Cyber wrap
25 Jun 2014|

Jason Healey

It’s a grim picture in this week’s cyber wrap as news of attacks and vulnerabilities pile up. According to the Australian Signals Directorate (ASD), foreign-state sponsored cyberattacks on Australian targets have surged by 21%, with thousands more likely unreported. The ASD Cyber Security Picture 2013 is chock-full of interesting statistics, explores how adversaries have diversified their tradecraft, and offers a critical warning that supply chain, contractor and third party vulnerability could compromise individuals’ personal information security.

This uptick of cyber malfeasance was certainly on show last week, with the New York Times exploring the increased popularity of cyber extortion schemes like those that hit Feedly and Evernote in recent days. Meanwhile, Hong Kong’s unofficial referendum on chief executive nominations was hit by ‘one of the largest and most persistent’ distributed-denial-of-service (DDoS) attacks ever, while news broke of state-sponsored attacks targeting 75 US airports, two falling to the advanced persistent threat (APT) operation.

Increasingly public cyber incidents have spurred the business community into action. Unfortunately, the legal scope for the kind of action businesses can take remains muddled, with questions surrounding honey-pot liability and the right to retaliate. With the default Department of Justice response to corporate retaliation—‘Oh wow, now I have two crimes’—many companies are turning to insurance to limit the cyber damage to their tangible bottom-lines. Although cyber insurance is hyped as a booming market, the reality is that the cyberinsurance industry is a mess. Even in the vaunted critical infrastructure sector, underwriters cite a lack of data points as a major hindrance to cyber insurance. For instance, Carter Schoenberg points out that ‘Flo’ (a well-known character on US insurance ads) certainly doesn’t know her way around cyber insurance, however he does offer a few helpful hints.

Although countries like India are scrambling to boost their cybermaturity, the booming private sector demand for skilled cybersecurity professionals has left governments struggling to secure their own systems. Despite a title sourced from the turn of the millennium, RAND’s report H4CKER5 WANTED, has pertinent, contemporary findings. The report finds scarcity, high competition, and even crisis in the cybersecurity labour market. However, with educational initiatives already in-place ‘the best steps may already have been taken’ and it’ll simply be a matter of time before the labour lag catches up with market demand.

The French Ministère de la Défense has instituted its own response:  France is circumventing the cyber labour market altogether by looking to train its own cadre of cyber defence experts. While other governments could easily adopt this measure, in the US a skilled workforce isn’t the only government challenge in cyberspace. The Federal Bureau of Investigations has been proverbially caught NIFOC with an FOI release of its official glossary of ‘Twitter shorthand’ which has left many questioning, AYFKMWTS?

Of course, it’s not all doom and gloom. With cyber experts worldwide working to improve cyber security, policy, education, and awareness, there’s always hope for the future of cyberspace. The ASPI International Cyber Policy Centre hosted one such thought leader last week when it welcomed Jason Healey (pictured above), Director of the Cyberstatecraft Initiative at the Atlantic Council in Washington, DC.

Jason’s presentation looked to the history of cyber conflict to draw lessons for today’s cyber cohort. Three key lessons included 1) the constant dynamics of cyber conflict, despite changing technology levels, 2) the consistent overestimation of the impact of cyber attacks, which has led to a focus on disruptive attacks at the expense of more prevalent issues such as cyber espionage, and 3) that the more strategically significant a cyber conflict, the more similar it is to conflicts in the air, on land, and on the sea.

Following the short presentation, Jason was joined by Andrew Bewick, General Manager, Defence at IBM and Justin Bassi, National Security Advisor at the Office of the Attorney-General for an engaging discussion moderated by ICPC Director Tobias Feakin. The conversation touched on the need to convince senior policymakers of the importance of cyber issues, the critical role for education and awareness raising, as well as the need for the private sector to drive the issue forward. Live tweets from the event can be found @ASPI_ICPC.

Lastly, ICANN50 wraps up in London tomorrow. Keep your eyes on London50 for releases from the event and on the Strategist next week for a special edition Governing the Net overview of what went down.

Klée Aiken is an analyst in ASPI’s International Cyber Policy Centre.