Article in Neue Zürcher Zeitung (NZZ) by Paul Meyer and Daniel Stauffacher.

“The U.S. recently fell victim to a cyberattack of staggering proportions: Using a compromised software upgrade, a foreign actor had gained access to a large amount of sensitive data. More than 18,000 organizations inside and outside the government had installed the software, and it took six months for the vulnerability to be detected.

Exactly how much data was stolen will never be known. U.S. cybersecurity officials face the daunting task of removing the unwanted intruders from computer systems and preventing the attacks from continuing in secret. The attack was extremely sophisticated, like something out of a spy thriller. And that’s exactly what it was – an act of espionage, carried out in all likelihood by Russian foreign intelligence.

Ex-President Trump, however, downplayed the significance of the cyberattack, insinuating that China, not Russia, was responsible. Joe Biden’s stance is more hawkish. He has promised that those responsible will pay for their actions, stating that a good defense is not enough: The U.S. must prevent its adversaries from being able to carry out such cyberattacks in the first place. The activism of such announcements may be reassuring, but it also risks further escalation. It remains unclear what constitutes a “significant cyberattack” and exactly what a proportionate response would need to look like.

Biden’s statement also makes clear that the term “cyberattack” is often used sweepingly. In the future, there should be a better distinction between activities; it would be more correct to refer to them collectively as “offensive cyber operations.”

Three main types should be identified: A Computer Network Exploitation (CNE) is an action that aims to penetrate and extract data from a foreign computer system without the operators of the system being aware of it. A Computer Network Attack (CNA) aims to disrupt, damage or even delete data in the system. Information Operations (IO), on the other hand, are cyber activities that aim to manipulate the opinion of citizens in a state in the interest of an attacking (state) actor.

Civil society and the private sector are also increasingly expressing concern about irresponsible actions by state actors in cyberspace. This underscores the need for international cooperation. To counter cyberthreats, an appropriate strategy must be formulated for each of the three offensive cyberattacks mentioned above. CNAs pose the greatest threat to the civilian sector. They can damage critical public and civilian services and infrastructure. Such attacks, moreover, are also difficult for the attackers to control. Consider the “NotPetya” and “WannaCry” cyber operations of recent years.

The normative framework to regulate international cyber activities is only in development. Since 2015, eleven voluntary norms of conduct have been agreed upon at the UN. Of note is the norm that protects critical public infrastructure from becoming a target of attack. The Biden Administration should advocate for a bilateral U.S.-Russian (or with China, even a trilateral) “ceasefire” agreement that would apply to CNA operations.

Information operations also pose a growing threat, particularly because they enable massive dissemination of “fake news.” International agreements in this area are struggling because one person’s propaganda is another’s freedom of expression. National regulations or control mechanisms by the owners of social media platforms are the most viable solution, at least in the short term. In the long term, the goal would be to ban cyber operations that target election infrastructure or processes.

With respect to CNE, little can be expected. Espionage is a proven state tool and has so far escaped the scrutiny of the international community. In 2015, the U.S. and China had agreed to curb cyber theft of intellectual property and corporate data. However, it was not pursued after tensions rose. It is likely that the U.S. government will not support measures that could also restrict its own foreign cyber activities.

Cyberspace is essential to the well-being of modern societies. However, it is vulnerable to abuse by malicious private actors as well as by aggressively behaving states. Effective protection against hacking cannot be dispensed with.”

Paul Meyer is former Ambassador of Canada and associate professor at Simon Fraser University.

Daniel Stauffacher is a former Delegate of the Swiss Federal Council, Ambassador of Switzerland and founder of the Think Tank ICT4Peace.

From the NZZ e-paper of 11.02.2021

The original NZZ article in German can be found here, and the English translation here:

Translated with www.DeepL.com/Translator (free version)