In the fourth in our special features marking Cyber Awareness Week, David Atkinson, CEO of cyber security start-up Senseon, discusses how private companies can play a significant role in collaborating with the Government to seek solutions to combat cyber warfare.
The lack of rules and norms in cyber warfare is a well-documented problem. What is slightly less discussed, however, is how and why nation states target foreign enterprise. With vast swathes of cyber activity in this arena of doubtful legality, and even of doubtful morality, it looks increasingly likely that the lack of rules and norms could unintentionally lead to a real-world escalation in tensions, perhaps resulting in conflict.
When cyber attacks of sometimes unclear origin target privately owned businesses, the question of attribution has real impact on the appropriate response. These issues must be discussed, as only through discussion will we move closer to solutions.
Before the Information Age, if you wanted access to a company’s internal information you had to have someone on the inside who could help. This could be difficult, costly and, if the person was caught, result in severe diplomatic and international repercussions. However, with an increasing level of company information stored online, physical access is no longer necessary. By infiltrating a company’s network you can, with relative ease, siphon off data to elsewhere. Attribution is difficult, assuming you can even detect an attack has taken place. You can’t just catch the person in the act and question them.
This difficulty of attribution has opened corporate theft to many actors who otherwise, fearing among other things the consequences of being caught, might have refrained from participation. Nation states now have the opportunity to engage in a new kind of cyber warfare, one that is even more poorly defined than conventional cyber attacks against infrastructure and the military. Recent events have thrown this new form of cyber warfare into the limelight. Russia’s military intelligence arm, the GRU, was caught trying to hack into both the World Anti–Doping Agency and the Organisation for the Prohibition of Chemical Weapons, which were independently investigating allegations of wrongdoing by the Russian state. China, too, has been accused by the United States of engaging in IP theft on behalf of Chinese enterprise.
Such nation state espionage and theft on enterprise is often done by Advanced Persistent Threat (APT) groups. APTs specialise in highly sophisticated cyber attacks, and are often well funded and highly trained. They are either government groups or so-called patriotic hackers, who arise organically and then later fall under informal government auspices. APTs target just a few individuals either at the company in question or at a company within the supply chain. They will research these individuals and use that information to launch a targeted attack. This type of attack, known as spear phishing, is just one example of many, but serves to illustrate the ingenuity and innovation associated with APTs.
There is no consensus over either the legality or the morality of this new form of cyber warfare. Where state and enterprise interests overlap, or where enterprise is merely an arm of the state, the issue becomes more complicated. In such a country, the state could exercise its cyber capabilities on behalf of enterprise, or may even believe that such activity is a crucial part of national security, both for strengthening the economy and for aligning the balance of power. It is almost inconceivable to imagine western intelligence handing stolen foreign IP to western companies, yet many argue that elsewhere this is exactly what governments do.
The current US-China trade war is a good example of how these issues may play out. President Trump argues that China engages in widespread IP theft from American companies. He alleges that, since there are such close ties between the Communist Party of China (CPC) and many leading Chinese companies, the CPC is passing them stolen American IP. This presents a strategic advantage, as Chinese companies benefit from IP gained without investing in R&D, readdressing the balance of power in their favour. The President’s trade war is his attempt to tilt this balance back towards America by combating nation–state–on–corporate cyber attacks. Tit-for-tat actions, such as stealing Chinese IP and giving it to American companies, are inconceivable options. Aside from the issue of to whom would the stolen IP be given, such action would also risk raising hostilities. It is partly as a result of this consideration that the trade war has arisen.
This risk of hostilities reminds us how it is unclear at what point a nation state hack of foreign enterprise becomes an act of war. Without clear rules and norms, a misunderstanding could result in a rapid increase in tension, leading to unwanted conflict. Clear government-sanctioned attacks might meet far more robust responses than those by patriotic hackers, the responsibility for whose actions is more ambiguously attributed. At the same time, merely individual criminal hacks could be misinterpreted as nation state sanctioned operations, with all the diplomatic fallout that would entail. An unintentional escalation of hostilities resulting in war is somewhat unwelcome.
Nation states should keep pushing to introduce clear codes of conduct. With a lack of unity rendering a global agreement unlikely, perhaps individual countries should state their professed cyber norms regardless of international consensus. In this way, we may at least increase trust and understanding in cyberspace. Furthermore, conversation between nation states and enterprise should be encouraged. Innovations such as GCHQ’s creation of the National Cyber Security Centre have done and will continue to do good work to promote security in the UK; and with the cradle of innovation steadily moving from government to enterprise, private sector technologies will increasingly be a help to government in cyber warfare.
We can’t fix these problems overnight, but by shoring up our defences and saying clearly what we think, while promoting nation-state-enterprise dialogue, we can make the world a slightly safer place.
If you would like to join our community and read more articles like this then please click here.
Cyber Essentials is a government-backed, industry-supported scheme. It helps businesses win more public sector contracts, by ensuring that they comply with mandatory requirements for cyber security. To learn more click here.
The post Cyber Awareness Week: Why enterprise has a crucial role to play in cyber warfare appeared first on Defence Online.