Yesterday two academics proposed creating an international organization modeled after the International Committee of the Red Cross (ICRC), that would “provide assistance and relief to vulnerable citizens and enterprises affected by serious cyberattacks.”
The authors of the article – Elaine Korzak, visiting assistant professor of cybersecurity at the Middlebury Institute of International Studies at Monterey and affiliate at the Center for International Security and Cooperation (CISAC), Stanford University, and Herb Lin, a senior research scholar for cyber policy and security at CISAC and Hank J. Holland fellow in cyber policy and security at the Hoover Institution, both at Stanford University – explained that the cyber-ICRC would act to mitigate cyber-related damages, rather than focus on preventing cyber events from happening.
“The ICRC accepts natural and man-made disasters as facts of life, and seeks to mitigate subsequent harm rather than prevent such events,” the authors wrote. “Similarly, a cyber-ICRC would seek to mitigate the effects of cyberattacks rather than prevent them.”
Korzak and Lin proposed that companies that have already signed onto the Tech Accord principles would form the backbone of the organization and would help fill an “important gap in an increasingly volatile geopolitical environment.”
The Tech Accord represents a public commitment among more than 40 global companies, including Microsoft, Facebook, Oracle, Cisco, Dell, and VMware, to protect and empower civilians online and to improve the security, stability, and resilience of cyberspace.
The authors explained that the Tech Accord was likely born out of a speech that Brad Smith, Microsoft's President and Chief Legal Officer, gave at the United Nations in 2017 in which he called for a “neutral digital Switzerland, to protect people around the world.” He also said the tech industry should “assist anyone who is injured anywhere [in cyberspace],” regardless of “allegiance or home nation.”
In keeping with the idea of a “neutral digital Switzerland,” Korzak and Lin explained that the cyber-ICRC would stay out of politically sensitive matters.
“Recovery and assistance in response to harm caused by cyberattacks or experienced during cyber incidents would form its core mission, and, in particular, cyber-ICRC personnel would not focus on politically sensitive matters such as attribution of the incident or collection of intelligence information on behalf of governments,” they wrote.
In this regard, the cyber-ICRC would play a different role from the International Red Cross, the authors said.
“The ICRC does talk to national governments privately when it uncovers evidence of unlawful conduct of representatives or agents of those governments,” Korzak and Lin wrote. “But a cyber-ICRC investigating a cyber incident in Nation A would not be authorized to conduct an investigation in Nation B, even if it was believed that Nation B was responsible for the incident. Because the focus of the cyber-ICRC’s efforts would be recovery rather than attribution, information relevant to the latter would be collected only incidentally to the primary mission of facilitating recovery.”
The developing world would especially benefit from a cyber-ICRC, according to Korzak and Lin. They pointed to an assistance gap felt by cyberattack victims who lack the capacity or resources to recover from an attack, and explained that the gap is particularly acute in the developing world.
However, because the cyber-ICRC would focus on serious and significant attacks, a threshold for qualifying attacks would have to be established. The authors did note that the threshold should vary between countries and regions.
“A cyber-ICRC would focus its work on cyber incidents of significant consequence,” Korzak and Lin noted. “Accordingly, if a civilian entity were to suffer serious cyber harm, it would be eligible to request assistance from a cyber-ICRC. Because assistance would be reserved for significant events, a threshold would need to be effectively established. What qualifies as a significant event can, of course, differ across countries, sectors and organizations and will need to be discussed further.”
The cyber-ICRC would only provide assistance if “the victim(s) of cyberattacks agreed to allow personnel from the cyber-ICRC to provide such assistance, and if the host government (i.e., the government that exercises jurisdiction over the harmed civilian entity) consents as well.”
Korzak and Lin conclude their paper with a list of open questions about the proposed cyber-ICRC, which they acknowledge are “hard to answer, and are merely illustrative of myriad other questions that must be addressed satisfactorily before a cyber-ICRC can be realized.”
Their questions include:
- What criteria should be established as a threshold for responding to a call for assistance from the cyber-ICRC? Who gets to formally determine the criteria?
- What should the relationship be between the assistance organization and the host government of affected civilian entities?
- What are appropriate data protection standards?
- To what extent and under what circumstances should the activities of a cyber-ICRC remain non-public?
- How should the neutrality of a cyber-ICRC and its activities be safeguarded?
- What criteria determine the appropriate end of the cyber-humanitarian mission? And who decides if those criteria are met in any given instance?
“Assuming that the questions above can be answered adequately, a willingness to support a cyber-ICRC with funding and, more importantly, with expertise would go a long way in generating tangible and visible results in the quest for a safer and more secure cyberspace,” Korzak and Lin concluded.