Interesting discussion on ways to regulate AI use, and the role (limitations) of open source there, by Bruce Schneier and Waldo.

It raises some interesting questions about accountability of the open source community. They argue, as many others, that OS community is too fluid to be regulated. I tend to disagree - OS community has many levels, and a certain OS component (say a GitHub code) gets picked up by others at certain points to push to a mass market for benefit (commercial or other). It is when such OS products are picked up that the risk explodes - and it is then when we see tangible entities (companies or orgs) that should be and are accountable for how they use the OS code and push it to mass market.

I see an analogy with vulnerabilities in digital products, and the responsibility of OS community for the supply chain security. While each coder should be accountable, for individuals it probably boils down to ethics (as the effect of a single github product is very limited); but there are entities in this supply chain that integrate such components that clearly should be hold accountable.

My comments below. It is an interesting question for Geneva Dialogue as well, not only for AI debates.

cc ||JovanK|| ||anastasiyakATdiplomacy.edu||

There is a certain analogy with security of the open source, and how to ensure that open source code, which ends up being integral part of commercial products, is secure at the outset. It might not be possible to hold every code-writer in the open source community accountable for vulnerabilities, but there are certain moments later on when that code is picked up and commercialised by others, which allow the window of accountability. It is similar with LLM: it is when a certain code is picked up by others (often for monetisation or some other benefit) that accountability exists as well.

It is exactly this 'pick up' which is a milestone to look at: this is when actors involved go beyond a single github contributor, and involve certain entities (organisations or companies) which put certain resources in the promotion and reach of the product they have integrated, in order to create a mass market effect. This is where accountability for development can be looked for as well.

Is it really so? While open source community is diverse and numerous (and often boils down to a single person), their products become significant when they are put together and to the market (whether for free or monetisation). In other words, the 'danger' is not in each piece of code itself, but once those pieces are integrated into a powerful and mass-used product. This means there are certain milestones when the risks become sufficiently big to address it - and those milestones also involve certain entities (typically companies or organisations) which benefit from the reach of the product in one way or another. Devil is in details: we need to closely monitor how and when open source products come to a mass market and cause a concern - and who are the main actors at that very point that could be hold accountable. This still belongs to 'development', and addresses the developers (or integrators), not the users.

A very interesting analysis of Starlink in context of Ukraine, how it works, advantages of Low-Earth Orbit (LEO) satellites as technology, and possible limitation. Many governance questions opened up in comments below related to space race and regulations, UN and ITU, national regulation, etc. Feel free to contribute/respond/comment. ||JovanK|| ||sorina|| ||Pavlina|| ||nikolabATdiplomacy.edu||

Taiwan working on its own LEO constallation

Important future prospect, that minimises current limitations related to ground stations and their proximity!

A general regulatory challenge for internet access for developing countries - satellites going beyond borders. One can regulate the use of satellite dishes, but that's about it. Will countries look for regulations of satellite internet access through ITU for instance? (eg. Starlink can operate, but only through ground stations that are in our territory and working under our jurisdiction)

||sorina|| ||JovanK||

Space technology including launchers play important geopolitical element here. India seems to be entering the field as well. How about cosmodromes? Does EU have any option? ||nikolabATdiplomacy.edu||

Starlink initially looks at 12,000 total. Do they need even more? Estimations are that each satellite can last for 5-7 years, when it may go down and need to be replaced.

with new technologies, it is expected many more satellites would be launched at once.

Another aspect of digital sovereignty is the satellite infrastructure. It is not enough using Starlink or other commercial one even if cheaper/easier... One has to have own - so EU is going for that as well. It remains to be seen if it will be a commercial or rather state driven project (or, similarly to the EU cloud - a PPP+academia option).

What role does the ITU play when it comes to satellites licenses? Indeed, it seems Starlink also filed the application back in 2014. What sort of licenses are there, how is this decided, are they mandatory? Worth exploring this important part of the ITU role. ||sorina||

Interesting point

Another military advantage of LEO - since there are many, one would need to bring many of them down to make effect. Resilience effect of the internet itself, in fact (signal gets rereouted through other satellites)

Importantly, satellites only 'forward' the signal to the ground internet infrastructure - much like the mobile telecom towers do for mobile phones. Thus, user' satellite dishes communicate via satellites with 'ground stations' that are connected to the internet backbone (see illustration: https://dgtlinfra.com/wp-content/uploads/2020/12/How-Does-Starlink-Work-1024x576.png).

Due to satellites orbiting the earth, to be able to operate they also need ground stations in relative proximity to the used dishes (ie when a user activates the dish, and it communicates to the satellite nearby, the satellite has to have a ground station within its sight as well to be able to forward the signal). Here is an interesting live map of Starlink satelites (hexagons and white dots) and ground stations (red dots): https://satellitemap.space/?constellation=starlink&norad=53556

While dishes can be in a 'territory out of control' (eg. Ukraine, or Iran if someone smuggles it and uses), ground stations can be in nearby countries under political control/partnership. This enables full control of the internet content (e.g. content filtering or other) by friendly state/Starlink.

But, users of dishes can be prosecuted, or targeted by missiles upon using the uplink (basically whenever a dish sends something to the satellite, when it has to beam a signal upwards towards the sky - it is discoverable).

PS Very useful overview of satellites technologies and options, including Starlink: https://dgtlinfra.com/elon-musk-starlink-and-satellite-broadband/

Useful explanation of why Starlink (and LEO for that mater) is superior to high-orbit conventional satellites:

• it is closer to the Earth thus having much smaller latency (commercial tests say 20-40ms in practice at user end, comparing to cca 0.5s for GeoStationary Orbit satellites)
• because it's so many satellites rather than a single or few, one LEO satellite can serve less people and thus provides bigger bandwidth, at level of 'broadband' (commercial tests say 50-200Mbps/10-20Mbps) It's advantage is thus primarily in number of satelites which are in tens of thousands; previously, each GSO was under a particular point on Earth and serving only those people all time.
• Since LEO orbit around Earth very fast (completing a full earth orbit in under one hour), they can possibly provide connectivity everywhere, even the poles

Why is Starlink better at cybersecurity than ViaSat? 'Ability to quickly update system's software' shouldn't be different with traditional satellites. Yet, Starlink has indeed not been breached/compromised (and one can bet that Russians put lots of energy on that) Worth exploring further.

Interesting - explicit discussion in UN OEWG on Reducing Space Threats whether Starlink is/could be a military target under the international law. No such discussion were ever raised in UN OEWG cyber - eg. would Starlink/ViaSat be a legitimate target of cyberattack during war (not least because Russia and fellows deny the use of cyber for militarisation/as weapon). Worth following further? ||Pavlina|| ||JovanK||

Since Starlink is closer to users, it's signal is strong. Dishes communicate with more than one satellite, and change beams accordingly. This is hard to jam

connecting military equipment, services, people to communicate directly

ViaSat hack

Starlink offers services to 45 countries

Thus there is total cca 7000 LEO satellites in 2023, half of which is Starlink. Pace of launching is growing (see below)

Unnecessarily negative and sarcastic article, even though it brings some interesting and useful info.

Interesting alternative to lasers. Solutions might be out of where we look for them typically

I wouldn't underestimate this trend - and the impact such 'small' news can have on investments. Elon Musk managed to compete (and win) over NASA in space flights, satellites, etc. Once buzz and investments are there, scientific and tech breakthrough can be exponential.

Main question is: is there sufficient commercial interest to invest in this (ie who and how can earn money on long run with limitless energy)?

Good one :)

Quite sarcastic in a wrong way; one can't compare the two sources - and no one says one should replace another.

Not clear if there is a particular challenge with this syntesis? Otherwise - so what

Goal: to create more than gross invested plus various losses in transport etc - not more than just the power of laser beams

Details of this particular 'success'

How it works

Interesting to learn about the origins. It also shows the difference: investing more energy input than output is acceptable for a bomb, but not for power plant; thus, a specific challenge.

Too negative I would say. It might not be such a step as it is claimed to be, but to say that it's not a useful step might be too far?

Could the UN Framework Convention on Climate Change be an approach to a global Cyber Framework Convention? Few thoughts here. Thanks Asoke for the idea! PS I made public comments, so that we could possibly involve others to comment as well in future.

||asokemATdiplomacy.edu|| ||Pavlina|| ||JovanK||

There could be an umbrella related to various digital policy issues (cybercrime at least, if not also LAWS, and some IG topics like human rights). But, it would be additionally complex (if not impossible) to do such a cluster. But, there should be some mechanism that can connect all these dots (and future and emerging - like negotiations on AI).

In cyber, we are through with this, and could move to mitigation already.

This is the same in cyber.

This would be trickier for cyber, as there seems to be nothing as a specific goal discussed so far. How to define it? It could bind states to clarify and agree on (in future) how existing international law applies - ie find the way for it to apply; leaving it to further negotiations on regular basis to clarify bit by bit, through additional Protocols?

Or, should it be related to something quantitatively measurable, like number of attacks or loss, etc? This may be tricky to measure since, unlike global scientific measurements on the environment which can't be hidden by states, here, some aspects about attacks can be hidden by states to ensure deniability.

Can we borrow anything from other disarmament or other peace and security treaties for this mater?

This remains important for cybersecurity as well. Thinking about cybersecurity generally slows down digitalisation (though without it, digitalisation might bring more challenges than benefits).

While environment seems to be at the opposite side of development, cybersecurity can actually be seen as an enabler of development, and might be easier to make countries accept both (thus not striking 'a balance' in essence).

But in practice, it is sort of a balance of investment and pace in digitalisation vs/and cybersecurity, because there are limited funds and thus priorities.

Current OEWG is shaping 'National survey' (proposed by Mexico) which may further turn into a more complex and substantial reporting mechanism.

PoA is proposing a regular review process.

Perhaps combining the two - and asking multistkeholder venues (esp. academia?) to come up with measurement/assessment methodology of the progress (also linked to the concrete goal of the treaty above)?

OEWG and GGE had capacity building as one of the key pillars. Yet, funding was not directly discussed; rather, support to developing countries to be able to implement the agreed norms. This is a solid basis.

There might not need to be specific fund for cybersecurity. Instead, digitalisation funds should be extended/used for this. Perhaps, a more direct link between development aid and cybersecurity can be made. On one hand, it obliges developed countries to not only export digitalisation, but also security. On the other, it obliges developing countries to take both.

Here, it is rather the P5+ that can lead the way, as it is about armament and stability.

Should they have a particular role, by leading by the example? Most state-backed attacks are linked to a handful of countries - how to put the onus on them (and how to make this list without going into a tricky bit on attribution)?

Certainly, developed countries would have greater capacities for offense and defence. But, they would also be more vulnerable since they are more digitalised.

OEWG and GGE already recognised 'emerging threats' clearly, and there is a broad agreement. It could cover still some more threats which are not recognised openly (like exploitation of vulnerabilities). It could bind member states to act in the interests of human safety and international peace.

cybercrime emphasised only, other issues not

always interesting to observe the terminology. SCO for instance uses 'international information security' and 'threats in the information space, creating a safe, fair and open information space'

this can be indications of what we can expect as CBMs to be developed (following good practices from the UN, OSCE, ASEAN on contact points, etc)

interestingly, 'sovereignty' is not mentioned here, unlike in SCO. why?

This is currently the only somewhat clear CBM (or two - sharing information, and raising awareness), but still underdeveloped

Seems it's still in the early stage, as no specific measures exist yet. Worth following further as it develops (since members are also some states that are members of ASEAN, we can expect certain spill-over and ideas on CBMs from there possibly)

wording also used in UN and OSCE as a goal

more?

important emphasis

interesting and useful

internal EU challenges

This really reminds me so much of the rethorics of China, Russia and Balkan autocrats. Am I missing something? ||JovanK||

No independent research centres in China, Russia, ... funded by EU?

Disinformation is fastly climbing the ladder of importance

Like? BTW one could equally put this in mouth of Putin, Xi, or Erdogan

First reference to the US

the two leading challenges of the century: climate and digital (yet not much said on digital at all here)

EU+?

Georgia in

focus on pre-accession regions

following the US policy of blocks

ambitious

interesting pattern

new

Russia or China?

Will they respect environmental aspects?

Seeing how things work in Serbia with western companies, I am not really convinced

for bateries

for microchips

focus on raw materials (dominantly held out of EU, many of which in Russia)

important

this is certainly true

Norway was not so keen in the recent past. Now, they might need to play along, but probably asking for some benefits in future

important change

Fast-track free roaming. Balkans might be furious, but then again it makes sense

interesting

Ukraine recognised as a tech hub

hm... likely in future, but - really, to put this into the speech?!

It is much about EU, not (only) about Ukraine

Direct name. I don't remember this ever. Yet, a signal it's about Putin, not Russia.

Longer term it might be tough and different, though

Rather years...

Another important element that the document realises: link between cybersecurity and AI. This is missing in OEWG discussions. There will need to be links of OEWG with AI-related processes like LAWS as well - or, at least, diplomats will need to be aware of all those other related processes.

A well presented crucial difference between the two paradigms. Yet, this gap is vanishing. In a way, Russians (to the extent they were behind disinformation campaigns) managed to change the US position to accept the same paradigm.

Could this close-to-common understanding that both networks and information are part of the dialogue change the course of future negotiations, and perhaps even allow for more space for comprimise as everyone discusses the same issues?

||Pavlina|| ||AndrijanaG|| ||JovanK||

Important point: what used to be a privilege of big states in terms of offensive cyber capabilities (esp. weapons) is not any more - there are powerful criminal groups, dark researchers, international vulnerability brokers, and even legit businesses like NSO that offer tools and 'as a service' sophisticated attacks and tools. Though, most sophisticated and stealth attacks require more than that: lots of skills and (conventional) intelligence - resources that not many states have.

Useful examples of ransomware effects ||AndrijanaG||

Interesting breakdown of main attacks against US, including types and attributed sources ||AndrijanaG|| ||teodoramATnetwork.diplomacy.edu|| ||Pavlina||

This is very true: most cyber attacks are sophisticated, multi-months, covert, serving for disruption or espionage, not for causing physical damage. This is changing somewhat with the power of ransomware, which caused tangible (though not physical) damage in cases like Colonial pipeline, Costa Rica state of emergency, etc.

Useful overview of digital trade bilateral and multilateral processes where US is involved ||MariliaM||

||MariliaM|| What say you about this?

A sobering thought: internet is not a mechanism of US foreign policy any more; rather, 'adversaries' are using it against US values more and more. Open internet is a utopia, it says.

Analysis of the US cyber foreign policy, co-signed by the future US Cyber Ambassador just weeks ago. It signals what we can expect from the US digital foreign policy in the next years.

In a nutshell, they recognise that their strategy of an open internet that would change autocratic societies has failed, that in reality internet is backfiring against US priorities through insecurity, disinformation, etc etc. They seem to give up on the single open internet, and opt for an open internet among like-minded. Importantly, they suggest a change of narrative from 'human rights' to 'free flow of data' to be able to bring on board also those countries that might not be fully democratic or for human rights only (esp. big states like Brazil, India, South Africa). In this regards, they opt for dialogue (read: concessions) with EU on privacy/GDPR and big tech…

Further comments below.

Cyber foreign policy is becoming recognised as an increasingly important field. It is not only for diplomats and decision makers, but increasingly for businesses and their officials as well - like CISOs which need to understand geopolitical momentum and consequences this has on the security of their systems...

What should this be about?

Adding more liability to businesses to clean their portions. This may bring in limitations by ISPs and cloud providers on the use of encryption, or allow them to do DPI to scan the packages. It may be tricky with regards to freedoms in some aspects.

Also a very important proposal: greater transparency about weapons (exploits, vulnerabilities) and how these are collected and managed (that's VEP above) + about operations (who and how can deploy those and other tools, in what circumstances, under whose authorization, against what targets, etc)

This was already raised at the OEWG through the Geneva Dialogue contribution.

It is good there is recognition that vulnerabilities are among key challenges. Current US VEP is a good and positive example, but not sufficiently transparent. It is not expected that US 'adversaries' will do the same, but they expect at least partners.

Yet, an open question will be how to make sure other parties are not exploiting vulnerabilities (and thus having advantages)? It would have to be done as combination of a) more secure products by partners (security by design practices)<br> b) stricter supply chain control to avoid vulnerabilities in imported products c) strengthening vulnerability disclosure processes and policies, as well as resources/capabilities (eg. finding ways to lure Chinese researchers to report vuln. to western institutions in spite of Chinese law)

Possible further norms. Though the more norms they have, the bigger limitations the US will have on their possible offensive operations referred to above and below. ||AndrijanaG|| ||Pavlina||

This is very strange and confusing. What should such a center do? Would it be a law enforcement body (but then there is interpol...)? Or forensics support? Or awareness and capacity building? ||AndrijanaG|| ||bojanakATnetwork.diplomacy.edu||

US would need to find a way to agree on privacy, data, big tech issues with EU

Washington to link its digital competition (economic and trade policies) with national security. Another signal that digital trade and data flow will be more strongly linked to national security.

||JovanK|| ||MariliaM||

when it comes to adversaries, a combination of economic pressure and 'disruptive' (read also: offensive?) cyber operations - while respecting the OEWG/GGE norms endorsed by partners

Question is if partners (esp. beyond EU - eg. India, Brazil) would accept that offensive approach of the US against their adversaries - even if respecting the norms and int. law?

In other words, if internet has to fragment, let's make sure we get the biggest part of it ruled by a common set of rules that support democratic values.

This is an important recognition: cybercrime used to be discussed separately from national security and int. peace and security. This won't be possible any more, because tools, tactics and procedures are similar (eg. ransomware, exploits), and resources of perpetrators are similar (eg. organised criminal groups) or adversaries are linked or work together (eg. APT groups with states).

In that sense, keeping global dialogue about cybercrime fully separated from peace and stability won't be possible any more; there will need to be links.

||AndrijanaG|| ||Pavlina|| ||bojanakATnetwork.diplomacy.edu|| ||teodoramATnetwork.diplomacy.edu||

Another rather blunt recognition: indictments and sanctions don't work when it comes to deterrence. Yet, some believe they are powerful as part of a set of measures. (There is certain broader question about the effectiveness of sanctions, though)

An interesting and well articulated point: US should make sure that friends and partners (in broader sense - esp. swing states) adhere to norms. They can't expect that Russia and China will adhere, so for them they might need a different approach (combining multiple options as discussed elsewhere in the document)

Another merging area: information warfare and cyber conflict. For long, the US has been pushing back strongly not to bring discussions about content into cybersecurity discussions. It was the main difference between the US and Russia/China in understanding the scope. As content becomes weapon in full sense, this won't be possible any more. Likely, US will bring the two together in discussions with like-minded partners, but not (yet) in global negotiations where their 'adversaries' are present.

||AndrijanaG|| ||Pavlina|| ||asokemATdiplomacy.edu||

As we would put it: "Whatever is connected can be hacked". The paper proposes further cooperation on reducing (and disclosing) vulnerabilities, and has some good points on zero-day exploits and various groups of adversaries.

||AndrijanaG|| ||Pavlina||

Re-focusing from (promoting) values of an open society to (promoting) data flow and economic aspects

||MariliaM|| ||GingerP||

Fragmentation can not be prevented.

The key of the suggested new framing: it is not about western values of openness and human rights (that might not be acceptable by everyone) - it is about free and trusted data flow. This boils down to economy, and might be more broadly understood and endorsed.

With Fick's background of enterpreneurship, and some signals in this document, as well as with composition of third departments of the bureau which deal with 'other' issues (norms, int.orgs, human rights), should we expect that his priority agenda will be digital trade? Thus, that we will see high importance of WTO and other digital trade negotiations (at least with 'like-minded' and swing states) in the future State Department agenda? ||MariliaM|| ||JovanK|| ||GingerP||

A clear and provocative thought, coming from the US. ||JovanK|| ||MariliaM|| ||sorina|| ||GingerP||

A blunt recognition that the former US approach to an open internet has failed. Also, a call for a new digital foreign policy.

||JovanK|| ||sorina||

Same old vocabulary: Stuxnet, which destroyed a facility, was 'cyber campaign' ('to cause physical damage'), not 'an attack'. Yet, Iranian strike against Saudi Aramco (just a line below) is 'attack'.

[Maybe it's only to me, but this is the same pattern of 'campaign' (and not 'attack' or 'aggression') against Iraq or Yugoslavia, yet 'aggression' (and not 'special operation') about Russia's strike against Ukraine.]

Nathaniel Fick is a likely future US cyber ambassador (ie ambassador at large, to lead the Cyber Bureau of the State Department). The report was prepared in July, when he was already the candidate. Thus, we can probably read this as his programme - or at least that he is not against it.

The title already signals what the paper confirms: US should/will accept that single internet is no more a reality.

(continuation of the previous comment)

This, and the example below, of Microsoft's actions against malicious infrastructure are worth exploring in greater details. Part of it was taking over malicious domains - that is somewhat legal and certainly welcomed. But were there any 'penetrations' and exploits? I doubt so.

A very interesting - and, indeed, dangerous - claim that companies have legal standing to engage in 'responsible, exploitation-based activities' against malicious actors.

Does Microsoft really have legal ground to exploit any system (be in malicious or not) in another state - or even in US? (Not to ask if this goes against its own philosophy against exploiting vulnerabilities and vulnerable systems)

Do Huawei or Kaspersky have legal grounds to exploit systems in the NL or US - systems that they, or their governments, deem as malicious? What would the US say in such occasion (even if they dismantle C2 based in US - which is, btw, host of majority of malicious C2s)?

From the US defence perspective, this is, of course, very acceptable. From an international perspective - including legal and diplomatic - this is very problematic. It could actually put private sector actors on list of 'non grata' for many other countries, as they will be seen in breaching sovereignty of states. It is counter-productive.

This is not to say that such cooperation - and overall 'defence forward' - against malicious actors is a wrong way to go. It is not about 'if', but about 'how': if it is unilaterally done by the US (and allies), it resembles the US political and military dominance of the 21st century - its understanding of a role of international policeman. We have seen where that lead geopolitically.

It is much better to approach this 'new approach' through garnering broader international support for such actions - even through the UN. It is slower ,but more legit and with less risks for escalations and further political polarisation.

||JovanK|| ||Pavlina|| WDYT - from legal and political perspective?

This is, however, different from active attacks: this is information sharing, which is - no doubt - very efficient and needed

Another useful example

Useful example

Link to US 'defence forward'

Another explanation of 'cyber persistence' concept

Valid point - naming and shaming attacks a reputation (and often without publicly valid evidences), which doesn't help de-escalation

Interesting point on covert operations, and the importance of reputation! When it comes to espionage and eventually striking malicious infrastructure, this may make sense. But if the strike spills over to an infrastructure that is critical or public (say: adversaries use a hijacked public infrastructure of a country - a hospital network or other - as part of their C2) covert wouldn't be covert any more, and could actually be both embarrassing and dangerous.

One 'problem' with many such analysis is that they only observe the US perspective. This is not healthy even from the military point of view, and let alone from diplomatic point of view (norms) which should strive towards a compromise.

Let's put ourselves in the shoes of Russians, or Chine. For them, the threat is not cyber groups, but Microsoft, for instance. Microsoft is vulnerable; Microsoft is dominating the market and imposing solutions; Microsoft is engaging against their sovereignty... Whether we agree or not with this stand, we have to understand their view. Using this strategy, Russians would legitimately act against a threat to them: Microsoft. Or Cyber peace institute. Or any other institution which they deem causes a threat to them.

If we 'legitimise' intrusion into other systems as defence, it may have a counter-effect of escalations, and setting erroneous precedents.

This is a second part of suggested strategy - besides attacking malicious actors: it boils down to publishing the know details about the threat actor and threat infrastructure, and sharing all this intelligence among various actors. This info exchange indeed is a cornerstone of better protection.

This might look meaningful from the US perspective. But if you would put this in the mouth of, say, Russians - the US would be heavily against it. So 'it is in the eye of a beholder'. It is rather a military (zero-sum) than a diplomatic strategy (win-win).

In theory, this looks smart: you attack the attackers. There are good examples of successful campaigns (also illustrated below).

In practice, it is not so smart: any exploitation of an existing vulnerability involves developing an exploit - usually a sophisticated one, if developed by the US security services, say. That exploit can leak (as we have seen before, from CIA stockpiles), and can get in hands of malicious actors including petty criminals (we have seen that as well).

That's why 'closing a vulnerability' is done to prevent? Can't work. Even though 'zero days' are most dangerous ones, most exploited vulnerabilities are actually years (and even decades long) - a CISA list of most exploited vulnerabilities, which it publishes regularly to motivate CI sector to patch, shows just that. Thus there is no way to instantly close an old vulnerability around the world (even in US) - and creating a powerful exploit for it doesn't help at all. If it is about a zero-day exploit, it is certainly welcomed that it would be reported to a vendor which would immediately patch it - but again, the existing exploit is even more dangerous, since patching process will take years.

In a word - very dangerous strategy.

Basically using activities that inhibit irresponsible behaviour

new concept explained below - basically, 'defence forward' ie a) attacking malicious groups and infrastructure preemtively and b) sharing publicly information about those structures and attacks

Gut-feeling is that this is right - there is no high adherence to cybernoms. Here, an Oxford article is added to support this argument

Useful resource by respected authors in the field: three ways that conformance is cultivated now - persuasion, socialisation, and incentives

Good point that GCSC norms are more 'down to earth' and reflect actual problems

Interesting observation: that current prohibitive norms of GGE/OEWG actually mis-shoot. Example on CERTs is a good one: while this norm is important - it doesn't reflect the reality (there were no documented cases. The one on CI, however, doesn't stay: this is the major issue between US and Russia - it is a valid norm.

Interesting blog that comments on lack of conformance of states to cyber norms: that OEWG/GGE norms don't reflect the reality of attacks, while GCSC which reflect better are not in the game; and on three ways conformance is currently cultivated (persuasion, socialization, and incentives) - all three failing.

Then, it proposes 'a new way' which should complement this process of turning norms into customary law - by inhibiting the ability for misbehavior/irresponsible behaviour . This should be done through 'defence forward': actively disrupting malicious groups and their systems (malware, botnet C2 infrastructure, etc) before they strike (includling through exploitation of vulnerabilities!), and publicly disclosing the information about such operations. To them, this would support better conformity to norms (by preventing them to misbehave?)

There is a number of valid points in the doc. But, there are also many problematic ones; to start with - do you, by preventing someone to misbehave, actually promote adherence to norms? Or are these two distinct issues - norms, and defence/military strategy.

I added number of comments throughout.

||Pavlina|| ||AndrijanaG|| ||JovanK||

BRICS cooperation on AI. Nothing too specific (unlike in some other fields). Interesting that they spend space to address concerns ||JovanK|| ||sorina||

BRICS cooperation on emerging tech, including 'Institute for future networks' ||JovanK|| ||sorina||

BRICS Declaration - para. on digital trade ||MariliaM||

single mention of 'cyber'

This seems to be a new approach.. GGE was initially about 'IT in the Context of International Security'; in 2019 with a push of US (along with OEWG) it became 'State behaviour in cyberspace in the context of international security', while OEWG remained IT and int. security.

Re. use of data collection (and, perhaps, cyber breaches and leaks into Russian networks?) to prosecure for crimes in Ukraine?

Place for discussion on the multistakeholder internet sanctions proposal ||MariliaM|| ||JovanK|| ||AndrijanaG|| ||sorina|| ||StephanieBP||

It is important to clarify if this proposal is only about IP and domains? If so, than the 'norms' for blacklisting exist already for security; problem is propaganda - but one can't set the norms on this so easily (it is about the content, not the IP addresses)

Again this may be well suited for years-long governance processes. When sanctions are imposed, this is done in severe war cases where decisions need to be taken almost instantly.

One way is to pre-define rules, and be prompt with applications - almost like an alghoritm (smart contracts?). Problem is that each war/conflict has its own context, and assessment of violation of some norms (what norms?) is not streightforward.

While this entire proposal is legit, it seems irrational/not implementable.

Maybe a better way /next step is to

• develop some guidelines in MS fashion
• develop proposals for assessment and bringing decisions
• impact governments to, in future, consult with those mechanisms and MS community (while not expecting that MS community will decide) As long as MS community has clearer arguments, govs may be more inclined to listen (at least in the West)

This is a very hard task: the entire OEWG debate is now about how to assess violations of norms. In this case, we don't talk about only cyber-norms but various political norms, international law, etc as an argument for sanctions - this is not a technical decision (though it could well be multistakeholder)

Left to the choice of organisations to subscribe and implement - voluntary

Again, who decides on what is sanctioned? The proposal is not clear on this. That is not a technical issue - implementation may be technical.

These are a very engineering fora. The concept of engineering approach makes sense in implementation (eg. when combating spam and IP blacklists) - but the main question is who decides what blacklists are, and how?

In security/technology, it is rather clear (you can quantify certain attacks or spam or packets coming from an IP or ASN), but here it is a human and political filter.

• How do you quantify and measure the malicious impact?
• Who gets to decide?

This goes well in line with strategic positions of the West. But, will the West (governments) now say 'this goes to far'?

This sounds legit, but is hardly possible - MS governance takes years to build any mechanisms and decisions; during wars, decisions have to be taken on hourly basis...

Here it explains - and it explains it well, I would say

Interesting wording 'does not land itself'. Or multistakeholder governance doesn't allow unilateral decisions? or?

Legitimate targets of operations. But, it gets very tricky in digital times to say what is military (as we see cyberattacks for instance running from civilian servers; or sanctions being evaded through other channels) and certainly what is propaganda (it's not just specific broadcasters - and not everything done by those broadcastrs is propaganda (eg some might be fundamental information), but also social media, etc). How to distinguish?

This is a general concern, to what extent sanctions are useful at all in various circumstances. As with every other 'weapon', economic sanctions should follow proportionality and necessity.

Very interesting text which talks about the limits of further scaling of transistors on a chip. Will we soon have to live with the same iPhone for 10 years or more?

In a nutshell, as we approach 2nm technology (TSMC is working on 3nm), we will face limitations of physics, where we won't be able to scale further with the current technology. The semiconductor technology that we developed since 50s reaches its ends.

We will need a tectonic innovation (quantum perhaps? but it also relies on current semiconductors' technology in some proposals). Otherwise, we won't be able to get faster chips any more.

How will this impact the development of chips and geopolitics around this? How will this impact innovations?

||JovanK||

Tech development of developing countries is crucial for China - export demands there are increasing

This is the key: US markets want China in!

Is that not even less possible today? Innovation and production is not only in the IPR, but also in human capacities and labour - and this is where the West (still) dominates

Taiwan is in an interesting situation. Probably the only thing that ties the US support to it is semiconductors. If they give it away to US or others, they have no safeguards any more; at the same time, they are forced to give bits away by developing TSMC factories in US (though not the key technology), to avoid Intel and others catching up... It is a be or not to be for Taiwan.

This depends on manufacturing equipment, where US, Japan and NL dominate

This is the key, but not just for China - there is a global bottleneck with only Samsung and TSMC being able to produce them

I think this Rubicon has been crossed already, and not just in US-China relations: states understand they can't rely on the global supply chain any more (due to both China and the US). Is there a way back for this trust anyhow? ||JovanK|| ||MariliaM||

Could this be the next rift in the western positions - on where chip export rules should be drafted? ||JovanK|| ||MariliaM||

What is the NL and EU position on this?! ASML is Dutch ||JovanK||

Yet Quad has no producers of high-end semiconductors - Taiwan or S Korea

Understanding chips as 'dual use technology' may be an overstretch. It is rather a commodity, though scarce (and not for natural reasons like oil, but for purely political and investment reasons related to know-how and production)

Does this trade and export of semiconductors generally fall under the existing WTO rules? If so, were WTO rules broken by the US policy? ||JovanK|| ||MariliaM||

Is it only in US, or the EU and others have it high on the agenda? While EU is making steps for independence on this grounds as well, is it actually still hoping (and pushing) for a global supply chain and the end of US export policy/foreign affairs push?

About US IoT cybersecurity improvement act 2020

It will be important to follow China's attitude towards ORAN. Currently, it seems ORAN is not as efficient as proprietary - but this is likely to change. At some point, Huawei model may become less 'sellable' (ultimately, operators around the world decide on profit, especially when difference is big). Will Chinese industry ultimately turn to ORAN to some extent? Also, will China try to 'emphasise' some of the weaknesses of ORAN, eg. through cyberattacks against its virtualised elements? ||JovanK|| ||sorina|| ||AndrijanaG||

This is certain. It provides business advantages to operators, allows blooming new market, reduces dependencies, and has political impact. It will unbundle RAN dependencies and supply chain. Yet, it has drawbacks that we have to study.

Another possible drawback of ORAN: ensuring interoperability of various vendors, in contrast to responsibility of big vendors (similar challenge to open source software). Open question: how can this impact security (similar to open source security issues)?

(Current) Drawback of ORAN: Performance

Politics influence uptake of ORAN as well: eg. Huawei ban

Benefits of software-driven RAN: fine-tuning the performaces in real time, including though AI

Another benefit of ORAN for operators: moving away from hardware dependencies and lack of flexibility to update the network, towards software-driven RAN which are more flexible, updatable, and allow options for re-calibrating the network in realtime

Benefit of ORAN options for operators: they can fine-tune network architecture, vendors, dependencies, costs

Important issue to study. Argument that more open standards bring more risks is somewhat true: it is harder to create attacks against more closed and specialised networks (plus, an attack against Huawei's network couldn't be applied to Ericsson's, etc) - but obscurity is not really a cure for security (most experts don't believe in 'security by obscurity'). More important element is that much of the functionality of ORAN will be moved to software and cloud, much like other ordinary services. This makes core telecom networks more 'ordinary', and prone to common cyber-attacks and vulnerabilities related to common digital networks. It is important to further study those risks. ||AndrijanaG|| ||VladaR||