Security Report: Cyber Arms Race Real, Governments Unable to Respond Adequately


McAfee just released its global cybersecurity report, which was done by SDA (Security and Defense Agenda), an independent security think tank, and the results are chilling. The majority of experts believe we are in a cyber arms race, over a third believe (given the threat) that cybersecurity is more important than missile defense, nearly half think cyber attacks will have wide economic impact (up 8 percent from last year), and nearly half also believe that cybersecurity is as important as border security.


While the report points to a global need to address this growing problem, and to a consensus on that need, the underlying politics of blame and control all but assure that a global solution is beyond anyone's grasp. At the core of the problem is the typical bureaucratic issue that no one wants to accept the blame or the responsibilities necessary to mitigate the problem. This typically changes after a major breach that compromises high-placed politicians, and with the increasing attacks both by governments against other governments and by Anonymous, which has been doing a nice job of showcasing just how insecure everyone is.


This creates an untenable situation where the only time there will be an adequate response to a major cyber threat globally is after a global event and likely after many of the folks currently in office are removed or motivated to change their positions.


Let's highlight the problems, summarize McAfee's recommendations and suggest some others.


The Problem


Cyber threats have become global, with attackers operating across borders while enforcement can't cross those borders to address the threat quickly enough to eliminate it. Typically, treaties exist between states that border each other to prevent the escape of criminals into those countries, but extradition can prove difficult even then, which focuses enforcement on catching them before they could leave. In a cyber landscape, the criminal never needs to enter the country where the crime is committed.


While this kind of problem has existed since the invention of mail, and certainly phishing attacks by phone long preceded the Internet, there was a limit to the scale of the attack using these older methods. Now, with massive technology improvements, attacks can be launched using massive server farms and across multiple companies, industries and states with the potential for catastrophic damage, both monetary and physical (imagine, for instance, the result of a successful hack on a power plant or large piece of automated construction machinery or an armed military drone).


Even though that potential continues to approach, enough change hasn't been forthcoming because there has been no 9/11 event yet to drive it. One additional concern, given the overreaction to the 9/11 attack, is that the response after a successful catastrophic attack would also be an overreaction, using a military option that results in massive avoidable casualties.


Bureaucracy in Action


McAfee reports that the reason states aren't cooperating is that they disagree on what a crime is and who should have jurisdiction, and they really don't like the idea of a foreign state enforcing foreign laws on domestic turf. For instance, the rules around free speech vary country to country. In some countries, speaking out against the state is allowed if not encouraged; in others it is treated as a cyber attack by insurgents wishing to overthrow the government. Can you imagine China or Russia entering the U.S. to go after people who were speaking out against the Chinese or Russian government? Yet, under their laws, the government would be well within its rights. Conversely, the laws regarding malware are vastly different. It is illegal in the U.S., but legal in places like Russia, similar to the way we protect gun manufacturers from being prosecuted criminally when their guns are used in a crime.


To make this work globally, you need a core set of laws that everyone agrees to and we appear to be rather far away from that, let alone have any agreement on jurisdiction or enforcement methods. In addition, some states feel that any cooperation reduces their own sovereignty, that they become part of something bigger with jurisdiction over them and few want to be held accountable for the activities of their citizens. And finally, some clearly want to be able to maintain the freedom to act militarily with hostile code with impunity should the need arise.


Of course, this last kind of sounds like "we want the option to go in and rob your banks if we decide we are entitled to your money."


Wrapping Up


The researchers recommend a series of actions - all of which fall short of the ideal treaty because there was agreement that such a treaty would be "unverifiable, unenforceable, and impractical."


Most came about to make sure people are aware of the threat and know what to do in case of a crisis, continue to work on tools that mitigate the danger and put in place a system of milestones that will showcase improvement over time. You can sense an apparent frustration in working with a political structure that clearly values control over keeping its citizens safe.


However, until and unless there is a centralized independent law enforcement body with both the jurisdiction and authority to take action across states, it is unlikely this threat will do any more than continue to grow at an increasing rate, with eventual corrective action only when real damage goes beyond a state's tolerance for it and reprisals reach a point that is in itself intolerable. The report clearly showcases that we are on the edge of a crisis and that the solution may be to let the crisis occur so that an agency to prevent a similar future crisis can be created with the powers it needs to assure it never happens again.


To address problems like this between U.S. states, the FBI was created, and a similar agency is needed with similar authority to act between world states, but the UN is too weak to host it and until that changes, it is likely states will act unilaterally and that the collateral damage will be vastly higher. Eventually, I expect that will be the outcome, but only after the alternatives clearly become too painful for the major powers, or the citizens that support them, to tolerate.


This means that expecting adequate help from any government is likely foolish and you'll need to make sure your contingency plans address what would likely happen in a major successful attack. This would be similar to a large-scale natural disaster and it means anticipating significant infrastructure outages, including traditional communications.