The World Economic Forum has published a lengthy cyber-security report in the run up to Davos 2018 that seeks to establish a baseline of common language – encouraging various international actors to come into discussion from a place of mutual understanding.
Created in partnership with the Boston Consulting Group, the WEF describes the report as a "tool to facilitate capacity-building, policies and processes necessary to support collaboration, safeguard cyberspace, and strengthen cyber-resilience".
The World Economic Forum, which was founded in 1971 by Klaus Schwab and takes place every January, seeks to bring world leaders, 'decision-makers', academics, and private industry together to discuss the issues of the day. This year's theme is "Creating a Shared Future in a Fractured World".
Speaking with Techworld, the WEF's global leadership fellow and project lead for IT Daniel Dobrygowski said the point of the report is to encourage cooperation in cyber security, between states and between the public and private sectors.
"For me the overarching takeaway of a lot of the work we do here is that cooperation is key in this space – there aren't a lot of analogies to other security situations where you have both public and private actors in spaces that are generally controlled by the private sector," Dobrygowski said. "That's why cooperation is absolutely key."
"A lot of the disagreements or issues we run into on a day-to-day basis I think stem from a lack of common language or a lack of clarity around what we're all talking about, when we talk about security or resilience in this space. Having that common language is absolutely vital to have any productive, actionable future conversations."
One of the problems is that nations will have their own political values and policy norms for how they view cyber security and in how public-private relationships are established.
Russia, for example, has been accused of being behind 'state-sanctioned' cyber attacks – where hacking groups are allowed to, if not encouraged to, launch attacks on businesses and other countries. But attribution is difficult.
"When we think about attribution one issue is that there are companies and national governments that can do attribution very well," Dobrygowski said. "But the issue that comes up over and over is: there aren't any rules of the world that everyone's agreed on. How to do attribution, what are the qualities of it? Then what do you do with it once you've attributed a particular attack to some place or some group?
"So the first step is very much getting together and understanding what the capabilities are to attribution, and also what they're not. Second, starting to develop those rules of the road. This report is very much focused on the intra-state activities: how do governments relate to companies and organisations within the jurisdictions?"
There has been some movement in this area – the Tallinn Manual for example, and various resolutions raised at the United Nations.
The Forum has traditionally been a neutral platform for discussion between world leaders, where historic agreements have occasionally been brokered. And that's the purpose of raising cyber security at this level, says Dobrygowski.
Public-private partnerships have been regarded as essential in tackling cyber crime, but the report finds these dialogues are frequently "off-target" and "at cross purposes". Adding to that complexity is that policy will differ according to the national context – with each country having its own capabilities, vulnerabilities, priorities, norms and values.
This leads to a strange contradiction where the country of origin of a company could threaten its relationship with other governments – see the espionage allegations levelled against Russian-origin Kaspersky, or the fact that companies like FireEye employ former US defence and intelligence officials. Amazon, meanwhile, launched a cloud service specifically designed for US intelligence.
In the words of the report: "A policy of validating private-sector claims of attribution risks private companies being effectively considered as government appendages, hampering the capacity of some businesses to operate outside of a given country (given associations with a national government). Furthermore, such a policy is fundamentally impracticable in the long run for multinational organisations.
"...Multinationals are then forced to pick between customers and national demands. Most commentators agree that while attribution is technically possible, in practice few private-sector actors have the capabilities to reliably establish it, and many are headquartered in the United States.
"The reliance on private-sector actors to engage in attribution, particularly given the geopolitical risks, may result in a system brittle to accusations of nationalism clouding judgement."
It's not difficult to imagine a situation where vendors are then white- or blacklisted based on their geographies – for example, some vendors being considered NATO-safe. Countries such as China are increasingly moving towards open source infrastructure (such as OpenStack) from a security perspective, so that they can take full ownership of the technology – as China Railway and Tencent have both confirmed to Computerworld UK previously.
On a more basic level outside of the world of international policy, there is every possibility that government agencies and their private sector partners might not fully understand where their responsibilities lie – with potentially catastrophic consequences.
"I think that if nothing changes you can imagine there being a significant challenge where the ownership of particular roles and responsibilities is unclear," Dobrygowski says, speaking about public-private relationships. "So you could have duplication or multiple efforts pointed towards solving the same problem in different ways.
"The worst problem could be that no one understands their responsibilities and then no one takes responsibility until it's too late – I see those as the main dangers with respect to public-private collaboration."
"That being said, those are not insolvable problems. Part of the work we are doing here is to develop a framework through which the public sector and the private sector can cooperate and work together to determine those roles beforehand, so we don't end up in these ad hoc situations where roles are unclear during times of an emergency or a crisis.
"Our premise here is that if you make these decisions beforehand, if you at least develop some clarity before you run into an emergency, you're more likely not to run into these issues of collaboration around roles and responsibilities."
The Forum itself – starting 23 January – will host several talks on cyber security, ranging from discussions of what is at stake through to future scenarios like biological hacking used to wipe out ecosystems. The report will inform the establishment of the WEF's new Global Centre for Cybersecurity, which will act as a think tank and as a library of cyber security best practices, public and private.