De-escalation Is The Answer To Growing Cyber Tension

Uploaded on 2015-11-25 in NEWS-Cybersecurity News, GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW

Presidents Xi and Obam talk peace.

Leading up to Chinese President Xi Jinping’s visit to the United States, media buzzed with talk of an unprecedented cybersecurity agreement on par with previous governance around the creation and handling of nuclear, chemical and biological weapons.

But what was built up to be the first arms control accord for cyberspace actually turned out to be quite anticlimactic.
The agreement as it stands stops short of putting an end to international cyberattacks, failing to address theft of corporate information for espionage and stealing of government records and other sensitive data not aimed at commercial gain. It also doesn’t even mention a safeguard against attacks targeting critical infrastructure. Instead, it focused on ending government support — particularly in China — of cyberattacks that aim to steal corporate data for economic benefit, paired with a plan to better cooperate for future investigation of cybercrimes in both nations.

Even ignoring the exceedingly narrow realm of information protected, the pact is mired in a grey area. It’s been noted that President Obama claims the agreement is a work in progress, in which case it is left to be seen whether China will follow through. President Xi  has taken a self-preservatory stance with a caveat to his own promise of full cooperation: That he can’t be expected to guarantee the Chinese population of 1.3 billion people will abide. The impact of the pact is nullified by this reluctance to enforce strong parameters.

What do we get? An “agreement.” It’s weak at best, considering it contains no international standards of conduct in cyberspace. It’s the Wild West of technology, and the only thing we can rely upon to keep both nations honest is someone’s word. Given that China has been accused of executing the OPM breach and implicated by the likes of my former colleague, NSA Director Adm. Michael Rogers for supporting cyber attacks against the US (despite constant denial), it’s hard for the Obama administration to trust that Xi and his own government will fully cooperate.

That said, even through the easy criticisms of a weak agreement, there’s no denying it is a step in the right direction. An international framework to guide cyber capabilities does need to be established, and this pact — narrow as it may be — is a start, and an important one. But there are two faces to this coin. Because the world lacks an existing policy framework on this topic, failing to follow through on the US-China agreement could be the first step in history toward an inevitable world cyberwar. Many reports have already branded our current era as the new Cold War, drawing similarities between developing cyberweapons and the nuclear arms race of a few decades ago.

One distinction, however, ups the ante: Access to cyberweapons is far more widespread, and phishing schemes that pilfer legitimate user credentials don’t even require malicious code. Moreover, advanced threats are nearly impossible to trace, and the Dark Web makes it easy to purchase malicious code without the threat of being identified.
As US Naval War College professor Michael Schmitt put it in a recent WSJ article, “It’s not like developing an air force. You don’t need to have your own cyberforce to have a very robust and very scary offensive capability.” In short, there is no enforceable way to control the production of cyber capabilities, and, once executed, attribution is nearly impossible.
Impending Cyberwar Or Cooperation?

Today, we have two paths in front of us. One leads to disaster and cyberwar, the other to strong cooperation and a secure cyberspace. To avoid the former, we need to establish laws and policies that would elevate and protect the cyber capabilities of participating nation-states while also allowing them to defend their own networks and infrastructure from outside threats. Models are already at play from the nuclear Non-Proliferation Treaty to the Chemicals Weapons Convention. It’s time to learn from those agreements and carry the knowledge over into the cyber realm.

This won’t be easy. It will prove challenging to make an enforceable regulatory crossover to the abstract and behavior-driven nature of cybersecurity. Tangible weapons require a lot of steps before production, which can be monitored and controlled. In contrast, with cyberweapons, all it takes is a computer and a few lines of code — and sometimes no code at all. Not to mention that trying to manage the individuals behind development of cyberweapons may turn out to be impossible.
The solution could lie in initiating a framework that would govern behavioral norms for software and hardware development, rooted in national and international policies and regulations. But there’s a fine line. Regulations should aim to protect but never handicap research and well-meaning development in the cybersecurity space. We cannot confuse policy and regulation for censorship, as the recently proposed changes to the Wassenaar Arrangement almost did.

However great the struggle to finding an even playing field for cyber regulations may be, it should not be a deterrent to making the necessary effort. We’ve recently begun seeing repercussions of the alternative, in the forms of government and industrial breaches. Perhaps the answer is not in regulation but in scaling back offensive cybersecurity technology, simialr to what has been done in the past with conventional weapons.
Techcrunch: http://tcrn.ch/1PbIbtc

 

« US Intelligence Faces A Diversity of Challenges
UK Crime Rate Rises Sharply as Cybercrime is Included »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

One Identity

One Identity

One Identity delivers identity governance, access management, and privileged account management solutions that facilitate and secure your digital transformation.

Cyanre

Cyanre

Cyanre delivers state of the art cyber forensic services through software technologies and procedures that exceed conformities of major law enforcement agencies across the globe.

ID Agent

ID Agent

ID Agent provides a comprehensive set of threat intelligence and identity monitoring solutions.

Gemserv

Gemserv

Gemserv is a specialist market design, governance and assurance services consultancy.

miniOrange

miniOrange

miniOrange is a cloud and on-premise based identity and access management (IAM) solution provider.

Metrarc

Metrarc

Metrarc has developed a ground-breaking technology called ICMetrics™ for deriving secure encryption keys from the properties of digital systems without the need to store any of the encryption keys.

Bio-Morphis

Bio-Morphis

Bio-Morphis Reflex solution is a paradigm shift in the approach to information systems security.

SensorHound

SensorHound

SensorHound’s mission is to improve the security and reliability of the Internet of Things (IoT).

Enso Security

Enso Security

Enso is the first Application Security Posture Management (ASPM) solution, helping security teams everywhere eliminate their AppSec chaos with application discovery, classification and management.

Capital Network Solutions

Capital Network Solutions

Capital Network Solutions are a highly accredited managed IT services and consultancy provider, specialising in cyber security, infrastructure and communications.

IntegraONE

IntegraONE

IntegraONE is a IT solutions provider offering a full range of networking and technology solutions.

Senteon

Senteon

Senteon is a turnkey cybersecurity platform designed to make securing confidential data affordable, understandable, and streamlined for small-to-mid sized businesses and MSPs.

SE Ventures

SE Ventures

SE Ventures provides capital to big ideas and bold entrepreneurs who can benefit from Schneider Electric's deep domain expertise, R&D assets, and global customer base.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

LOCH Technologies

LOCH Technologies

LOCH Wireless Machine Vision platform delivers next generation cybersecurity, performance monitoring, and cost management for all 5G and for broad-spectrum IoT, IoMT and OT wireless environments.