The thoughtful cyber-consultant, evaluator, or internal manager has quite a bit of work to do, with little to no time to spare. There is also the added pressure from industry, governments, and supranational bodies (EU, OECD, UN, etc.) to take action, especially in high-need areas such as critical infrastructure, medicine, nuclear power, and the like.
There is also pressure from clients and from within individual organizations to ensure safety and compliance.
But, how much safety, and compliance with what? Researcher Elaine Fahey in her article “The EU’s Cybercrime and Cyber-Security Rulemaking: Mapping the Internal and External Dimensions of EU Security” notes that this pressure is “in the absence of a defined basis of the specific risk to be defended against.” Just in case we missed the irony, she notes that “regulation is proceeding in the absence of quantifiable harms or an empirically testable and consistent definition of cybercrime and cyber security.”
There ought to be a law. This is easier said than done, however, since a law might be anything from a by-law at the municipal level, to a statute at the sub-national or national level, a regulation or target at the multi-state level (EU, ASEAN, etc.), or a UN instrument attempting to cover the world.
Surprisingly, perhaps, it is China and Russia which have most energetically called for a binding international treaty on cyber security. There has been no take-up, and UK researcher Kubo Macak notes that this has left a "power vacuum." What is emerging instead is documented in his article "From Cyber Norms to Cyber Rules: Re-engaging States as Law-makers." Microsoft and others have issued white papers and suggested international standards for about 20 years.
What exists are "non-binding norms," and we can thus pick and choose the compliance regimes and standards by which to judge our efforts. The best news in Macak's article is that we may be in a situation similar to the one we were in as we developed the law governing Antarctica and nuclear safety. It took a while, but we got there. What we need eventually is a "Digital Geneva Convention." But that may be years in the future.
More than 20 years ago, France proposed a Charter for International Cooperation on the Internet, and later China and Russia proposed a Code of Conduct for Information Security, which was submitted to the UN General Assembly in 2011 and again in 2015.
Unfortunately for us, both initiatives died on the proverbial order paper. Yet we do have "the 1992 Constitution of the International Telecommunication Union, the 2001 Budapest Convention on Cybercrime and its 2006 Protocol on Xenophobia and Racism, the 2009 Shanghai Cooperation Organization's Information Security Agreement, and the 2014 African Union's Cyber Security Convention." This may sound impressive, but only six states support the Shanghai agreement, and none has yet ratified the African Union's initiative. In the end, "there is no complex regulatory mechanism governing state cyber activities."
NATO is not so sure. Its seven-year project in Estonia produced the Tallinn Manual. That document sets out 95 "rules of customary international law" relating to the use of force and armed conflict. A second edition added more, and yet critics say most cyber operations "fall below the threshold of use of force," so those rules do not reach them.
At the level of one particular nation, there appear to be emerging rules. The US has its National Institute of Standards and Technology (NIST), which has issued a Framework for Improving Critical Infrastructure Cybersecurity, current as of December 2017.
The executive summary notes the risk to a company's bottom line. It notes that the "Cybersecurity Enhancement Act of 2014 (CEA) statutorily updated the role of … (NIST) to include identifying and developing cybersecurity risk frameworks … by critical infrastructure owners and operators."
Yet hopes are dashed when it is also noted that these frameworks are "for voluntary use." What we are left with is a working definition of critical infrastructure, as laid down in the Patriot Act: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
There are good ideas in this voluntary document. Protecting the supply chain through Supply Chain Risk Management (SCRM) is one. Protecting data both at rest and in transit is another. Keeping test environments separate from production environments is a third. In the end, though, good ideas in a voluntary checklist are, by definition, just voluntary.
A researcher or evaluator might logically look for best practices and benchmarks. But where? The two ends of the spectrum of need might be fruitful. The highest-need organization is surely the military, and in particular the military of a nuclear nation. So much is at stake that one hopes the US Department of Defense database security checklist might prove useful. It might. But probing the meaning of its combination of military and computer jargon is surely beyond most organizations in need. One is first struck by the confusing status categories assigned to each check:
O = Open finding, or non-compliance
NF = Not a Finding, or in compliance
NA = Not Applicable, or the item is not applicable to the database version, database use, or host platform being reviewed
NR = Not Reviewed, or the procedure was not completed, so compliance is not determined
MR = Manual Review, which can be one of the following check types:
Interview: requires information found outside the DBMS
Manual: requires information found outside the DBMS
Verify: requires verification of information found in the DBMS
One can clearly see that someone dreamt up these terms, and someone else is inevitably left to ponder what they might mean. Meanwhile, an attack may be imminent.
At the other end of the spectrum is Canadian lawyer David Potts, who has been sounding the alarm about cyberattacks and cyber libel for more than 25 years. He thinks about the legal, technological, social, and other aspects of the problem all at the same time.
In the manuscript for a forthcoming book, he notes that defamed people must have reputations to protect in order to allege defamation. The material must be downloaded somewhere, and, as pervasive as the Internet is, how likely is it that millions of people will be interested in criticism of you? He cites countless court cases which establish, on the one hand, that a given fact may be irrelevant or crucial, and on the other, that a future court ruling may render either reading moot.
But author and lawyer Potts is also a keen student of military history. So he notes that online "the attackers are persons with the power," the reverse of conventional military doctrine, in which an attacking force needs roughly three times the strength of the defenders because the defenders are dug in. He also notes the war of all against all, in that "everyone can be a publisher and can be sued as a publisher." He describes some skirmishes as "similar to guerilla warfare. Your adversaries may suddenly proliferate then evaporate or mutate to other forms or migrate to other locations in cyberspace." As in guerrilla warfare, he notes that with the wrong response you "may transform a problem into a disaster."
Various types of links involve far more people than when newspaper baron William Randolph Hearst engaged in one-way communication with the customer masses. What is new, though, is the absence of editors. We can do an interview or exchange emails with a reporter from a reputable national newspaper and see the story posted minutes later, with no gatekeeper and no sober second thought. Potts calls much Internet content "self-indulgent, poorly researched, unfocussed, biased, and often patently inaccurate."
There is clearly quite a bit of work to do. Unfortunately, it is the risk of imminent threats, globally, that will drive our political decision makers to swift action on all fronts, including cyber.