Nuclear plant in South Korea hacked... Hackers attack Internet overlord ICANN... US, European police swoop on Tor 'dark markets' ... Cybersecurity units to protect Russia’s nuclear weapons stockpiles... Digital War takes shape on websites over ISIS... The winds of net-war: China warns of US arms race in cyberspace... China expands cyber spying... Can the headlines get any worse in 2015? Yes. But they could possibly get better as well.
Threats on fast-forward
Evidence of cybersecurity threats and (un)successful responses are scarce and discomforting. Ed Gelbstein warns that in spite of the high cost of security breaches in which data are stolen ‒ over US$250 per record (some attacks involve millions of records) for notifying the parties affected, plus the commercial value of the stolen data which may consist of intellectual property valued in hundreds of millions of US dollars ‒ companies spend less than the price of a cup of coffee per employee per day on IT security. At country level, my recent research estimates that a financial loss of a potential country-scale attack on information infrastructures – similar to what happened to Estonia in 2007 – ranges from over €10 million per day for a small developing country, to over €500 million per day for a developed economy like Switzerland. Worse than that ‒ hacking (can) gets physical, as Forbes put it: a Ponemon Institute and Unisys report reveals that two-thirds of the interviewed energy sector industry has survived at least one cyber-attack that ‘led to the loss of confidential information or disruption to operations’; according to Symantec, the energy sector was the fifth most targeted sector worldwide.
Protection of the critical infrastructure from cyber-attack is thus coming to the top of the priority list. A breach in the South Korean nuclear power plant is a recent example of this need. Most countries, however, have not even formally defined what their critical infrastructure is, let alone raised the capacity of associated institutions and the corporate sector to combat risks stemming from cyberspace and to develop skills to prevent and respond to incidents.
Cybercrime is getting more complex and sophisticated; FireEye, a well-known security company, predicts threats like ransomware (criminals locking a user’s or a company's data and requesting a ransom to unlock). As the criminal milieu gets bigger, competing ‘gangs’ are more prone to fighting for clients by entering ‘gang fights’ (e.g. Silk Road 2.0 ‒ the recently dismantled leading underground market ‒ suffered DDoS attacks earlier, allegedly coming from competitors). The consequences of private cyberwars, however, may go way beyond those of Al Capone's time ‒ a spill-over effect of a DDoS attack may impact the entire Internet, as we sensed from the CyberBunker vs Spamhaus case last year.
A different threat ‒ or rather a risk ‒ may, however, come to forefront in 2015: cyber-armament. We are already seeing leading countries establishing cyber-commands with defence (and pro-active defence) capabilities, but possibly also for the offence; the UNIDIR reports that 47 states have cybersecurity programmes that involve armed forces. This trend is further stimulated by war-drums in statements and articles attributing certain cyber-attacks to states even though it is well understood by experts that the inability to attribute is one of the greatest challenges when it comes to the application of international law to cyberspace. Most recently, North Korea has been labelled as a ‘rogue state’ behind the attacks on Sony and, indirectly, on the USA, in spite of very weak evidence disputed by experts, evidence that would be unlikely to stand up in court. Frivolous attributions to countries ‒ even rogue ones ‒ for incidents of high magnitude may result in greater tension, further cyber-armament, and less cooperation against real threats such as the cybercrime, from where most of the cyber-weapons originate and without which cyberwarfare would be much less possible in the first place. Moreover, increased tension allows decision-makers in both rogue states and democracies to push through restrictive legislation that can impose online content control and cripple the Internet’s openness and freedom under the guise of national security.
Is there a ‘pause’ button?
It is not likely that these threats can be paused, but it is probable they can be slowed down to an ‘acceptable’ rate and better harnessed by addressing existing gaps in global governance and international cooperation. A few examples:
Some other gaps are similar to those of the wider Internet governance debate, well outlined in The Message from the Geneva Internet Conference by the Geneva Internet Platform, including the needs for bridging policy silos, strengthening genuine participation of different stakeholders and sectors, prioritising data analysis and evidence-based policy-making, and ensuring holistic capacity development.
On the positive side, cybersecurity is becoming a buzz-word: more and more political initiatives are emerging to address confidence-building measures and conflict prevention. At UN level, the Groups of Governmental Experts (GGE), which had its first report on threats from cyberspace and possible cooperative measures back in 2010, has been renewed in 2014 and should report to the General Assembly again in 2015. The 2013 GGE report outlines the need for ‘cooperation for a peaceful, secure, resilient and open ICT environment’, and useful recommendations on ‘norms, rules and principles of responsible behaviour by States’, ‘confidence-building measures and the exchange of information’, and capacity-building measures. The report on ICT and international security of the Secretary-General in June 2014 builds on this and summarises the updates on national policy developments collected from a number of governments.
It is important to note that the GGE recommends the application of existing international law to cyberspace, which is in line with the official positions of the USA and its NATO partners. At the same time, the report notes the initiative by China and Russia and their partners from the Shanghai Cooperation Organisation for an international code of conduct for information security. This is principally opposed by the USA and its partners, who argue that such a code would open the door for allowing content control by governments and reduce the Internet’s openness and freedom. This political battle is likely to remain prominent, as it also has practical components: the implementation of existing international law faces certain limits with regard to the definition of and the reaction to armed conflicts in cyberspace (especially related to the principles of attribution, necessity, distinction, and proportionality), thus its ‘upgrade’ in some form might be needed in order to avoid different interpretations of future incidents, which may then slide into conventional conflicts.
The OSCE, with its follow-up work on the Confidence Building Measures (CBMs) adopted in December 2013, has also focused on common understanding and cooperation among states. The most complex task will be a follow-up to CBM 3 which invites consultations among participating states in order to ‘reduce the risks of misperception, and of possible emergence of political or military tension or conflict that may stem from the use of ICTs, and to protect critical national and international ICT infrastructures including their integrity’. Other CBMs promise greater achievements as they relate to establishing institutional (strategic, legal, and operational) mechanisms in member states, which could enable information sharing about threats and best practices across sectors and borders, and contribute to awareness raising, and incident prevention and response. Most importantly, the OSCE seems to understand the necessity of involving other sectors and professional cultures in its work related to cybersecurity: during the Chairmanship Event ‘Promoting implementation, supporting negotiations’ in November 2014, representatives of the corporate sector had important inputs related to the protection of critical infrastructure, while the non-government and academic sectors outlined their possible contribution to evidence-based policy-making through research and capacity building. This was an important signal to participating states to also embrace a multistakeholder approach to cybersecurity.
Developing institutional and professional capacities is recognised in various forums as a precondition for successful implementation of confidence-building measures. Capacity building, however, goes beyond training sessions, and includes a comprehensive set of learning, coaching, research, and policy immersion. It should also target various levels and various professional groups: from ambassadors to junior diplomats, from ministers and parliamentarians to policy developers, from corporate CEOs to project managers, from NGO leaders to practitioners in the field.
Following the community-based updates of Diplo's famous Internet Governance Building under Construction illustration, in which cybersecurity has recently emerged as a separate floor, we are also strengthening our capacity building programmes in cybersecurity:
We invite you to join us and follow the updates at: http://www.diplomacy.edu/cybersecurity
Let's start raising awareness with an illustrated calendar for 2015:
(You can download a print-ready version of the calendar here [PDF, 22MB])