A new “14 Points” for the future security of critical infrastructure in cyberspace

It was a 100 years ago this week that U.S. President Woodrow Wilson made his peace proposals after the end of the “war to end all wars” in January 8, 1918. They were “The Fourteen Points” and sadly, were not successful in preventing the next World War that ended in 1945. Going forward to our times this has been a bad year for the cybersecurity of critical infrastructure with discovery of several malware that have been designed in such a way as to threaten the very technical foundations of modern society (1). Efforts at the policy level to manage an increasingly dangerous cyberspace environment have also achieved little success (2). However, it can be argued that the efforts made did eventually meet with some success when the United Nations was created after the end of the Second World War. Perhaps it is a good time now to consider an updated “14 Points” (3) for securing the future peace and safety of cyberspace and the critical systems that exist there. Let us see if those 14 proposals for world peace made 100 years ago can be adapted to promote peace in cyberspace today.

Figure 1: It was a 100 years ago when U.S. President Woodrow Wilson made his 14 proposals to keep the peace after the end of the “war to end all wars”.

The first point, “Open covenants of peace, openly arrived at”, sounds like it could be changed to “States commit to transparency in regarding their cyber activities.
Now will propose an adaptation of the remaining of Wilson’s Fourteen Points:

2. Freedom for all to access and make use of the Internet (Access to the internet is a human right according to a report submitted to the U.N. General Assembly); (4)
3. “Equality of trade conditions” sounds like “Net Neutrality” or the idea that Internet service providers (ISP’s) should treat all data traversing their networks the same (5);
4. “Reduction of armaments” should be a “no-brainer”. For today, it could be restated: States agree to restrain themselves from directing malicious cyber activities at the critical infrastructure of other states. (6)
5. Nr. 5 transposes to “States respect the confidentiality, integrity and availability of cyberspace based resources of other states”.
6. Nr. 6 could be restated as “States agree to remove all “logic bombs” (7) or malware placed in the critical infrastructure of other states”;
7. Nr. 7 is similar to Nr. 6 in terms of restoring something that has been lost or taken away from a people (in the original it was for the occupying army to leave Belgium), but it can be rephrased as “States agree to make every effort to promote TRUST on the Internet;
8. Nr. 8 sounds too similar to 6 and 7. So will skip this (unless someone can offer a suitable proposal?);
9. This sounds like it could adapted to read: “States agree to take responsibility for malicious cyber activities taking place inside or transiting through their cyberspace jurisdictions”. (8)
10. Number 10 perhaps should not be considered on the list of adapted points. The main reason is that this sounds very much like the trend on the part of so-called authoritarian states (9) to develop their own separate national Internets .(10) This would contradict the intentions behind the first and several other points.
11. Sounds similar to nr. 10.
12. This may be controversial point as it contends that there are nations which may be seeking either intentionally or because of their de facto pervasive technical presence as dominating or “colonizing” Internet (11). A rephrase of this point for today’s cyberspace could read: States agree to respect each other as equal stakeholders managing and using the Internet and the legitimacy of each other’s culture as expressed in cyberspace.
13. This sounds similar to points 2 and 3.
14. This point originally called for a “League of Nations to guarantee independence and territorial integrity to great and small states alike”. This can be adapted for today’s cyberspace peace proposal point as: States agree to create a coalition of willing experts and institutions to monitor and advise on violations of the above agreements. (12)

To make things simpler the final list will shortened to weed out the repetitions and points that do not seem to carry over into our time. Then below we find:

“The Ten Points” for 21st century cyberspace:

1. States commit to transparency in regard to their cyber activities;

2. Freedom for all to access and make use of the Internet for the pursuit of knowledge, commerce and happiness. (sorry for some borrowing from the Declaration of Independene);

3. “Net Neutrality” or the idea that Internet service providers (ISP’) should treat all data traversing their networks the same;

4. States agree to restrain themselves from directing malicious cyber activities at the critical infrastructure of other states;

5. States respect the confidentiality, integrity and availability of cyberspace based resources of other states;

6. States agree to remove all “logic bombs” or malware placed in the critical infrastructure of other states;

7. States agree to make every effort to promote TRUST on the Internet;

8. States agree to take responsibility for malicious cyber activities taking place inside or transiting through their cyberspace jurisdictions;

9. States agree to respect each other as equal stakeholders managing and using the Internet and respect the legitimacy of each other’s culture as expressed in cyberspace.;

10. States agree to create a coalition of willing experts and institutions to monitor and advise on violations of the above agreements;

I will stop at 10, a good number. It may sound to some as more persuasive and legitimate as the number “10” is used in mathematics as in the decimal system and in religion as in The Ten Commandments.

There you have them. This was an interesting exercise. If these points are accepted by nations someday, special care must be made to address the issues that caused their failure to stop the outbreak of World War II. Although not all the points were fully implemented, one did have a chance to make a difference in avoiding future wars. This was the 14th point calling for the creation of a League of Nations which did not live up to its promise of stopping aggression. The actions of the aggressors in the 1930’s were not met with firm action. Instead of being checked, these states were encouraged to continue in their bad behavior toward their neighbors. The main reason for the collective failure to act against aggression was the failure of one of the leading nations that could have given weight or gravitas to this proposal to join the League. Instead, a policy of isolationism and avoidance of foreign entanglements was pursued. It was mistakenly assumed that the nation’s stature and location in the world would act to insulate from any severe consequences performed by the aggressor states. Perhaps the realization of today’s technological interdependence will change this kind of thinking and help open some currently blocked doors. Perhaps some of them as represented by the Ten Points listed above could make a contribution towards “cyberspace peace” in the 21st century.

Vilnius, 10 January 2018

References:
1. Johnson B., Caban D., Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure.

2. http://scadamag.infracritical.com/index.php/2017/12/11/ics-cybersecurity-crossroads-heading-toward-cyber-peace-towards-duty-hack/

3. http://www.u-s-history.com/pages/h1324.html

4. https://www.wired.com/2011/06/internet-a-human-right/

5. https://phys.org/news/2017-12-expert-overview-net-neutrality-debate.html

6. Butrimas, V. National Security and International Policy Challenges in a Post Stuxnet World, https://www.degruyter.com/downloadpdf/j/lasr.2014.12.issue-1/lasr-2014-0001/lasr-2014-0001.pdf p.26.

7. https://en.wikipedia.org/wiki/Logic_bomb

8. Butrimas, V. National Security and International Policy Challenges in a Post Stuxnet World . page 27.

9. Russia’s Security Council tells the government to develop a separate Internet for the BRICS https://meduza.io/en/news/2017/11/28/russia-s-security-council-tells-the-government-to-develop-a-separate-internet-for-the-brics 28 November 2017.

10. Goldstein, G. The Internet Is Fracturing Into Separate Country-Specific Networks http://www.nextgov.com/cio-briefing/2014/06/internet-fracturing-separate-country-specific-networks/87430/ June 27, 2014.

11. Farrell, M. How the Rest of the World Feels About U.S. Dominance of the Internet http://www.slate.com/articles/technology/future_tense/2016/11/the_u_s_should_stop_lecturing_about_internet_values.html Nov. 18 2016.

12. Butrimas, V. National Security and International Policy Challenges in a Post Stuxnet World, https://www.degruyter.com/downloadpdf/j/lasr.2014.12.issue-1/lasr-2014-0001/lasr-2014-0001.pdf p.28.

Vytautas Butrimas

About Vytautas Butrimas

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 28 years. Mr. Butrimas has participated in several cybersecurity exercises, contributed to various international reports and trade journals, and has published numerous articles on cybersecurity and policy issues.