Posted by Scott Charney, Corporate Vice President, Trustworthy Computing
It is clear to most that the Internet and related technology advancements provide significant benefits for individuals, enterprises and governments. However, as global connectivity has grown, so has the cyber threat. This is why Microsoft, along with the ecosystem at large, works to combat the cyber threat and help protect our customers through a variety of mechanisms, including using security-focused development practices (the Security Development Lifecycle), sharing our understanding of the threat landscape through the Security Intelligence Report and working with partners throughout the industry to tackle specific threats like botnets.
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations, and craft appropriate responses. Although many organizations have invested significantly in information assurance, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complicated threat.
That is why in a keynote today at the East West Institute Cybersecurity Summit, I will discuss the reasons why cyber attacks often confound those responsible for crafting responses and suggest a new framework for creating effective strategies for responding to potential cyber attacks.
Specifically, I outline six distinct factors that I believe make understanding and quantifying cyber threats a challenge:
Of course, society is not starting with a blank slate: there are existing methods for dealing with bad actors, methods that have been codified in law and that do not necessarily work well in the cyber environment. For example, in the United States, we have a legacy of different organizations that use different authorities to address different threats to public safety and national security. But the agency assigned, and its authorities, depend upon who is attacking and why, two predicates not always known in Internet attacks.
This leads to another key step that I think we need to take – deconstruction of the broad category of “cyber threat” into more granular categories. With regard to categories, I have identified four: cyber crime, military espionage, economic espionage (and other areas where nation-states are in philosophical disagreement on normative behavior) and cyber warfare. By breaking the problem into more focused categories, we are able to incorporate experience and progress we’ve made in the non-cyber world and to develop specific plans that may have very different requirements for progress.
However, to act on the different categories, we are also going to need to improve our ability to identify the “who” and “why” of particular cyber attacks. The initiating party and their motives are frequently unknown due to the open and unauthenticated nature of the Internet. This lack of information complicates the decision of how to respond appropriately. For example, should the attack initiate a law enforcement investigation or is it a national security concern? The key question then is how do we begin to solve this problem?
There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it. The breadth of criminal activity, the number of actors and motives, and the lack of reliable attribution have all served to make crafting responses to attacks difficult. While there are no easy answers, greater attribution and clearer rules for responding would enable the development and implementation of better strategies and tactics for responding to cyber threats.
I believe the course of future action for forward progress should include these steps:
I look forward to the ongoing dialogue with industry and governments to better help protect our customers and realize a safer, more trusted, Internet. You can download the full paper, which expands on the ideas I’ve outlined, at this link.