(Ed note: Follow co-author Dr. Catherine Lotrionte’s sessions at RSA this week: Nation States Behaving Badly: The Evolving Rules of the Game in Cyberspace March 6, 8:00am and Engaging Internationally in Support of Cybersecurity for Critical Functions, March 6, 9:20am.)
One of the fundamental issues for geopolitical leaders is to determine when existing international institutions no longer meet present needs and new institutions and methods of operation are required. Such an issue now faces the cyber realm.
The internet is structurally and operationally international, and as the internet, the cloud, and all forms of the digital economy and digital society develop, cross-border cybersecurity becomes increasingly crucial. Already, the critical infrastructures of telecommunications, the electric grid, and finance are cyber dependent, and the Internet of Things – where virtually all devices from homes to medical devices to self-driving cars are cyber-controlled – is increasingly upon us. The scope of the cross-border challenges is substantial, including:
- vulnerability of key cross-border infrastructures like the SWIFT financial network and the key elements of the internet system itself as exemplified by the denial of service attacks against the Domain Name System provider Dyn, Inc.;
- the exposure to cyber attacks that the Internet of Things will bring without appropriate security measures, and the potential for cross-border cascading effects, including those that already exist particularly among the electric grid, telecoms, and finance; and
- the use of the darknet by criminals, the interaction between criminals and state actors, and the continued persistence of bot technology as a means of significant attacks replicated across multiple national jurisdictions.
The nature of these risks was underscored by the NotPetya attacks, aimed at Ukraine but spilling into multiple countries, which followed only a few weeks after the WannaCry ransomware attacks that had consequences in over 150 countries. In combination, those attacks affected both governmental entities such as the UK health system and state governments in India, as well as multiple private sector corporations such as the Maersk shipping companies, Telefonica telecommunications and Deutsche Bahn railway operator and infrastructure owner.
The attacks’ speed and breadth demonstrate both the international community’s vulnerability and the heightened risk as the malware not only held victims to ransom, but also wiped out data, greatly increasing its impact.
Yet, despite these well-known vulnerabilities, what has not happened is any effectively coordinated international effort to prevent serious economic and national security consequences for the United States and its close partners. Simply by way of example, a significant attack on electric power, telecommunications or finance could have consequential economic results not only for the country being attacked, but also for its economic partners. Yet cybersecurity could be significantly enhanced if the United States and like-minded countries combined internationally to prevent such cascading cyber attacks.
An effective international effort would include four key elements:
- an International Cyber Stability Board to coordinate actions by like-minded governments;
- alignment of standards to enhance international protection of key critical infrastructures;
- an ongoing campaign to deter, limit and take action in anticipation of and in response to significant cyber attacks; and
- engagement with key private sector entities.
Many governments have already undertaken unilateral steps to enhance their national cyber capabilities. The United Kingdom has established a National Cyber Security Centre; France has created its own cyber command and increased its cyber defense budget for the military; Germany likewise has established a Cyber and Information Space Command; and Canada recently passed a bill underscoring the growing role of cyber operations in national security.
However, a group of such like-minded states with significant cyber capabilities – initially to include Australia, Canada, France, Germany, Japan, the Republic of Korea, the United Kingdom and the United States – could establish an International Cyber Stability Board to create effective cybersecurity cooperation across national jurisdictions.
Modeled on both the Financial Stability Board, a voluntary organization that establishes financial standards, which participating countries put into place via their own governmental structures, as well as the Proliferation Security Initiative, which organizes voluntary cooperation among governments for counter-proliferation operations, the International Cyber Stability Board would lend much needed support to global cybersecurity, protection of critical infrastructures and rapid response to crises.
The board would have both a standards-setting mechanism and an operational center, each organized on a voluntary basis. It could build on and coordinate existing standards-setting efforts or, as necessary, undertake to identify gaps in already existing regulatory arrangements, and where necessary, establish new standards for the protection and resilience of critical infrastructures, including both governmental and key international private sector infrastructures such as telecommunications and the electric grid as well as others like the SWIFT financial network.
Interconnectedness means that all have an interest in appropriate standards developed to create stability, as has been illustrated in the financial arena with the creation of the Financial Stability Board establishing standards for the stability of the global financial networks. While the precise implementation would be left to each nation’s own governing mechanisms, the commonality of approach would lay the basis for common operational efforts to deter, limit, and respond to cyber attacks.
Operationally, the proposed board would act much as the fusion and joint operations centers developed in several countries to meet terrorism threats have done, except on an international basis. To be effective, it will be important to go beyond purely defensive measures and to raise the costs to cyber attackers.
To be sure, part of the board’s program would be to generate deterrence by denial and resilience at a truly international level, as the standards discussed above would seek to limit the consequences of any attack. But defense strictly through denial and resilience is not sufficient for effective cybersecurity in the face of more aggressive and harmful behavior by nation states engaged in cyber exploitation and attack activities. Attackers need to suffer costs for their activities. A multinational set of actions would be key to creating such costs. The key common operational effort would be an ongoing campaign among the nations of the board to deter and defeat significant cyber attackers.
An effective cybersecurity campaign would utilize the full spectrum of national and multinational resources. It would necessarily include intelligence and information sharing as well as law enforcement, and work across jurisdictions enhancing ongoing efforts. But it will also be critical to find means of both active defense and offense that would be consequential against cyber attackers.
Four key elements suggest themselves. First, defenders could use techniques of deception and tracking such as honeypots and beaconing to reduce attackers’ effectiveness and to be able to help identify them after an attack.
Second, while identified cyber attackers are already subject to indictment and other comparable law enforcement procedures, once identification is made, the finances of any cyber attacker should be subject to sanction and restriction, potentially by freezing and forfeiture of assets through sanctions by governments or legal actions by private sector entities especially if governments establish a legal remedy allowing for the prompt attachment of such assets.
Third, in the case of significant attacks, governments should be ready to use proportionate offensive measures against offending nations in accordance with the international law of countermeasures. These could include blocking harmful internet traffic from within the offending country and, where necessary, disabling the command and control sites within another country when that country is unwilling or unable to stop the attacks from its territory.
Fourth, a key element will be to act multinationally. That should include multinational campaigns against botnets, multinational sanctions adopted in response to attacks on a single member country, and multinational blocking of all internet traffic from a country where the attacks are controlled.
A critical requirement for the board to be successful will be for key private sector entities to be involved, as governments alone do not have control over much of the key portions of cyber space and also will benefit from sector specific and internet infrastructure expertise. Accordingly, in addition to the eight countries noted above, the board should invite relevant private sector companies or associations such as the Financial Systemic Analysis & Resilience Center (FSARC) to participate in standards development – when appropriate, the board could rely on standards already being developed by existing organizations – and to assist in operations.
Not all private entities would be involved in all such activities. For example, in focusing on standards for telecommunications companies, the board could limit engagement to representative companies or key associations in the telecommunications arena perhaps along with the participation of key operational internet companies. In taking operational actions against cyber attacks, governments should authorize and then work with companies who have been approved in the role of certified active defenders and who have planned and exercised with governmental cyber authorities. Such private sector operational support, acting in accord with governmental guidelines and control, would increase governmental capabilities and enhance deterrence and response.
The board could also be a forum for agreement on active defense measures that could be undertaken by the private sector more generally. Such measures, particularly focused on intelligence gathering and deception, could be complementary to more intrusive efforts that government and certified defenders could utilize.
Like-minded governments have long recognized that coordinated actions are critical to meeting multiple global challenges. An International Cyber Stability Board of like-minded countries will be key to meeting the challenges of global cybersecurity.
Franklin D. Kramer is a former U.S. Assistant Secretary of Defense for International Security Affairs. He is a distinguished fellow and board member at the Atlantic Council.
Robert J. Butler is a former U.S. Deputy Assistant Secretary of Defense for Cyber Policy. He is currently Senior Vice President for Critical Infrastructure Protection Operations at AECOM and an adjunct fellow at the Center for a New American Security.
Catherine Lotrionte is a former Counsel to the President’s Foreign Intelligence Advisory Board and a former assistant general counsel at the Central Intelligence Agency. She is now a distinguished fellow at the Atlantic Council.