Speaking on the ‘Fighting Shadows’ panel at the Davos convention in Switzerland on Saturday, Toomas Hendrik Ilves joined senior figures from Kaspersky, Microsoft and the United Nations in calling for improved cyber-crime policing, laws and collaboration – whilst also calling into question how – and if – countries can respond to cyber-attacks.
Estonian websites were famously hit by distributed-denial-of-service (DDoS) attacks in 2007, which at the time were rumoured to be the work of the Russian government. Subsequently, the country became one of the world's most advanced countries on cyber-security, even establishing the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn in August 2010.
Ilves – who said that the country also helped with similar DDoS attacks against Georgian websites a year later – admitted that DDoS and nation-state attacks are very different things, but said that defending against cyber-criminals is almost impossible considering outdated laws, the obfuscation techniques used by hackers and the various jurisdictions involved. On the latter, he pinpointed China and Russia's failure to sign the Budapest Convention as an example that international cyber-crime collaboration remains some way off.
“Somewhere, somebody in an organisation has to be brought to justice and held accountable for what they do,” he said on the panel.
“Two countries that are home to the greatest source of cyber-crime refuse to sign or ratify the [Budapest] Convention…Russia and China.” The Budapest Convention, which was signed almost 15 years ago, was the first international treaty regarding internet and computer crime and it has since sought to harmonise national laws on the matter.
Eugene Kaspersky, CEO of Kaspersky Labs, had earlier faced questions on country bias during the panel, and he interjected that these are not the only countries with state-sponsored activities, or harbouring cyber-criminals who may have committed crimes in other countries. “What about Brazil, what about Ukraine?” he asked.
Jean-Paul Laborde, executive director for the counter-terrorism executive directorate (CTED) at the Assistant-Secretary General level at the UN, said that steps need to be taken for countries to get on the ‘counter narrative' in regard to cyber-attacks.
“The counter narrative is not done very well, either at state level, media level or at a civic society level.” He added that countries need to “work with private companies on these issues”.
“I think it is very difficult to criminalise under legal issues and very difficult to trigger international cooperation on these issues,” added Laborde.
Ilves went on to say that cyber-crime was ‘not just criminals, not just states, but it's the in-between’ – a reference perhaps to state-employed hackers – and compared these to the Barbary pirates who, in the 17th and 18th centuries, would kidnap fishermen and sell them into slavery.
And while he called for laws and legislators to be re-evaluated in the face of an ever-changing threat landscape, he said that it should also be ascertained how a country can respond to such attacks.
“Is something that is defending you offensive or not? It's hard to find where [the line] is.”
On attribution, he said that you can track a physical missile hitting a power plant, but this was much more difficult if it was a ‘cyber missile’.
“The same effect can be achieved via a cyber-missile that takes out the plant. Who did it? First of all, you don't know who did it. In general in cyber-forensics you can finally figure out who did it, but it takes a long time. What's the appropriate response? The question is how you respond in a cyber way.”
“The point is what is response, what is an act of war, what is an act of terrorism, who is responsible, and what do you do back?” he asked.