Identifier
Created
Classification
Origin
09USOSCE64
2009-03-25 16:06:00
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Mission USOSCE
Cable title:
OSCE/FSC: DAY ONE--OSCE WORKSHOP ON A
how-toVZCZCXRO9778 OO RUEHAG RUEHAST RUEHDA RUEHDBU RUEHDF RUEHFL RUEHIK RUEHKW RUEHLA RUEHLN RUEHLZ RUEHMRE RUEHNP RUEHPOD RUEHROV RUEHSK RUEHSR RUEHVK RUEHYG DE RUEHVEN #0064/01 0841606 ZNR UUUUU ZZH O 251606Z MAR 09 FM USMISSION USOSCE TO RUEHC/SECSTATE WASHDC IMMEDIATE 6278 INFO RUCNCFE/CONVENTIONAL ARMED FORCES IN EUROPE PRIORITY RUEHNO/USMISSION USNATO PRIORITY 1718 RUEAIIA/CIA WASHDC PRIORITY RUEKJCS/DIA WASHDC PRIORITY RUEKJCS/SECDEF WASHDC PRIORITY RUESDT/DTRA-OSES DARMSTADT GE PRIORITY RHMFISS/CDR USEUCOM VAIHINGEN GE PRIORITY RUEKJCS/JOINT STAFF WASHDC//J5-DDPMA-IN/CAC/DDPMA-E// PRIORITY RUEAHQA/HQ USAF WASHINGTON DC//XONP// PRIORITY RUEADWD/DA WASHINGTON DC PRIORITY RUEASWA/DTRA ALEX WASHINGTON DC//OSAE PRIORITY RUEHZL/EUROPEAN POLITICAL COLLECTIVE 0080 RUCNOSC/OSCE COLLECTIVE
UNCLAS SECTION 01 OF 07 USOSCE 000064
SENSITIVE
SIPDIS
STATE FOR VCI/CCA, EUR/RPM, NSA FOR STANAR-JOHNSON, T FOR
KATSAPIS, OSD EUR/NATO, OSD/NII FOR HALL, DHS FOR DENNING,
NSC FOR HATHAWAY, NSC FOR DONAHUE, NSC FOR CUMMINGS, WINPAC
FOR FRITZMEIER, ISN FOR KARTCHNER,
NSC FOR HAYES
JCS FOR J5/COL NORWOOD
OSD FOR ISA (PERENYI)
E.O. 12958: N/A
TAGS: EINT FR KCFE KHLS OSCE PARM PREL RS KCIP
SUBJECT: OSCE/FSC: DAY ONE--OSCE WORKSHOP ON A
COMPREHENSIVE OSCE APPROACH TO ENHANCING CYBERSECURITY
UNCLAS SECTION 01 OF 07 USOSCE 000064
SENSITIVE
SIPDIS
STATE FOR VCI/CCA, EUR/RPM, NSA FOR STANAR-JOHNSON, T FOR
KATSAPIS, OSD EUR/NATO, OSD/NII FOR HALL, DHS FOR DENNING,
NSC FOR HATHAWAY, NSC FOR DONAHUE, NSC FOR CUMMINGS, WINPAC
FOR FRITZMEIER, ISN FOR KARTCHNER,
NSC FOR HAYES
JCS FOR J5/COL NORWOOD
OSD FOR ISA (PERENYI)
E.O. 12958: N/A
TAGS: EINT FR KCFE KHLS OSCE PARM PREL RS KCIP
SUBJECT: OSCE/FSC: DAY ONE--OSCE WORKSHOP ON A
COMPREHENSIVE OSCE APPROACH TO ENHANCING CYBERSECURITY
1. (U) NOTE: This is the first of two cables reporting the
March 17-18 OSCE Workshop on a Comprehensive OSCE Approach to
Enhancing Cybersecurity. END NOTE.
2. (SBU) Summary: More than 200 civil and military
representatives gathered in Vienna, March 17 ) 18, in the
first wide-scale FSC effort to discuss cybersecurity. This
was one of the more broadly attended workshops held under the
auspices of the OSCE, with reps in attendance from Egypt,
Japan, the Arab League, and NATO, among others. Their key
aim was to identify ways to cooperate on enhancing
cybersecurity and examine the potential future role of the
OSCE in addressing this global problem. Washington reps, led
by State/INR Michele Markoff, also consisted of reps from
State/EEB, DHS, and DOD.
3. (SBU) Initially considered by the U.S. a risky topic for
the FSC, the workshop proved a successful endeavor for
achieving U.S. objectives, which were to prevent the
militarization of cyber security, refrain from engaging in
discussions on constraining state capabilities, and keeping
the focus on defensive remedies to ensure cyber security.
There was much support for the U.S. position to focus on
defensive strategies and for a U.S. recommendation that OSCE
participating States conduct a self-survey to identify gaps
and capacities in order to later devise an approach to cyber
resiliency. There was very little support for Russia's
description of cyber security as an "information arms race"
that required a new international treaty instrument.
Russia's proposal to begin by defining relevant terms and
concepts also gained little traction. Russia was alone in
its opposition to the Council of Europe Convention on Cyber
Crime. Turkey reported that inconsistencies with its own
national legislation had kept it from adopting the
convention, but asked USdel on the margins of the workshop
for assistance in reconciling this obstacle.
4. (SBU) There was strong support for U.S. expert
participation from Washington in the workshop. Several
delegations praised the efforts of the U.S. panelists
(State/INR, DOD, and DHS reps) and pointed out the U.S. rep's
excellent job of summarizing two days of discussion in the
last working session. Several delegations were eager to
follow up with the U.S. head of del after her presentation.
EU reps invited U.S. participation/expertise to an informal
ministerial conference on critical information infrastructure
protection (CIIP),to be held April 27-28 in Tallinn. A
number of possible recommendations for follow-up activities
were proposed. We would welcome Washington guidance on how
it envisions follow-up activity in Vienna.
5. (SBU) COMMENT: If the USG wishes to move forward on
cyber security in the OSCE, a new CSBM introduced by the U.S.
and close Allies on cyber security may be in U.S. interest
for three reasons. First, this could advance the U.S.
approach with the 56 participating States (pS),over half of
whom are not in NATO. Second, this would proactively offer a
positive alternative to displace unhelpful Russian proposals
and prevent Russian views from being the center of attention.
Third, the U.S. would assert leadership. Such a CSBM could
be centered, for instance, around the 6-7 well-received
recommendations the USG panelist made at the end of the
workshop or the 11 agreed points on cyber security already
agreed within the G-8. By moving forward with one of the
recommendations that were also proposed in the non-paper
authored by Austria, Estonia, and Lithuania, the U.S. could
enlist one or all of these countries as co-leads of the
action. END COMMENT.
END SUMMARY.
USOSCE 00000064 002 OF 007
- - - - - - - - - - - - - - - - - - - - - - - -
Opening Session: OSCE Takes on Cyber security
- - - - - - - - - - - - - - - - - - - - - - - -
6. (U) Greek Chairman in Office (Ambassador Mara Marinaki)
opened the March 17 -18 OSCE Workshop on a Comprehensive OSCE
Approach to Enhancing Cyber Security by saying it was the
first wide-scale OSCE effort to discuss cyber security,
building on previous OSCE efforts to combat terrorism on the
Internet, exchange information, and discuss concrete steps
for a way forward. The Greek CiO pointed out, in particular,
a jointly sponsored non-paper authored by Austria, Estonia,
and Lithuania (FSC.DEL/33/09),which lays out specific
concerns related to cyber security and a possible way forward
for the OSCE to address those concerns. The OSCE Secretary
General Marc Perrin de Brichambaut commented that the holding
of this event demonstrated how the OSCE was seeking to remain
in step with modern-day challenges. Cyber security as a
theme also showed continued relevance of the OSCE's signature
concern of "comprehensive security." The SYG hoped the
workshop could explore what kind of comprehensive approach
the OSCE could craft and how could it help participating
States. He said that OSCE pS had been working to create a
mandate to enhance cyber security by (1) combating terrorist
use of the Internet (MC.DEC/3/04 and MC.DEC/7/06); (2)
promoting public-private partnerships (MC.DEC/5/07); and (3)
crafting a comprehensive OSCE approach to cyber security
(FSC.DEC/10/08).
7. (SBU) The Estonian Minister of Defense Jaak Aaviksoo
called cyber security an "essential and demanding" topic
(FSC.DEL/42/09). He saw the OSCE as an ideal forum for this
discussion given the need for "security and cooperation in
Europe" on cyber security and also called it a "key forum"
for discussing a "true 21st century challenge." Aaviksoo
stressed the responsibility of pS to raise awareness and
described the OSCE as a large intergovernmental organization
with a significant role to play. He said a dual approach
that would increase cooperation multilaterally and improve
resilience on a national basis was needed. He also stressed
the need for States to create the national legal framework
necessary for a comprehensive cyber security program, and the
need for national Computer Emergency Response Teams. More
evenly regulated national cyber environments, he said, would
contribute to a better governed international space.
Aaviksoo also applauded the Council on Europe Convention on
Cybercrime as a great framework for cooperation. The Czech
Republic (Reinohlova) on behalf of the European Union said
that cyber security was an "important precondition" for
defending values.
- - - - - - - - - - - - - - - - - - -
Session 1: Threats to Cyber security
- - - - - - - - - - - - - - - - - - -
8. (SBU) The first session addressed attributes and common
forms of cyber attacks, cyber crime, defensive strategies for
threat mitigation, and consequence management and
remediation. Keynote speakers were Captain H.N. Dionisis
Antonopolous, Director Cyber Defense Directorate, Hellenic
National Defense General Staff; Vladislav Sherstyuk, Deputy
Secretary of the Security Council of the Russian Federation;
Michele Markoff, Acting Director, Office of Cyber Affairs,
Department of State; and Rytis Rainys, Head of Network and
Information Security Division of Lithuania. The panel was
moderated by Raphael Perl from the Office of the OSCE
Secretary General, Action Against Terrorism Unit.
- - - - - - - - - - - - -
USOSCE 00000064 003 OF 007
Don't Forget the End-User
- - - - - - - - - - - - -
9. (SBU) Antonopolous' presentation, The Key to an Effective
Cyber Defense Strategy, focused on the human factor in cyber
security (FSC.DEL/38/09). Due to the nature of cyber attacks
the end-user often becomes an unknowing victim. He said that
most public and private entities provide high level training
for cyber security personnel, but it can never be enough. He
stressed that the common end-user has been left out and more
education for individuals, who use computers daily at home
and work, was needed.
- - - - - - - - - - - - - - - - - - - - -
Russians Claim New Arms Race Unfolding
- - - - - - - - - - - - - - - - - - - - -
10. (SBU) Sherstyuk's presentation, Problems of Ensuring
International Information Security, made attempts to assert
that an "information arms race" was unfolding internationally
(FSC.DEL/22/09). He stressed the need for collective action
to prevent the "next round of an arms race," claiming that
120 nations had "departments" dealing with cyber warfare.
Sherstyuk also believed that it was especially important to
draw up a universal document under international law that
acknowledged the existence of political-military and criminal
threats, including terrorism, to "international information
security." He proposed the publication of a dictionary of
terms "used in the international information security field."
Sherstyuk also mentioned that an international conference on
cybercrime jointly sponsored by Russia and Germany would take
place on April 18 in Germany.
- - - - - - - - - - -
U.S. Focus on Defense
- - - - - - - - - - -
11. (SBU) Markoff's presentation, U.S. Views on National
and International Approaches to Information Network Security,
focused on securing networks through layered defenses that
are effective whatever the source of the attack
(FSC.DEL/40/09/Rev.1). Markoff explained that a national
review of cyber policy currently was being conducted in
Washington and without prejudging the outcome said that the
U.S. will continue actively to pursue international
collaboration on cyber security in bilateral, multilateral,
and international venues. The U.S. would also continue to
offer its detailed views of those steps that states,
individually and collectively, need to take to enhance cyber
security.
12. (SBU) Markoff said that cyber security was not inherently
political-military in nature, just as information technology
is neither inherently civil nor military. Therefore, cyber
security was a shared responsibility of government, industry,
and individual citizens. Markoff demonstrated that the
Russian rep's call for an arms control-like convention that
would ban the development or use of a wide range of
information technologies was not helpful or effective in
addressing the security threats associated with this
technology. It also was most likely unenforceable.
- - - - - - - - - - - - - - - - - - - - -
Lithuania: "Think Globally, Act Locally"
- - - - - - - - - - - - - - - - - - - - -
13. (SBU) Rainys' presentation, Overview of Cyber-related
Security Incidents in 2008, stressed that cyber attacks were
becoming massive and well-organized. He stated that most
cyber attacks were motivated by financial gain. His message
USOSCE 00000064 004 OF 007
was to "think globally, act locally." Rainys said that if
each nation could implement an incident management system
that would keep its local network as clean as possible, this
would, in turn, enhance the security of global networks.
Rainys stressed that defensive activities were key. He said
that incident management work by CERT groups should be
enhanced, technical solutions that could be implemented by
network providers would lead to better protection of
end-users, and wider cooperation and coordination were
important.
- - - - - - - - - - - - -
Self-Survey As First Step
- - - - - - - - - - - - -
14. (SBU) In response to questions posed by the audience,
Markoff suggested that the OSCE first set up a "self-survey"
in order to know the gaps and capacities among OSCE pS.
Then, Markoff said, the OSCE could design a program where the
first steps would be to develop confidence and trust. She
also indicated that this could include identifying points of
contact for the first responders of member States. Finland
(Kangaste) agreed that cyber security posed challenges to all
stakeholders and supported defensive measures as the most
concrete way for dealing with cyber attacks. He called the
Council of Europe Convention on Cyber Crime "groundbreaking."
He also echoed the U.S. (Markoff) point about the need to
build a "culture of cyber security" as well as the U.S.
recommendation for a self-survey. Kangaste said it was
important to ensure that the rules of international
humanitarian law apply and said that Sweden, Switzerland, and
Finland have an ongoing joint study to define what this means
for cyber space.
- - - - - - - - - - - - - - - - - - - -
U.S. Upholds Principles of Free Speech
- - - - - - - - - - - - - - - - - - - -
15. (SBU) Cyprus agreed with Rainys, statement, "think
globally, act locally," but reordered the priority to acting
locally and collaborating internationally. The Cyprus rep
stressed the need for a well-defined plan and said "perfect
planning prevents pathetic performance." Azerbaijan
(Jafarova) noted that networks should not be used for
"racism, terrorism, or other phobias, such as Islamaphobia."
Jafarova spoke about the potential for a state to develop
propaganda against another state and said that Azerbaijan had
found websites that challenged its territorial integrity and
sovereignty. The U.S. (Markoff) responded that while we may
witness speech that is hostile and political on the internet,
it remains the U.S. position that one's view of illegitimate
speech is another's legitimate political expression. In
upholding the right of free speech, Markoff cautioned against
"regulating content8 and stressed the importance of
maintaining the principles of the Universal Declaration of
Human Rights.
- - - - - - - - - - - - - - - - - - - - - - -
Russia Says It's Misunderstood; Quotes Castro
- - - - - - - - - - - - - - - - - - - - - - -
16. (SBU) Georgia (Kvanchakhadze) recalled the "most serious
attack against (their) infrastructure" in August 2008 and
questioned who would be the main international body to fight
state sponsored attacks. The U.S. (Markoff) stressed that
the unique attributes of this technology made the problem of
acting against perceived perpetrators very difficult and that
a better understanding of the technical issues in the
international environment was essential before strategizing
further. Russia (Krutskikh) alleged that there was a problem
USOSCE 00000064 005 OF 007
understanding each other because cyber terms had not been
defined. He then said Russia was misunderstood as pushing
for "disarmament." Krutskikh said we should use the
experience we have already acquired but we should be sure we
were targeting the right problems, such as crime, terrorism,
and armed attack. He quoted Fidel Castro, who said "if you
devise an imaginary enemy, you ignore the real enemy that
exists."
17. (SBU) Antonopolous tried to clarify that cyber meant
the "space where we are when we are talking on the phone."
In other words, it is "the non-visual space where you can
apply visual actions." The U.S. (Markoff) responded that
Krutskikh's comments seemed to imply a change in the Russian
position that has held for several years that an arms control
race in unfolding. Markoff said that the Russian position
had been to establish boundaries of sovereignty in cyber
space, but if that had changed, the U.S. would welcome
hearing more details.
- - - - - - - - - - - - - - -
Session 2: Government Options
- - - - - - - - - - - - - - -
18. (U) The second session addressed national and
international good practices and legal frameworks and their
use to develop policy options for governments. Michele
Markoff was the moderator. Keynote speakers included John
Denning, Director for External Affairs in the Office of Cyber
security and Communications, Department of Homeland Security;
Patrick Pailloux, Director of Information Security, French
General-Secretariat for National Defense; and, Andrea
Servida, Directorate General Information Society of the
European Commission.
- - - - - - - - - - - - - - - - - - -
U.S. Describes Cybersecurity Culture
- - - - - - - - - - - - - - - - - - -
19. (SBU) Denning (Department of Homeland Security) called
for the construction of a culture of cyber security based on
shared responsibility (FSC.DEL/44/09/Add.1). Denning
described the key elements of a viable cyber security program
as: development of national strategy; collaboration between
national governments and industry; deterrence of cybercrime;
creation of national incident management capabilities; and
promotion of a national culture of cyber security.
20. (SBU) Denning said governments must provide an example
of good cyber security practices in their outreach to the
private sector. He noted that government efforts are
inherently multi-agency and, in the U.S., include federal,
state, and local officials. His own agency, Homeland
Security, had developed a National Infrastructure Protection
Plan that relied on close relationships between the
government and key sectors of the critical infrastructure.
Inculcating cyber security awareness in all parts of the
society will require constant awareness raising and education.
- - - - - - - - - - - - -
French National Responses
- - - - - - - - - - - - -
21. (SBU) Pailloux said that much thinking in the French
government on cyber security was captured in its recent white
paper on defense (FSC.DEL/45/09). France, noting the 2007
attack on Estonia, estimates a high probability of cyber
attack as the technology required is readily available to
many and can be employed with minimal risk to the attacker.
He noted that critical infrastructures worldwide increasingly
USOSCE 00000064 006 OF 007
depend on information technology for effective functioning,
increasing the risk cyber attacks could seriously impede
delivery of vital services to citizens. Pailloux praised the
FSC workshop as a necessary effort to raise awareness of the
threats to cyber security. Also needed was international
agreement on a minimum level of rules and good practices that
system operaters need to follow. He also stressed that
security requirements should not hamper innovation and rapid
technology development in the IT industry, and said that
international cooperation is essential to deter and prosecute
cybercrime. He said that the EU must take steps to protect
its critical information infrastructure, as it protects its
other critical infrastructures. The French government CERT,
which Pailloux heads, was able to close down over 2,000
phishing sites with the help of its international partners.
- - - - - - - - - - -
EU Policy Initiatives
- - - - - - - - - - -
22. (SBU) Andrea Servida described ongoing EU efforts to
enhance cyber security in the EU's Member States and
institutions. While EU executive agencies like the European
Network and Information Security Agency are raising awareness
and fostering dialogue with industry, there was also a need
for greater public participation in shaping an enhanced
European policy on network and information security. The
Commission launched an on-line public consultation in 2008 to
which academics, industry experts, and private citizens have
contributed.
23. (SBU) Noting the increasing number and severity of
cyber attacks and their costs to national and regional
economies, Servida said the Commission had several policy
initiatives designed to ensure the protection and survival of
European Critical Information Infrastructure. These would be
based on both government and private sector programs and
would protect against all threats. Next steps include an
informal ministerial meeting on critical information
infrastructure protection (CIIP) in Tallinn in late April.
He noted that while there are 150 CERTs in the EU, only 15
are national-level, of which seven have standard operating
language to communicate with each other.
24. (SBU) Italy (Somma),in response, described briefly its
MOD cyber defense organization and highlights of a recent
cyber exercise ("CYBER SHOT") that involved all the military
services, including the Carabinieri or national police, and
representatives of civilian government agencies and critical
information infrastructure. Somma spoke of the importance of
setting up a clear command structure for dealing with
incidents as they occur, and situational awareness of the
state of network defenses. Another exercise is planned in
November in conjunction with a NATO cyber event. The Arab
League (Wehbe) said it was taking steps to follow UN
measures. Wehbe pointed out that the Arab countries were
trying to combat terrorist use of the internet while
maintaining respect for human rights.
- - - - - - - - - - - - - - - - - - - - -
Meridian Process: Connecting Policymakers
- - - - - - - - - - - - - - - - - - - - -
25. (SBU) The UK (Burnett) described the Meridian Process,
which began in 2005 with the support of the EU and G8 for
policymakers involved in CIIP. Burnett noted that the
Meridian Process is an annual conference, with a rotating
presidency, open to any country that wants to join. It had
been deemed successful by participants. The presidency was
held by the UK (2005),Hungary (2006),Sweden (2007),
USOSCE 00000064 007 OF 007
Singapore (2008),this year (November) by the U.S., and in
2010 by Taiwan. The theme of Meridian is "connecting and
protecting," and identify points of contacts between
participants. Burnett stressed the conference was meant for
policymakers, not CERT professionals or technical experts.
26. (U) This cable has been cleared by INR/CCT Markoff;
OSD/NII; and, OSD/P.
NEIGHBOUR
SENSITIVE
SIPDIS
STATE FOR VCI/CCA, EUR/RPM, NSA FOR STANAR-JOHNSON, T FOR
KATSAPIS, OSD EUR/NATO, OSD/NII FOR HALL, DHS FOR DENNING,
NSC FOR HATHAWAY, NSC FOR DONAHUE, NSC FOR CUMMINGS, WINPAC
FOR FRITZMEIER, ISN FOR KARTCHNER,
NSC FOR HAYES
JCS FOR J5/COL NORWOOD
OSD FOR ISA (PERENYI)
E.O. 12958: N/A
TAGS: EINT FR KCFE KHLS OSCE PARM PREL RS KCIP
SUBJECT: OSCE/FSC: DAY ONE--OSCE WORKSHOP ON A
COMPREHENSIVE OSCE APPROACH TO ENHANCING CYBERSECURITY
1. (U) NOTE: This is the first of two cables reporting the
March 17-18 OSCE Workshop on a Comprehensive OSCE Approach to
Enhancing Cybersecurity. END NOTE.
2. (SBU) Summary: More than 200 civil and military
representatives gathered in Vienna, March 17 ) 18, in the
first wide-scale FSC effort to discuss cybersecurity. This
was one of the more broadly attended workshops held under the
auspices of the OSCE, with reps in attendance from Egypt,
Japan, the Arab League, and NATO, among others. Their key
aim was to identify ways to cooperate on enhancing
cybersecurity and examine the potential future role of the
OSCE in addressing this global problem. Washington reps, led
by State/INR Michele Markoff, also consisted of reps from
State/EEB, DHS, and DOD.
3. (SBU) Initially considered by the U.S. a risky topic for
the FSC, the workshop proved a successful endeavor for
achieving U.S. objectives, which were to prevent the
militarization of cyber security, refrain from engaging in
discussions on constraining state capabilities, and keeping
the focus on defensive remedies to ensure cyber security.
There was much support for the U.S. position to focus on
defensive strategies and for a U.S. recommendation that OSCE
participating States conduct a self-survey to identify gaps
and capacities in order to later devise an approach to cyber
resiliency. There was very little support for Russia's
description of cyber security as an "information arms race"
that required a new international treaty instrument.
Russia's proposal to begin by defining relevant terms and
concepts also gained little traction. Russia was alone in
its opposition to the Council of Europe Convention on Cyber
Crime. Turkey reported that inconsistencies with its own
national legislation had kept it from adopting the
convention, but asked USdel on the margins of the workshop
for assistance in reconciling this obstacle.
4. (SBU) There was strong support for U.S. expert
participation from Washington in the workshop. Several
delegations praised the efforts of the U.S. panelists
(State/INR, DOD, and DHS reps) and pointed out the U.S. rep's
excellent job of summarizing two days of discussion in the
last working session. Several delegations were eager to
follow up with the U.S. head of del after her presentation.
EU reps invited U.S. participation/expertise to an informal
ministerial conference on critical information infrastructure
protection (CIIP),to be held April 27-28 in Tallinn. A
number of possible recommendations for follow-up activities
were proposed. We would welcome Washington guidance on how
it envisions follow-up activity in Vienna.
5. (SBU) COMMENT: If the USG wishes to move forward on
cyber security in the OSCE, a new CSBM introduced by the U.S.
and close Allies on cyber security may be in U.S. interest
for three reasons. First, this could advance the U.S.
approach with the 56 participating States (pS),over half of
whom are not in NATO. Second, this would proactively offer a
positive alternative to displace unhelpful Russian proposals
and prevent Russian views from being the center of attention.
Third, the U.S. would assert leadership. Such a CSBM could
be centered, for instance, around the 6-7 well-received
recommendations the USG panelist made at the end of the
workshop or the 11 agreed points on cyber security already
agreed within the G-8. By moving forward with one of the
recommendations that were also proposed in the non-paper
authored by Austria, Estonia, and Lithuania, the U.S. could
enlist one or all of these countries as co-leads of the
action. END COMMENT.
END SUMMARY.
USOSCE 00000064 002 OF 007
- - - - - - - - - - - - - - - - - - - - - - - -
Opening Session: OSCE Takes on Cyber security
- - - - - - - - - - - - - - - - - - - - - - - -
6. (U) Greek Chairman in Office (Ambassador Mara Marinaki)
opened the March 17 -18 OSCE Workshop on a Comprehensive OSCE
Approach to Enhancing Cyber Security by saying it was the
first wide-scale OSCE effort to discuss cyber security,
building on previous OSCE efforts to combat terrorism on the
Internet, exchange information, and discuss concrete steps
for a way forward. The Greek CiO pointed out, in particular,
a jointly sponsored non-paper authored by Austria, Estonia,
and Lithuania (FSC.DEL/33/09),which lays out specific
concerns related to cyber security and a possible way forward
for the OSCE to address those concerns. The OSCE Secretary
General Marc Perrin de Brichambaut commented that the holding
of this event demonstrated how the OSCE was seeking to remain
in step with modern-day challenges. Cyber security as a
theme also showed continued relevance of the OSCE's signature
concern of "comprehensive security." The SYG hoped the
workshop could explore what kind of comprehensive approach
the OSCE could craft and how could it help participating
States. He said that OSCE pS had been working to create a
mandate to enhance cyber security by (1) combating terrorist
use of the Internet (MC.DEC/3/04 and MC.DEC/7/06); (2)
promoting public-private partnerships (MC.DEC/5/07); and (3)
crafting a comprehensive OSCE approach to cyber security
(FSC.DEC/10/08).
7. (SBU) The Estonian Minister of Defense Jaak Aaviksoo
called cyber security an "essential and demanding" topic
(FSC.DEL/42/09). He saw the OSCE as an ideal forum for this
discussion given the need for "security and cooperation in
Europe" on cyber security and also called it a "key forum"
for discussing a "true 21st century challenge." Aaviksoo
stressed the responsibility of pS to raise awareness and
described the OSCE as a large intergovernmental organization
with a significant role to play. He said a dual approach
that would increase cooperation multilaterally and improve
resilience on a national basis was needed. He also stressed
the need for States to create the national legal framework
necessary for a comprehensive cyber security program, and the
need for national Computer Emergency Response Teams. More
evenly regulated national cyber environments, he said, would
contribute to a better governed international space.
Aaviksoo also applauded the Council on Europe Convention on
Cybercrime as a great framework for cooperation. The Czech
Republic (Reinohlova) on behalf of the European Union said
that cyber security was an "important precondition" for
defending values.
- - - - - - - - - - - - - - - - - - -
Session 1: Threats to Cyber security
- - - - - - - - - - - - - - - - - - -
8. (SBU) The first session addressed attributes and common
forms of cyber attacks, cyber crime, defensive strategies for
threat mitigation, and consequence management and
remediation. Keynote speakers were Captain H.N. Dionisis
Antonopolous, Director Cyber Defense Directorate, Hellenic
National Defense General Staff; Vladislav Sherstyuk, Deputy
Secretary of the Security Council of the Russian Federation;
Michele Markoff, Acting Director, Office of Cyber Affairs,
Department of State; and Rytis Rainys, Head of Network and
Information Security Division of Lithuania. The panel was
moderated by Raphael Perl from the Office of the OSCE
Secretary General, Action Against Terrorism Unit.
- - - - - - - - - - - - -
USOSCE 00000064 003 OF 007
Don't Forget the End-User
- - - - - - - - - - - - -
9. (SBU) Antonopolous' presentation, The Key to an Effective
Cyber Defense Strategy, focused on the human factor in cyber
security (FSC.DEL/38/09). Due to the nature of cyber attacks
the end-user often becomes an unknowing victim. He said that
most public and private entities provide high level training
for cyber security personnel, but it can never be enough. He
stressed that the common end-user has been left out and more
education for individuals, who use computers daily at home
and work, was needed.
- - - - - - - - - - - - - - - - - - - - -
Russians Claim New Arms Race Unfolding
- - - - - - - - - - - - - - - - - - - - -
10. (SBU) Sherstyuk's presentation, Problems of Ensuring
International Information Security, made attempts to assert
that an "information arms race" was unfolding internationally
(FSC.DEL/22/09). He stressed the need for collective action
to prevent the "next round of an arms race," claiming that
120 nations had "departments" dealing with cyber warfare.
Sherstyuk also believed that it was especially important to
draw up a universal document under international law that
acknowledged the existence of political-military and criminal
threats, including terrorism, to "international information
security." He proposed the publication of a dictionary of
terms "used in the international information security field."
Sherstyuk also mentioned that an international conference on
cybercrime jointly sponsored by Russia and Germany would take
place on April 18 in Germany.
- - - - - - - - - - -
U.S. Focus on Defense
- - - - - - - - - - -
11. (SBU) Markoff's presentation, U.S. Views on National
and International Approaches to Information Network Security,
focused on securing networks through layered defenses that
are effective whatever the source of the attack
(FSC.DEL/40/09/Rev.1). Markoff explained that a national
review of cyber policy currently was being conducted in
Washington and without prejudging the outcome said that the
U.S. will continue actively to pursue international
collaboration on cyber security in bilateral, multilateral,
and international venues. The U.S. would also continue to
offer its detailed views of those steps that states,
individually and collectively, need to take to enhance cyber
security.
12. (SBU) Markoff said that cyber security was not inherently
political-military in nature, just as information technology
is neither inherently civil nor military. Therefore, cyber
security was a shared responsibility of government, industry,
and individual citizens. Markoff demonstrated that the
Russian rep's call for an arms control-like convention that
would ban the development or use of a wide range of
information technologies was not helpful or effective in
addressing the security threats associated with this
technology. It also was most likely unenforceable.
- - - - - - - - - - - - - - - - - - - - -
Lithuania: "Think Globally, Act Locally"
- - - - - - - - - - - - - - - - - - - - -
13. (SBU) Rainys' presentation, Overview of Cyber-related
Security Incidents in 2008, stressed that cyber attacks were
becoming massive and well-organized. He stated that most
cyber attacks were motivated by financial gain. His message
USOSCE 00000064 004 OF 007
was to "think globally, act locally." Rainys said that if
each nation could implement an incident management system
that would keep its local network as clean as possible, this
would, in turn, enhance the security of global networks.
Rainys stressed that defensive activities were key. He said
that incident management work by CERT groups should be
enhanced, technical solutions that could be implemented by
network providers would lead to better protection of
end-users, and wider cooperation and coordination were
important.
- - - - - - - - - - - - -
Self-Survey As First Step
- - - - - - - - - - - - -
14. (SBU) In response to questions posed by the audience,
Markoff suggested that the OSCE first set up a "self-survey"
in order to know the gaps and capacities among OSCE pS.
Then, Markoff said, the OSCE could design a program where the
first steps would be to develop confidence and trust. She
also indicated that this could include identifying points of
contact for the first responders of member States. Finland
(Kangaste) agreed that cyber security posed challenges to all
stakeholders and supported defensive measures as the most
concrete way for dealing with cyber attacks. He called the
Council of Europe Convention on Cyber Crime "groundbreaking."
He also echoed the U.S. (Markoff) point about the need to
build a "culture of cyber security" as well as the U.S.
recommendation for a self-survey. Kangaste said it was
important to ensure that the rules of international
humanitarian law apply and said that Sweden, Switzerland, and
Finland have an ongoing joint study to define what this means
for cyber space.
- - - - - - - - - - - - - - - - - - - -
U.S. Upholds Principles of Free Speech
- - - - - - - - - - - - - - - - - - - -
15. (SBU) Cyprus agreed with Rainys, statement, "think
globally, act locally," but reordered the priority to acting
locally and collaborating internationally. The Cyprus rep
stressed the need for a well-defined plan and said "perfect
planning prevents pathetic performance." Azerbaijan
(Jafarova) noted that networks should not be used for
"racism, terrorism, or other phobias, such as Islamaphobia."
Jafarova spoke about the potential for a state to develop
propaganda against another state and said that Azerbaijan had
found websites that challenged its territorial integrity and
sovereignty. The U.S. (Markoff) responded that while we may
witness speech that is hostile and political on the internet,
it remains the U.S. position that one's view of illegitimate
speech is another's legitimate political expression. In
upholding the right of free speech, Markoff cautioned against
"regulating content8 and stressed the importance of
maintaining the principles of the Universal Declaration of
Human Rights.
- - - - - - - - - - - - - - - - - - - - - - -
Russia Says It's Misunderstood; Quotes Castro
- - - - - - - - - - - - - - - - - - - - - - -
16. (SBU) Georgia (Kvanchakhadze) recalled the "most serious
attack against (their) infrastructure" in August 2008 and
questioned who would be the main international body to fight
state sponsored attacks. The U.S. (Markoff) stressed that
the unique attributes of this technology made the problem of
acting against perceived perpetrators very difficult and that
a better understanding of the technical issues in the
international environment was essential before strategizing
further. Russia (Krutskikh) alleged that there was a problem
USOSCE 00000064 005 OF 007
understanding each other because cyber terms had not been
defined. He then said Russia was misunderstood as pushing
for "disarmament." Krutskikh said we should use the
experience we have already acquired but we should be sure we
were targeting the right problems, such as crime, terrorism,
and armed attack. He quoted Fidel Castro, who said "if you
devise an imaginary enemy, you ignore the real enemy that
exists."
17. (SBU) Antonopolous tried to clarify that cyber meant
the "space where we are when we are talking on the phone."
In other words, it is "the non-visual space where you can
apply visual actions." The U.S. (Markoff) responded that
Krutskikh's comments seemed to imply a change in the Russian
position that has held for several years that an arms control
race in unfolding. Markoff said that the Russian position
had been to establish boundaries of sovereignty in cyber
space, but if that had changed, the U.S. would welcome
hearing more details.
- - - - - - - - - - - - - - -
Session 2: Government Options
- - - - - - - - - - - - - - -
18. (U) The second session addressed national and
international good practices and legal frameworks and their
use to develop policy options for governments. Michele
Markoff was the moderator. Keynote speakers included John
Denning, Director for External Affairs in the Office of Cyber
security and Communications, Department of Homeland Security;
Patrick Pailloux, Director of Information Security, French
General-Secretariat for National Defense; and, Andrea
Servida, Directorate General Information Society of the
European Commission.
- - - - - - - - - - - - - - - - - - -
U.S. Describes Cybersecurity Culture
- - - - - - - - - - - - - - - - - - -
19. (SBU) Denning (Department of Homeland Security) called
for the construction of a culture of cyber security based on
shared responsibility (FSC.DEL/44/09/Add.1). Denning
described the key elements of a viable cyber security program
as: development of national strategy; collaboration between
national governments and industry; deterrence of cybercrime;
creation of national incident management capabilities; and
promotion of a national culture of cyber security.
20. (SBU) Denning said governments must provide an example
of good cyber security practices in their outreach to the
private sector. He noted that government efforts are
inherently multi-agency and, in the U.S., include federal,
state, and local officials. His own agency, Homeland
Security, had developed a National Infrastructure Protection
Plan that relied on close relationships between the
government and key sectors of the critical infrastructure.
Inculcating cyber security awareness in all parts of the
society will require constant awareness raising and education.
- - - - - - - - - - - - -
French National Responses
- - - - - - - - - - - - -
21. (SBU) Pailloux said that much thinking in the French
government on cyber security was captured in its recent white
paper on defense (FSC.DEL/45/09). France, noting the 2007
attack on Estonia, estimates a high probability of cyber
attack as the technology required is readily available to
many and can be employed with minimal risk to the attacker.
He noted that critical infrastructures worldwide increasingly
USOSCE 00000064 006 OF 007
depend on information technology for effective functioning,
increasing the risk cyber attacks could seriously impede
delivery of vital services to citizens. Pailloux praised the
FSC workshop as a necessary effort to raise awareness of the
threats to cyber security. Also needed was international
agreement on a minimum level of rules and good practices that
system operaters need to follow. He also stressed that
security requirements should not hamper innovation and rapid
technology development in the IT industry, and said that
international cooperation is essential to deter and prosecute
cybercrime. He said that the EU must take steps to protect
its critical information infrastructure, as it protects its
other critical infrastructures. The French government CERT,
which Pailloux heads, was able to close down over 2,000
phishing sites with the help of its international partners.
- - - - - - - - - - -
EU Policy Initiatives
- - - - - - - - - - -
22. (SBU) Andrea Servida described ongoing EU efforts to
enhance cyber security in the EU's Member States and
institutions. While EU executive agencies like the European
Network and Information Security Agency are raising awareness
and fostering dialogue with industry, there was also a need
for greater public participation in shaping an enhanced
European policy on network and information security. The
Commission launched an on-line public consultation in 2008 to
which academics, industry experts, and private citizens have
contributed.
23. (SBU) Noting the increasing number and severity of
cyber attacks and their costs to national and regional
economies, Servida said the Commission had several policy
initiatives designed to ensure the protection and survival of
European Critical Information Infrastructure. These would be
based on both government and private sector programs and
would protect against all threats. Next steps include an
informal ministerial meeting on critical information
infrastructure protection (CIIP) in Tallinn in late April.
He noted that while there are 150 CERTs in the EU, only 15
are national-level, of which seven have standard operating
language to communicate with each other.
24. (SBU) Italy (Somma),in response, described briefly its
MOD cyber defense organization and highlights of a recent
cyber exercise ("CYBER SHOT") that involved all the military
services, including the Carabinieri or national police, and
representatives of civilian government agencies and critical
information infrastructure. Somma spoke of the importance of
setting up a clear command structure for dealing with
incidents as they occur, and situational awareness of the
state of network defenses. Another exercise is planned in
November in conjunction with a NATO cyber event. The Arab
League (Wehbe) said it was taking steps to follow UN
measures. Wehbe pointed out that the Arab countries were
trying to combat terrorist use of the internet while
maintaining respect for human rights.
- - - - - - - - - - - - - - - - - - - - -
Meridian Process: Connecting Policymakers
- - - - - - - - - - - - - - - - - - - - -
25. (SBU) The UK (Burnett) described the Meridian Process,
which began in 2005 with the support of the EU and G8 for
policymakers involved in CIIP. Burnett noted that the
Meridian Process is an annual conference, with a rotating
presidency, open to any country that wants to join. It had
been deemed successful by participants. The presidency was
held by the UK (2005),Hungary (2006),Sweden (2007),
USOSCE 00000064 007 OF 007
Singapore (2008),this year (November) by the U.S., and in
2010 by Taiwan. The theme of Meridian is "connecting and
protecting," and identify points of contacts between
participants. Burnett stressed the conference was meant for
policymakers, not CERT professionals or technical experts.
26. (U) This cable has been cleared by INR/CCT Markoff;
OSD/NII; and, OSD/P.
NEIGHBOUR