Is cyber-armament a growing trend? What are the main diplomatic responses? And why is the private sector calling for a global political dialogue? This three-part post analyses cyber-armament as a growing trend, and looks at diplomatic initiatives on tackling cyber-attacks. It also makes reference to DiploFoundation’s latest report, Towards a secure cyberspace via regional co-operation.
Interestingly, the corporate sector has also started inviting for political agreement. After it surprised the traditional security community with its own proposal for cyber-norms of state behaviour, Microsoft recently called for a Digital Geneva Convention which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property… it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them’.
Microsoft further called for the establishment of an independent organisation, involving both public and private sectors, ‘that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries…’, similar to the role played by the International Atomic Energy Agency in the field of nuclear non-proliferation (note the similarity with one of the proposals on the table for the future of the UN GGE). Some companies are already warning their customers when digital forensics shows that states are behind a cyber-attack. This signals the emergence of a business model responding to clients’ demands. Such an independent organisation would, therefore, raise these emerging technical efforts for attribution to a political level, to produce a worldwide name-blame-shame effect.
The business interest in calling for political solutions should not come as surprise. We have already analysed the general context in our Digital politics in 2017 outlook. Specifically, cyber-armament is predominantly based on exploiting vulnerabilities in commercial private-sector products. This has profound consequences across the globe. Exploiting product vulnerabilities endangers billions of users, and potentially makes any device a cyber-weapon itself by turning it into a bot (a hijacked device driven by perpetrators to attack others). Also, exploiting vulnerabilities instead of reporting them to the vendors prevents product upgrades and decreases overall global cybersecurity. Moreover, governments often purchase those exclusive exploiting tools (known as zero-day exploits) on black markets, thereby subsidising criminal hackers. Once the exploits are used, they are discovered by security companies as well as other criminal groups, and are easily transformed into widespread tools for criminal activities targeting millions of users that might have not patched their software.
According to Angela McKay, Director of Cybersecurity Policy and Strategy, Global Security Strategy and Diplomacy Team at Microsoft, threat models for enterprises are distorted, since the private sector now plays multiple roles during cyber-attacks: a possible target of cyber-attacks; the attack vector, thanks to its products being misused; and a responsible entity to clean up the consequences. This raises the costs for the industry, but also dangerously diminishes consumer trust in ICT products and services. Perhaps Paul Nicholas, Senior Director on the Microsoft’s Global Security Strategy and Diplomacy Team, expresses it even more bluntly: ‘I am out here building something to deliver commercially through a threat model that I think is reasonable, and yet there is somebody in Moscow or Beijing or Maryland or somewhere working on something that is designed to blow up my product. That blows your product threat model…, no way to anticipate that.’
While the initiative for a global political dialogue by the private sector is certainly welcomed, it is equally important that that private sector looks into its own back yard at how it can make its own products safer, as well as how it could become more responsible (if not liable) for vulnerabilities. Microsoft’s second paper on norms proposes norms for the industry; it is certainly a good start, but may need to be followed more proactively by the ICT industry, to increase its credibility in the international dialogue on cybersecurity.