Governments need to treat cybersecurity like “a core national and economic security concern and not a boutique technical issue,” global cyber expert Chris Painter said in a report released today.
This was one of several recommendations provided by Painter in a cyberwarfare policy paper, ‘Deterrence in cyberspace’, released by The Australian Strategic Policy Institute and Australian Computer Society (ACS).
“If cyberattacks really pose a significant threat, governments need to start thinking of them like they think of other incidents in the physical world,” said Painter.
“It is telling that [U.K.] Prime Minister Theresa May made public attribution of the Salisbury poisonings in a matter of days and followed up with the consequences shortly thereafter. Her decisive action also helped galvanise an international coalition in a very short time frame,” he said in the report.
“Obviously that was a serious matter that required a speedy response, but the speed was also possible because government leaders are more used to dealing with physical world incidents. They still don’t understand the impact or importance of cyber events, or have established processes to deal with them.”
Painter added that mainstreaming the cyber issue also expands and makes existing response options more effective. A prime reason for the US-China accord on intellectual property theft was the fact that it was considered a core economic and national security issue that was worth creating friction in the overall US-China relationship, he added.
Meanwhile, the report also recommended shortening the attribution cycle. Making progress on speeding technical attribution will take time but delays caused by equity reviews, interagency coordination, political willingness, and securing agreement among several countries to share in making attribution are all areas that can be streamlined, the report said.
“Often the best way to streamline these kinds of processes is to simply exercise them by doing more public attribution while building a stronger political commitment to call bad actors out.
“The WannaCry and NotPetya public attributions are a great foundation for exercising the process, identifying impediments and speeding the process in the future. Even when attribution is done privately, practice can help shorten interagency delays and equity reviews,” Painter said in the report.
He said attribution six months or one year after the fact, with the vague promise of future consequences, will often ring hollow, particularly given the poor track record of imposing consequences in the past.
“When attribution can be made quickly, the promise of a future response is understandable, but delaying the announcement until it can be married with a response may be more effective,” Painter added.
Other recommendations included building flexible alliances of like-minded countries to impose costs on bad actors, improving diplomatic messaging, and determining potential adversary-specific deterrence strategies.
ACS president, Yohan Ramasundara, said that many of the major malware outbreaks of the past few years have been developed from tools stolen or copied from the products of state-sponsored hacking groups. This has had an impact far wider than national security, he said.
“The malware developed from these tools has affected businesses and individuals as well. If we deter the use of these tools, then the internet will become safer for all of us.”