OSCE's Cyber Security Confidence Building Measures Revealed by Anonymous

Anonymous was able to exfiltrate a second, smaller batch of documents from OSCE's webserver (OSCEPA.AT) on November 11, 2012, even after the company knew that it had been attacked. This second batch of documents contains up-to-date information on the OSCE's Internal Working Group 1039 whose mandate (.pdf) is to create cyber security Confidence-Building Measures (CBMs) that would reduce the risk of cyber conflicts. The chairman of the IWG 1039 is U.S. Ambassador Ian Kelly.

The latest revised draft set of CBMs was circulated in a document marked RESTRICTED among IWG 1039 members on November 7, 2012 in preparation for their meeting today, November 13, 2012 in Dublin. They are as follows:
  1. Participating States will voluntarily provide their national views on some aspects of national and transnational ICT security. These may include, but are not necessarily limited to, views on doctrine; strategy; norms; lessons learned; real and potential threats; protective measures; concepts of operating in cyberspace.
  2. Participating States will voluntarily share information on national organizations, programmes, or strategies relevant to their ICT security. This information will include the organization of the structures and a description of their mandate. Participating States will nominate a contact point to facilitate communications and dialogue on ICT-security matters.
  3. Participating States will voluntarily provide contact details of existing official national Computer Security Incident Response Teams (CSIRTs), or equivalent official national structures, so that national experts can enter into a direct dialogue. Participating States will update contact information annually but in any event no later than thirty days after a change has occurred.
  4. In order to reduce the risk of misunderstandings in the absence of agreed terminology, participating States will on a voluntary basis provide a list of national terminology related to ICT security accompanied by an explanation or definition of each term. It will be for each participating State to select those terms they deem most relevant for sharing.
  5. Participating States will voluntarily exchange views on how existing OSCE mechanisms, such as the OSCE Communications Network, maintained by the OSCE Secretariat's Conflict Prevention Centre, could be used to facilitate communications regarding incidents involving ICTs, (e.g. establishing protocols to ensure rapid communication at high levels of authority, to permit concerns to be raised at the national security level.)
  6. Participating States will, at the level of national experts, meet at least three times each year, within the framework of the Security Committee and its Informal Working Group established by PC Decision 1039 to discuss information exchanged and explore appropriate development of this initial list of confidence building measures as well as others that might be candidates for future consideration.
This set of draft CBMs is for discussion by the members. One of the documents included in the latest batch (Comments_AZE_IWB_1039.doc) offers comments from the delegations of Azerbaijan and Lithuania, who both want to considerably beef up the language with a few intriguing suggestions:
General comment: Proposed list of CBMs, in general is not result-oriented and does not identify any imperative actions. All proposed CBMs are based on voluntary actions and most of them are already carried out by pS through other various international and regional organizations. We need some more concrete actions that define the responsibilities of the Participating States for the incidents stemming from the use of ICTs. 
Specific comments:
  • Support the proposal made by Lithuania to add the following CBM to the list: “Participating States will refrain from directing malicious cyber activities against critical infrastructure vital to the wellbeing of civilians, such as telecommunications, energy, transportation and financial systems”;
  • We support the following proposal made by Lithuania, as well: “Participating States will accept responsibility for their national cyberspace jurisdictions”.
  • Moreover, in addition to the CBMs defining the responsibilities of the states for their actions in the cyber-space, it is very important to identify also the responsibilities of the States over their ICT companies to act in accordance with national legislation of other Participating States.
The concept of a nation state being held responsible for attacks emanating from servers within its borders has come up for discussion within the U.S. DoD too. It would certainly make attribution a lot easier if we could simply point to the geolocation of an IP address and say case closed. Unfortunately, that's a completely unrealistic scenario since Internet Service Providers aren't regulated entities and because web servers are easy to compromise (e.g., OSCEPA.AT).

Most of the suggested CBMs are voluntary and fairly ineffective even if put into practice. That's probably due to the fact that the membership of this committee is heavily loaded with policy makers and lawyers and has very few technologists or security engineers. The attack that was leveled against the OSCE by Anonymous was apparently of the same variety that its members prefer - looking for easy pickings against poorly-protected web servers. The first confidence building measure that these OSCE national experts should draft is to invoke an Assumption of Breach security framework. In other words, expect to be breached and keep your sensitive documents in a separate, controlled and monitored environment; i.e., not on a web server.