When the chips are down, we find that governments, businesses, communities and individuals all depend upon each other. We need look no further than our collective successes and failures in managing the COVID-19 pandemic to see this. And the same is true in managing the escalation of conflict in cyberspace: We need to work together.
Unfortunately, we’re not.
State-led and state-sponsored cyberattacks have transformed the internet into a new battlefield. This wartime metaphor implies, however, old-school thinking of front lines and fortifications, of surgical strikes and heroic last stands. Instead, the reality is that cyber conflict isn’t happening ‘somewhere over there’ but rather ‘right here, right now’ — and all of us are targets.
As state-originated attacks increase in sophistication, the list of victims expands to include more government agencies, more critical infrastructure such as healthcare systems, and ever more private citizens.
The recently revealed state-sponsored cyberattack on software company SolarWinds not only exposed the vulnerabilities of our whole internet infrastructure but also highlighted the low level of preparedness amongst the organizations affected, from government agencies to private businesses. Just as worryingly, a new survey carried out by the Economist Intelligence Unit (EiU) on behalf of the Cybersecurity Tech Accord indicates a seemingly false sense of security or complacence amongst private organizations: Almost 7-in-10 respondents stated that their organization was “very” or “completely” prepared to handle a cyberattack.
When an attack occurs, this perception tends to change, and companies find themselves exposed. These new attacks are being perpetrated by highly motivated actors backed by substantial nation-state capabilities. A private sector security team cannot hold the line indefinitely against opponents that have both advanced attack technologies and unmatchable practical resources, from finance to human intelligence.
The problem is not getting any better. More than 8-in-10 respondents to the same EiU survey acknowledged that cyberattacks were advancing faster than their defenses, and almost the same number of respondents felt that COVID-19 had increased the likelihood of a state-led or state-sponsored cyberattack on their organization. These are not the views of amateurs, but of senior executives from around the world with genuine familiarity with their organizations’ cybersecurity strategies. What’s more, they don’t just come from sectors that we might consider to be typical targets for state cyberattacks — i.e. ICT and finance — but also from more ‘civilian’ industries, such as retail and consumer goods.
If we cannot expect businesses to be on a level playing field with foreign governments when it comes to cyber capabilities, we should expect home governments to provide the necessary helping hand. This is not to say that companies — whichever sector they are from — can escape their responsibility to understand their security environment and build the appropriate defenses. But governments must enable businesses to act, for example by removing bureaucratic barriers that inhibit the adoption and deployment of new defensive capabilities where they are most needed.
Furthermore, governments need to deliver the international cooperation and agreements that are essential to reducing the frequency and harmfulness of state-led and state-sponsored attacks. If we are to cultivate a safer online environment by reining in these attacks, then ongoing cybersecurity discussions at the United Nations should become a top priority for all governments. These discussions need to include not just diplomats but experts from the technology industry, which owns and manages the global internet infrastructure, and from civil society groups. Multi-stakeholder approaches such as the Paris Call for Trust and Security in Cyberspace need to become the norm if we’re to achieve meaningful and positive change in the rules governing cyberspace.
We’re all in this together. States need to protect their citizens, communities and companies from other states online as well as offline.
Businesses need to take the evolving state cyber-threat seriously and make proper preparations.
Communities and individuals need to think more critically about the risks they run online.
And if we engage with one another, and build those engagements into the policy-making processes going on right now, then we could create a system where international law truly applies to cyberspace. If we do that, then the states currently launching or sponsoring cyberattacks with near impunity will have no choice but to think twice and step back from the brink.
Annalaura Gallo is Head of Secretariat for the Cybersecurity Tech Accord (@cybertechaccord), a collaboration among 147 global companies to improve the security, stability and resilience of cyberspace.