This week’s World Economic Forum (WEF) in Davos, Switzerland featured the launch of the World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society, a global platform for coalitions of public and private sector entities to “collaborate and accelerate progress against shared digital economy goals and to shape a digital future that is sustainable, inclusive, and trustworthy.”
The Forum has partnered with The Boston Consulting Group to produce a report entitled Cyber Resilience Playbook for Public-Private Collaboration, which contextualizes cybersecurity policies through 14 key areas of potential cooperation between governments and corporations. While countries and cultures must make their own choices on how to address the public-private policy challenges facing us in the years ahead, we at McAfee argue that the government and business leaders meeting in Davos this week must answer critical policy questions in four areas to truly have a constructive, positive impact in shaping the evolution of cyberspace in 2018 and beyond.
The Uncertainty of Attribution
Attribution is among the most complex and challenging aspects of cybersecurity, and the implications of getting active defense responses wrong based on faulty attribution are particularly daunting. Government and business leaders must be wary of these dynamics as cyber-attacks inflict greater levels of damage, and as cyber-attack victims demand accountability and retaliation based on such imprecise attribution.
Digital forensic work can suggest a perpetrator behind a cyber-attack, but it rarely does so with certitude. Level-headed attackers will naturally seek to implicate some other party in their handiwork, so false flags and red herrings often litter the cyber-attack scene.
For instance, it could be risky to draw conclusions about a cyber-attack’s origin and perpetrators solely on things such as the presence of Cyrillic, Mandarin, Korean, Arabic, or Persian characters or words within an identified piece of malware. Once such methods of attribution become accepted best practices, attackers will undoubtedly seek to manipulate that acceptance to hide their tracks.
This marks a profound difference from nuclear strategy or conventional terrorism, where proven techniques can source an incoming missile or trace a bomb’s origin. Cyberspace can allow a bit-player terror group to pit nation-states against one another by launching cyber aggression that appears to come from those countries.
There is a clear need for both the private and public sectors to understand where they add value. Pinpointing blame for a cyber-attack takes a blend of cutting-edge digital forensics from the public and private sector, and traditional intelligence from public sector intelligence services or law enforcement partners.
The Unpredictability of Active Defense—Hacking Back
Offensive cyber weapons can be programmed to focus on an intended target. In some ways, they are the ultimate precision ordnance—at least in theory.
In actuality, active defense or “hacking back” cyber-attacks can have unpredictable consequences due to the complex interconnectedness of today’s internet, and the ability of attackers to use that dense complexity to cover their tracks.
Even in capable, officially-sanctioned hands, retaliatory strikes can inadvertently, directly or indirectly impact online services, third-party assets, and individuals in addition to their intended targets.
Add to this wild-card exercise any software bugs or coding errors within these cyber weapons, and small flaws could have large consequences: cyber-attacks could go awry, damaging unintended networks and third-party actors.
The unpredictable dynamics of “hacking back” should place a tremendous priority on the responsible governance and coordination of active defense efforts by public and private entities.
Zero day vulnerabilities
Governments must always recognize that the private sector’s willingness and commitment to cybersecurity collaboration depends in part on how transparent governments are about knowledge critical to their mission, including disclosures of zero day vulnerability discoveries.
Private sector actors must always recognize that governments have the unique responsibility to balance vulnerability disclosures with the necessity to protect real human lives by any means necessary, including digital cyber-weapons exploiting such vulnerabilities.
Once such software vulnerabilities are discovered and publicly released “into the wild,” technology vendors can take action to address those vulnerabilities with security updates. Public knowledge of these vulnerabilities also provides hackers with blueprints for exploiting them through cyber-attacks. If withheld, governments can use their knowledge of the zero day vulnerabilities for cyber-espionage or cyber-warfare campaigns.
While it is reasonable to assume that governments should take an active, responsible role in the research and timely public disclosure of such vulnerabilities, it is also reasonable to assume that governments should “stockpile” their knowledge of zero day vulnerabilities for use in future covert cyber activities.
After all, isn’t there real humanitarian value in using cyber-attacks to digitally disable power plants or other physical military targets without the physical destruction and loss of life caused by a kinetic weapon such as a bomb?
Successful public-private cybersecurity partnerships must involve an ongoing dialogue, and a pragmatic give-and-take exchange between actors. Only by addressing this and other potential trust issues can governments, technology vendors, and other private sector actors hope to work together to gain a step on the cyber-attackers working furiously to uncover and take advantage of the same vulnerabilities.
Threat intelligence sharing
Ultimately, information is the lifeblood of cyber-defense. It’s not an exaggeration to say that success in the previously mentioned critical areas of public-private cybersecurity collaboration relies heavily on getting policies right in the crucial area of threat research, data, and other intelligence sharing. “Getting it right” requires that policies reflect the limitations as well as the advantages of sharing.
Data collected and shared by governments could be out of date in the minds of cybersecurity industry actors. There will always be concerns that government or industry members of information sharing communities might play “free rider,” benefiting from drawing volumes of other organizations’ data and intelligence, while contributing little information of their own.
Strong processes must enable effective, real-time sharing of the data that matters most to enable coordinated responses to security events, such as the cross-industry response to major developments like the WannaCry and NotPetya malware outbreaks, and the Meltdown and Spectre firmware exploit revelations earlier this month.
Beyond episodic collaboration, information sharing must seek to achieve real security improvements over the long-term, while strong privacy protections must be in place to maintain the trust of those whom security efforts are meant to protect.
While leaders at Davos and beyond may understand that cybersecurity is one of the greatest digital challenges of our time, it’s even more important that they understand that no one organization, entity or sector can solve it alone. There’s a reason McAfee believes in the “Together is Power” mantra. The solutions to cybersecurity lie in collaboration and innovation, and public-private partnerships present one of the greatest challenges and opportunities facing us.