Posted by Scott Charney
Corporate Vice President, Trustworthy Computing
It is clear to most that the Internet, and related technology advancements, provides significant benefits for individuals, enterprises and governments. However, as global connectivity has grown, so has the cyber threat. This is why Microsoft, along with the ecosystem at large, works to combat the cyber threat and help protect our customers through a variety of mechanisms, including using security-focused development practices (the Security Development Lifecycle), sharing our understanding of the threat landscape through the Security Intelligence Report and working with partners throughout the industry to tackle specific threats like botnets.
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations, and craft appropriate responses. Although many organizations have invested significantly in information assurance, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complicated threat.
That is why in a keynote today at the East West Institute Cybersecurity Summit, I will discuss the reasons why cyber attacks often confound those responsible for crafting responses and suggest a new framework for creating effective strategies for responding to potential cyber attacks.
Specifically, I outline six distinct factors that I believe make understanding and quantifying cyber threats a challenge:
- Actors: there are many. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states.
- Motives: there are many. These motives may relate to traditional areas of criminal activity, economic espionage, military espionage or cyber warfare.
- Attacks: they often look alike. Different actors may use similar techniques, such as DDoS attacks. This means the nature of an attack may not yield reliable clues about the identity of the attacker and/or his or her motives.
- Structure: it’s shared and integrated. The Internet is a shared integrated domain between consumers, businesses and governments, where it is not easy to segregate one group from another. It is also shared between those engaging in socially protected activities and cyber attackers, thus raising concerns about security responses (e.g., network monitoring for criminal activity may result in the monitoring of civilians engaged in lawful activities).
- Consequences: they are unpredictable. The potential consequences of a response targeted at one group could have a significant and destructive effect on the whole ecosystem.
- Impact: it can be dire. Worst-case scenarios are scary because of society’s increased reliance on technology.
Of course, society is not starting with a blank slate: there are existing methods for dealing with bad actors, methods that have been codified in law and that do not necessarily work well in the cyber environment. For example, in the United States, we have a legacy of different organizations that use different authorities to address different threats to public safety and national security. But the agency assigned, and the authorities it can use, depend upon who is attacking and why, two predicates not always known in Internet attacks.
This leads to another key step that I think we need to take – deconstruction of the broad category of “cyber threat” into more granular categories. With regard to categories, I have identified four: cyber crime, military espionage, economic espionage (and other areas where nation-states are in philosophical disagreement on normative behavior) and cyber warfare. By breaking the problem into more focused categories, we are able to incorporate experience and progress we’ve made in the non-cyber world and to develop specific plans that may have very different requirements for progress.
However, to act on the different categories, we are also going to need to improve our ability to identify the “who” and “why” of particular cyber attacks. The initiating party and their motives are frequently unknown due to the open and unauthenticated nature of the Internet. This lack of information complicates the decision of how to respond appropriately. For example, should the attack initiate a law enforcement investigation, or is it a national security concern? The key question, then, is how we begin to solve this problem.
There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it. The breadth of criminal activity, the number of actors and motives, and the lack of reliable attribution have all served to make crafting responses to attacks difficult. While there are no easy answers, greater attribution and clearer rules for responding would enable the development and implementation of better strategies and tactics for responding to cyber threats.
I believe the course of future action for forward progress should include these steps:
- There must be innovation related to attribution. This includes both technological innovation and legal/diplomatic innovation.
- We must establish rules for responding when attribution is not possible.
- To deal with cyber crime, it is important for countries to adopt national laws that protect cyber space, build law enforcement capability and capacity, and support international efforts to fight cybercrime.
- To address economic espionage and other areas of philosophical disagreement, there must be international discussions leading to the establishment of norms that are then enforced through national policies and international organizations.
- To address military espionage, nation states must improve the state of their own computer security, build offensive capabilities as appropriate, and rely upon existing diplomatic and political mechanisms to address disputes.
- To address cyber warfare issues, countries must first develop domestic positions on what the rules for this new domain should be, taking due care to recognize the shared and integrated nature of the domain. Then there must be an international dialogue designed to create international norms for cyber space behavior. Such a dialogue will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.
I look forward to the ongoing dialogue with industry and governments to better help protect our customers and realize a safer, more trusted, Internet. You can download the full paper, which expands on the ideas I’ve outlined, at this link.