International Cybersecurity Research Made in Hamburg

Kick-off Workshop on "Zero Trust"

12 May 2021

For the official opening of the IFSH research focus "International Cybersecurity", the team around project leader Dr Mischa Hansel organised an event titled "With Zero Trust to Global Trust? International Cybersecurity in Light of the SolarWinds Attack".

More than 50 representatives from science, business, diplomacy, politics and the media took part in the interdisciplinary workshop. After an opening speech by the German Cyber Ambassador Dr Regine Grienberger, Professor Elmarie Biermann (Stellenbosch University, South Africa), Thorsten Delbrouck (Giesecke+Devrient, Germany), John Kindervag (ON2IT, United States) and Dr Tim Stevens (King's College London, UK) discussed the impact of the "Zero Trust" concept on regional and international cooperation between states, companies and individuals.

An increasing number of entities are relying on "Zero Trust" architectures in order to mitigate the effects of cyberattacks - a paradigm shift in IT security thinking. Instead of focusing on external threats and defending the network "border", "Zero Trust" presupposes that an attacker could always be within a network. It is therefore crucial to shift the security perspective, for example by limiting data access and user privileges. Taking this approach, recent cyber incidents, such as the far-reaching SolarWinds hack, could have been prevented, according to security experts at the event. However, it is not yet clear whether "Zero Trust" will become standard practice. Adoption and success will be driven by transnational companies and private standard-setting processes, not through state diplomacy.

Yet, the role of diplomacy was discussed intensively. Many participants were particularly concerned with the question of how "Zero Trust" could be reconciled with efforts to achieve "human trust" - the foundation of diplomacy. One position was that trust in relation to digitalisation was irrelevant or even dangerous, while other participants warned against applying the premises of "Zero Trust" to political relations. "There are digital solutions to digital problems, but no digital solutions to human problems," one participant summarised. Global norms and trust-building steps cannot be replaced by unilateral technical measures. Yet other participants emphasised the interdependence of technical and political strategies. In the future, technical monitoring and verification measures could for example allow states to counter accusations of acting in bad faith, in turn leading to trust being rebuilt.

Current measures to strengthen European digital sovereignty were also debated. Here one participant remarked that the fixation on differentiating between inside and outside completely misses the technical realities of the internet. "Zero Trust" points out how dangerous false analogies are. The event underlined how vital the dialogue between the IT security and cyber diplomacy communities is, precisely because they are characterised by very different perspectives and concepts.

<-- Read Part III: Cyber Operations and the Loss of Escalation Control