207 Matching Annotations
  1. Last 7 days
    1. European Convention.

      more?

    2. legally binding mechanism that ensures solidarity.

      important emphasis

    3. new initiative on mental health

      interesting and useful

    4. If we want to be credible when we ask candidate countries to strengthen their democracies, we must also eradicate corruption at home

      internal EU challenges

    5. These lies are toxic for our democracies

      This really reminds me so much of the rhetoric of China, Russia and Balkan autocrats. Am I missing something? ||JovanK||

    6. a university in Amsterdam shut down an allegedly independent research centre, which was actually funded by Chinese entities.

      No independent research centres in China, Russia, ... funded by EU?

    7. Their disinformation is spreading from the internet to the halls of our universities.

      Disinformation is quickly climbing the ladder of importance

    8. Foreign entities are funding institutes that undermine our values

      Like? BTW one could equally put this in mouth of Putin, Xi, or Erdogan

    9. In this spirit, President Biden and I will convene a leaders' meeting to review and announce implementation projects.

      First reference to the US

    10. great challenges of this century, such as climate change and digitalisation.

      the two leading challenges of the century: climate and digital (yet not much said on digital at all here)

    11. European Political Community

      EU+?

    12. So I want the people of the Western Balkans, of Ukraine, Moldova and Georgia to know

      Georgia in

    13. This starts with those countries that are already on the path to our Union. We must be at their side every step of the way.

      focus on pre-accession regions

    14. core group of our like-minded partners: our friends in every single democratic nation on this globe

      following the US policy of blocks

    15. Let's make sure that the future of industry is made in Europe.

      ambitious

    16. Last year I announced the European Chips Act. And the first chips gigafactory will break ground in the coming months.

      interesting pattern

    17. European Critical Raw Materials Act

      new

    18. one country dominates the market

      Russia or China?

    19. nd for this reason, I intend to put forward for ratification the agreements with Chile, Mexico and New Zealand. And advance negotiations with key partners like Australia and India.

      Will they respect environmental aspects?

    20. Trade that embraces workers' rights and the highest environmental standards is possible with like-minded partners

      Seeing how things work in Serbia with western companies, I am not really convinced

    21. Lithium

      for batteries

    22. rare earths

      for microchips

    23. raw materials

      focus on raw materials (dominantly held out of EU, many of which in Russia)

    24. As a first important step, we need to speed up and facilitate the recognition of qualifications also of third country nationals.

      important

    25. The summer of 2022 will be remembered as a turning point.

      this is certainly true

    26. Norway.

      Norway was not so keen in the recent past. Now, they might need to play along, but probably asking for some benefits in future

    27. But in these times it is wrong to receive extraordinary record profits benefitting from war and on the back of consumers.

      important change

    28. We will bring Ukraine into our European free roaming area.

      Fast-track free roaming. Balkans might be furious, but then again it makes sense

    29. In March, we connected successfully Ukraine to our electricity grid. It was initially planned for 2024. But we did it within two weeks. And today, Ukraine is exporting electricity to us.

      interesting

    30. Ukraine is already a rising tech hub and home to many innovative young companies. So I want us to mobilise the full power of our Single Market to help accelerate growth and create opportunities.

      Ukraine recognised as a tech hub

    31. The Russian military is taking chips from dishwashers and refrigerators to fix their military hardware, because they ran out of semiconductors.

      hm... likely in future, but - really, to put this into the speech?!

    32. And you have given hope to all of us.

      It is much about EU, not (only) about Ukraine

    33. Putin

      Direct name. I don't remember this ever. Yet, a signal it's about Putin, not Russia.

    34. our response was united, determined and immediate

      Longer term it might be tough and different, though

    35. months

      Rather years...


  2. Aug 2022
    1. AI and other new technologies will increase strategic instability.

      Another important element that the document realises: link between cybersecurity and AI. This is missing in OEWG discussions. There will need to be links of OEWG with AI-related processes like LAWS as well - or, at least, diplomats will need to be aware of all those other related processes.

    2. The United States has historically separated cyber and information security, but American adversaries have traditionally not distinguished between the two. In their view, the confidentiality, integrity, and assurance of computer networks are integral—and in some sense subordinate—to the battle over information spaces, and cyberattacks enabled significant capabilities in information operations. Numerous Russian documents and strategies describe cyber operations as integral to information security. After the creation of U.S. Cyber Command (CYBERCOM), at a meeting of Russian and U.S. defense officials, one Russian officer reportedly derided the lack of information warfare in Cyber Command’s mission. General Nikolai Makarov told his counterparts, “One uses information to destroy nations, not networks.”

      A well presented crucial difference between the two paradigms. Yet, this gap is vanishing. In a way, Russians (to the extent they were behind disinformation campaigns) managed to change the US position to accept the same paradigm.

      Could this close-to-common understanding that both networks and information are part of the dialogue change the course of future negotiations, and perhaps even allow for more space for compromise as everyone discusses the same issues?

      ||Pavlina|| ||AndrijanaG|| ||JovanK||

    3. Zero days are expensive to buy and develop. They have historically been deployed by state-backed groups, yet in 2021 one-third of all hacking groups exploiting zero days were financially motivated criminals.

      Important point: what used to be a privilege of big states in terms of offensive cyber capabilities (esp. weapons) is not any more - there are powerful criminal groups, dark researchers, international vulnerability brokers, and even legit businesses like NSO that offer tools and 'as a service' sophisticated attacks and tools. Though, most sophisticated and stealth attacks require more than that: lots of skills and (conventional) intelligence - resources that not many states have.

    4. The risk is not just financial. Ransomware attacks have paralyzed local governments, school districts, and hospitals. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for thirty hours, and the University of Vermont Medical Center furloughed or reassigned about three hundred employees after an attack on the hospital’s networks. Homeland Security officials worried that ransomware attacks on voter registration systems could disrupt the 2020 elections. In May 2022, the new president of Costa Rica, Rodrigo Chaves Robles, declared a national emergency after a ransomware attack by the Conti gang crippled the Finance and Labor Ministry as well as the customs agency. The group also posted stolen files to the dark web to extort the government to pay the ransom.

      Useful examples of ransomware effects ||AndrijanaG||

    5. Figure 4. U.S. ADVERSARIES ARE SPONSORING CYBERATTACKS

      Interesting breakdown of main attacks against US, including types and attributed sources ||AndrijanaG|| ||teodoramATnetwork.diplomacy.edu|| ||Pavlina||

    6. These types of attacks were, however, the exceptions. Over the last decade, most cyber operations have been attacks that violate sovereignty but remain below the threshold for the use of force or armed attack

      This is very true: most cyber attacks are sophisticated, multi-months, covert, serving for disruption or espionage, not for causing physical damage. This is changing somewhat with the power of ransomware, which caused tangible (though not physical) damage in cases like Colonial pipeline, Costa Rica state of emergency, etc.

    7. The U.S. withdrawal from the Trans-Pacific Partnership and continued aversion to multilateral trade agreements severely limit its ability to shape the rules guiding digital trade. Although the digital chapters of the U.S.-Korea Free Trade Agreement (KORUS) and the U.S.-Mexico-Canada Agreement (USMCA), as well as the U.S.-Japan Digital Trade Agreement, have strong protections for cross-border data flows, the United States has been sidelined as other trade groups come together. The Regional Comprehensive Economic Partnership (RCEP), an agreement among fifteen countries in the Asia-Pacific, for example, represents 30 percent of global gross domestic product (GDP) and entered into force without the United States on January 1, 2022. RCEP’s provisions regarding data localization, restrictions on cross-border data flows, and policies that champion domestic industry are, however, weak

      Useful overview of digital trade bilateral and multilateral processes where US is involved ||MariliaM||

    8. The United States has taken itself out of the game on digital trade.

      ||MariliaM|| What say you about this?

    9. For many years, this global internet served U.S. interests, and U.S. leaders often called for countries to embrace an open internet or risk being left behind. But this utopian vision became just that: a vision, not the reality. Instead, over time the internet became less free, more fragmented, and less secure. Authoritarian regimes have managed to limit its use by those who might weaken their hold and have learned how to use it to further repress would-be or actual opponents.

      A sobering thought: internet is not a mechanism of US foreign policy any more; rather, 'adversaries' are using it against US values more and more. Open internet is a utopia, it says.

    10. Analysis of the US cyber foreign policy, co-signed by the future US Cyber Ambassador just weeks ago. It signals what we can expect from the US digital foreign policy in the next years.

      In a nutshell, they recognise that their strategy of an open internet that would change autocratic societies has failed, that in reality internet is backfiring against US priorities through insecurity, disinformation, etc etc. They seem to give up on the single open internet, and opt for an open internet among like-minded. Importantly, they suggest a change of narrative from 'human rights' to 'free flow of data' to be able to bring on board also those countries that might not be fully democratic or for human rights only (esp. big states like Brazil, India, South Africa). In this regards, they opt for dialogue (read: concessions) with EU on privacy/GDPR and big tech…

      Further comments below.

    11. Develop the expertise for cyber foreign policy

      Cyber foreign policy is becoming recognised as an increasingly important field. It is not only for diplomats and decision makers, but increasingly for businesses and their officials as well - like CISOs which need to understand geopolitical momentum and consequences this has on the security of their systems...

    12. domestic intelligence gap

      What should this be about?

    13. offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure

      Adding more liability to businesses to clean their portions. This may bring in limitations by ISPs and cloud providers on the use of encryption, or allow them to do DPI to scan the packages. It may be tricky with regards to freedoms in some aspects.

    14. greater transparency about defend forward actions

      Also a very important proposal: greater transparency about weapons (exploits, vulnerabilities) and how these are collected and managed (that's VEP above) + about operations (who and how can deploy those and other tools, in what circumstances, under whose authorization, against what targets, etc)

      This was already raised at the OEWG through the Geneva Dialogue contribution.

    15. Develop coalition-wide practices for the Vulnerabilities Equities Process (VEP).

      It is good there is recognition that vulnerabilities are among key challenges. Current US VEP is a good and positive example, but not sufficiently transparent. It is not expected that US 'adversaries' will do the same, but they expect at least partners.

      Yet, an open question will be how to make sure other parties are not exploiting vulnerabilities (and thus having advantages)? It would have to be done as a combination of a) more secure products by partners (security by design practices), b) stricter supply chain control to avoid vulnerabilities in imported products, c) strengthening vulnerability disclosure processes and policies, as well as resources/capabilities (eg. finding ways to lure Chinese researchers to report vuln. to western institutions in spite of Chinese law)

    16. Declare norms against destructive attacks on election and financial systems.

      Possible further norms. Though the more norms they have, the bigger limitations the US will have on their possible offensive operations referred to above and below. ||AndrijanaG|| ||Pavlina||

    17. Create an international cybercrime center

      This is very strange and confusing. What should such a center do? Would it be a law enforcement body (but then there is interpol...)? Or forensics support? Or awareness and capacity building? ||AndrijanaG|| ||bojanakATnetwork.diplomacy.edu||

    18. Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation (GDPR). • Resolve outstanding issues on U.S.-European Union (EU) data transfers.

      US would need to find a way to agree on privacy, data, big tech issues with EU

    19. its policy for digital competition with the broader enterprise of national security strategy

      Washington to link its digital competition (economic and trade policies) with national security. Another signal that digital trade and data flow will be more strongly linked to national security.

      ||JovanK|| ||MariliaM||

    20. balance more targeted diplomatic and economic pressure on adversaries, as well as more disruptive cyber operations, with clear statements about self-imposed restraint on specific types of targets

      when it comes to adversaries, a combination of economic pressure and 'disruptive' (read also: offensive?) cyber operations - while respecting the OEWG/GGE norms endorsed by partners

      Question is if partners (esp. beyond EU - eg. India, Brazil) would accept that offensive approach of the US against their adversaries - even if respecting the norms and int. law?

    21. consolidate a coalition of allies and friends around a vision of the internet

      In other words, if internet has to fragment, let's make sure we get the biggest part of it ruled by a common set of rules that support democratic values.

    22. Cybercrime is a national security risk

      This is an important recognition: cybercrime used to be discussed separately from national security and int. peace and security. This won't be possible any more, because tools, tactics and procedures are similar (eg. ransomware, exploits), and resources of perpetrators are similar (eg. organised criminal groups) or adversaries are linked or work together (eg. APT groups with states).

      In that sense, keeping global dialogue about cybercrime fully separated from peace and stability won't be possible any more; there will need to be links.

      ||AndrijanaG|| ||Pavlina|| ||bojanakATnetwork.diplomacy.edu|| ||teodoramATnetwork.diplomacy.edu||

    23. Indictments and sanctions have been ineffective in stopping state-backed hackers.

      Another rather blunt recognition: indictments and sanctions don't work when it comes to deterrence. Yet, some believe they are powerful as part of a set of measures. (There is certain broader question about the effectiveness of sanctions, though)

    24. Norms are more useful in binding friends together than in constraining adversaries

      An interesting and well articulated point: US should make sure that friends and partners (in broader sense - esp. swing states) adhere to norms. They can't expect that Russia and China will adhere, so for them they might need a different approach (combining multiple options as discussed elsewhere in the document)

    25. The United States can no longer treat cyber and information operations as two separate domains

      Another merging area: information warfare and cyber conflict. For long, the US has been pushing back strongly not to bring discussions about content into cybersecurity discussions. It was the main difference between the US and Russia/China in understanding the scope. As content becomes weapon in full sense, this won't be possible any more. Likely, US will bring the two together in discussions with like-minded partners, but not (yet) in global negotiations where their 'adversaries' are present.

      ||AndrijanaG|| ||Pavlina|| ||asokemATdiplomacy.edu||

    26. Increased digitization increases vulnerability,

      As we would put it: "Whatever is connected can be hacked". The paper proposes further cooperation on reducing (and disclosing) vulnerabilities, and has some good points on zero-day exploits and various groups of adversaries.

      ||AndrijanaG|| ||Pavlina||

    27. Data is a source of geopolitical power and competition and is seen as central to economic and national security.

      Re-focusing from (promoting) values of an open society to (promoting) data flow and economic aspects

      ||MariliaM|| ||GingerP||

    28. U.S. policies promoting an open, global internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation.

      Fragmentation can not be prevented.

    29. As former Japanese Prime Minister Shinzo Abe put it, the goal should be to establish “data flows with trust,” not to promote Western-style democracy

      The key of the suggested new framing: it is not about western values of openness and human rights (that might not be acceptable by everyone) - it is about free and trusted data flow. This boils down to economy, and might be more broadly understood and endorsed.

      With Fick's background of entrepreneurship, and some signals in this document, as well as with the composition of the third departments of the bureau which deal with 'other' issues (norms, int. orgs, human rights), should we expect that his priority agenda will be digital trade? Thus, that we will see high importance of WTO and other digital trade negotiations (at least with 'like-minded' and swing states) in the future State Department agenda? ||MariliaM|| ||JovanK|| ||GingerP||

    30. The era of the global internet is over

      A clear and provocative thought, coming from the US. ||JovanK|| ||MariliaM|| ||sorina|| ||GingerP||

    31. Frankly, U.S. policy toward cyberspace and the internet has failed to keep up. The United States desperately needs a new foreign policy that confronts head on the consequences of a fragmented and dangerous internet.

      A blunt recognition that the former US approach to an open internet has failed. Also, a call for a new digital foreign policy.

      ||JovanK|| ||sorina||

    32. known cyber campaign to cause physical damage

      Same old vocabulary: Stuxnet, which destroyed a facility, was 'cyber campaign' ('to cause physical damage'), not 'an attack'. Yet, Iranian strike against Saudi Aramco (just a line below) is 'attack'.

      [Maybe it's only to me, but this is the same pattern of 'campaign' (and not 'attack' or 'aggression') against Iraq or Yugoslavia, yet 'aggression' (and not 'special operation') about Russia's strike against Ukraine.]

    33. Nathaniel Fick

      Nathaniel Fick is a likely future US cyber ambassador (ie ambassador at large, to lead the Cyber Bureau of the State Department). The report was prepared in July, when he was already the candidate. Thus, we can probably read this as his programme - or at least that he is not against it.

    34. Foreign Policy for a Fragmented Internet

      The title already signals what the paper confirms: US should/will accept that single internet is no more a reality.

  3. Jul 2022
    1. less than two weeks after CYBERCOM disrupted Trickbot’s operations, Microsoft engaged in operations toward that same end. Microsoft has previously coordinated botnet disruptive operations with the FBI, including the 2013 operations against the Citadel and ZeroAccess botnets and the recent disruption of the Zloader botnet.

      (continuation of the previous comment)

    2. Its Digital Crimes Unit applies legal and technical solutions to identify, investigate, and disrupt malware-facilitated cybercrime and nation-state-sponsored activity.

      This, and the example below, of Microsoft's actions against malicious infrastructure are worth exploring in greater detail. Part of it was taking over malicious domains - that is somewhat legal and certainly welcomed. But were there any 'penetrations' and exploits? I doubt so.

    3. Many U.S. private-sector companies have strong corporate incentives to support conformance with proposed prohibitive norms. Some also have the capacity, capability, and legal standing to engage in responsible, exploitation-based activities.

      A very interesting - and, indeed, dangerous - claim that companies have legal standing to engage in 'responsible, exploitation-based activities' against malicious actors.

      Does Microsoft really have legal ground to exploit any system (be it malicious or not) in another state - or even in the US? (Not to ask if this goes against its own philosophy against exploiting vulnerabilities and vulnerable systems)

      Do Huawei or Kaspersky have legal grounds to exploit systems in the NL or US - systems that they, or their governments, deem as malicious? What would the US say on such an occasion (even if they dismantle a C2 based in the US - which is, btw, host of the majority of malicious C2s)?

      From the US defence perspective, this is, of course, very acceptable. From an international perspective - including legal and diplomatic - this is very problematic. It could actually put private sector actors on the list of 'non grata' for many other countries, as they will be seen as breaching the sovereignty of states. It is counter-productive.

      This is not to say that such cooperation - and overall 'defence forward' - against malicious actors is a wrong way to go. It is not about 'if', but about 'how': if it is unilaterally done by the US (and allies), it resembles the US political and military dominance of the 21st century - its understanding of a role of international policeman. We have seen where that led geopolitically.

      It is much better to approach this 'new approach' through garnering broader international support for such actions - even through the UN. It is slower, but more legit and with less risk of escalations and further political polarisation.

      ||JovanK|| ||Pavlina|| WDYT - from legal and political perspective?

    4. CYBERCOM’s hunt-forward operations enable anticipatory resilience by discovering adversary malware, techniques, tactics, and procedures as well as indicators of compromise and releasing this information through VirusTotal and Cybersecurity and Infrastructure Security Agency (CISA) alerts to inoculate U.S. companies from malicious cyber activity.

      This is, however, different from active attacks: this is information sharing, which is - no doubt - very efficient and needed

    5. The FBI itself recently removed the CyclopsBlink C2 malware associated with a Russian APT-built botnet off of thousands of devices before it was activated toward malicious ends. It also closed the external management ports being exploited to access the C2 malware.

      Another useful example

    6. or example, to preclude technical disruption and interference in the 2020 U.S. elections, CYBERCOM reportedly engaged in an operation to temporarily disrupt what was then the world’s largest botnet: Trickbot.

      Useful example

    7. The U.S. Department of Defense’s defend forward cyber strategy as operationalized by U.S. Cyber Command’s (CYBERCOM) doctrine of persistent engagement embodies the notion of achieving security through responsible, persistent exploitation-based operations, campaigns, and activities.

      Link to US 'defence forward'

    8. Cultivating conformance through a cyber persistence-based approach should aim to coordinate campaigns among government agencies with cyber capabilities and authorities and, where possible, with private-sector actors that have legal standing to engage in such behavior

      Another explanation of 'cyber persistence' concept

    9. overt naming and shaming, which seeks to exert such pressures to achieve conformance, may be counterproductive to stability

      Valid point - naming and shaming attacks a reputation (and often without publicly valid evidence), which doesn't help de-escalation

    10. Covert operations scholarship suggests that secrecy dampens risks of instability by reducing potential pressures from domestic or other audiences and by allowing states to manage reputational concerns. Leveraging the “open secrecy” of persistent cyber campaigns is thus not just a more promising approach but also a more prudent one.

      Interesting point on covert operations, and the importance of reputation! When it comes to espionage and eventually striking malicious infrastructure, this may make sense. But if the strike spills over to an infrastructure that is critical or public (say: adversaries use a hijacked public infrastructure of a country - a hospital network or other - as part of their C2) covert wouldn't be covert any more, and could actually be both embarrassing and dangerous.

    11. It is time better spent tacitly communicating to the malicious source by exposing, disrupting, and contesting threatening behaviors.

      One 'problem' with many such analyses is that they only observe the US perspective. This is not healthy even from the military point of view, let alone from the diplomatic point of view (norms), which should strive towards a compromise.

      Let's put ourselves in the shoes of Russians, or China. For them, the threat is not cyber groups, but Microsoft, for instance. Microsoft is vulnerable; Microsoft is dominating the market and imposing solutions; Microsoft is engaging against their sovereignty... Whether we agree or not with this stand, we have to understand their view. Using this strategy, Russians would legitimately act against a threat to them: Microsoft. Or Cyber peace institute. Or any other institution which they deem causes a threat to them.

      If we 'legitimise' intrusion into other systems as defence, it may have a counter-effect of escalations, and setting erroneous precedents.

    12. revealing publicly indicators and warnings of malicious activity, the techniques, tactics, and procedures associated therewith, and malicious malware itself that was discovered after an opponent’s intrusion or in anticipation of one

      This is a second part of the suggested strategy - besides attacking malicious actors: it boils down to publishing the known details about the threat actor and threat infrastructure, and sharing all this intelligence among various actors. This info exchange indeed is a cornerstone of better protection.

    13. set security conditions in one’s favor by exploiting adversary vulnerabilities and reducing the potential for exploitation of one’s own

      This might look meaningful from the US perspective. But if you would put this in the mouth of, say, Russians - the US would be heavily against it. So 'it is in the eye of a beholder'. It is rather a military (zero-sum) than a diplomatic strategy (win-win).

    14. exploiting and then closing a vulnerability for the sole purpose of removing malicious malware

      In theory, this looks smart: you attack the attackers. There are good examples of successful campaigns (also illustrated below).

      In practice, it is not so smart: any exploitation of an existing vulnerability involves developing an exploit - usually a sophisticated one, if developed by the US security services, say. That exploit can leak (as we have seen before, from CIA stockpiles), and can get in hands of malicious actors including petty criminals (we have seen that as well).

      That's why 'closing a vulnerability' is done to prevent? Can't work. Even though 'zero days' are the most dangerous ones, most exploited vulnerabilities are actually years (and even decades) old - a CISA list of most exploited vulnerabilities, which it publishes regularly to motivate the CI sector to patch, shows just that. Thus there is no way to instantly close an old vulnerability around the world (even in the US) - and creating a powerful exploit for it doesn't help at all. If it is about a zero-day exploit, it is certainly welcomed that it would be reported to a vendor which would immediately patch it - but again, the existing exploit is even more dangerous, since the patching process will take years.

      In a word - very dangerous strategy.

    15. persist and responsibly leverage exploitation-based activities that preclude, inhibit, or otherwise constrain behaviors inconsistent with proposed prohibitive norms.

      Basically using activities that inhibit irresponsible behaviour

    16. cyber persistence, which manifests as a threat through the malicious exploitation of cyber vulnerabilities.

      new concept explained below - basically, 'defence forward' ie a) attacking malicious groups and infrastructure preemptively and b) sharing publicly information about those structures and attacks

    17. All three mechanisms have a poor track record, in isolation and in combination, for cultivating conformance by malicious state and non-state actors with proposed prohibitive peacetime cyber norms.

      Gut-feeling is that this is right - there is no high adherence to cyber norms. Here, an Oxford article is added to support this argument

    18. Martha Finnemore and Duncan Hollis outline three discrete mechanisms for cultivating conformance: persuasion, socialization, and incentives (positive and negative inducements).

      Useful resource by respected authors in the field: three ways that conformance is cultivated now - persuasion, socialisation, and incentives

    19. Unlike the U.N. GGE and OEWG products, the GCSC report proposes prohibitive norms addressing ongoing destabilizing behaviors.

      Good point that GCSC norms are more 'down to earth' and reflect actual problems

    20. States are engaging in a range of cyber behaviors that undermine peace and stability, but these proposed prohibitive norms do not address those behaviors. There is no reported instance of states engaging in cyber operations against another state’s cyber emergency response teams or using their teams for malicious purposes. And, although states have targeted critical infrastructure in armed conflict and non-state actors have done so in peacetime, the proposed prohibitive norms are not framed in a manner addressing that context or those actors, respectively.

      Interesting observation: that current prohibitive norms of GGE/OEWG actually mis-shoot. Example on CERTs is a good one: while this norm is important, it doesn't reflect the reality (there were no documented cases). The one on CI, however, doesn't stay: this is the major issue between the US and Russia - it is a valid norm.

    21. Interesting blog that comments on lack of conformance of states to cyber norms: that OEWG/GGE norms don't reflect the reality of attacks, while GCSC which reflect better are not in the game; and on three ways conformance is currently cultivated (persuasion, socialization, and incentives) - all three failing.

      Then, it proposes 'a new way' which should complement this process of turning norms into customary law - by inhibiting the ability for misbehavior/irresponsible behaviour. This should be done through 'defence forward': actively disrupting malicious groups and their systems (malware, botnet C2 infrastructure, etc.) before they strike (including through exploitation of vulnerabilities!), and publicly disclosing the information about such operations. To them, this would support better conformity to norms (by preventing them from misbehaving?)

      There are a number of valid points in the doc. But there are also many problematic ones; to start with - do you, by preventing someone from misbehaving, actually promote adherence to norms? Or are these two distinct issues - norms, and defence/military strategy?

      I added a number of comments throughout.

      ||Pavlina|| ||AndrijanaG|| ||JovanK||

  4. Jun 2022
    1. We express our concerns on the risk, and ethical dilemma related to Artificial Intelligence, such as privacy, manipulation, bias, human-robot interaction, employment, effects and singularity among others. We encourage BRICS members to work together to deal with such concerns, sharing best practices, conduct comparative study on the subject toward developing a common governance approach which would guide BRICS members on Ethical and responsible use of Artificial Intelligence while facilitating the development of AI.

      BRICS cooperation on AI. Nothing too specific (unlike in some other fields). Interesting that they spend space to address concerns ||JovanK|| ||sorina||

    2. Digital BRICS Task Force (DBTF) and the decision to hold the Digital BRICS Forum in 2022. We encourage the BRICS Institute of Future Networks and the DBTF to make suitable working plans at an early date, and carry out cooperation on R&D and application of new and emerging technologies.

      BRICS cooperation on emerging tech, including 'Institute for future networks' ||JovanK|| ||sorina||

    3. 38. We recognize the dynamism of the digital economy in mitigating the impact of COVID-19 and enabling global economic recovery.

      BRICS Declaration - para. on digital trade ||MariliaM||

    4. cyber

      single mention of 'cyber'

  5. May 2022
    1. digital technology and international peace and security

      This seems to be a new approach.. GGE was initially about 'IT in the Context of International Security'; in 2019 with a push of US (along with OEWG) it became 'State behaviour in cyberspace in the context of international security', while OEWG remained IT and int. security.

    2. have prosecutors collect evidence to build cases for war crimes,

      Re. use of data collection (and, perhaps, cyber breaches and leaks into Russian networks?) to prosecute for crimes in Ukraine?

  6. Mar 2022
    1. Place for discussion on the multistakeholder internet sanctions proposal ||MariliaM|| ||JovanK|| ||AndrijanaG|| ||sorina|| ||StephanieBP||

    2. whether the IP addresses and domain names of the Russian military and its propaganda organs should be sanctioned

      It is important to clarify if this proposal is only about IPs and domains. If so, then the 'norms' for blacklisting exist already for security; the problem is propaganda - but one can't set the norms on this so easily (it is about the content, not the IP addresses)

    3. consensus-driven process

      Again this may be well suited for years-long governance processes. When sanctions are imposed, this is done in severe war cases where decisions need to be taken almost instantly.

      One way is to pre-define rules, and be prompt with applications - almost like an algorithm (smart contracts?). The problem is that each war/conflict has its own context, and assessment of violation of some norms (what norms?) is not straightforward.

      While this entire proposal is legit, it seems irrational/not implementable.

      Maybe a better way / next step is to

      • develop some guidelines in MS fashion
      • develop proposals for assessment and bringing decisions
      • impact governments to, in future, consult with those mechanisms and the MS community (while not expecting that the MS community will decide). As long as the MS community has clearer arguments, govs may be more inclined to listen (at least in the West)

    4. assess violations of international norms

      This is a very hard task: the entire OEWG debate is now about how to assess violations of norms. In this case, we don't talk about only cyber-norms but various political norms, international law, etc as an argument for sanctions - this is not a technical decision (though it could well be multistakeholder)

    5. organization that chooses to subscribe to the principles and their outcome

      Left to the choice of organisations to subscribe and implement - voluntary

    6. anctioned IP addresses and domain nam

      Again, who decides on what is sanctioned? The proposal is not clear on this. That is not a technical issue - implementation may be technical.

    7. imilar in scale to NSP-Sec or Outages,

      These are very engineering fora. The concept of an engineering approach makes sense in implementation (e.g. when combating spam and IP blacklists) - but the main question is who decides what the blacklists are, and how?

      In security/technology, it is rather clear (you can quantify certain attacks or spam or packets coming from an IP or ASN), but here it is a human and political filter.

      • How do you quantify and measure the malicious impact?
      • Who gets to decide?

    8. responsibility of the global Internet governance community to weigh the costs and risks of sanctions

      This goes well in line with strategic positions of the West. But, will the West (governments) now say 'this goes too far'?

    9. Internet governance community may wish to consider in its deliberative processes

      This sounds legit, but is hardly possible - MS governance takes years to build any mechanisms and decisions; during wars, decisions have to be taken on hourly basis...

    10. It is inappropriate and counterproductive for governments to attempt to compel Internet governance mechanisms to impose sanctions outside of the community’s multistakeholder decision-making process

      Here it explains - and it explains it well, I would say

    11. currently does not easily lend itself to the imposition of sanctions in national conflicts

      Interesting wording 'does not lend itself'. Or multistakeholder governance doesn't allow unilateral decisions? or?

    12. Military and propaganda agencies and their information infrastructure are potential targets of sanctions

      Legitimate targets of operations. But it gets very tricky in digital times to say what is military (as we see cyberattacks for instance running from civilian servers; or sanctions being evaded through other channels) and certainly what is propaganda (it's not just specific broadcasters - and not everything done by those broadcasters is propaganda (e.g. some might be fundamental information), but also social media, etc.). How to distinguish?

    13. The effectiveness of sanctions should be evaluated relative to predefined goals

      This is a general concern, to what extent sanctions are useful at all in various circumstances. As with every other 'weapon', economic sanctions should follow proportionality and necessity.

  7. Feb 2022
    1. Very interesting text which talks about the limits of further scaling of transistors on a chip. Will we soon have to live with the same iPhone for 10 years or more?

      In a nutshell, as we approach 2nm technology (TSMC is working on 3nm), we will face limitations of physics, where we won't be able to scale further with the current technology. The semiconductor technology that we have developed since the 50s reaches its end.

      We will need a tectonic innovation (quantum perhaps? but it also relies on current semiconductors' technology in some proposals). Otherwise, we won't be able to get faster chips any more.

      How will this impact the development of chips and geopolitics around this? How will this impact innovations?

      ||JovanK||

    1. The proportion of global chips sold by China is rising (see chart 1)

      Tech development of developing countries is crucial for China - export demands there are increasing

    2. America’s own semiconductor toolmakers still count China as one of their biggest markets

      This is the key: US markets want China in!

    3. focus on protecting trade secrets

      Is that not even less possible today? Innovation and production are not only in the IPR, but also in human capacities and labour - and this is where the West (still) dominates

    4. “Many are sceptical because they’re not sure whether or not Biden will be around,” says Richard Thurston, once the top lawyer at the Taiwan Semiconductor Manufacturing Company (TSMC)

      Taiwan is in an interesting situation. Probably the only thing that ties the US support to it is semiconductors. If they give it away to the US or others, they have no safeguards any more; at the same time, they are forced to give bits away by developing TSMC factories in the US (though not the key technology), to avoid Intel and others catching up... It is a 'to be or not to be' for Taiwan.

    5. Likewise SMIC can get older chipmaking tools but not the latest versions that can be used for chips that go into iPhones and self-driving cars

      This depends on manufacturing equipment, where US, Japan and NL dominate

    6. access to chips and chipmaking tools above a certain level of sophistication

      This is the key, but not just for China - there is a global bottleneck with only Samsung and TSMC being able to produce them

    7. prospect of American-Chinese chip trade ever reviving

      I think this Rubicon has been crossed already, and not just in US-China relations: states understand they can't rely on the global supply chain any more (due to both China and the US). Is there a way back for this trust anyhow? ||JovanK|| ||MariliaM||

    8. The Europeans and the Japanese both want a more formal multilateral approach

      Could this be the next rift in the western positions - on where chip export rules should be drafted? ||JovanK|| ||MariliaM||

    9. had been poised to sell its most sophisticated tools to SMIC, China’s biggest and beefiest chipmaker. Japanese and American officials rounded on the Dutch government, which duly refused to give ASML a licence to export its cutting-edge machines to SMIC

      What is the NL and EU position on this?! ASML is Dutch ||JovanK||

    10. Quad, a club of countries that embraces America, Australia, India and Japan

      Yet Quad has no producers of high-end semiconductors - Taiwan or S Korea

    11. Wassenaar so that it might help control the trade in semiconductors. But few expect it to play that role, not least because Russia is a member

      Understanding chips as 'dual use technology' may be an overstretch. It is rather a commodity, though scarce (and not for natural reasons like oil, but for purely political and investment reasons related to know-how and production)

    12. policy over the trade in chips and the equipment and material

      Does this trade and export of semiconductors generally fall under the existing WTO rules? If so, were WTO rules broken by the US policy? ||JovanK|| ||MariliaM||

    13. in 25 years he has never seen semiconductors so consistently top the diplomatic agenda

      Is it only in the US, or do the EU and others have it high on the agenda? While the EU is making steps for independence on these grounds as well, is it actually still hoping (and pushing) for a global supply chain and the end of the US export policy/foreign affairs push?

  8. Jan 2022
    1. the U.S. government passed a sweeping cybersecurity bill called the Internet of Things Cybersecurity Improvement Act of 2020 at the very tail end of that year. The law is a more flexible and adaptable approach to cybersecurity than previous laws. Crucially, it requires the National Institute of Standards and Technology to establish best practices that other government agencies must then follow when purchasing IoT devices. The initial rules unveiled by NIST in 2021 include requiring an over-the-air update option for devices and unique device IDs. And while the law pertains only to devices purchased by the U.S. government, there’s little reason to suspect it won’t have ongoing and broad effects on the IoT industry. Companies will likely include NIST’s cybersecurity requirements in all of its devices, whether selling to the U.S. government or elsewhere.

      About US IoT cybersecurity improvement act 2020

    1. Of the big three vendors, only Huawei is not a member, citing its belief that Open RAN systems cannot perform as well as the company's proprietary systems

      It will be important to follow China's attitude towards ORAN. Currently, it seems ORAN is not as efficient as proprietary - but this is likely to change. At some point, Huawei's model may become less 'sellable' (ultimately, operators around the world decide on profit, especially when the difference is big). Will Chinese industry ultimately turn to ORAN to some extent? Also, will China try to 'emphasise' some of the weaknesses of ORAN, e.g. through cyberattacks against its virtualised elements? ||JovanK|| ||sorina|| ||AndrijanaG||

    2. Open RAN is here to stay.

      This is certain. It provides business advantages to operators, allows a new market to bloom, reduces dependencies, and has political impact. It will unbundle RAN dependencies and the supply chain. Yet, it has drawbacks that we have to study.

    3. When an operator buys an end-to-end system from Nokia or Ericsson or Huawei, it also knows it can depend on that vendor to support the network when problems crop up. Not so with Open RAN deployments, where no single vendor is likely to claim responsibility for interoperability issues. Larger operators will likely be able to support their own Open RAN networks, but smaller operators may be reliant on companies like Mavenir, which have positioned themselves as system integrators.

      Another possible drawback of ORAN: ensuring interoperability of various vendors, in contrast to responsibility of big vendors (similar challenge to open source software). Open question: how can this impact security (similar to open source security issues)?

    4. Rakuten, in particular, faced some initial setbacks when its Open RAN network's performance didn't match the performance of a traditional end-to-end system

      (Current) Drawback of ORAN: Performance

    5. After a mandate from the British government to strip all Huawei components from wireless networks, England-based Vodafone is replacing those components in its own networks with Open RAN equivalents. Because of similar mandates, local operators in the United States, such as Idaho-based Inland Cellular, are doing the same.

      Politics influence uptake of ORAN as well: eg. Huawei ban

    6. RAN Intelligent Controller. The RIC collects data from the RAN components of dozens or hundreds of base stations at once and uses machine-learning techniques to reconfigure network operations in real time.

      Benefits of software-driven RAN: fine-tuning the performance in real time, including through AI

    7. Every generation of our networks basically rely on special-purpose hardware with tightly coupled software. So every time we need to have an upgrade, or new release, or new fractional release, it takes years." In order to move away from a hardware-centric attitude, the O-RAN Alliance is also encouraging the wireless industry to incorporate more software into the RAN. Software-defined networks, which replace traditional hardware components with programmable software equivalents, are more flexible.

      Another benefit of ORAN for operators: moving away from hardware dependencies and lack of flexibility to update the network, towards software-driven RANs which are more flexible, updatable, and allow options for re-calibrating the network in real time

    8. The goal in creating open standards for multiple kinds of splits is that operators can then purchase better-tailored components for the specific kind of network they're building. For example, an operator might opt for Split 8 for a large-scale deployment requiring a lot of radios. This split allows the radios to be as “dumb," and therefore cheap, as possible because all of the processing happens in the centralized unit.

      Benefit of ORAN options for operators: they can fine-tune network architecture, vendors, dependencies, costs

    9. inevitably create more points in the network for cyberattacks

      Important issue to study. Argument that more open standards bring more risks is somewhat true: it is harder to create attacks against more closed and specialised networks (plus, an attack against Huawei's network couldn't be applied to Ericsson's, etc) - but obscurity is not really a cure for security (most experts don't believe in 'security by obscurity'). More important element is that much of the functionality of ORAN will be moved to software and cloud, much like other ordinary services. This makes core telecom networks more 'ordinary', and prone to common cyber-attacks and vulnerabilities related to common digital networks. It is important to further study those risks. ||AndrijanaG|| ||VladaR||

    10. Open RAN makes it easier to focus on developing new software without worrying about losing potential customers intimidated by the task of integrating the tech into their wider networks

      ORAN opens up advancement of software solutions for 5G networks - key to virtualisation

    11. A very good reading that explains technical details (in light language) of O-RAN and future of 5G/6G networks in terms of software virtualisation, supply chain diversification, pros and cons. Useful for DW on 5G, for ITP course, our work on standards, etc ||GingerP|| ||sorina|| ||JovanK|| ||VladaR||

    12. Proposed Open RAN Functional Splits

      Great visual of ORAN split options

    13. Open RAN is making it possible to pick and choose different RAN components from different vendors

      Result of fragmentation of the RAN technology into smaller functions

    14. New wireless generations maintain backward compatibility, so that, for example, a 5G phone can operate on a 4G network when it's not within range of any 5G cells. So as operators build out their 5G deployments, they're mostly sticking with a single vendor's proprietary tech to ensure a smooth transition.

      Another reason why telecom operators get bound to major 5G operators for longer - and they want to avoid this

    15. In current 5G systems, the baseband unit splits those tasks between a distributed unit and a centralized unit. Open RAN concepts hope to build on that split to create more flexible, thinly sliced RANs.

      The key of the technical aspect of ORAN: to break down the technical structure into smaller pieces, based on the functions the pieces perform. This can mean dumber (and cheaper) radio units vs smarter baseband units (which can also be more software-based), or vice versa as described below in the text

    16. RAN is the most expensive part of an operator's deployment," says Sridhar Rajagopal, the vice president of technology and strategy at Mavenir, a Texas-based company that provides end-to-end network software. “It takes almost 60, 70 percent of the deployment costs."

      Important: RAN takes vast majority of costs.

    17. they see Open RAN as a necessary tightening of the specifications to prevent big vendors from tacking their proprietary techniques onto the interfaces, thereby locking wireless operators into single-vendor networks

      So it's not so much about ensuring interoperability as it is about avoiding big players locking them up

    18. O-RAN Alliance members hope Open RAN can plug the gaps created by 3GPP's specifications

      ORAN opens the network to diversity, but it doesn't necessarily help interoperability?

    19. there is currently no guarantee that a radio manufactured by one vendor will be interoperable with a baseband unit manufactured by another vendor.

      In spite of existing standards, there is no one who can guarantee that standards make products of various vendors fully interoperable. Later in the text, it says that this remains sort of a challenge with ORAN as well - as the network gets more diversified in terms of vendors, more vendors should be 'held to account' for interoperability. ||sorina||

    20. The group formed in 2018, when five operators—AT&T, China Mobile, Deutsche Telekom, NTT Docomo, and Orange—joined to spearhead more industry development of Open RAN.

      ORAN emerged from the challenge of telecom operators which were bound to one of the three providers - and often remain locked in for years. Politics didn't seem to play much at the time (though Huawei bans contributed, in the UK and US, to the boost of ORAN) - but may capitalise on it.

    1. Smartphone users in China

      It's not only about China and US, but all the others that would have to choose 'binary'.

    2. concepts like privacy, security, or sustainability

      These concepts are very broad. The devil is in the details, as the examples below show. It will get increasingly complex to understand how each bit of technology (like the examples below) impacts values and principles!

    3. The European Union has previously passed laws protecting personal data and privacy such as the General Data Protection Regulation (GDPR).

      Linked to above: should laws be embedded into standards? Or, rather, standards could enable implementation of law, but leaving it open whether this is used or not?

    4. personal liberty, data security, and privacy in Europe, and if we wish our new technologies to support those views, it needs to be baked into the technology

      This is important: attempts to enshrine various political/societal values into standards (be it by US, EU, or China). This seems to be new, and game-changing - it's not about market and efficiency of technology (only) any more. ||JovanK|| ||sorina||

    5. will drop

      Will Huawei and China gain anything from fragmentation of standards? On the contrary - same as the US, they will lose the global markets they want to dominate (and particularly developed countries which are mainly close to the US).

    6. Sources that IEEE Spectrum spoke to noted how the move increased tensions in the wireless industry,

      Now this is a real concern, I would say - the US steps against Huawei, rather than Chinese expected push for standards dominance (same as everyone else does).

    7. There is a lot of money, prestige, and influence in the offing for a company that gets the tech it's been championing into the standards.

      So, what's really new there?

    8. autonomous vehicles and holographic displays

      Interestingly, this was the same challenge for 5G: what will it really be used for, that current networks can't allow? And autonomous vehicles are one of examples for 5G; so what's new? There will be many speculations about why 6G is really needed (also as a business model), that 5G can't give (beyond mere speculations).

    9. spectrum sharing

      This will maintain the main role of ITU - esp. this interplay with satellites and frequencies. There is an intrinsic political component in it: states' regulators are the ones that determine national spectrum allocation, based on intern. agreements in ITU. This is unlikely to change.