On December 4, 2019 Yurie Ito delivered an intervention at the United Nations Open Ended Working Group on developments in the field of information and telecommuications in the context of international security in New York, NY. The meeting was attended by member states and over 100 participating organizations in the field.

During the session on Confidence building measures and capacity building: Engaging all stakeholders to enhance capacity-building efforts, CyberGreen advocated for a comprehensive framework to measure global Internet health using data and metrics. States and stakeholders were encouraged to use data and metrics to improve the state of global Internet health.

The full text of the intervention is below:

In discussing confidence-building measures in the context of cyber capacity building, we should keep in mind 2 notions:

1. The Internet has no borders

2. The lack of cyber capacity in one country affects not only that country, but potentially every other country in the world. If your Internet ecosystem is riddled with vulnerabilities and risks, your Internet ecosystem is a liability to every other country in the world.

The management and mitigation of vulnerabilities helps to create a cleaner Internet ecosystem and is key to confidence-building between states as a good faith effort toward reducing systemic risk. As the saying goes: think globally, act locally.

The CyberGreen Institute is a global non-profit and collaborative organization that serves the global public benefit by supporting a more resilient and healthier global Internet Ecosystem. CyberGreen is a trusted player in that Ecosystem following transparent ways of working, and identifying sources of risk and best practices for the community. We are committed to evidence-driven metrics and measurements.

Our mission focuses on a multi-stakeholder approach toward advocacy and accountability; that is:

First, ensuring that policymakers are aware of the risks that are present in their local ecosystems and that, given the borderless nature of the Internet, these risks are not only to the local ecosystem in which they are hosted, but to the global Internet ecosystem as a whole.

Next, ensuring CERTs and regulators have a plan in place for communicating with ISPs and network operators, leveraging data as evidence.

Finally, that there is sufficient buy-in from the ISP/network operator community to implement changes and communicate to end users where needed.

We encourage and call on all stakeholders to use data and metrics to drive the establishment and maintenance of their cybersecurity infrastructure on the basis of evidence.

As mentioned, our work at CyberGreen focuses on quantifying open ports, – which could be used as DDoS amplification attack infrastructure, and which exist on the public-facing Internet. But we know that, in order to paint a more comprehensive picture of the systemic risks that exist on the Internet, we need to work with partners to produce more comprehensive metrics.

There are many challenges that currently exist in the realm of Internet health metrics. Only a limited number of organizations provide robust metrics and data to measure cybersecurity risks on a global scale. As a result, policymakers often make decisions that are not based on evidence or good data. In the absence of accurate and meaningful statistics on the health of the Internet generally and domestic networks in particular, it is difficult to enact policies that will achieve impactful results, strengthening network security both nationally and internationally.

One of the most important conditions for enabling robust cooperation in cyberspace is the availability of cross-comparable statistics that empower decision makers to set policies based on evidence, establish priorities, and view trends.

The medical community has established frameworks for risk indicators and courses of treatment based on those indicators. For example, the World Health Organization (WHO) publishes global statistics on key risk indicators prioritized by the global community to provide information on the health situation and trends, including responses at national and global levels.

CyberGreen is requesting collaboration and support to develop a similar framework for Internet health and to create a scorecard for each nation based on the data collected. The potential for global collaboration stemming from cross-comparable statistics in Internet health is enormous. Policymakers, budget and investment decision makers, and nations trying to deploy Internet norms across the world will be able to use current data, but over time also see trends such as activity patterns, and vulnerability life cycles.

CyberGreen proposes to conduct this work with a focus on inclusivity. While CyberGreen will manage the process, and ultimately make the framework publicly available, it will also seek validation and input from the Internet security community. By engaging experts and forming working groups to develop this framework, and presenting the findings at conferences and other venues to solicit feedback, CyberGreen will ensure that there is sufficient buy-in from the community on the outline and inputs of the metrics framework it seeks to create and maintain.

Together, as a global community, we can reduce systemic risks that currently exist on the Internet. This necessitates a multi-stakeholder effort, and we encourage all relevant stakeholders to adopt the idea of a comprehensive framework to drive local and global mitigation campaigns for a cleaner, healthier Internet ecosystem.