By Klara Jordan
Operationalising Principles One Year In
2018 saw a range of initiatives aimed at promoting different aspects of multi-stakeholder collaboration in cybersecurity. Intended as norm-building, they all centre around high-level commitments and principles for a safer internet and information and communications technology (ICT).
The Cybersecurity Tech Accord commits to protect and empower civilians online and improve overall resilience of the internet; the Siemens-led Charter of Trust promotes standards to drive cybersecurity across the global supply chain; and the Paris Call for Trust and Security in Cyberspace, launched by the President of France at the Internet Governance Forum (IGF), contains a proposal for the multi-stakeholder development of international cybersecurity standards and practices.
These initiatives promote and consolidate existing efforts and principles and are a valuable way to showcase the industry’s efforts to be good corporate citizens for the sake of the larger ecosystem and for the protection of its customers.
High-level declarations of principles notwithstanding, true norm-building in cybersecurity – just as in any other field – can only happen through action and operationalisation of high-level principles.
One year after endorsing the Paris Call for Trust and Security in Cyberspace, the Global Cyber Alliance (GCA) has been actively implementing and operationalising two of the principles of the Call.
Principle #3 calls for strengthening the capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities.
Weaponisation of information not intended for public consumption has been utilised by foreign actors in efforts to impact voters’ choices. The attack vector for these incidents has involved, in many cases, spearphishing techniques to gain remote access to servers and to gain credentials to access social media accounts, with the aim of undermining the credibility of individuals or campaigns.
In other instances, phishing and spoofing of user credentials of election offices have resulted in attempts to carry out distributed denial of service (DDoS) attacks in efforts to jeopardise the availability and authentication of systems involved in elections.
To address the threat to election offices, GCA created a toolkit to help election officials mitigate the cyber risks they face every day. The toolkit follows guidance from the CIS Handbook for Election Infrastructure Security, an accepted set of best practices for the security of election system infrastructure, based on CIS Controls. GCA has also engaged in awareness and outreach efforts to support the adoption of the toolkit and worked with a range of stakeholders to support its implementation.
Principle #7 of the Paris Call asks for support to strengthen advanced cyber hygiene for all actors.
GCA’s toolkits for small businesses and election offices have helped organisations and people achieve better cyber hygiene. Implementation of some of the most basic cyber hygiene principles can reduce cyber risk by as much as 85%. In addition, GCA has driven global implementation of Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication protocol that prevents spoofing of domains in email, stopping the most virulent kind of phishing. As part of this effort, GCA developed a Setup Guide to ease the implementation process. The guide is available in 18 languages and has been accessed from 180 countries and nearly 5,500 cities, and GCA has trained many organisations in the use of DMARC. GCA, in collaboration with IBM and Packet Clearing House, also developed the Quad9 protective domain name system (DNS) service that blocks access to malicious sites, significantly limiting and reducing the impact of phishing and malicious software. As a protective DNS service, Quad9 can significantly mitigate up to one-third of internet attacks.
GCA has not done this alone; all projects were carried out in collaboration with or with support from its partners, a de facto multi-stakeholder ecosystem of organisations and individuals dedicated to practical solutions to address cyber risk at scale.
GCA’s commitment to the principles and priorities of the Paris Call continues to be grounded in action through outreach, advocacy, and new projects. Impact at scale will only be possible if a large number of organisations operationalise these principles.
GCA urges its partners not only to continue to engage in collaborative projects to implement the principles from the Paris Call but also to support the initiative by endorsing the Paris Call. Such an endorsement could serve to raise awareness and increase organisational visibility on responsibility in cyberspace.
To show this additional support, all that is needed is an email notifying the French Ministry of Foreign Affairs of organisational endorsement of the Paris Call for Trust and Security in Cyberspace. Additionally, please don’t hesitate to express your particular interest in one of the principles to the French government. To contact the French Ministry of Foreign Affairs and support the Paris Call, please send an email to firstname.lastname@example.org.
The author, Klara Jordan, is the Executive Director, EU and Africa, at the Global Cyber Alliance. You can follow her on Twitter at @JordanKlara or connect with her on LinkedIn.