De-escalation Is The Answer To Growing Cyber Tension

Presidents Xi and Obam talk peace.

Leading up to Chinese President Xi Jinping’s visit to the United States, media buzzed with talk of an unprecedented cybersecurity agreement on par with previous governance around the creation and handling of nuclear, chemical and biological weapons.

But what was built up to be the first arms control accord for cyberspace actually turned out to be quite anticlimactic.
The agreement as it stands stops short of putting an end to international cyberattacks, failing to address theft of corporate information for espionage and stealing of government records and other sensitive data not aimed at commercial gain. It also doesn’t even mention a safeguard against attacks targeting critical infrastructure. Instead, it focused on ending government support — particularly in China — of cyberattacks that aim to steal corporate data for economic benefit, paired with a plan to better cooperate for future investigation of cybercrimes in both nations.

Even ignoring the exceedingly narrow realm of information protected, the pact is mired in a grey area. It’s been noted that President Obama claims the agreement is a work in progress, in which case it is left to be seen whether China will follow through. President Xi  has taken a self-preservatory stance with a caveat to his own promise of full cooperation: That he can’t be expected to guarantee the Chinese population of 1.3 billion people will abide. The impact of the pact is nullified by this reluctance to enforce strong parameters.

What do we get? An “agreement.” It’s weak at best, considering it contains no international standards of conduct in cyberspace. It’s the Wild West of technology, and the only thing we can rely upon to keep both nations honest is someone’s word. Given that China has been accused of executing the OPM breach and implicated by the likes of my former colleague, NSA Director Adm. Michael Rogers for supporting cyber attacks against the US (despite constant denial), it’s hard for the Obama administration to trust that Xi and his own government will fully cooperate.

That said, even through the easy criticisms of a weak agreement, there’s no denying it is a step in the right direction. An international framework to guide cyber capabilities does need to be established, and this pact — narrow as it may be — is a start, and an important one. But there are two faces to this coin. Because the world lacks an existing policy framework on this topic, failing to follow through on the US-China agreement could be the first step in history toward an inevitable world cyberwar. Many reports have already branded our current era as the new Cold War, drawing similarities between developing cyberweapons and the nuclear arms race of a few decades ago.

One distinction, however, ups the ante: Access to cyberweapons is far more widespread, and phishing schemes that pilfer legitimate user credentials don’t even require malicious code. Moreover, advanced threats are nearly impossible to trace, and the Dark Web makes it easy to purchase malicious code without the threat of being identified.
As US Naval War College professor Michael Schmitt put it in a recent WSJ article, “It’s not like developing an air force. You don’t need to have your own cyberforce to have a very robust and very scary offensive capability.” In short, there is no enforceable way to control the production of cyber capabilities, and, once executed, attribution is nearly impossible.
Impending Cyberwar Or Cooperation?

Today, we have two paths in front of us. One leads to disaster and cyberwar, the other to strong cooperation and a secure cyberspace. To avoid the former, we need to establish laws and policies that would elevate and protect the cyber capabilities of participating nation-states while also allowing them to defend their own networks and infrastructure from outside threats. Models are already at play from the nuclear Non-Proliferation Treaty to the Chemicals Weapons Convention. It’s time to learn from those agreements and carry the knowledge over into the cyber realm.

This won’t be easy. It will prove challenging to make an enforceable regulatory crossover to the abstract and behavior-driven nature of cybersecurity. Tangible weapons require a lot of steps before production, which can be monitored and controlled. In contrast, with cyberweapons, all it takes is a computer and a few lines of code — and sometimes no code at all. Not to mention that trying to manage the individuals behind development of cyberweapons may turn out to be impossible.
The solution could lie in initiating a framework that would govern behavioral norms for software and hardware development, rooted in national and international policies and regulations. But there’s a fine line. Regulations should aim to protect but never handicap research and well-meaning development in the cybersecurity space. We cannot confuse policy and regulation for censorship, as the recently proposed changes to the Wassenaar Arrangement almost did.

However great the struggle to finding an even playing field for cyber regulations may be, it should not be a deterrent to making the necessary effort. We’ve recently begun seeing repercussions of the alternative, in the forms of government and industrial breaches. Perhaps the answer is not in regulation but in scaling back offensive cybersecurity technology, simialr to what has been done in the past with conventional weapons.
Techcrunch: http://tcrn.ch/1PbIbtc

 

« US Intelligence Faces A Diversity of Challenges
UK Crime Rate Rises Sharply as Cybercrime is Included »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManagedMethods

ManagedMethods

ManageMethods Cloud Access Monitor is the only Cloud Access Security Broker (CASB) that can be deployed in minutes, with no special training, and with no impact on users or networks.

Terranova Security

Terranova Security

Terranova is dedicated to providing information security awareness programs customized to your internal policies and procedures.

CyberSec.sk

CyberSec.sk

CyberSec.sk is the Slovak portal bringing the latest cyber security news, politics, tips and instructions on how to protect the internet.

Defence Intelligence

Defence Intelligence

Defence Intelligence is an information security firm specializing in advanced malware protection.

MER Group

MER Group

MER Group is a world-leading integrator in the areas of communications and security. MER cyber solutions cover the entire range of cyber and intelligence related products and services.

Sphonic

Sphonic

Sphonic provides regulated institutions of any size a powerful compliance & risk platform to quickly and securely onboard new customers and manage ongoing AML and Fraud & Risk trends.

Cynamics

Cynamics

Cynamics is the only network monitoring solution built specifically for Smart City, Public Safety and Critical Infrastructure networks.

Rigado

Rigado

Rigado's mission is to enable commercial IoT success by providing high-performance secure and scalable wireless edge connectivity and network infrastructure.

Pyxsoft PowerWAF

Pyxsoft PowerWAF

Pyxsoft PowerWAF responds to the problem of business cybersecurity. We protect our clients' websites and data against attacks and exploitation of all kinds of vulnerabilities.

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER)

US Marine Corps Forces Cyberspace Command (MARFORCYBER) conducts full spectrum military cyberspace operations in order to enable freedom of action in cyberspace and deny the same to the adversary.

Cufflink

Cufflink

Cufflink makes your business more secure, compliant and trusted. We limit the likelihood and impact of a data breach by controlling exactly what can and can't be done with personal data.

CornerStone

CornerStone

CornerStone is an award winning, independent risk, cyber and security consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.

ShellBoxes

ShellBoxes

ShellBoxes are a leading Web3 company focused on providing top-notch blockchain security and development services.

Exodata

Exodata

Exodata is a French digital services company specializing in the outsourcing of IT Systems and solutions.

ACDS (Advanced Cyber Defence Systems)

ACDS (Advanced Cyber Defence Systems)

ACDS was founded in the belief that cyber security can be done better. We’re combining emerging technologies and proven methods to bring a new approach to tackling the growing threat landscape.

Hubble

Hubble

Hubble grew from the idea that legacy solutions were failing to provide organizations with the asset visibility they needed to effectively secure and operate their businesses.