It seems every day brings news of another high-profile cyberattack or intrusion affecting our personal data, national security or the very integrity and availability of the institutions and infrastructure on which we depend.
This article was written by Christopher Painter, a Commissioner on the Global Commission for the Stability of Cyberspace and formerly the top cyber diplomat at the US Department of State. He was a 2018 Visiting Distinguished Fellow at ASPI’s International Cyber Policy Centre.
These cyber threats come from a range of bad actors including ordinary criminals, transnational organised criminal groups and nation-states.
Indeed, in mid-February, Australia, the United States, the United Kingdom and several other countries attributed the devastating NotPetya ransomware worm—that caused billions of dollars of damage across Europe, Asia and the Americas—to the Russian military as part of the Kremlin’s efforts to destabilise the Ukraine.
At the same time, special counsel Robert Mueller in Washington unveiled a remarkably detailed criminal indictment charging a range of Russian individuals and organisations with a concerted effort to undermine the 2016 U.S. elections.
Although active, Russia is hardly the only prominent nation-state threat actor in cyberspace. North Korea orchestrated the attacks on Sony Pictures and was responsible for the recent WannaCry ransomware that seriously affected the UK’s health-care system. Iran was responsible for attacks on U.S. financial institution websites. And China conducted a prolonged campaign of cyber-enabled theft of trade secrets that targeted businesses in Australia, the U.S. and many other countries.
Some states also pose international policy challenges—using cybertools to monitor and repress their citizens. Criminals and other non-state actors have caused huge financial losses and compromised personal data through ever more sophisticated cyber schemes. Don’t yet attack critical infrastructure through cyberspace, but use the internet to plan, recruit and communicate.
In the 27 years that I’ve been dealing with these issues—first as a U.S. federal prosecutor, then in senior positions at the Department of Justice, FBI, White House and most recently as Coordinator for Cyber Issues at the State Department—I’ve never seen the threats we collectively face in cyberspace to be greater, or the need to address them to be more urgent.
Fortunately, there’s now much greater public and governmental attention on these issues then there was even a few years ago. Australia has launched ambitious cybersecurity and international cyber strategies, created new institutions and appointed seasoned leaders to key posts. The U.S. has focused on cyber issues for the last decade—among many other things enhancing incident response, creating international and domestic strategies, and promoting a framework for cyber stability.
Other governments are also increasingly prioritising cyber issues, as are at least some key business sectors. Moreover, there are now so many ‘cyber summits’ devoted to these issues around the globe that it seems we’re in the middle of the Cyber Alps (European or Australian).
Yet, though cyber may be the new black because of all this attention and activity, something critical is missing. Cyber still hasn’t been woven into the fabric of our core national security and other policies. Too often it’s seen as a separate, boutique issue.
I was in Australia earlier this year—where I completed a stint at ASPI’s International Cyber Policy Centre—going to Canberra directly from the Munich Security Conference (MSC)—a sort of Davos for the international security policy crowd. Every year MSC features a number of political leaders, industry titans and senior policy wonks from around the world debating everything from the future of Europe to Middle East peace (or lack thereof) to the rise of China.
Cyber is there too, represented in an ever-increasing array of side events. But, significantly, it’s not on the main stage.
Though it’s great that MSC focuses on cyber in a myriad of side gatherings and at standalone events, the problem with that approach (and which is similar to other major national and economic security forums) is that the cyber-focused events tend to become echo chambers, with the same cadre of cyber cognoscenti travelling like a nomadic tribe from one meeting to the next.
Heads of government, national security advisors, legislators, generals and ministers who come to high-level policy meetings like MSC should be participating in those discussions, especially because they don’t deal with those issues every day and because they may be well out of their normal comfort zone.
Of course this also requires that the cyber cognoscenti do a better job of putting these issues into a form that senior policymakers understand—as core issues of national security, human rights and foreign policy—rather than as primarily technical issues.
The failure to ‘mainstream’ cyber issues into larger national security and policy debates has real consequences. Though there’s greater awareness these days among senior officials that ‘the cyber’ is important, there’s little understanding of what to do to counter cyber threats or how the full toolset of national capabilities outside the cyber arena can be used.
There’s also a real risk that these issues won’t get the sustained attention they deserve. Although I think the discussion is more mature now, there’s a precedent. The U.S. launched a cybersecurity strategy in 2003. But by 2005 it had been essentially shelved because of a lack of understanding and the rise of other priorities.
Further, really integrating these issues with a sustained strategic focus leads to new solutions to some of the key problems we are facing in cyberspace. When widespread Chinese theft of trade secrets and intellectual property was seen as a cyber issue, there was little understanding of its long-term implications or how to respond. Only when it was finally recognised as a core economic and national security issue was the U.S. willing to risk friction in the overall relationship with China, rather than just trading barbs in cyber channels.
That allowed an expanded range of options across the entire bilateral relationship, coupled with a commitment to a sustained multi-year effort that produced tangible results. Unless cyber issues are understood and integrated by non-cyber, senior policymakers, their approach too often is episodic and ineffectual.
Of course, this is also true in the business community. C-suite folks are increasingly aware that cyber is a big thing, but like many senior government leaders, don’t know what to do about it or how to integrate it into corporate decision-making or risk management. While more corporate boards are paying more attention to cyber risks, the responsibility still often devolves to the chief information security officer who, in far too many cases, has limited access to the CEO or the board, and often is dismissed as a cost centre.
There are some positive signs of change. Though there was no cyber-focused session on the main stage at MSC, the UN secretary-general, the UK prime minister, the U.S. national security advisor and several other leaders raised cyber as part of their keynote remarks. There was increased interaction between the ‘cyber tribe’ and the broader community on the margins, and participation of high-level executives from both technology and other companies. More corporate boards are now getting briefings from cybersecurity advisors and the public, at least for the time being, increasingly appears to care about cyber threats.
Nevertheless, if we are truly to succeed in combating the increasing threats in cyberspace and seize the many opportunities it offers, more needs to be done to demystify cyber policy and make it part and parcel of our larger national and economic discourse. We can’t afford for this to be a passing fad or the province of a select priesthood. Rather, cyber policy should be a core concern of every leader, minister and CEO.