A new “14 Points” for the security of critical infrastructure in cyberspace

“All the peoples of the world are in effect partners in this interest, and for our own part we see very clearly that unless justice be done to others it will not be done to us.” – Woodrow Wilson, 1918

It was a 102 years ago that U.S. President Woodrow Wilson made his peace proposals after the end of the “war to end all wars” in January 8, 1918.  They were “The Fourteen Points” and sadly, were not successful in preventing the next World War that ended in 1945. Going forward to our times this has been a bad decade for the cybersecurity of critical infrastructure[1] with discovery of several malware that have been designed in such a way as to threaten  the very technical foundations of modern society[2].  Efforts at the policy level to manage an increasingly dangerous cyberspace environment have achieved little success[3]. It would seem that the engineers who daily work to keep our critical infrastructures running and available to support our activities face targeted attacks from malicious state actors alone. Without the moderating effects of an international instrument to stay the hands of the advanced, persistent attacker from safely targeting his victims from cyberspace.

However, one can argue that the efforts made after World War II to establish a lasting peace did eventually meet with some success when the United Nations was created.  States continue to misbehave and enter into conflict with each other but the UN is addressing the issues of conflict. One example is the Prohibition on the Use of Chemical Weapons[4] and creation of a body[5] to monitor and report on violations. Perhaps it is a good time now to consider an updated “14 Points”[6] for securing the future peace and safety of the critical systems that exist in cyberspace.  Let us see if those 14 proposals for world peace made 102 years ago can be adapted to promote peace in cyberspace today.

It was a 102 years ago when U.S. President Woodrow Wilson made his 14 proposals to keep the peace after the end of the “war to end all wars”.

Out of the original 14 Points, nine were adapted.  Here they are:

The Nine Points for 21st Century Cyberspace

  1. States commit to transparency in regard to their cyberspace activities. One of the desired outcomes would be the re-establishment of trust in cyberspace to prevent unintentional or unmanaged escalation of a new cyber arms race;
  2. People’s freedom to access and make use of the Internet for the pursuit of knowledge, commerce and happiness. Supports a report  to the UN General Assembly which stated that access to the internet is a human right[7];[8]
  3. States agree to the principle of reciprocity of access. This means promoting fairness in digital transactional exchanges and avoid danger of one state taking advantage of its closed telecommunication infrastructure to hijack part of the Internet.[9];
  4. States agree to restrain from directing malicious cyber activities at the critical infrastructure of other states. Supports UNGGE 2015 recommendations and could be the basis for arriving at a common ground: States should agree that it is in their own interest to protect the infrastructure their economies and society’s well-being rest upon[10];
  5. States agree to remove all ‘logic bombsor malware placed in the critical infrastructure of other states. Useful for controlling the rise of tension among states. One can imagine the pressures on targeted Governments to do something when such bombs are discovered;
  6. States agree to make every effort to promote trust on the Internet. The Internet first came about because of trust between those wishing to connect their systems for mutual benefit. The Internet now risks becoming much less than what it was once promised to be;
  7. States agree to take responsibility for malicious cyber activities taking place inside or transiting through their cyberspace jurisdictions. Allows for the possibility of applying soft pressure on states who deny responsibility in spite of evidence to the contrary;
  8. States agree to respect each other as equal stakeholders in managing and using the Internet and respect the legitimacy of each other’s culture as expressed in cyberspace. This may be a controversial point as it contends that there are nations which may be seeking either intentionally or because of their de facto pervasive technical presence as dominating or ‘colonizing’ the Internet;
  9. States agree  to  create  a  coalition  of  willing  experts  and  institutions  to  monitor and advise on violations of the above  agreements. This point will also address the attribution issue. What has been lacking up to this point is the will among nations to cooperate and share information.  Something that is evident in fighting cybercrime but missing from countering malicious state cyber activities in cyberspace.

This was an interesting exercise.  If these points gain acceptance by nations someday, they must overcome the obstacles that caused their failure to stop the outbreak of World War II. Although not all the 14 Points were implemented, one did have a chance to make a difference in avoiding future wars.  This was the 14th point (similar to the 9th point on our new list) calling for the creation of a League of Nations. Alas, this created body to keep the peace did not live up to its promise of stopping aggression.  The actions of the aggressors in the 1930’s were not met with firm action. As a result, these states were encouraged to continue in their bad behavior toward their neighbors. Today in cyberspace, we see a lack of action toward state perpetrators who continue to see this destabilizing activity as effective, cheap and deniable.  Perhaps the realization of today’s vital technological interdependence will change this kind of thinking and help open currently blocked doors and contribute towards “cyberspace peace” in the 21st century.

Palanga, 29 December 2020


[1] http://scadamag.infracritical.com/index.php/2020/12/28/unsettling-trends-in-cyberspace-2010-2020/

[2] Johnson B., Caban D., Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

[3] http://scadamag.infracritical.com/index.php/2017/12/11/ics-cybersecurity-crossroads-heading-toward-cyber-peace-towards-duty-hack/

[4] https://www.opcw.org/chemical-weapons-convention

[5] https://www.opcw.org/

[6] http://www.u-s-history.com/pages/h1324.html

[7] United Nations General Assembly (2011) Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. A/HRC/17/27

[8] https://www.wired.com/2011/06/internet-a-human-right/

[9] Demchak, Chris C. and Shavitt, Yuval (2018) “China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking,” Military Cyber Affairs: Vol. 3 : Iss. 1, Article 7.
DOI: https://doi.org/10.5038/2378-0789.3.1.1050
Available at: https://scholarcommons.usf.edu/mca/vol3/iss1/7

[10] United Nations General Assembly (2015) Developments in the field of information and telecommunications in the context of international security. A/RES/70/237

https://www.unidir.org/files/medias/pdfs/developments-in-the-field-of-information-and-telecommunications-in-the-context-of-international-security-2016-2017-a-res-70-237-eng-0-715.pdf

https://undocs.org/pdf?symbol=en/A/70/174

https://enseccoe.org/en

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations.