WHY PREVENTING CYBERATTACKS IS SO HARD
The world cannot decide what constitutes fair game, and what should be off limits, writes
viable means of deterring the most damaging attacks. It still takes too long to formally identify the culprits.
Efforts to establish “norms of behaviour” got a promising start, but are now falling apart. No one can even agree on when an act of aggression in cyberspace amounts to an act of war.
The Pentagon, in its first nuclear strategy review since Donald Trump took office, is even proposing to use the threat of unleashing nuclear weapons against a country or group that delivered a devastating cyberattack against the critical infrastructure of the United States or its allies. But, that doesn’t help with the problem of everyday attacks.
The most talented state sponsors of attacks — mostly Russia, China, Iran and North Korea — have carefully calibrated their operations in cyberspace to achieve their strategic aims while avoiding a real shooting war.
So far, they have succeeded. While there have been indictments of Iranian and Chinese hackers in major strikes on the US, they have never seen the inside of a US courtroom.
North Korea has been a case study in how a nation learns to make use of its cyberweapons for disruption, revenge or profit, without fear of serious retaliation. It has learnt how to station hackers around the world — in China, Malaysia, Thailand and elsewhere — and has gotten away with bolder and bolder attacks, from Wannacry to its raid on Bangladesh’s central bank, which nearly resulted in the theft of US$1 billion (RM3.9 billion). (The transfers were halted after US$81 million had passed through the Swift system, the international clearinghouse for transactions, after someone at the New York Fed discovered a spelling error — the word “fandation” for “foundation” — and stopped the heist).
The explosion of state-sponsored, sophisticated cyberattacks over the past seven or eight years has been fuelled, in large part, by the expansion of poorly protected targets.
Banks and major utilities have, for the large part, tightened their defences, and tens of billions of dollars have been made by companies promising all kinds of cyberprotections, from the most basic programmes loaded on your laptop to sophisticated systems designed to anticipate future action, or watch for variations in the normal behaviour of users.
But, none of that has prevented cyberspace from becoming what former US president Barack Obama termed the “Wild, Wild West”, a territory of anarchy, where adversaries take free shots at one another.
In the past five years, these attacks have become the cheapest way for nations to undercut one another in the name of bigger strategic goals.
Yet, the world has been unable to decide what constitutes fair game, and what should be off limits.
For years officials talked about their fear of a “cyber Pearl Harbour”, a devastating strike against the power grid that would turn out the lights from Boston to Washington, or London to Rome.
That has not happened, save for limited strikes in Ukraine, widely attributed to Russian hackers, that seemed intended to send a message that they could attack critical infrastructure at any time. Countries have sensed what would happen if they went too far.
Instead, cyberattacks have taken a far more subtle turn. The Russian-led attacks on the 2016 US election — and similar efforts in France and Germany last year — are prime examples.
While UN experts had been struggling to come up with “norms of behaviour” in cyberspace, a consensus about what was off-limits — like attacks on power grids or safety systems, for example — few were thinking about the use of the technology to influence elections.
Yet, thinking about how to regulate that kind of activity is tying the West in knots.
President Emmanuel Macron in France is proposing that government authorities be able to take down “fake news” during elections, declaring in his New Year’s speech that, “if we want to protect liberal democracies, we must be strong and have clear rules”.
But, those rules cannot survive in the US, where First Amendment protections would prohibit the government from stepping in and declaring what is fake and what is not.
There have been a few successes in setting norms of behaviour, particularly when it comes to banning child pornography or cracking down on intellectual property theft. But, those are the easiest issues on which to agree.