This session featured three presentations covering crucial aspects for the challenge: effective oral presentation techniques, the complex interplay of dual-use technology and international law in conflict zones, and the practical realities of cyber incident response.
Preparing the Oral Presentation (Andrew Lee)
This presentation focused on strategies for effectively delivering the decision document and handling the Q&A session during the challenge.
Presenting the Decision Document
A successful presentation hinges on clearly articulating your proposed actions and the rationale behind them. Be explicit about how you plan to accomplish each task, specifying who you would ask and how you would justify the request. For instance, convening the Arctic Council requires diplomatic maneuvering, while retrieving criminal records involves law enforcement cooperation, and accessing logs needs technical and potentially legal authorization.
It’s beneficial to prepare a “policy grab bag” in advance, containing potential options across different domains like economic sanctions, intelligence gathering (wiretapping, sabotage), or military actions (exercises, mobilization). Understand the escalatory potential, enactment process, and timescale for each option. Support your decisions with information from reliable sources, such as the Financial Times, Euractiv, or Bruegel for European perspectives, and the AP Wire, Lawfare blog, CSIS, or Brookings for the United States.
Crucially, follow through on your thoughts. Don’t stop halfway or assume the judges understand your implicit connections. Clearly link the identified problem to your proposed solution and explain the underlying logic. Instead of simply stating “We should respond to Russia,” detail the action: “We will begin intelligence sharing with the United States, reminding U.S. leaders that American businesses are under threat…” Similarly, specify actions involving groups like scientists: “Our press release will highlight that Russia’s actions endanger scientists… If this continues… we will treat Russian universities as sanctioned entities.”
Remember the principles of ACE: Articulation (maximize information per word, be concise yet detailed), Confidence (project assurance), and Eloquence (persuade and move the judges).
Mastering the Q&A
The Q&A session demands quick thinking and strategic responses. The basic flow involves identifying the question, determining if you know the answer, and responding accordingly. If unsure, employ improvisation techniques rather than guessing or “BS-ing.”
Effective improvisation techniques include:
- Don’t Assume Judge Understands: Treat judges as if they have only scanned the material; they may lack full context. Don’t overestimate their familiarity with every detail.
- Ask to Clarify: If a question is unclear, or you need a moment to think, politely ask for clarification. Frame it specifically, e.g., “Did you mean that more in a political context, or a military context?” or “What objective are you thinking about accomplishing?” The act of asking can be as valuable as the clarification itself.
- Delegate: Pre-agree on topic responsibilities within the team and use non-verbal cues to pass questions. Crucially, do not interrupt or contradict teammates. Handing off mid-answer is acceptable if necessary.
- Validate the Judge: Acknowledge the judge’s point to make them feel heard, even if you pivot the answer. Phrases like “I think you’ve raised a really good point…” or “This is a very important aspect…” can be effective.
- Say Something True (Last Resort): If completely stuck, state a relevant, undeniable truth to ground the discussion and potentially create an opening to pivot, e.g., “We all know that transatlantic partnership is currently at a low point…” or “Space is an emerging field of defense…”
Dual-Use Tech in Conflict (Mauro Vignati, ICRC)
This presentation, delivered by the International Committee of the Red Cross (ICRC), addressed the growing challenge of dual-use technologies in armed conflicts from the perspective of International Humanitarian Law (IHL).
The New Reality
The landscape of conflict is changing. Over 100 states possess military cyber capabilities, and many acknowledge using them in armed conflicts. The ICRC currently tracks over 120 armed conflicts globally. Cyber operations carry a significant potential for human cost, a risk recognized in UN reports that highlight the danger to critical infrastructure and the potentially devastating consequences. International calls urge parties to protect civilian critical infrastructure, including essential internet components such as cables and satellites.
Observations
Several trends are apparent: increased military reliance on civilian tech infrastructure (cloud, satellites); the internet’s design lacking clear separation between military and civilian use; civilian platforms being repurposed for offensive military operations; and an accelerating intermingling of civilian and military tech development.
Legal Perspective: Principle of Distinction
The principle of distinction is a ‘cardinal’ and ‘intransgressible’ tenet of IHL. It mandates that parties to a conflict must at all times distinguish between civilians and combatants, and between civilian objects and military objectives. Applied to cyber operations, this means attacks may only target combatants or military objectives; attacks targeting civilians or civilian objects, or those which are indiscriminate, are prohibited.
Civilians lose their protection only if, and for such time as, they take a direct part in hostilities (Direct Participation in Hostilities, DPH). This requires meeting three cumulative criteria:
- The act must reach a certain Threshold of Harm, likely adversely affecting enemy military operations/capacity or causing harm to protected persons/objects.
- There must be Direct Causation, a direct causal link (“one causal step”) between the act and the likely harm.
- There must be a Belligerent Nexus, meaning the act is specifically designed to cause harm in support of one party and to the detriment of another.
The definition of an “attack” in the cyber context remains controversial. Physically damaging hardware likely qualifies; rendering computers dysfunctional might qualify; website defacement likely does not. This interpretation is crucial because many IHL rules apply specifically to “attacks.”
Civilian Objects Becoming Military Objectives
Civilian ICT infrastructure may become a legitimate military objective if its use meets two cumulative conditions:
- It makes an effective contribution to military action.
- Its destruction, capture, or neutralization offers a definite military advantage in the circumstances ruling at the time.
Even if an object qualifies, any attack must still adhere to all other IHL rules, notably proportionality (balancing expected military advantage against anticipated civilian harm) and precaution (taking feasible steps to minimize civilian harm).
Examples
Examples of dual-use challenges include civilian satellite systems (like KA-SAT) used for military communication or targeting via software (like GisArta, Delta), potentially making them targets themselves. Attacks on such systems (e.g., using AcidRain wiper malware) inevitably impact both military and civilian users. Another example is the modification of commercially available drones with warheads, turning civilian tech into offensive military platforms.
Consequences & Responsibilities
The use of dual-use tech in conflict has broad consequences for civilians, including service disruption, eroded trust, loss of situational awareness and information access, potential for social unrest, fear, data manipulation, physical harm, movement restrictions, financial loss, harassment, and tech-facilitated violence.
Digital technology companies, managing personnel, physical assets (data centers, satellites), non-physical infrastructure, and third-party dependencies, bear responsibilities. They should incorporate IHL knowledge into risk management, conduct IHL-specific risk assessments, inform stakeholders of risks, and implement risk mitigation measures.
How to prepare for the unknown? The art of incident response (Gergana Karadzhova-Dangela)
This presentation offered practical insights into Digital Forensics and Incident Response (DFIR), drawing on experience from Microsoft.
Forensics & IR Basics
Forensics is the application of science to legal problems, often involving physical evidence. Computer Forensics specifically combines computer science and law to collect and analyze digital data admissibly. Incident Response (IR) encompasses an organization’s processes and technology for handling cyber threats, aiming for rapid recovery and prevention. DFIR is the combined field. The typical phases of IR are Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity.
Incident Timeline & Anatomy
From an attacker’s viewpoint, an attack follows stages like the Cyber Kill Chain (Reconnaissance to Actions on Objectives). Defenders often enter mid-incident, needing to quickly understand the situation and “kill” the attack project to minimize damage.
A typical post-detection timeline involves:
- Identifying malicious actions (Indicators of Compromise - IoCs).
- Defining the scope (affected systems/data).
- Formulating a hypothesis (attacker goal, entry vector).
- Stopping the spread (containment).
- Eliminating the initial vector (patching, revoking credentials).
- Removing persistence mechanisms (rogue accounts, malware).
- Providing recovery recommendations.
Resolution speed depends on factors like detection delay, environment visibility, attack complexity, IR maturity, available resources, and business support.
Incident Participants
Responding to an incident involves various roles. Primary technical participants include Security Analysts (SOC, IR, CSIRT), Threat Intelligence Analysts, Networking teams, and Technical Management (Team Lead, CISO). Secondary technical roles involve System Owners, Business Unit Leaders, Backup Teams, and Identity Management teams. Non-technical participants include General Management (CTO, CEO), Legal, Communications, HR, and potentially a dedicated Crisis Manager. Cisco’s Talos Threat Intelligence 101 course provides further related information.
Technical Analysis
Key data sources for analysis are host data (workstations, servers), network data (PCAPs, DNS queries), memory data (valuable but rare), and logs (from hosts, network gear, cloud systems, etc.). Associated tools include AV, EDR, XDR, NDR, and SIEM systems.
While more data helps, it adds complexity. Different data types are useful at different stages (e.g., SIEM/XDR for initial scoping, host forensics for deep dives). It’s crucial to confirm findings using multiple sources, be aware of anti-forensic techniques, and work pragmatically with the available data. The Microsoft Digital Defense Report 2024 highlights that sectors like Education/Research are heavily targeted.
IR Readiness
Preparation is key. Technical readiness involves maintaining an Asset Inventory, reducing the Attack Surface, timely Patching, Hardening Systems (limiting admin rights, disabling insecure protocols), and robust, tested, protected Backups.
Organizational readiness requires having an IR Plan with playbooks, Testing the Plan through simulations, fostering a Security Awareness Culture encouraging reporting, and Automating Bulk Operations where possible to free up human analysts. The European Cybersecurity Skills Framework identifies relevant roles like Responder, Analyst, and Investigator.
“The” Incident Report
The format of an incident report depends on its goal. Most often, the aim is rapid control (e.g., ransomware), recovery, and defining security improvements, without a primary legal focus. Less frequently, a detailed forensic investigation is needed for potential litigation (e.g., insider threat).
Forensic experts should adhere to specific practices:
- Document everything meticulously (actions, observations, considerations).
- Use consistent timestamps.
- Add meaningful notes explaining why an observation is relevant.
- Use precise, careful wording (e.g., “relative confidence,” avoid absolutes).
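As an added illustration of the practices above (consistent timestamps, confirming findings across multiple sources, and stating relative confidence), and not code from the presentation: the Python below normalises constructed EDR, DNS and firewall lines, each with a different timestamp format, to UTC, merges them into one traceable timeline, and labels each indicator by how many sources corroborate it. The host name, addresses and domain are invented sample values.

```python
"""Merge log lines from several sources into one UTC timeline and label
indicators by how many independent sources corroborate them."""
import re
from datetime import datetime, timezone

# Constructed sample lines (hypothetical host, IP and domain), one format per source:
# EDR uses ISO 8601 with a local offset, DNS uses epoch seconds, the firewall uses
# an Apache-style stamp with an explicit zone.
SAMPLE = [
    ("edr", "2024-03-04T09:15:07+01:00 WS-17 outbound connection to 203.0.113.44:443"),
    ("dns", "1709540103 WS-17 query update.example-cdn.invalid A 203.0.113.44"),
    ("fw",  "04/Mar/2024:08:15:07 +0000 allow WS-17 -> 203.0.113.44 tcp/443"),
    ("edr", "2024-03-04T09:41:00+01:00 WS-17 new service installed by svc_backup"),
]

# Per source: a regex isolating the timestamp, and a converter to an aware datetime.
SOURCES = {
    "edr": (r"^(\S+) (.*)$", datetime.fromisoformat),
    "dns": (r"^(\d+) (.*)$", lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)),
    "fw":  (r"^(\S+ [+-]\d{4}) (.*)$", lambda s: datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")),
}
# Crude indicator extractor: dotted-quad IPs and names under the reserved .invalid TLD.
IOC_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.invalid")


def parse_line(source, line):
    """Return the line as a record with a UTC timestamp, its source and its indicators."""
    ts_re, to_dt = SOURCES[source]
    m = re.match(ts_re, line)
    if not m:
        raise ValueError(f"unparseable {source} line: {line!r}")
    ts = to_dt(m.group(1)).astimezone(timezone.utc)   # one consistent time base
    return {"ts": ts, "source": source, "msg": m.group(2),
            "indicators": IOC_RE.findall(m.group(2))}


def build_timeline(records):
    """Chronological UTC timeline; every entry keeps its source so claims stay traceable."""
    return sorted((parse_line(src, line) for src, line in records), key=lambda e: e["ts"])


def corroborate(timeline):
    """Map each indicator to the sources that saw it; two or more sources earn 'high'."""
    seen = {}
    for e in timeline:
        for ioc in e["indicators"]:
            seen.setdefault(ioc, set()).add(e["source"])
    return {ioc: {"sources": sorted(s), "confidence": "high" if len(s) >= 2 else "low"}
            for ioc, s in seen.items()}


if __name__ == "__main__":
    tl = build_timeline(SAMPLE)
    for e in tl:
        print(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["source"], e["msg"])
    for ioc, info in corroborate(tl).items():
        print(ioc, info)
```

The single-source domain stays at "low" confidence, which is the kind of relative wording the report should carry until a second source confirms it.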
A typical IR report includes:
- Key Facts (Eckdaten): Incident timeline basics, reporting/involved parties.
- Executive Summary: Concise, readable overview focusing on impact.
- (Visual) Timeline of Events: High-level, non-technical summary.
- Technical Findings: Detailed forensic analysis.
- List of IOCs: Compromised assets, malicious indicators.
- Recovery & Resilience Recommendations: Actionable steps for improvement.