Critical national infrastructure is no longer custom-built but uses off-the-shelf products and is often connected to the Internet to take advantage of the latest innovations. This exposes nations, corporations and individuals to cybercriminality and cyberterrorism that could paralyze countries and threaten the entire global economy.

  • Tackling cybercrime is complicated by:
    • Anonymity of internet users leads to lack of accountability and difficulty in attribution for online actions.
    • Cyberattackers can be governments, terrorists, criminals, hacktivists or random individuals. Locating or understanding the motivation of attackers is difficult.
    • Cyberspace is borderless and timeless: attacks can happen in nanoseconds and across jurisdictions, making legal measures difficult.
    • No single superpower can regulate a cyberwar in a flat, open IP world: any individual can attack, not just a limited pool of experts; any state can be attacked.
    • Proliferation of cyberweapons, as software and source code are easy to replicate and reproduce; danger of governments stockpiling an arsenal of cyberweapons.
    • Swift and continual evolution of malware and cyberweapons, which can be reused and recycled; there is always someone else going one stage further.
    • Private sector companies heavily involved in provision and operation of critical infrastructure to governments. Cybersecurity needs to be integrated into e-government projects.
    • Law enforcement is ineffective: cybercriminals perceive the risks to be low.
  • Cyberhygiene – effective basic maintenance and good practice – could thwart the vast majority of cyberthreats:
    • Good practice and processes including simple password policies, installing patches, updating scanners and firewalls can make an enormous difference.
    • Invest in maintenance, regular updates and proper management. Updates are very often not implemented for many months.
    • Secure all software suppliers.
    • Then focus resources on the small number of high-end, innovative cyberattackers posing a persistent threat to national critical infrastructure.
  • Balance security, investigating crime and law enforcement against protecting human rights, privacy, and freedom online. Different countries have widely-differing attitudes to online freedom of speech and national security, with the potential for malicious government use of malware.
  • A meaningful cybersecurity response calls for international cooperation and coordination, given the mutual dependence and interconnectivity of cyberspace:
    • Multi-stakeholder, decentralized dialogue vital given irredeemable link between government and private sector.
    • Share knowledge and cooperate on new malware, technologies, research and ideas; share best practice, cooperating as social responsibility.
    • Develop international normative behaviour standards around critical infrastructure and response to threat.
    • Define frameworks of who, how and when to contact for immediate and timely sharing of information within organizations and internationally; agree on a procedure for mandatory reporting of attacks on critical infrastructure.
    • International consensus (and treaty?) on non-use and non-proliferation of cyberweapons; win the war by avoiding the war.
    • Establish personal trust between key players in government, technology, private security sector; create climate of cyberconfidence.
  • The international community is only as strong as its weakest link, which is often in emerging markets where resources, capacity, legal and technical training are more limited.
    • To avoid creating a security divide or safe havens for cybercrime, build capacity in a rational strategy for collective defence.
    • Provide financial instruments for public and private sector investment in law enforcement and training in developing nations.
    • Multinationals for whom emerging markets are increasingly important spaces should dedicate corporate social responsibility budgets to establishing cybersecurity capacity.
    • Find an effective mechanism to bring together and operate government funding at national, regional and international levels.
  • Encouraging disclosure of major incidents to enable timely information-sharing:
    • Private companies responsible for providing critical infrastructure services fear that disclosing weakness will cost them investor confidence and damage their public image.
    • Force disclosure to trusted third party through contractual clause.
    • Global policy of mandatory reporting.
    • Create trust frameworks with law enforcement agencies or platforms to drive disclosure.
  • Swiftly establish internationally-accepted definitions as basic shared language using lowest common denominator. Define legally what constitutes cyberweapons and cyberterrorism; national critical infrastructure (NCI); strategic threats; laws, rights, duties and penalties for public, corporate and individual stakeholders; code of conduct and key principles around NCI and cybercrime.
  • Redesign software operating systems to incorporate sophisticated security features, prevention and resilience in the event of attack. Establish international standards and a checklist of effective security software and updates.
  • Cyberattacks are ultimately conducted by humans. Monitor for anomalies of behaviour and errors to forestall attack.