How can nation states win the unfolding cyberwar?

Hawkishness and 'Swiss' neutrality go head-to-head at RSA Conference 2017

Nation state hacking is putting democracy and civilian welfare at risk, but there is little consensus on how to deal with this issue.

In two contrasting talks at RSA Conference 2017, Michael McCaul, chairman of the House Homeland Security Committee in the US, and Brad Smith, Microsoft chief legal officer, struck markedly different tones when discussing how to approach these issues.

In his keynote, McCaul said: "It's clear to me that our adversaries are turning digital breakthroughs into digital bombs ... our cyber rivals are overtaking our defences."

"The combatants are everywhere and the phones in your pockets are the battle space," McCaul continued. "Our democracy itself is at risk. Last year, there's no doubt in my mind that the Russian government tried to undermine and influence our elections.

"The crisis was the biggest wakeup call yet that cyber intrusions have the potential to jeopardise the very fabric of our republic."

McCaul pointed to several issues making things harder for those trying to defend against attacks, including a lack of resources.

"There are more cyber outlaws than cyber sheriffs to round them up. A lot of hackers out there should be behind bars, but law enforcement agencies at all levels are struggling to keep up with the volume and complexity of network intrusions.

"Today, in some cases, the United States government is fighting 21st Century threats with 20th Century technology and a 19th Century bureaucracy," he claimed.

McCaul also said there's "a real paradox between national security and digital security".

"Nowhere is this more obvious than with the terror threat," McCaul claimed. "We have a new generation of terrorists who are recruiting over the internet and using virtual safe havens to escape detection and force their propaganda on a global internet scale.

"We have the brutal attacks in Paris and Brussels as tragic examples and reminders of how terrorists stay under the radar by using end-to-end encryption on their phones to cover their tracks."

However, McCaul said governments "must resist the temptation to go after [them] with simple knee-jerk responses".

"We cannot undermine encryption ... it's the bedrock of our internet security. But at the same time we can't allow groups like ISIS to remote control terrorist attacks using the darkness of the web," he added.

Nevertheless, the US "must respond to attacks decisively" if it's to win the war against these varied adversaries, he said.

"We're feeling tectonic shifts on the virtual ground beneath us and our current cyber plans just won't cut it," said McCaul. "Our ability to win the war in cyberspace depends on our ability to deliver consequences by striking back when appropriate."

McCaul's somewhat hawkish tone was in stark contrast to Smith's keynote, however.

Microsoft's Smith called for a digital Geneva Convention and an equivalent of the International Atomic Energy Association (IAEA) to protect civilians.

"We suddenly find ourselves living in a world where nothing seems off limits to nation state attacks. Conflicts between nations are no longer confined to the ground, sea and air, as cyberspace has become a potential new and global battleground," said Smith.

This, he said, is something that needs to change, with the introduction of new international norms.

"Just as the world's governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to ... [protecting] civilians on the internet in times of peace."

As for the digital IAEA equivalent, Smith said: "This organisation should consist of technical experts from across governments, the private sector, academia and civil society with the capability to examine specific attacks and share the evidence showing that a given attack was by a specific nation-state. Only then will nation-states know that if they violate the rules, the world will learn about it."

Finally, there's an important role for the tech sector to play. It must be a neutral "digital Switzerland", said Smith, meaning tech companies agree never to help governments of any stripe attack civilians and civilian infrastructure.

"This commitment to 100% defense and 0% offense has been fundamental to our approach as a company and an industry. And it needs to remain this way in the future," he concluded.

Features editor Jane McCallion is on the ground at RSA Conference 2017 in San Francisco all week. Follow her on Twitter for live updates and bookmark our dedicated page for more coverage from the business security conference.

Image credit: Jane McCallion
