Post Budapest – Pre Seoul: Towards International Cyber Norms – Decoupling E-Crime and Cyber Espionage

On Monday, November 12, the ICD engaged leading policy, technology, legal and academic cyber experts in a discussion of the major issues surrounding international best practices and security raised at the Budapest Second International Conference on Cyberspace, October 3-5, 2012; it was the second in a global triad of conferences initiated by the United Kingdom in November 2011 and concluding in South Korea in October 2013.  ICD members Anne Bader and Richard Stiennon opened the meeting with a report from the conference, which drew 900 government experts from 70 nations.   This report is a summary of that discussion, held under the Chatham House Rule.

What is the role of the Budapest Convention on Cybercrime, signed by 46 countries, and how will the ITU’s proposed new treaty affect cyber law enforcement?   How can an effective international law enforcement regime be coordinated to counter cyber-criminal activity?

International norms must require that appropriate security systems are in place and implemented. 

“Shamoon was a targeted attack, but obviously technologically simple.  Any kid who’s taken a computer science class could have written it.  The problem was that there was nothing to stop it.  It wasn’t pretty or fancy, and didn’t want to change things; all it did was to create disruption, akin to a dirty bomb.”

“What about educating people to try and prevent this? The issue is that they DID know, but that they didn’t prepare.”

Business systems and control systems must be separate. 

“There need to be more boundaries between business and infrastructure networks.   If you can get on the network, there’s no further identification or security needed.  There is not enough compartmentalization of networks, not enough check points.  A freelancer tries to be more efficient and creates a patch that integrates the systems.  We have to keep business systems and control systems separate.”
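The remark above describes the failure mode exactly: a well-meaning integration "patch" lets a business host talk straight to a control-system device, and nothing on the network notices. One way to make the missing checkpoint visible is to audit flow records against a written segmentation policy. The script below is an added example for this report, not code from the ICD or any participant; the zone subnets, the single jump-host address, the allowed admin ports and the flow records are all constructed for illustration. It flags any business-to-control or control-to-business crossing that does not pass through the checkpoint, including the "freelancer's patch" case of an ERP server polling a PLC directly on the Modbus port.

```python
"""Audit flow records for business/control-zone crossings that bypass the checkpoint.

Added example; the addresses, ports and log lines are hypothetical.
"""
from ipaddress import ip_address, ip_network

# Assumed zone layout (hypothetical addresses, not from the report).
ZONES = {
    "business": [ip_network("10.10.0.0/16")],
    "control":  [ip_network("10.200.0.0/16")],
    "jump":     [ip_network("10.50.0.5/32")],   # the single permitted checkpoint
}
# Ports the jump host may use into the control zone (interactive admin only).
JUMP_ALLOWED_PORTS = {22, 3389}


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'other' if it is in no known zone."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in n for n in nets):
            return name
    return "other"


def parse_flow(line: str) -> dict:
    """Parse a constructed 'ts src=.. dst=.. dport=.. proto=..' record into a dict."""
    ts, *kv = line.split()
    flow = dict(tok.split("=", 1) for tok in kv)
    flow["ts"] = ts
    flow["dport"] = int(flow["dport"])
    return flow


def check_flow(flow: dict):
    """Return None if the flow respects the segmentation policy, else a reason string."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if dst == "control":
        if src == "control":                       # traffic inside the control zone
            return None
        if src == "jump" and flow["dport"] in JUMP_ALLOWED_PORTS:
            return None                            # admin session via the checkpoint
        return (f"{src} host {flow['src']} reached control zone "
                f"{flow['dst']}:{flow['dport']} without passing the checkpoint")
    if src == "control":                           # control devices never initiate outward
        return (f"control host {flow['src']} initiated a connection out to "
                f"{dst} zone {flow['dst']}:{flow['dport']}")
    return None


def audit(lines):
    """Return (timestamp, reason) for every flow that violates the policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow["ts"], reason))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    "2012-11-12T09:00:01 src=10.10.4.7 dst=10.10.9.2 dport=443 proto=tcp",    # business-internal: fine
    "2012-11-12T09:00:05 src=10.50.0.5 dst=10.200.1.9 dport=22 proto=tcp",    # jump host admin session: fine
    "2012-11-12T09:00:09 src=10.10.4.7 dst=10.200.1.9 dport=502 proto=tcp",   # ERP server polling a PLC directly: violation
    "2012-11-12T09:00:12 src=10.200.1.9 dst=10.10.4.7 dport=445 proto=tcp",   # PLC-side host reaching into business: violation
    "2012-11-12T09:00:15 src=10.50.0.5 dst=10.200.1.9 dport=502 proto=tcp",   # jump host speaking Modbus, not admin: violation
    "2012-11-12T09:00:20 src=10.200.2.3 dst=10.200.1.9 dport=502 proto=tcp",  # control-internal Modbus: fine
]

if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_FLOWS):
        print(ts, reason)
```

The policy is deliberately asymmetric: nothing in the control zone may initiate outward, and only the jump host may initiate inward, and only on interactive admin ports. A historian or data-diode path would be added to `ZONES` and `check_flow` explicitly rather than by loosening the default, so that an undeclared integration shows up as a finding instead of quietly becoming the new normal.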

Create a network of authorities through private/public sector cooperation to reinforce international norms of behavior and compliance 

“Who is the main cyber-authority?  The UN?  The EU?  Interpol?  Individual governments?”

“There was a contention between treaties and regulations versus norms. The US and UK want norms, because we already have treaties.  Russia and China want treaties that give cyber control to the UN.”

“Actually, if there’s a cyber attack against a company, and it requires federal investigation, every embassy has an FBI attaché.  The company would contact the FBI, who would contact the Legat, who would reach out to the country.”

“You’re fixing problems and reclaiming customers’ data.   By going after cyber-criminals yourself as part of your job, does that make you a vigilante?”

Manage Risk and the Threat in the Supply Chains

“All protection plans will do SCRM.  It used to be all about resilience, but now it’s more about product integrity.  Where is the stuff coming from and to?  Who has access?  Cybersecurity is all about enterprise risk and business operations.”

“Companies need to do both risk AND threat management.  They need to identify key assets and publish a risk percentage for each asset.  This is fairly impossible to do, though, especially on a large scale.”

“Trusted supply chains just aren’t trustworthy enough.  You can never find a chain that goes all the way back.”

“It’s more important to understand your own risk tolerance first, and then worry about others.  Until I can articulate how much I’m willing to risk, I can’t do anything.  When having a trustworthy chain and a trustworthy supplier, I don’t need to know everything that he knows. I just need to know that he knows.”

“What an organization has to ask itself is:  What are the bad things I can tolerate?  What are the causes?  What can I do to mitigate them?  When you’re dealing with supply chain risk management, obviously the safest thing to do is to fabricate as much as possible yourself, especially the most critical pieces of infrastructure, though this may be unfeasible.  You also have to ask, how do you impose risk and tolerance in a legal sense?  On the Hill, maybe 5% of the talk in policy committees is technical input.”

“The ideal situation would be for all agencies to be wide-open and collaborative, but that hasn’t been perfectly achieved with any organization, much less with cybersecurity.  Though we could at the minimum try a similar approach to start down that way.”

As most states formulate their cyber strategies how can early leaders assist with capacity planning/sharing?

CEOs and four-star officers must be educated, held accountable, and advocate for increased technological safeguards.

“A big thing will be getting C-level folks involved.  In finance, the CFO level.  CIOs too.  The supply chain is how the world works, and it needs to be an integral part of cybersecurity.”

“We really need to underscore leadership at the top.  The Estonians are doing a great job at preventing and minimizing risks.  The Moldovans are also competent and experienced, and the new government is the push behind it.  They were still reluctant to talk in government buildings though, as they are still afraid of surveillance.”

“You have to make senior management aware that they have to be responsible for cybersecurity, and that it is an important issue.  The three things that are needed are leadership interest, increased technological safeguards, and more and better education.  Even attacks by nation states are aided by uneducated users who make it easier to be attacked.”

“The war in Georgia changed how NATO works, since it brought it to NATO’s attention.  Estonia is especially familiar with cyberattacks, after sustained DDoS attacks hit government in 2007.  They set up a center for excellence, and their president really cares about the issue.  This is a good example of starting cybersecurity at the top.”

How are Stuxnet and its family of associated cyber weapons changing the debate over state-sponsored attacks?

Attribution is as critical as context.

“The first concern is to stop the attack, then to figure out who did it.”

“We need to investigate.  Attribution is absolutely necessary.  You need to know the context in order to respond effectively.”

“You have to look at each situation differently to see your priorities.  You have to pick up the rubble first.  For espionage, wait it out, try to raise the costs of the espionage, and try to track it back to its source.”

“I think we have to narrow the focus.  We have to look at it as just another tool of espionage. Other entities are always going to attempt to do us harm and steal our information.”

“You have to worry about where the hack came from, and the level of response to an attack.  Shamoon could have been some 14 year old in California, and then the US attacks China or something.  It’s really important to know where it came from.”

“Cyber was 99% of what was discussed in Budapest.  Most other issues were actually attended to, and most delegates reported improvements.  There were some underlying themes though, such as Stuxnet, and the Sanger article.”

Deterrence and prevention are both priorities.

“We need to focus not just on preventing, but on deterrence.  We need deterrence by denial, making it more difficult to attack us, and deterrence by retribution.  In that case, attribution is completely necessary, and you have to know earlier instead of later.”

“South America will explode in cyber use and cyber attacks in the near future.  There is a proliferation of cyberweaponry in the region.”

“Now that there are cyberweapons, there are cyber-sales and a black market.”

“People can easily weaponize hardware, or buy weapons.”

“How strong is the analogue with real arms trafficking?”

“It’s more difficult to stop when it comes to cyberweapons, because it’s all on the internet, and there are no physical checkpoints or barriers.  Usually by the time you notice a cyberweapon, it’s because it’s already been used on you.”

Empower with intelligence. Decouple crime and espionage. Prevention is not enough; focus on removing the infection.

“People need to be empowered through intelligence.  We also need to decouple e-crime and espionage.  Start with intelligence asset collection and analysis.  At a simple level, a company needs to monitor vendors like Java, correlating it with the world.  Also, there is too much of a focus on prevention.  More than preventing them, the better thing to focus on improving is how long it takes to kick them out of a system.”

“Does anyone see a link between culture and analysis?  How can you put culture into the mix?”

“I definitely have seen attacker code vary by region.  You can see personal and culture influences on how code is written.”

Final thoughts

Cybersecurity is in large part a supply chain risk management issue.  Upper-level management and top leaders need to be aware of the costs and implications of cyber attacks, because the most effective change will come from the top down. There needs to be more segregation of systems and networks, with checks even within those networks. People need to be better educated on cybersecurity and on how networks work. While some countries like Estonia are aware of cyber threats, most of the developed world is not, and developing countries are criminally insecure due to budget constraints and corruption.

“The level of urgency just isn’t high enough.  Hackers already steal massive amounts of money and data.”

“It would take a national catastrophe to really motivate people, and then I’m sure there would be legislation in a matter of weeks.  Power and infrastructure are what’s most important.”

“An attack of Sandy-level damage taking place in two simultaneous locations would cripple the country.  You wouldn’t need a global power outage, just a targeted and sustained attack.”
