Growing digitalization in the industrial sector makes attacking critical infrastructure (CI) easy for cybercriminals. For example, ransomware attacks on critical sectors hit headlines in 2021. But what can we do about it? Can the international community cooperate across borders to respond fast and effectively?
I’ve written before on how the world could improve its cross-border firefighting. Now there’s a new UN cyber dialog with diplomats from 193 countries getting together to discuss using information and communication technologies (ICTs) for cyber stability, security and peace.
And we may now be a step closer to a solution. Kaspersky organized the workshop "One click to attack critical infrastructure: What can we do?" at the 2021 UN Internet Governance Forum (IGF) with experts from cyber diplomacy, cybersecurity research and incident response worldwide.
In the event of an attack, those affected look around for the right person to call. What can we do?
Many national perspectives
We looked at national approaches and existing good practice in critical infrastructure protection and heard how states implement the UN cyber agreements and critical infrastructure protection norms.
Germany: Cyber protection is a whole-of-society issue
Ambassador Regine Grienberger (@GERonCyber) of Germany’s Federal Foreign Office said Germany’s approach to critical infrastructure protection is whole-of-government and whole-of-society. Close public-private cooperation and the sharing of information and lessons learned are essential parts of it.
Ambassador Grienberger says, “In Germany, we’ve built a national framework for critical infrastructure protection, which is embedded in the legal framework at European Union level and complemented by our cooperation with our international partners. Lack of human resources remains a serious challenge. We need greater investments in cyber capacity building.”
Switzerland: Sharing responsibility
Daniel Klingele, Senior Advisor at Switzerland’s International Security Division of the Federal Department of Foreign Affairs, said the cost of regulatory action versus incentives, a decentralized structure of responsibilities and building an inventory of critical functions all guide their regulatory approach.
Mr. Klingele also thinks it’s important to focus on public-private partnerships to ensure a shared responsibility, but critical infrastructure operators must also understand their responsibilities to manage cyber risks.
Singapore: Three areas for international cooperation
Dan Yock Hau is Assistant Chief Executive for National Cyber Resilience at Singapore’s Cyber Security Agency.
Mr. Dan highlights three areas for international cooperation: consensus (states agreeing on ‘rules of the road’), collaboration (keeping the digital domain safe and secure through effective collaboration and partnerships) and capabilities (investing in capacity building to spearhead a systemic response to cybersecurity).
Mr. Dan believes governments should lead in strengthening cooperation because the weakest link can provide an entry point to a system and also pose a risk to other countries.
He says, “Cyber threats are not confined within geographical boundaries. Bilateral, multilateral cooperation are key to share timely information and respond to incidents swiftly.”
Australia: Mandatory reporting requirements for operators
Johanna Weaver (@_johannaweaver), Director of the Tech Policy Design Centre, Australian National University, highlighted that Australia’s new legislation outlines mandatory reporting requirements for critical infrastructure operators and extends government powers to take control of infrastructure if there’s a serious cyberattack.
Ms. Weaver says governments and the private sector must have regularly tested plans for effective incident response. “All states have now agreed they should protect critical infrastructure and they are not going to intentionally damage other states’ critical infrastructure using ICTs. But not enough countries are being transparent about the use and development of offensive cyber capabilities. Australia is among the few countries that publicly commit that we are not going to use these to damage other states’ critical infrastructure.”
A UN cyber emergency phonebook?
We also explored the idea of a UN ‘cyber emergency phonebook’ in our workshop. If an attacked state can’t respond and protect itself, who should it ask for help? And where a cyberattack affects critical infrastructure in several jurisdictions, how should cross-border cooperation happen?
Serge Droz, Board of Directors at Forum of Incident Response and Security Teams (FIRST), said most incident response teams run into limits handling incidents and don’t have access to infrastructure operated by third parties.
Mr. Droz says the international community should invest in developing trusted relationships, but trust is hard to institutionalize. Regular collaboration helps, and trust between individuals spreads further into teams.
Mr. Droz also highlighted the importance of neutrality in Computer Emergency Response Teams (CERTs). “CERTs’ key role is to respond to incidents. They shouldn’t be party to other activity like attribution or using offensive capabilities. Focusing on their role is key to ensuring their neutrality during a cyber emergency.”
Carmen Corbin, Head of Counter Cybercrime Programming for West and Central Africa, UN Global Programme on Cybercrime (UNODC), agreed with Mr. Droz and added that there is a need to keep an ongoing focus on capacity building and training in helping states be more effective in protecting critical infrastructure. “Experiencing cyber emergencies together helps experts and communities build closer and trusted relationships.”
Pierre Delcher, Senior Security Researcher at Kaspersky, said multiple factors trigger cooperation – like common values, shared commitments and compatible capabilities – but trust underpins it all. He believes continuous collaboration and experiencing common events develop trust.
“Cybersecurity incidents are usually global, but the response, almost never. Cross-border cooperation should bring better results,” says Mr. Delcher. “An emergency phonebook may be a good start. It could be done through existing cooperation mechanics.”
What should happen next?
We’re not alone in the wilderness when dealing with critical infrastructure incidents. Since 1998, states have talked about working with ICTs in the interests of peace and security. The new five-year-long round of the UN cyber dialog continues soon. Hopefully the international community will have new practical achievements even sooner.