Risk

12/6/2017
02:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Why Cybersecurity Must Be an International Effort

The former head of cyber for the US State Department calls for agreements across countries to improve government cybersecurity.

BLACK HAT EUROPE - London, UK - Government cybersecurity won't improve unless nations begin working together, and with their own technical security experts, to improve their understanding of security problems and the tools used to fix them.

"How many people think we're better off today than seventeen years ago?" Chris Painter, the former and first-appointed cyber coordinator for the US State Department asked in his keynote at Black Hat Europe, held this week in London. He didn't seem surprised at the response.

"Okay, that's nobody … not a single person," he noted as everyone in the packed room kept their hands lowered.

Painter then asked how many attendees believed governments were speaking with security experts to inform their policies with technical expertise. A few raised their hands in agreement.

It wasn't too long ago that high-level government officials didn’t want to care about, or understand, cybersecurity. "That has changed, I think, dramatically," Painter observed, as cyber issues more broadly threaten national security, human rights security, and foreign rights policy.

Governments have, in fact, begun to take cyber more seriously as threats carry greater consequences, he said. The Equifax breach, Sony hack, WannaCry, and Petya/not Petya are only a few recent attacks which have captured the international community. Many have begun to worry about attacks on their critical infrastructure, such as that in Ukraine in 2016.

Nations view technology as a threat to their overall stability, Painter said. He divided cyber threats into two categories: technical threats, and threats to policy. There has been greater emphasis on how we counter these problems both nationally and internationally, he explained, and governments have become more organized around cybersecurity.

He emphasized the need for countries to deal collectively with the threats they have in common. Security issues are usually bigger than one country, he said, noting that conflict arises when different nations have different perceptions of how technology should be used. Some countries leverage the Internet to monitor and control citizens, and suppress their freedom of expression, he added.

As countries strengthen their cyber capabilities, Painter explained, they need a stable environment so the beneficial parts of cyber aren't undermined by weak security. He said it's time for nations to discuss cyber policies through the United Nations and multi-government organizations instead of going solo. International law applies in cyberspace, he said; it isn't a "lawless space" where "anything goes."

It sounds simple on the surface but is complex in practice. According to Painter, international agreements must focus on how to prevent cyberattacks that don't necessarily qualify as cyber warfare; right now, policies don't address these types of threats. States shouldn't attack the critical infrastructure of other states, for example. They shouldn't attack one another's computer emergency response teams (CERTs), something Painter likened to "going after ambulances on the battlefield."

We have not done a good job of deterrence in cyberspace, he continued. Sure, there are rules telling actors not to violate other nations. But "those rules are worthless if there's no action taken if people violate them," he said, adding that lack of punishment establishes a norm that [an] activity is acceptable.

As part of this, Painter also called for more efficient attribution, which is necessary to take action on cybercrime. "We have to get to attribution quicker, so we can take action quicker, so we can have a deterring effect," he said. Attribution is "a political issue," he pointed out, and governments can't punish a threat actor unless they are sure he/she is responsible.

International security will only come with international acceptance of rules, Painter said: "We can't have progress if only a few countries agree."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tcritchley07
50%
50%
tcritchley07,
User Rank: Moderator
12/7/2017 | 11:48:18 AM
International Efforts in Cybersecurity
I've been banging on about an international effort for years and this was backed up by Brad Smith (Microsoft legal) at RSA2107 but, as Mark Twain said; 'everybody is talking about the weather, nobody is doing anything about it.' What do we have today? About 10 or more country initiatives (UK and US spring to mind), 25 years late,  with no cooperation whatsoever as far as I can see. This will result in a dog's breakfast.

There have been severe warning to US Presidents in official report after official report since 1992 and the bad guys are still winning.

Watch this space for a screw up of monumental proportions involving 7 billion mobile devices and 30 bn IoT devices as well as the usual servers.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.
CVE-2018-18375
PUBLISHED: 2018-10-16
goform/getProfileList in Orange AirBox Y858_FL_01.16_04 allows attackers to extract APN data (name, number, username, and password) via the rand parameter.
CVE-2018-18376
PUBLISHED: 2018-10-16
goform/getWlanClientInfo in Orange AirBox Y858_FL_01.16_04 allows remote attackers to discover information about currently connected devices (hostnames, IP addresses, MAC addresses, and connection time) via the rand parameter.