Researchers call for a determined path to cybersecurity

Despite our continuous research efforts to detect cyberattacks and enable defense, we often feel that we, as members of a global community, are failing to achieve an adequate level of cybersecurity.

This is threatening the proper development and use of information technologies and digital assets, and as a consequence, most of society’s current and future activities, from entertainment to democratic processes, including business, healthcare and industrial production.

We believe that such a failure can be explained by a lack of global willpower, double-dealing activities, and the lack of global regulations. Here, we develop these hypotheses and outline ideas to advance cybersecurity.

What we do, and how it is failing

Kaspersky’s Global Research and Analysis Team (GReAT) is made up of cybersecurity researchers. Our shared capabilities and expertise stem from multifaceted individual experiences and perspectives that can always be traced back to strong technical backgrounds. Each and every day, our skills are focused on clear goals: to anticipate, discover, detect, track and report cyberattacks. But our activities and findings are, first and foremost, a contribution to a broader mission: to build a safer world. Since our inception more than a decade ago, we have worked very hard – from awareness raising and media interviews to embedded firmware reverse engineering, as well as incident-response support, vulnerabilities research, malicious infrastructure hunting, code similarity heuristics development, discovery of major threat actors or advanced malicious frameworks, open-sourced tools, specialized training and expert talks at world-class conferences. As far as our expertise is concerned, we believe that we provide beneficial results to our customers, partners and the global community. We know from previous collaboration and published content that our colleagues at government bodies, other cybersecurity providers and private companies work just as hard and achieve tremendous results as well.

Yet, somehow, we are still failing. Cyberattack numbers, whatever their impact, from digital activities to unwanted or disastrous effects, keep skyrocketing every year. Cybercrime has never been so prevalent and real, reaching every possible device, from IoT to supercomputers, as well as network routers, smartphones and personal computers. Cyberattacks have become a go-to companion, wherever there is malicious intent to tackle competition, hijack accounts, spy on a partner, persecute a minority, disrupt critical infrastructure, influence electoral processes, steal knowledge or obtain money. Cyber-based conflicts keep escalating, to the point where there is now a trend around the globe to proclaim that cyberwar capabilities are being developed, and kinetic force could be used as a response to cyberattacks whenever deemed fit. And ransomware or state-sponsored cyberattacks kept hitting hard even when we are all confronted with a pandemic.

Our hypotheses and beliefs

Why does all that outstanding technical effort, an abundance of cybersecurity solutions, highly skilled workforces, and decades of awareness raising fail to tackle cyberthreats? Although a lack of concern, specialized technical knowledge, skilled resources and training may have kept the defense a few steps behind for a while, we think these factors are no longer a major barrier. Instead, we believe that issues surrounding governance and a sense of responsibility are now what primarily prevent mission success.

A lack of global willpower and instruments

First of all, we believe that there is a lack of high-level global desire for cooperation and governance to properly tackle cyberattacks and protect what is at stake. We all agree that every human being should be guaranteed a minimum set of rights, that the development of nuclear warheads should be limited, if not outlawed, or that warfare should be regulated and overseen. These crucial safeguards to peace and freedom did not come about by chance; they came from political willpower, international cooperation, continuously improved governance and determined enforcement.

However, states have not agreed yet about a binding treaty or about how existing international law applies to keep our digital world at peace. There are regular examples demonstrating the major negative effects of cyberattacks on businesses, nations and citizens (or “civilians”), and there have been some initiatives to assess how international law would apply to cyber operations, to globally combat cybercrime, or to establish norms of responsible behavior in cyberspace for states. But these initiatives are not coordinated or global enough, they don’t actually come with the expected regulations, cooperation and clear instruments to increase stability in cyberspace.

Are we waiting for more dramatic effects than those already caused by cyberattacks and cybercrime to advance cybersecurity with strong governance and regulation instruments? We believe that, on top of the intrinsic complexity of international cooperation, a crucial lack of willpower from states is preventing substantial advancement on cybersecurity.

Double-dealing

We believe that lots of players are double-dealing in the digital age. Cyberattacks appear to be highly profitable in the short-term, as they allow attackers and their sponsors to quickly and stealthily gather foreign and domestic intelligence, make money, disrupt or deter third parties, gain a strategic advantage over competitors or in warfare, circumvent regulations, or efficiently disseminate information. As a bonus, these malicious activities have a low entry cost, are subject to no monitoring, and for the most part go unattributed (thanks to, amongst other things, complex digital layers, bulletproof services and factors limiting interstate police cooperation). Therefore, perpetrators do not have to take responsibility for their actions and go unpunished – even when they do get exposed. Due to these convenient “cyber features”, state or non-state actors might easily be tempted to publicly promote and even act in favor of a safer world, while making sure they can also benefit from offensive activities that remain undetected and go unpunished. Such activities also promote the public and private development of cyberweapons, mercenary services, criminal activities, and the monetization of vulnerabilities instead of responsible disclosure. All this, in turn, harms the efforts of cybersecurity and enables proliferation.

But that’s not all when it comes to double-dealing: government bodies dedicated to cybersecurity and non-state actors can even play this dangerous game to some extent. Cybersecurity threat intelligence and data are of topmost interest to national defense and security management, as well as very valuable to the competitive cybersecurity business. It is a vital asset to the economy, and for detecting or deterring strategic threats. As a result, threat intelligence may not be shared and actioned as easily and broadly as it should, in a common determined path to cybersecurity, but might rather be guarded jealously for private interests. Private companies such as Kaspersky, however, do their best to proactively share intelligence and insights on investigations to the community for free.

Existing regulations are not (global) enough

We also feel that achieving cybersecurity is not possible without a stronger sense of responsibility from all public and private actors that play a role in the development and operation of our global digital space. Governments have already gone some way to fostering this sense over the years by creating or strengthening regulations on personal data processing or protection for critical information systems. While this has been a significant advancement towards cybersecurity, it has unfortunately not been enough.

Most of the cyberattacks we face and analyze do not actually leverage sophisticated technical vulnerabilities or tools, because they don’t need to. It is often way too easy to access the devices and networks owned by a public or private organization because elementary cybersecurity measures are still not implemented, and because the organization’s very own digital assets are not clearly identified or not controlled sufficiently. Every organization that processes digital data of personal significance, or develops or operates digital services, starting with those that benefit us the most, or contribute to our most vital needs, including governments, should be required to implement and demonstrate elementary cybersecurity frameworks. The associated regulations should be global, because cyberspace and digital assets are shared amongst all users around the world. It may not be possible to become invulnerable, but making cyberattacks more costly for the attackers while protecting our digital world a little more is doable.

On top of the lack of preventive and protective measures from many public and private organizations, another responsibility issue is blocking the road to cybersecurity. Cyberattacks cannot be carried out without leveraging publicly available commercial services, such as content hosting, development, infrastructure provision and mercenary services. First, it would seem obvious that any private organization that purposely engages in cyberattack operations or cyberweapons development should have its activities limited by regulations, and controlled by an impartial third party, in order to ensure that malicious activities are constrained by design, and that cyberweapons do not proliferate. Also, in order to maintain peace in the cyberworld, it is critical that any organization whose services are demonstrated to be leveraged to carry out cyberattacks is required to cooperate with cybersecurity organizations designated by an impartial third party, to contribute to cybersecurity investigations and demonstrate efforts to continuously prevent the malicious use of exposed services.

Digital services and information technologies that unintentionally support malicious cyber activities are – most of the time – developed to bring sound and useful outcomes. However, and for decades, vulnerability disclosures and cyberattacks have demonstrated that some technologies or uses are flawed by design and can be exploited by malicious actors. We can probably collectively accept that when the first information technologies were developed and deployed, it wasn’t easy to anticipate malicious uses, which is why cybersecurity efforts only came afterwards. But it is no longer possible nor tolerable to develop, deploy and operate technologies and services that have a global use potential, while ignoring existing threats, and without making them secure by design. Yet, even more vulnerabilities and malicious uses affect relatively modern services and technologies, from IoT and artificial intelligence systems to cloud infrastructures, robotics and new mobile networks. In order to anticipate and prevent malicious exploitation of modern technologies as much as it is reasonably possible, we believe that transparent vulnerability management and disclosure practices need to be developed further by both state and non-state actors; and that technologies or services that are used globally should be assessed by a global community of experts more often.

Last but not least, we also think that more threats could be better anticipated in the future if future generations are globally and systematically educated on information technologies and cybersecurity, whatever their origin or path. This will contribute to a safer world.

Our call and plans

It is rather unusual for cybersecurity researchers and experts to write on governance matters. We don’t pretend that our hypotheses are the most suitable, or the most comprehensive. But we definitely feel concerned, and strongly believe that the points we have raised are obstructing a common path to cybersecurity. Furthermore, we are pleased to note that most of our hypothesis and beliefs are actually shared with many others, as demonstrated in 2020 Paris Call consultation key takeaways, or the latest reports from the UN’s OEWG on “developments in the field of information and telecommunications in the context of international security”, to which Kaspersky contributed.

We feel it is now a good time to send a call to all governments and international bodies (and ultimately any citizen) that aim for a safer world: we urge you to demonstrate more willpower, and a more determined approach to cybersecurity, by tackling the exposed causes of failure. We ask you to cooperatively choose the long-term peace of our common digital assets, over short-term nationalistic or private interests. We do our part, and we want our expert efforts to be transformed and developed further. We hope for a safer world, and a long-standing peaceful common digital space. We will never achieve this without determined leadership and a global change towards a better common behavior.

A cooperative and global governing instrument

We need strong political and technological leaders to drive governments and international bodies towards a cooperative, determined and fast-paced road to cybersecurity. In order to continuously rationalize efforts, share insights and thoughts, enable regulation, control and take global measures, we need them to build a dedicated, strong, permanent and focused international instrument.

We believe that such an instrument could be hosted by the UN, should seek to tackle the causes of the failures that we exposed, and should help governments to enforce regulations and cooperatively take measures when they are needed.

In order to ensure a cooperative approach by design, to consider the whole spectrum of what is at stake, and to truly take the transnational nature of cyberspace into consideration, we believe that such an instrument should guarantee a continuous dialogue with representatives of governments, the private sector, civil society and the technical community. This would enable the creation of cooperative task forces that would provide broad cybersecurity expertise and assessments on various matters, including preventive and protective cybersecurity measures, vulnerability research, incident response, attribution, regulation, law enforcement, security and risk assessment of modern technologies, and cyber capacity building. It would also ensure that most findings are shared across nations and among cybersecurity players.

This governing instrument should also be able to build norms and regulations, and a cooperative approach to control the attribution of cyberattacks and sanctions against non-compliant behavior or crime, risk analysis, capacity building, and education for cybersecurity.

A binding treaty of responsible behavior in cyberspace

Nearly two decades ago, the UN started to task groups of government experts (GGE) to anticipate international security developments in the field of IT, and to advance responsible state behavior in cyberspace. One of the most notable outcomes, despite GGE’s debatable results and limited reach, is the definition of 13 principles that constitute the norms of responsible behavior in cyberspace. But after more than a decade, these principles are non-binding, apply to governments only, and have only been endorsed on a voluntary basis. We believe this is not enough, and that it may reflect the lack of willpower and commitment from our governing leaders to cybersecurity.

We believe that the norms for responsible behavior in cyberspace should be further developed together with guidance on how these norms should be implemented, be better at including non-state actors such as the private sector, civil society and the technical community. After that they should become binding for the international community – if they remain voluntary, why should the bad guys care?

As far as private companies are concerned, the norm could set transparency and ethics baselines. We must not fail to mention Kaspersky’s own Global Transparency Initiative, which we truly believe to be a good source of inspiration for setting a number of private sector norms. This includes (but is not limited to) independent reviews of processes, security controls and software code, relocation of data processing, as well as the ability for trusted partners, customers and government stakeholders to directly access and check software code or threat detection rules. A code of ethics or ethics principles, from the “FIRST” international CSIRTs community or from Kaspersky, that tackle the responsible disclosure of security vulnerabilities, could also be leveraged as inspiration for private company norms.

Global regulations and shared means for cybersecurity

In order to tackle residual double-dealing issues and regulation needs that we exposed in our hypotheses, the global governing instrument or guidance should build and support further common regulations, on top of the previously mentioned norms of behavior. Such global regulations would ensure a consistent baseline of security requirements, to prevent proliferation of cyberweapons, prevent and firmly condemn cyberattacks, implement cybersecurity controls, foster responsibility and facilitate cooperation. How, where, and under which terms this governing instrument or guidance can be established should be a discussion for both state and non-state actors to ensure that we all fully recognize our responsibility to keep the digital space secure.

Conclusion

We deal with cyberattacks of all kinds every day and monitor their context from various sources. Over the years, we have seen more and more malicious activities from more and more actors, but global cybersecurity has reached a ceiling, and it appears that the potential for cyber-based conflicts is still growing. During the COVID-19 pandemic we have once again observed just how vital information technologies and digital assets are to democracy, the economy, the development of society, security and entertainment.

We believe that now is still a good time for world leaders, international and regional organizations, the private sector, the technical community and civil society to collaborate on achieving long-term peace in cyberspace rather than focusing on the short-term interests of individual countries or private organizations.