19 January 2019

International Risk: Cyberwarfare Rules of Engagement...

When the financial private sector views the actions of government in terms of regulation and compliance, it often treats them as just another risk to its operations. Why? More rules, and the need to report on how they are met, create new obstacles to other, more valuable revenue-producing activities.

Collateralized debt obligations (CDOs) were a focus of the movie "The Big Short" and are an example of a financial product that explains why government regulation mechanisms continue to exist. Yet the implementation of internal controls to thwart the embezzlement of funds or the theft of proprietary intellectual secrets is something that is encouraged and welcomed in the banking community. This paradox continues to play out in the cyber risk management domain.

The dawn of Internet banking spawned many of the Operational Risks associated with using public networks for our various banking transactions. Oversight of cyber risk management in financial institutions is still a major challenge, yet it is becoming more mature by the day.

Government is learning how to apply effective oversight to private sector institutions through the use of international standards such as ISO/IEC 27001 and NIST best practices, such as the Cybersecurity Framework, to protect Critical Infrastructure.

The newest strategies for cyber risk management have been a robust topic of global conversation. New reports on the origin of state-sponsored hacking and cyber crime data breach incidents have produced some new theories on how to address these international Operational Risks:

"Deadly force against organized hackers could be justified under international law, according to a document created by a panel of legal and cyber warfare experts. Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I. Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press."

Even the most knowledgeable cyber experts are at odds over the topic of "Active Defense" and the use of asymmetric cyber force to retaliate against a so-called attack or denial of service. A kinetic response is much clearer, because it can be grounded in the source or attribution evidence of the attack. In the cyber domain, the word "attribution" has some very interesting ramifications: an intrusion is typically routed through compromised third-party infrastructure and may carry deliberately planted false flags, so the apparent source of an attack is not a reliable basis for a retaliatory strike.

The State-of-Play will remain the same, and for good reason. The governments of the world do not take issue with each other's reciprocal cyber espionage. This practice is just a new version of intelligence collection and the next manifestation of Tinker Tailor Soldier Spy. However, should there be any visible or kinetic damage to infrastructure, then the Tallinn Manual will be a vital resource for all. The question remains: what is a cyberattack? Jim Lewis said over five years ago:

"“Cyberattack” is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn’t even a crime under international law, and it wouldn’t be in Washington’s interest to make it so."

Cyberwarfare Rules of Engagement remain a significant international Operational Risk...
