7 June 2018

State-sponsored cyber attacks deserve tougher responses: ASPI report

By Stilgherrian 

Naming and shaming isn't enough. Deterrence in cyberspace requires consequences. Potential adversaries should be put on notice about what's unacceptable, and what will happen if they cross the cyber line.


"If cyberattacks really pose a significant threat, governments need to start thinking of them like they think of other incidents in the physical world," says a new policy paper from the Australian Strategic Policy Institute (ASPI).

"It is telling that Prime Minister Theresa May made public attribution of the Salisbury poisonings in a matter of days and followed up with consequences shortly thereafter. Her decisive action also helped galvanise an international coalition in a very short time frame," it says.

"Obviously that was a serious matter that required a speedy response, but the speed was also possible because government leaders are more used to dealing with physical world incidents. They still don't understand the impact or importance of cyber events or have established processes to deal with them."

The paper, titled Deterrence in cyberspace, was released on Friday. The author is Chris Painter, formerly the world's first top cyber diplomat at the US State Department, now a Commissioner on the Global Commission for the Stability of Cyberspace (GCSC), and distinguished non-resident fellow at ASPI's International Cyber Policy Centre (ICPC).

Painter notes that while there's been progress in creating a set of cyberspace norms, or standards of behaviour, they mean little if there are no consequences for states that violate them.

"This is as true in the cyber world as in the physical one. Inaction creates its own norm, or at least an expectation on the part of bad state actors that their activity is acceptable because there are no costs for their actions and no likely costs for future bad acts," he writes.

Painter's solution is to speed up the attribution of cyber attacks, name and shame as soon as possible, and create a credible response beyond that -- ideally doing all of this as part of a collective multilateral action.

"Although attribution is often achievable, even if difficult, it still seems to take far too long -- at least for public announcements of state attribution," he writes.

Delays can be due to the technical difficulty of gathering evidence; balancing the benefits of going public against the risk of compromising the "sources and methods" of intelligence gathering; and "the need to summon the political will to announce blame and take action".

"All of these cycles need to be shortened," Painter writes.

Public attribution, or "naming and shaming", can be an effective tool, especially when done collectively. When seven nations including Australia, the US, and UK attributed the NotPetya cyber attacks to Russia in February, that was a coordinated diplomatic action.

But it has its limits.

"Naming and shaming has little effect on states that don't care if they're publicly outed and has the opposite effect if the actor thinks their power is enhanced by having actions attributed to them ... It's doubtful that naming and shaming alone will change either North Korea's or Russia's conduct," Painter writes.

Painter is calling for states to use and expand the tools already in their toolkits.

"The current tools that can be used in any instance to impose consequences are diplomatic, economic (including sanctions), law enforcement, cyber responses, and kinetic responses," he writes.

"Some of them have been used in the past to varying degrees and with varying levels of effectiveness but not in a consistent and strategic way. Some, like kinetic responses, are highly unlikely to be used unless a cyber event causes death and physical injury similar to a physical attack. Others admittedly take a while to develop and deploy, but we have to have the political willingness to use them decisively in the appropriate circumstances and in a timely manner."

The US government, for example, has had the power to impose cyber-specific sanctions since April 2015, but has only used them twice: once in December 2017 against Russian actors for election interference and a second time in March 2018, again against Russian actors.

"For the threat of sanctions to be taken seriously, they must be used in a more regular and timely manner, and their targets should be chosen to have a real effect on the violating state's decision-making."

Painter's recommendations include shortening the attribution cycle or, if attribution can't be made quickly, coupling the eventual public attribution with "at least one visible responsive action". He also calls for cybersecurity to be "mainstreamed" and treated as a core national and economic security concern, not as "a boutique technical issue".

"We must change the calculus of those who believe this is a costless enterprise. Imposing effective and timely consequences for state-sponsored cyberattacks is a key part of that change," he writes.
