Cyber wrap
20 May 2015

The German Bundestag

Last week German Bundestag internal servers fell victim to an external hacking attempt. The government is keeping details close to its chest, but a spokesperson for the German Lower House confirmed that the attack had indeed taken place. Spiegel Online reported just days before the attack that German domestic intelligence experts and the internal Bundestag team had noticed an increase in the number of attempts to access the House’s servers. No information has been released as to what, if any, sensitive data was compromised in the attack, but the attempt was serious enough for sections of the network to be locked down temporarily.

Jarno Limnéll has some advice for his European cyber colleagues, suggesting they could learn a thing or two from the latest US DoD cyber strategy. He commends the strategy’s transparency surrounding U.S. cyber doctrine, government roles, policy formation, and more generally, for better integrating cyber strategy into its foreign and security policies. He urges European countries to think more strategically about cyber, in an open, level-headed manner that clarifies their own doctrine, roles, and policy.

Foreign Policy has put together a nice profile on Chris Painter, the US State Department’s mercurial cyber director. The article chronicles some of the most pressing problems Painter faces in his international engagement agenda. Painter shared details of his goal to establish a set of voluntary international cyber standards, including one that would see nations not deliberately targeting civilian critical infrastructure.

On Thursday Painter spoke in greater detail about the international standards and US foreign cyber policy, before the Senate Foreign Relations Committee Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy. You can check out his full testimony here. The subcommittee recently absorbed responsibility for international cyber policy and its increasing prominence is being seen as an attempt by the government ‘to get serious about cyber as a foreign policy issue’.

The Reserve Bank of India is reportedly pondering the creation of its own cyber security body. The Bank’s Governor confirmed that negotiations were taking place on the establishment of a subsidiary entity that ‘(would) supervise and formulate policies for cyber security among other information technology issues related to banks.’ Internet banking has taken off on the subcontinent in recent years and it’s encouraging that the RBI has taken such a direct interest in improving cyber practices, particularly given the delays the Indian government has had in implementing its national cyber strategy.

In the past week, three interesting pieces have analysed the implications of over-hyping the cyber threat. The first, from the Harvard Belfer Centre, looks specifically at the consequences of exaggerating the Chinese cyber threat. The policy brief argues that spreading inflated misperceptions around Chinese capabilities and intentions increases the risk of miscalculation and backlash in cyberspace. The second article took issue with a recently released brief that claimed U.S. critical national infrastructure had experienced ‘more than 500,000 attacks on Industrial Control systems over the last 24 months,’ laying blame primarily at the feet of Iran. As the commentary in the article points out, it’s difficult to attribute the source of attacks to any one country, and using the primary IP addresses (which were located in Iran) as a key evidence base is fraught with problems. The final article, which appeared in Foreign Affairs, rejected the hyper-alarmist idea of a ‘cyber pearl harbour’ by arguing that we are headed towards a period of ‘cyberpeace’. While the authors concede that the number of cyber-attacks is on the rise, the number of attacks that have resulted in a kinetic or physical impact has remained steady, if not dropped. They contend that offensive cyber-attacks alone are not an effective means to air grievances, and that as a result states have entered into a ‘protocol of restraint’.

And finally, for those that are more technically inclined, the Army has released its new cloud computing strategy. For the rest of us, be sure to check out New America’s Peter Singer and Passcode’s Sara Sorcher’s latest cybersecurity podcast. This month they interview Bruce Schneier, Nate Fick, and Kim Zetter discussing ‘Stuxnet, sexism, CEOs, and surveillance.’