Cyber Warfare Needs Rules Of Engagement

'I think all of us would agree that cyber space is the new battle space'

OpenWorld Former intelligence leaders have called for international terms of engagement in cyber warfare and greater collaboration between the public and private sectors to defend critical infrastructure.

The comments came at a security-focused keynote at this year's Oracle OpenWorld conference in San Francisco, where, instead of the usual parade of enthusiastic customers, co-CEO Mark Hurd took to the stage with three former spies.

John Scarlett, who led the UK's MI6 between 2004 and 2009, said that when it came to cyber-attacks, there was “no sense of the rules of the game” and no international or legal structure. 

This lack of terms of engagement was central to the reemergence of the great tension and rivalry between different actors, he told the audience today.

However, he conceded that it is “hard to see how they [rules of engagement] can be developed and agreed on,” and questionable whether any state would trust the various sides to implement them honestly.

“We have to get our brains thinking differently,” Scarlett said, arguing that the old way of thinking about attacks and defense didn’t translate into cyber threats.

The long-expected Cyber Pearl Harbor

His comments came in response to Hurd’s opening question, which asked what a “9/11 cyber-attack” would look like, a term that the Brit spy said that he was “wary” of using.

Similarly, former head of US homeland security Jeh Johnson said that the term was “rather provocative”, while pointing out that it could sometimes take years to assess the full impact of a cyber-attack.

That said, he did suggest that the impact that Russian interference in the 2016 US elections had on democracy could be as significant as the terrorist attacks in New York.

Johnson said that the open, free society in the US, and the access to it via the Internet, was both the nation’s greatest strength and a major vulnerability.

“I think all of us would agree that cyber space is the new battle space,” he said, adding that the best form of defense in this respect was a good offense, and that this should be a national and international priority for both governments and industry.

“We need to do a better job of public-private partnerships on defense of cyber space and our critical infrastructure,” he said.

Meanwhile, Michael Hayden, who has led both the National Security Agency and the Central Intelligence Agency, said that the answers will not be obvious, and that the rapid pace of technological development can lead to changing definitions on what constitutes security.

For instance, Hayden said that he had come down on the side of Apple in the battle between it and the feds seeking to break the encryption on the San Bernadino killer’s iPhone.

This was not on privacy grounds, or on commercial grounds, he said, but “on a broader definition of security”. Law enforcement’s requests were legitimate, he said, but “the costs of conceding exception access outweighed the benefits” in this case.

Flexibility and Possible Fixes

Hayden emphasised that this wasn’t about setting one hard and fast rule, as different factors might warrant a different decision; rather he urged a discussion of the balance of privacy, security, freedom and liberty.

Oracle has spent its annual gabfest touting the security credentials of its autonomous database and “second-generation” cloud infrastructure, and the decision to bring the three former intelligence bosses on stage also comes as it is eyeing up the Pentagon’s $10bn JEDI cloud contract.

And so it could hardly miss the opportunity to give its technology a plug, no matter how painfully orchestrated it was to have Big Red’s chief corporate architect Edward Screven sitting alongside the former spies, ready to big-up his firm’s new tech.

The session ended with the more cynical members of the audience rolling their eyes as Screven opined that there was “no such thing as a civilian” in cyber warfare now, all IT professionals are on the “cyber battlefield”, but, with the technology Oracle has developed, “we can be much more effective at defending that threat”. 

The Register:

You Might Also Read:

Why Has The US Not Been Hit With A Devastating Cyber Attack?

« Australia And NZ Announce Joint Pacific Cyber Cooperation
Stuxnet 2.0 - Iran Says Israel Has Launched New Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ClearDATA

ClearDATA

The ClearDATA Managed Cloud protects sensitive healthcare data using purpose-built DevOps automation, compliance and security safeguards, and healthcare expertise.

BehavioSec

BehavioSec

BehavioSec uses the way your customers type, swipe, and hold their devices, and enables them to authenticate themselves through their own behavior patterns.

National Cyber Summit (NCS)

National Cyber Summit (NCS)

The National Cyber Summit is the preeminent event for cyber training, education and workforce development aimed at protecting our nation's infrastructure from the ever-evolving cyber threat.

Cryptsoft

Cryptsoft

Cryptsoft provides key management and security software development toolkits based around open standards such as OASIS KMIP and PKCS#11.

Nucleon

Nucleon

Nucleon enables cybersecurity tools, organizations and software developers to become proactive by blocking threats before they become breaches.

UK Research & Innovation (UKRI)

UK Research & Innovation (UKRI)

UKRI works in partnership with universities, research organisations, businesses, charities, and government to create the best possible environment for research and innovation to flourish.

CyFIR

CyFIR

CyFIR is a network investigation and Incident Response tool for performing live computer investigations across any size enterprise.

SafeGuard Cyber

SafeGuard Cyber

The SafeGuard Cyber SaaS platform empowers enterprises to adopt the social and digital channels they need to reach customers, while reducing digital risk and staying secure and compliant.

L3Harris Technologies

L3Harris Technologies

L3Harris Technologies is a global aerospace and defense technology innovator, delivering solutions to meet mission-critical needs across air, land, sea, space and cyber domains.

Sunartek Labs

Sunartek Labs

Sunartek are equipped with expert resources and advanced technology to identify cyber threats and prevent any breach, bypassing the security network of your organization.

IntelliDyne

IntelliDyne

IntelliDyne is a leading information technology consulting firm enabling better mission performance through innovative technology solutions.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

RiskSmart

RiskSmart

RiskSmart empower risk, compliance, and legal teams with a tech-led and data-driven platform designed to save time, reduce costs and add real value to businesses.

CyberXposure

CyberXposure

CyberXposure has been built by a team comprising of Cyber Security Professionals and SAAS experts in data backup, disaster recovery and cyber-security.

TrustCloud

TrustCloud

TrustCloud is a global company specializing in the orchestration and custody of secure digital transactions including identification, signature, payments, and electronic custody.

AuthX

AuthX

AuthX provides secure and seamless log-in capabilities through strong authentication and integrations.