No Easy Path to Cyber Norms

The recent revelation of a massive intrusion campaign that has been attributed to Russia and has affected government agencies, tech companies, and many other organizations has renewed calls for the establishment of international norms for cyber operations. The concept has been floating around for years, but security and policy experts say that the process of developing and enforcing norms is fraught with potential problems, and it may already be too late.

The scope of the attacks, which first emerged in December when FireEye revealed that an adversary had gained access to its network and made off with its red team tools, quickly expanded to include SolarWinds, Microsoft, several federal government agencies, and a number of other technology providers. Some of the victims were compromised via a malicious update for the SolarWinds Orion IT monitoring platform that thousands of customers downloaded. But others were hit by the same adversary through one of several other initial access vectors, such as password guessing or spraying. The United States government said the operation was likely the work of Russian actors, but stopped short of identifying which group specifically.

Security researchers and government officials have said that the main goal of the adversary was espionage, gathering intelligence, and stealing sensitive data, not destructive actions inside the compromised networks. While espionage is as old as civilization itself and has some relatively established parameters and norms, cyberespionage is a much newer phenomenon and the same kind of guidelines don’t really exist. There have been discussions both nationally and internationally about the need for cyber norms, and some countries have come to agreements in recent years, but establishing one overarching framework may not be a realistic objective.

“The idea of setting norms in cyber is one that’s thrown around a lot. I have this growing feeling, and I have for several years, that the idea of setting norms feels to me like we’re in the decline of the digital Roman empire and we’re telling people it’s not ok to use elephants to cross the Alps and they’re using elephants to cross the Alps, and we will be overrun,” said Katie Moussouris, CEO of Luta Security, during a panel discussion sponsored by the Aspen Institute.

“Every country with the capability will preserve their right to gather intelligence. When it comes to cyber weapons, this isn’t something that we can appropriately define or regulate.”

Part of the problem with the concept of cyber norms is that the lines between cyberespionage and other types of intrusions are blurry at best, and in some cases non-existent, with some actors conducting operations across the spectrum at various points. Intelligence agencies maintain teams that conduct offensive cyber operations against foreign targets, which is generally considered business as usual. But some governments also either sponsor or tacitly tolerate organized groups that run cybercrime operations, ransomware campaigns, and other types of attacks. Moussouris, who has helped develop international standards for vulnerability disclosure and cyber arms control, said that any discussions about cyber norms need to take into account the complexity of the issue.

“I want to make sure that the conversations about cyber norms take into account that nuance,” she said. “It’s the behavior that helps preserve order in the world.”

The easy availability of the technology and knowledge necessary to build out a competent offensive team makes cyber operations much more practical and attainable than traditional military or intelligence operations for many countries. That makes the field of adversaries much broader.

“In espionage there’s too much asymmetry, because there are too many countries that can’t compete with us militarily that can compete with us in cyber,” said Kevin Mandia, CEO of FireEye, during the panel discussion.

The lack of international norms for cyberespionage or other related operations has left the floor open for individual countries to set their own ground rules and perhaps dictate those for other nations.

“We’re seeing a country like China that wants to set all of these rules and standards and that ought to scare the heck out of all of us,” said Sen. Mark Warner (D-Va.)