French diplomat: Spies gonna spy – there aren't any magical cyberspace laws that can prevent it

Pragmatic chap looks at reality of international relations

FIC2019 A French diplomat has suggested that future global regulation of cyberspace could exempt spying from regulation "as long as some specific sectors are preserved".

Although he prefaced his comments by saying "I speak on my behalf, not for France," Jean Heilbronn went on to tell an audience at French infosec conference FIC2019: "I don't think we need a new global agreement to stabilise cyberspace."

Baddies linked to Iran fingered for DNS hijacking to read Middle Eastern regimes' emails

READ MORE

Heilbronn – a diplomat whose background includes posts as a political advisor to the French Ministry of Defence and at NATO, as well as a period spent studying at the London School of Economics – spoke during a panel discussion at the Forum Internationale de Cybersécurité titled: "Which form of multilateral regulation can lead to a safe and stable cyberspace?"

"We already have rules in international law with the UN Charter which prevents restrictions on the use of force," said Heilbronn through a translator, though later in the talk he switched to fluent English. "That also applies to cyberspace... let's be careful with this notion."

He continued: "What matters is that states have to respect some lines and shouldn't cross some red lines. States spying on each other? That's normal. We should not normally prevent this. If we have a ban [on spying] then we need to check that the ban is not breached. There would be no consensus on how to punish a ban. Let's not get into negotiations we would lose."

After the panel session, he clarified his remarks to The Register by saying that states are always going to engage in espionage, something that is not actually illegal under international law, and that recognising these types of grey areas is vital in diplomacy. Spying for the purpose of gaining industrial advantage (IP theft) was one example he gave of an unacceptable use of spying. During his talk he boiled down the problem of cyberspace regulation to one of crisis prevention, crisis management and international regulation "as a lawmaking activity" intended to create "new standards [and] new behaviours".

Heilbronn's fellow panelists were broadly of the view that current international bodies are good enough to regulate cyberspace, insofar as it needs regulating to help prevent potentially warlike escalations of force arising out of nation-state-level hacks. They also thought that the world could do this without needing dedicated new cyber multinational bodies.

Michael Daniel of the Cyber Threat Alliance, a former advisor to past American president Barack Obama, characterised cyberspace regulation as "not just a technological problem but also a physical problem, an economic problem... and an international relations problem".

"Cyberspace is relatively young," said Daniel, contrasting it with how international treaties on maritime borders and commerce evolved over centuries. "In the US the [world wide web] is barely able to drink."

Frédérick Douzet, a member of the Global Commission for Stability in Cybersecurity, gloomily opened with: "We really believe that cyberspace stability is at risk, international security and peace is also at risk," He qualifyed that by saying it was "because of a broader geopolitical context that shows a lot of tension right now".

"There is a strong incentive to find a way to regulate this space to avoid a major catastrophe," she added, pointing out that nation states' tools (such as the NSA's Eternalblue) have a nasty habit of leaking into the public domain, with elements ending up in malware such as WannaCry and NotPetya.

"10 years ago," mused Daniel, "we'd have been talking about website defacements. When was the last time we talked about website defacement as a problem? Now we're talking about NotPetya as a problem." ®




Biting the hand that feeds IT © 1998–2019