1 March 2020

#RSAC: What Governments Should Do to Respond to Nation State Attacks

Sean Michael Kerner 

Nation states are actively attacking digital and internet-connected assets, but whether or not the US and other governments are doing enough to stop those attacks is a burning question that was debated in a session at the RSA Conference in San Francisco.

Individuals and even organizations sometimes question whether nation state cybersecurity attacks matter, a view that Tom Corcoran, head of cybersecurity at Farmers Insurance Group, disagreed with. In his view, whether we like it or not, cyber space attacks matter to everyone now. To reinforce his point, he cited a famous quote attributed to Russian revolutionary Leon Trotsky at the turn of the twentieth century: “You may not be interested in war, but war is interested in you.”

What Nation States Want

The reasons why different nations engage in cybersecurity attacks are wide and varied, though Stewart Baker, partner at Steptoe & Johnson LLP, summarized the key threat actors succinctly.


“The Chinese just want to steal everything, Iran is out for revenge and the Russians just want to screw us up,” he said.

Ambassador Timo Koster, ambassador-at-large, Ministry of Foreign Affairs of the Kingdom of the Netherlands, had a somewhat more nuanced view on why different countries engage in cybersecurity attacks. In Koster’s view, there is a link between the nations that attack others over the internet, and what they do to their own people.

“They are largely authoritarian regimes that have a disregard for individual and collective human rights and that is exactly what they do to other nations,” Koster argued.

Liesyl Franz, senior policy advisor, Office of the Coordinator for Cyber Issues at the US Department of State, noted that each nation state has its own motivations for attacks, and that this all comes into play in how the US and other governments can deter them. She also noted that there are things that the US is in fact doing to deter nation state-backed cyber-attacks.

“Over the last 18 months, we have taken progressively nimble steps to call out nation state behavior in cyber, to attribute malicious cyber-behavior, calling them out and saying why it is bad and what harm it does,” she said.

One such action occurred on February 20 when the US government publicly accused Russia of a major cyber-attack in the Republic of Georgia. Franz noted that the US government isn’t just looking to “name and shame” nation states but rather it is looking to establish a framework for responsible state behavior in the cyber-domain.

“We think that the diplomatic aspect of the public attributions we made may not work today for what happened in Georgia,” Franz admitted.

She added that the next step after public disclosure could be sanctions or legal indictments. Koster added that deterrence in cyber space is a difficult thing and there is a need to have a continuum of responses available to help influence decisions and ultimately deter nation state cyber-attacks.

With cyber-attacks, there is also a large risk of unintended consequences, which is another challenge that governments will need to consider. One primary example of that risk comes from the NotPetya attack, which has been attributed to Russia as a specific attack against Ukraine. The NotPetya attack, however, had a much broader, global economic impact.

“Cyber is like climate, it doesn’t stop at the border,” Koster concluded.
