The Center for International Law and Governance (CILG) at The Fletcher School of Law and Diplomacy hosted its inaugural event — a two-day conference on the world of cybersecurity — in Breed Memorial Hall over the weekend.
Titled “Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations,” the conference featured presentations from cybersecurity experts in government, business and academia. Former Estonian Minister of Foreign Affairs Ambassador Marina Kaljurand (F ’95), Senior Director of Cybersecurity Policy and Strategy at Microsoft Angela McKay and United Nations Assistant Secretary-General for Strategic Coordination Fabrizio Hochschild were among the speakers in attendance.
In an interview with the Daily, Joel Trachtman, professor of international law at the Fletcher School and faculty director of CILG, said the concept for the new center was developed last summer in conjunction with fellow CILG faculty director Ian Johnstone, who is also professor of international law and dean ad interim of the Fletcher School. It stemmed from an idea that had been floating around with the support of former Fletcher Dean James Stavridis, according to Trachtman.
Diplomacy has come a long way since the Fletcher School's founding, as Trachtman noted.
“Today, diplomacy is health and cybersecurity and financial regulation and trade and all sorts of things,” Trachtman said. “What Professor Johnstone and I realized is that we needed to readdress that link between law and diplomacy to broaden it and to deepen it.”
CILG's interdisciplinary mission is in line with Fletcher’s: to combine law and diplomacy with the ultimate goal of creating world peace, Trachtman said.
Trachtman shared that the CILG chose cybersecurity as its first area of focus. For this conference, five teams of researchers were tasked with writing papers on one of five subtopics: standards, export controls, vulnerability disclosure, attribution and compliance.
Trachtman said each team comprised a lawyer and a technical expert who were given six months to work collaboratively to produce a paper.
“Real interdisciplinary work very often has to be done by combining people with different disciplinary expertise,” Trachtman said. He added that while an individual with familiarity in two separate disciplines might find success in interdisciplinary work, it often takes a subject expert to do the job well.
Both Johnstone and Trachtman opened the conference on Friday afternoon. Johnstone began by providing attendees with an overview of the conference's topic: the pertinent cybersecurity issues faced by governments and citizens alike.
In his opening remarks, Trachtman also noted that the future of international cybersecurity norms remains unclear. He questioned how an area devoid of any "specific rules," as the cyber realm largely is, might develop.
“Even if you accept the idea that sovereignty is a rule of international law as opposed to simply a principle from which actual rules are developed, the scope of those actual rules […] are completely uncertain,” Trachtman said.
The writers of each paper then presented an overview of their findings in five panels, before an expert commentator who had reviewed the paper provided additional remarks.
The first panel was about cybersecurity standards, specifically dealing with the Internet-of-Things (IoT). It included a presentation entitled “Have you updated your toaster?”
Scott Shackelford, an assistant professor of business law and ethics at Indiana University, and retired senior technology consultant at Harvard University Scott Bradner discussed topics such as the invisibility of the internet, imposing liability on manufacturers and the IoT Cybersecurity Improvement Act of 2017.
In their paper, Shackelford and Bradner discuss an alternate approach to cybersecurity that some companies are adopting.
“Instead of thinking about cybersecurity as an exercise of cost-benefit analysis, some are trying to think of it more in terms of corporate social responsibility,” Shackelford said. “That flips the paradigm a little bit.”
Alison Russell, an assistant professor of political science and international studies at Merrimack College, added that the Federal Trade Commission needs to be clearer with its standards and that the government needs to be more involved. She said that IoT and big data were certainly benefiting companies but questioned if IoT was helping or hurting consumers.
“How do you know if your refrigerator is engaged in cyber war?” Russell joked.
The second panel dealt with export controls. The corresponding paper was written by Trachtman and Herb Lin, a scholar of cyber policy and security based at the Center for International Security and Cooperation and Hoover Institution, both affiliated with Stanford University.
In his presentation, Lin talked about using export controls to protect civilians from attacks by foreign governments, specifically focusing on “intrusion software.” He also discussed methods to determine the origin of software in relation to monitoring software that has been leaked to unauthorized parties.
Trachtman proposed the idea of focusing on identity rather than territoriality when distributing software to users. He said that the concept of having verified end-users is much more feasible in the world of software, where territorial borders are invisible.
George Bemis Professor of International Law at Harvard Law School Jonathan Zittrain responded by considering both the pros and cons of such an end user-oriented system.
The first day of the conference ended with a keynote address by Kaljurand, who talked about the prevalence of electronics in Estonia and explained how Estonia was one of the first countries to suffer a politically-motivated cyberattack from a foreign government. In 2007, many of Estonia's banks and digital media outlets were taken offline — in some cases for weeks — by a sweeping cyberattack linked back to Russian IP addresses, according to the BBC.
“We learned that our e-lifestyle also entails e-challenges and e-responsibilities,” Kaljurand said.
Kaljurand said the lack of definite borders in the online world necessitates international cooperation.
She reflected on the 2016/2017 Group of Governmental Experts (GGE) on Information Security, in which experts from 25 countries were tasked with studying existing cyber threats and creating measures to address them.
The GGE was unable to come to a consensus, a fact which many viewed as a failure, Kaljurand said. But she asserted that the GGE did not completely fail; it simply needed to be altered.
Kaljurand said the GGE can no longer be an exclusive club. Since governments alone have not been able to do this work, Kaljurand suggested that non-state actors should also submit proposals. She added that the GGE's reports need to be discussed and distributed more widely as well.
Kaljurand also spoke about the work she is doing with the Global Commission on the Stability of Cyberspace, which she now chairs.
“The first task of the commission was to examine how existing norms can be applied to cyberspace, where new norms are needed and how to put the norms in use,” Kaljurand said.
Once the commission has worked its way through existing norms, it will then begin considering more philosophical questions that are harder to answer.
The second day of the conference included panels on vulnerability disclosure, attribution, and compliance, and featured a keynote address by McKay.
The sixth and final panel featured Hochschild, Kaljurand and Rasa Ostrauskaite, coordinator of Activities to Address Transnational Threats at the Organization for Security and Co-operation in Europe, speaking on multilateral initiatives in cybersecurity. They were all present for the entire conference and thus also able to provide their own insights on the matters discussed in previous speeches and panels.
Bridge Professor in Cyber Security and Policy at the Fletcher School and the Tufts School of Engineering Susan Landau closed the conference.
Trachtman said that once the papers are edited by their respective authors, they will be submitted to the European Journal of International Law for publication.