Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/6/2017
02:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Why Cybersecurity Must Be an International Effort

The former head of cyber for the US State Department calls for agreements across countries to improve government cybersecurity.

BLACK HAT EUROPE - London, UK - Government cybersecurity won't improve unless nations begin working together, and with their own technical security experts, to improve their understanding of security problems and the tools used to fix them.

"How many people think we're better off today than seventeen years ago?" Chris Painter, the former and first-appointed cyber coordinator for the US State Department asked in his keynote at Black Hat Europe, held this week in London. He didn't seem surprised at the response.

"Okay, that's nobody … not a single person," he noted as everyone in the packed room kept their hands lowered.

Painter then asked how many attendees believed governments were speaking with security experts to inform their policies with technical expertise. A few raised their hands in agreement.

It wasn't too long ago that high-level government officials didn’t want to care about, or understand, cybersecurity. "That has changed, I think, dramatically," Painter observed, as cyber issues more broadly threaten national security, human rights security, and foreign rights policy.

Governments have, in fact, begun to take cyber more seriously as threats carry greater consequences, he said. The Equifax breach, Sony hack, WannaCry, and Petya/not Petya are only a few recent attacks which have captured the international community. Many have begun to worry about attacks on their critical infrastructure, such as that in Ukraine in 2016.

Nations view technology as a threat to their overall stability, Painter said. He divided cyber threats into two categories: technical threats, and threats to policy. There has been greater emphasis on how we counter these problems both nationally and internationally, he explained, and governments have become more organized around cybersecurity.

He emphasized the need for countries to deal collectively with the threats they have in common. Security issues are usually bigger than one country, he said, noting that conflict arises when different nations have different perceptions of how technology should be used. Some countries leverage the Internet to monitor and control citizens, and suppress their freedom of expression, he added.

As countries strengthen their cyber capabilities, Painter explained, they need a stable environment so the beneficial parts of cyber aren't undermined by weak security. He said it's time for nations to discuss cyber policies through the United Nations and multi-government organizations instead of going solo. International law applies in cyberspace, he said; it isn't a "lawless space" where "anything goes."

It sounds simple on the surface but is complex in practice. According to Painter, international agreements must focus on how to prevent cyberattacks that don't necessarily qualify as cyber warfare; right now, policies don't address these types of threats. States shouldn't attack the critical infrastructure of other states, for example. They shouldn't attack one another's computer emergency response teams (CERTs), something Painter likened to "going after ambulances on the battlefield."

We have not done a good job of deterrence in cyberspace, he continued. Sure, there are rules telling actors not to violate other nations. But "those rules are worthless if there's no action taken if people violate them," he said, adding that lack of punishment establishes a norm that [an] activity is acceptable.

As part of this, Painter also called for more efficient attribution, which is necessary to take action on cybercrime. "We have to get to attribution quicker, so we can take action quicker, so we can have a deterring effect," he said. Attribution is "a political issue," he pointed out, and governments can't punish a threat actor unless they are sure he/she is responsible.

International security will only come with international acceptance of rules, Painter said: "We can't have progress if only a few countries agree."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tcritchley07
50%
50%
tcritchley07,
User Rank: Moderator
12/7/2017 | 11:48:18 AM
International Efforts in Cybersecurity
I've been banging on about an international effort for years and this was backed up by Brad Smith (Microsoft legal) at RSA2107 but, as Mark Twain said; 'everybody is talking about the weather, nobody is doing anything about it.' What do we have today? About 10 or more country initiatives (UK and US spring to mind), 25 years late,  with no cooperation whatsoever as far as I can see. This will result in a dog's breakfast.

There have been severe warning to US Presidents in official report after official report since 1992 and the bad guys are still winning.

Watch this space for a screw up of monumental proportions involving 7 billion mobile devices and 30 bn IoT devices as well as the usual servers.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: He still insists that security by obscurity is the way to go.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9681
PUBLISHED: 2019-09-17
Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X...
CVE-2019-9009
PUBLISHED: 2019-09-17
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
CVE-2018-20336
PUBLISHED: 2019-09-17
An issue was discovered in Asuswrt-Merlin 384.6. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2019-12755
PUBLISHED: 2019-09-17
Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an information disclosure issue, which is a type of vulnerability whereby there is an unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
CVE-2019-14826
PUBLISHED: 2019-09-17
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.