Pages

26 February 2019

Can We Wait Any Longer For A Multinational Cyber Treaty?

Corey Nachreiner

Each year, my company and I release a series of cybersecurity predictions for the upcoming year. One of our predictions for this year is that the United Nations (UN) will address the issue of state-sponsored cyberattacks by enacting a multinational cybersecurity treaty.

Unlike the majority of our predictions, which focus on scary evolutions in malware or attack techniques, this is one I actually hope comes true. Let’s explore why.

Why Do We Need An International Cyberwar Treaty?


Over the years, governments have become very active in “cyber.” Moving past mere defense, many have actively built “red teams” that carry out offensive cyberattacks against other countries, ranging from basic espionage and digital propaganda to assaults on infrastructure and stolen money or intellectual property (IP).

The public likely became broadly aware of state-sponsored attacks during 2010’s leak of Stuxnet, a sophisticated computer worm designed to infiltrate Iranian nuclear enrichment facilities. It successfully destroyed a significant percentage of Iran’s nuclear centrifuges at the Natanz nuclear facility, and while no country has officially claimed responsibility, significant evidence suggests it was a U.S. and Israeli operation.

Launching Stuxnet or “Operation Olympic Games” was like opening Pandora’s box. Though it was sophisticated enough to avoid detection and non-targeted machines, mistakes in its code allowed the worm to leak to other machines that put the threat in the hands of security researchers and antivirus companies. Once they released Stuxnet’s details to the public, governments saw proof that some nations were participating in aggressive cyberattacks.

I imagine some governments asked, “If the U.S. has taken off its cyber kid gloves, why shouldn’t we?” The public leak seems to have been the turning point, where government cyber operations that were previously more “passive” and covert turned serious.

Take the U.S. Office of Personnel Management (OPM) breach of 2015, allegedly a Chinese-led attack that compromised government employees’ Social Security numbers and fingerprints. And who can forget the Sony Pictures hack? Believed to be launched by North Korea over the planned releases of a particularly unflattering movie, this attack destroyed 100 terabytes of data and scuttled the company for weeks.

The list goes on. The 2016 U.S. presidential race was marred by incidents attributed to Russian threat actors, including stolen data from voter registration databases, the DNC breach and tons of fake social media activity designed to sway voter opinions.

In 2017, infections from self-spreading ransomware variant WannaCrycaused an estimated $4 billion in damages and even shut down U.K. health services. The attacks were attributed to North Korea this time. Shortly after that, the suspected Russian “false flag” attack NotPetya wreaked havoc throughout the world, masquerading as ransomware but wiping computers after ransom payments with no chance of data recovery.

As you can see, governments are getting much more aggressive with offensive cyber campaigns. Worse yet, they seem to be breaking certain unspoken rules of engagement, which is why a multinational cybersecurity agreement is so necessary.

What Makes 2019 The Year This Will Happen?

While it’s sometimes hard to argue why cyber espionage is acceptable, society has pretty much come to expect it. As long as cyber black ops doesn’t affect the average citizen, we can more easily accept it, whether or not we think espionage is right or wrong.

However, the same can’t be said of state-sponsored cyberattacks that affect everyday citizens and private business. Governments shouldn’t harm innocent civilians or steal IP or money from private companies and people. Yet, some of the latest nation-state attacks directly affect everyone. WannaCry, in particular, cost the world billions in damages, even though its perpetrators only made about $250,000.

Furthermore, recent attacks like the 2016 “election hacks” are the type of aggressive actions that could provoke a nation to respond to a cyberattack with a physical response -- especially if future perpetrators more directly hack election results. Based on these recent state-sponsored attacks, a cyberattack that results in a real war might not be far off.

What Has The UN Done So Far?

Given all this, you would think the UN would enact a multinational treaty. The truth is, they’ve been trying to for quite some time. As early as 2003, the UN set up a Group of Governmental Experts (GGE) to tackle cybersecurity issues. Interestingly, Russia was actually the first to propose this information security GGE working group. While it did come up with codes of conduct that make sense, certain language within the agreement prevented the delegation from coming to a consensus. In fact, when brought to vote, the U.S. was actually the only country to vote against the resolution.

In 2009, a second cybersecurity GGE group was set up, this time started by a report from delegates from Russia and China (and a few others). While this agreement did have a few things everyone could agree upon, the U.S., along with many other countries, voted against it.

So, why can’t we see eye to eye? In short, the U.S. and many other countries have been concerned with language in proposed resolutions that seems to give an individual state ultimate control over their own internet. While there doesn’t seem to be much disagreement on the cyberwarfare rules themselves, we are still fighting about whether we should govern cyberspace in a multilateral (every state owns their own) or multi-stakeholder (as a global community) fashion. Until we can compromise or remove this particular topic from our cyberwarfare resolutions, progress will continue to be a challenge.

The Cost Is Becoming Too Great

Recent state-sponsored attacks are getting out of hand. They’ve cost citizens and businesses around the world billions of dollars while making the world a more dangerous place. Whether or not the nuclear arms race is really over is up for debate, but we currently find ourselves in a dangerous cyber arms race. If the UN, or any other international body, doesn’t get the world’s superpowers to approve a multinational cyberwar code of conduct soon, we may find ourselves in a real war that could have easily been avoided.

No comments:

Post a Comment