CYFY
On 3rd October I attended the CyFy conference held in Delhi, organised by ORF.
There was a session on The Militarisation of Cyberspace. Experts from Israel, NATO, Japan, UK, China, Italy and USA were there. Surprisingly, there was no representation from India!
The deliberations were disappointing for such a star-studded panel. Some of the issues discussed are given below.
There has been no consensus on norms, behaviour and international laws in cyberspace. The speed, size and persistence of cyber attacks are increasing every year. In 2017, the frequency of attacks by highly effective malware has been higher than usual. Massive attack campaigns like ransomware are increasing. Fresh ground, such as interfering in presidential elections and robbing central banks like Bangladesh's, provides new sources of revenue generation. Now there is a threat of EMP attacks. Some attacks, like ransomware, are disruptive in nature. There is a serious threat to the supply chain. Major attacks like WannaCry will impact the global economy and would undermine people's confidence in cyberspace. There will be more regulations in the name of cyber security. Developing countries must develop capabilities on their own.
Data is being encrypted and cannot be recovered. Encryption is not limited to the military. It has serious repercussions. There is a debate on privacy versus security; GG discussions are not reaching any consensus.
There is a need for responsible state behaviour in cyberspace. It should be voluntary and non-binding, with emphasis on resilience and more importance given to HRD and to training that develops the capability to understand technical issues and strategic political issues. This would help in making strategic decisions.
Attribution is a big issue. It is not that it cannot be done. It is difficult but possible. Big data analytics and other recent techniques can provide reasonable clues for identification. Attribution can be done by the government with its own resources, be they technical or non-technical. Non-technical means include diplomatic, intelligence, law enforcement, financial, economic, trade, etc.
Whether attribution is certain is difficult to say. However, governments do come to know. It is a separate question whether governments will say they know or don't know. Gathering evidence would require cooperation from the governments hosting the hackers. It is incumbent on the states hosting them to take responsibility. The question arises: how did everybody become reasonably certain that North Korea was behind the Sony attack?
How do we bring the international community together?
--- Cooperation with the private sector is crucial.
--- Technology.
--- Exercising by the government.
--- Exchange of classified information.
--- No country is alone. Have bilateral, regional, diplomatic and intelligence-level alliances.
--- Presently alliances are slack.
Military Domain
Armed forces are not immune. Lines between war and peace are getting blurred. Today attacks are hybrid in nature. Lawyers are raising the issue: soldiers are getting secured and citizens are getting attacked.
Resilience in the military domain is to be increased by:
--- A measured, informed approach
--- Investing in defence and resilience
--- A pledge at the strategic level, and getting the organisational structure in place
--- Keeping the channels of communication open
--- Employing best practices
The military should be prepared to operate in a contested and degraded environment. It must review its training, equipment and collaboration with other agencies on cyberspace.
Forty different countries are developing offensive cyber war capabilities. By themselves, armed forces cannot handle everything. The private sector and academia have to be incorporated. The capability of first responders is to be augmented, and there should be designs to limit losses in cyberspace.
Deterrence
If you don’t take action against bad actors doing bad things, they will do bad things again. How do we deter? It has to be done by credible measures. There should be a doctrine of deterrence.
Deterrence can be achieved by defence, retaliatory capability and an internet legal regime. An internet legal regime will take at least ten years.
Deterrence can be created by countermeasures when cyber attacks take place. It is complex because of attribution and political issues. To develop cyber capabilities, countries would need:
operational intelligence, tools installed in adversaries' systems, human resources to operate sophisticated tools, partnership with other stakeholder agencies, a look at the technical weaknesses of adversaries, etc.
How do we define deterrence? UNGG can look at that. Deterrence works at two levels:
--- With strong capability, it is a technical issue: punish the target.
--- For less developed countries it is a political problem. If you do not have capability, how do you deter?
For critical infrastructure, deterrence is by denial. Countries must improve protection measures and resilience, have collective responsibility, share best practices and take concrete steps to augment defence.
Mr Carl Bildt, former Prime Minister of Sweden and special representative, Global Commission on the Stability of Cyberspace, had a stern word of caution regarding the development of offensive cyber capabilities. He said, “If you employ offensive measures, you won’t know how it will end. It is a very, very dangerous domain. We are not aware what capabilities your adversaries have. It is always better to strengthen your cyber defensive capabilities.”