Yes, it’s happened again. And I’m not altogether surprised. The latest cyber attack, a breach compromising the data of up to four million of Talk-Talk’s loyal customers, is yet another in a growing line of pernicious cyber attacks against corporate infrastructure.
Worryingly, this isn’t the first time for Talk-Talk; the telecom provider experienced concerted attacks from last December through to February as well as a breach of up to 2 million of its customers’ data in August. T-Mobile US Inc., Dixons Carphone Plc and Sony Corp. have also sustained attacks over the last twelve months. Despite this growing trend, Talk-Talk have made scant effort in the fallout of its previous attacks to install even the most basic security measures such as encrypting customer data. British MP Keith Vaz, Chairman of the Home Affairs Select Committee, was absolutely right to brand this complacency as ‘alarming and unacceptable’ and it is only appropriate that the company and those responsible come under immediate scrutiny.
If anything is to be applauded, it’s that Talk-Talk’s CEO, Lady Harding, has finally recognised that more could have been done, but this reactive posture is all to prevalent in our society when it comes to cyber. Preemptive measures to secure against cyber attacks are few and far between and only embryonic steps are taken to manage the aftermath when an attack does occur. This sends a clear signal that not only are companies not serious in tackling this threat, but that they simply don’t understand it. And this is the real issue – what are we talking about?
On Wednesday, the U.K. and China agreed a non-aggression pact to tackle cyber-crime, pledging to end the ‘cyber-enabled theft of intellectual property, trade secrets or confidential business information’. In a similar vein to an earlier agreement between China and the U.S., the agreement is highly problematic for it exposes just how little government – much like the individuals at Talk-Talk – understand about cyber. The pact is essentially meaningless – what has been agreed does not concern crime, rather espionage. When states steal confidential information and trade secrets it falls within the remit of espionage; states cannot commit crime in the same manner as an individual.
As President Obama commented in the wake of the Office of Personal Management (OPM) attack, “it’s non-state actors who are engaging in criminal activity and potential theft… in the case of state actors, they’re probing for intelligence”. Indeed, the practice of state espionage is widely accepted within the international community. Brigham Young University professor of law and former U.S. Army Judge Advocate Eric Talbot Jensen reinforces the fact that “true espionage is by definition not illegal under international law”. States will no doubt continue to engage in it and those who fail to do so will only fall victim to it. The failure to make the distinction between espionage and crime reveals the crux of the issue – there is no clear paradigm or terms of reference for defining sinister activity in the cyber domain. Without an explicit set of terms and definitions for the cyber (fifth) domain, government will invariably remain ignorant in what they are talking about.
When I spoke with No. 10 recently about the U.K.-China pact, they were not readily capable of providing any exact details or explanation of what the pact entailed, instead directing me to the gov.uk website. The website, in just two sentences, simply reiterated the hollow promise of agreeing not to conduct espionage in the cyber domain.
However, government is not alone in its misunderstanding. The media equally highlight this mass confusion – some calling it a cyber crime pact, some a cyber security pact and the BBC calling it a cybercrime truce. How can there be a truce when we are not at war? With no agreed understanding or delineation between different forms of sinister cyber activity amongst international actors, the government has agreed a pact which it cannot define or understand; it is scrambling in the margins to show its competence but has made an agreement that is wholly ineffectual. In a paper I published in 2013 (link below), I highlighted the requirement for explicit terms and definitions for all sinister cyber activity and developed the helpful acronym of cyber TWESC (terrorism, warfare, espionage, sabotage and crime). Each category is preceded by the prefix of cyber and can be distinguished from one other.
Since making a clear distinction between crime and espionage in 2013, I have repeatedly appealed to government to develop these much-needed terms of reference but such pleas have fell on deaf ears. How can the government formulate coherent and meaningful policy if it cannot even agree or define what it is talking about?
There is an ancient Chinese proverb that states “when reading, don’t let a single word escape your attention; one word may be worth a thousand pieces of gold”. Simply put, the adage stresses that study requires undivided attention and that no single word should be passed over before one fully understands it. David Cameron should heed the sagacious advice of the Chinese, grasp the nettle and begin developing the requisite definitions for all forms of sinister cyber activity. Enough talk, time for action.