A current challenge in cybersecurity practice is how to understand threat and vulnerability at a time of state conflict.
Events in Ukraine prompted national technical authorities in the US, Europe and the Anglosphere to warn of threats to National Critical Infrastructure. Businesses are forced to raise protections against known vulnerabilities, most of which are exploited by criminals, but also to prepare for the novel. To look for anomalies. To detect state actors.
Sometimes we get a glimpse of the melee combat going on in cyberspace. In April, the US announced that it had taken action to pre-empt actors who planned to use the ‘Cyclops Blink’ botnet chain to carry out command-and-control attacks from routers and firewalls. Occasionally, in my cyber practice assisting companies through crises, a state actor emerges. Occasionally, and rarely, “zero day” exploits are used to infiltrate (perhaps where a commercial exploit would fail?), followed by sifting and filtering of data for intelligence purposes or in advance preparation for an unspecified future purpose. What is not seen are destructive “semi-kinetic” attacks, or those that disrupt an entire system, from the equipment of advanced state hacking programs. They are held in reserve. Their use, or even the presence of the malware, could be an intervention or act of war and would cross a threshold hitherto taken seriously.
Most cybersecurity practitioners don’t see novel OC techniques to infiltrate or circumvent. They rely on government agencies to advise them – to complement the “lagging” indication of commercially known threats and vulnerabilities with “potential customer” insight that comes only from state-level intelligence coverage. Insight also comes from having an OC program. The Cybersecurity and Infrastructure Agency in the US and the National Cyber Security Center in the UK would be worth listening to even if they were simply summarizing the threats. A little-understood “secret sauce” is the insight gained from being close to their own offensive teams. It helps them understand what is possible and what is vulnerable, even if the full details cannot be made public.
What should legislators and regulators do in the face of these uncertainties as they attempt to design technology-agnostic and long-term compliance laws and regimes? There’s a contrast between those who benefit from real national security advice and those who don’t, or at least a difference of mindset. In a recent article for the European Union’s Institute for Strategic Studies, I questioned whether the EU is organized to make sound decisions about cybersecurity and privacy. I argued that because it did not have an effective formal mechanism for gathering national security insights from the most cyber-capable member states, it risked adjustment without balance. appropriate prompt. My working example was the Digital Markets Act and whether the risk from disrupting app stores for competitive reasons has been subject to proper security consideration. This was in the early days of the Ukraine crisis, when the EU Commission was discussing creating a “ring of resistance” around the EU. That aspiration looks like a stretch.
Two recent contrasting developments have brought these issues back into focus.
First, it was reported that as the EU worked towards bringing the DMA into force this October, two member states proposed that representatives of the EU’s cybersecurity advisory body, ENISA, be included in the European Group of Senior Digital Regulators to facilitate coordination between Member States and the EU on implementation decisions. Three highlights: (I) existing deployment plans do not have a security component; (II) this step was proposed but not agreed; and (III) ENISA was the agency of choice even though it lacks reliable access to the OC insights on national security that make CISA and NCSC powerful.
Second, the UK Department for Culture, Media and Sport (DCMS), meanwhile, facing the possible change that the DMA will bring to the distribution of applications, is consulting about a code of conduct, and then possibly regulation, to “protect consumers from malicious threats and underdeveloped applications”. The responsibility may fall to the app developers and app stores. It’s hard to say whether there are national security details behind this or if it’s just driven by consumer protection. There are certainly examples where applications are a vector for state actions like blocking or monitoring.
Both are cross-sections of ongoing legislative processes. The EU may not be in the right place yet. More digital laws will apply in the EU, UK and elsewhere. These need to be informed by the reality of cybersecurity and data privacy and, for every regulation, the question arises: “How does this improve our cyber resilience in these uncertain times?” That question has not been asked clearly enough yet.
Information about the Authors
Paddy McGuinness of Venari Security is a former UK Deputy National Security Advisor for Intelligence, Security and Resilience and leads the Cyber Program. Now, he advises businesses and governments globally on issues of resilience to technology, including cyber crises.