Despite our continuous research efforts to detect cyberattacks and enable defense, we often feel that we, as members of a global community, are failing to achieve an adequate level of cybersecurity.
This is threatening the proper growth and use of information technologies and digital assets, and as a consequence, most of society’s current and future activities, from recreation to democratic processes, including business, healthcare and industrial production.
We believe that such a failure can be explained by a lack of global willpower, double-dealing activities, and the lack of global regulations. Here, we develop these hypotheses and outline ideas to advance cybersecurity.
What we do, and how it is failing
Kaspersky’s Global Research and Analysis Team (GReAT) is made up of cybersecurity researchers. Our shared capabilities and expertise stem from multifaceted individual experiences and perspectives that can always be traced back to strong technical backgrounds. Each and every day, our skills are focused on clear purposes: to anticipate, discover, detect, track and report cyberattacks. But our activities and findings are, first of all, a way of contributing to a broader mission: to build a safer world. Since our inception more than a decade ago, we have worked very hard, from awareness raising and media interviews to embedded firmware reverse engineering, as well as incident-response support, vulnerability research, malicious infrastructure hunting, code similarity heuristics development, discovery of serious threat actors or advanced malicious frameworks, open-sourced tools, specialized training and expert talks at world-class conferences. As far as our expertise is concerned, we believe that we provide beneficial results to our customers, partners and the world community. We know from previous collaboration and published content that our colleagues at government bodies, other cybersecurity providers and private corporations work just as hard and achieve tremendous results as well.
Yet, somehow, we keep failing. Cyberattack numbers, whatever their impact, from minor to disastrous, keep skyrocketing every year. Cybercrime has never been so prevalent and real, reaching every possible device, from IoT to supercomputers, as well as network routers, smartphones and personal computers. Cyberattacks have become a go-to companion wherever there is malicious intent to tackle competition, hijack accounts, spy on a partner, persecute a minority, disrupt critical infrastructure, influence electoral processes, steal knowledge or obtain money. Cyber-based conflicts keep intensifying, to the point where there is now a trend around the globe to proclaim that cyberwarfare capabilities are being developed, and that kinetic force could be used as a response to cyberattacks whenever deemed fit. And ransomware or state-sponsored cyberattacks kept hitting hard even while we were all confronted with a pandemic.
Our hypotheses and beliefs
Why does all that outstanding technical endeavor, an abundance of cybersecurity solutions, highly skilled workforces, and decades of awareness raising fail to tackle cyberthreats? Although a lack of concern, specialized technical know-how, skilled resources and training may have kept defenders a few steps behind for a while, we believe these factors are no longer a major barrier. Instead, we believe that issues surrounding governance and a sense of responsibility are now what mainly prevent mission success.
A lack of global willpower and instruments
First of all, we believe that there is a lack of high-level global will for cooperation and governance to properly tackle cyberattacks and protect what is at stake. We all agree that every human being should be guaranteed a minimum set of rights, that the development of nuclear warheads should be limited, if not outlawed, or that warfare should be regulated and overseen. These crucial safeguards for peace and freedom did not come about by chance; they came from political will, international cooperation, continuously improved governance and dedicated enforcement.
However, states have not yet agreed on a binding treaty, or on how existing international law applies, to keep our digital world at peace. There are regular examples demonstrating the major negative effects of cyberattacks on businesses, nations and citizens (or “civilians”), and there have been some initiatives to assess how international law would apply to cyber operations, to globally combat cybercrime, or to establish standards of responsible behavior in cyberspace for states. But these initiatives are not coordinated or global enough, and they don’t actually come with the expected regulations, cooperation and clear instruments to increase stability in cyberspace.
Are we waiting for more dramatic results than those already generated by cyberattacks and cybercrime before advancing cybersecurity with strong governance and regulation instruments? We believe that, on top of the intrinsic complexity of international cooperation, a crucial lack of willpower from states is preventing substantial progress on cybersecurity.
We believe that many actors are double-dealing in the digital age. Cyberattacks appear to be highly profitable in the short term, as they allow attackers and their sponsors to quickly and stealthily gather foreign and domestic intelligence, make money, disrupt or deter third parties, gain a strategic advantage over competitors or in war, circumvent regulations, or efficiently influence audiences. As a bonus, these malicious activities have a low entry cost, are subject to little monitoring, and for the most part go unattributed (thanks to, amongst other things, complex digital layers, bulletproof hosting services and the factors limiting cross-border law enforcement cooperation). Therefore, perpetrators do not have to take responsibility for their actions and go unpunished, even when they are exposed. Due to these convenient “cyber features”, state or non-state actors might easily be tempted to publicly promote and even act in favor of a safer world, while making sure they can also benefit from offensive activities that remain undetected and go unpunished. Such activities also promote the public and private development of cyberweapons, mercenary services, criminal activities, and the monetization of vulnerabilities instead of responsible disclosure. All this, in turn, harms cybersecurity efforts and enables proliferation.
But that’s not all when it comes to double-dealing: government bodies dedicated to cybersecurity and non-state actors can also play this dangerous game to a certain extent. Cybersecurity threat intelligence and data are of utmost interest to national defense and security management, as well as very valuable to the competitive cybersecurity business. They are a vital asset to the economy, and for detecting or deterring strategic threats. As a result, threat intelligence may not be shared and actioned as easily and broadly as it should be along a common, determined path to cybersecurity, but might instead be guarded jealously for private interests. Private companies such as Kaspersky, nonetheless, do their best to proactively share intelligence and insights on investigations with the community for free.
Existing regulations are not (global) enough
We also feel that achieving cybersecurity is not possible without a stronger sense of responsibility from all public and private actors that play a role in the development and functioning of our global digital space. Governments have already gone some way to fostering this sense over recent years by creating or strengthening regulations on personal data processing or on the protection of critical information systems. While this has been a significant advancement towards cybersecurity, it has regrettably not been enough.
Most of the cyberattacks we face and analyze do not actually leverage sophisticated technological vulnerabilities or tools, because they don’t need to. It is often way too easy to access the devices and networks owned by a public or private organization because elementary cybersecurity measures are still not implemented, and because the organization’s very own digital assets are not clearly identified or not sufficiently controlled. Every organization that processes personal data, or develops or operates digital services, starting with those that benefit us the most or contribute to our most vital needs, including governments, should be required to implement and demonstrate elementary cybersecurity frameworks. The associated regulations should be global, because cyberspace and digital assets are shared amongst users across all regions of the world. It may not be possible to become invulnerable, but making cyberattacks more costly for the attackers while protecting our digital world a little more is doable.
On top of the lack of preventive and protective measures from many public and private organizations, another responsibility issue is blocking the road to cybersecurity. Cyberattacks cannot be carried out without leveraging publicly available commercial services, such as content hosting, development, infrastructure provision and mercenary services. First, it would seem obvious that any private organization that purposely engages in cyberattack operations or cyberweapons development should have its activities limited by regulations, and controlled by an impartial third party, in order to ensure that malicious activities are constrained by design, and that cyberweapons do not proliferate. Likewise, in order to maintain peace in the cyberworld, it is critical that any organization whose services are demonstrated to be leveraged to carry out cyberattacks be required to cooperate with cybersecurity organizations designated by an impartial third party, to contribute to cybersecurity investigations, and to demonstrate efforts to continuously prevent the malicious use of the exposed services.
Digital services and information technologies that unintentionally support malicious cyber activities are, most of the time, developed to bring sound and useful outcomes. However, and for decades, vulnerability disclosures and cyberattacks have demonstrated that some technologies or uses are flawed by design and can be exploited by malicious actors. We can probably collectively accept that when the first information technologies were developed and deployed, it wasn’t easy to anticipate malicious uses, which is why cybersecurity efforts only came afterwards. But it is no longer possible nor tolerable to develop, deploy and operate technologies and services with global application potential while ignoring existing threats, and without making them secure by design. Yet, ever more vulnerabilities and malicious uses affect relatively modern services and technologies, from IoT and artificial intelligence systems to cloud infrastructures, robotics and new mobile networks. In order to anticipate and avoid malicious exploitation of modern technologies as much as is reasonably possible, we believe that transparent vulnerability management and disclosure practices need to be developed further by both state and non-state actors, and that technologies or services that are used globally should be assessed by a global community of experts more often.
Last but not least, we also believe that more threats could be better anticipated in the future if future generations are globally and systematically trained in information technologies and cybersecurity, whatever their background or career path. This will contribute to a safer world.
Our call and plans
It is rather unusual for cybersecurity researchers and experts to write on governance matters. We don’t pretend that our hypotheses are the most suitable, or the most comprehensive. But we definitely feel concerned, and strongly believe that the points we have raised are hindering a common path to cybersecurity. Furthermore, we are pleased to note that most of our hypotheses and beliefs are actually shared by many others, as can be seen in the 2020 Paris Call consultation key takeaways, or the latest reports from the UN’s OEWG on “developments in the field of information and telecommunications in the context of international security”, to which Kaspersky contributed.
We feel it is now a good time to send a call to all governments and international bodies (and ultimately any citizen) that aim for a safer world: we urge you to demonstrate more willpower, and a more determined approach to cybersecurity, by addressing the causes of failure we have exposed. We ask you to cooperatively choose the long-term peace of our common digital assets over short-term nationalistic or private interests. We do our part, and we want our expert efforts to be leveraged and developed further. We hope for a safer world, and a long-standing peaceful common digital space. We will never achieve this without determined leadership and a global change towards better common behavior.
A cooperative and global governance instrument
We need strong political and technological leaders to drive governments and international bodies towards a cooperative, determined and fast-paced road to cybersecurity. In order to continuously rationalize efforts, share insights and ideas, enable regulation and control, and take global measures, we need them to build a dedicated, strong, permanent and focused international instrument.
We believe that such an instrument could be hosted by the UN, should seek to tackle the causes of the failures that we uncovered, and should help governments to enforce regulations and cooperatively take measures when they are needed.
In order to ensure a cooperative approach by design, to consider the whole spectrum of what is at stake, and to truly take the transnational nature of cyberspace into consideration, we believe that such an instrument should guarantee a continuous dialogue with representatives of governments, private sector organizations, civil society and the technological community. This would enable the creation of cooperative task forces that would provide broad cybersecurity expertise and assessments on various matters, including preventive and protective cybersecurity measures, vulnerability research, incident response, attribution, regulation, law enforcement, security and risk assessment of modern technologies, and cyber capacity building. It would also ensure that most findings are shared across nations and among cybersecurity players.
This governance instrument should also be able to build standards and regulations, and a cooperative approach to coordinate the attribution of cyberattacks and sanctions against non-compliant behavior or crime, as well as risk analysis, capacity building, and education for cybersecurity.
A binding pact of responsible behavior in cyberspace
Nearly two decades ago, the UN started to task groups of governmental experts (GGE) with anticipating international security developments in the field of IT, and with advancing responsible state behavior in cyberspace. One of the most notable outcomes, despite the GGE’s debated results and limited reach, is the definition of 11 norms of responsible state behavior in cyberspace. But after more than a decade, these norms are non-binding, apply to governments only, and have only been endorsed on a voluntary basis. We believe this is not enough, and that it may reflect the lack of willpower and commitment from our leaders to cybersecurity.
We believe that the norms for responsible behavior in cyberspace should be further developed, together with guidance on how these norms should be implemented, to better include non-state actors such as the private sector, civil society and the technological community. After that, they should become binding for members of the international community: if they remain voluntary, why should the bad guys care?
As far as private companies are concerned, the norms could specify transparency and ethics baselines. We must not fail to mention Kaspersky’s own Global Transparency Initiative, which we truly believe to be a good source of inspiration for defining a number of private sector norms. This includes (but is not limited to) independent reviews of processes, security controls and software code, relocation of data processing, as well as the ability for trusted partners, customers and government stakeholders to directly access and check software code or threat detection rules. A code of ethics or ethics principles, from the FIRST international CSIRT community or from Kaspersky, that tackle the responsible disclosure of security vulnerabilities, could also be leveraged as inspiration for private sector norms.
Global regulations and shared means for cybersecurity
In order to tackle the residual double-dealing issues and regulation needs that we exposed in our hypotheses, the global governance instrument or council should build and support further common regulations, on top of the previously mentioned norms of behavior. Such global regulations would ensure a consistent baseline of security requirements, to prevent the proliferation of cyberweapons, prevent and firmly condemn cyberattacks, implement cybersecurity controls, promote responsibility and facilitate cooperation. How, where, and under which terms this governance instrument or guidance can be established should be a discussion for both state and non-state actors, to ensure that we all fully recognize our responsibility to keep the digital space secure.
We deal with cyberattacks of all kinds every day and monitor their context from various sources. Over recent years, we have seen more and more malicious activities from more and more actors, but global cybersecurity has reached a ceiling, and it appears that the potential for cyber-based conflicts is still growing. During the COVID-19 pandemic we have once again seen just how vital information technologies and digital assets are to democracy, the economy, the development of society, security and entertainment.
We believe that now is still a good time for global leaders, international and regional organizations, private sector organizations, the technological community and civil society to collaborate on achieving long-term peace in cyberspace, rather than focusing on the short-term interests of individual countries or private organizations.