Experts disagree on whether the international community can pressure nation-state actors that violate global cybersecurity norms to behave better.
SAN FRANCISCO -- For those in the cybersecurity realm, the damaging reach of cyberattacks has gotten only more pronounced over the past several years.
Cyberattacks can take down IT systems in minutes, cost billions of dollars to recover from and erode trust in the organizations that are the victims of damage. These outcomes are all the more corrosive—and insidious—when wrought by nation-state actors. Nation-states are supposed to foster society and institutions—not take them down.
But in the past few years, the realm of cybersecurity has overturned our notions of fair play in battle.
In 2017 WannaCry and NotPetya—two of the most damaging cyberattacks in recent years—unfurled. These malware attacks were reportedly the handiwork of nation-states (North Korea and Russia, respectively). WannaCry hit hundreds of thousands of computer systems worldwide, causing disruption to countless organizations and enterprises. NotPetya, also a global malware campaign, affected the Ukraine, Russia, Denmark, the U.K. and the U.S. in 2017 and brought chaos to banks, transportation systems and core infrastructure, such as nuclear facilities.
Together, these malware attacks cost hundreds of billions of dollars and brought systems to a grinding halt. Companies lost data, dollars and productivity, and the targets of these attacks were so widespread that the impact eroded trust in the sanctity of foundational financial and infrastructure systems. [Editor’s note: Cisco Talos, a threat intelligence group, was instrumental in providing information on the nature of both cyberattacks and helping institutions and enterprises respond to their effects.]
The swiftness and impact of these events gave the U.S. government pause.
“They made us think more carefully about what the nation-state threat really is to the future of the Internet, to the economies and to our critical infrastructure,” recalled Robert Strader, during a panel on how to manage fallout from nation-states that “behave badly” at RSA Conference 2019 this week. Strader is deputy assistant secretary for cyber and international communications and information policy at the U.S. Department of State.
As the volume and impact of cyberattacks has increased, the State Department has developed a code of conduct to hold cybercriminals accountable.
“Working with the UN [United Nations] and others, we’ve tried to build consensus around responsible norms of state behavior,” Strader said. The State Department’s work resulted in a list of 11 norms that define unacceptable behavior on the Web, including attacking a nation’s critical infrastructure and undermining human rights.
Numerous countries came together to endorse those norms. The department also took a stand on consequences for malicious behavior by state actors. It noted that a blend of diplomatic efforts—negotiations, sanctions and other financial measures, indictments and other forms of legal action— were all pieces of a toolkit to bring to account nation-states that violate these norms.
“We realized that we could bring a much broader set of consequences,” Strader said, by using all options.
Ultimately, most panelists agreed that consequences for global infractions of these norms is more effective when countries align on stopping rogue nation-states.
Countries that will stand together can then jointly levy consequences “when we see destabilizing behavior online,” Strader noted.
Tom Corcoran, a onetime foreign policy adviser and now a head of cybersecurity at a major insurance company, affirmed the idea that global cybersecurity norms and consequences can encourage nation-states to follow the rules.
He said that a firm approach had a positive impact several years ago, when the Chinese received stern signals that espionage wouldn’t be tolerated.
“There was a point when China was really running rampant,” Corcoran said. “We saw an effective campaign to push back on the Chinese to say it was an unacceptable norm of behavior.
But, he lamented, that firmness has given way over the past few years.
“It seems to be creeping back,” Corcoran said. “We are no longer delivering that message to the Chinese that it’s unacceptable.”
In a keynote session at RSA, Christopher Wray, FBI director, said counterintelligence efforts by nation-states have grown bolder in recent years.
“There is nothing like it,” Wray said, noting the “breadth, depth and the scale” of the espionage.
As the attack surface grows, with proliferating Internet of Things (IoT) devices predicted to swell to 31 billion devices by 2020 the opportunities for malicious actors to use malware or other means to overtake a system, extract data and cause damage is also increasing.
But the global view on using cybersecurity norms as a foundation to pressure nation-states that act out may not be as uniform as Western allies assume. James Lewis, senior vice president at the Center for Strategic International Studies (CSIS) doubted that the international community sees cybersecurity in the same way as the U.S. and its allies.
“I spent the last year and a half talking to non-Western countries about this, and their views on this are different,” Lewis said. “Some have said, ‘Nothing has ever gone to the Security Council. No cyber-thing has gone there. Nobody has ever died—so why do you care?’ It’s what other countries look at.”
There was also ample skepticism about the ability of the international community to inhibit this behavior. For some experts, strides made over the past 10 years to curb bad actors have been undone more recently.
“I have become skeptical about ‘norms of behavior,’” said Paul Rosenzweig, senior fellow at R Street Institute in Washington, D.C. “The only norms that are effective are ones where it is in the state’s interest to [follow them].”
“Eight years ago, I used to characterize the cyber-realm as the Wild West—without any norms, without any rules,” Rosenzweig recalled. “Then about four or five years ago, I said, ‘Things are changing. We are finding the tools to bind states to act more properly.’ What we’ve seen in the last four years, we’ve seen a retrograde.”
Rosenzweig noted that events such as cyberattacks on critical infrastructure as well as interference in the 2016 U.S. election signaled a new chapter in the rules of global cybersecurity engagement.
If threats from state actors are worrisome, rogue individuals are also a concern, as well as alliances between these individuals and nations.
Some members of the panel said that consensus about proper global cybersecurity norms can’t adequately secure the landscape given the number of potential threat actors.
“All the agreement among nation-states won’t get us all the way there when non-nation-state actors have the ability—10 guys, with some servers and access to the network—[to] play in this space,” Rosenzweig said.
Lewis adamantly disagreed. “Nonstate actors aren’t a threat, and they aren’t on a path to become a threat over the next couple of years.”
Corcoran may have split the middle on the threat rogue individuals pose. They can write code that could do a lot of damage, he said, but “they can’t present the same threat as an advanced nation-state." He added, “Years of sustained adversarial attacks doesn’t seem realistic in the near term.”
Nonetheless, just as collaboration and partnerships has proved critical in fighting adversaries, the “2019 Global Threat Report” noted that collaboration is also the coin of the realm among cybercriminals.
“Throughout 2018, . . . intelligence has observed increased collaborations between highly sophisticated criminal actors,” the report noted.
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget;, a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article "The Fluid Jurisprudence of Israel's Emergency Powers.”