IGF 2022 WS #370 Addressing the gap in measuring the harm of cyberattacks

Time
Thursday, 1st December, 2022 (10:45 UTC) - Thursday, 1st December, 2022 (11:45 UTC)
Room
Large Briefing Room

Organizer 1: Pavlina Pavlova, CyberPeace Institute

Speaker 1: Raffray Emma, Civil Society, Western European and Others Group (WEOG)
Speaker 2: Roxana Radu, Civil Society, Eastern European Group
Speaker 3: Peter Stephens, Intergovernmental Organization, Intergovernmental Organization

Moderator

Cherie Lagakali, Civil Society, Asia-Pacific Group

Online Moderator

Pavlina Pavlova, Civil Society, Western European and Others Group (WEOG)

Rapporteur

Pavlina Pavlova, Civil Society, Western European and Others Group (WEOG)

Format

Round Table - U-shape - 60 Min

Policy Question(s)

How should “harm” be defined in cyberspace? What are the categories and indicators that can effectively help to measure harm from cyberattacks? How will a methodological framework for harm to people improve policy making and ensure greater accountability for cyberattacks? How will a methodological framework for harm improve implementation of cyber norms? How can a changed perception of harm through a human-centric approach inform the decision making at the domestic, regional, and international levels?

Connection with previous Messages: The session closely follows on the IGF 2021 Message on Trust, Security, and Stability, which states that “the development and implementation of cyber norms should include the views of all stakeholders (including victims, etc.) and address meaningfully their needs and responsibilities. Processes need to be based on research and analysis which include these communities”. The aim of the session is to bring attention to the impact of cyberattacks on the victims and offer a human-centric perspective on the harm caused by malicious activities in cyberspace. Importantly, it aims to support policy making, decision making, and norms implementation based on a methodological framework building on in-depth research and cyber incident analysis which assess both the vulnerability and needs of victims of cybercrime.

SDGs

16.3
Targets: 16.3 Promote the rule of law at the national and international levels and ensure equal access to justice for all. The session will present a methodology for measuring the societal impact of cyberattacks. The methodology proposes a novel approach to the selection of indicators of harm and to assessing harm in cyberspace. To this day, there has not been a sustained effort to comprehensively measure the harm to people from malicious cyber behavior. This methodology aims to change this and contributes to policy- and decision-making through an informed and human-centric approach. This will help to develop prioritized resilience efforts based on areas with high levels of societal harm. The outcome of the session will effectively contribute to promoting the rule of law at the international level, in particular in United Nations processes such as the Open-Ended Working Group (OEWG) on security of and in the use of information and communications technologies and the Ad Hoc Committee (AHC) to elaborate a UN cybercrime convention, but also at the national and regional levels. By doing so, it supports the steps toward closing the accountability gap in cyberspace and ensuring equal access to justice for all victims.

Technology 17.6: Enhance North-South, South-South and triangular regional and international cooperation on and access to science, technology and innovation and enhance knowledge sharing on mutually agreed terms, including through improved coordination among existing mechanisms, in particular at the United Nations level, and through a global technology facilitation mechanism. Developing a harm methodology can meaningfully contribute to regional and international cooperation and capacity building, through knowledge sharing and increased understanding of mutually agreed terms. At the same time, the focus on accountability for malicious cyber behavior prioritizes finding synergies and improving coordination among existing mechanisms to achieve an effective implementation on the ground. The methodology, just as the proposed session itself, builds on a multistakeholder approach that supports and enhances global exchange and reflects on the diversity of perspectives among different groups of stakeholders.

Description: In an era where the use of technology is intrinsically linked to every detail of our lives, we are seeing increasing threats to the secure and safe use of these technologies. Cyberattacks on critical infrastructure have demonstrated how vulnerable we really are when services such as emergency care, access to clean water and electricity are impacted. Over the years, efforts to measure the impact of cyberattacks have focused on the direct impact to targeted systems or organizations: time to restore, financial costs and, to some extent, the number of breached records. This narrow assessment of the impact of cyberattacks misses a fundamental element: what harm the attack has caused to people. The real harm to society is difficult to estimate, whether it has to do with a cumulation of many individual events or a one-off major disruption, but getting to the point where we can measure this will allow us to better protect not only infrastructure essential to our lives but also the people who depend on it. There is currently no standard methodology in place and we lack the metrics, tools and frameworks to understand and track harm from cyberattacks over time. Defining indicators of harm is the first step to developing a thorough methodology; the CyberPeace Institute has begun research into categories of harm and indicators relating to physical, digital, informational and psychological harms. These are then used as the backbone for proposals for a standardized methodology to measure and assess harm across industrial sectors, geographic regions and ultimately society. A methodological framework can lay the foundation for, and influence, solid policymaking to ensure accountability for cyberattacks and help to develop prioritized resilience efforts based on areas with high levels of societal harm. Through this session we propose to outline the draft methodology, so as to leverage the expertise of the audience to provide feedback and indicate interest in peer-reviewing or testing such a methodology, as well as to have an open discussion about the value of understanding harm in a cyber context.

Expected Outcomes

The input from the participants will be gathered and analyzed to further inform and improve the developing methodological framework for harm to people from cyberattacks.

Hybrid Format:

- How will you facilitate interaction between onsite and online speakers and attendees? The onsite and online moderators will facilitate the interaction, stirring a discussion with proposed guiding questions and giving the floor to participants interested in commenting or asking a question.
- How will you design the session to ensure the best possible experience for online and onsite participants? The online event will have an open format where, after the introduction and opening statements informing the discussion, the moderator will focus on driving the discussion among participants and have them actively engage on the topic.
- Please note any complementary online tools/platforms you plan to use to increase participation and interaction during the session. The online event will be facilitated over a secure video conferencing platform with an enabled chat function to allow the participants to pose questions or comment throughout the event.

Online Participation

Usage of IGF Official Tool.

 

Key Takeaways

Developing both quantitative and qualitative measurements as well as general indicators and sector-specific indicators is a key part of advancing the harm methodology. The methodological framework should consider different kinds of harm inflicted by cyberattacks and include issues of re-victimization and redress. It is recommended to link the discussions on the methodological framework for measuring harm to the accountability framework.

Call to Action

Addressing the harm stemming from cyberattacks is a collective responsibility. There is a need for multistakeholder initiatives that can break existing silos between different communities and experts to meaningfully advance the harm methodology. Outreach is important to the wider community, especially cybersecurity experts, policymakers, economists, and mathematicians who can meaningfully contribute to developing the harm methodology.

Session Report

Recent years have seen a growing number, scale, and impact of cyberattacks. State and non-state actors increasingly exploit vulnerabilities in cyberspace for financial profit or to gain an advantage over their adversaries. The CyberPeace Institute has been recording cases of cyberattacks related to the healthcare sector and in connection to the war in Ukraine. From June 2020 to November 2022, the Institute aggregated a total of 501 incidents affecting 43 countries around the world as part of the Cyber Incident Tracer (CIT) #HEALTH – a platform that records and analyses data on cyberattacks in the healthcare sector and, importantly, their impact. Similarly, to this date, the Institute’s Cyber Attacks in Times of Conflict Platform #Ukraine has featured 834 cyberattacks and operations in 35 targeted countries. While this is only a fraction of the full scale of the threat landscape, these platforms attempt to bridge the current gap in the understanding of the harm to people stemming from cyberattacks.

This workshop posed some key questions for developing the harm methodology, including how “harm” should be defined in cyberspace, what categories and indicators can effectively help to measure harm from cyberattacks, and how a methodological framework for harm caused to people can improve policymaking and ensure greater accountability for cyberattacks. While a significant effort has been devoted to documenting cyberattacks and understanding their economic impact, there is a remaining gap in understanding the damage they cause to societies. The harm methodology introduced during the session attempts to close this gap and proposes a novel approach to the selection of indicators of harm and the assessment of harm in cyberspace. This framework aims to contribute to the efforts of comprehensively measuring the harm to people from malicious cyber behavior and in this way advance policymaking and decision-making through an informed and human-centric approach.

The panelists spoke about the lack of data related to cyberattacks and to the harm caused by such attacks. It was proposed that currently, we see the impact on records, facilities, and the economy, among others, but such an assessment is too narrow. There is a need to develop quantitative and qualitative measurements for societal harm, particularly in regard to the impact on vulnerable people and the possible re-victimization, both online and offline. Harm originating in cyberspace can be represented in many ways, and it is important to have an impact assessment as part of related policies and legislation. When discussing the state of play, the panelists noted that some attacks are already high on the agenda, including ransomware and spyware, but more efforts are needed to understand different kinds and degrees of harm. Research conducted on this topic remains insufficient, but some important contributions have already been published, including on the taxonomy of cyber harm. Conversations are important for advancing the initial methodological framework, especially concerning the number of indicators, quantifying numerical values, and qualitatively documenting and tracking the results. The CyberPeace Institute welcomes contributions from stakeholders.

A methodological framework for cyber harm can improve policymaking and ensure greater accountability for cyberattacks with a human-centric approach. Given the complex landscape of cyberspace, policymakers need to understand the impact of cyberattacks in order to be able to base policies, strategies, and legislation on empirical assessments. By extension, it is key to measure not only the economic impact of cyberattacks but also the harm they cause to people. The panelists remarked on the critical need to consider redress for those who were affected. The effects of cyberattacks are often localized, meaning that many people experience harm to some extent and we need new safeguards and effective remedies. Furthermore, it is important to link the discussions on the framework for measuring harm to the accountability framework. There are remaining silos in areas relevant to developing the harm methodology, including cyber insurance, law enforcement, and education, but building this framework should be a collective investment. Entities across the stakeholder communities need to cooperate and test the proposed approaches in different sectors as the indicators can vary.

In conclusion, this workshop contributed to raising awareness about the methodology for measuring harm from cyberattacks. Such a framework has the potential to inform policymaking and decision-making and help prioritize resilience efforts based on areas with high levels of societal harm caused by cyberattacks. It was outlined that a follow-up should include outreach to the wider community, specifically to cybersecurity experts, policymakers, economists, and mathematicians. The input from the participants at the workshop has been gathered and analyzed to further inform and improve the methodology.