G7 Geared Up for Cyber Threats in 2016, Focusing on Financial Sector

The G7 stepped up its cybersecurity efforts during the Japanese chairmanship in 2016. The group held an ICT Ministers’ Meeting on 29-30 April 2016. On 27 May 2016, it adopted the G7 Principles and Actions on Cyber as an annex of the G7 Leaders’ Declaration in Ise-Shima, Japan, and established the Ise-Shima Cyber Group. The G7 further endorsed the G7 Fundamental Elements of Cybersecurity for the Financial Sector on 7 October 2016.

G7 ministerial meetings in 2016 related to cybersecurity

The G7 ICT Ministers met in Takamatsu, Kagawa, on 29-30 April 2016. According to the Japanese Ministry of Internal Affairs and Communications, it was the first meeting of the ICT Ministers in some 20 years. The ICT Ministers dealt with cyberspace in general, concentrating on economic and social aspects, but also devoted one session to cybersecurity.

The ICT Ministers adopted a Charter for the Digitally Connected World (the ‘Charter’), issued a Joint Declaration (an Action Plan for implementing the Charter), and formulated the G7 Opportunities for Collaboration.

The Charter lists four fundamental principles underpinning the ‘digitally connected world’:

  • promoting and protecting human rights,
  • promoting and protecting the free flow of information (here the Charter talks about ‘digital security’),
  • supporting a multi-stakeholder approach, and
  • strengthening digital connectivity and inclusiveness for all.

To develop these principles, the Charter formulates the G7 ICT Strategy. The Strategy deals with promoting cybersecurity in paragraph 15, along with cross-border information flows and privacy and data protection.

The Charter is implemented by the Action Plan contained in the Joint Declaration. In paragraphs 16–20 of the Action Plan, the ICT Ministers state that they support policies which promote internet openness and the flow of information across borders; they oppose ‘unjustifiable’ data localisation requirements; and they support ‘high standards of privacy and data protection’, referring to the ‘Privacy by Design’ approach. International collaboration, capacity building and public-private partnerships are viewed as important elements of cybersecurity, as are training, education and increased awareness.

The annex to the Joint Declaration, titled G7 Opportunities for Collaboration, contains a list of projects which the G7 states consider important enough to call on for international cooperation. The section on ‘promoting and protecting the free flow of information’ lists several cybersecurity projects:

  • the CyberGreen Project,
  • Network Incident Analysis Centre for Tactical Emergency Response (NICTER),
  • Information Sharing and Analysis Centres (ISACs),
  • initiatives to enhance open-source security, such as the Linux Foundation’s Core Infrastructure Initiative (CII),
  • information sharing in the field of data economy, and
  • international collaboration in the domain of spam and malware intelligence.

Cybersecurity is also covered by the statement of G7 Energy Ministers, who met in Kitakyushu, Fukuoka, on 1-2 May 2016. The Energy Ministers ‘commit [them]selves to advancing resilient energy systems including electricity, gas and oil, in order to respond effectively to emerging cyber threats and to maintain critical functions.’

Parts of the Joint Communiqué of the G7 Hiroshima Foreign Ministers’ Meeting (10-11 April 2016) dealing with cyberspace appear in the Ise-Shima texts.

G7 Ise-Shima Summit

The G7 held its annual summit in Ise-Shima, Japan, on 26-27 May 2016. The summit declaration, while dealing with a variety of global and regional issues, contains several references to cyberspace and cybersecurity. The leaders also endorsed the ‘G7 Principles and Actions on Cyber’, which form an annex of the declaration and elaborate some of the ideas from the declaration itself.

Openness and security of cyberspace

In both documents, the G7 leaders express their common principles with respect to cyberspace, stating that its openness is essential to economic prosperity and the common democratic values of the G7, and supporting ‘an accessible, open, interoperable, reliable and secure cyberspace’. By putting security on the same level as openness, the G7 countries want to emphasise that security is essential for cyberspace to remain open and accessible.

On the other hand, the annex talks about ‘decisive and robust measures in close cooperation against malicious use of cyberspace both by states and non-state actors, including terrorists’ and the necessity of national and international cooperation of the ‘various actors responsible for cyber security, cyber defense and fighting cybercrime’. Interestingly, the declaration and annex fully avoid the use of the term ‘encryption’, which was one of the main topics on which the debate on national security and cyberspace has focused in recent years (‘Crypto Wars’). It is possible that this is due to the fact that even the G7 states and their respective intelligence and law enforcement authorities have conflicting interests regarding enhancing or breaking encryption.

International law and norms in cyberspace

The G7 leaders reaffirm that international law is applicable in cyberspace and commit to promoting voluntary norms of responsible state behaviour and confidence-building measures. They mention the 2015 UN GGE Report and call upon all states to be guided by it. They also praise the work of the ‘new’ UN GGE (2016-2017).

In the annex, they affirm that cyber activities could amount to the use of force or an armed attack, triggering a state’s right of individual or collective self-defence and the application of international humanitarian law. This is obviously more open language than can be found in the 2015 UN GGE Report, and it is similar to the recent NATO documents from the Warsaw Summit.

The G7 leaders deplore economic cyber espionage (state-conducted or state-supported ICT-enabled theft of intellectual property with the intent to gain unfair competitive advantages for companies). This is in line with earlier separate declarations by the G7 countries, especially the US.

The leaders recognise that ‘States have particular responsibilities and roles in the ICT environment, just as elsewhere[,] to promote security, stability and prosperity.’ This echoes Rule 5 of the Tallinn Manual, which represents international law de lege lata: ‘A State shall not knowingly allow the cyber infrastructure located in its territory or under its exclusive governmental control to be used for acts that adversely and unlawfully affect other States.’ The G7 statement is slightly vague; however, it seems to point in the direction of an emerging rule on due diligence in cyberspace.

Cybersecurity and digital economy

Further developing the principle of ‘openness, transparency and freedom of the Internet’, the declaration mentions ‘a fair and equal access to the cyberspace for all actors of digital economy’, which shows an implicit commitment by the G7 to the principle of net neutrality. Echoing the declaration of the ICT Ministerial Meeting (see above), the G7 leaders also oppose ‘unjustifiable’ data localisation requirements as these undermine the global nature of the Internet.

The leaders commit ‘to the protection and promotion of human rights online’, as well as ‘to promote a multi-stakeholder approach to Internet governance’. This is an ongoing position of the G7 states, distancing themselves from efforts to subject cyberspace to multilateral sovereign control by states, so it comes as no surprise.

G7’s concerted actions regarding cybersecurity

The G7 wants to promote cybersecurity by encouraging cooperation among national computer security incident-response teams, as well as building capacity and raising awareness. Information sharing on cybersecurity threats, especially to critical infrastructure, should be enhanced, and the G7 will collaborate on research in security, privacy, and resilience. This shows that at least on the international stage, the G7 states remain supportive of privacy, even though the topic of ‘encryption’ is not mentioned.

The G7 encourages more states to join the Budapest Convention on Cybercrime of the Council of Europe, and it promotes the activities of the G7 Roma-Lyon Group’s High-Tech Crime Subgroup and its 24/7 Network.

The need for collaboration in cybersecurity of large international events, such as the Olympic and Paralympic Games, and of multilateral summit meetings, is specifically noted by the annex.

Two cyber groups

A new G7 working group on cyber, called the Ise-Shima Cyber Group, was established by the declaration. The group should ‘enhance […] policy coordination and practical cooperation to promote security and stability in cyberspace.’ The group’s first meeting since the summit was held on 14 October 2016. It had a ‘frank discussion on how to promote international law, norms, confidence building measures and capacity building in order to increase stability and security in cyberspace’. It will convene again during the Italian G7 presidency in 2017.

At the Ise-Shima summit, the leaders also welcomed the work of the G7 Cyber Experts Group (different from the Ise-Shima Cyber Group) in the financial area. This group went on to prepare the G7 Fundamental Elements of Cybersecurity for the Financial Sector.

G7 Fundamental Elements of Cybersecurity for the Financial Sector

The Elements are non-binding principles of cybersecurity for private and public entities and authorities in the financial sector. They are described as the ‘building blocks’ upon which an entity can design, implement and re-evaluate its cybersecurity strategy and operating framework. According to the German central bank, the Elements were prepared by the G7 Cyber Expert Group and endorsed by the G7 finance ministers and central bank governors on the margins of the annual meeting of the International Monetary Fund (IMF) in Washington, DC, on 7 October 2016.

There are eight topics listed in the Elements: (1) cybersecurity strategy and framework, (2) governance, (3) risk and control assessment, (4) monitoring, (5) response, (6) recovery, (7) information sharing, and (8) continuous learning. They are elaborated in a very general way, and their value is mostly declaratory: the G7 states that financial cybersecurity is an important matter. The topics are obviously very broad and resemble the topics of the cybersecurity standards in the ISO/IEC 27000 family (for instance, the ISO/IEC technical report 27015:2012 deals specifically with financial services).

A G7 state official said to Reuters that the Elements may ‘drive a common lexicon’ and the building up of trust and confidence between governments and the financial sector.

However, the effect of the Elements should not be overestimated. While it is good that the issue has been raised, practical implementation is largely up to the governments and public and private entities, since the Elements themselves are not legally binding. Nevertheless, they are useful for showing the official policies of the G7 states, which tend to be like-minded in their cyberspace and cybersecurity policies, and might agree on more common principles than the UN GGE in their past reports or the OSCE in their Confidence-Building Measures.

The Elements have to be viewed in the context of recent incidents of abuse of the SWIFT messaging network, which is run by a Belgium-based association owned by banks and used for international bank payments. In February 2016, hackers took control of Bangladesh Bank computers used for making international transfers through the SWIFT network and managed to steal 81 million USD by making fake transactions from the bank’s account.

It is important to note that the SWIFT network itself was not hacked – it was the hack of the systems at the Bangladesh Bank that enabled the heist. However, the Bangladesh Bank heist is novel in that its perpetrator was probably a state, or a state-sponsored actor. According to Symantec, the malware used to infect the bank’s computers can be traced to a group named ‘Lazarus’, which has links to North Korea and was behind the 2014 Sony hack. If this can be confirmed, the case could be interesting from the perspective of international law due to possible direct or indirect state responsibility regarding North Korea. The usual ambiguity of cyber espionage would not apply here because the North Korean hackers were not seeking national security information or intellectual property – only money.

SWIFT is introducing a set of mandatory cybersecurity measures for its network clients. It will start inspecting them in 2018 and will inform the clients’ counterparties and regulators in case of non-compliance. On 2 November 2016, the messaging network warned the banks of the rising threat in an undisclosed letter, as reported by Reuters.

Conclusion

The 2016 cyber developments at the G7 show that the group is clearly gearing up for cyber threats in comparison with previous years. Cybersecurity forms a large part of the declaration of this year’s summit; a new working group on cyber was created and guidance for the financial sector cybersecurity was issued. The division of tasks among the Ise-Shima Group on Cyber, the Cyber Experts Group and the ICT Ministers meeting has not been made clear but will hopefully be settled soon.

The recent efforts regarding cybersecurity are undoubtedly due in large part to the Japanese chairmanship. Similar to Singapore’s activities in the ASEAN, Japan is trying to push cybersecurity in the G7 agenda. Japan has a relatively new national cybersecurity strategy, dating from just 2015, and some formulations from the strategy also appear in the G7 documents from 2016. In an interesting coincidence, as if to humiliate the Japanese hosts, the Wi-Fi network at the accommodation for the reporters covering the Ise-Shima summit was itself hacked.

The G7 group generally voices the ‘Western consensus’ opinion on cyberspace and cybersecurity, despite a lack of clarity and detail in their encryption and privacy policies. The group is quite progressive with respect to the applicability of international law in cyberspace, and it expresses fairly liberal views on the issues of multi-stakeholderism in Internet governance, the openness and accessibility of the Internet, and in the relationship between human rights and cyberspace. The leaders agreed that security is necessary to keep cyberspace open and accessible but should not be abused to curtail human rights online. It remains to be seen to what extent the G7 can remain true to this principle in the face of a variety of emerging threats in the years to come.

Tomáš Minárik

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.