Why We Should Worry About A War On Cybercrime
As geopolitical tensions rise, cyberattacks propagated both by state-sponsored and criminal groups have risen even further up the list of concerns for governments and businesses worldwide. Cyberattacks are transitioning from being an issue of enterprise security to one of risk to public safety given attacks increasingly impact on Critical National Infrastructure and physical systems.
It might be that governments and law enforcement need to redefine the rules governing their response to cyberattacks, given such a situation is increasingly on the horizon.
In 2023, it is likely that an attack, or a series of attacks, will put lawmakers in a position where they feel that the only option is to go beyond current responses, and truly disrupt and deter the people behind the keyboards altogether. As such, this year, we need two major sets of actions.
One at the policy level is to review and implement changes to allow the appropriate capabilities across governments, especially regarding the prosecution and deterrence of actors. Secondly, the community must focus on generating more positive incentives for greater systemic resilience.
Policy Actions - Deterrence and Enforcement
In other security and defence policy areas, major events have given rise to government action that would once have been inconceivable. In the realm of cybersecurity, the speed at which the UK government suggested amendments to the rules governing Managed Security Providers (MSPs) by updating the Network and Information Systems Regulation after a wave of supply chain attacks, including Operation CloudHopper, shows that legislators are not afraid to act quickly t if they feel the need.
Organisations such as the British NCSC have been successful with improving cybersecurity policies, no state or multilateral organisation has yet come up with a robust definition of what “enforcement success’ means in the context of tackling cyber actors and states that provide safe harbours for threat actors.
It is also the case that many national governments have not yet fully legislated for the capabilities to prosecute cyber actors, such as in the UK of allowing the intercept of data to be disclosable in court, or in many jurisdictions, the use of Computer Network Exploitation to gather evidence by the police.
Not only is there an issue of better definitions and powers, but there would also have to be considerably more cooperation between national and supranational agencies, including better access to global data sources. This requires deep, scalable operations partnerships with law enforcement agencies globally. This still might be unpalatable to many, but necessary to be able to extradite hackers and press charges against them. For example, the issue of lack of sustained engagement with Russia is crucial to the global law enforcement community concerning cybercrime. One now being raised at the very highest level of Governments.
Incentive Models - A Focus on the Positive
Currently, too few companies have the bespoke capabilities, human resources, and training to secure the convergence of enterprise properly, namely the Internet of Things (IoT) and Operational Technology (OT) environments associated with Critical National Infrastructure.. This fact needs greater recognition from the community.
It should inspire more action to ensure a broader base of companies with the skills and capabilities required to protect our digital infrastructure, particularly that which supports critical national infrastructure.
Whilst we have plenty of negative incentive models in the form of regulation and penalties for non-compliance, these will only take us so far. We need more positive incentive models whereby the government works with the community to provide the capability, resources, and financial support required to build the proper ecosystem of organisations able to securely manage the complexity of critical national infrastructure environments. We have seen examples of this, such as payments to organisations by the US government to improve cybersecurity controls following the Colonial Pipeline. However, there needs to be deeper and more meaningful public-private cooperation if it is to make a real difference.
Time for Action
There is no getting away from the fact that the threat level continues to increase and is only headed in one direction. While governments and the cybersecurity community are working to improve cybersecurity controls and combat the risks that organisations face, there needs to be a more proactive focus on building cybersecurity companies with the capabilities and skill base required to combat cyber risks and prevent widespread public harm.
Without this, and on the current trajectory, we are almost sure to find ourselves in a situation where governments feel they have to take more extreme measures to deal with the threat, with all of the intended and unintended consequences such actions will bring.
Will Dixon is Global Head of the Academy and Community at ISTARI
You Might Also Read:
How To Prepare For A Cyber Crisis:
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquires: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible