From cybersecurity to cyber defense?

Anastasiya Kazakova, CEO Projects Coordinator

For the last several years, cybersecurity has become “topic du jour” for almost everyone: for companies as they need to protect their facilities and assets; for individuals as they seek protection for their mobile devices, banking accounts, personal data etc.; and, of course, for governments where most of them are now on the verge of critical re-thinking of what cyberspace is and which threats/advantages it creates.

As a result, 2017-2018 have become the years when states, one by one, adopt new laws, strategies allowing to enhance cybersecurity and critical infrastructure protection as well as stress on bigger spending in a bid to become more resilient and cyber secure. Not surprisingly, such a trend in policy-making eventually ends with an idea of greater cyber defense capacities as a response to even more complicated threat landscape. Just to illustrate, there are several examples: 2018 French Strategic Review of Cyber defense; goals of the EU Common Security and Defence Policy and announced €13 billion budget for the European Defence Fund; the UK Cyber Security Capacity Building Programme along with Theresa May’s outlined priorities in the national security such as cyber warfare, intelligence-gathering and special forces; 2018 NATO Brussels Summit Declaration which announced NATO’s willingness to implement the Cyber Defence Pledge fully.

The most interesting issue raised in many of those discussions is the importance of cyber attacks attribution (e.g. 2018 European Commission Joint Communication), though this is not an easy task – states are not always ready to publicly attribute cyberattacks to particular actors due to diplomatic and technical challenges (attribution and investigation takes much time and requires profound technical expertise).

In May 2018, Kaspersky, among the others, took part in the hearing of the Parliamentary committee on cyber defense in the National Assembly (France) where was asked about ideas of protecting critical networks and tools to avoid cyber attacks. The published report covers problems of methodology and definition of both cyber defense and cybersecurity; describes cybersecurity governing structures in key countries and explains the French model of cyber protection. At the end, the report lists several recommendations:

To develop a “cyber” law covering the whole range of issues and actors;
To create national and European sovereign storage spaces to store sensitive data in territories under national or European jurisdiction;
To develop bug bounties programs for public authorities;
To support the development of cryptography and encryption and invest in the development of “cyber-offensive” solutions;
To increase budget and human resources of ANSSI;
To crease a Cyber Defence School to develop a shared culture among the different actors in the cyber chain etc.

Reading this and similar policy papers, we would like to urge states from adopting protectionist measures and “playing geopolitics” in cyberspace as it would weaken cybersecurity for everyone. Eugene explained it before, we will repeat - geopolitics in cyberspace will lead to creation of “national providers” as we clearly need a vendor that protects against all cyberthreats – regardless of their origin, language or purpose. Besides, harsh protectionist cyber-offensive policies will severely impact the international cooperation and, thus, cybersecurity.

What is essential instead for greater cybersecurity is trust, transparency and openness which practically imply vulnerability disclosure programs and legal protection for security researchers which identify them; greater investment in cyber skills and cyber hygiene among citizens; dialogue with industry and security providers and a larger number of public-private partnerships (PPPs) in cybersecurity.

Kaspersky is one of those vendors who sets the trend – in 2017, we announced our Global Transparency Initiative to engage the broader information security community and other stakeholders in validating and verifying the trustworthiness of our products and business operations (practically, this year we’re opening the first Transparency Center in Zurich – a separate facility where governments and other stakeholders will get access to Kaspersky source code, software updates and threat detection rules).

So, we expect to see more attempts to regulate cyberspace, but, at the same time, hope that governments will do policy-making cautiously and reasonably. Meanwhile, we continue doing our job – to protect the world from cyber threats.