24 March 2013

International Risk: Cyberwarfare Rules of Engagement...

When the financial private sector views the actions of government in terms of regulation and compliance, it often considers them another risk to its operations.  Why?  More rules and the need to report on oversight create new obstacles to other, more valuable revenue-producing activities.  CDOs are an example of a financial product that explains why the government regulation mechanism continues to exist.  Yet the implementation of internal controls, to thwart the embezzlement of funds or the theft of proprietary intellectual secrets, is something that is encouraged and welcomed in the banking community.  This paradox continues to occur in the cyber risk management domain:
Systemic risk as a result of banks' cyber interconnectivity is becoming a key risk for financial institutions, delegates at OpRisk North America in New York heard this week. The transfer of data occurring through this interconnectivity can put many banks at risk in the event of certain types of cyberattack, warned Adrienne Haden, assistant director, operational risk and IT risk policy at the board of governors of the Federal Reserve System. "Some of the key areas of concern for risk management in terms of capital involve information security and cyber security," she told the conference.
The dawn of Internet banking spawned the Operational Risks associated with using public networks for our various banking transactions.  The oversight of cyber risk management in the financial institution is becoming more mature by the day.  Government is learning to apply the right oversight to private-sector institutions more effectively, through the use of international standards such as ISO 27001 and NIST best practices to protect Critical Infrastructure.

In the last few months, the newest strategies for cyber risk management have been a robust topic of global conversation.  New reports on the origin of state-sponsored hacking and cyber crime data breach incidents have produced some new theories on how to address these international Operational Risks:
Deadly force against organized hackers could be justified under international law, according to a document released Thursday by a panel of legal and cyber warfare experts.  Use of lethal force on those behind a cyberattack on a nation would be legal if the virtual attack meets criteria similar to those currently accepted for real-world warfare, said Michael N. Schmitt, chairman of the International Law Department at the U.S. Naval War College in Newport, R.I.  Schmitt is the editor of the Tallinn Manual on the International Law Applicable to Cyber Warfare, a 300-page book put together by a score of experts at the request of NATO and published by Cambridge University Press.
Even the most knowledgeable cyber experts are at odds over the topic of "Active Defense" and the use of asymmetric cyber force to retaliate against a so-called attack or denial of service.  A kinetic response is much clearer, because it is based upon the source or attribution evidence of the attack.  In the cyber domain, the word "Attribute" has some very interesting ramifications.
Seoul, South Korea (CNN) -- The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim.
The Korea Communications Commission, a South Korean regulator, said that after "detailed analysis," the IP address that was thought to be from China was determined to be an internal IP address from one of the banks that was infected by the malicious code.  It said, though, that "the government has confirmed that the attack was from a foreign land."
The State-of-Play will remain the same, and for good reason.  The governments of the world do not take issue with each other performing reciprocal cyber espionage.  This practice is just a new version of intelligence collection and the next manifestation of Tinker Tailor Soldier Spy.  However, if there should be any visible or kinetic damage to infrastructure, then the Tallinn Manual will be a vital resource for all.  The question remains: what is a cyberattack?  Jim Lewis says:
"Cyberattack" is one of the most misused terms in the discussion of Chinese hackers. With very few exceptions, China has not used force against the United States in cyberspace. What it has been doing is spying. And spying, cyber or otherwise, is not an attack or grounds for war, even if military units are the spies. Spying isn't even a crime under international law, and it wouldn't be in Washington's interest to make it so.