Political borders don't stop cyberattacks, but they prevent defense, study finds
Cyberspace is a global commons without international boundaries, but the political divisions of the real world hamper the defense of this shared resource, according to a new study of government and private sector IT officials.
There is a lack of common standards of behavior, goals and even language in discussing the challenges faced in cyberspace, according to the Cyber Defense Report released Jan. 30 by McAfee. As a result, threats are growing faster than the ability to counter them because of barriers to information sharing and cooperation that do not constrain our adversaries.
“We are really up against a formidable enemy that can execute,” said Phyllis Schneck, chief technology officer of McAfee’s Global Public Sector and a contributor to the report. “We’ve made a lot of progress, but our enemies are a lot better and faster than we are.”
The cyberattack that awakened the Pentagon
Nation's cybersecurity suffers from a lack of information sharing
The report, written by the Belgian think tank Security & Defense Agenda, is intended to define critical questions for discussion rather than find answers, Schneck said. It offers a number of recommendations for improving cooperation between governments and between the government and the private sector.
The report also includes the results of a “stress test” on 21 countries, based on a cybersecurity maturity model developed by Robert Lentz, former U.S. Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance. The model includes five stages of resilience against attacks. None of the countries measured achieved a five-star rating. The United States received four stars, along with Denmark, Estonia, France, Germany, the Netherlands, the United Kingdom and Spain, and behind Finland, Israel and Sweden, which scored 4.5 stars.
Factors contributing to the four-star rating for the United States are a government Computer Emergency Response Team that takes part in informal CERT communities and has a new cyber-security strategy announced in 2011. It has a contingency plan for cyber-incidents and is an active player in cybersecurity exercises. The Defense Department also created the U.S. Cyber Command that defends American military networks and can attack other countries’ systems.
The report is based on interviews done with 80 cybersecurity experts in government, companies, international organizations and academia. The results identified some consensus on issues that need urgent resolution, including:
- To what degree should information sharing be more proactive, in both the military and private arenas?
- The need for much greater international cooperation.
- The introducing a more solid security architecture to the Internet.
- Establishing cyber-confidence building measures as an easier alternative to any global treaty.
Contributors to the report generally were pessimistic about the chances than an international treaty could provide the framework needed for essential cooperation.
“A treaty isn’t going to work,” said James A. Lewis director of the technology and public policy program at the Center for Strategic and International Studies. “There are too many verification, compliance and definitional problems.”
The study recommends instead establishing cyber-confidence building measures between countries as an alternative to a global treaty, or at least as a stopgap measure. This would include agreements on “expectations about state behavior,” Lewis said. “You want transparency, particularly for national doctrine on how to use cyber-attacks in a military context. Most countries have these doctrines but don’t talk about them.”
One of the hot debates identified in the study is the degree to which government should regulate and defend cyberspace. But even as that debate continues, the military has emerged as a model for the type of defense needed for IT resources.
The military model assumes that it will be attacked and will suffer losses and that it will have to operate in a degraded environment to succeed. There is a growing awareness in cybersecurity that compromise of IT systems probably is inevitable and that operators must focus on mitigating damage and restoring services as well as preventing attacks.
“Can we do what the military does so well?” Schneck asked. “Can we run while under attack?”
Schneck said the realization of the need for international cooperation is fairly new, and that organizations are hampered in their cooperation by laws, interests and liabilities that the bad guys do not have to deal with.
“It’s difficult for us to quickly share everything we know,” she said. “The enemy doesn’t have these restrictions, and that’s why they can move so quickly.”
Establishing clear lines of communication, authority and responsibility to allow and enable information sharing will not be easy.
“The Internet is a messy playing field, run by a patchwork of organizations, and different countries have different views about who should be in charge,” the report says. It includes a laundry list of governmental, international and private sector organizations that share and compete for authority in cyberspace.