Breadcrumbs

Deterring cyber attacks: old problems, new solutions

6 June 2018

The growing global market in cyber crime is projected to hit US$6 trillion by 2021. from www.shutterstock.com, CC BY-SA
This article originally appeared in The Conversation.

Joe Burton, University of Waikato

As the investigation into Russia’s interference in the US election deepens, it is becoming obvious that the events in 2016 are just the tip of an iceberg.

Ever since the Russian cyber assault on Estonia in 2007, policymakers and cyber security scholars have debated how best to deter cyber attacks that cross international borders. Yet both state and non-state actors continue using the internet for malicious purposes with an unacceptable level of impunity.

The growing global market in cyber crime is projected to hit US$6 trillion by 2021. Curtailing the risk requires new approaches.


Read more:
The public has a vital role to play in preventing future cyber attacks


Old problems

Fundamentally, deterrence is about convincing an adversary that the costs of an attack outweigh the benefits. One of the problems in cyber deterrence policy has been a reliance on ideas that were formulated in the very different security environment of the Cold War.

Cold War concepts rely on deterrence by punishment (striking back at an adversary with retaliatory attacks) and deterrence by denial (denying your adversary the ability of a first strike, for example by having too many hidden nuclear missiles sites). While these binary models may have applied in the context of two nuclear superpowers locked in a decades-long geopolitical conflict, they don’t translate easily to a global network of interconnected computers.


Read more:
Is counter-attack justified against a state-sponsored cyber attack? It's a legal grey area


The first problem is attribution. If you can’t identify the actor responsible for a cyber attack, how can you punish them? Retaliatory cyber attacks can also cause collateral damage. They drag in third parties who may come to the assistance of the adversary, escalate cyber conflict and legitimise the use of cyber capabilities for political and strategic gain. The prospect of using military force to punish cyber attackers is also viewed as disproportionate as a response to most malicious cyber activity.

Deterrence by denial is a similarly problematic framework. The “attack surface” the internet presents is staggeringly large. The number of internet-connected services is set to reach 75 billion by 2025. It is unrealistic to expect that we can ensure that all those devices are secure and cannot be used as back doors into other computer systems.

New solutions

Before leaving office, the Obama administration assigned US$19 billion for research on cyber security.

One of the priorities of this funding was to ensure further improvements to attribution technologies and processes. This could make a big difference to the effectiveness of cyber deterrence, especially when combined with clearer communication by policymakers about the evidence they have about the source of attacks. Cutting through some of the smoke and mirrors put in place around the Putin government’s cyber operations should be a high priority.

Another radical proposal is to change how the internet operates so that it becomes an identified and attributed network where logging in involves providing specific personal identification. This has been given serious attention in the US national security community.

It has obvious implications for maintaining the internet as a free and open global resource. But the internet will have to keep evolving to deal with the growing impact of cyber attacks. Building a more secure domain for some internet traffic is worth considering.

Changing how we think about attacks

New technology may help enhance cyber deterrence, but we will need to change our thinking too. During the Cold War, deterrence was absolute. Even one attack could have proven devastating. In contrast, deterrence in cyberspace will be cumulative. As the scholar Uri Tor has argued, cyber deterrence is about how to “postpone, limit, and shape a series of ongoing conflicts with a variety of state and sub-state actors”. It is not about preventing all attacks at all times.

The role of laws and norms in deterring malicious cyber activity should be given greater attention. Some countries don’t even have current laws that make hacking a criminal offence. This could be solved by more states signing up to the Budapest Convention on cyber crime, which requires the adoption of laws on cyber crime and enables collaborative policing to deal with cyber attackers.

New proposals coming out of the Tallinn Manual 2.0 process suggest the emergence of deterrence mechanisms through international law. This includes holding states to legal account when hackers are operating with impunity from within their territory or being directed by the state. In this scenario, a form of self-deterrence may emerge when governments realise that hackers pose risks to the states themselves.

Resilient systems

Cyber resilience involves having back ups for computer networks and the societal services they provide. A cyber attack would have minimal impact if systems are in place to replace an internet service as quickly as it is taken down.

Cyber resilience holds particular promise for critical infrastructure providers in the transport, health and energy sectors. These organisations will never have the authority to deter cyber attacks through retaliatory cyber countermeasures, but need to find ways to obscure the cyber targets on their backs.

The ConversationSimilarly, given recent efforts to subvert democracy through cyber operations, the resilience concept will have particularly appeal to the electoral governance sector. Building resilience in our elections systems (including election advertising on social media) is a priority for democratic countries, especially in light of the recent scandals around Cambridge Analytica’s misuse of Facebook data during the US election.

Joe Burton, Senior Lecturer, New Zealand Institute for Security and Crime Science, University of Waikato

This article was originally published on The Conversation. Read the original article.


Related stories

Priya profile

Good and meaningful work

University of Waikato alumna, Dr Sripriya Somasekha, received a Public Service Award acknowledging her work…

sir-william-lady-judi-gallagher

Sir William and Lady Judi Gallagher announce further support for University of Waikato with new scholarship

Hamilton philanthropists Sir William and Lady Judi Gallagher will fund eight new scholarships a year…

International alumnus working to minimise cyber security threats

With cyber security threats on the rise, University of Waikato alumnus Eric Wang is working…

youyou-gao

Thanks to Waikato, Youyou Gao is now where she's always wanted to be

Originally from Hefei, China, Youyou Gao thrived at the University of Waikato studying computer graphic…

Brian Tamaki

Spirit of resistance: why Destiny Church and other New Zealand Pentecostalists oppose lockdowns and vaccination

Was anyone surprised when New Zealand’s self-made Apostle Brian Tamaki courted controversy and arrest by…

te-riria-potiki-appeal

Scholarships enable Te Riria to make a difference to the environment faster

As the recipient of several scholarships at the University of Waikato, Te Riria Potiki (Ngāti…

leo-oliver-appeal

Scholarship fast-tracks Leo helping people at risk of cyber attacks

Thanks to scholarship support, current Master of Cyber Security student Leo Oliver-Dowling is well on…

Iain

Nationwide survey launched to understand what the 20-minute city idea will look like in New Zealand

University of Waikato researchers have launched a nationwide survey asking New Zealanders how far they’re…

madeleine-pierard

Internationally renowned soprano named Chair in Opera at the University of Waikato

Opera singer Madeleine Pierard has been named the inaugural Dame Malvina Major Chair in Opera…

Lara Markstein

Sargeson Prize 2021 winners focus on relationships and families

A story about the harm patriarchal communities can do is the overall winner of this…

parekawhia-mclean

From Waikato to Wellington and back again for Distinguished Alumna

Distinguished Alumna Parekawhia McLean's success in the public sector is well-documented, but perhaps lesser-known is…

The call of the Waikato

University of Waikato student Melody Nepe always knew she’d end up working in the health…