Challenges in Cybersecurity Risks, Strategies, and ... - Unidir
Challenges in Cybersecurity Risks, Strategies, and ... - Unidir
Challenges in Cybersecurity Risks, Strategies, and ... - Unidir
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
possible. Military “cyberweapons” are therefore s<strong>in</strong>gle-use <strong>in</strong> nature <strong>and</strong> require various levels<br />
of effort <strong>and</strong> resources, which makes these attacks very costly compared to everyday<br />
cybercrime.<br />
As also discussed <strong>in</strong> other sessions, the panelists argued that attribut<strong>in</strong>g cyberattacks is one of<br />
the biggest challenges of cybersecurity. Although this is complex, it is theoretically possible;<br />
however, it requires <strong>in</strong>ternational cooperation.<br />
It was emphasized that one of the key aspects of defend<strong>in</strong>g aga<strong>in</strong>st, detect<strong>in</strong>g, <strong>and</strong> counter<strong>in</strong>g<br />
military hack<strong>in</strong>g is to know one’s own system better than any attacker <strong>and</strong> to keep develop<strong>in</strong>g<br />
<strong>and</strong> question<strong>in</strong>g its security constantly. The speaker added that a further defense mechanism is<br />
to enhance threat detection <strong>and</strong> diagnosis, which will reduce response time <strong>and</strong> thus m<strong>in</strong>imize<br />
damage. The development of offensive defense mechanisms could also be an option, for<br />
example, hav<strong>in</strong>g a team of experts gather <strong>in</strong>telligence on the attackers <strong>and</strong> analyze zero-day<br />
exploits. Many therefore argue that the ability to hack others is a requirement for successful<br />
defense. At the <strong>in</strong>ternational level, one panelist also proposed that <strong>in</strong>telligence agencies <strong>and</strong><br />
militaries should share vulnerabilities, knowledge of unknown attack mechanisms <strong>and</strong> zero-day<br />
exploits, while mak<strong>in</strong>g use of trusted sources for attack <strong>and</strong> defense tools. Restrict<strong>in</strong>g the spread<br />
of malware, penaliz<strong>in</strong>g <strong>in</strong>ternet service providers (ISPs) for host<strong>in</strong>g malware, <strong>and</strong> mak<strong>in</strong>g the<br />
software <strong>in</strong>dustry liable for their products were also proposed as options. In contrast to these<br />
new approaches to high-end cybersecurity, most products of the IT-security <strong>in</strong>dustry currently<br />
<strong>in</strong> place <strong>and</strong> marketed as advanced were considered to be of low or negligible value <strong>in</strong> the<br />
defense aga<strong>in</strong>st sophisticated attackers. The IT-security <strong>in</strong>dustry was criticized for<br />
scaremonger<strong>in</strong>g about the wrong th<strong>in</strong>gs <strong>and</strong> for sell<strong>in</strong>g a false sense of security <strong>in</strong>stead of actual<br />
security.<br />
TRACK 2.3<br />
REGULATING CYBERSECURITY<br />
The f<strong>in</strong>al Track exam<strong>in</strong>ed the potential for <strong>in</strong>ternational regulation <strong>in</strong> the cyber realm. While the<br />
need for <strong>in</strong>ternational cooperation <strong>and</strong> public law regulat<strong>in</strong>g the response to challenges <strong>and</strong><br />
attacks orig<strong>in</strong>at<strong>in</strong>g <strong>in</strong> cyberspace has not been questioned, it is, however, difficult to determ<strong>in</strong>e<br />
how exist<strong>in</strong>g law can be applied to the cyber realm. Among the key challenges – a panelist<br />
argued – is the lacuna <strong>in</strong> <strong>in</strong>ternational law regard<strong>in</strong>g cybersecurity or cyber activity, especially<br />
regard<strong>in</strong>g the laws of armed conflict, s<strong>in</strong>ce warfare is still pictured <strong>in</strong> conventional terms. So far<br />
few attacks have triggered state responses <strong>and</strong> the progress <strong>in</strong> def<strong>in</strong><strong>in</strong>g what responses are<br />
legitimate is considered to be very slow, not least because of the attribution problem. A speaker<br />
argued that the present situation does not permit the exercise of Article 51 of the UN Charter,<br />
the right to self-defense, which requires several prerequisites to be met: the damage caused by<br />
an attack should be comparable to armed attacks, the identity of the attacker must be known,<br />
<strong>and</strong> a state needs to be attributed with the attack. The panelist also expla<strong>in</strong>ed that the measures<br />
taken <strong>in</strong> response have to be proportional. As attribution – among other th<strong>in</strong>gs – is not always<br />
currently possible, the expert concluded that Art. 51 is currently <strong>in</strong>applicable. Regard<strong>in</strong>g<br />
precautionary measures, <strong>in</strong>ternational environmental law could be considered to be transferrable<br />
to the cybersphere, accord<strong>in</strong>g to the next panelist, as “exist<strong>in</strong>g <strong>in</strong>ternational law governs state<br />
activities wherever they are carried out, <strong>in</strong>clud<strong>in</strong>g <strong>in</strong> cyberspace.” Nonetheless, the expert<br />
po<strong>in</strong>ted out, the unique <strong>and</strong> specific attributes of the cyber doma<strong>in</strong> complicates the application<br />
of exist<strong>in</strong>g law, norms, <strong>and</strong> term<strong>in</strong>ology. It was argued that some of the key challenges could be<br />
resolved by <strong>in</strong>terpret<strong>in</strong>g treaties us<strong>in</strong>g “common sense”, while others depend upon “unanimous<br />
19