Going global: the need for international cyber governance

Following another wave of cyber-attacks targeting government agencies and NGOs, Microsoft has called for a greater co-ordinated global approach to cyberspace.

Cyber-attacks are coming thick and fast at the moment and are a major concern for both public and private sector organisations. Only last week, another wave of Russian cyber-attacks targeted government agencies and human rights groups in 24 countries, mostly in the US, according to Microsoft.

The company said about 3,000 email accounts at more than 150 different organisations had been attacked, and that the group responsible – which Microsoft calls Nobelium – was the same one that carried out last year’s SolarWinds attacks, which Russia’s Foreign Intelligence Service (SVR) is accused of orchestrating.

This latest wave of attacks follows a spate of high-profile ransomware hits, with French insurer Axa recently confirming that cyber criminals had targeted its Asia Assistance division, part of Axa Partners, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines.

The Axa attack came after the news that a unit of Toshiba Corporation had become the latest high-profile target of a ransomware attack by DarkSide, the group the FBI has blamed for the earlier Colonial Pipeline attack.

Such hacks can be extremely costly. According to Verizon, 86% of all cyber breaches are financially motivated, while the World Economic Forum has estimated revenues from cybercrime will be at around $2.2 trillion this year – likely to grow almost five times to $10.5 trillion by 2025.

Specific details of the costs of cyber-crime are also starting to emerge. In the case of Colonial Pipeline, it was subsequently revealed that the company paid $4.4m to the hackers, while CNA Financial paid $40 million to hackers to regain control of its computer systems after it suffered a ransomware attack in March, according to a report from Bloomberg.

International cyber rules

As far as Microsoft is concerned, the time has now come for a co-ordinated global approach to cyberspace, warning in a blog post that nation-state cyberattacks aren’t slowing and calling for “clear rules” governing nation-state conduct in cyberspace and “clear expectations of the consequences for violation of those rules”.

The post continued: “We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.”

Several nations already provide forums where government and business collaborate in response to cyberattacks. In the US, for example, CISA’s National Cyber Incident Response Plan defines cyber defence as a “shared responsibility” of individuals, the private sector and government, spells out the roles government departments will play in responding to attacks, and commits federal officials to safeguarding the privacy and intellectual property of companies.

Meanwhile, the UK’s National Cyber Security Centre, an arm of the GCHQ intelligence agency, coordinates similar responses and sets out which private-sector cyber specialists it will collaborate with.

The Paris Call

Looking beyond counter-measures on the national level, the Paris Call for Trust and Security in Cyberspace of 12 November 2018 represents a broader call for nation states to come together to face the new threats endangering citizens and infrastructure in cyberspace. It commits supporters to work together to adopt responsible behaviour within cyberspace.

The Paris Call was launched in 2018 by French President Emmanuel Macron, during the Internet Governance Forum held at UNESCO and the Paris Peace Forum, and is based around nine common principles to secure cyberspace, which are intended to act as areas for discussion and action. The nine common principles include:

  • Lifecycle security – strengthening the security of digital processes, products and services, throughout their lifecycle and supply chain
  • Cyber hygiene – supporting efforts to strengthen an advanced cyber hygiene for all actors
  • International norms – promoting the widespread acceptance and implementation of international norms of responsible behaviour as well as confidence-building measures in cyberspace

The scale of the challenge here should not be underestimated, according to Oliver Wyman, because, unlike many other operational risks, cyber-risk is primarily a frontierless criminal activity where only 0.5% of criminals are prosecuted. As such, Oliver Wyman suggests four ways that government and business can join forces in the battle for cybersecurity:

  1. Share threat intelligence

Governments and companies have different sources of information, insight and intelligence. Pooling them in a timely manner will create a clearer and more current picture of cyberthreats.

  2. Align cyber education with market needs

Governments, companies and other institutions around the world face a shortage of cybersecurity professionals estimated at more than 3 million – nearly as many as the estimated 3.5 million people currently working in the field. Arguably, there is labour capacity that could be marshalled here. The challenge is twofold: attracting more people to retrain in cybersecurity, and ensuring that curricula enable students and trainees to keep pace with fast-changing threats.

  3. Sharpen incident-response capabilities

Even the best cyber defence is likely to be cracked. That’s why effective organisations have well-rehearsed plans in place to deal with attackers. Such plans should include real training exercises, not just role-playing discussions.

  4. Build security by design

Human error, such as falling for a phishing attack and downloading malware, is involved in 95% of successful cyberattacks. We can’t eliminate that vulnerability, but we should be able to reduce it by building better security into technology devices in the first place – something many tech firms overlook or ignore in the rush to bring new products and services to market.

If it wasn’t clear before that a more co-ordinated approach – not just between the public and private sectors but also between nation states – is now needed, then surely it is abundantly clear now. The only issue is how quickly and effectively a greater degree of co-ordination can be effected in the continuing fight against cyber risk, as both the scale and ingenuity of the threat itself continue to grow alarmingly.