Tackling the effects of malicious cyberattacks

Muhammad Zamir | Monday, 8 April 2019

Spiteful cyber activities have been gradually evolving into a growing threat. This is being recognised all over the world after the recent terrorist attack in peaceful Christchurch, New Zealand. This led to the death of 50 innocent civilians. They had only one thing in common. They were Muslims praying inside two different mosques. This outrage subsequently drew the attention not only of community leaders but also the heads of governments across the globe. All of them have come forward and agreed that necessary measures need to be taken to ensure cyber security and responsible use of the social media.
Europe, in particular, has in recent years been subject of several massive cyberattacks. This has persuaded the European Union (EU) to be active in the field of cyber security and try and create tools for responding effectively to situations that might be attributed to cyberattacks. Special study teams have been created within the European Commission to study the development of a cyber diplomacy toolbox containing measures, from preventive ones to the use of sanctions. This is still not complete or operational.
The attribution of cyberattacks poses a number of challenges, both technical and political. This casts its own shadow on the matrix. This creates sensitivity as European states like that of other countries in Asia, Africa, the Middle East or in Latin America do not possess a similar level of the required cyber and intelligence capabilities. There is also lack of uniformity in aspects pertaining to the political and administrative processes necessary to properly attribute cyberattacks. In addition to this, there is in Europe, as in Asia, the question of attribution of the crime. This assumes a sensitive dynamics given the political nature of such attribution that to a great extent is associated with foreign policy decisions which are subject to diverse geo-political considerations.
The rest of the world needs to monitor what the European Council is doing in this regard - with great care. The EU Council has been trying to overcome differences of opinion by ascertaining what are the least common denominators that may promote, instead of hindering, collective action as a common diplomatic response. In this regard, EU institutions are trying to develop common threat assessments and a shared culture of attribution of cyberattacks. To achieve this, cyber experts from EU member states are advising member countries not only as to how to upgrade their information sharing but also exercising the Cyber Diplomacy Toolbox. In this context emphasis is being given on necessary strengthening of cyber capabilities, both defensive and offensive.
While doing so, importance is being underlined with regard to required investment in human and technical capacities and also in creating and updating internal procedures so that the work of cyber security professionals feeds into the political decision-making process. This is being taken very seriously because at the end of the day a cyberattack on any EU state will have the culpability of possible sanction being imposed by the EU on the perpetrating state. The EU in this regard is treading the ground with care as the public attribution of attacks or the use of sanctions will have to be wielded carefully, based on strong compelling evidence.
The EU, while undertaking such an exercise is aware that attributing attacks or adopting sanctions can potentially worsen relations with the particular country concerned. However, at the same time their cyber experts have pointed out that, not reacting to cyberattacks is likely to encourage similar or even more damaging behaviour. Consequently, the EU's cyber diplomacy toolbox is intended to play a role in the calculations of potential aggressors and also acting as a deterrent against bad behaviour.
In this regard, the EU, USA and Canada are pursuing cooperation with the private sector and with international partners. The EU is doing whatever is required keeping in mind the delicate and sensitive scenario that might emerge with post-Brexit dynamics round the corner.
Japan, South Korea, Singapore and the BRICS (Brazil, Russia, India, China and South Africa) community are taking special note of how the situation is evolving in the EU. They are seeing this as part of EU's continued investment in confidence-building measures. There is also consensus that there is urgent necessity to develop norms at the UN level. There is agreement in principle that there needs to be global, regional and bilateral cyber dialogues to limit some of the alarming developments occurring in cyberspace.
This approach is being underlined to point out that while the cyber diplomacy toolbox might be complementary to actions by individual member states, acting together would allow countries all over the world to be more credible and send a stronger deterrent message. By responding to cyber threats as a united actor, we can then all be better placed to defend our security, our political and economic interests and be able to further enhance our credibility as an international actor.
Today, the need for ensuring cyber security within our socio-economic paradigm has come to the foreground also through several occurrences that clearly indicate that previous warning in this regard is becoming a reality. Due to the growing risks posed by malicious cyber activities hospitals have to cancel operations, factories are temporarily shutting down; global companies are going offline and incurring huge losses. The increasing number of cyber incidents is also demonstrating that different international actors are continuing to deploy malevolent cyberattacks that can spread rapidly across borders, even beyond their intended targets, compromising ICT (Information and communications technology) systems and causing significant damage. It is also evident that despite international dialogue on cyber security at the United Nations and G20, several states still continue to employ cyberattacks against various entities.
It may be recalled that in May 2017, the WannaCry ransom ware attack quickly spread around the world, encrypting data and demanding ransom payments in the crypto currency Bitcoin. The attack was estimated to have affected more than 300,000 computers across 150 countries, causing between US$ 4.0 to 8.0 billion worth of damages. Among others, carmakers Renault, Nissan and Honda were affected by the attack and were forced to reduce or even stop production at a number of sites in France, the United Kingdom (UK), Romania, Slovenia, Japan, and India. The attack also hit the national healthcare system in the UK, which left hospitals and doctors unable to access patient data and led to the cancellation of operations and medical appointments.
Such unwanted incidents have been taking place even before that for the last three decades. In this context one remembers the 2007 cyberattacks on Estonia amid Tallinn's disagreement with Russia about the relocation of a Soviet-era statue. It drew particular attention to this security challenge. More recently, Ukraine has also suffered a series of cyberattacks, including on its electricity grid, which temporarily disrupted electricity supply in 2015 and 2016.
In June 2017, the major NotPetya cyberattack spread from its target Ukraine, to the rest of the world, affecting numerous companies in Europe. The attack severely affected the Danish company A.P. Møller-Mærsk, the world's largest container shipping company, which saw a large part of its IT infrastructure taken offline, creating a loss of US$ 200-300 million. Losses of similar size were registered by the pharmaceutical company Merck & Co., one of the largest in the world, which had to shut down production of one of its pediatric vaccines. According to a White House assessment, the NotPetya cyberattack created damages amounting to more than US$ Dollar 10 billion.
Recognising the reality of the threat, the EU, United States, Canada, Japan, South Korea and Singapore have been working over the past few years in strengthening cyber security in Europe and tackling cyberattacks against infrastructures, cyber-espionage, intellectual property theft, and hybrid threats using cyber means. They have all been primarily investing in increased prevention, early warning mechanisms, resilience and coordination.
It would be pertinent to mention that unlike the EU and other regional groups, the US, benefiting from a less fragmented decision-making system and better equipped cyber agencies, have been more active both in bringing criminal charges against government-sponsored hackers and in putting in place sanctions against them and their organisations.
In September 2018, the US Department of Justice formally charged a North Korean programmer for several cyberattacks, including for his role in the creation and spread of the Wanna Cry attack. In October 2018, the US Department of Justice announced criminal charges against seven Russian military officers for several hacking operations. These included the hacking of various sporting and antidoping organisations, a US nuclear power company, the Netherlands-based OPCW and the Switzerland-based Spiez Laboratory. Both the laboratory and the OPCW were investigating the poisoning of a former Russian agent in Salisbury in the UK.
In the current situation cyber security has become an important element within our governance structure. It enables us to ensure accountability and also prevent encroachment into privacy. It assists in restricting and controlling the after-effects of fundamentalism, terrorism, sectarianism and populism.
However, in order for us to succeed in defeating malicious cyberattacks we need to guarantee - both in the case of countries or institutions - preventive measures, including confidence-building measures, awareness raising and also cyber capacity building. There also has to be cooperative measures, including the use of political and thematic dialogues and demarches, thematic dialogues and also the potential for applying restrictive measures on the guilty party through lawful responses.
There is international consensus that existing international law is applicable to cyberspace. Existing international legislation includes principles agreed in the reports of the United Nations Groups of Governmental Experts (UN GGE). It would be pertinent to point out that the 2015 UNGEE report offered a non-exhaustive list of the principles of international law that states must observe in their use of information and communications technologies. Among them are "State sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other States", as well as the respect and protection of human rights and fundamental freedoms.

Muhammad Zamir, a former Ambassador, is an analyst specialized in foreign affairs, right to information and good governance.
[email protected]