274 Matching Annotations
  1. Jun 2023
    1. Interesting discussion on ways to regulate AI use, and the role (limitations) of open source there, by Bruce Schneier and Waldo.

      It raises some interesting questions about accountability of the open source community. They argue, as many others, that OS community is too fluid to be regulated. I tend to disagree - OS community has many levels, and a certain OS component (say a GitHub code) gets picked up by others at certain points to push to a mass market for benefit (commercial or other). It is when such OS products are picked up that the risk explodes - and it is then when we see tangible entities (companies or orgs) that should be and are accountable for how they use the OS code and push it to mass market.

      I see an analogy with vulnerabilities in digital products, and the responsibility of the OS community for supply chain security. While each coder should be accountable, for individuals it probably boils down to ethics (as the effect of a single github product is very limited); but there are entities in this supply chain that integrate such components that clearly should be held accountable.

      My comments below. It is an interesting question for Geneva Dialogue as well, not only for AI debates.

      cc ||JovanK|| ||anastasiyakATdiplomacy.edu||

    2. Now that the open-source community is remixing LLMs, it’s no longer possible to regulate the technology by dictating what research and development can be done;

      There is a certain analogy with security of the open source, and how to ensure that open source code, which ends up being an integral part of commercial products, is secure at the outset. It might not be possible to hold every code-writer in the open source community accountable for vulnerabilities, but there are certain moments later on when that code is picked up and commercialised by others, which allow the window of accountability. It is similar with LLM: it is when a certain code is picked up by others (often for monetisation or some other benefit) that accountability exists as well.

    3. Open source isn’t very good at original innovations, but once an innovation is seen and picked up, the community can be a pretty overwhelming thing.

      It is exactly this 'pick up' which is a milestone to look at: this is when actors involved go beyond a single github contributor, and involve certain entities (organisations or companies) which put certain resources in the promotion and reach of the product they have integrated, in order to create a mass market effect. This is where accountability for development can be looked for as well.

    4. The only governance mechanism available to governments now is to regulate usage (and only for those who pay attention to the law), or to offer incentives to those (including startups, individuals, and small companies) who are now the drivers of innovation in the arena.

      Is it really so? While the open source community is diverse and numerous (and often boils down to a single person), their products become significant when they are put together and brought to the market (whether for free or monetisation). In other words, the 'danger' is not in each piece of code itself, but once those pieces are integrated into a powerful and mass-used product. This means there are certain milestones when the risks become sufficiently big to address them - and those milestones also involve certain entities (typically companies or organisations) which benefit from the reach of the product in one way or another. The devil is in the details: we need to closely monitor how and when open source products come to a mass market and cause a concern - and who are the main actors at that very point that could be held accountable. This still belongs to 'development', and addresses the developers (or integrators), not the users.

  2. Jan 2023
    1. A very interesting analysis of Starlink in context of Ukraine, how it works, advantages of Low-Earth Orbit (LEO) satellites as technology, and possible limitation. Many governance questions opened up in comments below related to space race and regulations, UN and ITU, national regulation, etc. Feel free to contribute/respond/comment. ||JovanK|| ||sorina|| ||Pavlina|| ||nikolabATdiplomacy.edu||

    2. which may explain why the island is accelerating efforts to develop its own satellite constellation

      Taiwan working on its own LEO constellation

    3. In future, service will be possible even in places with no convenient ground stations nearby; the next generation of satellites is intended to be able to pass messages between themselves, rather than sending them back down to the nearest ground station, creating a network which could be much more unevenly tethered to the Earth.

      Important future prospect, that minimises current limitations related to ground stations and their proximity!

    4. Some countries do not want Starlink services making the internet uncontrollable, and so do not allow the company to operate within their borders.

      A general regulatory challenge for internet access for developing countries - satellites going beyond borders. One can regulate the use of satellite dishes, but that's about it. Will countries look for regulations of satellite internet access through ITU for instance? (eg. Starlink can operate, but only through ground stations that are in our territory and working under our jurisdiction)

      ||sorina|| ||JovanK||

    5. Meanwhile other launch systems are either unavailable, undersized or have yet to get up and running. American rules stop Western companies from buying launch services from China, and since the war began launch contracts with Russia have been cancelled. OneWeb, which relied on Russian launchers for its launches until this year, now uses SpaceX’s Falcon 9 and a launcher developed by India.

      Space technology including launchers plays an important geopolitical element here. India seems to be entering the field as well. How about cosmodromes? Does the EU have any option? ||nikolabATdiplomacy.edu||

    6. fully reusable spacecraft called Starship which would be capable of launching some 400 Starlinks at a time, and thus taking the constellation from thousands of satellites to tens of thousands. The long-delayed first attempt to get a Starship out into space and back is expected this year.

      Starlink initially looks at 12,000 total. Do they need even more? Estimations are that each satellite can last for 5-7 years, when it may go down and need to be replaced.

    7. SpaceX’s launch capacity. SpaceX has the world’s best satellite-launch system, the partially reusable Falcon 9 rocket. That allows it to launch satellites at an unmatchable rate. There were 61 Falcon-9 launches in 2022. The company is talking of getting its Falcon-9 launch rate up to two rockets a week this year, with one a week devoted to Starlink. Each such launch will add another 50 or so satellites.

      with new technologies, it is expected many more satellites would be launched at once.

    8. In November 2022 the EU agreed to begin developing its own low-orbit communications system, IRIS2

      Another aspect of digital sovereignty is the satellite infrastructure. It is not enough to use Starlink or another commercial one even if cheaper/easier... One has to have one's own - so the EU is going for that as well. It remains to be seen if it will be a commercial or rather state-driven project (or, similarly to the EU cloud - a PPP+academia option).

    9. In 2020 China filed documents with the International Telecommunication Union, a UN body, for a 13,000-satellite constellation of its own

      What role does the ITU play when it comes to satellites licenses? Indeed, it seems Starlink also filed the application back in 2014. What sort of licenses are there, how is this decided, are they mandatory? Worth exploring this important part of the ITU role. ||sorina||

    10. Starlink’s use in Ukraine marks “the beginning of the end” for the value of anti-satellite missiles. “[It] turns out they’re only useful if your adversary relies on small numbers of really large/expensive satellites.”

      Interesting point

    11. And then there are the satellites themselves. America, China, India and Russia have missiles that can shoot satellites out of the sky. Again, though, using them would seem a severe escalation. It would also be a lot less useful against a constellation like Starlink than against older systems. Knocking out a single Starlink would achieve more or less nothing. If you want to damage the space-based bit of the system, you need to get rid of lots of them.

      Another military advantage of LEO - since there are many, one would need to bring many of them down to have an effect. Resilience effect of the internet itself, in fact (signal gets rerouted through other satellites)

    12. Starlink satellites relay signals they receive to fairly nearby “ground stations”

      Importantly, satellites only 'forward' the signal to the ground internet infrastructure - much like the mobile telecom towers do for mobile phones. Thus, users' satellite dishes communicate via satellites with 'ground stations' that are connected to the internet backbone (see illustration: https://dgtlinfra.com/wp-content/uploads/2020/12/How-Does-Starlink-Work-1024x576.png).

      Due to satellites orbiting the earth, to be able to operate they also need ground stations in relative proximity to the used dishes (ie when a user activates the dish, and it communicates to the satellite nearby, the satellite has to have a ground station within its sight as well to be able to forward the signal). Here is an interesting live map of Starlink satellites (hexagons and white dots) and ground stations (red dots): https://satellitemap.space/?constellation=starlink&norad=53556

      While dishes can be in a 'territory out of control' (eg. Ukraine, or Iran if someone smuggles it and uses), ground stations can be in nearby countries under political control/partnership. This enables full control of the internet content (e.g. content filtering or other) by friendly state/Starlink.

      But, users of dishes can be prosecuted, or targeted by missiles upon using the uplink (basically whenever a dish sends something to the satellite, when it has to beam a signal upwards towards the sky - it is discoverable).

      PS Very useful overview of satellites technologies and options, including Starlink: https://dgtlinfra.com/elon-musk-starlink-and-satellite-broadband/

    13. Most satellite communications make use of big satellites which orbit up at 36,000km. Perched at such a height a satellite seems to sit still in the sky, and that vantage allows it to serve users spread across very large areas. But even if such a satellite is big, the amount of bandwidth it can allocate to each user is often quite limited. The orbits used by Starlink’s much smaller satellites are far lower: around 550km. This means that the time between a given satellite rising above the horizon and setting again is just minutes. To make sure coverage is continuous thus requires a great many satellites, which is a hassle. But because each satellite is serving only a small area the bandwidth per user can be high. And the system’s latency—the time taken for signals to get up to a satellite and back down to Earth—is much lower than for high-flying satellites. High latencies can prevent software from working as it should, says Iain Muirhead, a space researcher at the University of Manchester. With software, rather than just voice links, increasingly used for tasks like controlling artillery fire, avoiding glitches caused by high latency is a big advantage.

      Useful explanation of why Starlink (and LEO for that matter) is superior to high-orbit conventional satellites:

      • it is closer to the Earth thus having much smaller latency (commercial tests say 20-40ms in practice at user end, comparing to cca 0.5s for GeoStationary Orbit satellites)
      • because there are so many satellites rather than a single one or a few, one LEO satellite can serve fewer people and thus provides bigger bandwidth, at the level of 'broadband' (commercial tests say 50-200Mbps/10-20Mbps). Its advantage is thus primarily in the number of satellites, which are in the tens of thousands; previously, each GSO was above a particular point on Earth and serving only those people all the time.
      • Since LEO satellites orbit Earth very fast (completing a full earth orbit in under one hour), they can possibly provide connectivity everywhere, even the poles

    14. Cyber-attacks like the one aimed at Ukraine’s legacy satellite system on February 24th are one possibility. So far, though, similar sallies against Starlink appear to have been ineffective, in part thanks to SpaceX’s ability to quickly update the system’s software. Dave Tremper, director of electronic warfare for the Office of the Secretary of Defence, has said the speed of the software response he witnessed to one attack was “eye-watering”.

      Why is Starlink better at cybersecurity than ViaSat? 'Ability to quickly update system's software' shouldn't be different with traditional satellites. Yet, Starlink has indeed not been breached/compromised (and one can bet that Russians put lots of energy on that) Worth exploring further.

    15. In September the Russian delegation to a UN working group on space security hinted that, despite its status as a nominally civilian system, Starlink might be considered a legitimate military target under international humanitarian law—which is probably a fair assessment.

      Interesting - explicit discussion in UN OEWG on Reducing Space Threats whether Starlink is/could be a military target under international law. No such discussion was ever raised in UN OEWG cyber - eg. would Starlink/ViaSat be a legitimate target of cyberattack during war (not least because Russia and fellows deny the use of cyber for militarisation/as a weapon). Worth following further? ||Pavlina|| ||JovanK||

    16. Russia’s armed forces have lots of electronic-warfare equipment that can locate, jam or spoof radio emissions. But the Starlink signals are strong compared with those from higher flying satellites, which makes jamming them harder. And the way that the dishes use sophisticated electronics to create narrow, tightly focused beams that follow satellites through the sky like invisible searchlights provides further resistance to interference.

      Since Starlink is closer to users, its signal is strong. Dishes communicate with more than one satellite, and change beams accordingly. This is hard to jam

    17. Each hop added time and confusion. In today’s Ukraine, he notes, he could simply have accessed the live drone feed himself. Such frustrations led the Pentagon to start talking of “Joint All-Domain Command and Control” (JADC2, for those keeping score at home)

      connecting military equipment, services, people to communicate directly

    18. An hour before Russia launched its attack, its hackers sought to disable thousands of modems associated with the terminals which provide access to the main satellite used by Ukraine’s army and government, among many other clients

      ViaSat hack

    19. By May around 150,000 people were using the system every day
    20. off-grid high-bandwidth internet access to consumers in 45 countries

      Starlink offers services to 45 countries

    21. The Starlink constellation currently consists of 3,335 active satellites; roughly half of all working satellites are Starlinks

      Thus there is total cca 7000 LEO satellites in 2023, half of which is Starlink. Pace of launching is growing (see below)

  3. Dec 2022
    1. Unnecessarily negative and sarcastic article, even though it brings some interesting and useful info.

    2. many commercial projects are based on tokamaks—an established approach that goes back to the 1950s. This heats the deuterium-tritium mixture into a plasma rather than freezing it into a pellet, and does the compressing magnetically. Breakthroughs in magnet technology, in particular, have enabled this renaissance

      Interesting alternative to lasers. Solutions might be out of where we look for them typically

    3. there are now real ideas and real firms with real money pursuing it in the private sector

      I wouldn't underestimate this trend - and the impact such 'small' news can have on investments. Elon Musk managed to compete (and win) over NASA in space flights, satellites, etc. Once buzz and investments are there, scientific and tech breakthrough can be exponential.

      Main question is: is there sufficient commercial interest to invest in this (ie who and how can earn money on long run with limitless energy)?

    4. fusion power is 30 years away—and always will be

      Good one :)

    5. observation that it releases no CO2 is true also of nuclear fission, solar energy and wind power, all of which are actual, developed technologies

      Quite sarcastic in a wrong way; one can't compare the two sources - and no one says one should replace another.

    6. which is radioactive and has a half-life of 12 years, has to be synthesised

      Not clear if there is a particular challenge with this synthesis? Otherwise - so what

    7. But this approach can be a power source only if the energy released exceeds not merely that incident on the pellet, but rather that employed to generate the beams.

      Goal: to create more than gross invested plus various losses in transport etc - not more than just the power of laser beams

    8. the NIF’s researchers have released more energy from an imploding pellet than was inserted by the laser beams

      Details of this particular 'success'

    9. In one of NIF’s pellets it is done by the convergence on the pellet of 192 beams from a powerful laser. In both cases the aim is to overcome the mutual electrical repulsion of the positively charged nuclei of the atoms, and push those nuclei close enough to one another for a different fundamental force, the strong nuclear force (which operates only at short ranges) to take over.

      How it works

    10. Do this to enough pairs of atoms and you get a lot of energy—and a big bang

      Interesting to learn about the origins. It also shows the difference: investing more energy input than output is acceptable for a bomb, but not for power plant; thus, a specific challenge.

    11. But a useful step towards electricity generation by fusion it is not

      Too negative I would say. It might not be such a step as it is claimed to be, but to say that it's not a useful step might be too far?

  4. Oct 2022
    1. Could the UN Framework Convention on Climate Change be an approach to a global Cyber Framework Convention? Few thoughts here. Thanks Asoke for the idea! PS I made public comments, so that we could possibly involve others to comment as well in future.

      ||asokemATdiplomacy.edu|| ||Pavlina|| ||JovanK||

    2. The UNFCCC is a “Rio Convention”, one of two opened for signature at the “Rio Earth Summit” in 1992.

      There could be an umbrella related to various digital policy issues (cybercrime at least, if not also LAWS, and some IG topics like human rights). But, it would be additionally complex (if not impossible) to do such a cluster. But, there should be some mechanism that can connect all these dots (and future and emerging - like negotiations on AI).

    3. Parties wanted more certainty on impacts of and vulnerability to climate change

      In cyber, we are through with this, and could move to mitigation already.

    4. The Convention acknowledges the vulnerability of all countries to the effects of climate change and calls for special efforts to ease the consequences, especially in developing countries which lack the resources to do so on their own.

      This is the same in cyber.

    5. Sets a lofty but specific goal.

      This would be trickier for cyber, as there seems to be nothing as a specific goal discussed so far. How to define it? It could bind states to clarify and agree on (in future) how existing international law applies - ie find the way for it to apply; leaving it to further negotiations on regular basis to clarify bit by bit, through additional Protocols?

      Or, should it be related to something quantitatively measurable, like number of attacks or loss, etc? This may be tricky to measure since, unlike global scientific measurements on the environment which can't be hidden by states, here, some aspects about attacks can be hidden by states to ensure deniability.

      Can we borrow anything from other disarmament or other peace and security treaties for this matter?

    6. Charts the beginnings of a path to strike a delicate balance.

      This remains important for cybersecurity as well. Thinking about cybersecurity generally slows down digitalisation (though without it, digitalisation might bring more challenges than benefits).

      While environment seems to be at the opposite side of development, cybersecurity can actually be seen as an enabler of development, and might be easier to make countries accept both (thus not striking 'a balance' in essence).

      But in practice, it is sort of a balance of investment and pace in digitalisation vs/and cybersecurity, because there are limited funds and thus priorities.

    7. Keeps tabs on the problem and what's being done about it.

      Current OEWG is shaping 'National survey' (proposed by Mexico) which may further turn into a more complex and substantial reporting mechanism.

      PoA is proposing a regular review process.

      Perhaps combining the two - and asking multistakeholder venues (esp. academia?) to come up with a measurement/assessment methodology of the progress (also linked to the concrete goal of the treaty above)?

    8. providing financial support for action on climate change-- above and beyond any financial assistance they already provide to these countries

      OEWG and GGE had capacity building as one of the key pillars. Yet, funding was not directly discussed; rather, support to developing countries to be able to implement the agreed norms. This is a solid basis.

      There might not need to be specific fund for cybersecurity. Instead, digitalisation funds should be extended/used for this. Perhaps, a more direct link between development aid and cybersecurity can be made. On one hand, it obliges developed countries to not only export digitalisation, but also security. On the other, it obliges developing countries to take both.

    9. Puts the onus on developed countries to lead the way.

      Here, it is rather the P5+ that can lead the way, as it is about armament and stability.

      Should they have a particular role, by leading by the example? Most state-backed attacks are linked to a handful of countries - how to put the onus on them (and how to make this list without going into a tricky bit on attribution)?

      Certainly, developed countries would have greater capacities for offense and defence. But, they would also be more vulnerable since they are more digitalised.

    10. Recognized that there was a problem.

      OEWG and GGE already recognised 'emerging threats' clearly, and there is a broad agreement. It could cover still some more threats which are not recognised openly (like exploitation of vulnerabilities). It could bind member states to act in the interests of human safety and international peace.

    1. criminal use

      cybercrime emphasised only, other issues not

    2. Security of and in the use of ICTs

      always interesting to observe the terminology. SCO for instance uses 'international information security' and 'threats in the information space, creating a safe, fair and open information space'

    3. contacts and exchanges

      this can be indications of what we can expect as CBMs to be developed (following good practices from the UN, OSCE, ASEAN on contact points, etc)

    4. on the basis

      interestingly, 'sovereignty' is not mentioned here, unlike in SCO. why?

    5. Sharing information, best practices and raising awareness in the field of security

      This is currently the only somewhat clear CBM (or two - sharing information, and raising awareness), but still underdeveloped

    6. dialogue on confidence-building

      Seems it's still in the early stage, as no specific measures exist yet. Worth following further as it develops (since members are also some states that are members of ASEAN, we can expect certain spill-over and ideas on CBMs from there possibly)

    7. reducing misunderstanding

      wording also used in UN and OSCE as a goal

  5. Sep 2022
    1. European Convention.


    2. legally binding mechanism that ensures solidarity.

      important emphasis

    3. new initiative on mental health

      interesting and useful

    4. If we want to be credible when we ask candidate countries to strengthen their democracies, we must also eradicate corruption at home

      internal EU challenges

    5. Many of us have taken democracy for granted for too long
    6. These lies are toxic for our democracies

      This really reminds me so much of the rhetoric of China, Russia and Balkan autocrats. Am I missing something? ||JovanK||

    7. a university in Amsterdam shut down an allegedly independent research centre, which was actually funded by Chinese entities.

      No independent research centres in China, Russia, ... funded by EU?

    8. Their disinformation is spreading from the internet to the halls of our universities.

      Disinformation is quickly climbing the ladder of importance

    9. Foreign entities are funding institutes that undermine our values

      Like? BTW one could equally put this in mouth of Putin, Xi, or Erdogan

    10. In this spirit, President Biden and I will convene a leaders' meeting to review and announce implementation projects.

      First reference to the US

    11. great challenges of this century, such as climate change and digitalisation.

      the two leading challenges of the century: climate and digital (yet not much said on digital at all here)

    12. European Political Community


    13. So I want the people of the Western Balkans, of Ukraine, Moldova and Georgia to know

      Georgia in

    14. This starts with those countries that are already on the path to our Union. We must be at their side every step of the way.

      focus on pre-accession regions

    15. core group of our like-minded partners: our friends in every single democratic nation on this globe

      following the US policy of blocks

    16. Let's make sure that the future of industry is made in Europe.


    17. European Sovereignty Fund.
    18. Last year I announced the European Chips Act. And the first chips gigafactory will break ground in the coming months.

      interesting pattern

    19. European Critical Raw Materials Act


    20. one country dominates the market

      Russia or China?

    21. Today, China controls the global processing industry. Almost 90 % of rare earths and 60 % of lithium are processed in China.
    22. nd for this reason, I intend to put forward for ratification the agreements with Chile, Mexico and New Zealand. And advance negotiations with key partners like Australia and India.

      Will they respect environmental aspects?

    23. Trade that embraces workers' rights and the highest environmental standards is possible with like-minded partners

      Seeing how things work in Serbia with western companies, I am not really convinced

    24. Lithium

      for batteries

    25. rare earths

      for microchips

    26. raw materials

      focus on raw materials (dominantly held out of EU, many of which in Russia)

    27. As a first important step, we need to speed up and facilitate the recognition of qualifications also of third country nationals.


    28. It is financing new wind turbines and solar parks, high-speed trains and energy-saving renovations.
    29. The summer of 2022 will be remembered as a turning point.

      this is certainly true

    30. Norway.

      Norway was not so keen in the recent past. Now, they might need to play along, but probably asking for some benefits in future

    31. But in these times it is wrong to receive extraordinary record profits benefitting from war and on the back of consumers.

      important change

    32. proposing a cap on the revenues of companies that produce electricity at a low cost.
    33. Last year, Russian gas accounted for 40% of our gas imports. Today it's down to 9% pipeline gas.
    34. US, Norway, Algeria
    35. we agreed on joint storage. We are at 84% now: we are overshooting our target.
    36. But dependency on Russian fossil fuels comes at a much higher price. We have to get rid of this dependency all over Europe.
    37. We will bring Ukraine into our European free roaming area.

      Fast-track free roaming. Balkans might be furious, but then again it makes sense

    38. In March, we connected successfully Ukraine to our electricity grid. It was initially planned for 2024. But we did it within two weeks. And today, Ukraine is exporting electricity to us.


    39. Ukraine is already a rising tech hub and home to many innovative young companies. So I want us to mobilise the full power of our Single Market to help accelerate growth and create opportunities.

      Ukraine recognised as a tech hub

    40. The Russian military is taking chips from dishwashers and refrigerators to fix their military hardware, because they ran out of semiconductors.

      hm... likely in future, but - really, to put this into the speech?!

    41. And you have given hope to all of us.

      It is much about EU, not (only) about Ukraine

    42. Putin

      Direct name. I don't remember this ever. Yet, a signal it's about Putin, not Russia.

    43. our response was united, determined and immediate

      Longer term it might be tough and different, though

    44. months

      Rather years...

  6. Aug 2022
    1. AI and other new technologies will increase strategic instability.

      Another important element that the document realises: link between cybersecurity and AI. This is missing in OEWG discussions. There will need to be links of OEWG with AI-related processes like LAWS as well - or, at least, diplomats will need to be aware of all those other related processes.

    2. The United States has historically separated cyber and information security, but American adversaries have traditionally not distinguished between the two. In their view, the confidentiality, integrity, and assurance of computer networks are integral—and in some sense subordinate—to the battle over information spaces, and cyberattacks enabled significant capabilities in information operations. Numerous Russian documents and strategies describe cyber operations as integral to information security. After the creation of U.S. Cyber Command (CYBERCOM), at a meeting of Russian and U.S. defense officials, one Russian officer reportedly derided the lack of information warfare in Cyber Command’s mission. General Nikolai Makarov told his counterparts, “One uses information to destroy nations, not networks.”

      A well presented crucial difference between the two paradigms. Yet, this gap is vanishing. In a way, Russians (to the extent they were behind disinformation campaigns) managed to change the US position to accept the same paradigm.

      Could this close-to-common understanding that both networks and information are part of the dialogue change the course of future negotiations, and perhaps even allow more space for compromise, as everyone would be discussing the same issues?

      ||Pavlina|| ||AndrijanaG|| ||JovanK||

    3. Zero days are expensive to buy and develop. They have historically been deployed by state-backed groups, yet in 2021 one-third of all hacking groups exploiting zero days were financially motivated criminals.48

      Important point: what used to be a privilege of big states in terms of offensive cyber capabilities (esp. weapons) is not any more - there are powerful criminal groups, dark researchers, international vulnerability brokers, and even legit businesses like NSO that offer tools and 'as a service' sophisticated attacks and tools. Though, most sophisticated and stealth attacks require more than that: lots of skills and (conventional) intelligence - resources that not many states have.

    4. The risk is not just financial. Ransomware attacks have paralyzed local governments, school districts, and hospitals. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for thirty hours, and the University of Vermont Medical Center furloughed or reassigned about three hundred employees after an attack on the hospital’s networks. Homeland Security officials worried that ransomware attacks on voter registration systems could disrupt the 2020 elections. In May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack by the Conti gang crippled the Finance and Labor Ministry as well as the customs agency. The group also posted stolen files to the dark web to extort the government to pay the ransom.

      Useful examples of ransomware effects ||AndrijanaG||


      Interesting breakdown of main attacks against US, including types and attributed sources ||AndrijanaG|| ||teodoramATnetwork.diplomacy.edu|| ||Pavlina||

    6. These types of attacks were, however, the exceptions. Over the last decade, most cyber operations have been attacks that violate sovereignty but remain below the threshold for the use of force or armed attack

      This is very true: most cyber attacks are sophisticated, multi-month, covert operations serving disruption or espionage, not causing physical damage. This is changing somewhat with the power of ransomware, which caused tangible (though not physical) damage in cases like Colonial Pipeline, the Costa Rica state of emergency, etc.

    7. The U.S. withdrawal from the Trans-Pacific Partnership and continued aversion to multilateral trade agreements severely limit its ability to shape the rules guiding digital trade. Although the digital chapters of the U.S.-Korea Free Trade Agreement (KORUS) and the U.S.-Mexico-Canada Agreement (USMCA), as well as the U.S.-Japan Digital Trade Agreement, have strong protections for cross-border data flows, the United States has been sidelined as other trade groups come together. The Regional Comprehensive Economic Partnership (RCEP), an agreement among fifteen countries in the Asia-Pacific, for example, represents 30 percent of global gross domestic product (GDP) and entered into force without the United States on January 1, 2022. RCEP’s provisions regarding data localization, restrictions on cross-border data flows, and policies that champion domestic industry are, however, weak

      Useful overview of the bilateral and multilateral digital trade processes in which the US is involved ||MariliaM||

    8. The United States has taken itself out of the game on digital trade.

      ||MariliaM|| What say you about this?

    9. For many years, this global internet served U.S. interests, and U.S. leaders often called for countries to embrace an open internet or risk being left behind. But this utopian vision became just that: a vision, not the reality. Instead, over time the internet became less free, more fragmented, and less secure. Authoritarian regimes have managed to limit its use by those who might weaken their hold and have learned how to use it to further repress would-be or actual opponents.

      A sobering thought: the internet is no longer a mechanism of US foreign policy; rather, 'adversaries' are using it against US values more and more. An open internet is a utopia, it says.

    10. Analysis of the US cyber foreign policy, co-signed by the future US Cyber Ambassador just weeks ago. It signals what we can expect from the US digital foreign policy in the next years.

      In a nutshell, they recognise that their strategy of an open internet that would change autocratic societies has failed, and that in reality the internet is backfiring against US priorities through insecurity, disinformation, etc. They seem to give up on the single open internet, and opt for an open internet among the like-minded. Importantly, they suggest a change of narrative from 'human rights' to 'free flow of data' to be able to bring on board also those countries that might not be fully democratic or for human rights only (esp. big states like Brazil, India, South Africa). In this regard, they opt for dialogue (read: concessions) with the EU on privacy/GDPR and big tech…

      Further comments below.

    11. Develop the expertise for cyber foreign policy

      Cyber foreign policy is becoming recognised as an increasingly important field. It is not only for diplomats and decision makers, but increasingly for businesses and their officials as well - like CISOs, who need to understand the geopolitical momentum and the consequences this has for the security of their systems...

    12. domestic intelligence gap

      What should this be about?

    13. offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure

      Adding more liability to businesses to clean up their portions. This may bring in limitations by ISPs and cloud providers on the use of encryption, or allow them to do DPI to scan the packets. It may be tricky with regard to freedoms in some aspects.

    14. greater transparency about defend forward actions

      Also a very important proposal: greater transparency about weapons (exploits, vulnerabilities) and how these are collected and managed (that's VEP above) + about operations (who and how can deploy those and other tools, in what circumstances, under whose authorization, against what targets, etc)

      This was already raised at the OEWG through the Geneva Dialogue contribution.

    15. Develop coalition-wide practices for the Vulnerabilities Equities Process (VEP).

      It is good there is recognition that vulnerabilities are among key challenges. Current US VEP is a good and positive example, but not sufficiently transparent. It is not expected that US 'adversaries' will do the same, but they expect at least partners.

      Yet, an open question will be how to make sure other parties are not exploiting vulnerabilities (and thus gaining advantages)? It would have to be done as a combination of:
      a) more secure products by partners (security by design practices)
      b) stricter supply chain control to avoid vulnerabilities in imported products
      c) strengthening vulnerability disclosure processes and policies, as well as resources/capabilities (e.g. finding ways to lure Chinese researchers to report vulnerabilities to western institutions in spite of Chinese law)

    16. Declare norms against destructive attacks on election and financial systems.

      Possible further norms. Though the more norms they have, the bigger limitations the US will have on their possible offensive operations referred to above and below. ||AndrijanaG|| ||Pavlina||

    17. Create an international cybercrime center

      This is very strange and confusing. What should such a center do? Would it be a law enforcement body (but then there is Interpol...)? Or forensics support? Or awareness and capacity building? ||AndrijanaG|| ||bojanakATnetwork.diplomacy.edu||

    18. Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation (GDPR). • Resolve outstanding issues on U.S.-European Union (EU) data transfers.

      US would need to find a way to agree on privacy, data, big tech issues with EU

    19. its policy for digital competition with the broader enterprise of national security strategy

      Washington to link its digital competition (economic and trade policies) with national security. Another signal that digital trade and data flow will be more strongly linked to national security.

      ||JovanK|| ||MariliaM||

    20. balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations, with clear statements about self-imposed restraint on specific types of targets

      when it comes to adversaries, a combination of economic pressure and 'disruptive' (read also: offensive?) cyber operations - while respecting the OEWG/GGE norms endorsed by partners

      The question is whether partners (esp. beyond the EU - e.g. India, Brazil) would accept that offensive approach of the US against their adversaries - even if it respects the norms and international law?

    21. consolidate a coalition of allies and friends around a vision of the internet

      In other words, if the internet has to fragment, let's make sure we get the biggest part of it ruled by a common set of rules that support democratic values.

    22. Cybercrime is a national security risk

      This is an important recognition: cybercrime used to be discussed separately from national security and int. peace and security. This won't be possible any more, because tools, tactics and procedures are similar (eg. ransomware, exploits), and resources of perpetrators are similar (eg. organised criminal groups) or adversaries are linked or work together (eg. APT groups with states).

      In that sense, keeping global dialogue about cybercrime fully separated from peace and stability won't be possible any more; there will need to be links.

      ||AndrijanaG|| ||Pavlina|| ||bojanakATnetwork.diplomacy.edu|| ||teodoramATnetwork.diplomacy.edu||

    23. Indictments and sanctions have been ineffective in stopping state-backed hackers.

      Another rather blunt recognition: indictments and sanctions don't work when it comes to deterrence. Yet, some believe they are powerful as part of a set of measures. (There is certain broader question about the effectiveness of sanctions, though)

    24. Norms are more useful in binding friends together than in constraining adversaries

      An interesting and well articulated point: US should make sure that friends and partners (in broader sense - esp. swing states) adhere to norms. They can't expect that Russia and China will adhere, so for them they might need a different approach (combining multiple options as discussed elsewhere in the document)

    25. The United States can no longer treat cyber and information operations as two separate domains

      Another merging area: information warfare and cyber conflict. For long, the US has been pushing back strongly against bringing discussions about content into cybersecurity discussions. It was the main difference between the US and Russia/China in understanding the scope. As content becomes a weapon in the full sense, this won't be possible any more. Likely, the US will bring the two together in discussions with like-minded partners, but not (yet) in global negotiations where their 'adversaries' are present.

      ||AndrijanaG|| ||Pavlina|| ||asokemATdiplomacy.edu||

    26. Increased digitization increases vulnerability,

      As we would put it: "Whatever is connected can be hacked". The paper proposes further cooperation on reducing (and disclosing) vulnerabilities, and has some good points on zero-day exploits and various groups of adversaries.

      ||AndrijanaG|| ||Pavlina||

    27. Data is a source of geopolitical power and competition and is seen as central to economic and national security.

      Re-focusing from (promoting) values of an open society to (promoting) data flow and economic aspects

      ||MariliaM|| ||GingerP||

    28. U.S. policies promoting an open, global internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation.

      Fragmentation cannot be prevented.

    29. As former Japanese Prime Minister Shinzo Abe put it, the goal should be to establish “data flows with trust,” not to promote Western-style democracy

      The key of the suggested new framing: it is not about western values of openness and human rights (that might not be acceptable by everyone) - it is about free and trusted data flow. This boils down to economy, and might be more broadly understood and endorsed.

      With Fick's background in entrepreneurship, and some signals in this document, as well as with the composition of the third departments of the bureau which deal with 'other' issues (norms, int. orgs, human rights), should we expect that his priority agenda will be digital trade? Thus, that we will see high importance of WTO and other digital trade negotiations (at least with 'like-minded' and swing states) in the future State Department agenda? ||MariliaM|| ||JovanK|| ||GingerP||

    30. The era of the global internet is over

      A clear and provocative thought, coming from the US. ||JovanK|| ||MariliaM|| ||sorina|| ||GingerP||

    31. Frankly, U.S. policy toward cyberspace and the internet has failed to keep up. The United States desperately needs a new foreign policy that confronts head on the consequences of a fragmented and dangerous internet.

      A blunt recognition that the former US approach to an open internet has failed. Also, a call for a new digital foreign policy.

      ||JovanK|| ||sorina||

    32. known cyber campaign to cause physical damage

      Same old vocabulary: Stuxnet, which destroyed a facility, was 'cyber campaign' ('to cause physical damage'), not 'an attack'. Yet, Iranian strike against Saudi Aramco (just a line below) is 'attack'.

      [Maybe it's only to me, but this is the same pattern of 'campaign' (and not 'attack' or 'aggression') against Iraq or Yugoslavia, yet 'aggression' (and not 'special operation') about Russia's strike against Ukraine.]

    33. Nathaniel Fick

      Nathaniel Fick is a likely future US cyber ambassador (i.e. ambassador-at-large, to lead the Cyber Bureau of the State Department). The report was prepared in July, when he was already the candidate. Thus, we can probably read this as his programme - or at least that he is not against it.

    34. Foreign Policy for a Fragmented Internet

      The title already signals what the paper confirms: the US should/will accept that a single internet is no longer a reality.

  7. Jul 2022
    1. less than two weeks after CYBERCOM disrupted Trickbot’s operations, Microsoft engaged in operations toward that same end. Microsoft has previously coordinated botnet disruptive operations with the FBI, including the 2013 operations against the Citadel and ZeroAccess botnets and the recent disruption of the Zloader botnet.

      (continuation of the previous comment)

    2. Its Digital Crimes Unit applies legal and technical solutions to identify, investigate, and disrupt malware-facilitated cybercrime and nation-state-sponsored activity.

      This, and the example below, of Microsoft's actions against malicious infrastructure are worth exploring in greater detail. Part of it was taking over malicious domains - that is somewhat legal and certainly welcomed. But were there any 'penetrations' and exploits? I doubt it.

    3. Many U.S. private-sector companies have strong corporate incentives to support conformance with proposed prohibitive norms. Some also have the capacity, capability, and legal standing to engage in responsible, exploitation-based activities.

      A very interesting - and, indeed, dangerous - claim that companies have legal standing to engage in 'responsible, exploitation-based activities' against malicious actors.

      Does Microsoft really have legal ground to exploit any system (be it malicious or not) in another state - or even in the US? (Not to ask whether this goes against its own philosophy against exploiting vulnerabilities and vulnerable systems)

      Do Huawei or Kaspersky have legal grounds to exploit systems in the NL or the US - systems that they, or their governments, deem malicious? What would the US say on such an occasion (even if they dismantle a C2 based in the US - which is, btw, host of the majority of malicious C2s)?

      From the US defence perspective, this is, of course, very acceptable. From an international perspective - including legal and diplomatic - this is very problematic. It could actually put private sector actors on the list of 'non grata' for many other countries, as they will be seen as breaching the sovereignty of states. It is counter-productive.

      This is not to say that such cooperation - and overall 'defence forward' - against malicious actors is a wrong way to go. It is not about 'if', but about 'how': if it is done unilaterally by the US (and allies), it resembles the US political and military dominance of the 21st century - its understanding of its role as international policeman. We have seen where that led geopolitically.

      It is much better to approach this 'new approach' through garnering broader international support for such actions - even through the UN. It is slower, but more legit and with fewer risks of escalation and further political polarisation.

      ||JovanK|| ||Pavlina|| WDYT - from legal and political perspective?

    4. CYBERCOM’s hunt-forward operations enable anticipatory resilience by discovering adversary malware, techniques, tactics, and procedures as well as indicators of compromise and releasing this information through VirusTotal and Cybersecurity and Infrastructure Security Agency (CISA) alerts to inoculate U.S. companies from malicious cyber activity.

      This is, however, different from active attacks: this is information sharing, which is - no doubt - very efficient and needed

    5. The FBI itself recently removed the CyclopsBlink C2 malware associated with a Russian APT-built botnet off of thousands of devices before it was activated toward malicious ends. It also closed the external management ports being exploited to access the C2 malware.

      Another useful example

    6. For example, to preclude technical disruption and interference in the 2020 U.S. elections, CYBERCOM reportedly engaged in an operation to temporarily disrupt what was then the world’s largest botnet: Trickbot.

      Useful example

    7. The U.S. Department of Defense’s defend forward cyber strategy as operationalized by U.S. Cyber Command’s (CYBERCOM) doctrine of persistent engagement embodies the notion of achieving security through responsible, persistent exploitation-based operations, campaigns, and activities.

      Link to US 'defence forward'

    8. Cultivating conformance through a cyber persistence-based approach should aim to coordinate campaigns among government agencies with cyber capabilities and authorities and, where possible, with private-sector actors that have legal standing to engage in such behavior

      Another explanation of 'cyber persistence' concept

    9. overt naming and shaming, which seeks to exert such pressures to achieve conformance, may be counterproductive to stability

      Valid point - naming and shaming attacks a reputation (and often without publicly valid evidence), which doesn't help de-escalation

    10. Covert operations scholarship suggests that secrecy dampens risks of instability by reducing potential pressures from domestic or other audiences and by allowing states to manage reputational concerns. Leveraging the “open secrecy” of persistent cyber campaigns is thus not just a more promising approach but also a more prudent one.

      Interesting point on covert operations, and the importance of reputation! When it comes to espionage and eventually striking malicious infrastructure, this may make sense. But if the strike spills over to an infrastructure that is critical or public (say: adversaries use a hijacked public infrastructure of a country - a hospital network or other - as part of their C2) covert wouldn't be covert any more, and could actually be both embarrassing and dangerous.

    11. It is time better spent tacitly communicating to the malicious source by exposing, disrupting, and contesting threatening behaviors.

      One 'problem' with many such analyses is that they only observe the US perspective. This is not healthy even from the military point of view, let alone from the diplomatic point of view (norms), which should strive towards a compromise.

      Let's put ourselves in the shoes of the Russians, or China. For them, the threat is not cyber groups, but Microsoft, for instance. Microsoft is vulnerable; Microsoft is dominating the market and imposing solutions; Microsoft is engaging against their sovereignty... Whether we agree or not with this stand, we have to understand their view. Using this strategy, the Russians would legitimately act against a threat to them: Microsoft. Or the CyberPeace Institute. Or any other institution which they deem causes a threat to them.

      If we 'legitimise' intrusion into other systems as defence, it may have the counter-effect of escalation, and set erroneous precedents.

    12. revealing publicly indicators and warnings of malicious activity, the techniques, tactics, and procedures associated therewith, and malicious malware itself that was discovered after an opponent’s intrusion or in anticipation of one

      This is the second part of the suggested strategy - besides attacking malicious actors: it boils down to publishing the known details about the threat actor and threat infrastructure, and sharing all this intelligence among various actors. This info exchange indeed is a cornerstone of better protection.

    13. set security conditions in one’s favor by exploiting adversary vulnerabilities and reducing the potential for exploitation of one’s own

      This might look meaningful from the US perspective. But if you would put this in the mouth of, say, Russians - the US would be heavily against it. So 'it is in the eye of a beholder'. It is rather a military (zero-sum) than a diplomatic strategy (win-win).

    14. exploiting and then closing a vulnerability for the sole purpose of removing malicious malware

      In theory, this looks smart: you attack the attackers. There are good examples of successful campaigns (also illustrated below).

      In practice, it is not so smart: any exploitation of an existing vulnerability involves developing an exploit - usually a sophisticated one, if developed by the US security services, say. That exploit can leak (as we have seen before, from CIA stockpiles), and can get into the hands of malicious actors including petty criminals (we have seen that as well).

      That's why 'closing a vulnerability' is done - to prevent this? It can't work. Even though 'zero days' are the most dangerous ones, most exploited vulnerabilities are actually years (and even decades) old - a CISA list of most exploited vulnerabilities, which it publishes regularly to motivate the CI sector to patch, shows just that. Thus there is no way to instantly close an old vulnerability around the world (even in the US) - and creating a powerful exploit for it doesn't help at all. If it is about a zero-day exploit, it is certainly welcomed that it would be reported to a vendor which would immediately patch it - but again, the existing exploit is even more dangerous, since the patching process will take years.

      In a word - very dangerous strategy.

    15. persist and responsibly leverage exploitation-based activities that preclude, inhibit, or otherwise constrain behaviors inconsistent with proposed prohibitive norms.

      Basically using activities that inhibit irresponsible behaviour

    16. cyber persistence, which manifests as a threat through the malicious exploitation of cyber vulnerabilities.

      new concept explained below - basically, 'defence forward', i.e. a) attacking malicious groups and infrastructure preemptively and b) sharing publicly information about those structures and attacks

    17. All three mechanisms have a poor track record, in isolation and in combination, for cultivating conformance by malicious state and non-state actors with proposed prohibitive peacetime cyber norms.

      Gut feeling is that this is right - there is no high adherence to cyber norms. Here, an Oxford article is added to support this argument

    18. Martha Finnemore and Duncan Hollis outline three discrete mechanisms for cultivating conformance: persuasion, socialization, and incentives (positive and negative inducements).

      Useful resource by respected authors in the field: three ways that conformance is cultivated now - persuasion, socialisation, and incentives

    19. Unlike the U.N. GGE and OEWG products, the GCSC report proposes prohibitive norms addressing ongoing destabilizing behaviors.

      Good point that GCSC norms are more 'down to earth' and reflect actual problems

    20. States are engaging in a range of cyber behaviors that undermine peace and stability, but these proposed prohibitive norms do not address those behaviors. There is no reported instance of states engaging in cyber operations against another state’s cyber emergency response teams or using their teams for malicious purposes. And, although states have targeted critical infrastructure in armed conflict and non-state actors have done so in peacetime, the proposed prohibitive norms are not framed in a manner addressing that context or those actors, respectively.

      Interesting observation: that the current prohibitive norms of the GGE/OEWG actually mis-shoot. The example on CERTs is a good one: while this norm is important, it doesn't reflect the reality (there were no documented cases). The one on CI, however, doesn't stand: this is the major issue between the US and Russia - it is a valid norm.

    21. Interesting blog that comments on lack of conformance of states to cyber norms: that OEWG/GGE norms don't reflect the reality of attacks, while GCSC which reflect better are not in the game; and on three ways conformance is currently cultivated (persuasion, socialization, and incentives) - all three failing.

      Then, it proposes 'a new way' which should complement this process of turning norms into customary law - by inhibiting the ability for misbehaviour/irresponsible behaviour. This should be done through 'defence forward': actively disrupting malicious groups and their systems (malware, botnet C2 infrastructure, etc.) before they strike (including through exploitation of vulnerabilities!), and publicly disclosing the information about such operations. To them, this would support better conformity to norms (by preventing them from misbehaving?)

      There are a number of valid points in the doc. But there are also many problematic ones; to start with - do you, by preventing someone from misbehaving, actually promote adherence to norms? Or are these two distinct issues - norms, and defence/military strategy?

      I added a number of comments throughout.

      ||Pavlina|| ||AndrijanaG|| ||JovanK||


  8. Jun 2022
    1. We express our concerns on the risk, and ethical dilemma related to Artificial Intelligence, such as privacy, manipulation, bias, human-robot interaction, employment, effects and singularity among others. We encourage BRICS members to work together to deal with such concerns, sharing best practices, conduct comparative study on the subject toward developing a common governance approach which would guide BRICS members on Ethical and responsible use of Artificial Intelligence while facilitating the development of AI.

      BRICS cooperation on AI. Nothing too specific (unlike in some other fields). Interesting that they spend space to address concerns ||JovanK|| ||sorina||

    2. Digital BRICS Task Force (DBTF) and the decision to hold the Digital BRICS Forum in 2022. We encourage the BRICS Institute of Future Networks and the DBTF to make suitable working plans at an early date, and carry out cooperation on R&D and application of new and emerging technologies.

      BRICS cooperation on emerging tech, including 'Institute for future networks' ||JovanK|| ||sorina||

    3. 38. We recognize the dynamism of the digital economy in mitigating the impact of COVID-19 and enabling global economic recovery.

      BRICS Declaration - para. on digital trade ||MariliaM||

    4. cyber

      single mention of 'cyber'
