
[infowar.de] US view on cybersecurity for the World Summit on the Information Society



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

This paper was distributed at the Paris preparatory conference in July.
I have now received it electronically as well.
The summit papers (drafts) to which they refer are available here:
<http://www.itu.int/wsis/documents/doc_multi.asp?lang=en&id=698|699|700>

Key points:

"Some States believe that goal can be accomplished through an
international convention that would ban or constrain the
development or use of a wide range of information technologies both
military and civilian."
(this refers to the Russians)

"...effective criminalization by States of the misuse of information 
technology and on the systematic national implementation of measures 
designed to prevent damage to critical information infrastructures no 
matter the source of the threat, what the U.S. calls the creation of a 
global culture of cybersecurity."

"...the U.S. views the attempt to impose borders in cyberspace as a
direct challenge to democratic principles that could easily be used by
governments to justify restrictions on the free flow of information and
the peaceful use of information technology. With respect to military
applications of information technology, such an international convention
is completely unnecessary. The Law of Armed Conflict and its principles
of necessity, proportionality, limitation of collateral damage, already
govern the use of such technologies."

The German Federal Government is asking for comments on the drafts by
mid-August.
So anyone who has something to say: please get in touch.
RB

----------------------------------------
July 2003

United States Views on 
Information Network and Infrastructure Security
in the WSIS Action Plan

Issue

Effective information network and infrastructure security is essential
to ensure the reliability, availability and integrity of those national
and global information networks on which States and their citizens
increasingly depend for essential services and economic security.  The
issue to be addressed is how nations can act individually and as a
community to enhance information network and infrastructure security and
prevent debilitating attacks. 

Some States believe that goal can be accomplished through an
international convention that would ban or constrain the
development or use of a wide range of information technologies both
military and civilian. These proposals also contain particularly
troubling elements, such as extending to governments the right to
constrain or ban information transmitted into national territory from
outside its borders should it be deemed disruptive politically,
socially, culturally, etc.  

By contrast, the U.S. believes that the key threat to cybersecurity
originates in the relentless criminal attacks by organized criminals,
individual hackers and non-state actors, including terrorists. From this
perspective, the benefits of cyberspace can best be protected by
focusing both on the effective criminalization by States of the misuse
of information technology and on the systematic national implementation
of measures designed to prevent damage to critical information
infrastructures no matter the source of the threat, what the U.S. calls
the creation of a global culture of cybersecurity. In this view, all
parties (government, business, civil society) are aware of their
responsibilities and act appropriate to their roles to ensure
cybersecurity. 

Lastly, the U.S. views the attempt to impose borders in cyberspace as a
direct challenge to democratic principles that could easily be used by
governments to justify restrictions on the free flow of information and
the peaceful use of information technology. With respect to military
applications of information technology, such an international convention
is completely unnecessary. The Law of Armed Conflict and its principles
of necessity, proportionality, limitation of collateral damage, already
govern the use of such technologies.


U.S. Position: Cybersecurity Through Prevention  

The U.S. believes that the goal of cybersecurity can best be achieved by
States acting nationally and cooperating internationally to enhance the
security of their own critical information infrastructures.  Each State
should establish a national program that

- educates and strengthens awareness of best practices in information
  network and infrastructure security,
- effectively criminalizes misuse of information technology,
- fosters a partnership between government and industry to provide
  incentives to ensure the security of their national systems, and
- establishes a national incident warning and response capability and
  procedures for sharing information both nationally and internationally.

Each State should focus on creating a "culture of cybersecurity" among
all stakeholders, including governments, businesses and private citizens
and international cooperation among States towards a global culture of
cybersecurity.  

WSIS documents should underscore the approaches contained in UNGA
Resolutions 55/63 and 56/121, both entitled "Combating the Criminal
Misuse of Information Technologies," and 57/239, entitled "Creation of a
Global Culture of Cybersecurity."  The WSIS action plan could build on
these approaches by including language to further the cybersecurity
principles that members have already adopted. Such efforts could be
informed by recent multilateral efforts to enhance regional
cybersecurity, such as those in the APEC Telecommunications Forum and
the G-8.

The U.S. believes that cybersecurity must not impinge upon the
freedom of any individual to seek, receive and impart information and
ideas through any media - including electronic - and regardless of
frontiers, as set forth in Article 19 of the Universal Declaration of
Human Rights. 

Background

Costly threats to the integrity and availability of national and global
information infrastructures originate overwhelmingly from criminal
misuse, not military attack by States against one another. From the U.S.
perspective, it is far more important that governments take steps to
ensure that those individuals who engage in such activity can be
effectively investigated and prosecuted. For this reason, the U.S. and
34 other States have signed the Council of Europe (COE) Cybercrime
Convention, which provides guidelines for national legislation and
cross-border law enforcement cooperation.  The COE expects to open the
Convention to countries outside the COE, according to COE practice (see
Article 37). Indeed, all countries, whether party to the convention or
not, can use it immediately as a model for drafting effective domestic
laws against cybercrime.

Moreover, regardless of the origin or motivation of an attack, the tools
used and the damage suffered by information systems are similar in
nature. Thus, it is more important that all nations take systematic
steps to reduce the vulnerability of their systems and inculcate in
their citizenry a "culture of cybersecurity," a set of security
practices and habits designed to safeguard their information
infrastructures.

Effective critical network and information infrastructure protection
includes identifying threats to and reducing the vulnerability of such
infrastructures to damage or attack, minimizing damage and recovery time
in the event that damage or attack occurs, and identifying the cause of
damage or the source of attack for analysis by experts and/or
investigation by law enforcement.  Effective protection also requires
communication, coordination, and cooperation nationally and
internationally among all stakeholders - industry, academia, the private
sector, and government entities, including infrastructure protection and
law enforcement agencies. Such efforts should be undertaken with due
regard for the security of information and applicable law concerning
mutual legal assistance and privacy protection.  In furthering these
goals, States should be encouraged to implement the eleven Principles
drafted by Critical Information Infrastructure Protection experts from
the G8 countries and subsequently adopted by the Justice and Interior
Ministers of the G8 in May 2003 as they develop a strategy for reducing
risks to critical information infrastructures:

1.	Countries should have emergency warning networks regarding cyber
vulnerabilities, threats, and incidents. 

2.	Countries should raise awareness to facilitate stakeholders'
understanding of the nature and extent of their critical information
infrastructures, and the role each must play in protecting them. 

3.	Countries should examine their infrastructures and identify
interdependencies among them, thereby enhancing protection of such
infrastructures. 

4.	Countries should promote partnership among stakeholders, both public
and private, to share and analyze critical infrastructure information in
order to prevent, investigate, and respond to damage to or attacks on
such infrastructures. 

5.	Countries should create and maintain crisis communication networks
and test them to ensure that they will remain secure and stable in
emergency situations. 

6.	Countries should ensure that data availability policies take into
account the need to protect critical information infrastructures. 

7.	Countries should facilitate tracing attacks on critical information
infrastructures and, when appropriate, the disclosure of tracing
information to other countries. 

8.	Countries should conduct training and exercises to enhance their
response capabilities and to test continuity and contingency plans in
the event of an information infrastructure attack and should encourage
stakeholders to engage in similar activities. 

9.	Countries should ensure that they have adequate substantive and
procedural laws, such as those outlined in the Council of Europe
Cybercriminality Convention of 23 November 2001, and trained personnel
to enable them to investigate and prosecute attacks on critical
information infrastructures, and to coordinate such investigations with
other countries as appropriate. 

10.	Countries should engage in international cooperation, when
appropriate, to secure critical information infrastructures, including
by developing and coordinating emergency warning systems, sharing and
analyzing information regarding vulnerabilities, threats and incidents,
and coordinating investigations of attacks on such infrastructures in
accordance with domestic laws. 

11.	Countries should promote national and international research and
development and encourage the application of security technologies that
are certified according to international standards.


Plan of Action:

Section 1, para 25. The U.S. proposes the following changes to focus
this paragraph on the need for preventive actions to protect network and
information infrastructure security:

Network and Information Infrastructure Security: 

Effective network and information infrastructure security can be
enhanced by education and training, policy and law, and international
cooperation, and may be supported by technology.

The United Nations and other multilateral organizations should be
supported in their efforts at encouraging member nations to:

- Assess the security of their critical national networks and
  information infrastructures, including understanding their
  vulnerabilities and interdependencies,

- Educate and strengthen national awareness of best practices in
  information network and infrastructure security,

- Effectively criminalize misuse of information technology and to
  facilitate transborder investigations of cybercrime,

- Foster a partnership between government and industry to provide
  incentives to ensure the security of their national systems, and

- Establish a national incident warning and response capability and
  procedures for sharing information both nationally and internationally.


Section 1, para 26.  The U.S. proposes to delete "regulations" in the
first sentence. Following the first sentence, the U.S. proposes to add
the following sentence: "Governments should support the principles of UN
Resolution 57/239 to promote a global culture of cybersecurity and adopt
the G8 Principles for Protecting Critical Information Infrastructures
when developing a national cybersecurity strategy." The U.S. also
proposes to delete the reference to "technological neutrality."
