How to Prevent Future Cyber Attacks

Wednesday’s indictment of Russian hackers, including from Russia’s Federal Security Service, over cyberthefts against Yahoo and the continuing controversy around cyberattacks by Russia against the Democratic National Committee have highlighted the challenge of internet vulnerability….

As challenging as such attacks are, they can be met if the United States and like-minded countries undertake to do so. The first step would be to organize properly, working across national jurisdictions to ensure the stability of the global internet system. An International Cyber Stability Board of highly cyber-capable nations consisting initially of the United States, Canada, France, Germany, the United Kingdom, Japan, the Republic of Korea and Australia could join together to create international standards, protect infrastructures and undertake common approaches to develop a more resilient future internet. Such an approach could both go far beyond what current institutions can do and build on, and make enforceable, standards and other actions undertaken by existing entities. The key is combined efforts by like-minded nations across international borders, rather than reliance on narrowly focused expert groups – an approach which the attacks noted above demonstrate has been an abject failure….

First, the board could protect the critical infrastructure backbone of the internet – those entities that are systemically important to internet stability….

[T]he Board could help establish, or adopt from existing expert groups, appropriate controls to create significant resilience for such crucial infrastructures. It could likewise support contingency planning for cross-border crisis management during or in response to future attacks. Such actions are beyond the capacity of a single business or single government, and no expert group operating narrowly has the capacity for an international enforceable approach such as contingency planning.

Second, the board could establish an enforceable set of standards for the rapidly emerging so-called internet of things. …

While such connectivity comes with promises of better living standards, greater efficiencies and lower costs, the recent attacks reveal the potential of the internet of things to be exploited to further cybercrime, increase personal vulnerabilities and cause structural failures of critical infrastructures ranging from transportation to food chains and health care. Such downsides could be significantly mitigated, however, if proper controls for connected devices were required, including software designed only to operate in specific ways without the ability to be modified….

Third, the national members of the proposed board have all been subject to cyber espionage, politically motivated intrusions and criminal activity. The board could help coordinate international responses to these activities, including the sharing of data, analysis and tools, and undertaking coordinated campaigns and responses. A multinational effort coordinated by the board to utilize intelligence, cyber capability, financial, law enforcement and other powers to disrupt the actions of malicious actors would have significant impact. For the board to be fully effective, it should go beyond the establishment of information-sharing standards and undertake a coordinated operational approach….

Cyber capability has become an integral part of modern life, and modern institutions are necessary to safeguard it. Currently, no entity has the information or the capacity to formulate an assessment broader than one based solely on a nationwide or sector-specific basis of the evolving risks to the stability of the internet. An International Cyber Stability Board could help to ensure that national and international authorities, relevant international supervisory bodies and expert groups can effectively promote international internet stability and reduce systemic risk.

Franklin Kramer is a distinguished fellow and board member at the Atlantic Council and a former assistant secretary of defense. Robert Butler is an adjunct fellow at the Center for a New American Security and served as the first U.S. deputy assistant secretary of defense for cyber policy. Catherine Lotrionte is the director of the CyberProject in the School of Foreign Service at Georgetown University and former counsel to the president’s foreign intelligence advisory board and former assistant general counsel at the Central Intelligence Agency.

Image: Air traffic controllers aboard the aircraft carrier USS George H.W. Bush, Feb. 8, 2012 (photo: Specialist 3rd Class Kasey Krall/US Navy)