Update, collaborate and invest: Advice for tackling rising cybercrime

6 Feb 2023

Cybersecurity expert Will Dixon argues for major investment in cybersecurity organisations and skills development to protect critical national infrastructure.

Cyberattacks have become an issue of public safety. While past attacks, even major incidents involving private and public organisations, have not given rise to calls for concerted government actions, the increased risk posed to society and people’s health and livelihoods means that future attacks may lead to calls for greater action.

We have seen in the past the intended and unintended consequences when governments look to quickly combat new or emerging threats that have captured the attention of the public and media at large. We must all recognise that policies and laws governing action against hackers and threat actors should not be reactive.

Rather than wait until the threat level forces nations to declare a war on cybercrime, governments and organisations can undertake the following steps to proactively protect against cyber criminals and develop strategies for agile cybersecurity advancements.

Defining success

A lot of work has been done by national cybersecurity agencies on mitigation at scale by creating and implementing policies to make organisations more secure.

What does not currently exist, however, is a proper definition of what ‘successful’ enforcement means in cyberspace. Are we collectively happy with the current arrest and disruption rates? If not, what are the success criteria we are aspiring to? We need common cybersecurity goals and a shared understanding of what cyber resilience looks like to develop the requisite technologies and skills to protect ourselves.

Improving cybersecurity laws

To improve our cyber resilience, we must consider the options available to law enforcement agencies. These agencies have a wide range of tools and tactics potentially available to them, from arrest and extradition to operations against the systems of criminal groups that disrupt their operations. A clear definition of what is deemed legally acceptable and the conditions under which certain courses of action are available to law enforcement agencies is needed.

Given the murkiness of the cyber underworld and the often deliberate lack of clarity around those that are purely criminal actors versus state-backed, any updated laws must consider the consequences of acting against another state’s threat actors and include measures to avoid such an eventuality. Given current geopolitical tensions, I think we can all appreciate the dangers of actions in the digital realm being misconstrued as precursors of aggression and the potential for escalation.

There needs to be more cooperation on data sharing at a global level so that law enforcement can piece together criminal networks operating in shadowy corners of the world where there is less scrutiny. It is also necessary to allow for the live intercept and disclosure of IP data and computer network exploitation and to make that consistently admissible in courts of law.

While Europol and Interpol have demonstrated some successes in tracking down cyber criminals and arresting them, they have typically done so when these individuals have made the mistake of leaving the safety of the rogue or failed states from which they operate and straying into jurisdictions with better-equipped law enforcement.

To really take on these criminal gangs, it is necessary to forge relationships with countries whose inclination is not to engage in such cooperation, and the price for persuading them to do so would probably be significant and draw criticism.

Bolstering our cybersecurity ecosystem

Updated laws and international agreements will not matter if we do not heavily invest in organisations and people to develop the skills and technologies necessary to protect against cyberattacks.

As it stands, we do not have enough organisations with the skills or headcount needed to protect critical national infrastructure, not in the UK, Europe or the US. Securing the highly complex environments that are created by the confluence of enterprise technology, IoT and operational technology is incredibly difficult. Developing a robust ecosystem of cybersecurity organisations will require concerted effort and collaboration between public and private organisations.

To achieve this, we need positive incentives from national cyber agencies and governments to complement the negative incentives that come in the form of policies and penalties for failing to comply with cybersecurity directives.

We have seen examples of this globally. In the wake of the Colonial Pipeline attack, the US government made money available to the pipeline operators and other organisations involved to help them improve their cyber resilience.

However, this approach needs to be ramped up if we are to meet the ongoing cybersecurity challenges. National cybersecurity agencies and public bodies must work with industry leaders to share insights, knowledge and technology, to turbocharge the development of organisations that are able to secure critical national infrastructure.

Time to be proactive

Now that cybersecurity is an issue of public safety, the stakes are higher than ever.

Without a much greater investment of time, money and effort into protecting our critical national infrastructure, cyberattacks will increase in occurrence and efficacy. We must shore up our national cyber defences and create an ecosystem of organisations that can export its expertise globally.

Doing this is not simply a ‘nice to have’. If we continue on our current trajectory, the likelihood is that we will find ourselves declaring a war against cybercrime, with all of the messy intended and unintended consequences that will bring.

By Will Dixon

Will Dixon is the global head of the academy and community at Istari, which runs a client-centric cyber resilience platform. Previously, he was head of the Centre for Cybersecurity at the World Economic Forum.
