Recent cyberattacks underscore the need for international norms of responsible behavior, and an institutionalized process to support them.
Article by Amb. (ret.) Paul Meyer, Senior Advisor, ICT4Peace in Policy Options, Canada (29 January 2021)
“It is not easy for a great power like the United States to admit to having been taken to the cleaners by a rival state, but that is what Washington was obliged to do mid-December. The Department of Homeland Security announced that the U.S. had been the victim of a massive cyber espionage operation that posed “a grave risk” to the government. Offensive cyber operations like this one have been escalating in recent years and to date the United Nations, despite twenty years of discussing cyberthreats to international peace and security, has not been able to agree on effective measures to counter them.
For some six months, a wide array of U.S. government agencies as well as numerous non-governmental entities had been penetrated by a sophisticated “supply chain” attack utilizing compromised software upgrades (an unknown number of Canadian entities were also impacted). “Solar Wind,” the manufacturer of the infected software, indicated that 18,000 of its customers had downloaded the upgrade in their systems. No one may ever know the full extent of the information extracted or whether the intruders succeeded in creating “back doors” that would grant them ongoing access.
Cyber security teams will now have to undertake the Herculean task of expelling the intruders from the infected systems. There will always be the lingering doubt as to whether they have succeeded completely in doing so – the psychological equivalent of planting a “mole” in a rival intelligence service. If this all seems like something out of a spy novel – it is. We are dealing with a real-life incident of espionage. One which given its superior “tradecraft” has led it to being attributed to the Russian foreign intelligence service SVR (a successor to the KGB).
While the previous president has sought to downplay the episode and even has falsely attributed it to China rather than Russia, President Joe Biden has responded with vigour and rather belligerent language. He has vowed to impose “substantial costs” on those responsible and stated: “A good defense isn’t enough. We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place.” This sounds good, but who determines what is a “significant” attack and for that matter what actions are we to understand as constituting a “cyberattack”?
Please continue to read this article here:
An international response to offensive cyber operations is long overdue