As govts dither, cyber crooks snigger

Differences over how to deal with cybercrime will cost the world very dearly.

The ability of governments to effectively confront cyber threats depends on robust collaboration in the international community. But the regulatory landscape has been fragmented, with limited guidance around response and recovery beyond basic principles.

AFTER extreme weather events, failure to mitigate climate change, natural disasters and massive incidents of data fraud, the World Economic Forum (WEF) this year marked cyber attacks as the fifth biggest risk to society.

The WEF estimates the economic cost from an attack on a single cloud computing provider to be US$50 billion-US$120 billion. To put that in context, 2012's Hurricane Sandy inflicted around US$70 billion worth of damage, while Hurricane Katrina in 2005 caused more than US$125 billion in damage.

The total economic cost of all natural disasters in 2017 is estimated at US$300 billion, but the annual economic cost of cybercrime is thought to exceed US$1 trillion.

Due to the increasing interconnectedness of digital devices and networks, both domestically and across borders, an attack on one or more institutions can have significant cascading effects, which can quickly become systemic. A single-point attack on an intermediary responsible for payments, clearing or settlement could spread to the entire system, leading to widespread outages among payments services.

In 2017 a series of cyber attacks using the WannaCry ransomware, a virus that encrypts user data and releases it only after payment, affected many systems across the globe.

The total cost of these attacks is believed to have exceeded US$1 billion. The NotPetya virus followed, wiping data records of targeted systems of many organisations, which cost shipping operator Maersk almost US$300 million in revenue. Both attacks were suspected to be state sponsored.

Other cyber attacks on critical infrastructure include the disabling of an Iranian nuclear power plant in 2010 and power outages in Ukraine in 2015 following an attack on supervisory control and data acquisition systems. Between 2015 and 2016, a North Korean group hacked Swift payment systems and stole more than US$100 million through unauthorised payment messages.

The ability of governments to effectively confront these threats depends on robust collaboration in the international community. But to date the regulatory landscape has been fragmented, with limited guidance around response and recovery beyond basic principles. Firm-specific strategies to nullify cyber attacks have included custom detection, response and recovery methods. Individual government-led national strategies, without international collaboration, have increased the divergence of cybersecurity approaches.

HARMONISING CYBER LAWS

The ideal would be to realise a cyberspace that is open, interoperable, secure and reliable - one that does not sacrifice functionality for security. One way of achieving this admittedly ambitious goal is to establish a set of core principles based on freedom, privacy, property rights and the right to self-defence.

The Budapest convention on cybercrime, drawn up by the Council of Europe at the start of the century, attempted to set global consensus and bring nations together in the development and implementation of cybersecurity programmes. It was the first international treaty seeking to address cybercrime by harmonising national laws, improving investigative techniques and boosting national co-operation.

Despite having existed for almost two decades, the convention's effect has been limited. Asymmetry in values and differing geopolitical objectives have meant some major players - Russia, China, Brazil and India - have declined to participate. A key issue concerns the convention clause allowing transborder access to stored computer data during cybercrime investigations by the special services of various nations. Russian authorities believe this could undermine their national security and sovereignty.

India, however, has said it will reconsider its position.

A regime can only be effective if all major powers participate and accept the relevant provisions. Either the current convention must be improved in a way that attracts more signatories, or a new unifying treaty must be created.

Thus far, bilateral co-operation and regional agencies, such as the European Union Agency for Cybersecurity, have been used by countries to address cybercrime matters internationally. The United Nations Group of Government Experts tried in 2015 to establish an international governmental code of conduct for cyber norms, but failed to reach consensus by June 2017.

One way to generate more support for the group's agenda would be to grant it greater official status by adding it as a resolution in the UN General Assembly and allowing all permanent members of the Security Council to be involved in its construction. Despite a UN resolution being non-binding, it would be a step towards institutionalising cybersecurity standards.

Another suggestion for improving international cyber strategy is for the US and Russia to restart a dialogue. Both countries are crucial to global cyber policy and diplomacy, but disagreements between the two have escalated, manifesting most plainly in the accusations of Russian interference in the 2016 US presidential election.

Cyber rules between the two nations differ. The US is aligned with a group of countries arguing that international law applies fully to cyberspace, whereas Russia is aligned with another group demanding a new treaty tailored to this domain. Washington and Moscow could sign a pact similar to the US-China cyber economic-espionage agreement, which led to a significant drop in the number of China-based attacks on the US, while keeping open the channel for future cooperation.

Another idea could be to punish nations that refuse to co-operate in combating cybercrime through penalties such as travel bans, asset freezes, arms embargoes, capital restraints, foreign aid reductions and trade restrictions.

Other proposals include creating a separate independent institution such as an international cyber court that could adjudicate government-level cyber conflicts.

The long-term strategy should be to incorporate cybersecurity legislation into international law. Building better and more inclusive international ties is essential. Doing so will help establish best practice, enable better information sharing on cyber threats, expand and enhance cybercrime legislation, and improve law enforcement and judicial co-operation. If policy-makers fail to take concrete steps, the costs of cybercrime to the world economy will continue to spiral.

  • The writer is senior economist and head of fintech research at OMFIF