- By Chris Kremidas Courtney
On November 3 1988, computer users were surprised by one of the first large-scale malware attacks. The so-called Morris Worm paralysed an estimated 10% of all computers connected to the internet. The incident also motivated the creation of CERTs – Computer Emergency Response Teams dedicated to cyber-security.
Since then, the internet has gone through dramatic changes. In 1988, it connected just 60,000 computers. Today there are 3.2bn users, 40% of the world’s population. By 2020, the number of connected devices is expected to reach 50bn – from refrigerators to “smart” jewellery. Computers control services and devices that make our daily life work. Attacks on them could damage the core functions of society, threatening the health and well-being of citizens and the security of any state.
In 2015 cyber-attacks have become a 24/7 reality. Yet policy makers seem to have only a fragmented understanding of their nature. Most cyber-security discussions centre on improving defensive instruments and systems, forgetting that the most effective defence is actually interrupting attacks and striking at the attackers’ motivation.
The cyber-security market today seems to focus on the business of building fences and locks without really knowing who they are defending against. It is common in high-level cyber-security discussions to hear statements comparing computer users with gun owners, placing blame on average users whose computers are hijacked for use in cyber-attacks without their knowledge. This kind of approach seems to forget some basics: that a computer in itself is not a high-risk threat source; that average users are probably unable to defend themselves against advanced attackers; and that responsibility for attacks should first and foremost be placed with the attacker who has created a malicious use for technology.
In order to find cyber-security solutions, it is therefore important to focus on the real threat – the attacker. There are as many ways of stopping attackers as there are motives behind the attacks. From the international law perspective, substantial work has already been done, such as within the Tallinn Manual on the International Law Applicable to Cyber Warfare, to clarify perspectives for the use of force against cyber-attackers.
However, substantial gaps remain in both legal policy and instruments for international co-operation in situations that fall below those where the use of force could be invoked. Most of the attacks that cyber-security professionals are faced with on a daily basis fall into this category, outside the context of military conflict. Even these can, however, endanger critical infrastructure and may pose a direct threat to human life.
Has a private person the right to defend himself or herself in a cyber-attack in the same way as with physical attacks? Timid discussions about the possibilities for active defence measures have so far been held mainly within the viewpoint of military conflict.
Yet in everyday life, people responsible for handling cyber-incidents are faced with a grim choice: when all passive measures have been exhausted, can the defender stop the attacker’s access to platforms being used for the ongoing attack? What if this platform is physically located in another country and requests for help directed at authorities there go unanswered? It seems quite clear such action to protect life, property and the state should be possible and legal if all other means to stop the attack are ineffective.
However, although work on the second volume of the Tallinn Manual should provide a more transparent and sophisticated approach to self-defence in cyber-space from a nation state’s military perspective by 2016, there is a lack of similar discussions on the right of self-defence for citizens or companies.
International co-operation in the cyber-security domain is not easy. In many countries cyber-security agencies operate under different institutional frameworks, with varying working methods and mandates that hinder effective cross-border collaboration. One solution could be to standardise risk-management and notification procedures so authorities can better understand the frameworks and practices used by others.
This is where the Network and Information Security (NIS) Directive currently under discussion in the European Union could come into play. The directive should improve member states’ national cyber-security capabilities. It should boost co-operation between member states, and between public and private sectors. It will require key internet services as well as companies in critical sectors – such as energy, transport, banking and health – to adopt risk management practices and report major incidents to the national authorities.
Discussions on the directive showed that, although state practices in cyber-security vary, there is a shared level of concern and an acknowledgement of the need to improve co-operation across the EU.
Cyber-security co-operation among state authorities, and between the private and public spheres, should be quick and efficient, taking into account the often rapid escalation of cyber-attacks. Artificial bureaucratic barriers must be overcome.
Cyber-security is vital to the security of European citizens and the defence of state security. It can only be achieved through practical co-operation that keeps its focus on the attackers themselves. EU policy seems to be moving in the right direction, but states must work together more.