application of principles of international law to computer networks operations management
Post on 05-Jul-2015
254 Views
Preview:
TRANSCRIPT
Application of principles of international law to computer network operations management
Adriana Dvoršak
1st international academic conference on intelligence and security Contemporary Intelligence Support Systems.
1. Security of IP (concern of the IETF).
2. Security of networks (focus on CERT). 3. Security of business.
4. The individual's human rights (privacy)5. National security (state sovereignty, national
interests, cyber warfare).(Doria, 2007)
Providing security to individuals, business, state.
Concepts of cyber security
and law of armed conflict:
1. military necessity,
2. distinction, 3. proportionality,
4. perfidy, 5. neutrality, and6. unnecessary suffering.
Principles of international law
(Kanuck, 2007)
CNO in operation Allied forceCNE - NATO, SerbiaCNA – NATOCND – US (?)
Propaganda - SerbiaMilitary deception - Serbia
Learning points for NATOVulnerabilities National decision making processes
State practice from the region
Offensive doctrine Military foreign policy options are expanded Small states with offensive foreign policy
Can Slovenia advocate cyber offensive? Article 124 of Constitution: In the provision of security the state
proceeds principally from a policy of peace, and an ethic of peace and non-aggression.
Legal conditions for CNARight for self-defensePart of general and information warfareRequest from UNSCCoalitions of the willing supported by UN Resolution
Cyber offensive
CNA CND
TARGET
IW AREAS
TACTICS TACTICS
WEAPONS ATTRIBUTES
CONSEQUENCESREACTIONSperceptions,actions
RECOVERY
DECISIONCONTEXT
CONSIDERATIONS FORIW PLANNING1 Legal,political,social2 Skil levels, technical3 Financial
reev
alua
tion
CNO lifecycle model
Adapted from van Niekerk, 2011
The self-defence rule: Everyone has the right to self-defence.
The cooperation rule: The fact that a CNA has been conducted via information systems located in
a state’s territory creates a duty to cooperate with the victim state.
The access to information rule: The public has a right to be informed about threats to their life, security
and well-being.
The mandate rule: An organisation’s capacity to act (and regulate) derives from its mandate.
The data protection rule: Information relating to an identified or identifiable natural person is
regarded as personal data. (Tikk, 2011)
NATO 10 rules
The territoriality rule: Information infrastructure located within a state’s territory is
subject to that state’s territorial sovereignty.
The responsibility rule: Fact that CNA was launched from inf.system located in a state’s
territory is evidence that the act is attributable to that state.
The duty of care rule: Everyone has the responsibility to implement a reasonable level
of security in their information infrastructure.
The early warning rule: There is an obligation to notify potential victims about known,
upcoming cyber attacks.
The criminality rule: Every nation has the responsibility to include the most common
cyber offences in its substantive criminal law.
NATO 10 rules
Member States required to have:• national network and information security (NIS)
strategy;• NIS cooperation plan;• NIS competent national authority:
– technical expertise, – international liasion, – security breach reporting,– CERT functions.
• Computer Emergency Response Team (CERT).
EU Directive on common level of NIS
Obligatory breach notification to the competent authority, it determines which notification is in the public interest (security intelligence?).
Competent authority requires market operators and public administrations to: – provide information needed to assess the security of their NIS; – undergo a security audit and make the results available to the
competent authority;– issues binding instructions to market operators and public
administrations.(Articles 14 and 15)
EU Directive – competent authority
Difference Proposal for a Directive on network and info security vs Cyber Security Strategy
Cyberdefence policy and capabilities related to Common Security and Defence Policy (CSDP)
Aims: – To concentrate on cyberdefence capability on detection,
response and recovery from sophisticated cyber threats;– synergies between civilian and military approaches.
Cyber Security Strategy and CSDP
High Representative, MS, EDA will assess capability development: doctrine, leadership, organisation, personnel, training, technology,
infrastructure, logistics and interoperability.
Develop EU cyberdefence policy: missions and operations, dynamic risk management, improved
threat analysis, information sharing, training and exercise for militaries in the EU and multinational context.
Promote dialogue and coordination – civilian and military actors in the EU,– international partners, NATO, international organisations.
High Representative activities
National cyber security and cyber defense strategy.
Analysis of external environment Pressure - normative dimension (EU Directive obligations, NATO
minimum requirements);Threats.
Internal environment Changes to legal framework (information society, criminal code,
privacy).Stakeholders (military, police, academia, civil society,
business).Synergies between national cyber incident capabilities, CERT,
and competent authority (EU Directive on network and info security)
Way ahead for Slovenia
Centre vs. PeripheryGlobal North - Global South relations
Balkanization of CNE 1981 UNGA Declaration on Non-intervention: “the right of states
and peoples to have free access to information and to develop fully, without interference, their system of information and mass media, and to use their information media in order to promote their political, social, economic, and cultural interests and aspirations.”
Certain CNE amount to an unlawful intervention, e.g. cyber propaganda activities aimed at fomenting civil upraising in a target state, interference with elections.
Non-intervention
National assesement
Synergies between national needs and international requirementsEU DirectiveNATO requirementsNew institutions
Conclusions
AppendixConstitution of International Telecommunications Union (1992).Doria, A. (2007). What do the Words »Internet Security« Mean? In Kleinwoechter (Ed.), The Power of Ideas: Internet Governance in a Global Multi-Stakeholder Environment. BerlinKanuck, S. (2009). Sovereign Discourse on Cyber Conflict under International Law. Texas Law Review, 88. van Niekerk, B., & Maharaj, M. S. (2011). The Information Warfare Life Cycle Model. SA Journal of Information Management, Vol 13, No1 European Commission. (2013a). Cyber Security Strategy of the European Union: An Open, Safe and Secure Cyberspace. Retrieved from http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security. European Commission. (2013b). Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union. (COM(2013) 48). Retrieved from http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security.Tikk, E. (2011). Ten Rules for Cyber Security. Survival: Global Politics and Strategy, 53(3).
top related