De-escalation Is The Answer To Growing Cyber Tension

Uploaded on 2015-11-25 in NEWS-Cybersecurity News, GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW

Presidents Xi and Obam talk peace.

Leading up to Chinese President Xi Jinping’s visit to the United States, media buzzed with talk of an unprecedented cybersecurity agreement on par with previous governance around the creation and handling of nuclear, chemical and biological weapons.

But what was built up to be the first arms control accord for cyberspace actually turned out to be quite anticlimactic.
The agreement as it stands stops short of putting an end to international cyberattacks, failing to address theft of corporate information for espionage and stealing of government records and other sensitive data not aimed at commercial gain. It also doesn’t even mention a safeguard against attacks targeting critical infrastructure. Instead, it focused on ending government support — particularly in China — of cyberattacks that aim to steal corporate data for economic benefit, paired with a plan to better cooperate for future investigation of cybercrimes in both nations.

Even ignoring the exceedingly narrow realm of information protected, the pact is mired in a grey area. It’s been noted that President Obama claims the agreement is a work in progress, in which case it is left to be seen whether China will follow through. President Xi  has taken a self-preservatory stance with a caveat to his own promise of full cooperation: That he can’t be expected to guarantee the Chinese population of 1.3 billion people will abide. The impact of the pact is nullified by this reluctance to enforce strong parameters.

What do we get? An “agreement.” It’s weak at best, considering it contains no international standards of conduct in cyberspace. It’s the Wild West of technology, and the only thing we can rely upon to keep both nations honest is someone’s word. Given that China has been accused of executing the OPM breach and implicated by the likes of my former colleague, NSA Director Adm. Michael Rogers for supporting cyber attacks against the US (despite constant denial), it’s hard for the Obama administration to trust that Xi and his own government will fully cooperate.

That said, even through the easy criticisms of a weak agreement, there’s no denying it is a step in the right direction. An international framework to guide cyber capabilities does need to be established, and this pact — narrow as it may be — is a start, and an important one. But there are two faces to this coin. Because the world lacks an existing policy framework on this topic, failing to follow through on the US-China agreement could be the first step in history toward an inevitable world cyberwar. Many reports have already branded our current era as the new Cold War, drawing similarities between developing cyberweapons and the nuclear arms race of a few decades ago.

One distinction, however, ups the ante: Access to cyberweapons is far more widespread, and phishing schemes that pilfer legitimate user credentials don’t even require malicious code. Moreover, advanced threats are nearly impossible to trace, and the Dark Web makes it easy to purchase malicious code without the threat of being identified.
As US Naval War College professor Michael Schmitt put it in a recent WSJ article, “It’s not like developing an air force. You don’t need to have your own cyberforce to have a very robust and very scary offensive capability.” In short, there is no enforceable way to control the production of cyber capabilities, and, once executed, attribution is nearly impossible.
Impending Cyberwar Or Cooperation?

Today, we have two paths in front of us. One leads to disaster and cyberwar, the other to strong cooperation and a secure cyberspace. To avoid the former, we need to establish laws and policies that would elevate and protect the cyber capabilities of participating nation-states while also allowing them to defend their own networks and infrastructure from outside threats. Models are already at play from the nuclear Non-Proliferation Treaty to the Chemicals Weapons Convention. It’s time to learn from those agreements and carry the knowledge over into the cyber realm.

This won’t be easy. It will prove challenging to make an enforceable regulatory crossover to the abstract and behavior-driven nature of cybersecurity. Tangible weapons require a lot of steps before production, which can be monitored and controlled. In contrast, with cyberweapons, all it takes is a computer and a few lines of code — and sometimes no code at all. Not to mention that trying to manage the individuals behind development of cyberweapons may turn out to be impossible.
The solution could lie in initiating a framework that would govern behavioral norms for software and hardware development, rooted in national and international policies and regulations. But there’s a fine line. Regulations should aim to protect but never handicap research and well-meaning development in the cybersecurity space. We cannot confuse policy and regulation for censorship, as the recently proposed changes to the Wassenaar Arrangement almost did.

However great the struggle to finding an even playing field for cyber regulations may be, it should not be a deterrent to making the necessary effort. We’ve recently begun seeing repercussions of the alternative, in the forms of government and industrial breaches. Perhaps the answer is not in regulation but in scaling back offensive cybersecurity technology, simialr to what has been done in the past with conventional weapons.
Techcrunch: http://tcrn.ch/1PbIbtc

 

« US Intelligence Faces A Diversity of Challenges
UK Crime Rate Rises Sharply as Cybercrime is Included »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Bromium

Bromium

Bromium deliver a new technology called micro-virtualization to address the enterprise security problem and provide protection for end users against advanced malware.

StoneFly

StoneFly

StoneFly offers High Availability, high performance cluster and scale out storage, and backup and disaster recovery appliances.

Cloudrise

Cloudrise

Cloudrise are elevating cloud security, data protection, and privacy through assessment, technology enablement, and process automation.

Dell Technologies Capital

Dell Technologies Capital

At Dell Technologies Capital we lead investment in disruptive, early-stage startups in enterprise and cloud infrastructure.

SecureLogix

SecureLogix

SecureLogix deliver a unified voice network security and call verification solution. Protect against call attacks & fraud.

Stratum Security

Stratum Security

Stratum Security is an information security consulting company that focuses on providing clear and concise risk guidance to its clients through high quality assessment services.

Boeing

Boeing

Boeing is the world's largest aerospace company and leading manufacturer of commercial jetliners, defense, space and security systems.

Institute for Security and Technology (IST)

Institute for Security and Technology (IST)

The Institute for Security and Technology's goal is to provide the tools and insights needed for companies and governments to outpace emerging global security threats.

TryHackMe

TryHackMe

TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. We have content for both complete beginners and seasoned hackers.

Accedian

Accedian

Accedian is a leader in performance analytics and end user experience solutions, dedicated to providing our customers with the ability to assure their digital infrastructure.

Crayon

Crayon

Crayon is a customer-centric innovation and IT services company. We provide guidance on the best solutions for our clients’ business needs and budget with software, cloud, AI and big data.

Paramount Defenses

Paramount Defenses

Paramount Defenses have unrivaled capability in two of the most critical areas in cyber security today – Active Directory Security and Privileged Access.

Edera

Edera

Edera is changing the way containers are run and secured, making isolation a reality and fundamentally transforming computing in the process.

DeepStrike

DeepStrike

DeepStrike is a cutting-edge penetration testing company that specializes in providing Penetration Testing as a Service (PTaaS) and continuous penetration testing solutions.

Faddom

Faddom

Faddom is an agentless tool that visualizes your on-premises and cloud infrastructure, as well as their inter-dependencies.

BeckTek

BeckTek

BeckTek specialize in IT Cyber Security & Support, helping clients run their businesses faster, easier and more profitably.