Geneva workshop on Cyber Security and Warfare

On 19-20 December 2018 Pugwash held a workshop in Geneva, co-sponsored and hosted by the Geneva Center for Security Policy (GCSP), on the topic of cyber security and warfare. The meeting gathered together 20 experts and practitioners for a broad set of discussions. An underlying theme was to understand how cyber-attacks might trigger or exacerbate conflict at the international level, particularly where it concerns the core Pugwash interests in the nuclear and WMD realm. The goal of this preliminary meeting, held in a particularly difficult climate for arms control in general, was to discuss the scope of where Pugwash can make an impact in a future program of work.

Read the full Geneva Cyber Workshop Report

Summary of Ideas for further exploration and elaboration

While reinforcing and implementing existing or future norms and obligations in the cyber realm is a key task for the international community, the focus was on future confidence-building measures (CBMs) for reducing tension and mitigating conflict, and on measures that would avoid potentially catastrophic events.

  • International database of national points of contact for addressing cyber security threats and actions. Establishing national contact points for cyber incidents (“cyber defense centers”) could provide a coordination mechanism (for example through hot-lines) to facilitate State interactions regarding the tracing, assessment, and attribution of various cyber-attacks and activities. Such an infrastructure could foster cooperation among State actors at a bilateral or multilateral level, including regional arrangements; technical-level cooperation (through CERTs, for example) would be scaled up at the inter-State level.
  • Alternative centers and capability of communications and analysis relying on public-private partnerships. As a model, networks of such communications already exist at academic or private levels, showing that it is technically feasible.
  • Encourage the sharing of Indicators of Compromise (IoC) via established methods (e.g. MISP[1] or similar tools), possibly through a trusted entity for cyber-threat intelligence sharing at the international level, taking the business impact for security companies into account.
  • Make mandatory the publication of vulnerabilities for the sake of improving the defense of critical infrastructures but also normal constituencies and citizens.
  • Put in place national and international “Bug-bounty” programs, with defined revenues on first findings, proportional to distribution of the vulnerable software, paid by the corresponding manufacturer in case of proprietary software and by a central pool for open source software, in collaboration with already established organizations (e.g. MITRE[2], CVE[3]).
  • Endorse the integrity of encryption protocols by opposing any process of weakening (e.g. by backdoors, reduced key-length, shared decryption keys, etc.).
  • Explore how to prohibit the proliferation of cyber-weapons (e.g. malware) and the pre-emptive deployment of those for later offensive usage.
  • Large-scale publication of incident reporting in cyber-attacks.
  • Analyze which approaches/tools of arms control are relevant for the cyber sphere and focus on the distinctive characteristics of this warfare domain. In this context, the experiences and possible lessons of other regimes should be considered (e.g. the Biological Weapons Convention).
  • Development of P-5 work/statement on “Cyber and Nuclear Forces”.
  • Reiterated commitment to existing IHL obligations on the non-attack of nuclear or critical infrastructures and non-military targets.

[1] MISP – Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

[2] MITRE Corporation

[3] CVE – Common Vulnerabilities and Exposures