The differences between the United States and Europe on issues of Internet privacy make it difficult to agree on something akin to global cybersecurity policies, but the biggest obstacle is simply the speed with which technology is changing. Those are two of the major takeaways from Bloomberg Government’s Cybersecurity Summit, held last month at the Ronald Reagan Building in Washington, D.C.
Mike Walker, a program manager at the Defense Advanced Research Projects Agency (DARPA), compared improvements in cybersecurity to automobile safety – but not in a positive way.
“Tomorrow’s cars are going to be safer than the ones today,” he said. “But cybersecurity is the opposite … Not only do the attackers win more often, they’re getting better faster. The Internet we’re going to use [in the future] will be more dangerous than the one we use today.”
Walker said the current push toward security automation will not address the zero-day exploits that continue to plague the IT field. “Not one security company could come forward and say they could find Heartbleed through automation,” he said.
Another part of the security challenge is the question of who the threatening party is, since each type of adversary requires its own solutions, policies, and enforcement mechanisms.
Joe Demarest, Assistant Director of the FBI’s Cyber Division, listed five distinct types of cyber foes: the nation-state actors, such as Russia, Iran, and North Korea; cyber terrorists, who seek ways to use their cyber attacks for kinetic effect, such as the attack on Saudi Arabia’s Aramco oil company computer networks that wiped out data on most of the PCs; organized crime, which poses the biggest risk for ordinary citizens in terms of identity theft, card-skimming and other financial crimes; insider threats; and hacktivists, such as those who attacked the Ferguson, Mo., Police Department after the grand jury decision in the Michael Brown case.
Whichever of these groups commits a cyber exploit, the borderless nature of the Internet makes identification and prosecution beyond difficult, said Benoit Godart, Head of Outreach at the European Cybercrime Centre, EUROPOL.
“We are not the United States of Europe,” Godart pointed out. “We are now facing a situation where cybercrime is the speed of electricity.” But it takes time for allies to work together, days, even weeks, to get permissions, he said.
Everyone agreed one critical element must be gaining the active cooperation of the business community, particularly transnational corporations.
“I would like to see the private sector move past the culture of shame and secrecy about what’s happening to them,” said Sen. Sheldon Whitehouse (D-RI), who has been serving on the Judiciary Committee’s Crime and Terrorism subcommittee. “We need government to be a lot more open, classify a lot less, [and] on the private sector side, people simply have to start talking about this … I think the private sector tries to bury [news about attacks on them], and that’s unfortunate.”
Catherine Lotrionte, Director of the Institute for Law, Science, and Global Security at Georgetown University, said building worldwide agreement on what is not acceptable is under way, using the norms established in the physical world.
“Building on something that already exists, though it was not meant for cyber, makes it easier,” Lotrionte said. “The State [Department] is taking rules developed for the physical world and adapting them.”