Cyber attacks against the private sector are an increasingly common hazard of doing business. Media and financial organizations in the US and South Korea have suffered persistent attacks lasting months, with China, Iran and North Korea as the primary suspects. Last year Saudi Aramco was targeted by an unknown attacker with a virus that wiped all data from thousands of computers, but did not succeed in its aim to disrupt oil and gas production.
These are just some of the incidents that have unfolded in public. Based on past experience, it is certain that malicious and damaging activity is happening now, but will not be discovered or made public for months or years. What can be done to alleviate immediate problems while making long-term efforts to improve cyber security, and who should lead the way? Progress is needed on two parallel tracks.
First, the private sector must be meaningfully engaged by governments and incentivized to share cyber threat information. The challenge is finding areas where (a) there is sufficient overlap in the interests of governments and businesses to make sharing a productive exercise and (b) industry can participate without exposing itself to excessive financial or reputational liability.
The UK Government is making progress in this area. Last week, Francis Maude MP launched the Cyber Security Information Sharing Partnership (CISP) at Chatham House. This partnership shares information on cyber threats between the government and businesses in real time. CISP currently engages over 160 UK and UK-based companies and organizations, and plans to expand to include small and medium-sized enterprises. This is a welcome step, as the private sector has long been a target of cyber attacks and espionage, and is increasingly caught in the middle of inter-state tensions.
Companies are then faced with a difficult choice: attempt a solo defence against well-resourced state, state-sanctioned or criminal adversaries, or share sensitive information with a friendly government in an attempt to leverage their expertise. The CISP initiative aims to make this choice a little easier for UK businesses, by improving situational awareness of cyber threats and by laying the ground for something akin to collective defence. The UK approach has the double benefit of being more inclusive than similar initiatives in Washington, while also being conducted in a less politically polarized atmosphere.
Second, reliance on technical measures alone to provide security will only result in disappointment, and greater attention is needed on developing norms of behaviour in cyberspace, to build confidence between governments and prevent escalation of hostilities.
Here again the UK government can build and expand on existing initiatives. For the past three years it has facilitated a series of annual conferences, under a programme of activity known as the London Agenda, which will conclude in Seoul later this year. Representatives from around the world have gathered to discuss issues including cyber crime and espionage, along with the economic and social benefits of cyberspace. This is where the foundations of long-term progress will be laid: in regular interaction and candid discussion between governments, some of whom disagree strongly on cyber security policy but are economically dependent on each other.
What is needed now are mechanisms for building on the relationships that have been developed over the past few years, and turning them into tangible policy progress. This could come through an enhanced London Agenda, with additional conferences that address the full range of desired topics, supplemented by multi-lateral fora throughout the year to address particularly difficult topics. Another possible initiative is a European Union-wide visiting fellow programme, for example with China and India, to build relations between cyber security experts in government and academia.
This requires an honest broker, such as the UK, to build trust and bring decision-makers around the table while maintaining an international perspective. In turn, this will require a government that can maintain its principles and ideals while being willing to disagree with traditional allies, in private and in public, when necessary.
This leadership role is increasingly necessary as countries around the world become ever more dependent on networked technologies. Through its multi-faceted programme of activities the UK government has developed credibility and capacity, which can be translated into political capital. Spending some of this capital to improve international cyber security would be a worthwhile and laudable goal.
Cyber Security and Global Interdependence: What Is Critical?
Programme Report, Dave Clemente, February 2013
Project on Cyber Security