What is Essentially Needed is a NATO or Similar Structure Organization for Cyberwarfare
In case you missed it, Canada and China have just announced signing an agreement vowing not to hack each other for the purpose of economic espionage. The agreement specifically cites confidential business information and stealing trade secrets. It does not refer to national intelligence gathering or espionage.
As we stated back in 2012, agreements and treaties will be far more effective and cost effective than trying to secure our fundamentally flawed supply chains and infrastructure, and less risky and potentially ineffective than the insane idea of active defense and hackback (although no-one seems to have told the UK government this).
According to the Verizon Data Breach report 2017, the main target of economic espionage is the manufacturing sector, with the pharmaceutical sector a close second. Verizon identified 620 breaches targeting the manufacturing sector,with 94% defined as economic espionage and attributable to nation state actors. 91% of the targeted and stolen data was classified as “secret”, indicating that these were trade secrets and intellectual property. In many instances, the targeted business units were Research & Development or related departments.
Worryingly, the majority of attacks against manufacturing and pharmaceutical companies are not opportunistic. Due to the fact that trade secrets are obviously a valuable and critical data type, and also actively developed and kept in specific business units and assets, they are better secured than most companies infrastructure.
R&D is expensive. It can require many years of iterative research that is difficult to begin from scratch or catch up, and can also frequently be a gamble without a guaranteed payoff. In the pharmaceutical industry for example, the success rate of a new medication getting through FDA approval is only 9.6%. This makes R&D a very lucrative and worthwhile target of cyberwar.
Most people will however have noticed that there is a lot less news around the topic of Chinese hacking recently. This can be partially explained due to a similar agreement between the USA and China that was conclused in 2015. The common wisdom is that this was based on the potential negative impact from the threat of economic sanctions. Similar agreements have also been concluded with Germany, the United Kingdom and Australia.
The threat of economic sanctions was however not new, may have had only a negligible impact and China would of course have had the ability to retaliate in many different ways. So this begs the question, why did they agree to do this when they did?
There may be two fundamental reasons why China has agreed to cooperate in recent years. The first is that they are now not the ones just copying anymore, they are also being copied, as Andreessen-Horrowitz have recently stated. In essence, they now have to protect their own intellectual property and trade secrets and are experiencing the same difficulties in securing their digital infrastructure as any other nation. The second is a little more sobering: China may have already acquired the majority of the data that they needed or wanted from the USA and Canada.
Even though chinese cyber-espionage activity focused on the USA has diminished, It appears as though China is still very much active in other regions, if you trust the attribution.
We may now see a wave of increased activity against other nation states targeting trade secrets and IP. In each case, there will be a window of opportunity before the targeted nation will be able to reliably attribute the attacks (if at all, not every nation has the same capabilities in this regard as the USA), and before the slow wheels of governance begin to pivot towards threatening sanctions or other disincentives – at which point China will in some cases, depending on the clout of threats, be willing to offer an agreement such as with the USA or Canada. Bilateral agreements with China will only be a viable path for some nations and be based on the geopolitical and economic relations that they have with China. This bodes badly for Taiwan, South Korea and Japan for example. China has been very shrewd and an observer may note that the agreements so far have been with the Five-Eyes and related nations, who’s cyberwarfare capabilities are equal if not superior to China’s. This was to an extent predictable and is based purely on power dynamics.
The same approach will also sadly not work with Russia. There are already a large number of sanctions in place and Putin’s government is motivated more by geopolitical than economic strategic objectives. However, the lifting of certain sanctions may provide an alternative incentive to limit certain types of cyberwar activity.
But the real solution lies the creation of agreements and governance that will provide protection for everyone. One possible example sanction would be to disconnect rogue nations entirely from the internet, but as the internet has no discernible borders this would require the cooperation of many countries. Nations refusing to join and adhere to any agreements could be firewalled off, with all traffic originating there being treated as potentially hostile with increased monitoring and restricted access. The internet is a shared commons with such a strategic importance for everyone, and it is time to stop pretending that it is a self-enclosed world without rules. What is essentially needed is a NATO or similar structure for cyberwarfare.