> On Nov 15, 2017, at 12:33, Mark Blackman <[email protected]
>> Are the sort of people who would consider attacking private-sector
>> infrastructure the sort of people who will pay any attention to any
>> form of globally managed legislation, policy or regulation? Maybe
>> you’re proposing this would be a mechanism for turning it into
>> state-level legislation, policy or regulation?

Bill gave what I think is a great "big picture" reply, below.

I would add a more micro-level anecdote.

Last year the UK passed the Investigatory Powers Act 2016, which amongst
other things created legal powers for the intelligence and security
agencies to hack into computer systems. On LINX's behalf, I lobbied for
an exemption or partial exemption for critical infrastructure.

In the end we won a compromise: although we did not get a clear
exemption on the face of the Act (my best-case outcome, but beyond what
I realistically expected to be able to achieve), we did manage to get it
written into the Code of Practice that

  "any application for an equipment interference warrant that relates
  to equipment associated with critical national infrastructure should
  contain a specific assessment of any risks to that equipment and the
  steps taken to appropriately minimise that risk".

That's a long way short of my best case scenario, but certainly better
than nothing. The Code of Practice is legally binding.

There are, however, a number of graduated steps between what we won and
my best-case outcome, that could have provided stronger protection. It's
a spectrum.

Had there been an international agreement or declaration, of the type
that Bill is negotiating, to which the UK was signed up, I would
certainly have used it when lobbying that point, and it might have made
it easier to obtain what we did and maybe - just possibly - we might
have got a bit further along the spectrum of protection than we actually
achieved.

Malcolm.

On 15/11/2017 12:51, Bill Woodcock wrote:
> Not exactly... a diplomatic norm is a commonly-accepted agreement as to
> expected behavior. It’s essentially a step short of a treaty.
>
> The problem here is that the US, Russia, and China all want to preserve
> their “right” to conduct offensive cyber operations against anyone they
> want, any time they want, without it rising to the level of a diplomatic
> incident. Pretty much everyone else (but most actively the Dutch,
> Singaporeans, and French) agree that this is unacceptable behavior. But
> until diplomats agree on a definition of what exactly is unacceptable,
> when it’s unacceptable, in what context it’s unacceptable, by whom it’s
> unacceptable, and against whom it’s unacceptable, there isn’t sufficient
> consensus to constitute a norm.
>
> Once there’s a norm that’s clear and understandable for governments to
> agree to, we can start picking up momentum. When a lot of governments
> agree to it, violating it will become more and more diplomatically
> costly for the few governments that do.
>
> This is the stick. There has to be an opportunity cost incurred by
> governments that attack private sector infrastructure.
>
> That’s what we’re working towards.
>
> -Bill
>
>
--
Malcolm Hutty | tel: +44 20 7645 3523
Head of Public Affairs | Read the LINX Public Affairs blog
London Internet Exchange | http://publicaffairs.linx.net/
London Internet Exchange Ltd
Monument Place, 24 Monument Street London EC3R 8AJ
Company Registered in England No. 3137929
Trinity Court, Trinity Street, Peterborough PE1 1DA