Stop treating cyber like a 'boutique technical issue': report

Governments need to treat cybersecurity like “a core national and economic security concern and not a boutique technical issue,” global cyber expert Chris Painter said in a report released today.

This was one of several recommendations provided by Painter in a cyberwarfare policy paper, ‘Deterrence in cyberspace’, released by The Australian Strategic Policy Institute and Australian Computer Society.

“If cyberattacks really pose a significant threat, governments need to start thinking of them like they think of other incidents in the physical world,” said Painter.

“It is telling that [U.K.] prime minister Theresa may made public attribution of the Salisbury poisonings in a matter of days and followed up with the consequences shortly thereafter. Her decisive action also helped galvanise an international coalition in a very short time frame,” he said in the report.

“Obviously that was a serious matter than required a speedy response, but the speed was also possible because government leaders are more used to dealing with physical world incidents. They still don’t understand the impact or importance of cyber events or have established processes to deal with them.”

Painter added that mainstreaming the cyber issue also expands and makes existing response options more effective. A prime reason for the US-China accord on intellectual property theft was the fact that it was considered a core economic and national security issue that was worth creating friction in the overall US-China relationship, he added.

Meanwhile, the report also recommended shortening the attribution cycle. Making progress on speeding technical attribution will take time but delays caused by equity reviews, interagency coordination, political willingness, and securing agreement among several countries to share in making attribution are all areas that can be streamlined, the report said.

“Often the best way to streamline these kinds of processes is to simply exercise them by doing more public attribution while building a stronger political commitment to call bad actors out.

“The WannaCry and NotPetya public attributions are a great foundation for exercising the process, identifying impediments and speeding the process in the future. Even when attribution is done privately, practice can help shorten interagency delays and equity reviews,” Painter said in the report.

Read more: ​How Google is trying to close the tech gender gap

He said that attribution six months or one year after the fact with the vague promise of future consequences will often ring hollow particularly given the poor track record of imposing consequences in the past.

“When attribution can be made quickly, the promise of a future response is understandable but delaying the announcement until it can be married with a response may be more effective,” Painter added.

Other recommendations included building flexible alliance of like-minded countries to impose costs on bad actors; improving diplomatic messaging, and work out potential adversary-specific deterrence strategies.

ACS president Yohan Ramasundara, said that manty of the major malware outbreaks of the past few years have been developed from tools stolen or copied from the products of state-sponsored hacking groups. This has had an impact far wider than national security, he said.

Read more: 53% of IT workers coming from outside tech sector

 “The malware developed from these tools have affected businesses and individuals as well. If we deter the use of these tools, then the internet will become safer for all of us.”

IDG Insider


« Ecovacs Deebot OZMO 930 review: This robot vacuum can mop, too


Hands-on: HP's Envy x2 is a Surface clone boasting 20 hours of battery life »
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail


Do you think your smartphone is making you a workaholic?