Published on November 15th, 2021 📆 | 8270 Views ⚑0
Remembering the Cybersecurity Treaty That Never Happened
The cybercrime legal community from around the globe is meeting under the aegis of the Council of Europe (COE) to hold the annual Cooperation against Cybercrime conference dubbed Octopus 2021. It is also celebrating the 20th anniversary of the Cybercrime Convention treaty signed in November 2001 in Budapest.
Not celebrated and little known, however, is the Stanford Draft—A Proposal for an International Convention on Cyber Crime and Terrorism—and the initiative begun in 1997 which brought about that draft treaty instrument. The Stanford Draft was in some ways a more technologically oriented and comprehensive treaty instrument that called for the creation of an international treaty-based Agency for Information Infrastructure Protection.
However, the European cybercrime community had concurrently developed its own treaty instrument known as the COE Draft; and in the turmoil following the 9/11 attacks, the U.S. Administration decided to support that instrument. Four years later, in April 2005, some of the key people who were instrumental in creating the Stanford Draft, came together at a Georgia Tech workshop to revisit the subject matter and recommend an array of cybersecurity initiatives for the U.S. together with rapid ratification of the COE Cybercrime Convention—dubbed the Atlanta Declaration.
This article conveys some of the history of this seminal work by leading cybersecurity experts of the period—many of whom came with long and distinguished backgrounds in national security and nuclear arms control. It was prescient work far ahead of its time.
In the early 1990s, several developments both in the United States and Europe converged to produce parallel efforts to focus on new cybersecurity arrangements and paradigms—including international treaty arrangements and institutions. The years of cooperation between industry and the National Security Agency throughout the 1980s to develop and implement the Secure Data Network System (SDNS) platforms globally for telecommunication and information infrastructure security failed to scale in the rapidly growing and evolving marketplace. Network infrastructure became substantially deregulated and removed from government operational control worldwide. An autonomous, self-organizing chaos of architectures emerged for both mobile and fixed internets. Attacks on network infrastructure and all manner of cybercrime began scaling exponentially.
The seminal development in the U.S. occurred in March 1997, when the Center for International Security and Arms Control at Stanford University and the Center for Global Security Research at LLNL hosted for members of the newly formed Presidential Commission on Critical Infrastructure Protection (PCCIP) and sixty representatives from industry, universities, and national laboratories to evaluate the issues. Both venues and many of the participants were highly respected, longtime leaders in the national security and nuclear arms control field. Known as the Workshop on Protecting and Assuring Critical National Infrastructure, it limited its focus to organized information technology-based threats and needed responses. These threats include terrorism, organized crime, and state-sponsored attacks.
Among the legal recommendations of the workshop was a call for “comprehensive use of regulations, new laws, and treaties is needed to respond to this problem.” Related recommendations of note were that: 1) blame apportioned in ways that lead to stronger asset protection in the public interest, and 2) an active public/private relationship given the nature of the control of assets and the overlapping responsibility for national security and infrastructure protection.
The CRISP Project
A principal result of the workshop was the creation in 1998 of a new project at Stanford University called the Consortium for Research on Information Security and Policy (CRISP). As part of a response to growing government concern over the threat of cyber attacks directed against critical national infrastructures, the National Security Agency (NSA) contracted with Stanford University in 1998 to undertake a multi-track program to provide a forum, develop information, and to analyze options for addressing this threat.
CRISP involved several university organizations, the Sam Nunn School of International Relations and the College of Computing, both part of the Georgia Institute of Technology; many companies involved in information technology development and products; several U.S. government agencies; and people from other countries. Notable leaders of the international effort were Abraham Sofaer, Seymour Goodman, Stephen Lukasik, and Prescott Winter who was a senior official at NSA noted for innovative leadership. All had distinguished careers and came together to tackle the challenges of global cybersecurity. The work represents the beginning of contemporary cyber security analysis and produced many seminal concepts and papers on cybersecurity that remain highly relevant today. Sofaer and Goodman subsequently published a compendium of the material as a book entitled The Transnational Dimension of Cyber Crime and Terrorism.
After the CRISP project identified and analyzed what they described as the “vulnerabilities of cyberspace,” they convened a conference in December 1999 on International Cooperation to Combat Cyber Crime and Terrorism. A clear consensus emerged that greater international cooperation is required, and considerable agreement that a multilateral treaty focused on criminal abuse of cyber systems would help build the necessary cooperative framework.
The Stanford and COE Drafts
The following year, in August 2000, nine of the principal experts published the Stanford Draft—A Proposal for an International Convention on Cyber Crime and Terrorism. As a former Federal judge and the Legal Advisor to the U.S. State Department, Sofaer’s substantial involvement in the draft was significant.
The Commentary accompanying the Draft describes the European initiative referred to as the COE Draft and contrasts the two. That draft began about the same time as the U.S. efforts with the European Committee on Crime Problems (CDPC) recommending in November 1996 that the Council of Europe set up an experts committee on cybercrime—which independently developed a cybercrime treaty. It is that work which ultimately prevailed in emerging as a treaty instrument opened for signature in 2001, and joined by the U.S. Significant related work was also occurring among the UK security agencies at the time.
As the Stanford Draft Commentary notes, “the Stanford Draft is largely consistent with the draft COE Convention on Cyber-Crime, but differs in some respects. Most significantly, the Stanford Draft would establish an international agency, modeled along the lines of successful, specialized United Nations agencies, to prepare and promulgate—on the basis of advice from non-political experts—standards and recommended practices (SARPs) to enhance the effectiveness of protective and investigative measures.” In particular, “the Stanford Draft draws on the ICAO and ITU patterns in creating a proposed international institution, the “Agency for Information Infrastructure Protection” or “AIIP,” to implement the objectives of States Parties with regard to protecting the information infrastructure from criminal and terrorist cyber activities. No single set of technical fixes will solve the problems that now exist, let alone those that will develop as the technological possibilities expand.”
The Georgia Tech Workshop
In April 2005, Georgia Tech, together with Carnegie Mellon University, which are two of the leading U.S. cybersecurity Centers of Excellence, hosted a Workshop on Exploring the International Dimensions of Cybersecurity led by Sy Goodman. It brought together many of those involved in the Stanford Draft together with a wide array of private sector and government representatives.
The resulting Atlanta Declaration notes that “National public communication network infrastructures generally—and that of the U.S. in particular—have over the past decade become significantly more vulnerable and are likely to become even more so unless urgent responsive actions are taken.” It then describes five “origins” and describes five “corrective actions.” Of those five actions, only one was acted upon—ratify the Convention on Cybercrime and create a permanent secretariat to implement and evolve its global infrastructure protection role.”
Over the years after the 2005 Workshop, the participants involved in the CRISP program engaged year after year in producing more reports, holding conferences, and engaging with successive U.S. Administrations and international organizations with minimal actual implementation of the original recommendations.
The participants in the CRISP and Stanford Draft initiatives would continue over a number of years to write innumerable papers and participate in U.S. and international cyber defense organizations and initiatives. Seymour Goodman chaired a prestigious National Research Council effort that resulted in 2007 in a massive study report co-authored with Herb Lin—Toward a Safer and More Secure Cyberspace.
In October 2013, one of the key original Stanford Draft participants, NSA’s Prescott Winter, left it for the private sector and characterized the state of enterprise security as “appalling”. Four years later, he would recommend some of the same actions as a private-sector member of the President’s National Security Telecommunications Advisory Committee and its Report to the President on Internet and Communications Resilience.
Lukasik passed away in 2019, somewhat dismayed at the persistent inability of the U.S. government to bring about almost any of the many cyber security and infrastructure protection steps recommended repeatedly over the years that continued to result in ever-worsening attacks and adverse consequences using infrastructure he facilitated as DARPA Director. One of his last activities was the preparation of a detailed analysis for the Defense Threat Reduction Agency on how social media would be weaponized and how to mitigate the threats. Abe Sofaer and Sy Goodman still hold emeritus positions at Stanford and Georgia Tech.
On a positive note, a significant quantum of cyber security solace resides in the massive assembled knowledge and techniques developed by the U.S. national security community’s actual cyber defense experts who retired to create the non-profit Center for Internet Security and assemble a global community advancing and implementing needed capabilities. The measures are demonstrably effective and being widely taken up internationally.
Endnote: The author had the pleasure and honour of being a friend and colleague with many of those involved in these efforts over many years.