In today’s cybersecurity climate, no person, company or agency has immunity. As cybercriminals obtain funding to no end and as their tools become more advanced and prevalent, we are seeing hacking move from a niche crime conducted by a small group of highly technical individuals becoming a mainstream misconduct. With cybercrime having the potential for significant global impact, we’ve seen governments themselves jumping in to steal intellectual property, tamper with elections or interrupt operations of public utilities, energy companies and nuclear plants. In fact, 12 percent of breaches were attributed to nation states, according to Verizon’s 2018 Data Breach Investigations Report.
Gone are the days when the biggest worries around cyberattacks were credit card or identity theft. As the world has become increasingly connected, cyberattacks are now capable of bringing down some of the most critical infrastructure – both physical and digital – on earth.
Recently, we have seen attacks on public infrastructures, such as BlackEnergy and Nuclear17, as well as on our digital grid with VPNFilter and Mirai. Even the PyeongChang 2018 Olympic Winter Games opening ceremonies were partially disrupted by a malware breach.
If governments are sanctioning or even dipping their toes in these attacks, how do we go about protecting civilians from harm? As it stands today, the opportunity for an attacker to target major infrastructure is far too easy. Legal recourse for hacking is largely determined by individual nations in accordance with their local laws. But as we all know, the internet has no global boundaries – it’s just as simple for a hacker in Asia to attack someone in the U.S. as it is for them to attack somebody down the street.
We need to ensure that global attacks have tangible consequences on a global scale.
At the RSA conference this year, Juniper Networks and 33 other security vendors signed the Cybersecurity Tech Accord, forming a coalition determined to prevent nation-state cyberattacks. It was a significant step forward in the private sector as some of the world’s most powerful companies promised they would remain neutral parties in all cyberwarfare.
But we need to go further.
Don’t get me wrong, private companies in a competitive industry banding together to pledge that they won’t help cybercriminals or governments is a real achievement. But the triumph will only come when a large portion of the world’s governments choose to do the same.
A cry has been made in the industry to form a “Digital Geneva Convention” – one that puts the safety of civilians at the utmost importance, requiring a global commitment from governments to protect human life, intellectual property and democracy. Based on the Geneva Conventions of 1949, in which 196 countries agreed to a base standard of humanitarian treatment during war, this agreement would prioritize the treatment of civilians in the midst of cyberwar.
In addition to the efforts being made in the private sector with initiatives such as the Cybersecurity Tech Accord, we are also starting to see some movement in the public sector. International organizations such as NATO and the UN are attempting to solve the cybersecurity issue on a global scale through training, prevention and awareness. Recently, NATO’s Cooperative Cyber Defense Center of Excellence held a workshop that allowed nations to practice cybersecurity incidents in a controlled environment. The exercise, Locked Shields, had 1,000 participants from over 30 countries compete in a cyberwar simulation, offering hands-on experience that could help to prepare for a global cyberattack.
Again, training and awareness are beneficial, of course, but ultimately a formal framework needs to be put in place to protect the world’s civilians from cyberattacks. Instituting a strong global mechanism of international penalties enforced by many countries will be the most effective way to prevent significant widespread attacks. Just as many of the world’s nations have banded together to prevent biological or nuclear warfare, cyberwarfare should be equally regulated and prosecuted.
So, why do we need this now? Simply put, the cloud and IoT.
As more and more data moves to the cloud and as connectivity becomes the default as people rely more and more on IoT devices, the attack surface grows exponentially. It is increasingly possible for cyber attackers to quickly cause harm to civilians, steal our data, disrupt our devices and even cause bodily harm. Technology has enabled new scenarios where nation states can harm civilians by attacking the water or energy grid, hospitals, subways and gas stations. Furthermore, smart homes and personal connected devices like smart watches, augmented reality headsets, connected cars, digital locks and drones all add additional risks. Any device plugged into the network is a risk and has the potential to be remotely controlled and exploited.
Preventing civilian harm from a global cyberwar is more than any company or government can do on its own, but it may be in the cards if they all work together. We all want to prevent major damage before it happens, but unfortunately, history has shown us that it often takes a precipitating event to motivate governments to put this type of framework in place. The current iteration of the Geneva Conventions was enacted directly after World War II, a global conflict that resulted in tens of millions losing their lives. Let’s not wait for Cyber World War I to institute our 21st century Geneva Convention. If we wait for an attack of this magnitude, it could be too late.