Pugwash Workshop on cyber security and resilience against emerging national and international threats

Pugwash

On March 31st – April 1st 2022 Pugwash hosted an online workshop on Cyber security and resilience against emerging national and international threats.

The workshop was organised as a continuation of the discussion on the Risk to Peace and Stability from the Cyber Domain and it was the fourth in the series of Pugwash cyber-workshops concerning the ICT and international security since 2018, gathering a total of about 70 experts and practitioners from Europe, North and South America, and Asia, focusing on a broad set of specific themes. This meeting convened the experts and academics in computer science and security, artificial intelligence, political scientists, as well as diplomats.

Discussed topics include:

  1. Cyber security of the Nuclear Command and Control
  2. Cyber diplomacy and multi-stakeholder approach
  3. Cyber Warfare and conflict
  4. Information Operations
  5. Emerging treats (AI, LAWS)

Brief summary of Main Discussion Points includes the following significant points:

  1. The communication infrastructures between relevant national authorities (governments, agencies, etc.) have to be available during conflict times, through secure and reliable communication lines and backups, to allow exchange of information to avoid misinterpretations of events and as a confidence building measure, essential to conflict termination.
  • We support Multi-stakeholder approach to global security, as followed by the UN cyber-OEWG (Open Ended Working Group) and complimentary to the UN cyber-GGE (Group of Governmental Experts) which includes a limited participations of a few nation states. This approach appears a step forward in the international debate, it involves very relevant non-state actors/entities within the global cyber ecosystem allowing a multi and interdisciplinary intrinsic view, with participation from the private sector, technical communities and academia, regional organizations and civil society. To improve the cyber ecosystem, we need to ensure accountability and liability at the national level by the developers of software concerning the security of their products, for example, through mandatory government-supported bug bounty programs or other economic measures.
  • The problem of reliable attribution of cyber-attacks has been analysed through some past events, underlining possible overlapping of law enforcement and national security domains. Is attribution a technical activity only (packet level), or does it also include additional information (from intelligence) which may not be accessible? Showing proof can be highly problematic and unlikely to be agreed to by nation-states. Is attribution at the intelligence level less difficult than at law enforcement level? In particular, attribution in real time is a very difficult task; for a fully definitive attribution, significant time is needed for the analysis process, including sources of intelligence.

Session 3 also included a discussion on Machine Learning for Critical Infrastructures attack and defence. To train Machine Learning for intrusion detection, more comprehensive information exchange is needed about cyber-attacks. However, ML cannot be fully trusted at the current stage, due to explainability challenges.

  • Information operations are not equal to fake news, as fake news is not directly related to propaganda and disinformation. There is a high importance of bots in spreading the misleading information, and tools for their detection have to be developed.

In general, the term “fake news” is an abused one, as the content may be relevant to very different activities and goals, from disinformation, to consensus building, defamation, to influence attitudes and manipulate perceptions, emotions and behaviour; Real fake news (i.e. mistakes made by media) are sporadic and irrelevant; focus should be given to the specific context of each particular event in order to identify the proper scope.

This trend of propaganda and disinformation is worsened by the growing use and sophistication of so-called “Deepfakes”.

  • Advantages and drawbacks of Autonomous Weapon Systems (AWS) and use of Artificial Intelligence (AI) in military decision-making have been discussed, including danger of destabilization/escalation in crisis scenarios.  AI-powered AWS, similarly to other systems developed on the basis of machine learning, face the challenges of explainability and brittleness outside narrowly defined conditions of use. False positives are not acceptable when taking a “life or death” decision. The legal and political debates are lagging behind technological developments and often are still at the stage of defining “autonomy” of such systems.

The idea of imposing meaningful human control (MHC) on AWS is widely shared in political and diplomatic communities, but the actual contents of this relatively vague requirement still stand in need of clarification. Given the wide variety of AWS and their prospected contexts of use, it seems that one size of MHC will not fit all AWS. Any international agreement based on this idea needs proper limitations, scope, and detailed requirements for exerting genuine MHC over AWS, otherwise it will lack operational contents

Possible implications of AI on nuclear deterrence policies have been also discussed. These may arise from AI-powered, autonomously navigating underwater unmanned vehicles (UUV) identifying and trailing submarines armed with ballistic missiles, or from AWS having the potential to tilt conventional military balance on the battlefield and to provide adversaries with new incentives to threat the use of nuclear weapons to avoid defeat.

Based on the series of discussions, the following recommendations and areas for further exploration and elaboration have been identified.

Key suggestions, introduced by the workshop include:

  • Nuclear cyber nexus
  • Cyber warfare and Cyber diplomacy: Pugwash contribution to the UN cyber-Open Ended Working Group (OEWG)
  • Emerging technologies and AWS

These topics will be addressed at the next Pugwash International Conference in Doha or in future Pugwash initiatives.

Cybersecurity is not limited by local or national borders and is a global issue, where nobody is safe until the weakest link is safe.

Authors
Gian Piero Siroli, Pugwash lead on cyber security issues
Götz Neuneck, Pugwash Council
Paolo Cotta Ramusino, Pugwash Secretary-General
Stanislav Abaimov, rapporteur

DOCUMENTATION LINKS