It doesn’t immediately make sense, does it: the terms peace and cyber hygiene in the same breath. Still, there is a reason why these two come together at the Paris Peace Forum this week, and it is a simple one. Cyber hygiene – taking basic and common measures to secure software, devices, and networks – reduces the attack vectors that can be used by criminals and state actors alike. Cyber hygiene will reduce the odds that your network is seen as a belligerent actor just because it has been hacked by others. Cyber hygiene helps to create a more trustworthy and secure environment where people can go about their daily business in confidence that nothing dreadful will happen to them. It is one of the tools in the toolbox of confidence-building measures that enable peace.
Supporters of the Paris Peace Call, which was launched at the Peace Forum last year, are committed to working together to, among other things, “improve the security of digital products and services as well as everybody’s ‘cyber hygiene.’” The Internet Society has joined with a significant number of states, companies, and organizations to sign the Paris Call.
The topic of cyber hygiene is not new to the Internet Society, but at the Paris Peace Forum three activities stand out.
Cyber Hygiene and Global Normative Behavior
The Global Commission on the Stability of Cyberspace explicitly talks about Cyber Hygiene. It proposes two norms that are related: the Norm to Reduce and Mitigate Significant Vulnerabilities and the Norm on Basic Cyber Hygiene as Foundational Defense. These two norms read, respectively:
- Developers and producers of products and services on which the stability of cyberspace depends should prioritize security and stability, take reasonable steps to ensure that their products or services are free from significant vulnerabilities, take measures to timely mitigate vulnerabilities that are later discovered, and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.
- States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.
The first norm calls upon the many actors that are involved in the day-to-day operation. The second calls upon states to provide the policy and legal environment to foster cyber hygiene.
The final report of the GCSC, in addition to proposed norms, provides a set of principles to approach cyber peace and stability and a number of recommendations.
The Internet Society has long promoted the idea that improving the security of the Internet is a responsibility of those that operate, design, and use the network. There are many endeavors that help improve the security of the Internet and of cyberspace in general, which is the context for the next two activities.
Using Technology to Strengthen Cyber Hygiene
We joined CyberGreen, the Cybersecurity Tech Accord, the Global Cyber Alliance, and Microsoft in an initiative to promote existing good practices that could help address the growing set of attacks that leverage vulnerabilities that have existed for a significant time. The initiative brings together those that help drive the adoption of essential measures to defend against avoidable dangers in cyberspace. Measures include adoption of the Mutually Agreed Norms for Routing Security (MANRS) and the deployment of Domain-based Message Authentication, Reporting and Conformance (DMARC).
We hope that over the coming months and weeks others will join in the effort of promoting the Paris Call’s cyber hygiene principle and add to the list of good practices that aim to increase the security and safety of our global online environment.
Please see the Tech Accord for more information about this call.
Collaborative Efforts towards Cyber Hygiene
Getting to a secure and trustworthy Internet is complex and multifaceted. It calls for tailored approaches that, depending on the context and the nature of the subject, involve different stakeholders. In any case, collaboration seems to be the vital ingredient for success. During the Peace Forum we pitch examples of two endeavors that address different issues but lead to a more secure cyberspace: the collaborative approach to face the growing set of challenges in IoT Security, and the Mutually Agreed Norms for Routing Security (MANRS) that pertain to the very fabric of the Internet itself.
We have written extensively about MANRS, but if you want to know more see manrs.org. Let me focus here on the IoT developments.
The collaborative work on IoT takes place on many fronts. The Canadian Multistakeholder process on Enhancing IoT security has produced an extensive report around:
- A shared set of definitions and benchmarks around the security of Internet-connected devices.
- Shared guidelines to ensure the security of Internet-connected devices over their lifespan, including the development, manufacturing, communications, and management processes.
- Recommendations to inform national policy related to IoT security in Canada.
It has set in motion work by the government and the community to tackle the challenges with insecure IoT deployments.
In addition to the Canadian Multistakeholder process on Enhancing IoT security, the Internet Society’s French Chapter has worked with AFNIC, ANSSI, ARCEP, CINOV-IT, Conseil National du Numérique (CNNum), La Quadrature du Net, Nokia, and Pôle Systematic Paris-Région to explore strategies to strengthen the security and protection of personal data in IoT. Their report will be launched soon. The developments in Canada and France do not happen in isolation. Similar activities have been launched in Senegal and Uruguay.
In order to bring together the experiences from these initiatives we have helped to establish an innovative platform. The IoT Security Policy Platform is made up of national government agencies and non-governmental organizations (NGOs) working in this space that draw on the strength and expertise of all stakeholders to develop solutions to protect both people and innovation online. Through the cross-pollination of ideas, practices, and experiences, the platform can aid the harmonization of various approaches and speed up the development and deployment of the measures. As far as I know, this is a unique approach.
The Internet Way
The Paris Peace Forum brings together leaders from across the world with an interest in peace and stability – in the context of a digitized society. It starts with the realization that the Internet is not a thing but rather a result. A result that reflects the values of sharing and collaboration for the greater good. Making the Internet, and all that is connected, more secure must be done in the same spirit. The Paris Call on Cyber Hygiene expresses not just a common goal, but a vision. Much like the Internet itself, a large and distributed set of collaborative efforts will get us there.