Governments need to act now to protect citizens and society from cyber-war
We reached a tipping point quite a while ago, at which citizens and businesses became an autonomous cyber-militia. Incredible though it may sound, general industry – and not just critical national infrastructure (CNI) providers – has employed military concepts that should be alien to it in its IS strategy. These include defence in depth, threat intelligence and situational awareness, as well as defensive and offensive postures.

Private global cyber-security corporations now gather, hold and sell more cyber-intelligence than most nation state intelligence agencies. These commercial organisations are instrumental in detecting, defending and attributing nation state and cyber-cartel attacks, a role once retained by governments and the United Nations. The routine nature by which commercial organisations suffer, defend and respond to cyber-criminal and nation state-affiliated attacks using their own commercial resources is a real barometer of the speed of evolution in the arena of cyber-security.

Simultaneously, it illustrates the inability of nation states to keep up with this evolution, or to offer effective protection to their citizens, businesses or the state's own agencies. In fact, an argument could be made that some countries' state agencies designated to protect their citizens and businesses have done more harm than good. Think Stuxnet as one of the first targeted CNI worms, or more recently the NSA EternalBlue hacking toolkit breach and consequent WannaCry fallout.

Drifting towards cyber-war

The term cyber-war has been used to describe the current state of play between nation states. However, we are not yet at a state of significant violence or loss of life associated with cyber-activities, whether cyber, kinetic or hybrid warfare, to have reached a state of cyber-war. There is no doubt, though, that we are drifting in that direction as states refine and test their capabilities and where the red line of cyber-attack activity lies. There is a real danger of unintentionally drifting into war by pushing the envelope too far or through careless significant collateral damage arising from a planned smaller but uncontained attack.

Containing the cyber-threat to society requires both coherent government leadership and strategy, which has thus far been absent. In my opinion there are eight major initiatives that governments now need to undertake to protect their citizens and global society at large:

1. Build a consensus of international law on cyber activities – Cyber-activities and their impact should be mapped onto existing legal treaties and frameworks and through existing structures such as the United Nations. This consensus should cover cyber-warfare, cyber-espionage and the protection of “non-combatants” including citizens, business and CNI providers in war and peace time. 

Estonia, one of the first states to have suffered significant attacks on its own CNI back in 2007, has shown some real thought-leadership producing the manual. Microsoft has proposed a digital Geneva Convention. However, efforts by global governments and the UN to date to put in place this consensus have stalled.

International consensus would help to establish the boundaries of moral, ethical and lawful cyber-activities, and clarify what activities can be used and when by states in their defence.

2. Build international alliances of societal stakeholders – Political, defence, commercial and citizen representatives should be appointed to help govern, mediate and enforce these international laws.

3. Governments need to commit to being part of the solution, not the problem – A global commitment to moral and ethical behaviour with respect to cyber-laws would mean disclosure of, and assistance with remediating, vulnerabilities and exploits. By committing to quickly containing/eradicating rogue agents, governments can help to ease the current situation.

4. Regulate and enforce robust standards of accreditation – Lack of accreditation has led to widespread vulnerabilities; increased emphasis on an international product and service security standard accreditation can counteract this.

5. Resume policing and patrolling activities – Identifying and taking down rogue infrastructure and organisations is crucial. This may be achieved in conjunction with vetted cyber-defence and policing reservists comprising both citizens and industry to augment the state's scale, resources and capabilities.

6. Drive a comprehensive national strategy of education and awareness at all levels within society – Education is key to defeating the cyber-threat, and needs to start with education of our politicians, policy and lawmakers on cyber-security and safety to tackle the paralysis that exists globally with respect to the state's role in cyber-security. Attacking CNI specifically is a potentially efficient way that a cyber-adversary may harm or disrupt a state – eg disabling a power grid or banking system, resulting in large scale societal or commercial chaos.

Protecting CNI should be a significant priority for governments. Governments also need to consider the whole risk to state and society and seek to remediate the entire risk rather than focusing too narrowly on one area of risk in overall nation state protection.

7. Establish deterrence – Once boundaries are defined, governments will seek to establish a deterrence strategy encompassing a mix of sanctions, kinetic options and perhaps MADD (mutually assured digital disruption), ensuring an adversary thinks twice before using a cyber-attack as a weapon. This will mean adding more cyber-weapons to national armouries alongside traditional kinetic weapons. Under the approach proposed these weapons should be protected from falling into the wrong hands and only be utilised for prescribed lawful purposes where non-combatants and CNI have appropriate protection.

8. Isolate pariahs – Nation states, organisations and companies who do not adhere to these principles should be shunned and isolated – politically, economically, socially, digitally. This isolation could be achieved with or without politics. The new digital age potentially allows a responsible and ethical new cyber-militia of citizens, commercial and non-commercial organisations and vendors to gather intelligence, attribute blame and deliver economic and digital isolation to pariahs with or without political assistance.

The bottom line – cyber-attack activity, including state-enabled cyber-attack, is stifling innovation, damaging business and citizens, and costing organisations money and resources. It will lead to significant physical, economic and societal disruption and will lead to potentially significant loss of life.

Through the implementation of these types of initiatives, governments have the opportunity to make a real difference and better protect citizens, businesses and state assets.

Contributed by Pat Larkin, CEO, Ward Solutions

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.