Researchers call for a determined path to cybersecurity

[harlan4096]

Contents

• What we do, and how it is failing
  
• Our hypotheses and beliefs
  
• A lack of global willpower and instruments
  
• Double-dealing
  
• Existing regulations are not (global) enough
  
• Our call and plans
  
• A cooperative and global governing instrument
  
• A binding treaty of responsible behavior in cyberspace
  
• Global regulations and shared means for cybersecurity
  
• Conclusion
  

Despite our continuous research efforts to detect cyberattacks and enable defense, we often feel that we, as members of a global community, are failing to achieve an adequate level of cybersecurity.

This is threatening the proper development and use of information technologies and digital assets, and as a consequence, most of society’s current and future activities, from entertainment to democratic processes, including business, healthcare and industrial production.

We believe that such a failure can be explained by a lack of global willpower, double-dealing activities, and the lack of global regulations. Here, we develop these hypotheses and outline ideas to advance cybersecurity.

What we do, and how it is failing

Kaspersky’s Global Research and Analysis Team (GReAT) is made up of cybersecurity researchers. Our shared capabilities and expertise stem from multifaceted individual experiences and perspectives that can always be traced back to strong technical backgrounds. Each and every day, our skills are focused on clear goals: to anticipate, discover, detect, track and report cyberattacks. But our activities and findings are, first and foremost, a contribution to a broader mission: to build a safer world. Since our inception more than a decade ago, we have worked very hard – from awareness raising and media interviews to embedded firmware reverse engineering, as well as incident-response support, vulnerabilities research, malicious infrastructure hunting, code similarity heuristics development, discovery of major threat actors or advanced malicious frameworks, open-sourced tools, specialized training and expert talks at world-class conferences. As far as our expertise is concerned, we believe that we provide beneficial results to our customers, partners and the global community. We know from previous collaboration and published content that our colleagues at government bodies, other cybersecurity providers and private companies work just as hard and achieve tremendous results as well.

Yet, somehow, we are still failing. Cyberattack numbers, whatever their impact, from digital activities to unwanted or disastrous effects, keep skyrocketing every year. Cybercrime has never been so prevalent and real, reaching every possible device, from IoT to supercomputers, as well as network routers, smartphones and personal computers. Cyberattacks have become a go-to companion, wherever there is malicious intent to tackle competition, hijack accounts, spy on a partner, persecute a minority, disrupt critical infrastructure, influence electoral processes, steal knowledge or obtain money. Cyber-based conflicts keep escalating, to the point where there is now a trend around the globe to proclaim that cyberwar capabilities are being developed, and kinetic force could be used as a response to cyberattacks whenever deemed fit. And ransomware or state-sponsored cyberattacks kept hitting hard even when we are all confronted with a pandemic.

Our hypotheses and beliefs

Why does all that outstanding technical effort, an abundance of cybersecurity solutions, highly skilled workforces, and decades of awareness raising fail to tackle cyberthreats? Although a lack of concern, specialized technical knowledge, skilled resources and training may have kept the defense a few steps behind for a while, we think these factors are no longer a major barrier. Instead, we believe that issues surrounding governance and a sense of responsibility are now what primarily prevent mission success.

A lack of global willpower and instruments

First of all, we believe that there is a lack of high-level global desire for cooperation and governance to properly tackle cyberattacks and protect what is at stake.

We all agree that every human being should be guaranteed a minimum set of rights, that the development of nuclear warheads should be limited, if not outlawed, or that warfare should be regulated and overseen. These crucial safeguards to peace and freedom did not come about by chance; they came from political willpower, international cooperation, continuously improved governance and determined enforcement.

However, states have not agreed yet about a binding treaty or about how existing international law applies to keep our digital world at peace. There are regular examples demonstrating the major negative effects of cyberattacks on businesses, nations and citizens (or “civilians”), and there have been some initiatives to assess how international law would apply to cyber operations, to globally combat cybercrime, or to establish norms of responsible behavior in cyberspace for states. But these initiatives are not coordinated or global enough, they don’t actually come with the expected regulations, cooperation and clear instruments to increase stability in cyberspace.

Are we waiting for more dramatic effects than those already caused by cyberattacks and cybercrime to advance cybersecurity with strong governance and regulation instruments? We believe that, on top of the intrinsic complexity of international cooperation, a crucial lack of willpower from states is preventing substantial advancement on cybersecurity.

Double-dealing

We believe that lots of players are double-dealing in the digital age. Cyberattacks appear to be highly profitable in the short-term, as they allow attackers and their sponsors to quickly and stealthily gather foreign and domestic intelligence, make money, disrupt or deter third parties, gain a strategic advantage over competitors or in warfare, circumvent regulations, or efficiently disseminate information. As a bonus, these malicious activities have a low entry cost, are subject to no monitoring, and for the most part go unattributed (thanks to, amongst other things, complex digital layers, bulletproof services and factors limiting interstate police cooperation). Therefore, perpetrators do not have to take responsibility for their actions and go unpunished – even when they do get exposed.

Due to these convenient “cyber features”, state or non-state actors might easily be tempted to publicly promote and even act in favor of a safer world, while making sure they can also benefit from offensive activities that remain undetected and go unpunished. Such activities also promote the public and private development of cyberweapons, mercenary services, criminal activities, and the monetization of vulnerabilities instead of responsible disclosure. All this, in turn, harms the efforts of cybersecurity and enables proliferation.

But that’s not all when it comes to double-dealing: government bodies dedicated to cybersecurity and non-state actors can even play this dangerous game to some extent. Cybersecurity threat intelligence and data are of topmost interest to national defense and security management, as well as very valuable to the competitive cybersecurity business. It is a vital asset to the economy, and for detecting or deterring strategic threats. As a result, threat intelligence may not be shared and actioned as easily and broadly as it should, in a common determined path to cybersecurity, but might rather be guarded jealously for private interests. Private companies such as Kaspersky, however, do their best to proactively share intelligence and insights on investigations to the community for free.

Existing regulations are not (global) enough

We also feel that achieving cybersecurity is not possible without a stronger sense of responsibility from all public and private actors that play a role in the development and operation of our global digital space. Governments have already gone some way to fostering this sense over the years by creating or strengthening regulations on personal data processing or protection for critical information systems. While this has been a significant advancement towards cybersecurity, it has unfortunately not been enough.

Most of the cyberattacks we face and analyze do not actually leverage sophisticated technical vulnerabilities or tools, because they don’t need to. It is often way too easy to access the devices and networks owned by a public or private organization because elementary cybersecurity measures are still not implemented, and because the organization’s very own digital assets are not clearly identified or not controlled sufficiently. Every organization that processes digital data of personal significance, or develops or operates digital services, starting with those that benefit us the most, or contribute to our most vital needs, including governments, should be required to implement and demonstrate elementary cybersecurity frameworks. The associated regulations should be global, because cyberspace and digital assets are shared amongst all users around the world. It may not be possible to become invulnerable, but making cyberattacks more costly for the attackers while protecting our digital world a little more is doable.

On top of the lack of preventive and protective measures from many public and private organizations, another responsibility issue is blocking the road to cybersecurity. Cyberattacks cannot be carried out without leveraging publicly available commercial services, such as content hosting, development, infrastructure provision and mercenary services. First, it would seem obvious that any private organization that purposely engages in cyberattack operations or cyberweapons development should have its activities limited by regulations, and controlled by an impartial third party, in order to ensure that malicious activities are constrained by design, and that cyberweapons do not proliferate. Also, in order to maintain peace in the cyberworld, it is critical that any organization whose services are demonstrated to be leveraged to carry out cyberattacks is required to cooperate with cybersecurity organizations designated by an impartial third party, to contribute to cybersecurity investigations and demonstrate efforts to continuously prevent the malicious use of exposed services.

Digital services and information technologies that unintentionally support malicious cyber activities are – most of the time – developed to bring sound and useful outcomes. However, and for decades, vulnerability disclosures and cyberattacks have demonstrated that some technologies or uses are flawed by design and can be exploited by malicious actors. We can probably collectively accept that when the first information technologies were developed and deployed, it wasn’t easy to anticipate malicious uses, which is why cybersecurity efforts only came afterwards. But it is no longer possible nor tolerable to develop, deploy and operate technologies and services that have a global use potential, while ignoring existing threats, and without making them secure by design. Yet, even more vulnerabilities and malicious uses affect relatively modern services and technologies, from IoT and artificial intelligence systems to cloud infrastructures, robotics and new mobile networks. In order to anticipate and prevent malicious exploitation of modern technologies as much as it is reasonably possible, we believe that transparent vulnerability management and disclosure practices need to be developed further by both state and non-state actors; and that technologies or services that are used globally should be assessed by a global community of experts more often.

Last but not least, we also think that more threats could be better anticipated in the future if future generations are globally and systematically educated on information technologies and cybersecurity, whatever their origin or path. This will contribute to a safer world.
...

Continue Reading