> On Nov 29, 2017, at 6:19 AM, Hendrik Jaeger <swi...@henk.geekmail.org> wrote:
> Since I have hardly thought about this topic (attacks against civilian
> infrastructure), my thoughts are still rather unstructured, but I feel
> it important to give you feedback, especially as I see no other
> feedback on this list.

Thank you.  It’s an area that we’ve been working to try to improve since the 
1996 “Eligible Receiver” attacks, and I’m always happy to see public discussion.

> - what _exactly_ am I stating with my answers?

Your opinion of the relative priority of protecting (or not protecting) each of 
these categories of infrastructure from cyber-attack by national governments 
outside of the context of a declared war.  That last part we can’t hope to do 
anything about at this stage.

> - how will the results be used?

We are using the results to prioritize the types of infrastructure that are 
explicitly called out for protection against attack in the draft norms.  We 
started with the phrase “the public core of the Internet” (contributed by the 
Dutch foreign ministry) and the phrase “the central forwarding and naming 
infrastructures of the Internet” (contributed by PCH and the IETF) and have 
been trying to work toward a more broadly-informed expert consensus which is 
also more specific.

Ultimately, if the norm is successful, cyber-offense military officers will 
need to extract (“whitelist”) the IP addresses of these infrastructural 
elements from the lists of IP addresses being attacked, so if the definition is 
insufficiently specific, we risk it being ignored completely, or discounted as 
unactionably vague.  On the other hand, if it’s too specific, we risk loophole 

> - By saying "I do not consider it necessary to include X in this
>  protection from government attacks" do I not implicitly say "I
>  consider it OK for governments to attack this infrastructure”?

Rankings to the left of the center on the slider do imply that, yes.  While 
rankings to the right of the center on the slider imply that you believe some 
degree of protection, exclusion from attack, is warranted.

> - By saying "Governments should never attack Y", what are the
>  implications for private law? Does one (not being a government) become
>  a terrorist when one attacks Y, or is one still "just" a criminal?

The goal we’re working toward at this stage is a norm, rather than a treaty, so 
somewhat less formal.  Countries which abide by the norm would make efforts to 
behave well themselves, and to use their own domestic laws to encourage the 
people within their borders (because diplomacy is Westphalian) to also respect 
the norm and the protections it describes.

So, although the original goal was to describe protections for civilian 
infrastructure against government attack, the effort has shifted slightly to 
encourage governments to also try to get their residents to not participate in 
such attacks, either.

All in all, it seems like a good thing, and the consensus of the diplomats 
involved was that that was not a poison-pill…  it would not make adoption of 
the norm less attractive to governments.

> - There are similar things in effect already, and there are a lot of
>  players who simply do not care about it.

Perhaps similar, but there is no norm on this topic which enjoys any consensus. 
 The effort in the UN failed.

And if by “similar” you mean comparable-but-in-other-fields, like nuclear 
nonproliferation, or climate protections, or non-use of landmines, sure, there 
are lots of norms out there, and they all have different levels of adoption.  
The most successful ones also tend to be the most obvious and the least 
far-reaching.  Those can serve as easy building-blocks toward more ambitious 
agreements that can then follow, but couldn’t have been reached in a single 

> I don’t think Guantanamo is in any way in concordance with a lot of law.

A norm is not law.  A norm encodes a common understanding of shared social 
values.  If a country’s government does not share those values, it won’t 
ascribe to the norm, or it will do so in name only, but will not actually abide 
by it.  National governments are sovereign, and are only responsible to their 
citizens if to anyone at all.  That’s the unfortunate reality that we find 
ourselves in.  But the building-block we have is social ostracization.  If a 
country fails to abide by a widely-adopted norm, it finds itself isolated 
diplomatically, and that has real costs in achieving its objectives.  That’s 
all the stick we have, but we have to fashion that stick, and in doing so, we 
have to reasonably judge the compromise between making it too weak (which 
allows governments to claim to abide by the norm while not actually improving 
their behavior) versus making it too strong (which reduces consensus on its 
adoption, and weakens its effect).

In that context, it’s important that we prioritize what we want to protect as 
accurately as possible.

It turns out that experts on Internet infrastructure believe that “wealth 
management” services do not require any special protections, whereas Internet 
exchange points and the power grid do.  No big surprise there.  That’s not to 
say that the 1% wouldn’t be awfully unhappy if they found their private bankers 
to have been compromised, but it is to say that we don’t need to spend our own 
effort on that particular battle while IXPs and the power grid still aren’t 

> NSA and CIA don’t seem so very concerned about too many regulations

That’s not exactly how I’d put it.  They employ a vast number of lawyers to 
contrive baroque explanations for why what they’re doing is ok, for 
radically-unrecognizable values of “ok.”

But yes, fundamentally, this effort pits the US, Russia, and China, against 
pretty much all the other governments of the world.  On the one side are a very 
few countries which do not want to see their self-defined “right” to attack 
other people at will called into question.  On the other side are all the other 
countries, which view the operation of the Internet as being critical to the 
wellbeing of their people and the functioning of their economies, and don’t 
want that undermined.  There are a very few other countries which are on the 
fence, but they’re not really diplomatically significant in the numbers that 
we’re talking about here.

> How is this different?

When the CIA does a drone strike against a hospital, after having been duly 
informed of the location of the hospital, the US government loses face, loses 
friends, and loses diplomatic influence.  That’s a violation of the Geneva 
Conventions.  In cyberspace, we have no equivalent of the Geneva Conventions, 
which is recognized as holding sway by most nations.  Thus when the 
cyber-offense units of the US, Russian, and Chinese militaries conduct attacks 
against civilian infrastructure, there’s little to no diplomatic consequence.  
Gaining widespread adoption of a norm on cyber-offense is the first step toward 
that goal.

>> It’s being taken seriously by governments
> Hahahahahahahahahaha
> Sorry, but I’d love to know which governments you are talking about.

Netherlands, Estonia, Singapore, India, France, Kenya, as a few examples that 
are particularly active in the current effort.  If you look at the previous 
effort in the UN, you see the following countries participating:

2015: Belarus, Brazil, China, Colombia, Egypt, Estonia, France, Germany, Ghana, 
Israel, Japan, Kenya, Malaysia, Mexico, Pakistan, the Republic of Korea, the 
Russian Federation, Spain, the United Kingdom of Great Britain and Northern 
Ireland and the United States of America.

2013: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, 
Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of 
Great Britain and Northern Ireland and the United States of America.

2010: Belarus, Brazil, China, Estonia, France, Germany, India, Israel, Italy, 
Qatar, the Republic of Korea, the Russian Federation, South Africa, the United 
Kingdom of Great Britain and Northern Ireland and the United States of America.

Note that the three countries which don’t want to see consensus in this area 
participated each time, and indeed, it proved impossible to reach consensus 
under those conditions.  When I say “taken seriously” I don’t mean that they 
all agree, I mean that they think it’s important.

And I think it’s vastly more important to figure out what 90% of the world 
agrees on, than what the US, Russia, and China, don’t disagree with.

>> cyber-attack X”).  The other is addressing the question of what
>> infrastructures should be protected (i.e. what is the X that
>> shouldn’t be attacked). I’m chairing that second working group. The
>> main thing we’re delivering in Delhi is the result of a survey of
>> what infrastructure people think should be protected.
> To give my answer to that questions: all.
> Why should _any_ _civilian_ infrastructure _ever_ be a target for
> inter-national disputes at all? In how far is that ok?

I agree, and that’s exactly my motivation, and PCH’s organizational motivation. 
 However, we’re a small organization, and cannot reach “all” in a single step.  
With the concurrence of many like-minded governments, however, we can advance 
toward that goal by taking a number of smaller steps, and gathering momentum 
along the way.  The fact that the entire goal cannot be reached in a single 
step is not a reason to avoid working toward the goal.

> If we do need rules, how about "don’t attack anyone"? And if anyone
> breaks that, one has to answer in a courtroom and bear the consequences
> of ones actions.

Unfortunately, Westphalia.  And armies.  So, it would be nice, but people with 
guns don’t want to listen to us.  And we can’t force them without stepping down 
to their level.  And I hope that’s not a compromise that any of us would make.

> It only takes a couple of minutes when one does not question the
> premise and actually thinks about this topic. Please be honest about
> this. You are chairing that working group. There is nothing easy about
> that topic.

Indeed, it’s a very difficult topic, and has taken a portion of my time and 
effort for more than twenty years, now.  Likewise, it’s taken the time and 
effort of a number of other people.  But we can’t expect everyone to put very 
much time and effort into it, regardless of how right-thinking they may be on 
the topic, because people have lives and work and those must be attended to.  
So, I try to bring other people into the process when I have some degree of 
confidence that the amount of their time that I’m asking for is an amount 
that’s justified by the benefit, and is unlikely to be wasted.  The survey 
you’re seeing is a vastly-simplified one that’s distilled from the results of a 
previous survey that had several hundred much more specific questions.  A much 
smaller number of people were able to afford the time to work through it, but 
their contribution was very valuable, in that it allowed us to draft this 
simpler one, based on its results.

When you say “question the premise,” do you mean the implicit premise that it’s 
possible to assign relative priorities to the protection of these different 
infrastructures, when you’d much rather none of them were attacked?  Or do you 
mean something else?

This isn’t an ideological position, it’s a pragmatic one.  I think our ideology 
is in agreement, in so far as I can tell from what you’ve written.

> I wonder: what is this process that will make my life easier?

If we succeed in achieving a norm, the diplomatic costs of violation of the 
norm will place a disincentive on violators, and yield a relative reduction in 
the number of national cyber-attacks we all have to cope with.  Leaving us with 
more time for our lives and work.  For some of us, the amount of time invested, 
particularly if it can be just a few minutes filling out a survey, can be 
relatively quickly recouped in the event of even a modest success.


Attachment: signature.asc
Description: Message signed with OpenPGP

swinog mailing list

Antwort per Email an