to schedule between six and nine of lege London, 18 Sep 2013. Web. 8 Jan 2014. . with other members of the field, as illustrat- 53 “UK-NL Nuclear Information Security Workshop.” ed by its participation in the “@tomic 2012” 06 Nov 2013. Web. 8 Jan 2014. . Security: Cyber Security Programme.” Web. 8 Jan 2014. 16 54 Ibid. . in The Hague.” Russian-Dutch Bilateral Seminar. 03 Sep 58 See http://www.iaea.org/NuclearPower/ 2013. Web. 8 Jan 2014. . NPE/day-2/4.cyber_security_introduction.pdf. 56 “Steps to Prevent Nuclear Terrorism: 59 For examples, see https://inlportal. Recommendations Based on the U.S.-Russia Joint Threat inl.gov/portal/server.pt?open=514&objID=1269 Assessment,” Belfer Center for Science and International &mode=2&featurestory=DA_62265 and http:// Affairs. Harvard University. Web. 15 Jan 2014. . enisa-cooperating-on-nuclear-cyber-security-with-iaea. A Measure of Restraint in Cyberspace 17 As states tocontinue globallydebate acceptable over-arching to approaches cybersecurity criticalof information infrastructure, important has progress beenalready made in one — area discrete civil aviation.

see Among 66 https://www. see 65 For For an excellent analysis of the two . For the text of the Convention, http://www.asil.org/insights/volume/15/ s states continue to debate debate to continue s states over-arching acceptable globally of cybersecurity to approaches infrastructure, information critical see http://www.icao.int/secretariat/legal/Docs/beijing_ 65 “Discussion of Recommendations to the Presi- 66 The text of the 2010 Convention on the other things, the new commitments oblige oblige commitments the new other things, “technological” criminalize to signatories and facilities on civil air navigation attacks aircraft in flight. The term- Ac attacks. include cyber does “technological attacks” Aviation Civil the International to cording to the main changes (ICAO), Organization with similar names treaties pre-existing treaties, treaties, unodc.org/tldb/en/2010_protocol_convention_unlawful_ . seizure_aircraft.html dent on Incentives for Critical Infrastructure Owners and Op- and Owners Infrastructure Critical for Incentives on dent Web.to 8 erations JoinVoluntary a Cybersecurity Program,” Jan 2014. . Suppression of Unlawful Acts Relatingto International Civil Aviation “was adopted with 55 14votesvotes in not favour, in favour” and the text of the 2010 Protocol Supplementary of Seizure Unlawful of Suppression the for Convention the to in not votes 13 favour, in votes 57 “with adopted was Aircraft Conference International the of the of Act “Final See favour.” on Air Law” (Diplomatic Conference Aviation on held Security) under the auspices of the International Civil Aviation Organization at Beijing from 30 August2010, to September 10 final_act_multi.pdf A A Possible Precedent: Precedent: Possible A Civil Aviation and its partners on this project is currently is currently this project on partners its and the United in initiatives by being validated issued 13636 Order Executive U.S. States. in 2013 imposes an obligation on the - - Na Technol and Standards of tional Institute ogy (NIST) to work with industry to set up - vol of the development for a framework and standards untary consensus-based and insurance both Notably, practices. best liability considerations were identified by as potential Commerce of Department U.S. - infra critical foster to incentives market cybersecurity. structure there has already been important progress been important progress has already there - valu A aviation. area—civil in one discrete Diplo- made at the 2010 was able pledge in Security Aviation on matic Conference states participating 76 55 of Beijing where (the commitments treaty new supported Beijing and 2010 Beijing Convention 2010 obligations augment existing to Protocol) aircraft. the hijacking of prevent to https://www.unodc.org/tldb/en/2010_convention_civil_ Protocol, the of text the For . aviation.html issue/3/september-11-inspired-aviation-counter-terrorism- convention-and-protocol.

- 61 62

A number of number of A 63 focused on the value of of on the value focused 64 and also the March 2013 meeting meeting 2013 March the also and 60 http://www.enisa.europa.eu/media/news-items/ 60 “@tomic 2012” was an international table-top 61 The purpose of the meeting was for the 62 WINS forforuman “provides those international 63 World Institute for Nuclear Security, Corporate recommendations, the of some of overview an For 64 exercise - the pro by generated recommendations the to which will be presented of some ject, Nuclear Industry Summit Working Group on Cyber Security at the 2014 Nuclear - Se Summit, curity exercise exercise focused on the prevention of nuclearterrorism. It included a cybersecurity component and was for the 2014 Nuclear Security Summit. part preparations of the European Union Agency Security for (ENISA) “to provide Network its expertise, and andguidance on the process for developing a computer security provide to Information incident response plan at a See nuclear/radiological facility.” enisa-cooperating-on-nuclear-cyber-security-with-iaea accountable for nuclear security to share and promote the https://www. See practices.” security best of implementation wins.org/index.php?article_id=61. Incentive Liability Mechanisms, and WINS Assurance Market Roundtable Report, in partnership with Centre for Science and Security Studies (CSSS), King’s 26 Apr 2013. Kingdom, London, United College London (KCL) see World Institute Nuclear at Security Cyber Increased for Incentives forRegulatory Nuclear Security, “MarketFacilities: The and Role of the Design2013. Threat,” Basis February with the European Network and - Informa tion Security Agency (ENISA) on “Incident Security Computer for Planning Response Events at Facilities.” Nuclear/Radiological - the afore to obstacles potential Despite mentioned proposals, the work of WINS creating a cyber design basis threat (DBT) (DBT) threat basis design cyber a creating that would promote better definitionof the - govern between responsibilities division of party Third operators. and nuclear ments certification of compliance with the return a direct operators nuclear give would DBT in security. on their investment (WINS) recently concluded an aimed at identifying project governance 18-month corporate promote to incentives market In one cybersecurity. spending on nuclear insurance, the from experts workshop, - conclud industries and nuclear cyber legal, indus- barriers, the many “despite ed that market by enhanced self-regulation try-led augment existing to is necessary incentives guidance IAEA regulations, government treaties.” and international The World Institute for Nuclear Security World Institute for Nuclear Security Nuclear for Institute World These collaborative efforts will be further will be further efforts collaborative These on Conference IAEA at the 2015 advanced an inter will provide which Cyber Security, dialogue on continued for national forum emerging resist and detect prevent, to how sector. nuclear in the threats cyber were the criminalization of the acts of using The 2014 Nuclear Security civil aircraft as weapons, using dangerous Summit: A Key Opportunity materials to attack aircraft or other targets, and directing cyber attacks on aircraft in Overall, the flight.67 A UN summary of international legal instruments to counter terrorism states he third Nuclear Security Summit statement that “a cyber attack on air navigation facili- will take place on March 24-25, represents a ties constitutes an offence” under the 2010 2014. It provides an opportunity to Beijing Convention.68 The United States build on the work of the previous commitment T and China are among 24 countries to have summit (Seoul 2012) in the area of infor- by signatories signed the treaties. mation security of civil nuclear facilities. During the 2012 summit, 31 states signed to share best Article 6 of the 2010 Protocol limits the ef- the Multinational Statement on Nuclear practices, but fect of the treaty to all situations other than Information Security71 based on an initial armed conflict. It specifically excludes “The draft by the UK. There are several positive avoids ad- activities of armed forces during an armed outcomes of this statement. First, signator- dressing issues conflict, as those terms are understood ies “are now drafting their own legislation to under international humanitarian law” and bring in the policies and codes of practice of criminaliza- “the activities undertaken by military forces suggested.”72 Second, parties to this agree- tion, deter- of a State in the exercise of their official du- ment have endorsed several general guide- ties.” The latter clause may exclude from the lines, one of which is “to enhance cyber se- rence, and ban those actions currently undertaken by curity measures concerning nuclear facili- prevention some states in cyberspace against civil avi- ties.” Third, signatories commit to action on ation, as long as the operation is undertak- “some or all” of 13 more specific prescrip- with regard to en by their armed forces. In his 2013 State tions targeting national governments, the attacks against of the Union address, President Obama al- nuclear industry and the nuclear scientific/ luded to such threats against civil aviation academic community and geared towards nuclear infor- from “enemies” of the United States. 69 the implementation of new or improved mation secu- guidelines, practices and training activities The 2012 Conference on Aviation Secur- within the domain of nuclear information rity. ity paid considerable attention to capacity security. Overall, the statement represents building, information sharing and exchange a commitment by signatories to share best of best practices, with a view to harmon- practices, but avoids addressing issues of izing national procedures. It also called for criminalization, deterrence, and prevention

e standardization of electronic transmission with regard to attacks against nuclear infor- of passenger information and requested mation security. ICAO to “further address emerging issues s pac such as air traffic management security The statement emphasizes the importance (i.e., the security of air navigation services of working with the IAEA (specifically with and facilities), landside security, and cyber its Computer Security at Nuclear Facilities threats.”70 and International Nuclear Security Educa- tion Network programs); the International Organization for Standardisation (ISO); and the International Telecommunication Union (ITU). Additionally, the document highlights UN Security Council Resolutions 1540 and 1887 as key international instruments that should have their information security-related elements implemented by 67 ICAO Briefing, “Administrative Package for Ratification of or Accession to the Convention onthe states. However, it does not suggest the Suppression of Unlawful Acts Relating to International Civil amendment of Resolution 1540 to address Aviation (Beijing Convention, 2010),” Web. 8 Jan 2014.

A Me a su r e of Rest ra i n t Cybe r nuclear cyber terrorism, as suggested by . 73 18 68 See “United Nations Actions to Counter port mentioned earlier. Terrorism,” http://www.un.org/en/terrorism/instruments. shtml. 69 For a discussion of and recommendation to address the ambiguous boundary between war and peace in cyberspace, see, Rauscher and Korotkov, “Working Towards Rules for Governing Cyber Conflict,” 25, 36-7. 71 For text, see http://www.whitehouse.gov/the- 70 Communique of the High-level Conference press-office/2012/03/27/nuclear-security-summit-seoul- on Aviation Security (HLCAS) held in Montréal from 12 to march-2012-multinational-statement-nuclear. 14 September 2012. For text, see http://www.icao.int/ 72 Reding, supra n 50. Meetings/anconf12/IPs/ANConf.12.IP.39.2.1.en.pdf. 73 Martellini, Shea and Gaycken, supra n 43. A Measure of Restraint in Cyberspace 19 We make amake We number of suggestions helpthat may strengthen international collaboration nuclearfor information as well security, as promote moves broader in stability to cyberspace. - - mechan such a multilateral need not may - prob would states developed less but ism, ably benefit fromthe existence of a global kind. some of CERT industry nuclear Recommendation 3: States that have not Statement Multilateral the 2012 signed yet on Nuclear Information Security should do and The Hague in Summit at the 2014 so position. their new publicize why arguments reasonable some are There is not viewed Statement the Multinational - a rela it is First, states. some by positively that in- commitments of set weak tively practices best of sharing beyond little volve the Second, development. and capability not is assets nuclear civil of administration but it is also issue sovereign only a domestic little to it does Third, one. a highly sensitive how balance, On attackers. possible deter ever, we believe that we believe the statement reflects ever, the a number of of principles stated already such as Russia, non-signatories, leading to stand also states These China and India. means available in increase an from benefit their develop and to practices best share to of standards and the safety capacities, facilities. with nuclear neighboring states Recommendation 4: Prior the 2012 signed that have states Summit, to the publi- and widely should issue Statement 2014 their performance of an assessment cize it in made they commitments the against of the value demonstrating to with a view non-signatories. to the agreement Nuclear information security is a signature but it age the information of issue security states Most little attention. too has received diplo- of an explosion from suffering are diplomacy multilateral in burdens matic to change climate from ranging on issues for has been little room There safety. food the on intrude to safety information nuclear in the Even leaders. many of agendas busy framework of the Nuclear Security three or Sum- two the among be to it needs mit, main issues on the table. What justifies an in wider public de- this issue of elevation and the it between the relationship is bates with the militarization dilemmas associated of cyberspace. Now is the perfect time for join the UK to with a commitment states a advance to campaign visibly in its more agenda. common - - - - ome significant has progress been made in the Specifically, CIIP area. Statement Multinational the 2012 on Nuclear Information Security

erenced above. It will build on the Russia- above. erenced up set to agreement bilateral States United - tech and communications an information mechanism response incident nology (ICT) risk reduction nuclear inside their existing states nuclear advanced most The center. This proposal will address a need will identified address This proposal special- American and Russian of a team by as ref advisors, government and senior ists Recommendation Recommendation 1: The March 2014 Nu- The Hague should Summit in Security clear - and corpora among states open a debate early promoting of tions with the purpose at technological of that use agreement - rea of plenty are there the one hand, On maximum retain to want states why sons forwartime flexibility situations interms of attack. of and means selection target lawful and pol- is a moral there the other hand, On be made about humani- to judgement itical potential of in wartime, even tarian impacts, at by radiation of amounts large of release Recommendation 2: States should a multilateral of establishment sider the - con - se information nuclear for center response high severity. of incidents curity recognized the threat of possible attack on possible of the threat recognized - sys control information-technology-based there Moreover, facilities. at nuclear tems the around development has been notable and practice best of sharing international protection the for improvements capability and systems information nuclear critical of leading such as the UK, Governments data. corporations, the IAEA and WINS have all nuclear In the civil their part. been playing international of the pace however, sector cat the potentially to relative collaboration with a successful risk associated astrophic num- a make We slow. too is attack cyber - help strength that may suggestions ber of nuclear for collaboration en international as promote as well security, information in cyberspace. stability to moves broader the against means) (including cyber tacks in facilities civil nuclear of operation safe a legally by should be prohibited peacetime instrument. binding multilateral station. power a nuclear like tacking targets S Conclusions and Recommendations AFTERWORD

Reflections and Supplementary Recommendation on the Subject

ith respect to Recommenda- • Recognize the misuse of ICT against tion 1, using the Beijing preced- nuclear facilities as an international ent as the basis for the crimin- crime. alization of cyber attacks and • Assist states that are victims of mis- W use of ICT against nuclear facilities, joint actions to prevent or prosecute cyber attacks, including through the exchange of including supporting the investigation intelligence information, we can note that of the facts in such cases. these are in almost complete accord with • Promote the development of insur- Russian policy. These attacks are covered ance covering breaches of security of by the relevant articles of the Criminal Code nuclear facilities as a result of mali- of the Russian Federation for the malicious cious use of ICT. use of software. Russia’s law enforcement • Create additional certification sys- agencies are working to identify, prevent tems for software and hardware in- and eliminate computer-related crime, in- tended for use in nuclear facilities. cluding in the field of nuclear safety. There is cooperation between the law enforce- Recommendations During Hostilities ment agencies of the Russian Federation and the law enforcement agencies of other • Create an inventory of the objects for countries through Interpol. In addition, the which military attack by ICTs is pro-

e signing of the Russian-American agree- hibited. ment on cooperation in the field of inter- • Make perfidy regarding the malicious national information security in 201374 is use of ICT an international crime. s pac also a part of Russia’s response. • Provide assistance, international cooperation and participation for neu- To increase the effectiveness of coopera- tral states in discovery of evidence of tion in the field of information security for violations of international humanitar- nuclear facilities it would seem appropriate ian law by malicious use of ICT in the to initiate discussion on the following pro- nuclear sphere. posals at the Nuclear Security Summit in The Hague in 2014:

Recommendations for Peacetime Dr. Anatoly Streltsov Information Security Institute • Identify information and communica- Moscow State University tion systems of nuclear facilities in cyberspace as systems protected under

A Me a su r e of Rest ra i n t Cybe r international humanitarian law, and provide an inventory of such systems. 20 • Consider the benefits of developing a monitoring system, based on national, regional and global capabilities, for violations of international humanitarian law involving the misuse of ICT against nuclear facilities.

74 Russia-U.S. Joint Statement on Confidence Building Cooperation, 17 June 2013 A Measure of Restraint in Cyberspace 21 - - - Создать Создать дополнительную систему сер- программных тификации и технических (аппаратных) средств информатизации, предполагаемых к установке на - ядер ные объекты. которые на объектов, перечень Создать военные атаки с использованием ИКТ запрещено. Признать вероломство в злонамерен ном использовании ИКТ - международ ным преступлением. Оказывать помощь, обеспечивать - меж дународное сотрудничество и тие нейтральных государств в учас области проведения расследований фактов на- рушения норм международного - гума нитарного права при злонамеренном использовании ИКТ против объектов сферы. ядерной Признать Признать международным преступле нием злонамеренное использование объектов. ядерных против ИКТ Оказывать помощь жертвам государствам злонамеренного - использова – ния ИКТ против ядерных объектов, том числе в и в области проведения рас- таких фактов. следования Cтраховать против рисков нарушения безопасности ядерных фактам объектов злонамеренного по - использова ния ИКТ. • • • • • • • Доктор Анатолий Стрельцов Анатолий Доктор Информационной Институт Проблем Безопасности, Московский Университет Государственный Рекомендации во Рекомендации военных действий время - - - - - екинский стандарт, - предусматрива ющий криминализацию кибератак и совместные действия по - предо твращению или судебному пре Рассмотреть Рассмотреть возможность и - целесооб разность разработки системы - монито ринга нарушения норм - международ ного права гуманитарного в отношении злонамеренного использования наци базе на объектов ядерных против ИКТ ональных, региональных и глобальных средств. Идентифицировать информационные и Идентифицировать коммуникационные системы ядерных объектов в киберпространстве и соста- вить Реестр таких систем как защищаемых международным систем, гумани тарным правом. • •

Рекомендации в мирное время Рекомендации П Предложения по дополнительной теме для координации для координации теме по дополнительной Предложения информационной обеспечения в области интересов объектов ядерных безопасности Для повышения эффективности сотрудничес следованию следованию кибератак, в том числе, обмена путем разведывательной информацией, во многом был выполнен Российской - Федера цией. Уголовный кодекс Российской рации Феде включает соответствующие статьи, по которым предусматривается наказание программ. вредоносных использование Пра- за воохранительные органы работают над вы- явлением, предупреждением и пресечением преступлений, в компьютерных том числе и в области безопасности ядерных объектов. На- лажено сотрудничество правоохранительных структур с Федерации - Российской правоохра нительными структурами других государств по линии Интерпола. Российская Федерация также подписала соглашение российско-американское (2013г.) по сотрудничеству в об- ласти обеспечения международной - инфор мационной безопасности. тва в области обеспечения информационной безопасности ядерных объектов - представля ется целесообразным инициировать начало обсуждения следующих вопросов на Самми- г.: 2014 безопасности в Гааге по ядерной те Acronyms

APEC Asia Pacific Economic Cooperation ASEAN Association of Southeast Asian Nations BSEC Black Sea Economic Cooperation CERT Computer Emergency Response Team CI critical infrastructure CII critical information infrastructure CoE Council of Europe DBT design basis threat ENISA European Network and Information Security Agency EWI EastWest Institute FCO Foreign and Commonwealth Office HTCSG High Tech Crime Sub Group GGE Group of Governmental Experts IAEA International Atomic Energy Agency ICAO International Civil Aviation Organization ICS-CERT Industrial Control Systems Cyber Emergency Response Team ICT information and communications technology

e ISO International Organization for Standardization ITU International Telecommunication Union KCL King’s College London s pac MHI Mitsubishi Heavy Industries NSIR Nuclear Security and Incident Response NSS Nuclear Security Summit SCADA supervisory control and data acquisition SCO Shanghai Cooperation Organization SMRs small modular reactors TEL Telecommunications and Information Working Group WINS World Institute for Nuclear Security A Me a su r e of Rest ra i n t Cybe r

22 A Measure of Restraint in Cyberspace 23 . l References - - Official Journal of the European Official Journal of the Officia . Department for Business, Innovation and Skills Business, Innovation for . Department Adopted by the G8 Justice & Interior Ministers & Interior the G8 Justice by Adopted . General Assembly. The United The United Assembly. . General . Senate Select Committee on Intelligence, 12 Mar 2013. Web. 2013. 12 Mar on Intelligence, Select Committee . Senate . Edited byKatharina Ziolkowski. NATO Cooperative Cyber Defence Centre of Centre Cyber Defence Cooperative NATO Ziolkowski. byKatharina . Edited . 8, 12 (Article 1), 14 Aug 2013. Web. 8 Jan 2014. . Web. 8 Jan 2014. . . 8, 12 (Article 1), 14 Aug 2013. “Prospects for Nuclear-Weapon-Free World Increasingly Illusive as ‘Tectonic Shifts’ From Unilateral Unilateral Shifts’ From as ‘Tectonic Illusive Increasingly World Nuclear-Weapon-Free for “Prospects Assembly GA/DIS/3456, Press Office. General UN Told,” Committee First Stability, Strategic Affect Measures 8 Jan. 2014. . 16 Oct 2013. Web. Tallinn Manual on the International Law Applicable to Cyber Warfare. Edited by Michael Schmitt. Edited Warfare. to Cyber Law Applicable Manual on the International Tallinn 8 Jan 2014. . “Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high to ensure concerning measures and of the Council Parliament of the European a Directive for “Proposal Feb Commission, Brussels, 07 European the Union,” security across and information of network level common 8 Jan 2014.. 2013. Web. Peacetime Regime for State Activities in Cyberspace. International Law, International Relations International Law, International Activities in Cyberspace. for State Regime Peacetime and Diplomacy . Europe Agenda for Digital (CIIP).” Protection Infrastructure Information on Critical “Policy 8 Jan 2014. . Martellini, Maurizio, Thomas Shea, and Sandro Gaycken. “Cyber Security for Nuclear Power Plants.” U.S. U.S. Plants.” Nuclear Power “Cyber Security for Gaycken. Thomas Shea, and Sandro Maurizio, Martellini, 8 Jan 2014. . Web. 23 Jan 2013. of State, Department >. 8 Jan 2014.. policy meeting.pdf asean-japan ministerial Statement/final_joint_statement May 2003. Web. 8 Jan 2014. . 2003. Web. May - . Worldwide Threat Assessment of the US Assessment Threat Worldwide the Record.” for “Statement James. Clapper, Community Intelligence deci The UK is taking in nuclear threat.” is power information “Deputy Prime Minister: and of the Council. “ Parliament 2013/40/EU of the European “Directive Infrastructures.” Information Critical Protecting Principles for “G8 Nations, 24 Jun 2013. Web. 6 Jan 2014. . Web. 6 Jun 2013. 24 Nations, 8 Jan 2014. . to- Nick Clegg said Prime Minister terrorism, Deputy tackle the threat of nuclear to sive action . Union Web. 8 Jan 2014. . A /68/98*. Group of Governmental Experts on Developments in the Field of Information and in the Field of Information Experts on Developments Governmental A /68/98*. Group of Security of International in the Context Telecommunications Global Cooperation In Cyberspace

“Cyberspace is the future of the human r a c e .” Strategic Objective non-governmental organizations, and the netizens themselves must also participate Zhang Li in shaping a common future. Director, To mitigate the negative consequences of global Internet fragmentation, the East- Progress is urgently needed in the near Chinese West Institute has launched the Global term—every month that passes without Center for Cooperation in Cyberspace Initiative. action raises the costs to society of the Contemporary current trends and of turning those trends The Challenge around. Without effective action, the future International safety and livelihoods of literally billions of young, new Internet users will be substan- Relations The Internet’s unprecedented economic tially degraded, increasing pressure on al- and societal benefits, and the vibrancy of ready fragile states. global electronic commerce, are endangered by government-erected barriers to the flow of information products and - ser The Opportunity vices. This development is driven by three influences: The Splinternet is an Internet whose capacity and effectiveness are weakened by

e • Political and Economic Concerns: barriers to efficient information transfer, Trade protectionism, concerns about threats to personal and public security, and domestic instability, and anger about unresolved conflicts around norms. The s pac surveillance create domestic political EastWest Institute will help to create insti- pressure for “localization.” tutions, processes and agreements that will • Security Concerns: Cyber attackers reduce the pressures driving fragmentation increasingly menace the delivery of and minimize its negative consequences. life-sustaining essential services, international cyber criminals go unpun- The Cooperation in Cyberspace initiative ished, and a cyber arms race threat- will convene and mobilize government and ens stability. private stakeholders around three object- • Weak Governance: National and in- ives that match the three influences driving ternational cyberspace governance fragmentation: institutions are slow, weak, isolated, or non-existent. 1. Economic Growth: Promote free trade in secure products, encour- If these three influences are not success- age the flow of information to

A Me a su r e of Rest ra i n t Cybe r fully managed, a militarized, fragmented promote education and innova- “Splinternet” will emerge to threaten global tion and promote limits on cyber 24 economic growth and fuel dangerous surveillance. regional and international instability. More- 2. Security and Stability: Work over, these interrelated influences cannot to mitigate cyber risks to critical be managed separately. Because the net- infrastructure, streamline mutual work connects everywhere, true cyberse- law enforcement assistance in curity will require the participation of all cyber-enabled crime and pro- key governments, including many in the mote measures of restraint in developing world. Private sector operators cyber weapons development and and suppliers, national and international deployment. A Measure of Restraint in Cyberspace 25 - Mitigation Approach Mitigation the benefits Promote secure to access of and services. products - con domestic Recognize the flow encourage cerns; promote to information of and innovation. education the Internationalize dialogue about limits. Influence protectionism Trade about do- Concerns instability mestic about surveillance Anger The EastWest - a widely-re McConnell, Bruce president, Institute’s and security policy cyberspace spected senior vice in experience of 25 years with over leader policy information sector public and private is leading organizations, and technology by complemented His skills are this effort. fellows, and staff cyber new and existing - volun of network along with an extensive and partners. teers The Work Ahead The Work In- in Cyberspace Cooperation The Global government and mobilizes convenes itiative ob- three around stakeholders and private the of the impact that will mitigate jectives and security growth, economic Splinternet: is or EWI governance. and sound stability working virtual and facilitating ganizing multi-national public of comprised groups sum- Two stakeholders. sector and private year each small and one large) (one mits and results and showcase will consolidate action. collective promote Objective: Economic Growth ------Facilitate Facilitate Governance: Sound - trans of and testing the design orderly, accountable, parent, and agile management inclusive that structures and governance and trust predictability increase in cyberspace. worthiness 3. The work needed to achieve a secure and a secure achieve needed to The work stable cyber aligns environment with EWI’s on seemingly takes The institute mission. unsolved, left that, problems intractable would result in serious conflict among and scale. or global a regional nations on within Over the past four years, EWI’s cyber - col and pri- public has integrated laboration serious several address to leadership vate it example, For in cyberspace. challenges inter catalyze to successfully has worked begun has now Institute The EastWest critical objectives three the achieve to work and its cyberspace of use the continued to Thesebenefits. interrelatedcap- programs corporate help top to ability on its italize see the world around and national leaders utiliz is EWI issues. of impact strategic the - com improve to arrangements national and spam, reduce security, munications build bilateral confidence and trust among and India. Russia China, the U.S., technology/policy of network global ing its experts and senior officialsresponsible for or and private in governments cyberspace part existing use will also EWI ganizations. working groups with civil society nerships partnerships, new and develop in this arena so as to maximize effectiveness and - environ - effi in a resource-constrained ciency inter of set a diverse It is engaging ment. and use provide who national companies cyberspace to serve their customers. No problems the solve can orcompany nation is true for alone; the same cyberspace of Institute. EastWest the including nonprofits, Objective: Security and Stability

Influence Mitigation Approach

Reduce cyber risks to critical infrastructure, e.g., enhance Threats to the delivery emergency preparedness, of essential services and increase confidence in the cyber supply chain.

Modernize mutual law Cyber-enabled crimes enforcement assistance go unpunished procedures for cyber- enabled crimes.

Promote measures of restraint, e.g., quarantine civil Cyber arms race nuclear facilities, undersea threatens stability cables, and financial ex- changes and clearinghouses from cyber attacks.

Objective: Sound Governance

Existing multi-lateral and multi-stakeholder institutions must be strengthened and their legitimacy enhanced. In some areas, new institutions may be needed. The working

e groups EWI forms to make progress toward the first two objectives will be “instrument- ed” to provide lessons about what works s pac in multi-national, multi-sector stakeholder collaboration. For each issue, the institute will create a transparent, accountable, orderly, inclusive, and agile working group. The program will create and test out proto- types of the organizations that are needed to manage global problems in cyberspace and in other domains. This experiential data will be supplemented by research on the strengths and weaknesses of existing international institutions and processes in cyber and other issue domains. The result will be a set of models for institutional design and operation that will serve the ef-

A Me a su r e of Rest ra i n t Cybe r fective, long-term governance and management of cyberspace. 26 A Measure of Restraint in Cyberspace 27 conducting interviews with government officials, academics and academics officials, with government interviews conducting emerging areas of global risks, threats and challenges. Greg is the author is the author Greg and challenges. threats risks, global of areas emerging on especially security, on international books highly reviewed several of including a PhD. relations, in international qualifications paradigm. In-country experience in Bosnia and Herzegovina, Estonia, Estonia, and Herzegovina, in Bosnia experience In-country paradigm. unique country’s each of understanding her with a better provided climate. political journalists, researching policy gaps in the current European cybersecurity cybersecurity European in the current gaps policy researching journalists, advisor at the Center for Strategic and International Studies. He received He received Studies. and International Strategic for at the Center advisor Policy Public for School the Evans from Administration Public of a Master affiliation, he maintains a faculty where Washington, of at the University University. Stanford from Sciences and a Bachelor of networking with public and private sectors around the world. He also He also the world. around sectors with public and private networking which Program, in Cyberspace Cooperation the institute’s manages in the field of political studies. He co-authored this paper as a member of paper as a member this co-authored He studies. of political in the field includes its Worldwide Cybersecurity Initiative. McConnell is also a senior a senior is also McConnell Initiative. Cybersecurity Worldwide its includes Office on UK conflict prevention policies. He has several post-graduate post-graduate several He has policies. prevention conflict on UK Office Greg Austin leads the institute‘s Policy Innovation Unit, whose purpose purpose whose Unit, Innovation Policy the institute‘s leads Austin Greg Eric Cappon is a recent honors graduate of Queen‘s University in Canada University Queen‘s of graduate honors Cappon is a recent Eric Institute‘s the EastWest for Coordinator is a Program Kostyuk Nadiya Bruce McConnell is responsible for leading EWI’s communications and communications EWI’s leading for is responsible McConnell Bruce Ukraine, Russia, Serbia, Sweden, Switzerland and the Czech Republic Republic and the Czech Switzerland Sweden, Serbia, Russia, Ukraine, About the Authors the Policy Innovation Unit at the EastWest Institute. Unit at the EastWest Innovation the Policy will be to identify and produce a stream of policy papers on new and on new papers policy of a stream identify and produce will be to Asia. In 2003-04, he led a major review for the United Kingdom Cabinet Kingdom the United for he led a major review In 2003-04, Asia. Worldwide Cybersecurity Initiative. She spent the past two years years two She spent the past Initiative. Cybersecurity Worldwide EastWest Institute Board of Directors

OFFICE OF THE CHAIRMEN OFFICERS MEMBERS

Ross Perot, Jr. (U.S.) John Edwin Mroz (U.S.) Martti Ahtisaari (Finland) Chairman President, Co-Founder and CEO Former Chairman EastWest Institute EastWest Institute EastWest Institute Chairman 2008 Nobel Peace Prize Laureate Hillwood Development Co. LLC R. William Ide III (U.S.) Former President of Finland Board of Directors Council and Secretary Dell Inc. Chair of the Executive Committee Tewodros Ashenafi (Ethiopia) EastWest Institute Chairman and CEO Armen Sarkissian (Armenia) Partner Southwest Energy (HK) Ltd. Vice Chairman McKenna Long and Aldridge LLP EastWest Institute Jerald T. Baldridge (U.S.) President Leo Schenker (U.S.) Chairman Eurasia House International Treasurer Republic Energy Inc. Former Prime Minister of EastWest Institute Armenia Former Senior Executive Peter Bonfield (U.K.) Vice President Chairman Central National-Gottesman Inc. NXP Semiconductors

Matt Bross (U.S.) Chairman and CEO IP Partners

Robert N. Campbell III (U.S.) Founder and CEO Campbell Global Services LLC

Peter Castenfelt (U.K.) Chairman Archipelago Enterprises Ltd.

Maria Livanos Cattaui (Switzerland) Former Secretary-General International Chamber of Commerce

Michael Chertoff (U.S.) Co-founder and Managing Principal Chertoff Group David Cohen (U.K.) Anurag Jain (India) Amb. Yousef Al Otaiba (U.A.E.) Chairman Chairman Ambassador F&C REIT Property Management Laurus Edutech Pvt. Ltd. Embassy of the United Arab Emirates in Washington, D.C. Joel Cowan (U.S.) Gen. (ret) James L. Jones (U.S.) Professor Former Advisor Admiral (ret) William A. Owens Georgia Institute of Technology U.S. National Security (U.S.) Former Supreme Allied Chairman Addison Fischer (U.S.) Commander AEA Holdings Asia Chairman and Co-Founder Europe Former Vice Chairman Planet Heritage Foundation Former Commandant U.S. Joint Chiefs of Staff Marine Corps Stephen B. Heintz (U.S.) Sarah Perot (U.S.) President Haifa Al Kaylani (Lebanon/ Director and Co-Chair for Rockefeller Brothers Fund Jordan.) Development Founder and Chairperson Dallas Center for Performing Arts Hu Yuandong (China) Arab International Women’s Forum Chief Representative Louise Richardson (U.S.) UNIDO ITPO-China Zuhal Kurt (Turkey) Principal CEO University of St. Andrews Emil Hubinak (Slovak Republic) Kurt Enterprises Chairman and CEO John Rogers (U.S.) Logomotion General (ret) T. Michael Managing Director Moseley (U.S.) Goldman Sachs and Co. John Hurley (U.S.) Moseley and Associates, LLC Managing Partner Former Chief of Staff Cavalry Asset Management United States Air Force

Amb. Wolfgang Ischinger F. Francis Najafi (U.S.) (Germany) CEO Chairman Pivotal Group Munich Security Conference Global Head of Amb. Tsuneo Nishida (Japan) Governmental Affairs Permanent Representative Allianz SE of Japan to the U.N.

Ralph Isham (U.S.) Ronald P. O’Hanley (U.S.) Managing Director President,Asset Management GH Venture Partners LLC and Corporate Services Fidelity Invesments George F. Russell, Jr. (U.S.) CO-FOUNDER DIRECTORS EMERITI Former Chairman EastWest Institute Ira D. Wallach* (U.S.) Jan Krzysztof Bielecki (Poland) Chairman Emeritus Former Chairman CEO Russell Investment Group Central National-Gottesman Inc. Bank Polska Kasa Opieki S.A. Founder Co-Founder Former Prime Minister of Poland Russell 20-20 EastWest Institute Emil Constantinescu (Romania) Ramzi H. Sanbar (U.K.) President Chairman CHAIRMEN EMERITI Institute for Regional Cooperation SDC Group Inc. and Conflict Prevention (INCOR) Berthold Beitz* (Germany) Former President of Romania Ikram ul-Majeed Sehgal President (Pakistan) Alfried Krupp von Bohlen William D. Dearstyne (U.S.) Chairman und Halbach-Stiftung Former Company Group Chairman Security & Management Johnson & Johnson Services Ltd. Ivan T. Berend (Hungary) Professor John W. Kluge* (U.S.) Amb. Kanwal Sibal (India) University of California, Los Angeles Former Chairman of the Board Former Foreign Secretary of India Metromedia International Group Francis Finlay (U.K.) Kevin Taweel (U.S.) Former Chairman Maria-Pia Kothbauer Chairman Clay Finlay LLC (Liechtenstein) Asurion Ambassador Hans-Dietrich Genscher Embassy of Liechtenstein to Amb. Pierre Vimont (France) (Germany) Austria, OSCE and the UN in Vienna Executive Secretary General Former Vice Chancellor and European External Action Service Minister of Foreign Affairs William E. Murray* (U.S.) Former Ambassador Former Chairman Embassy of the Republic of France Donald M. Kendall (U.S.) The Samuel Freeman Trust in Washington, D.C. Former Chairman and CEO PepsiCo. Inc. John J. Roberts (U.S.) Alexander Voloshin (Russia) Senior Advisor Chairman of the Board Whitney MacMillan (U.S.) American International Group (AIG) OJSC Uralkali Former Chairman and CEO Cargill Inc. Daniel Rose (U.S.) Amb. Zhou Wenzhong (China) Chairman Secretary-General Mark Maletz (U.S.) Rose Associates Inc. Boao Forum for Asia Chairman, Executive Committee EastWest Institute Mitchell I. Sonkin (U.S.) Senior Fellow Managing Director Harvard Business School MBIA Insurance Corporation NON-BOARD COMMITTEE MEMBERS Thorvald Stoltenberg (Norway) President Laurent Roux (U.S.) Norwegian Red Cross Founder Gallatin Wealth Mangement, LLC Liener Temerlin (U.S.) Chairman Hilton Smith, Jr. (U.S.) Temerlin Consulting President and CEO East Bay Co., LTD John C. Whitehead (U.S.) Former Co-Chairman Goldman Sachs Former U.S. Deputy Secretary of State

* Deceased EastWest Institute Policy Report Series

2013

Afghan Narcotrafficking Critical Terminology Foundations A Joint Threat Assessment Russia-U.S. Bilateral on Cybersecurity Policy Report 2013—1 [EN | RU] Policy Report 2011—3

The Path to Zero Enhancing Security in Afghanistan and Report of the 2013 Nuclear Discussion Forum Central Asia through Regional Policy Report 2013—2 Cooperation on Water Amu Darya Basin Consultation Report Threading the Needle Policy Report 2011—4 Proposals on U.S. and Chinese Actions on Arms Sales to Taiwan Fighting Spam to Build Trust Policy Report 2013—3 China-U.S. Bilateral on Cybersecurity Policy Report 2011—5 [EN | CH] Measuring the Cybersecurity Problem Policy Report 2013—4 Seeking Solutions for Afghanistan, Part 3 Policy Report 2011—6 Frank Communication & Sensible Cooperation to Stem Harmful Hacking Policy Report 2013—5 [EN | CH] 2010

2012 Economic Development and Security for Afghanistan Bridging the Fault Lines Increasing Jobs and Income with the Help Collective Security in Southwest Asia of the Gulf States Policy Report 2012—1 Policy Report 2010—1

Priority International Communications Making the Most of Afghanistan’s River Basins Staying Connected in Times of Crisis Opportunities for Regional Cooperation Policy Report 2012—2 Policy Report 2010—2

2011 The Reliability of Global Undersea Communications Cable Infrastructure Working Towards Rules for Policy Report 2010—3 Governing Cyber Conflict Rendering the Geneva and Hague Rights and Responsibilities in Cyberspace Conventions in Cyberspace Balancing the Need for Security and Liberty Policy Report 2011—1 [EN | RU] Policy Report 2010—4

Seeking Solutions for Afghanistan, Part 2 Seeking Solutions for Afghanistan, Part 1 Policy Report 2011—2 Policy Report 2010—5 Building Trust Delivering Solutions

Learn more at www.ewi.info

EWInstitute EastWestInstitute