Interesting discussion on ways to regulate AI use, and the role (limitations) of open source there, by Bruce Schneier and Waldo.

It raises some interesting questions about accountability of the open source community. They argue, as many others, that OS community is too fluid to be regulated. I tend to disagree - OS community has many levels, and a certain OS component (say a GitHub code) gets picked up by others at certain points to push to a mass market for benefit (commercial or other). It is when such OS products are picked up that the risk explodes - and it is then when we see tangible entities (companies or orgs) that should be and are accountable for how they use the OS code and push it to mass market.

I see an analogy with vulnerabilities in digital products, and the responsibility of OS community for the supply chain security. While each coder should be accountable, for individuals it probably boils down to ethics (as the effect of a single github product is very limited); but there are entities in this supply chain that integrate such components that clearly should be hold accountable.

My comments below. It is an interesting question for Geneva Dialogue as well, not only for AI debates.

cc ||JovanK|| ||anastasiyakATdiplomacy.edu||

Also a very important proposal: greater transparency about weapons (exploits, vulnerabilities) and how these are collected and managed (that's VEP above) + about operations (who and how can deploy those and other tools, in what circumstances, under whose authorization, against what targets, etc)

This was already raised at the OEWG through the Geneva Dialogue contribution.

It is good there is recognition that vulnerabilities are among key challenges. Current US VEP is a good and positive example, but not sufficiently transparent. It is not expected that US 'adversaries' will do the same, but they expect at least partners.

Yet, an open question will be how to make sure other parties are not exploiting vulnerabilities (and thus having advantages)? It would have to be done as combination of a) more secure products by partners (security by design practices)<br> b) stricter supply chain control to avoid vulnerabilities in imported products c) strengthening vulnerability disclosure processes and policies, as well as resources/capabilities (eg. finding ways to lure Chinese researchers to report vuln. to western institutions in spite of Chinese law)

This, and the example below, of Microsoft's actions against malicious infrastructure are worth exploring in greater details. Part of it was taking over malicious domains - that is somewhat legal and certainly welcomed. But were there any 'penetrations' and exploits? I doubt so.

A very interesting - and, indeed, dangerous - claim that companies have legal standing to engage in 'responsible, exploitation-based activities' against malicious actors.

Does Microsoft really have legal ground to exploit any system (be in malicious or not) in another state - or even in US? (Not to ask if this goes against its own philosophy against exploiting vulnerabilities and vulnerable systems)

Do Huawei or Kaspersky have legal grounds to exploit systems in the NL or US - systems that they, or their governments, deem as malicious? What would the US say in such occasion (even if they dismantle C2 based in US - which is, btw, host of majority of malicious C2s)?

From the US defence perspective, this is, of course, very acceptable. From an international perspective - including legal and diplomatic - this is very problematic. It could actually put private sector actors on list of 'non grata' for many other countries, as they will be seen in breaching sovereignty of states. It is counter-productive.

This is not to say that such cooperation - and overall 'defence forward' - against malicious actors is a wrong way to go. It is not about 'if', but about 'how': if it is unilaterally done by the US (and allies), it resembles the US political and military dominance of the 21st century - its understanding of a role of international policeman. We have seen where that lead geopolitically.

It is much better to approach this 'new approach' through garnering broader international support for such actions - even through the UN. It is slower ,but more legit and with less risks for escalations and further political polarisation.

||JovanK|| ||Pavlina|| WDYT - from legal and political perspective?

This is, however, different from active attacks: this is information sharing, which is - no doubt - very efficient and needed

One 'problem' with many such analysis is that they only observe the US perspective. This is not healthy even from the military point of view, and let alone from diplomatic point of view (norms) which should strive towards a compromise.

Let's put ourselves in the shoes of Russians, or Chine. For them, the threat is not cyber groups, but Microsoft, for instance. Microsoft is vulnerable; Microsoft is dominating the market and imposing solutions; Microsoft is engaging against their sovereignty... Whether we agree or not with this stand, we have to understand their view. Using this strategy, Russians would legitimately act against a threat to them: Microsoft. Or Cyber peace institute. Or any other institution which they deem causes a threat to them.

If we 'legitimise' intrusion into other systems as defence, it may have a counter-effect of escalations, and setting erroneous precedents.

This is a second part of suggested strategy - besides attacking malicious actors: it boils down to publishing the know details about the threat actor and threat infrastructure, and sharing all this intelligence among various actors. This info exchange indeed is a cornerstone of better protection.

In theory, this looks smart: you attack the attackers. There are good examples of successful campaigns (also illustrated below).

In practice, it is not so smart: any exploitation of an existing vulnerability involves developing an exploit - usually a sophisticated one, if developed by the US security services, say. That exploit can leak (as we have seen before, from CIA stockpiles), and can get in hands of malicious actors including petty criminals (we have seen that as well).

That's why 'closing a vulnerability' is done to prevent? Can't work. Even though 'zero days' are most dangerous ones, most exploited vulnerabilities are actually years (and even decades long) - a CISA list of most exploited vulnerabilities, which it publishes regularly to motivate CI sector to patch, shows just that. Thus there is no way to instantly close an old vulnerability around the world (even in US) - and creating a powerful exploit for it doesn't help at all. If it is about a zero-day exploit, it is certainly welcomed that it would be reported to a vendor which would immediately patch it - but again, the existing exploit is even more dangerous, since patching process will take years.

In a word - very dangerous strategy.

new concept explained below - basically, 'defence forward' ie a) attacking malicious groups and infrastructure preemtively and b) sharing publicly information about those structures and attacks

Interesting blog that comments on lack of conformance of states to cyber norms: that OEWG/GGE norms don't reflect the reality of attacks, while GCSC which reflect better are not in the game; and on three ways conformance is currently cultivated (persuasion, socialization, and incentives) - all three failing.

Then, it proposes 'a new way' which should complement this process of turning norms into customary law - by inhibiting the ability for misbehavior/irresponsible behaviour . This should be done through 'defence forward': actively disrupting malicious groups and their systems (malware, botnet C2 infrastructure, etc) before they strike (includling through exploitation of vulnerabilities!), and publicly disclosing the information about such operations. To them, this would support better conformity to norms (by preventing them to misbehave?)

There is a number of valid points in the doc. But, there are also many problematic ones; to start with - do you, by preventing someone to misbehave, actually promote adherence to norms? Or are these two distinct issues - norms, and defence/military strategy.

I added number of comments throughout.

||Pavlina|| ||AndrijanaG|| ||JovanK||

Interesting proposal by St Lucia, for a global vulnerability index, on the basis of which, countries would have access to development finance.

It is pity this language has not been stronger, and more explicit. In particular, exploiting vulnerabilities should have been explicitly mentioned as 'disturbing' - if not condemned (having in mind SolarWinds and other examples).

Exploiting a vulnerability against one system discloses the vulnerability of a whole classes of commercial systems to the broader public. This then ends up being exploited by criminals against other such systems around the world, thereby weakening the entire cyberspace.

While it may be understood to fall under "malicious use of ICT", it is important to clearly spell it out.

It is pity this language has not been stronger, and more explicit. In particular, exploiting vulnerabilities should have been explicitly mentioned as 'disturbing' - if not condemned (having in mind SolarWinds and other examples).

Exploiting a vulnerability against one system discloses the vulnerability of a whole classes of commercial systems to the broader public. This then ends up being exploited by criminals against other such systems around the world, thereby weakening the entire cyberspace.

While it may be understood to fall under "malicious use of ICT", it is important to clearly spell it out.