Risk

12/6/2017
02:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Why Cybersecurity Must Be an International Effort

The former head of cyber for the US State Department calls for agreements across countries to improve government cybersecurity.

BLACK HAT EUROPE - London, UK - Government cybersecurity won't improve unless nations begin working together, and with their own technical security experts, to improve their understanding of security problems and the tools used to fix them.

"How many people think we're better off today than seventeen years ago?" Chris Painter, the former and first-appointed cyber coordinator for the US State Department asked in his keynote at Black Hat Europe, held this week in London. He didn't seem surprised at the response.

"Okay, that's nobody … not a single person," he noted as everyone in the packed room kept their hands lowered.

Painter then asked how many attendees believed governments were speaking with security experts to inform their policies with technical expertise. A few raised their hands in agreement.

It wasn't too long ago that high-level government officials didn’t want to care about, or understand, cybersecurity. "That has changed, I think, dramatically," Painter observed, as cyber issues more broadly threaten national security, human rights security, and foreign rights policy.

Governments have, in fact, begun to take cyber more seriously as threats carry greater consequences, he said. The Equifax breach, Sony hack, WannaCry, and Petya/not Petya are only a few recent attacks which have captured the international community. Many have begun to worry about attacks on their critical infrastructure, such as that in Ukraine in 2016.

Nations view technology as a threat to their overall stability, Painter said. He divided cyber threats into two categories: technical threats, and threats to policy. There has been greater emphasis on how we counter these problems both nationally and internationally, he explained, and governments have become more organized around cybersecurity.

He emphasized the need for countries to deal collectively with the threats they have in common. Security issues are usually bigger than one country, he said, noting that conflict arises when different nations have different perceptions of how technology should be used. Some countries leverage the Internet to monitor and control citizens, and suppress their freedom of expression, he added.

As countries strengthen their cyber capabilities, Painter explained, they need a stable environment so the beneficial parts of cyber aren't undermined by weak security. He said it's time for nations to discuss cyber policies through the United Nations and multi-government organizations instead of going solo. International law applies in cyberspace, he said; it isn't a "lawless space" where "anything goes."

It sounds simple on the surface but is complex in practice. According to Painter, international agreements must focus on how to prevent cyberattacks that don't necessarily qualify as cyber warfare; right now, policies don't address these types of threats. States shouldn't attack the critical infrastructure of other states, for example. They shouldn't attack one another's computer emergency response teams (CERTs), something Painter likened to "going after ambulances on the battlefield."

We have not done a good job of deterrence in cyberspace, he continued. Sure, there are rules telling actors not to violate other nations. But "those rules are worthless if there's no action taken if people violate them," he said, adding that lack of punishment establishes a norm that [an] activity is acceptable.

As part of this, Painter also called for more efficient attribution, which is necessary to take action on cybercrime. "We have to get to attribution quicker, so we can take action quicker, so we can have a deterring effect," he said. Attribution is "a political issue," he pointed out, and governments can't punish a threat actor unless they are sure he/she is responsible.

International security will only come with international acceptance of rules, Painter said: "We can't have progress if only a few countries agree."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tcritchley07
50%
50%
tcritchley07,
User Rank: Moderator
12/7/2017 | 11:48:18 AM
International Efforts in Cybersecurity
I've been banging on about an international effort for years and this was backed up by Brad Smith (Microsoft legal) at RSA2107 but, as Mark Twain said; 'everybody is talking about the weather, nobody is doing anything about it.' What do we have today? About 10 or more country initiatives (UK and US spring to mind), 25 years late,  with no cooperation whatsoever as far as I can see. This will result in a dog's breakfast.

There have been severe warning to US Presidents in official report after official report since 1992 and the bad guys are still winning.

Watch this space for a screw up of monumental proportions involving 7 billion mobile devices and 30 bn IoT devices as well as the usual servers.
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.