Better understanding of cybersecurity issues, cross-border agreements and the tools to take action will offer better security for governments.
Asking for a show of hands during the opening keynote at Black Hat Europe in London, Chris Painter, the first and former coordinator for cyber issues at the US State Department, found that only a few members of the audience felt governments were doing a good job of talking to the security industry about threats and problems.
Running through some of the news highlights and technical threats, Painter called the Sony Pictures incident a “watershed moment”: it stopped the company from expressing free speech, physical threats were involved and the CEO lost his job, “so companies take it more seriously.”
The other form of threat he focused on was policy, and the impact of policy upon the future of technology. Painter said that different countries have different visions of technology, and this translates into how we talk about issues. This, he said, turns into information security versus cybersecurity, and countries try to draw a “sovereign boundary” around themselves and to restrict technology.
He called for conversations to move to multi-government agencies and the United Nations, and to be less state-driven, as more than 100 countries now develop offensive capabilities and this could make cyber-space a domain of war. “Cyber is the new black and everyone cares more than ever before”, he argued, and more governments are concerned about cyber, where it used to be siloed government departments talking about it.
“We have done things to advance areas, we had dialogues such as China, Russia, Korea, Japan and Israel and created cyber diplomats around the world and worked with law enforcement colleagues to have cybercrime laws.” He added that more governments understood this, as President Obama set up a cyber space policy review, the UK launched the new National Security Strategy and Painter’s old State Department was the first to have a dedicated office for issues of cybersecurity and cybercrime.
Painter said that there need to be agreements on how to prevent cyber-conflict, and that international law applies in cyber-space, which is not a lawless space where anything goes.
He said that part of the commission for cyberspace is to protect the core of the internet, such as routers and DNS, and that a bad job has been done of promoting deterrence in cyber-space: while we have rules to not violate, they are “worthless if no action is taken when they are violated”.
He said: “We need to make sure there are consequences for bad actions, and deterrence by denial and deterrence by having a credible and timely response.”
Painter concluded by saying that attribution is “a political issue as you can never have 100% attribution” and you need 100% attribution to take action. He also said that bad actors need to be aware of how aware governments are on cybersecurity, and that better tools are needed “as current diplomatic and law enforcement tools” were not effective. While there are economic sanctions and cyber sanctions that are not often used, there is no red button to shut down an attack.
“The toolset is limited and we need to work with the technical community to expand it and policy people can benefit from technical community.”