“If cyberattacks really pose a significant threat, governments need to start thinking of them like they think of other incidents in the physical world,” says a new policy paper from the Australian Strategic Policy Institute (ASPI).
“It is telling that Prime Minister Theresa May made public attribution of the Salisbury poisonings in a matter of days and followed up with consequences shortly thereafter. Her decisive action also helped galvanise an international coalition in a very short time frame,” it says. “Obviously that was a serious matter that required a speedy response, but the speed was also possible because government leaders are more used to dealing with physical world incidents. They still don’t understand the impact or importance of cyber events or have established processes to deal with them.”
The paper, titled Deterrence in cyberspace, was released on Friday. The author is Chris Painter, formerly the world’s first top cyber diplomat at the US State Department, now a Commissioner on the Global Commission for the Stability of Cyberspace (GCSC), and distinguished non-resident fellow at ASPI’s International Cyber Policy Centre (ICPC).
Painter notes that while there’s been progress in creating a set of cyberspace norms, or standards of behaviour, they mean little if there are no consequences for states that violate them. “This is as true in the cyber world as in the physical one. Inaction creates its own norm, or at least an expectation on the part of bad state actors that their activity is acceptable because there are no costs for their actions and no likely costs for future bad acts,” he writes.
Painter’s solution is to speed up the attribution of cyber attacks, name and shame as soon as possible, and create a credible response beyond that — ideally doing all of this as part of a collective multilateral action. “Although attribution is often achievable, even if difficult, it still seems to take far too long — at least for public announcements of state attribution,” he writes.
Delays can be due to the technical difficulty of gathering evidence, balancing the benefits of going public against the risk of compromising the “sources and methods” of intelligence gathering, and “the need to summon the political will to announce blame and take action”.
“All of these cycles need to be shortened,” Painter writes.