De-escalation Is The Answer To Growing Cyber Tension

Presidents Xi and Obam talk peace.

Leading up to Chinese President Xi Jinping’s visit to the United States, media buzzed with talk of an unprecedented cybersecurity agreement on par with previous governance around the creation and handling of nuclear, chemical and biological weapons.

But what was built up to be the first arms control accord for cyberspace actually turned out to be quite anticlimactic.
The agreement as it stands stops short of putting an end to international cyberattacks, failing to address theft of corporate information for espionage and stealing of government records and other sensitive data not aimed at commercial gain. It also doesn’t even mention a safeguard against attacks targeting critical infrastructure. Instead, it focused on ending government support — particularly in China — of cyberattacks that aim to steal corporate data for economic benefit, paired with a plan to better cooperate for future investigation of cybercrimes in both nations.

Even ignoring the exceedingly narrow realm of information protected, the pact is mired in a grey area. It’s been noted that President Obama claims the agreement is a work in progress, in which case it is left to be seen whether China will follow through. President Xi  has taken a self-preservatory stance with a caveat to his own promise of full cooperation: That he can’t be expected to guarantee the Chinese population of 1.3 billion people will abide. The impact of the pact is nullified by this reluctance to enforce strong parameters.

What do we get? An “agreement.” It’s weak at best, considering it contains no international standards of conduct in cyberspace. It’s the Wild West of technology, and the only thing we can rely upon to keep both nations honest is someone’s word. Given that China has been accused of executing the OPM breach and implicated by the likes of my former colleague, NSA Director Adm. Michael Rogers for supporting cyber attacks against the US (despite constant denial), it’s hard for the Obama administration to trust that Xi and his own government will fully cooperate.

That said, even through the easy criticisms of a weak agreement, there’s no denying it is a step in the right direction. An international framework to guide cyber capabilities does need to be established, and this pact — narrow as it may be — is a start, and an important one. But there are two faces to this coin. Because the world lacks an existing policy framework on this topic, failing to follow through on the US-China agreement could be the first step in history toward an inevitable world cyberwar. Many reports have already branded our current era as the new Cold War, drawing similarities between developing cyberweapons and the nuclear arms race of a few decades ago.

One distinction, however, ups the ante: Access to cyberweapons is far more widespread, and phishing schemes that pilfer legitimate user credentials don’t even require malicious code. Moreover, advanced threats are nearly impossible to trace, and the Dark Web makes it easy to purchase malicious code without the threat of being identified.
As US Naval War College professor Michael Schmitt put it in a recent WSJ article, “It’s not like developing an air force. You don’t need to have your own cyberforce to have a very robust and very scary offensive capability.” In short, there is no enforceable way to control the production of cyber capabilities, and, once executed, attribution is nearly impossible.
Impending Cyberwar Or Cooperation?

Today, we have two paths in front of us. One leads to disaster and cyberwar, the other to strong cooperation and a secure cyberspace. To avoid the former, we need to establish laws and policies that would elevate and protect the cyber capabilities of participating nation-states while also allowing them to defend their own networks and infrastructure from outside threats. Models are already at play from the nuclear Non-Proliferation Treaty to the Chemicals Weapons Convention. It’s time to learn from those agreements and carry the knowledge over into the cyber realm.

This won’t be easy. It will prove challenging to make an enforceable regulatory crossover to the abstract and behavior-driven nature of cybersecurity. Tangible weapons require a lot of steps before production, which can be monitored and controlled. In contrast, with cyberweapons, all it takes is a computer and a few lines of code — and sometimes no code at all. Not to mention that trying to manage the individuals behind development of cyberweapons may turn out to be impossible.
The solution could lie in initiating a framework that would govern behavioral norms for software and hardware development, rooted in national and international policies and regulations. But there’s a fine line. Regulations should aim to protect but never handicap research and well-meaning development in the cybersecurity space. We cannot confuse policy and regulation for censorship, as the recently proposed changes to the Wassenaar Arrangement almost did.

However great the struggle to finding an even playing field for cyber regulations may be, it should not be a deterrent to making the necessary effort. We’ve recently begun seeing repercussions of the alternative, in the forms of government and industrial breaches. Perhaps the answer is not in regulation but in scaling back offensive cybersecurity technology, simialr to what has been done in the past with conventional weapons.
Techcrunch: http://tcrn.ch/1PbIbtc

 

« US Intelligence Faces A Diversity of Challenges
UK Crime Rate Rises Sharply as Cybercrime is Included »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Optimum Insurance

Optimum Insurance

Optimum's Cyber Risk & Data Protection Insurance policies are designed to protect against cyber exposures that arise when a company’s data and customer information is breached or stolen.

Falanx Cyber

Falanx Cyber

Falanx Cyber provides enterprise-class cyber security services and solutions. We deliver end-to-end cyber capabilities, either as specific engagements or as fully-managed services.

SecureBrain

SecureBrain

SecureBrain software and services help protect against Japanese-specific cybercrime and global internet security threats such as online fraud, phishing, drive-by downloads and malware attacks.

Cyber Discovery

Cyber Discovery

Cyber Discovery, the UK Government's Cyber Schools Programme, is a learning programme designed to give young people the opportunity to learn the skills needed to enter the cyber security profession.

LUCY Security

LUCY Security

LUCY is the answer when you want to increase your IT security, maintain your cyber security awareness, or test your IT defenses.

National Accreditation Agency of Ukraine (NAAU)

National Accreditation Agency of Ukraine (NAAU)

NAAU is the national accreditation body for Ukraine. The directory of members provides details of organisations offering certification services for ISO 27001.

Jenson Knight

Jenson Knight

Jenson Knight is a global cyber security, cloud and IT infrastructure staffing specialist.

BetaDen

BetaDen

BetaDen provides a revolutionary platform for businesses to develop next-generation technology, such as the internet of things and industry 4.0.

Netography

Netography

Netography provides a scalable and reliable platform for detection & remediation of cyber threats found on your network.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

Foundries.io

Foundries.io

Foundries.io have built a secure, open source platform for the world's connected devices, and a cloud service to configure this to any hardware and any cloud.

StrataCore

StrataCore

StrataCore is a single-source technology lifecycle advocate that works behind IT teams as a strategic partner to help them achieve peak enterprise outcomes.

Asimily

Asimily

Asimily’s IoMT risk remediation platform holistically secures the mission-critical healthcare devices that deliver safe and reliable care.

AdvIntel

AdvIntel

AdvIntel is a next-generation threat prevention and loss prevention company launched by a team of certified investigators, reverse engineers, and security experts.

Nerds On Site

Nerds On Site

Nerds On Site provide on-site & in-home IT and technical support, managed IT services, and cyber security through our collaborative team of highly-trained IT and Security professionals.

SafeLiShare

SafeLiShare

SafeLiShare’s data security platform unifies encryption strategies for organizations with hybrid and multi-cloud infrastructures, ensuring data is secure regardless of its location.