International cyber security policy

Transatlantic Cyber Forum

Cyber security and defense policies are increasingly gaining importance and momentum worldwide. Issues such as the regulation of state surveillance, encryption policy and vulnerability exploitation, cooperation and coordination in the information security realm, and offensive cyber operations have implications for the domestic and international spheres alike. These are global challenges that cannot be adequately addressed from the perspective of a single nation-state. It is therefore prudent to learn from each other and develop smart and pragmatic solutions together. The United States, as the global technology leader, and Germany, as a central stakeholder of the European Union with a distinct security and privacy culture and mindset, play a major role in providing answers to those challenges.

The Transatlantic Cyber Forum (TCF) has been established by Stiftung Neue Verantwortung (SNV). TCF is an intersectoral network of experts from civil society, academia and the private sector working in various areas of transatlantic cyber security and cyber defense policy. The Transatlantic Cyber Forum was made possible by the financial support of the Robert Bosch Stiftung and the William and Flora Hewlett Foundation.


Policy Tracks

Policy Track #1: Encryption Policy & Government Hacking

  • Problem Analysis
  • Addressing Challenges
  • Initial Take-Away
  • Working Group

Policy Track #2: Cyber Defense & Political IT-Infrastructures

  • Problem Analysis
  • Addressing Challenges
  • Working Group

Policy Track #3: Intelligence Governance & Oversight Innovation

  • Problem Analysis
  • Addressing Challenges
  • Working Group

 

Policy Track #1: Encryption Policy & Government Hacking
 

Problem Analysis: The first working hypothesis was that Germany and the United States should forego any further discussion of encryption policy and mandatory backdoors and rather focus on analyzing how digital evidence can be obtained through a variety of other means, including government hacking.

The problem analysis, which has been conducted and published, revealed that government hacking faces many challenges.

The following areas have been identified for further research and analysis:

  1. assessing government hacking and identifying alternatives;
  2. evaluating and designing a comprehensive vulnerability management scheme;
  3. discussing future challenges arising from digital evidence;
  4. exploring the adequacy of judicial review;
  5. mitigating possible foreign policy implications.

Addressing Challenges: A workshop held in Washington, D.C. on July 12-13 brought together members of the working group on encryption policy & government hacking to discuss the results of the problem analysis and the way forward. Based on the outcome of the problem analysis, the working group discussed various ideas on how to address those challenges.

The working group agreed to collaborate on the following:

  1. drafting principles for a comprehensive vulnerability management scheme, taking into consideration the international and human rights dimensions;
  2. drafting a holistic framework for government hacking, including the legal bar/standards, the nature of digital evidence, impact minimization (such as exploring alternatives), minimum disclosure details as well as the international and human rights dimensions.

The next workshop has been loosely scheduled for spring 2018 to discuss the results of the collaboration on those issues and plan the subsequent policy and outreach activities.

Another outcome of the workshop is the jointly agreed “Initial Take-Away on Encryption Policy and ‘Government Hacking’”.

Working Group: The working group consists of 42 members from civil society, the private sector and academia from Germany and the United States. The views and opinions expressed by TCF as a whole (and on this website) are those of the project team and do not necessarily reflect the official policy or position of the individuals in the working group or of their employers. Any statement linked on the website represents only the views of the respective signatories. The following members agreed to be named on this website:

  1. Simon Assion, Bird & Bird
  2. Kevin Bankston, New America’s Open Technology Institute
  3. Cathleen Berger, Mozilla
  4. Ulf Buermeyer, Gesellschaft für Freiheitsrechte
  5. Chris Calabrese, Center for Democracy and Technology
  6. Betsy Cooper, Center for Long-Term Cyber Security, University of Berkeley
  7. Jennifer Daskal, American University Washington College of Law
  8. Alan Duric, Wire
  9. Marc Fliehe, Verband der TÜV e. V. (VdTÜV)
  10. Sharon Bradford Franklin, New America
  11. Benjamin Güldenring, Institute for Computer Science of the Freie Universität Berlin
  12. Jan Dominik Gunkel, DIGANTRO
  13. Sven Herpig, Stiftung Neue Verantwortung
  14. Stefan Heumann, Stiftung Neue Verantwortung
  15. Scarlet Kim, Privacy International
  16. Andreas Kuehn, Cyberspace Cooperation of the East West Institute
  17. Susan Landau, Tufts University
  18. Emily McReynolds, University of Washington Tech Policy Lab
  19. Daniel Moßbrucker, Reporters without Borders
  20. Jan Neutze, Microsoft
  21. Jörg Pohle, Alexander von Humboldt Institut für Internet und Gesellschaft
  22. Rainer Rehak, FIfF (Computer Scientists for Peace and Social Responsibility)
  23. Thomas Reinhold, CyberPeace
  24. Volker Roth, Institute for Computer Science of the Freie Universität Berlin
  25. Ross Schulman, New America’s Open Technology Institute
  26. Julia Schuetze, Stiftung Neue Verantwortung
  27. Ari Schwartz, Venable LLP
  28. Megan Stifel, Public Knowledge
  29. Eric Wenger, Cisco
  30. Christoph Zurheide, Deutsche Post DHL Group

 

Policy Track #2: Cyber Defense & Political IT-Infrastructures
 

Problem Analysis: The first working hypothesis was that Germany and the United States should adapt and implement different aspects outlined in deterrence theory in order to prevent future (successful) cyber operations against their political IT-infrastructures.

The problem analysis, which has been conducted and published, revealed that a holistic approach is needed to tackle cyber operations against political IT-infrastructures.

The following areas have been identified for further research and analysis:

  1. protecting the political IT-infrastructure (“deterrence-by-denial”);
  2. assessing options for show of force (“deterrence-by-retaliation”);
  3. relying on international relations (“deterrence-by-norms”/“-entanglement”);
  4. analyzing attribution as a pre-condition.

Addressing Challenges: A workshop held in Washington, D.C. on July 10-11 brought together members of the working group on cyber defense & political IT-infrastructures to discuss the results of the problem analysis and the way forward. Based on the outcome of the problem analysis, the working group discussed various ideas on how to address those challenges.

The two main components that were identified are the analysis of the broader geopolitical objectives for influencing democratic processes and the identification of critical points and technologies for influencing future elections. The objective is to “red team” the elections in 2018 (Midterm US) and potentially 2020 (Presidential US) and 2021 (Federal Germany) based on the findings of the working group. This exercise would then enable the group to make recommendations on how to safeguard the elections (data protection and hardening systems).

The next workshop has been loosely scheduled for spring 2018 to discuss the results of the collaboration on those issues and plan the subsequent policy and outreach activities.

Working Group: The working group consists of 35 members from civil society, the private sector and academia from Germany and the United States. The views and opinions expressed by TCF as a whole (and on this website) are those of the project team and do not necessarily reflect the official policy or position of the individuals in the working group or of their employers. Any statement linked on the website represents only the views of the respective signatories. The following members agreed to be named on this website:

  1. Constance Baban, Brandenburg Institute for Society and Security
  2. Tore Bierwirth, Institute for Computer Engineering of the Universität der Bundeswehr München
  3. Kenneth Geers, Comodo / NATO Cyber Centre
  4. Nathaniel Gleicher, Center for Strategic & International Studies | Illumio
  5. Sven Herpig, Stiftung Neue Verantwortung
  6. Stefan Heumann, Stiftung Neue Verantwortung
  7. Marco Macori, Institute for Security and Safety of the Technische Hochschule Brandenburg
  8. Tim Maurer, Carnegie Endowment for International Peace
  9. Igor Mikolic-Torreira, RAND Corporation
  10. Jan Neutze, Microsoft
  11. Steven Nyikos, Carnegie Endowment for International Peace
  12. Thomas Reinhold, CyberPeace
  13. Laura Rosenberger, German Marshall Fund of the United States (in and out)
  14. Julia Schütze, Stiftung Neue Verantwortung
  15. Isabel Skierka, Digital Society Institute of the European School of Management and Technology Berlin
  16. Tillmann Werner, Crowdstrike

 

Policy Track #3: Intelligence Governance & Oversight Innovation

 

Problem Analysis: Effective intelligence oversight remains an ambitious, unattained and vague benchmark on both sides of the Atlantic. While there is no shortage of guiding principles, international reports and legislative reforms promoting effective intelligence oversight, oversight dynamics on the ground continue to be marred by various problems. Among those are ineffective control mechanisms, regulatory capture, a lack of technological knowledge and insufficient motivation to engage persistently in proactive and unglamorous investigative oversight work. In addition, one can point to no-go zones and accountability gaps in conjunction with international intelligence cooperation or intelligence activities by agencies and contractors that are not subject to the same oversight regime. A lack of objective performance indicators and government secrecy also make it difficult to assess, let alone compare, oversight performance. Individual political systems differ substantially, and concepts like transparency, accountability and democracy remain contested across time and space.

Despite important recent measures to further professionalize and democratize national oversight frameworks in Europe and North America, it is still a long road to establishing independent, competent, informed, agile and resourceful oversight bodies. We consider this a work in progress. Despite numerous challenges, much work can be done today to significantly improve oversight effectiveness. This work should not be left to government and legislators alone. As the pace of technological innovation continues to challenge core concepts of intelligence law and oversight practice, a broader set of perspectives is needed to identify and refine options for positive change. It is with this aim in mind that we initiated this working group.

Those ideas have been laid out in a first discussion paper.

Addressing Challenges: Using collaborative work methods, the group aims to identify and refine ideas for better intelligence oversight. A first workshop held in Washington, D.C. on 19-20 September brought together European and US experts from civil society, academia and the private sector as well as former oversight representatives. Based on this discussion paper, the group exchanged views on future challenges and potential leads for more effective oversight over electronic surveillance. The second day of the workshop was then used to develop a work agenda for the group.

It was decided that two themes, in particular, will be explored further: criteria and tools for advanced transparency, and automated oversight / audits. On the former, the group will study and compare the ways in which the practice of communication surveillance by national intelligence services is made transparent to the public. On the latter, the group will study the different kinds of access that oversight bodies have in different national settings. They will collectively identify and discuss both policy and technological aspects that ought to be considered to improve the design and implementation of automated oversight mechanisms for bulk collection powers (i.e. the generic access to and interference with communication data).

The next workshop will take place in late spring/early summer 2018 and will allow the group to review its progress on the two themes.

Working Group: The working group consists of 35 members from civil society, the private sector and academia from the United States, Germany and other European Union states. The views and opinions expressed by TCF as a whole (and on this website) are those of the project team and do not necessarily reflect the official policy or position of the individuals in the working group or of their employers. Any statement linked on the website represents only the views of the respective signatories. The following members agreed to be named on this website:

  1. Simon Assion, Bird & Bird
  2. Tomaso Falchetta, Privacy International
  3. Joan Feigenbaum, Yale University
  4. Sharon Bradford Franklin, New America’s Open Technology Institute
  5. Sven Herpig, Stiftung Neue Verantwortung
  6. Cameron Kerry, Brookings Institution
  7. Eric King, independent
  8. Ronja Kniep, Berlin Social Science Center
  9. Klaus Landefeld, eco Verband der Internetwirtschaft e.V.
  10. Kate Martin, Center for American Progress
  11. Greg Nojeim, Center for Democracy and Technology
  12. Jörg Pohle, Humboldt Institut für Internet und Gesellschaft
  13. Michelle Richardson, Center for Democracy and Technology
  14. Heide Sandkuhl, Deutscher Anwaltverein
  15. Julia Schuetze, Stiftung Neue Verantwortung
  16. Graham Smith, Bird & Bird
  17. Eric Töpfer, Institut für Menschenrechte
  18. Njord Wegge, Norwegian Institute of International Affairs
  19. Thorsten Wetzling, Stiftung Neue Verantwortung