De-escalation Is The Answer To Growing Cyber Tension

Uploaded on 2015-11-25 in NEWS-Cybersecurity News, GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW

Presidents Xi and Obam talk peace.

Leading up to Chinese President Xi Jinping’s visit to the United States, media buzzed with talk of an unprecedented cybersecurity agreement on par with previous governance around the creation and handling of nuclear, chemical and biological weapons.

But what was built up to be the first arms control accord for cyberspace actually turned out to be quite anticlimactic.
The agreement as it stands stops short of putting an end to international cyberattacks, failing to address theft of corporate information for espionage and stealing of government records and other sensitive data not aimed at commercial gain. It also doesn’t even mention a safeguard against attacks targeting critical infrastructure. Instead, it focused on ending government support — particularly in China — of cyberattacks that aim to steal corporate data for economic benefit, paired with a plan to better cooperate for future investigation of cybercrimes in both nations.

Even ignoring the exceedingly narrow realm of information protected, the pact is mired in a grey area. It’s been noted that President Obama claims the agreement is a work in progress, in which case it is left to be seen whether China will follow through. President Xi  has taken a self-preservatory stance with a caveat to his own promise of full cooperation: That he can’t be expected to guarantee the Chinese population of 1.3 billion people will abide. The impact of the pact is nullified by this reluctance to enforce strong parameters.

What do we get? An “agreement.” It’s weak at best, considering it contains no international standards of conduct in cyberspace. It’s the Wild West of technology, and the only thing we can rely upon to keep both nations honest is someone’s word. Given that China has been accused of executing the OPM breach and implicated by the likes of my former colleague, NSA Director Adm. Michael Rogers for supporting cyber attacks against the US (despite constant denial), it’s hard for the Obama administration to trust that Xi and his own government will fully cooperate.

That said, even through the easy criticisms of a weak agreement, there’s no denying it is a step in the right direction. An international framework to guide cyber capabilities does need to be established, and this pact — narrow as it may be — is a start, and an important one. But there are two faces to this coin. Because the world lacks an existing policy framework on this topic, failing to follow through on the US-China agreement could be the first step in history toward an inevitable world cyberwar. Many reports have already branded our current era as the new Cold War, drawing similarities between developing cyberweapons and the nuclear arms race of a few decades ago.

One distinction, however, ups the ante: Access to cyberweapons is far more widespread, and phishing schemes that pilfer legitimate user credentials don’t even require malicious code. Moreover, advanced threats are nearly impossible to trace, and the Dark Web makes it easy to purchase malicious code without the threat of being identified.
As US Naval War College professor Michael Schmitt put it in a recent WSJ article, “It’s not like developing an air force. You don’t need to have your own cyberforce to have a very robust and very scary offensive capability.” In short, there is no enforceable way to control the production of cyber capabilities, and, once executed, attribution is nearly impossible.
Impending Cyberwar Or Cooperation?

Today, we have two paths in front of us. One leads to disaster and cyberwar, the other to strong cooperation and a secure cyberspace. To avoid the former, we need to establish laws and policies that would elevate and protect the cyber capabilities of participating nation-states while also allowing them to defend their own networks and infrastructure from outside threats. Models are already at play from the nuclear Non-Proliferation Treaty to the Chemicals Weapons Convention. It’s time to learn from those agreements and carry the knowledge over into the cyber realm.

This won’t be easy. It will prove challenging to make an enforceable regulatory crossover to the abstract and behavior-driven nature of cybersecurity. Tangible weapons require a lot of steps before production, which can be monitored and controlled. In contrast, with cyberweapons, all it takes is a computer and a few lines of code — and sometimes no code at all. Not to mention that trying to manage the individuals behind development of cyberweapons may turn out to be impossible.
The solution could lie in initiating a framework that would govern behavioral norms for software and hardware development, rooted in national and international policies and regulations. But there’s a fine line. Regulations should aim to protect but never handicap research and well-meaning development in the cybersecurity space. We cannot confuse policy and regulation for censorship, as the recently proposed changes to the Wassenaar Arrangement almost did.

However great the struggle to finding an even playing field for cyber regulations may be, it should not be a deterrent to making the necessary effort. We’ve recently begun seeing repercussions of the alternative, in the forms of government and industrial breaches. Perhaps the answer is not in regulation but in scaling back offensive cybersecurity technology, simialr to what has been done in the past with conventional weapons.
Techcrunch: http://tcrn.ch/1PbIbtc

 

« US Intelligence Faces A Diversity of Challenges
UK Crime Rate Rises Sharply as Cybercrime is Included »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

Cryptomathic

Cryptomathic

Cryptomathic is an expert on commercial crypto - we develop, deliver and support the most secure and efficient off-the-shelf and customised solutions.

Onspring

Onspring

Onspring is the cloud-based platform of choice for governance, risk and compliance (GRC) teams and business operations experts across multiple industries.

Sumo Logic

Sumo Logic

Sumo Logic simplifies how you collect and analyze machine data so that you can gain deep visibility across your full application and infrastructure stack.

Digital Arts

Digital Arts

Digital Arts provides internet security software and appliance products for companies and individuals.

ComCERT

ComCERT

ComCERT SA is an independent, private consulting company focusing in the assistance of its customers facing the dangers of cyber threats and security incidents.

Encore Media Group

Encore Media Group

Encore Media Group provide an international enterprise technology event series exploring IoT, Blockchain AI, Big Data, 5G, Cyber Security and Cloud.

CYBAVO

CYBAVO

CYBAVO is a cryptocurrency security company founded by experts from the cryptocurrency and security industries.

Lifetech

Lifetech

Lifetech is a software development, product engineering and system integration company. Cybersecurity services include SIEM deployment and training.

Aura

Aura

Aura is a mission driven technology company dedicated to creating a safer internet for everyone. We’re making comprehensive digital security that's simple to understand and easy to use.

AutoRABIT

AutoRABIT

AutoRABIT provides DevSecOps tools built specifically for Salesforce developers to increase release velocity, produce consistently high-quality code, and enhance data security.

Spec

Spec

Spec is the only no-code orchestration platform that protects enterprise fraud defenses from being blocked, bypassed, and manipulated by modern attack tactics.

Lasso Security

Lasso Security

Lasso Security is a pioneer cybersecurity company ensuring comprehensive protection for businesses leveraging generative AI and other large language model technologies.

FoxPointe Solutions

FoxPointe Solutions

FoxPointe Solutions is a full-service cyber risk management and compliance firm.

eGyanamTech (EGT)

eGyanamTech (EGT)

eGyanamTech provides robust security solutions tailored for Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) systems used in critical infrastructure systems.

Utilize

Utilize

Utilize is an award-winning technology company with over 25 years of industry expertise, we support hundreds of businesses across London and the South East.