
Matthias Schulze, The State of Cyber Arms Control. An International Vulnerabilities Equities Process as the Way to go Forward? in:

S&F Sicherheit und Frieden, page 17 - 21

S+F, Volume 38 (2020), Issue 1, ISSN: 0175-274X, ISSN online: 0175-274x, https://doi.org/10.5771/0175-274X-2020-1-17

The State of Cyber Arms Control. An International Vulnerabilities Equities Process as the Way to go Forward?*

Matthias Schulze

Abstract: Although the threat of cyber conflict is rising at the moment, not much ground has been gained with cyber arms control regimes. The article analyses proposals for cyber arms control, modelled after traditional arms control regimes. It finds that challenges of the digital domain, issues of regime verification and the lack of political will are big inhibitors in transferring these to the cyber domain. To overcome these inhibitors, cyber experts proposed a new type of regime focusing on zero-day vulnerabilities. Since nobody so far has explained what a so-called International Vulnerabilities Equities Process (IVEP) could look like, the article picks up the task and presents two models with their advantages and shortcomings. The article concludes that the IVEP proposal holds some promise, but due to many open questions, it is currently not feasible as a policy option.

Keywords: International Vulnerability Equities Process, arms control, cyber security, zero-day vulnerability

Schlagwörter (German keywords): International Vulnerability Equities Process, arms control, cyber security, security vulnerabilities

* This article has been double-blind peer reviewed. The author is grateful for the constructive feedback by the anonymous reviewers.

1. Introduction

Since the late 1990s, there have been multiple efforts to restrict collateral damage from cyber attacks. One approach is adopting international law and the law of armed conflict for the cyber domain (UN Governmental Group of Experts and Tallinn Manual Process). Closely connected are initiatives to establish informal, non-binding norms of appropriate state behavior in cyber space (Henriksen, 2019). Another approach focuses on establishing trust and Confidence Building Measures (Pawlak, 2016). There are industry initiatives such as the Microsoft Digital Geneva Convention and first bilateral cyber treaties. No substantial ground has been gained in terms of cyber arms control regimes. There is certainly demand for such a regime: quantitatively and qualitatively, the collateral damage of cyber attacks is rising, cyber crime is causing annual damage of billions of dollars, and cyber espionage, intellectual property theft and cyber-enabled influence operations have become a nuisance in international affairs (Nye, 2015). A full-fledged international cyber regime or treaty defining binding rules of behavior is nowhere in sight.

The scope of the article is to give an overview of current debates about cyber arms control regimes. The research question of the first section is: what factors inhibit the transfer of traditional arms control models to the cyber domain? Three inhibitors are identified: an unclear object of regulation, lacking means of verification, and lacking political will. Because of these inhibitors, cyber experts proposed to refocus arms control not on cyber weapons, but on their ammunition – zero-day vulnerabilities in hardware and software (Mallory 2019). Experts proposed an International Vulnerabilities Equities Process (IVEP), modeled after national VEP processes. With these VEPs, governments decide whether to use zero-day vulnerabilities for their own cyber offense, or whether to disclose them to the software vendor, increasing cyber defense. However, to this date, there is no explanation of what an IVEP could actually look like. The article takes this very first step and tries to answer this question by proposing two different models. It then assesses some implementation challenges. It is the hope that the assessment serves as groundwork to trigger future analysis and debate, thus moving the abstract international discussion about a cyber regime forward.

2. Challenges to Cyber Arms Control Regimes: Literature Review

Arms control regimes historically have multiple goals, such as to ban or reduce certain types of weapons (disarmament) or military behavior (like testing, use or deployment) to prevent conflict and to limit the acceleration and the cost of arms races (Reinhold & Reuter, 2019, p. 209). They also aim to reduce uncertainty, mistrust and security dilemmas between states. Scholars proposed to use traditional arms control regimes as a blueprint model for cyber arms control. Models discussed include the nuclear arms control regime (Borghard & Lonergan, 2018), which is generally regarded as impractical because, unlike nuclear arsenals, cheap and easy to conceal malware stockpiles cannot be effectively measured (Nye, 2015). Others propose to utilize the Comprehensive Test Ban Treaty (CTBT), which restricts the testing of nuclear explosions. The CTBT features a joint monitoring system which allows measuring compliance, even for smaller states with little measuring capability. Eilstrup-Sangiovanni argues that this might help to overcome the attribution problem, i.e. the difficulty of identifying the originator of a cyber attack, often due to unequal cyber forensic capabilities of states (Eilstrup-Sangiovanni, 2018). A joint monitoring system refers to a proposal of an international attribution agency that would analyze cyber incidents and would try to collectively “name and blame” culprits (Davis, 2017). Others propose to use the Geneva Protocol (Dumbacher, 2018) or the later Biological and Toxin Weapons Convention (BWC) that ban the use of chemical and biological weapons (Fidler, 2015; Reinhold & Reuter, 2019). These regimes face issues comparable to those of the cyber domain, i.e. the dual-use nature, easy proliferation and issues of attribution, verification and compliance. Geers argues that the Chemical Weapons Convention (CWC) of 1997 features strong verification measures, but that these cannot be easily transferred to the cyber domain (Geers 2010). Reuter and Reinhold come to similar conclusions with the BWC (Reinhold & Reuter, 2019, pp. 212–213). This reason and the fact that the chemical industry torpedoed the ratification in the USA explain why the Geneva Protocol failed (Dumbacher, 2018). Private sector participation in cyber arms control seems necessary since an estimated 95% of the digital infrastructure is run by corporations and not states.

By analyzing these studies, one can deduce at least three inhibiting factors that explain why transferring traditional arms control to the cyber domain is difficult.

The first inhibiting factor is that it remains unclear what exactly the object of regulation in any type of cyber arms control regime would be. Arms control traditionally focuses on restricting certain objects, like poison gas, or on restricting behavior, like nuclear testing (Arimatsue, 2010). There is no consensus on whether digital software qualifies as an object or even a weapon (Tikk, 2017). More so, states hold different perceptions about the permissiveness of behavior like economic vs. political cyber espionage or cyber crime. Many famous cyber intrusions are not based on technical, but rather on social manipulation. When focusing on objects like malware, more issues arise because “malicious code is notoriously difficult to define” (Geers, 2010, p. 559). The code is changeable, and its characteristics may look different after an update. It is also modular, meaning that individually harmless or legitimate components can be bundled together to create emergent effects. For example, encryption normally enhances cyber security unless it is “weaponized” in the form of ransomware. Code is dual-use. Tools used for cyber offense are often necessary for cyber defense as well. Additionally, a clear-cut distinction between military, criminal and civil code is hard to achieve. Some “living off the land” cyber attacks rely entirely on pre-installed software like the Windows PowerShell. Banning or regulating software designed for cyber offense might impede cyber defense, like vulnerability research and ethical hacking (Dumbacher, 2018, p. 208). Malware with kinetic effects like Stuxnet can, under some circumstances, be considered a cyber weapon (Rid, 2018, pp. 73–75). However, unlike a warhead with a predetermined destructive capacity, the potential effect of malware depends on the configuration of the target. Malware can hardly kill humans directly unless the targeted IT system has capabilities to inflict physical harm. These conceptual difficulties imply that arms control mechanisms that focus on fixed characteristics of an object “fall short in the digital age” (Dumbacher, 2018, p. 221).

The second inhibiting factor is verification (Tikk, 2017). To be effective, arms control regimes need to verify that regime members adhere to the agreed principles outlined in a treaty. Historically, this is done via on-site inspections, sensors, aerial imaging and data exchange (Reinhold & Reuter, 2019). However, there is no easy way of measuring the relative strength of malware arsenals and cyber power. A small group of highly skilled hackers might be able to inflict more damage than a large, but medium-skilled cyber battalion. Asymmetries in cyber power and the differing capabilities of states in detecting and defending against attacks are also an inhibitor for verification, because lesser cyber powers cannot hold more potent states accountable. The attribution problem and high levels of secrecy surrounding cyber espionage activities further complicate things (Borghard & Lonergan, 2017, p. 465). Everyone with sufficient knowledge can write malware on any computer around the world (Geers, 2010, p. 550). Malware is cheap and is being sold on a thriving black market (Ablon, Libicki, & Golay, 2014). Additionally, there is a gray market where the traditional arms industry develops and sells malware to the highest bidder (Burgers & Robinson, 2018). Malware is easy to conceal, highly intangible, can be easily copied and cannot be destroyed. Because of these properties, proliferation is easy and permanent dismantling of software unfeasible. For states to agree to a cyber regime, the cost and benefit calculus of verification systems must hold up (Eilstrup-Sangiovanni, 2018, p. 391). A cyber verification regime might come with unacceptable costs, since it would technically imply a global surveillance infrastructure that monitors what is happening on every single digital device on the planet. Global surveillance programs (Ruhrmann, 2015, p. 572) that do deep packet inspection of data flows at large Internet choke points could serve that function (Geers, 2010). Likewise, infrastructures for active cyber defense, i.e. observing adversary behavior and capability in his/her network, could serve a similar function (Schulze & Herpig, 2018). Active defense in foreign networks, even for verification or compliance monitoring, would be highly intrusive. It would run diametrically against the cyber security initiatives of states, which aim at keeping adversaries outside of their networks. The cost of compliance with such a verification system, thus, might be higher than the actual reduction of risk that follows from such a mechanism, especially for highly digitized economies (Ford, 2010).

The third inhibiting factor is the lack of political will. Many states regard cyber space as an offense-dominant environment (Eilstrup-Sangiovanni, 2018, p. 384). Therefore, states do not perceive it to be in their self-interest to restrict their offensive cyber capabilities (Dumbacher, 2018). Historically, shock situations, like the Cuban Missile Crisis, sometimes lead to increased political will. It is unclear whether or not such a situation is likely to occur. “Cyber weapons” are simply not dangerous enough, at least compared to nuclear weapons (Burgers & Robinson, 2018). Even if political momentum for regulation arises, it is unlikely that states will restrict their cyber espionage activities. States historically lack the will to restrict peacetime espionage, which is why it is neither explicitly condoned nor condemned in international law (Radsan, 2007). Cyber attacks and cyber espionage share many characteristics and cannot be meaningfully separated from one another (Lindsay, 2013, p. 370). The intrusion chain of the two is nearly identical and only the effect of the payload differs. Because of the modular nature of malware, an espionage operation can turn into a destructive payload with just a click of a button (Buchanan, 2017, pp. 84–85). This has implications for verification. If cyber espionage and destructive cyber attacks cannot be technically separated from one another, any regime trying to restrict one type of behavior should logically restrict the other as well – or it would include major blind spots. Most states will not give up their cyber espionage capacity because it increases their strategic posture by generating intelligence. Research shows that unless arms control regimes and the overall strategic posture go hand in hand, they are no feasible policy option (Eilstrup-Sangiovanni, 2018, p. 381).

3. Is an International Vulnerability Equities Process the Way Forward?

To overcome these inhibitors, scholars suggested focusing arms control not on cyber weapons but rather on their ammunition – software vulnerabilities (Fidler 2015). Zero-day vulnerabilities are errors in software or hardware code that the vendor is not aware of and that, at the time of discovery by researchers, are not fixed by a patch. Zero-day attacks utilizing such a vulnerability, in principle, allow undetectable intrusions and are typically used for high-profile sabotage and cyber espionage operations. If a software vendor fixes a zero-day vulnerability with a patch, it becomes an N-day vulnerability that is publicly known. N-day cyber attacks only work against unpatched systems. Zero-days are interesting for an arms control approach because they may overcome one central inhibitor, which is the lack of political will. Currently, we are witnessing the trend that states start to restrict their zero-day use. The USA, the United Kingdom, Australia, Canada, and China have published so-called Vulnerability Equities Processes (VEPs), while other countries like Germany are working on one (Herpig & Schwartz, 2019). VEPs are national, administrative processes that gauge the offensive and defensive value of zero-day vulnerabilities for cyber offense and defense. For that purpose, an inter-agency review board including both cyber offense (intelligence agencies, military) and cyber defense actors is created. The board tries to answer whether a government-obtained zero-day vulnerability is kept secret and utilized for cyber offensive purposes, or whether the knowledge of this vulnerability is disclosed to the software vendor, thus increasing cyber defense. If a vulnerability is disclosed, the respective software vendor ideally patches the vulnerability, and thus provides immunization against any further attacks. The idea behind a VEP is to restrict certain types of offensive cyber capability that represent a high risk for a state, while permitting the use of zero-days that entail little risk (Healey, 2016). Vulnerabilities in the core Internet protocols would entail global and collective risks, while others, such as software in country-specific military equipment, only entail localized risks.

Since states started to restrict zero-days for their own cyber offense, this momentum could be used to expand into an International Vulnerabilities Equities Process (IVEP) (Mallory, 2018; Fidler, 2014). There have been very abstract and general calls for an IVEP from policy experts, but to date no one has really presented a format of what a specific IVEP could look like (United Nations Institute for Disarmament Research, 2018). Since there is no systematic, prior research on the subject, the author takes the first step and presents two different models in an attempt at original research (Figure 1). These models were deduced from the institutional design of the national VEP in the US (Healey 2016, p. 4). Comparative research on VEPs indicates some best practices for VEP design. In most national VEPs, a vulnerability-researching entity discloses a discovered zero-day vulnerability to some sort of review board, which then decides, based on agreed indicators, how to proceed, either disclosing or retaining a vulnerability (Herpig, 2018, p. 17). From this it follows logically that an international VEP requires an international body, which potentially consists of member states that are involved in the equities deliberation at some stage. Therefore, national and international equity boards need to be aligned to create an IVEP. If one takes this as a foundation, there are only two logical ways to implement this: either having an International Vulnerability Review Board (IVRB) as the first stage of a vulnerability review process, and the national VEP as the second stage, or vice versa.

[Figure 1. IVEP Models]

In the first model, an international vulnerability review board would serve as the first stage in the process. In other words, the IVRB decision to retain or disclose vulnerabilities would be upstream of any national VEP decision. In this model, researchers or other governments would disclose the zero-day vulnerabilities they found to the IVRB. That board would then decide, akin to the national VEPs, whether to disclose this vulnerability to the vendor for patching, or whether knowledge of this vulnerability is retained. The internal governance structure of the IVRB, i.e. questions of external expert participation or voting modalities, can follow best practices from national VEPs (Herpig 2018). If the IVRB decides to retain the knowledge of a reported vulnerability, it would then, in a second stage, share this knowledge with the member states of the IVRB. This would give them exclusive access to a zero-day vulnerability. Member states could exploit this knowledge for their own cyber attacks, giving them a temporal offensive edge. Alternatively, they could immunize their systems or upgrade their intrusion detection systems based on this knowledge. This would provide them with a head start against future attacks that might exploit this vulnerability while it remains unpatched. Due to this mechanism, less potent cyber states might have access to more zero-days to use, and it would provide all members with better situational awareness of the zero-days in circulation. This type of defensive sharing could be modeled after already existing threat sharing programs in cyber security, for example the Zero Day Initiative. Threat indicators to detect certain types of attacks are often shared in exclusive circles with limited access (Traffic Light Protocol). This fact makes the club model politically feasible, because some of the required infrastructure already exists. Fidler argues that this would only work in high-trust environments of like-minded states like NATO (Fidler, 2014, p. 162). Membership in the IVRB would thus be exclusive, which is why I call this the club model. In a club model, governance issues such as membership, meeting schedules and voting modalities can probably be agreed on more easily. This model could also include further rules, for example that members would not attack each other with the shared zero-days. Withholding access to this exclusive vulnerability sharing model could serve as a sanction instrument.

There are downsides to the club model. First, there is potential for spoilers. If the IVRB decides to retain a vulnerability for exclusive club sharing, a spoiler state could disclose this vulnerability to the vendor anonymously with plausible deniability. This would counteract the IVEP’s decision. Another downside is that it adds another layer of complexity to the already existing vulnerability disclosure infrastructure. It would always be more efficient for researchers to disclose vulnerabilities to vendors directly instead of going through an additional layer of international bureaucracy. Ethical hackers would certainly not contribute to any regime that favors cyber offense over defense. Spoiler states could also feed bogus or non-critical zero-day information into the process to slow it down. Another unresolved issue is how to verify compliance in such a regime.

In the second model, the IVRB would be set up downstream of any national VEP. Therefore, the IVRB would collect information about the disclosing behavior towards software vendors of the national VEP review boards within the member states. Any member with a national VEP would have the obligation to share with the IVRB all the vulnerabilities its national review board decided to disclose to vendors. If a national VEP retains a zero-day vulnerability, it would not be shared and could be used for national offense. The IVRB would then draft reports about the disclosing behavior of member states, collecting general statistics as well as some characteristics of disclosed vulnerabilities. The reporting of national VEPs to the IVRB, of course, must be standardized. It could be modeled after declaration policies in other regimes, such as the Chemical Weapons Convention. In the CWC, for example, states must declare national chemical production facilities and output quantities. Similarly, states in an IVEP regime could declare quantities of vendor-disclosed zero-days to the IVRB. This information can help member states to determine the quality and quantity of disclosed vulnerabilities, thus giving some insight into the relative strength and cyber power of others. Even the information about disclosed vulnerabilities can tell an adversary a lot about the intended targets, capacity, and skill of a cyber offense actor (Aitel & Tait, 2016). For an international regime, this “meta data” on vulnerabilities could create shared situational awareness and serve as a confidence building measure. By sharing only meta data about disclosed vulnerabilities, national operational capacity for cyber offense would not be harmed, because highly potent zero-day exploits would not be shared with the IVRB anyway. This fact allows membership to be more inclusive, integrating even antagonists in the IVRB structure.

This idea also has its disadvantages. The problem of complexity remains the same. Since the second model excludes the most potent zero-days, which would not be reported to the IVRB, it reduces harmful zero-day operations only by a fraction. This also reduces the value of participation in this structure compared to the club model. Reports about disclosed vulnerabilities are operationally less valuable compared to the sharing of potent zero-day information among club members. This would also reduce the sanctioning power of such a regime, because withholding these reports from non-compliant states would imply tolerable costs. The general problem of verification remains the same as in the club model. Then there is the issue of free riding: one state disclosing a lot while others disclose nothing or little of value. The incentive structure of this proposal is still a problem. More so, by focusing on governments alone, the private sector is mostly excluded from this dynamic.

4. Discussion

How does an IVEP regime score against the previously identified inhibitors of adopting traditional arms control regimes to the cyber domain? First, a regime focusing on zero-days has the advantage that the object of regulation is straightforward. The definition of zero-days is not really contested. Second, a regime prohibiting the use of zero-day attacks could overcome the challenge of lacking political will and self-interest. Many states agree that zero-days are highly problematic, and many initiatives for cyber norms and confidence building measures also focus on them (Pawlak, 2016). Restricting only zero-days while allowing the use of N-days and phishing would still leave states with enough room to maneuver for limited offensive operations. Not giving up all, but only the most dangerous cyber attack capability might serve the interest of states. Third, an arms control regime focusing on zero-days could partly facilitate the involvement of the private sector. Software companies are the primary emitters of zero-day vulnerabilities, but they are also the main actors responsible for patching. There already exists a worldwide ecosystem and infrastructure for coordinated vulnerability disclosure to vendors, such as bug bounties (Schulze, 2019). Building on this existing structure could reduce opportunity costs in setting up a regime. Fourth, an IVEP regime could help to mediate asymmetries in cyber power and the different capabilities of states. By sharing offensive information, the playing field could be leveled, at least for members in the club model. The report model would only enhance situational awareness and knowledge about attack capabilities a bit.

Like the other proposed cyber regimes, an IVEP falls short in terms of reliable and unobtrusive verification, as well as attribution and enforcement of sanctions for non-compliant behavior. Since zero-day attacks are by nature not detectable if one does not possess the knowledge about the attack vector, the attribution problem remains (Rid & Buchanan, 2014). The proposals also do not really address the aspect of espionage and the dual-use nature of zero-day capabilities. Lastly, they imply a large bureaucratic overhead while addressing only a tiny portion of cyber attacks.

5. Conclusion

The article presented the first step in the conception of an IVEP regime that has been called for by cyber experts. It presented two models of what such a regime could look like. The IVEP proposal holds some promise, but due to many open questions, it is currently not feasible as a policy option. There remain several issues. First, future research should investigate alternative models for an IVEP. Could there be a model that fares better than the two presented? Maybe disclosing vulnerabilities to a centralized international body is the wrong way? Second, more research needs to be done on the incentive structures of the two presented models. How do we overcome the issue of spoilers not sharing vulnerability information with an IVRB? Does it make sense to adopt monetary mechanisms like bug bounty or reward programs for an IVEP regime? Where would the IVRB get its funding from? Third, one could think about expanding the mandate of an IVRB, for example by adding a capacity building function: potent cyber powers could help less developed states with the mitigation of reported zero-days. That could be an option for the club model, but maybe not necessarily for the report model. This could be an incentive for smaller states to participate. Fourth, an alternative could be to rethink an IVEP not as a full-fledged regime but as a confidence building measure. The findings presented here are only a first step to move the abstract international discussion about IVEPs forward. Future research must show whether a vulnerability regime is indeed the way forward to enhance peace and security in the cyber domain.

6. Bibliography

Ablon, L., Libicki, M. C., & Golay, A. A. (2014). Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar. RAND.
Aitel, D. & Tait, M. (2016). Everything You Know About the Vulnerability Equities Process Is Wrong. Lawfare: https://www.lawfareblog.com/everything-you-know-about-vulnerability-equities-process-wrong.
Arimatsue, L. (2010). A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations. In C. Czosseck & K. Ziolkowski (Eds.), 4th International Conference on Cyber Conflict. Tallinn.
Borghard, E. D., & Lonergan, S. W. (2017). The Logic of Coercion in Cyberspace. Security Studies, 26(3), 452–481.
Borghard, E. D. & Lonergan, S. W. (2018). Why Are There No Cyber Arms Control Agreements? Council on Foreign Relations: https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
Buchanan, B. (2017). The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations (Vol. 1). Oxford University Press.
Burgers, T., & Robinson, D. R. S. (2018). Keep Dreaming: Cyber Arms Control is Not a Viable Policy Option. Sicherheit & Frieden, 36(3), 140–145.
Davis, J. S. (2017). Stateless attribution: Toward international accountability in cyberspace. Research report RR-2081-MS. Santa Monica, Calif.: RAND Corporation.
Dumbacher, E. D. (2018). Limiting cyberwarfare: Applying arms control models to an emerging technology. The Nonproliferation Review, 25(3–4), 203–222.
Eilstrup-Sangiovanni, M. (2018). Why the World Needs an International Cyberwar Convention. Philosophy & Technology, 31(3), 379–407.
Fidler, M. (2014). Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities.
Fidler, M. (2015). Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis. Journal of Law and Policy for the Information Society, 11(2). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2706199.
Ford, C. (2010). The Trouble with Cyber Arms Control. The New Atlantis, Fall. https://www.thenewatlantis.com/docLib/20110301_TNA29Ford.pdf
Geers, K. (2010). Cyber Weapons Convention. Computer Law & Security Review, 26(5), 547–551.
Healey, J. (2016). The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers. https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process.
Henriksen, A. (2019). The end of the road for the UN GGE process: The future regulation of cyberspace. Journal of Cybersecurity, 5(1), 425.
Herpig, S. (2018). Governmental Vulnerability Assessment and Management: Weighing Temporary Retention versus Immediate Disclosure of 0-Day Vulnerabilities. Berlin: Stiftung Neue Verantwortung. https://www.stiftung-nv.de/sites/default/files/vulnerability_management.pdf.
Herpig, S. & Schwartz, A. (2019). The Future of Vulnerabilities Equities Processes Around the World. Lawfare: https://www.lawfareblog.com/future-vulnerabilities-equities-processes-around-world.
Lindsay, J. R. (2013). Stuxnet and the Limits of Cyber Warfare. Security Studies, 22(3), 365–404.
Mallory, J. C. (2018). Cyber arms control: risk reduction under linked regional insecurity dilemmas. Institute for International and Security Studies: https://www.iiss.org/events/2018/09/cyber-arms-control.
Nye, J. (2015). The World Needs an Arms-control Treaty for Cybersecurity. Belfer Center for Science and International Affairs: https://www.belfercenter.org/publication/world-needs-arms-control-treaty-cybersecurity.
Pawlak, P. (2016). Confidence-Building Measures in Cyberspace: Current Debates and Trends. In A. M. Osula & H. Roigas (Eds.), International Cyber Norms: Legal, Policy & Industry Perspectives. Tallinn.
Radsan, A. J. (2007). The Unresolved Equation of Espionage and International Law. Michigan Journal of International Law, 28(3).
Reinhold, T., & Reuter, C. (2019). Arms Control and its Applicability to Cyberspace. In C. Reuter (Ed.), Information Technology for Peace and Security (pp. 207–231). Wiesbaden: Springer Fachmedien Wiesbaden.
Rid, T. (2018). Mythos Cyberwar: Über digitale Spionage, Sabotage und andere Gefahren. Hamburg: Edition Körber.
Rid, T., & Buchanan, B. (2014). Attributing Cyber Attacks. Journal of Strategic Studies, 38(1–2), 4–37.
Ruhrmann, I. (2015). Neue Ansätze für die Rüstungskontrolle bei Cyber-Konflikten. In D. Cunningham, P. Hofstedt, K. Meer & I. Schmitt (Eds.), Informatik 2015. Lecture Notes in Informatics. Bonn: Gesellschaft für Informatik.
Schulze, M. (2019). Governance von 0-Day-Schwachstellen in der deutschen Cyber-Sicherheitspolitik. Stiftung Wissenschaft und Politik. https://www.swp-berlin.org/10.18449/2019S10/.
Schulze, M. & Herpig, S. (2018). Germany Develops Offensive Cyber Capabilities Without A Coherent Strategy of What to Do With Them. Council on Foreign Relations: https://www.cfr.org/blog/germany-develops-offensive-cyber-capabilities-without-coherent-strategy-what-do-them.
Tikk, E. (2017). Cyber Arms Control without arms? In T. Koivula & K. Simonen (Eds.), National Defence University Series 1, Research publications No. 16: Arms control in Europe. Regimes, trends and threats. Helsinki: National Defence University.
United Nations Institute for Disarmament Research (2018). Preventing and Mitigating ICT-Related Conflict. Cyber Stability Conference. United Nations Institute for Disarmament Research.

Matthias Schulze is a researcher at the security division of the German Institute for International and Security Affairs (SWP). His research focuses on the strategic use of cyber capabilities in international relations, cyber conflicts, cyber espionage and information operations. He hosts the percepticon.de podcast.

Abstract

Although the threat of cyber-conflict is rising at the moment, not much ground has been gained with cyber arms control regimes. The article analyses proposals for cyber arms control, modelled after traditional arms control regimes. It finds that challenges of the digital domain, issues of regime verification and the lack of political will are big inhibitors in transferring these to the cyber-domain. To overcome these inhibitors, cyber experts proposed a new type of regime focusing on Zero-day vulnerabilities. Since nobody so far has explained how a so-called International Vulnerabilities Equities Process (IVEP) could look, the article picks up the task and presents two models with their advantages and shortcomings. The article concludes that the IVEP proposal holds some promise, but due to many open questions, it is currently not feasible as a policy option.

References
Ablon, L., Libicki, M. C., & Golay, A. A. (2014). Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar. RAND.
Aitel, D. & Tait, M. (2016). Everything You Know About the Vulnerability Equities Process Is Wrong, from Lawfare: https://www.lawfareblog.com/everything-you-know-about-vulnerability-equities-process-wrong.
Arimatsue, L. (2010). A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations. In C. Czosseck & K. Ziolkowski (Eds.), 4th International Conference on Cyber Conflict. Tallinn.
Borghard, E. D., & Lonergan, S. W. (2017). The Logic of Coercion in Cyberspace. Security Studies, 26(3), 452–481.
Borghard, E. D. & Lonergan, S. W. (2018). Why Are There No Cyber Arms Control Agreements? from Council on Foreign Relations: https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
Buchanan, B. (2017). The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations (Vol. 1): Oxford University Press.
Burgers, T., & Robinson, D. R. S. (2018). Keep Dreaming: Cyber Arms Control is Not a Viable Policy Option. Sicherheit & Frieden, 36(3), 140–145.
Davis, J. S. (2017). Stateless attribution: Toward international accountability in cyberspace. Research report: RR-2081-MS. Santa Monica, Calif.: RAND Corporation.
Dumbacher, E. D. (2018). Limiting cyberwarfare: Applying arms-control models to an emerging technology. The Nonproliferation Review, 25(3-4), 203–222.
Eilstrup-Sangiovanni, M. (2018). Why the World Needs an International Cyberwar Convention. Philosophy & Technology, 31(3), 379–407.
Fidler, M. (2014). Anarchy or Regulation: Controlling the Global Trade in Zero-Day Vulnerabilities.
Fidler, M. (2015). Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis. Journal of Law and Policy for the Information Society, 11(2), from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2706199.
Ford, C. (2010). The Trouble with Cyber Arms Control. The New Atlantis, Fall, from https://www.thenewatlantis.com/docLib/20110301_TNA29Ford.pdf
Geers, K. (2010). Cyber Weapons Convention. Computer Law & Security Review, 26(5), 547–551.
Healey, J. (2016). The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers, from https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process.
Henriksen, A. (2019). The end of the road for the UN GGE process: The future regulation of cyberspace. Journal of Cybersecurity, 5(1), 425.
Herpig, S. (2018). Governmental Vulnerability Assessment and Management: Weighing Temporary Retention versus Immediate Disclosure of 0-Day Vulnerabilities. Berlin: Stiftung Neue Verantwortung, from https://www.stiftung-nv.de/sites/default/files/vulnerability_management.pdf.
Herpig, S. & Schwartz, A. (2019). The Future of Vulnerabilities Equities Processes Around the World, from Lawfare: https://www.lawfareblog.com/future-vulnerabilities-equities-processes-around-world.
Lindsay, J. R. (2013). Stuxnet and the Limits of Cyber Warfare. Security Studies, 22(3), 365–404.
Mallory, J. C. (2018). Cyber arms control: risk reduction under linked regional insecurity dilemmas, from Institute for International and Security Studies: https://www.iiss.org/events/2018/09/cyber-arms-control.
Nye, J. (2015). The World Needs an Arms-control Treaty for Cybersecurity, from Belfer Center for Science and International Affairs: https://www.belfercenter.org/publication/world-needs-arms-control-treaty-cybersecurity.
Pawlak, P. (2016). Confidence-Building Measures in Cyberspace: Current Debates and Trends. In A.-M. Osula & H. Roigas (Eds.), International Cyber Norms. Legal, Policy & Industry Perspectives. Tallinn.
Radsan, A. J. (2007). The Unresolved Equation of Espionage and International Law. Michigan Journal of International Law, 28(3).
Reinhold, T., & Reuter, C. (2019). Arms Control and its Applicability to Cyberspace. In C. Reuter (Ed.), Information Technology for Peace and Security (pp. 207–231). Wiesbaden: Springer Fachmedien Wiesbaden.
Rid, T. (2018). Mythos Cyberwar: Über digitale Spionage Sabotage und andere Gefahren. Hamburg: Edition Körber.
Rid, T., & Buchanan, B. (2014). Attributing Cyber Attacks. Journal of Strategic Studies, 38(1-2), 4–37.
Ruhrmann, I. (2015). Neue Ansätze für die Rüstungskontrolle bei Cyber-Konflikten. In D. Cunningham, P. Hofstedt, K. Meer & I. Schmitt (Eds.), Informatik 2015. Lecture Notes in Informatics. Bonn: Gesellschaft für Informatik.
Schulze, M. (2019). Governance von 0-Day-Schwachstellen in der deutschen Cyber-Sicherheitspolitik. Stiftung Wissenschaft und Politik, from https://www.swp-berlin.org/10.18449/2019S10/.
Schulze, M. & Herpig, S. (2018). Germany Develops Offensive Cyber Capabilities Without A Coherent Strategy of What to Do With Them, from Council on Foreign Relations: https://www.cfr.org/blog/germany-develops-offensive-cyber-capabilities-without-coherent-strategy-what-do-them.
Tikk, E. (2017). Cyber-Arms Control without arms? In T. Koivula & K. Simonen (Eds.), National Defence University Series 1, Research publications: No. 16. Arms control in Europe. Regimes, trends and threats. Helsinki: National Defence University.
United Nations Institute for Disarmament Research (2018). Preventing and Mitigating ICT-Related Conflict. Cyber Stability Conference: United Nations Institute for Disarmament Research.
Sharing of Cyber Threat Intelligence between States
Philipp Kuehn, Thea Riebe, Lynn Apelt, Max Jansen, Christian Reuter
Abstract:
Threats in cyberspace have increased in recent years due to the growth of offensive capabilities by states. Approaches to mitigate the security dilemma in cyberspace within the UN are deadlocked, as states have not been able to reach agreements. However, from the perspective of IT security, there are Cyber Threat Intelligence (CTI) platforms to share and analyze cyber threats for collective crisis management. To investigate whether CTI platforms can be used as a confidence-building measure between states and international organizations, we portray current CTI platforms, showcase political requirements, and answer the question of how CTI communication may contribute to confidence-building in international affairs. Our results suggest the need to further develop analytical capabilities, as well as to implement a broad social, political, and legal environment for international CTI sharing.
Keywords: Cyber Threat Intelligence, confidence-building measures, cyberspace, International System
Schlagwörter: Informationen zu Cyberbedrohungen, Maßnahmen der Vertrauensbildung, Cyberraum, internationales System
Bibliography
Altmann, Jürgen. (2019). Confidence and Security Building Measures for Cyber Forces. In Information Technology for Peace and Security (pp. 185–203). Wiesbaden: Springer Fachmedien Wiesbaden. https://doi.org/10.1007/978-3-658-25652-4_9
Altmann, Jürgen, & Siroli, Gian Piero. (2018). Confidence and Security Building Measures for the Cyber Realm. In A. Masys (Ed.), Handbook of Security Science. London: Routledge.
BA. (2019). Bearded Avenger. Retrieved June 19, 2019, from https://github.com/csirtgadgets/bearded-avenger
Badsha, Shahriar, Vakilinia, Iman, & Sengupta, Shamik. (2019). Privacy preserving cyber threat information sharing and learning for cyber defense. In 2019 IEEE 9th Annual Computing and Communication Workshop and Conference, CCWC 2019 (pp. 708–714). IEEE. https://doi.org/10.1109/CCWC.2019.8666477
Barnum, Sean. (2014). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, July, vol. 11, pp. 1–20. Retrieved from http://blackberry8520.b277.doihaveamobilestrategy.com/http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.0_(Draft).pdf
Bodeau, Deborah J., McCollum, Catherine D., & Fox, David B. (2018). Cyber Threat Modeling: Survey, Assessment, and Representative Framework. PR 18-1174. HSSEDI, The MITRE Corporation, iss. 18. Retrieved from https://www.mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threat-modeling.pdf
Bourgue, Romain, Budd, Joshua, Homola, Jachym, Wlasenko, Michal, & Kulawik, Dariusz. (2013). Detect, SHARE, Protect: Solutions for Improving Threat Data Exchange among CERTs. European Network and Information Security Agency (ENISA), iss. October, pp. 51. Retrieved from https://www.enisa.europa.eu/publications/detect-share-protect-solutions-for-improving-threat-data-exchange-among-certs
Buchanan, Ben. (2016). The Cybersecurity Dilemma. London: C. Hurst & Co.
Buchanan, Ben. (2017). The Cybersecurity Dilemma: Hacking, Trust, and Fear between Nations. London: C. Hurst & Co. https://doi.org/10.1093/acprof:oso/9780190665012.001.0001
CRITs. (2016). CRITs. Retrieved June 6, 2019, from https://crits.github.io
Dandurand, Luc, & Serrano, Oscar. (2013). Towards improved cyber security information sharing. In International Conference on Cyber Conflict, CYCON (pp. 1–16).
Davis, John S. II, Boudreaux, Benjamin, Welburn, Jonathan William, Ogletree, Cordaye, McGovern, Geoffrey, & Chase, Michael S. (2017). Stateless Attribution: Toward International Accountability in Cyberspace.
Dickow, Marcel, Hansel, Mischa, & Mutschler, Max M. (2015). Präventive Rüstungskontrolle – Möglichkeiten und Grenzen mit Blick auf die Digitalisierung und Automatisierung des Krieges. Sicherheit & Frieden, vol. 33, iss. 2, pp. 67–73. https://doi.org/10.5771/0175-274x-2015-2-67
Dulaunoy, Alexandre, Iklody, Andras, Dereszowski, Andrzej, Studer, Christian, Vandeplas, Christophe, Andre, David, … Clement, Steve. (2019). Malware Information Sharing Platform.
Dunn Cavelty, Myriam. (2014). Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities. Science and Engineering Ethics, vol. 20, iss. 3, pp. 701–715. https://doi.org/10.1007/s11948-014-9551-y
ENISA. (2015). Actionable Information for Security Incident Response. Retrieved from https://www.enisa.europa.eu/publications/actionable-information-for-security
ENISA. (2017). Information Sharing and Analysis Centres (ISACs) Cooperative models. https://doi.org/10.2824/549292
ENISA. (2019). Incident Handling Automation. Community Projects. Retrieved from https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation
EU. (2016). Directive (EU) 2016/1148. Official Journal of the European Union, vol. 6, iss. 1, pp. 30. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN
Falliere, Nicolas, Murchu, Liam O., & Chien, Eric. (2011). W32.Stuxnet Dossier. Symantec Security Response, vol. 14, iss. February, pp. 1–69. Retrieved from http://large.stanford.edu/courses/2011/ph241/grayson2/docs/w32_stuxnet_dossier.pdf
Hoepman, Jaap Henk, & Jacobs, Bart. (2007). Increased security through open source. Communications of the ACM, vol. 50, iss. 1, pp. 79–83. https://doi.org/10.1145/1188913.1188921
Howard, John D., & Longstaff, Thomas A. (1998). A common language for computer security incidents. Sandia National Laboratories. https://doi.org/10.2172/751004
IntelMQ. (2019). IntelMQ – Data Harmonization. Retrieved June 26, 2019, from https://github.com/certtools/intelmq/blob/develop/docs/Data-Harmonization.md
Johnson, Christopher S., Badger, Mark Lee, Waltermire, David A., Snyder, Julie, & Skorupka, Clem. (2016). Guide to Cyber Threat Information Sharing. Special Publication – Council for Agricultural Science and Technology. Gaithersburg, MD. https://doi.org/10.6028/nist.sp.800-150
Kaiafas, Georgios (European Commission). (2017). Horizon 2020. Threat Intelligence Sharing: State of the Art and Requirements. Retrieved from https://protective-h2020.eu/wp-content/uploads/2017/07/PROTECTIVE-D5.1-E-0517-Threat-Intelligence-Sharing.pdf
Kaufhold, Marc-André, Rupp, Nicola, Reuter, Christian, & Habdank, Matthias. (2019). Mitigating Information Overload in Social Media during Conflicts and Crises: Design and Evaluation of a Cross-Platform Alerting System. Behaviour & Information Technology (BIT).
Liptak, Andrew. (2019, May 25). Hackers reportedly used a tool developed by the NSA to attack Baltimore’s computer systems. The Verge. Retrieved from https://www.theverge.com/2019/5/25/18639859/baltimore-city-computer-systems-cyberattack-nsa-eternalblue-wannacry-notpetya-cybersecurity
McQuade, Mike. (2018). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired, pp. 1–6. Retrieved from https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Meyer, Berthold, von Bredow, Wilfried, & Evers, Frank. (2015). 40 Jahre Schlussakte von Helsinki, 25 Jahre Pariser Charta: Rückblick und Ausblick auf die OSZE. Sicherheit & Frieden, vol. 33, iss. 2, pp. 106–111. https://doi.org/10.5771/0175-274x-2015-2-106
MISP. (2018). MISP – User Guide, A Threat Sharing Platform. MISP Community. https://www.circle.lu/doc/misp/
Mitre Corporation. (2015). Collaborative Research Into Threats. MITRE Corporation. Retrieved from https://crits.github.io/.
Mohaisen, Aziz, Al-Ibrahim, Omar, Kamhoua, Charles, Kwiat, Kevin, & Njilla, Laurent. (2017). Rethinking information sharing for threat intelligence [Position Paper]. HotWeb 2017 – Proceedings of the 5th ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies, pp. 1–7. https://doi.org/10.1145/3132465.3132468
OSCE. (2013). Initial set of OSCE confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies. DEC/1202, vol. 10, iss. December, pp. 4. Retrieved from http://www.osce.org/pc/109168?download=true
Páhi, Tímea, Leitner, Maria, & Skopik, Florian. (2017). Analysis and Assessment of Situational Awareness Models for National Cyber Security Centers. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy (Vol. 2017, pp. 334–345). SCITEPRESS – Science and Technology Publications. https://doi.org/10.5220/0006149703340345
Pawlak, Patryk. (2016). Confidence-Building Measures in Cyberspace: Current Debates and Trends. International Cyber Norms: Legal, Policy & Industry Perspectives, vol. 20, iss. April 2015, pp. 129–153.
Perlroth, N., & Sanger, D. E. (2019). U.S. Escalates Online Attacks on Russia’s Power Grid. The New York Times. The New York Times Company. Retrieved from https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html
Reinhold, Thomas, & Reuter, Christian. (2019). Arms Control and its Applicability to Cyber Space. In C. Reuter (Ed.), Information Technology for Peace and Security (pp. 207–233). Wiesbaden: Springer.
Reuter, Christian. (2019). Information Technology for Peace and Security – IT-Applications and Infrastructures in Conflicts, Crises, War, and Peace. (C. Reuter, Ed.). Wiesbaden. Retrieved from https://doi.org/10.1007/978-3-658-25652-4
Reuter, Christian. (2020). Towards IT Peace Research: Challenges on the Interception of Peace and Conflict Research and Computer Science. S+F Sicherheit Und Frieden / Peace and Security, vol. 38, iss. 1, pp. 1–15.
Sauerwein, Clemens, Sillaber, Christian, Mussmann, Andrea, & Breu, Ruth. (2017). Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives. In Proceedings of the 13th International Conference on Wirtschaftsinformatik (WI 2017) (pp. 837–851).
Serrano, Oscar, Dandurand, Luc, & Brown, Sarah. (2014). On the Design of a Cyber Security Data Sharing System. In Proceedings of the 2014 ACM Workshop on Information Sharing & Collaborative Security – WISCS ’14 (Vol. 2014-Novem, pp. 61–69). New York, New York, USA: ACM Press. https://doi.org/10.1145/2663876.2663882
Skopik, Florian, Páhi, Tímea, & Leitner, Maria (Eds.). (2018). Cyber Situational Awareness in Public-Private-Partnerships. Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-662-56084-6
Skopik, Florian, Settanni, Giuseppe, & Fiedler, Roman. (2016). A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers and Security, vol. 60, pp. 154–176. https://doi.org/10.1016/j.cose.2016.04.003
Strobel, Warren. (2015, February 10). U.S. creates new agency to lead cyberthreat tracking – Reuters. Reuters. Retrieved from https://www.reuters.com/article/us-cybersecurity-agency/u-s-creates-new-agency-to-lead-cyberthreat-tracking-idUSKBN0LE1EX20150210
Strom, Blake E., Applebaum, Andy, Miller, Doug P., Nickels, Kathryn C., Pennington, Adam G., & Thomas, Cody B. (2018). MITRE ATT&CK – Design and Philosophy. Technical Report, iss. July, pp. 37.
Symantec Corporation. (2019). Symantec Internet Security Threat Report. Network Security, iss. 24, pp. 61. Retrieved from https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf
Team CIRCL. (2017). MISP features and functionalities. Retrieved June 25, 2019, from https://www.misp-project.org/features.html
Ziolkowski, Katharina. (2013). Confidence Building Measures for Cyberspace–Legal Implications. NATO CCD COE Publication, pp. 1–88.

About the journal

S+F (Security and Peace) is the leading German journal for peace research and security policy. S+F aims to serve as a forum linking civil society and the armed forces in the areas of science and politics, comprising research analyses, insider reports and opinion pieces. Decisions on publication are made on the basis of the contribution made by a text to national and international discussions on peace and security issues, from scientific aspects of arms control to questions of nation-building in post-war societies. Every issue of S+F is focussed on a particular theme. In addition to contributions devoted to the central theme, texts addressing general aspects of peace and security research are also published. Contributors can choose whether to have the text evaluated by the editorial team or by way of an external evaluation process (double-blind peer review).

Articles of the journal S+F are entered in various national and international bibliographic databases. Among them are Online Contents OLC-SSG Politikwissenschaft und Friedensforschung (Political Science and Peace Research), PAIS (Public Affairs Information Service) International Database, Worldwide Political Science Abstracts and World Affairs Online (by the Fachinformationsverbund Internationale Beziehungen und Länderkunde FIV / The German Information Network International Relations and Area Studies) (see also www.ireon-portal.de).

Website: www.sicherheit-und-frieden.nomos.de

Summary

The journal sees itself as a discussion forum for recent research results and political developments in the field of peace and security policy. Through analyses, position statements, documents and information, controversial views and contentious topics are to be brought into an objective discussion.

Homepage: www.sicherheit-und-frieden.nomos.de