21 February 2017

How can nation states win the unfolding cyberwar?

Jane McCallion

Hawkishness and 'Swiss' neutrality go head-to-head at RSA Conference 2017

Nation state hacking is putting democracy and civilian welfare at risk, but there is little consensus on how to deal with this issue.

In two contrasting talks at RSA Conference 2017, Michael McCaul, chairman of the House Homeland Security Committee in the US, and Brad Smith, Microsoft chief legal officer, struck markedly different tones when discussing how to approach these issues.

In his keynote, McCaul said: "It's clear to me that our adversaries are turning digital breakthroughs into digital bombs ... our cyber rivals are overtaking our defences."

"The combatants are everywhere – and the phones in your pockets are the battle space," McCaul continued. "Our democracy itself is at risk. Last year, there's no doubt in my mind that the Russian government tried to undermine and influence our elections.

"The crisis was the biggest wakeup call yet that cyber intrusions have the potential to jeopardise the very fabric of our republic."

McCaul pointed to several issues making things harder for those trying to defend against attacks, including a lack of resources.

"There are more cyber outlaws than cyber sheriffs to round them up. A lot of hackers out there should be behind bars, but law enforcement agencies at all levels are struggling to keep up with the volume and complexity of network intrusions.

"Today, in some cases, the United States government is fighting 21st Century threats with 20th Century technology and a 19th Century bureaucracy," he claimed.

McCaul also said there's "a real paradox between national security and digital security".

"Nowhere is this more obvious than with the terror threat," McCaul claimed. "We have a new generation of terrorists who are recruiting over the internet and using virtual safe havens to escape detection and force their propaganda on a global internet scale.

"We have the brutal attacks in Paris and Brussels as tragic examples and reminders of how terrorists stay under the radar by using end-to-end encryption on their phones to cover their tracks."

However, McCaul said governments "must resist the temptation to go after [them] with simple knee-jerk responses".

"We cannot undermine encryption ... it's the bedrock of our internet security. But at the same time we can't allow groups like ISIS to remote control terrorist attacks using the darkness of the web," he added.

Nevertheless, the US "must respond to attacks decisively" if it's to win the war against these varied adversaries, he said.

"We're feeling tectonic shifts on the virtual ground beneath us and our current cyber plans just won't cut it," said McCaul. "Our ability to win the war in cyberspace depends on our ability to deliver consequences by striking back when appropriate."

McCaul's somewhat hawkish tone was in stark contrast to Smith's keynote, however.

Microsoft's Smith called for a digital Geneva Convention and an equivalent of the International Atomic Energy Association (IAEA) to protect civilians.

"We suddenly find ourselves living in a world where nothing seems off limits to nation state attacks. Conflicts between nations are no longer confined to the ground, sea and air, as cyberspace has become a potential new and global battleground," said Smith.

This, he said, is something that needs to change, with the introduction of new international norms.

"Just as the world's governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to ... [protecting] civilians on the internet in times of peace."

As for the digital IAEA equivalent, Smith said: "This organisation should consist of technical experts from across governments, the private sector, academia and civil society with the capability to examine specific attacks and share the evidence showing that a given attack was by a specific nation-state. Only then will nation-states know that if they violate the rules, the world will learn about it."

Finally, there's an important role for the tech sector to play. It must be a neutral "digital Switzerland", said Smith, meaning tech companies agree never to help governments of any stripe attack civilians and civilian infrastructure.

"This commitment to 100% defense and 0% offense has been fundamental to our approach as a company and an industry. And it needs to remain this way in the future," he concluded.

Features editor Jane McCallion is on the ground at RSA Conference 2017 in San Francisco all week. Follow her on Twitter for live updates and bookmark our dedicated page for more coverage from the business security conference.

No comments: