International cyber security policy

Transatlantic Cyber Forum

Cyber security and defense policies increasingly gain importance and momentum worldwide. Issues, such as the regulation of state surveillance, encryption policy and vulnerability exploitation, cooperation and coordination in the information security realm as well as offensive cyber operations, have implications for the domestic and international spheres alike. Those are global challenges which cannot adequately be addressed from a singular nation-state perspective. It is therefore prudent to learn from each other and develop smart and pragmatic solutions together. The United States as the global technology leader and Germany as a central stakeholder of the European Union with a distinct security and privacy culture and mindset play a major role in providing answers to those challenges.

The Transatlantic Cyber Forum (TCF) has been established by Stiftung Neue Verantwortung (SNV). TCF is an intersectoral network of experts from civil society, academia and private sector working in various areas of transatlantic cyber security and cyber defense policy. The Transatlantic Cyber Forum was made possible by the financial support of the Robert Bosch Stiftung and the William and Flora Hewlett Foundation.


Policy Tracks

Policy Track #1: Encryption Policy & Government Hacking

  • Problem Analysis
  • Addressing Challenges
  • Initial Take-Away
  • Working Group

Policy Track #2: Cyber Defense & Political IT-Infrastructures

  • Problem Analysis
  • Addressing Challenges
  • Working Group

Policy Track #3: Intelligence Governance & Oversight Innovation

  • Hypothesis and Workshop

 

Policy Track #1: Encryption Policy & Government Hacking

Problem Analysis: The first working hypothesis was that Germany and the United States should forego any further discussion of encryption policy and mandatory backdoors and instead focus on analyzing how digital evidence can be obtained through a variety of other means, including government hacking.

The problem analysis which has been conducted and published revealed that government hacking faces many challenges.

The following areas have been identified for further research and analysis:

  1. assessing government hacking and identifying alternatives;
  2. evaluating and designing a comprehensive vulnerability management scheme;
  3. discussing future challenges arising from digital evidence;
  4. exploring the adequacy of judicial review;
  5. mitigating possible foreign policy implications.

Addressing Challenges: A workshop conducted in Washington, D.C. on July 12-13 brought together members of the working group on encryption policy & government hacking to discuss the results of the problem analysis and the way forward. Based on the outcome of the problem analysis, the working group discussed various ideas on how to address those challenges.

The working group agreed to collaborate on the following:

  1. drafting principles for a comprehensive vulnerability management scheme, taking into consideration the international and human rights dimensions;
  2. drafting a holistic framework for government hacking, including legal bar/standards, the nature of digital evidence, impact minimization (such as exploring alternatives), minimum disclosure details as well as the international and human rights dimensions.

The next workshop has been loosely scheduled for spring 2018 to discuss the results of the collaboration on those issues and plan the subsequent policy and outreach activities.

Another outcome of the workshop is the jointly agreed “Initial Take-Away on Encryption Policy and Government Hacking”.

Working Group: The working group consists of 39 members from civil society, private sector and academia from Germany and the United States. The views and opinions expressed by TCF as a whole (and on this website) are those of the project team and do not necessarily reflect the official policy or position of the individuals in the working group or of their employers. The following members agreed to be named on this website:

  1. Kevin Bankston, New America’s Open Technology Institute
  2. Cathleen Berger, Mozilla
  3. Ulf Buermeyer, Gesellschaft für Freiheitsrechte
  4. Chris Calabrese, Center for Democracy and Technology
  5. Jennifer Daskal, American University Washington College of Law
  6. Jan Dominik Gunkel, Wachter Digital Partners
  7. Sharon Bradford Franklin, New America
  8. Sven Herpig, Stiftung Neue Verantwortung
  9. Stefan Heumann, Stiftung Neue Verantwortung
  10. Scarlet Kim, Privacy International
  11. Andreas Kuehn, Cyberspace Cooperation of the East West Institute
  12. Emily McReynolds, University of Washington Tech Policy Lab
  13. Jan Neutze, Microsoft
  14. Daniel Moßbrucker, Reporters without Borders
  15. Rainer Rehak, FIfF (Computer Scientists for Peace and Social Responsibility)
  16. Thomas Reinhold, CyberPeace
  17. Volker Roth, Institute for Computer Science of the Freie Universität Berlin
  18. Ross Schulman, New America’s Open Technology Institute
  19. Julia Schuetze, Stiftung Neue Verantwortung
  20. Ari Schwartz, Venable LLP
  21. Megan Stifel, Public Knowledge
  22. Eric Wenger, Cisco
  23. Jörg Pohle, Alexander von Humboldt Institut für Internet und Gesellschaft
  24. Christoph Zurheide, Deutsche Post DHL Group
  25. Betsy Cooper, Center for Long-Term Cyber Security, University of Berkeley

 

Policy Track #2: Cyber Defense & Political IT-Infrastructures

Problem Analysis: The first working hypothesis was that Germany and the United States should adapt and implement different aspects outlined in deterrence theory in order to prevent future (successful) cyber operations against their political IT-infrastructures.

The problem analysis which has been conducted and published revealed that a holistic approach is needed to tackle cyber operations against political IT-infrastructures.

The following areas have been identified for further research and analysis:

  1. protecting the political IT-infrastructure (“deterrence-by-denial”);
  2. assessing options for show of force (“deterrence-by-retaliation”);
  3. relying on international relations (“deterrence-by-norms”/ “-entanglement”);
  4. analyzing attribution as a pre-condition.

Addressing Challenges: A workshop conducted in Washington, D.C. on July 10-11 brought together members of the working group on cyber defense & political IT-infrastructures to discuss the results of the problem analysis and the way forward. Based on the outcome of the problem analysis, the working group discussed various ideas on how to address those challenges.

The two main components that were identified are the analysis of the broader geopolitical objectives for influencing democratic processes and the identification of critical points and technologies for influencing future elections. The objective is to “red team” the elections in 2018 (Midterm US) and potentially 2020 (Presidential US) and 2021 (Federal Germany) based on the findings of the working group. This exercise would then enable the group to make recommendations on how to safeguard the elections (data protection and hardening systems).

The next workshop has been loosely scheduled for spring 2018 to discuss the results of the collaboration on those issues and plan the subsequent policy and outreach activities.

Working Group: The working group consists of 34 members from civil society, private sector and academia from Germany and the United States. The views and opinions expressed by TCF as a whole (and on this website) are those of the project team and do not necessarily reflect the official policy or position of the individuals in the working group or of their employers. The following members agreed to be named on this website:

  1. Constance Baban, Brandenburg Institute for Society and Security
  2. Tore Bierwirth, Institute for Computer Engineering of the Universität der Bundeswehr München
  3. Nathaniel Gleicher, Center for Strategic & International Studies | Illumio
  4. Sven Herpig, Stiftung Neue Verantwortung
  5. Stefan Heumann, Stiftung Neue Verantwortung
  6. Marco Macori, Institute for Security and Safety of the Technische Hochschule Brandenburg
  7. Tim Maurer, Carnegie Endowment for International Peace
  8. Igor Mikolic-Torreira, RAND Corporation
  9. Steven Nyikos, Carnegie Endowment for International Peace
  10. Thomas Reinhold, CyberPeace
  11. Laura Rosenberger, German Marshall Fund of the United States (in and out)
  12. Julia Schütze, Stiftung Neue Verantwortung
  13. Isabel Skierka, Digital Society Institute of the European School of Management and Technology Berlin
  14. Tillmann Werner, Crowdstrike
  15. Kenneth Geers, Comodo / NATO Cyber Centre

 

Policy Track #3: Intelligence Governance & Oversight Innovation

Hypothesis and Workshop

The governance of intelligence remains a central theme in US and German politics. Both countries share a long history of intelligence cooperation and have recently adopted new laws and policies controlling government access to telecommunication data and democratic oversight. Unlike many other countries, Germany and the United States have also hosted an array of in-depth reviews, litigation and parliamentary inquiries regarding the legality, propriety and efficiency of signals intelligence and its oversight. Furthermore, both countries remain central stakeholders in the ongoing US-EU negotiations on the future of transatlantic data transfer, government access and judicial safeguards. 

While there is no shortage of suitable topics for this track, we selected oversight innovation as our first topic because of its particular relevance to both countries. Post-Snowden, much ink has been spilled, of course, on why and how oversight mechanisms in both countries were not fit for their purpose at crucial moments of national security decision-making. Yet, the important follow-up question of how to ensure more effective signals intelligence oversight remains relatively under-researched to date. This is particularly worrisome at a time when both the US and Germany continue to expand and adjust their surveillance machineries to technological innovation. Given the unprecedented amount of public knowledge that now exists on interception tools and methods, coupled with the practitioners’ knowledge that some members of this track can bring to bear, we will use this track to promote a more systematic and evidence-based exchange on best practice regarding oversight innovation in an age of big data.

The following themes and questions will guide our initial inquiry: What policy and technological aspects ought to be considered when it comes to the design and implementation of automated oversight mechanisms for bulk collection powers (aka the generic access to and interference with communication data)? What are the key requirements as concerns the mandate and composition of technological advisory panels for intelligence oversight bodies? Moreover, as concerns judicial authorization and control of technical intelligence, what tools are available and what experiments have been made thus far to represent the interest of affected parties in authorization decisions?

Naturally, the search for oversight innovation presupposes a firm understanding of recent and/or likely changes to national intelligence legislation especially with regard to the mandate of national intelligence services to use different bulk powers. Not all such powers (e.g. bulk acquisition) are fully accounted for in national laws, so the debate around use minimization and the trimming of bulk collection powers will also be a central focus of debate within the expert group.

The work of this group will also shed critical light on the oversight dynamics (and innovation) regarding intelligence cooperation. For example, how explicit and far-ranging are national intelligence laws, and how far ought they to go, as regards requirements for national governments to ensure human rights compliance, data purpose assignments of shared data and exclusion of partner oversight bodies from the Third Party Rule? To what extent can US and German intelligence oversight bodies establish a more productive working relationship with each other? Given the intense intelligence cooperation between both countries, fresh thinking is needed on how to establish more meaningful collaboration among the two countries’ oversight bodies and a tentative agenda for it.

This track will initially run from January 2017 until September 2017. It will be facilitated by Dr. Thorsten Wetzling.

In addition to online collaboration, this track will feature an expert workshop taking place in two sessions on consecutive days:

September 19, 1pm - 6pm

September 20, 9am - 1pm

Location: New America in Washington, D.C. (tentative).