Cyber strategies, policies and practices

Today’s computer networks require governments to maintain a robust defense plan on pace with cyberspace evolution


The rapid development and spread of the internet of things — so-called smart devices enabled to collect and exchange data — and technology create the unavoidable need for policymakers and digital security experts to adapt to an ever-changing environment. Doing so means remaining flexible in creating cyber strategies to deter potential foes, defend critical infrastructures and adjust tactics when unique threats arise.

“Securing our cyberspace … requires us to have a better situational awareness of our overall cyber environment,” Dr. Yaacob Ibrahim, the Singaporean minister for communications and information and minister-in-charge of cybersecurity, said during the Association of Southeast Asian Nations (ASEAN) Ministerial Conference on Cyberspace in October 2016. “This is key to improving our collective cyber hygiene, as we can better direct our prevention and remediation efforts when we know where we are vulnerable and where there may be suspicious cyber activities.”

The 10 member states of ASEAN — Brunei, Burma, Cambodia, Indonesia, Laos, Malaysia, the Philippines, Singapore, Thailand and Vietnam — remain keen on a comprehensive strategy, having launched in April 2017 the ASEAN Cyber Capacity Programme (ACCP). Its main objectives include raising awareness and fostering deeper regional discussions on cyber norms, enhancing regional coordination of capacity building and incident response by developing metrics to assess effectiveness in these areas, building regional capacity in strategy development and cyber legislation and contributing to global efforts to develop a set of cyber security internet of things standards.

“Countries today face a full spectrum of cyber threats — cyber crime, attacks, espionage and other malicious activities,” Ibrahim said. “We in ASEAN have not been immune to this. … Southeast Asian governments are more likely to be the target of a cyber attack than other organizations in the region, and advanced persistent threats remain one of our biggest threats.”

Attacks could range from financial to data theft, reputational damage or disruption to critical information infrastructure. Any of these could harm economies and societies.

These risks reinforced the need for ASEAN to establish the ACCP. Among the ACCP’s goals: Create a secure and resilient cyberspace that enables economic progress and better living standards.

Regardless of the assessment, that’s no small feat. Malware, for example, presents itself like any other business. Cyber threat groups compete and innovate. The most successful grow and spread.

International initiatives

Globally, cyber crime costs about U.S. $3 trillion a year, according to Keshav Dhakad, regional director for Microsoft Asia’s Digital Crimes Unit. A survey revealed that 71 percent of interviewed companies admitted to falling victim to cyber attacks in 2015, according to Dhakad. The potential risk for more victimization will only increase because of the sheer volume of users.

The Indo-Pacific, for example, will grow to roughly 4.7 billion internet users by 2025, with nearly half of those gaining access between 2012 and 2025, according to a Microsoft Cyber 2025 Model.

“Cyber security cannot be a piecemeal effort, and each organization must have a 360-degree security framework,” Dhakad said. “This includes having a comprehensive protect, detect, respond posture and commensurate investments and resources, coupled with regular assessment and review of its cyber security practices to protect its identity, data, apps, devices and infrastructure.”

Few treaties exist that directly deal with cyber operations. Those that do have a limited scope.

A man is reflected on the electronic board of a securities firm in Tokyo. Governments worry that a cyber attack could cripple financial systems. [THE ASSOCIATED PRESS]

This lack of cyber-specific international law, however, does not mean that cyber operations exist in a world with disregard for rules and regulations. In fact, cyber experts gather often to tweak agreements, suggest new guidelines as the space evolves and maintain forums where governments and experts can collaborate and expand commerce.

“A secure and resilient cyberspace is an enabler of economic progress and better living standards,” according to ASEAN cyber program documents. “States can contribute to the security and resilience of cyberspace by adhering to well-defined and practical voluntary norms of behavior that are supported by robust confidence-building measures.”

Public and private actors in the cyber realm gather often to foster support and confidence building. One such gathering took place at the Center for Strategic and International Studies (CSIS) in Washington, D.C., in March 2017. During the daylong Cyber Disrupt Summit — the first hosted by CSIS — experts and government officials assessed the evolving international security environment and offered potential responses to increased hostilities in cyberspace.

Thomas Bossert, assistant to U.S. President Donald Trump for homeland security and counterterrorism, detailed lessons on cyber the United States has learned in the past decade and offered insight on emerging U.S. policy. One of Bossert’s most important messages was that countries — as well as corporate and individual actors — recognize norms when operating in the cyber realm.

“Norms are important. They are our statement, as a country, that we have a certain expectation for how people will behave themselves on an open, interoperable platform that allows for innovation, free trade, fair trade and other things that we think are important to our societal organization [and] socio-economic organization,” Bossert said. “You start by candidly telling other countries how we expect them to behave and how we promise to behave in return. And if they accept those norms and then fail to abide by them, we have a responsibility to call them out on it, and we have a responsibility to do something about it.”

The cyber threat to U.S. critical infrastructure has outpaced efforts to reduce pervasive vulnerabilities, according to a February 2017 report by the U.S. Department of Defense Science Board Task Force on Cyber Deterrence.

“For the next decade at least, the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries,” Craig Fields, Defense Science Board (DSB) chairman, wrote in the report, acknowledging the need for a “more proactive and systematic approach” to cyber deterrence.

Foremost, not all cyber attacks can be deterred, the DSB report noted.

“As one important example, even the certain promise of severe punishment may not deter terrorist groups bent on wreaking havoc on the United States and our allies,” the DSB report said. “As a second and quite different example, if the United States were in a major war with another nation, we should not expect to be able to deter even debilitating cyber attacks on U.S. military capabilities that produced little or no collateral damage to civilian society.”

The DSB report defined cyber deterrence as the use of both deterrence by denial and deterrence by cost imposition to convince adversaries not to conduct cyber attacks or costly cyber intrusions. The U.S., in some instances, extends its deterrence practices to protect allies and partners.

Anti-cyber war force police officers march during a National Day parade in Vietnam. As a member of the Association of Southeast Asian Nations, Vietnam is cooperating with other member states on cyber security. [REUTERS]

“Just as cyber is a relatively new domain, cyber deterrence is a relatively new endeavor. For the most part, to date the United States has been establishing its cyber deterrence posture step-by-step, in response to attacks,” according to the DSB report. “Although the United States responded with diplomatic moves and economic sanctions to North Korea’s Sony hack, China’s IP theft and Russia’s meddling in U.S. elections, it is far from clear that such responses have established effective deterrence of future cyber attacks and costly cyber intrusions.”

Defensive practices

A strong information technology (IT) and “internet hygiene” process provides the foundation for a robust cyber security posture, according to Dhakad. He recommends that organizations develop an “assume breach” posture, which deploys an active defense strategy and investments in identifying vulnerabilities to avoid a reactive situation.

Leaders in ASEAN agree that the ever-expanding realm of cyber requires conversations to avoid digital conflict.

“It is timely for ASEAN to start our dialogue on cyber norms. Global discussions on cyber norms have kicked off in the last decade, catalyzed by platforms such as the United Nations Group of Governmental Experts,” Ibrahim said during the ASEAN cyber gathering in October 2016. “While staying plugged in to the global conversations, we should also make sure that norms and behaviors are kept relevant and applicable to our unique ASEAN context and cultures. This ASEAN perspective can be our joint contribution to global conversations.”

Internal conversations by governments should also include a checklist for ensuring a vigorous cyber security posture that can withstand and respond effectively to cyber attacks and malware infections. Dhakad offered these recommendations:

•  Keep your house in order. The question is not whether cyber criminals are going to attack, it’s just a matter of when. That said, the usage of IT assets that are old, unprotected or nongenuine in nature substantially increases the chances for a cyber attack. For example, pirated and counterfeit software are known to come with embedded malware infections. The case for having a strong IT (software and hardware) asset procurement, usage, maintenance and periodic upgradation is more critical than ever before.

•  Start from within. Poor cyber hygiene of IT users, negligent employee behavior or weak credentials/password protection within an organization adds a high degree of vulnerability for system compromise. With more and more personal devices being used at the workplace, the chance is higher that they are infected, including unprotected interconnected devices (internet of things), which can be easy targets for cyber criminals to inflict damage.

•  Monitor all systems in real time. Invest in modern threat protection technologies to monitor, detect and remove common and advanced cyber threats in real time, and develop in-house expertise to undertake threat analytics. Some studies have suggested that the average time to discover a cyber threat from the time of infiltration in the Indo-Pacific is 510-plus days, which far exceeds the global average rate of 140-200 days.

•  Maintain a trusted IT supply chain and regular review. Only use genuine, current and updated software. Have a trusted supply chain across software, hardware and the internet of things. Bring your own device and regularly review and assess cyber security investments and performance of both software and hardware deployment, including customer and vendor access to the corporate/government network.

Momentum continues to build as conversations expand on cyber security. For example, a bill introduced in the U.S. Congress in May 2017 (and still pending approval when FORUM went to press) aims to help the Indo-Pacific increase cyber cooperation with allies. If passed, it would authorize U.S. $2.1 billion for security initiatives in the region.

“No one needs reminding of the escalating tensions in the Asia-Pacific,” U.S. House Armed Services Committee Chairman Rep. Mac Thornberry, who introduced the bill, said in a prepared statement, according to The Hill. “It is essential that the United States reassure our allies and friends that we are committed to stability and security in that region now and in the future. One of the best ways to do that is to increase our military presence and enhance our readiness there. To do that, we need to invest in a broad range of defense capabilities, and this legislation does just that.”

Australia boosts cyber crime cooperation with Asian allies

The Associated Press

Australia is intensifying cooperation with its Asian neighbors on cyber crime amid growing criminal threats and the need to boost regional commercial security.

The agreement, signed in Bangkok in June 2017, means Australia is now working in tandem with Thailand, Singapore and China on issues of cyber crime and security. Australian Ambassador for Cyber Affairs Tobias Feakin said cooperation was vital in the face of growing challenges posed by cyber-criminal networks in the Indo-Pacific.

“Criminals and nefarious actors can adapt and absorb all [this information] so much quicker than governments,” Feakin said. “So if we’re not talking about it, sharing best practices and keeping on the move as well, then we will soon find ourselves behind by quite a margin.”

Feakin held talks with senior leaders of the Thai Royal Police and with national security and foreign affairs officials, with Australia to provide support in cyber crime digital forensic development.

Tobias Feakin, Australian ambassador for cyber affairs, bottom left, signs a memorandum of understanding with David Koh, chief executive of Singapore’s Cyber Security Agency, as Australian Prime Minister Malcolm Turnbull, top left, and Singapore’s Prime Minister Lee Hsien Loong, top right, look on in June 2017. [THE ASSOCIATED PRESS]

Australia already cooperates with Thailand through the Royal Thai Police and Office of Narcotics Control Board, based on threats by transnational criminals, including Australian biker gangs linked to drug trafficking of amphetamine-type stimulants into Australia. Thailand is also a base for securities fraud operators, known as boiler room share scams, where foreign expatriates, including British and American, target Australian and New Zealand investors with fake online investments.

Feakin said cooperation was directed to “upskilling the digital forensics capability of the Royal Thai Police” to ensure evidence was credible when presented at court. “To get the evidence, how you secure it, to a degree that it is admissible in a court and then, what is your investigative processes to actually try and find the individual or group who may be responsible,” he said.

Officials said support to Thai police was a “cornerstone of digital forensics about capturing electronic evidence on various devices, how to process and extract data.” They said transnational crime investigations increasingly centered on the use of digital media for communications and storing of information by organized crime gangs. The agreement with Thailand comes after the signing of a pact between Australia and Singapore on cyber security, including information sharing, training and joint exercises in safeguarding critical information infrastructure.

In April 2017, an agreement with China enhanced cyber security cooperation, after Australia pressed China on issues of cyber-enabled intellectual property theft.

“What you saw through the agreement that we signed with China was an acknowledgement that it needs to be a key part of discussions together,” Feakin said. “China is a huge economic partner. There are some [common] areas, there are some differences. That we got to a point of signing an agreement which said we agree to not conduct cyber-enabled intellectual property theft — I think it’s a good point.”