by Kranostav » Thu Apr 14, 2022 1:04 am
by PotatoFarmers » Thu Apr 14, 2022 6:00 am
SherpDaWerp wrote:PotatoFarmers wrote:The current definition of cyberattacks fails to take into account attacks meant for the stealing of information & data. This could include personal medical history, secrets relating to the security of the state, military intelligence, or even commercial secrets. Considering that these cyberattacks don't cause disruption, they are not covered by your definition & therefore, this piece of legislation.
My intention was that a "disruption" is any abnormal activity, even if said activity is not visible to the average user. Dictionary says "a break or interruption in the normal course or continuation of some activity, process, etc." - data being illegally removed from a server is not the normal course of that server running. Removing data would be, in my opinion, "an interruption in the normal course of a server's programming, where digital input is executed to (at minimum) gain unauthorised access to or otherwise compromise that server" - fitting the definition of a cyberattack. (having scrutineered this clause again, it was a bit silly of me to say "unauthorised" twice, but I don't believe that's really worth any definitional points against it)
SherpDaWerp wrote:PotatoFarmers wrote:Secondly, because of the (lack of) definitions, clause 2a comes off as a little weird and awkward. What is defined as a medical facility? Does it refer to the physical building, or does it also include the computer infrastructure that the doctors rely on for patient records? Same thing for your use of "civilian infrastructure". Do you mean the physical infrastructure or the technological infrastructure?
I assumed the definition of cyberattack including "a computer system or related infrastructure" would have made this clear. Does it not?
SherpDaWerp wrote:PotatoFarmers wrote:Thirdly, there are a variety of loopholes that come as a result of certain phrasing of 2b. For example, 2bii excludes individuals which are "direct governmental staff" of a nation. What about teachers who are employed by the Education Ministry to teach in public schools? What about admin clerks, janitors and other service staff directly employed in the various ministries? Are they not protected? Same for 2bi - Admin staffers who are non-uniformed aren't protected because they are part of the military. Conversely, military subcontractors who produce machinery & technology are protected against cyberattacks. Is there a reason for that?
In general, teachers and other members of the civil service aren't directly employed by Ministries but by government departments that receive funding based on decisions made by the Ministry. This was brought up in drafting; wording that makes this distinction explicitly clear will only introduce more loopholes. How do you define "staff of the government" in a way that accounts for a lottocratical nation? An autocratic one? A democratic one where ministerial staff are personally elected, or come with elected members, or even remain in place with different elected members in the lead?
As for admin clerks and janitors directly employed in the ministries or military - they are, and should be, valid targets, noting that 2b requires the cyberattack to be immediately relevant to the grounds for attacking that individual, so their access badges to enter ministerial offices are fair game, but personal social media accounts are not.
Military subcontractors and suppliers are tempting, however, companies regularly do many different things, and it would be unreasonable to expect every company that contracts for the military to be subject to nation-based cyberwarfare, right down to the company that sells their boots.
by SherpDaWerp » Thu Apr 14, 2022 5:53 pm
Kranostav wrote:I'm not sure how I feel about this proposal given its rather vague nature and cyberwarfare being such a broad method of engagement.
If it was narrower, it would simply not cover everything. As it is, it seems there's things that it leaves out.
Kranostav wrote:I am also unsure why you specifically picked out non-compliant nations when simply saying 'member nations' or 'all nations' would have sufficed.
Because member states enabling non-member protectorates or allies to conduct cyberwarfare should be fine (so it needs to include more than just "member nations") but members enabling actively non-compliant nations to conduct cyberwarfare shouldn't be (so it shouldn't include "all nations").
PotatoFarmers wrote:SherpDaWerp wrote:My intention was that a "disruption" is any abnormal activity, even if said activity is not visible to the average user. Dictionary says "a break or interruption in the normal course or continuation of some activity, process, etc." - data being illegally removed from a server is not the normal course of that server running. Removing data would be, in my opinion, "an interruption in the normal course of a server's programming, where digital input is executed to (at minimum) gain unauthorised access to or otherwise compromise that server" - fitting the definition of a cyberattack. (having scrutineered this clause again, it was a bit silly of me to say "unauthorised" twice, but I don't believe that's really worth any definitional points against it)
I don't quite agree that data stealing is an interruption in the normal course, since the processes of the government servers would probably be coming Especially since most of the time these data losses are done stealthily and unknowingly until further incident response is done. In that case,
If the server is doing something abnormal... then that's an interruption in normality. I'm not sure what else to say. It doesn't matter to whom the interruption is visible, it's still an interruption.
PotatoFarmers wrote:SherpDaWerp wrote:I assumed the definition of cyberattack including "a computer system or related infrastructure" would have made this clear. Does it not?
Nope, I don't think I can use a definition of a term to assume another term? Do I consider the water pumps or chlorine pumps in a water purification plant a computer system or a related infrastructure? Likely not. But what if I can disrupt the water pumps from working normally to stop the water from being pumped to households?
Alright, I'll cop this one as needing work.
PotatoFarmers wrote:SherpDaWerp wrote:In general, teachers and other members of the civil service aren't directly employed by Ministries but by government departments that receive funding based on decisions made by the Ministry. This was brought up in drafting; wording that makes this distinction explicitly clear will only introduce more loopholes. How do you define "staff of the government" in a way that accounts for a lottocratical nation? An autocratic one? A democratic one where ministerial staff are personally elected, or come with elected members, or even remain in place with different elected members in the lead?
As for admin clerks and janitors directly employed in the ministries or military - they are, and should be, valid targets, noting that 2b requires the cyberattack to be immediately relevant to the grounds for attacking that individual, so their access badges to enter ministerial offices are fair game, but personal social media accounts are not.
Military subcontractors and suppliers are tempting, however, companies regularly do many different things, and it would be unreasonable to expect every company that contracts for the military to be subject to nation-based cyberwarfare, right down to the company that sells their boots.
3 points:
- I am pretty sure civil servants, by definition, are government officials. As such, I don't think a broad exemption on "government staff" would make any sense, that is what I am getting at
- Do you not agree that 2b, and the phrase "relevant to the grounds" is a little vague? Like what constitutes relevance? If I can steal the person's personal data so as to blackmail him into giving state secrets, isn't it relevant to the reason why I stole the personal data?
- The part on Military subcontractors makes sense, though I was trying to cite that as a comparison. The main question here is - why admin clerks and janitors are considered valid targets and others are not? How does this list come about?
by Eloren » Mon Apr 18, 2022 6:32 am
by Fachumonn » Mon Apr 18, 2022 7:45 am
by Untecna » Mon Apr 18, 2022 9:21 am
by Equai » Mon Apr 18, 2022 10:35 am
EBN News: USA-Equai Diplomatic Rift: Cold War Rhetoric Escalates - USA President Wilson calls for WA Security Council and international containment of Equai
by Dogologo » Mon Apr 18, 2022 11:25 am
member states must not conduct cyberwarfare on any individual citizens of a nation, except where:
the individual is a member of that nation’s military, or
the individual is a member of that nation’s government or direct governmental staff, or
the individual is actively involved in conducting attacks of any sort on the member state, its citizens, any of the member state's treatied allies, or any of the member state's treatied allies' citizens, or
by PokemonGirl » Mon Apr 18, 2022 11:39 am
by Youtube Inc » Mon Apr 18, 2022 12:21 pm
by The Forest of Aeneas » Mon Apr 18, 2022 2:03 pm
by SherpDaWerp » Mon Apr 18, 2022 5:50 pm
Eloren wrote:What in this resolution would ensure that cyberattacks would not be carried out unless there was high certainty that the target was verified as an aggressor?
In general, I believe, requiring $x means you have to make a best-effort attempt to verify $x before acting. You can't just take one glance before retaliating. (Also worth noting I'm unaware of any APT groups, IRL, that haven't been identified as belonging to some country or another.)
Eloren wrote:What's to deal with non-government actors (e.g. businesses, religious orders, non-profit orgs, etc) from responding to a cyberattack in kind (justified as it may be)? This is a particularly messy issue as it involves problems of attribution errors, tit-for-tat, and "fog of war" from multiple parties.
Or is there another existing resolution that already covers cyberattacks?
This resolution makes no attempt to regulate cyberattacks, except where they're carried out by nations. Non-government actors, under this resolution, would be free to cyberattack whatever they want; I prefer the idea of this being a separate resolution so that it's explicitly clear what governments can do about cyberattacks and what everyone else can do about cyberattacks. There aren't any extant resolutions that regulate cyberattacks between NGOs, but the International Cybersecurity Convention proposed in this forum seems to want to fill that niche.
PokemonGirl wrote:Neckbeard mercenaries working for tendies
Governments that hire mercenaries to do their "dirty work" are still sponsored and/or encouraged by national actors, and are subject to the provisions of this resolution.
The Forest of Aeneas wrote:Personally, the only argument against this I have seen that I find compelling is "direct governmental staff" being too broad.
The argument that 2a is read independently of the definitions in 1, and thus is unclear about what "medical institution or civilian infrastructure" actually means, is also reasonably compelling. Unfortunately, to me, it seems these criticisms were only brought to me at the eleventh hour to make way for another nation to write a resolution on this topic.
by Alistia » Mon Apr 18, 2022 8:47 pm
by Toonela » Mon Apr 18, 2022 9:23 pm
by Vietstalia » Tue Apr 19, 2022 12:40 pm
by Ishtimbine » Wed Apr 20, 2022 4:31 am
by Orifna » Wed Apr 20, 2022 4:37 am
by SherpDaWerp » Thu Apr 28, 2022 1:48 am
by The Wallenburgian World Assembly Offices » Sat Apr 30, 2022 10:04 am
by Cretox State » Sat Apr 30, 2022 10:32 am
The Wallenburgian World Assembly Offices wrote:Please start a new thread instead of reusing one for an already defeated resolution.
by Imperium Anglorum » Sat Apr 30, 2022 3:48 pm
by SherpDaWerp » Sun May 01, 2022 4:43 am