IGF 2020 WS #193 Towards an evidence-led accountability framework

Subtheme

Organizer 1: Stéphane Duguin, CyberPeace Institute
Organizer 2: Tiina Joosu-Palu, CyberPeace Institute
Organizer 3: Ottavia Galuzzi, CyberPeace Institute

Speaker 1: Douzet Douzet, Civil Society, Western European and Others Group (WEOG)
Speaker 2: Nathalie Van Raemdonck, Intergovernmental Organization, Western European and Others Group (WEOG)
Speaker 3: Ronald Deibert, Civil Society, Western European and Others Group (WEOG)

Moderator

Stéphane Duguin, Civil Society, Western European and Others Group (WEOG)

Online Moderator

Tiina Joosu-Palu, Civil Society, Eastern European Group

Rapporteur

Ottavia Galuzzi, Civil Society, Western European and Others Group (WEOG)

Format

Break-out Group Discussions - Round Tables - 90 Min

Policy Question(s)

- How does the accountability gap in cyberspace affect the concept of United Internet and of Internet Governance? - How can the multi-stakeholder community collaborate in order to bridge the accountability gap in cyberspace and to promote the shift from best practices to cybersecurity norms?

In this break-out discussion, the CyberPeace Institute intends to address the challenges posed by the current accountability gap, and to promote a framework designed to ease the process of holding malicious actors accountable for their actions. The Institute aims to address the topic of accountability in cyberspace, starting from the following statements: - Accountability is rooted in facts, that allow investigations of cyberattacks to be carried out based on collaborative forensic analyses and transparent methodologies; - Accountability is about consequences, that represent the incentives for states to apply regulations; - Accountability is about bridging the gap between technology and norms.

SDGs

GOAL 10: Reduced Inequalities
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals

Description:

The growing weaponization of the Internet reflects the current threat landscape, where malicious actors are conducting cyber operations with little risk to be held accountable. The increasing number and, at the same time, the challenges of conducting thorough investigation after major attacks leave people desensitized, disillusioned, and disempowered; therefore, crippling their trust in institutions and governments. The exponential growth of cyberattacks occurring amid the COVID-19 outbreak has been a shattering revelation of how malicious actors are not scrupulous of exploiting the weaknesses of critical infrastructure’s systems and networks. In this regard, the CyberPeace Institute is determined to ensure the reinforcement of these weaknesses, as it is part of its mission to assist and protect vulnerable populations. In this particular context, healthcare organizations as well as medical suppliers and manufacturers are among the most vulnerable to COVID-19 related cyber threats. The healthcare sector and its wider supply chain often rely on weak IT systems and cyber capabilities, which make these infrastructures more easily affected by the current digital divide. Not only can cyberattacks on hospitals cripple people’s trust in the whole sector, but they also put human lives at risks. The digital vulnerabilities, lack of IT capabilities and overlooked cybersecurity standards affecting healthcare organizations and related supply chain have facilitated the exposure of this sector to cyberattacks. These aspects together with the growing difficulty of holding malicious actors accountable show how not closing the accountability gap means a widening of the digital divide between who has the capabilities in place to react to cyberattacks, and who does not. Insofar, one framework to address the issue of accountability is to enact globally recognized norms and regulations. But this top down approach shows its limitations when confronted with the technical construct of cyberspace and with the fact that nowadays neither norms nor regulations constitute law in the cyberspace. Therefore, a new capability for accountability needs to be built whilst taking into consideration multiple facets: strengthen the top down approach for the international community to design an overarching framework, and develop a bottom-up approach where grassroots practitioners propose actionable accountability measures on the basis of the technical characteristics of cyberspace and the socio-economic consequences, and, ultimately the cost of human lives of cyberattacks. The CyberPeace Institute is adopting and combining a top-down and bottom-up approach through its series of CyberPeace Labs, titled “Infodemic: A Threat to Cyberpeace”, where the Institute has gathered experts from academia, international organizations, civil society, private sector and government bodies in order to investigate how malicious actors are exploiting the COVID-19 crisis for launching cyber operations. Targeted attacks against hospitals, health agencies, testing and research centers during the COVID-19 pandemic demonstrate the pressing necessity to promote an actionable and evidence-led accountability framework, that links attacks with consequences and allows to compare analytics and evidence of attacks with the views, practices and pledges of the international community. In the format of a break-out group discussion: - The CyberPeace Institute will propose an evidence-led accountability framework as a tangible solution for achieving greater accountability, including for attribution of malicious cyber activities. After a brief presentation of the framework by the CyberPeace Institute, in a tour de table the 3 speakers will present their views on the topic of closing the accountability gap in cyberspace, setting the stage for the break-out group discussion (30 minutes). - The CyberPeace Institute will ask to the audience to discuss in groups potential challenges and opportunities to build such framework (40 minutes). - With the help of the speakers as moderator, the discussion within the different groups will be focused on identifying challenges and good practices related to the following questions: o How to assist targeted civilian populations in a scalable and sustainable way, when there is such an asymmetry in the capabilities of attackers and defenders? o How to ensure accountability, when malicious actors are operating in a culture of obfuscation, benefiting from a technical landscape which evolves at an exponential pace (i.e. AI, 5G)? o How to develop collective analysis, research, and investigations of sophisticated cyberattacks in such a complex technical context (i.e. heterogeneous big data flows, barriers to information sharing)? o How to create incentive for states to operationalize norms? How to enforce consequences when norms are violated? - The groups will gather together to present the highlights of their discussions, outlining what they believe are the best practices to enforce a framework for accountability (20 minutes). From this break-out session, the CyberPeace Institute will draft a set of actionable recommendations to implement a credible evidence-led framework for collective analysis and strengthen the process to accountability. The Institute’s commitment stems from the belief that the cyberspace is a common good, and how malicious actors abuse it should be public knowledge.

Expected Outcomes

The main outcome is to gather the audience’s feedback in order to draft a set of actionable recommendations aimed at implementing an evidence-led accountability framework to support states to hold malicious actors accountable and, ultimately, to deliver scalable and sustainable solutions to vulnerable communities targeted by major attacks. The CyberPeace Institute is determined to carry out a civilian-centric process to close the divide between who has the capabilities in place to react to cyberattacks, and who does not. It is paramount to bear in mind that such divide lies also in the communities’ necessity to have a certain level of digital infrastructure in place in order to be able to absorb the assistance provided by multi-stakeholder initiatives. Finally, this divide results as well in a lack of effective collaboration between the technical and policy environments. The evidence-led accountability framework will provide an actionable solution to support the collective effort of narrowing this divide. The framework is designed to collectively analyze data to hold malicious actors accountable, to support the assistance of vulnerable communities following cyberattacks, and to help shaping the fragmented ecosystem of norms to better respond to potential cyber threats.

The organizers are planning to actively participate to the break-out group discussion, by briefly presenting the CyberPeace Institute's proposal of an evidence-led accountability framework and by discussing the topic of the accountability gap with the speakers. Together with the speakers, the organizers will moderate and facilitate the groups' discussions around the main questions provided in the session's description.

Relevance to Internet Governance: The Institute’s session is aimed to ensure that Internet Governance discussions will not happen in a vacuum, as it is easy to forget that governing the Internet is not about governing networks or infrastructures, but protecting and empowering people. It is about ensuring that civilian communities can benefit from a cyberspace at peace, everywhere. The Institute is aware of the challenge to ensure that technology informs diplomacy in real time, as shaping the technical reality of cyberspace immediately causes an impact to its normative framework at a global scale. For this reason, the Institute believes that its session on an evidence-led accountability framework could facilitate the IGF 2020 discussion around the implementation of a more united Internet. The Institute believes that Internet Governance is about ensuring the readiness of a normative framework towards effective accountability. It is about ensuring that this framework provides for the tools and methodologies to hold malicious actors accountable, and that conducting a malicious act bears consequence also in cyberspace.

Relevance to Theme: The Institute’s session will contribute to the narrative of the Trust Thematic Track, as the session aims to draft actionable recommendations for the implementation of a framework designed to foster accountability in cyberspace. Such framework also has the ultimate goal of restoring trust of civilians and vulnerable communities in institutions and governments. With a specific focus on cybersecurity policy, standards and norms, the Institute’s session will engage with the audience to discuss an innovative framework, that will react to the urgent need to build capability for accountability whilst taking the technical construct of cyberspace into consideration through multiple facets. This framework will be combined with the multi-stakeholder efforts of enacting globally recognized norms and regulations to promote a better and more united Internet.

Online Participation

 

Usage of IGF Official Tool.