As details about the SolarWinds hack emerge, it appears to be one of the most momentous and intrusive cyberattacks against the US government. By accessing SolarWinds software, used by thousands of large companies to manage their computer networks, intruders have created a backdoor for entering computer networks at several US federal agencies and private companies, including Microsoft.
While former US President Donald Trump refused to acknowledge the origin of the attack, the US intelligence community is unanimous of the view that Russia and its SVR intelligence agency launched it.
Determining who carried out a cyber attack, also known as an attribution, is critical to punishing the attacker and deterring further action or future operations by others. The United States, with world-leading cybersecurity and technical capabilities, can determine the mapping relatively easily, as can perhaps a dozen other countries.
But what about the 183 nations that can't?
Imagine if only a dozen or so nations could diagnose COVID-19, understand how it spreads, what harm it could cause, and how it can be prevented and treated. In addition, these privileged nations kept this information to themselves. This is effectively the situation we have with cybersecurity. Virtually all countries are at higher risk of attack because they cannot identify their attackers, let alone defend themselves and repair the damage.
The international community does not tolerate this hoarding of knowledge with a viral disease. Just look at the backlash against China as it holds back early on from sharing information on COVID-19. Likewise, the world should not tolerate information hoarding with viral cyber attacks. Just as there is a global health organization, the World Health Organization (WHO), to better understand and combat health threats, we need a “cyber WHO” to better understand and combat cyber threats.
The Internet has become a complex digital landscape with billions of users, millions of apps and websites, and thousands of network providers and infrastructure nodes from satellites to Wi-Fi routers. Add to this the exponential growth of the Internet of Things, and virtually everything – from cars to coffeemakers – is or will be part of our digital landscape.
In such a world there are an infinite number of access points to a network. (In the SolarWinds attack, for example, the Russians appear to have targeted this company because its software is so ubiquitous in the US government and corporate environments.) Anyone with a laptop can launch an attack. And those with sufficient skills can adequately mask an offensive process by routing it through Internet service providers in countries around the world.
When the risk of getting caught and suffering the consequences is low, the deterrent against attack decreases dangerously low and destabilizes the global order. The chairmen of the non-partisan US Cyberspace Solarium Commission with a blue ribbon wrote: "Today most cyber actors do not feel put off, if not encouraged, to use our personal data and public infrastructure in a targeted manner."
The result was a relentless wave of cyber attacks. In the United States, ransomware incidents, in which criminals freeze the networks of a healthcare system or local government until paid, grew 365 percent from 2018 to 2019. The United Nations estimates North Korea stole $ 2 billion from banks and cryptocurrency exchanges to fund its weapons programs in 2019. Over the past decade, Chinese hackers have stolen personal information from Marriott, the U.S. Human Resources Bureau, and the Equifax credit bureau, to name just three targets.
The assignment is difficult, but possible for a cyber superpower like the USA or Israel, or for a highly developed technology company like Microsoft or FireEye. But for everyone else it is practically impossible. As a result, when the central bank of Bangladesh fell victim to a cyberheist, it had to hire two US companies to investigate, and the Banco de Chile had to act similarly in an attack in 2018.
In order to ward off cyberattacks effectively, national governments must build cyber capacities at the national level – investing in their people to create a cyber-capable workforce, procuring the right technologies, and restructuring their governments and military so that they have responsible campaigners and the processes to be defended and deter cyberattacks.
This will take years for even the most developed countries, and for others they may never fully develop these skills. This is where the international community must step in to close the gap. We need a Cyber WHO, a global organization that can develop norms for behavior in cyberspace;; Share knowledge about threats and attacks, especially their digital signatures; make an attribution if possible; Create best practice exchange protocols; and technical support for countries in all phases of cyberbuilding.
To create incentives for nations to join, a cyber WHO like the rating agencies (S&P and others) could publish a cyber security rating that has the same impact on a country's economy. In my experience of working with developing countries, they seek confirmation from international bodies in order to create more security for investors and other partners.
Of course, coordinating health issues where the common enemy is a virus is easier than when the threat might originate in another country. There may be nations like Iran and North Korea that refuse to participate in such a body and others – like the United States and China – that may offer different levels of cooperation because they do not want to undermine their strategic advantage.
A similar dynamic emerged as countries began to set up their own cyber emergency teams or built-in cyber commands. Banks, for example, refused to share information about violations for fear of appearing weak and, if they prevented it, information that would give them an edge over their competitors.
However, these companies quickly realized that they were only as strong as their weakest link. Nobody asked them to reveal their methods or technologies; It was necessary to share digital signatures for malware or viruses so that others could see the infiltration. This helped others strengthen their defenses and helped government agencies determine the attribution and, if necessary, take action against the perpetrators. The resulting deterrent – no matter how small – was good for everyone.
A cyber WHO would act similarly. It would encourage participating nations – and companies within them – to share information about digital signatures and, where possible, attributions. While I hope a cyber WHO will share best practices with countries looking to build cyber capabilities, it is fair to assume that the most advanced countries would not share all the details of their technologies and methods. Moving to a world where collaborative efforts are made to share what these countries know (as opposed to what they know), to determine attribution, and thereby set standards and share best practices, is an improvement of the status quo.
There are already international collaborations such as NATO's Cyberspace Operations Center, and the United States has a working group to discuss acceptable behavior in cyberspace. But none has the breadth of participation or the depth of mission that WHO has in global health that a cyber WHO would need for cybersecurity. As a result, the world relies on a dozen or so cyber forces and an even smaller number of private companies like Kaspersky, Broadcom, and Microsoft for goodwill information about cyber threats.
A cyber WHO would dramatically increase the amount of information exchanged, provide a framework for finding out who launched a cyberattack, and serve as a resource for nations looking to expand their cyber capacity. This will not eliminate cyberthreats – just as the existence of WHO did not prevent the spread of COVID-19 – but it will provide a way for the global community to create a deterrent to use economic incentives to encourage and encourage bad behavior discourage the curve of the growth of cyberattacks and begin to bring order to the cyber realm.