
Private sector over-investing against nation-state attacks

The creator of a routing technique that protects the domain name system says the money spent on guarding against nation-state actors could have been better used for other purposes

Nation states that conduct cyber operations against private companies in a bid to compromise military and government targets are costing huge sums of money that could have been better spent on making the internet better, faster and available to more people, it has been claimed.

“We are all spending a lot of money trying to defend ourselves against attacks that are conducted using tax money that we are paying to our governments,” said Bill Woodcock, executive director of Packet Clearing House, a non-governmental organisation that builds and supports critical internet infrastructure, at Black Hat Asia 2018 in Singapore this week.

Pointing to examples including the alleged US and Israeli attack on Iran’s Natanz nuclear enrichment complex, whose malware was signed with code-signing certificates stolen from Taiwan’s JMicron Technology and RealTek Semiconductor, Woodcock said state-sponsored attacks are here to stay.

He said this is because governments that launch cyber attacks against other countries care little about collateral damage, and this is not something that citizens have a say in. As a result, Packet Clearing House has had to overbuild critical internet infrastructure to defend against cyber attacks from nation states.

“We could be providing services in 1,000 times as many more locations, operating name servers in more cities… and addressing the digital divide more successfully,” he said. “Instead, we are building things way bigger than they need to be to provide an actual service at a huge cost.

“Enterprises would also have to invest in cyber insurance policies to cover their losses, and while they balance out the investment ratios, they are still over-investing against these attacks with money they could be putting into other things.”

Woodcock, who developed the anycast routing technique that protects the domain name system, sits on the Global Commission on the Stability of Cyberspace (GCSC), a 25-member group that hopes to stop state-sponsored attacks against critical internet infrastructure. The commission was formed after unsuccessful efforts by Russia, starting in 1998, to push for a United Nations treaty to deter cyber aggression by nation states.

“When you look at how these treaties work, there are two problems,” he said. “One, the language is always carefully crafted to institutionalise the status quo that what is happening now is the default, and that we shouldn’t expect to do better. The other problem is that many countries happily sign treaties that they do not abide by themselves.”

With the US, China, Russia, Israel and Iran valuing their ability to attack targets on the internet more than the safety and economic stability of the internet, treaties that curtail those countries’ ability to conduct offensive operations will not work, said Woodcock.


Rather than take a treaty-based approach, the GCSC, whose key partners are the governments of The Netherlands, France and Singapore, along with the Internet Society and Microsoft, has formed two working groups. One develops cyber norms that describe practices and behaviour that constitute non-aggression in cyber space by governments against the private sector, and the other group defines the parts of critical internet infrastructure that nation-state actors should steer clear of.

The GCSC commissioners, comprising mostly diplomats, met in November 2017 in New Delhi, India, and composed a one-page document on cyber norms, but time ran out before they could work on the critical internet infrastructure portion.

The group has already developed a list of core internet functions that it thinks nation states should not attack. Broadly, these cover packet routing and forwarding, naming and numbering systems, cryptographic mechanisms of authentication and privacy, and physical transmission.

However, Woodcock said the GCSC has not formalised the list into an official document, and called for cyber security practitioners to identify other systems that should also be included on the list. “We have a three-year scope for the GCSC, and we are just past one year now,” he said. “The cyber norms got done very well by diplomatic standards, so there is no reason why this can’t be incorporated quickly.”
