This article was written by Peter Bullock, Yonah Baker and Daniella Phair.
The Center for Strategic and International Studies (CSIS), a non-profit policy research organisation in the United States, estimates that the theft of data and other IP results in a global cost of between US$450 billion and US$600 billion each year.
To help counter this threat, the CSIS recently published a set of cybersecurity recommendations for the incoming Trump administration (CSIS Recommendations). In fact, cybersecurity issues were a recurring concern throughout the recent US presidential election campaign, and despite the CSIS recommending against a wholesale review, it was widely thought that on coming into power President Trump would sign an executive order mandating an immediate review of all US cyber defences and vulnerabilities. While no such order has yet been made, there is every likelihood that the Trump administration will give weight to the CSIS Recommendations, since Karen Evans, the co-chair of the recommendation taskforce, is a member of Trump's transition team.
Broadly, the CSIS Recommendations aim to streamline the US government's approach to cybersecurity and revise its international strategy to emphasise partnerships with like-minded nations, whilst deterring attackers. The CSIS considers that more government intervention is required to improve cybersecurity defences, as the private sector has so far not been able to effectively nullify cybersecurity threats on its own. The CSIS Recommendations are closely aligned with the Australian government's four-year cybersecurity strategy, released in early 2016, the Hong Kong Monetary Authority's Cybersecurity Fortification Initiative, and Singapore's impending Cybersecurity Bill.
What are some of the key CSIS Recommendations?
Key recommendations include:
- Implementing more effective deterrence measures:
The CSIS recommends streamlining the information sharing process between the US military (charged with defending the US from cyberattacks) and intelligence agencies. It also recommends the increased use of sanctions and indictments to deter international cyberattacks.
For example, in 2015 the US threatened to use a combination of sanctions to put financial pressure on China to force the Chinese government to clamp down on commercial espionage by Chinese companies. By contrast, Australia has adopted a less punitive approach, perhaps reflecting our less powerful economic influence and dependence on international trade. Australia has actively engaged with other nations across the Asia-Pacific region, including China and India, with the aim of taking a practical and cooperative approach to mitigating cybersecurity risks.
- Increasing collaboration between the public and private sectors on data protection issues:
The CSIS recommends treating protection of personal data as a cybersecurity issue, and that the public and private sectors should work together to develop an effective framework for safeguarding personal data.
In Australia, the Office of the Australian Information Commissioner has already published guidance for companies on how to combat cybersecurity risks. Consistent with the CSIS Recommendations, Australia's cyber security strategy also seeks to build cyber resilience in our economy through the development of national voluntary cyber security guidelines co-designed by public and private sector organisations. Both the CSIS and the Australian strategies also encourage the use of ethical hacking programs to expose cyber weaknesses.
- Promoting information exchange and creating greater transparency around cyberattacks:
As there is often a reluctance to release information following a cyberattack due to legal and reputational repercussions, the CSIS recommends creating a framework for liability-free and anonymous information sharing about cyberattacks. Notably, while there are mandatory data breach reporting laws in some US states, there is no consistent national regime in place.
Australia's cyber security strategy also places a heavy emphasis on the need for information sharing between the private and public sectors, and Australia is already in the process of making data breach notification mandatory. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was introduced into the House of Representatives at the end of last year, and is likely to be passed sometime this year as it has received broad bipartisan support. The Australian government has also flagged the possibility of targeted legislation for the telco sector to mandate information sharing on threats to national security, though these proposals have so far met with strong criticism from industry representatives about their uncertain scope and the broad coercive powers they would confer on government.
- Being more assertive about combatting cybercrime:
The Budapest Convention, which came into effect in 2004 and is the first international treaty addressing cybercrime, aims to harmonise the international approach to investigating and prosecuting cybercrime. However, it has not been adopted by key nations such as Russia, China and India whose nationals have allegedly been involved in cybercrime against the US and others. CSIS recommends imposing penalties on non-signatories to encourage adoption and renegotiating the Convention with input from more countries. Australia's cyber security strategy also strives for international harmonisation to prevent malicious cyber activity.
- Protecting the weakest link:
With increased interest and investment in the Internet of Things (IOT), the CSIS recommends encouraging consumer and business groups to collaborate to develop standards and principles for IOT security and to develop IOT cyber resilience frameworks. As with any network, the IOT is only as secure as its weakest link. Worryingly, a 2014 HP study found that 70% of common IOT devices had some sort of significant security vulnerability.
Australia's cybersecurity strategy also recognises the challenges and opportunities inherent in the IOT (which is predicted to have an economic impact of up to US$625 billion per year by 2030). Our strategy seeks to encourage collaboration between public and private sector leaders to elevate cybersecurity awareness in this area, both as a business risk that needs addressing and as a strategic opportunity that could be exploited (e.g. through the development of products and services for identifying and neutralising cybersecurity threats).
- Making structural changes to streamline cyber focus:
The CSIS recommends the White House create a new position of "cybersecurity coordinator" and appoint that person as an assistant to the President. Australia has taken a similar approach, with the Australian government appointing an Ambassador for Cyber Affairs to deal with international cyber affairs. The Australian government has also created a standalone cybersecurity cabinet portfolio.
To meet growing cybersecurity labour demands, the CSIS has also recommended that the President implement educational programs to increase the cybersecurity workforce. Australia is also looking to establish itself as a cybersecurity hub in the Asia-Pacific region, with the Australian government recently investing more than $30 million to establish a new industry-led growth centre to grow and strengthen Australia's cybersecurity industry.
What does the future hold for other countries?
There is no telling how Trump will choose to deal with the cybersecurity threats he is faced with. To date, CSIS and equivalent Australian agencies have charted a very similar approach to cybersecurity. Given this, any action taken by the Trump administration on cybersecurity is likely to be closely monitored by the Australian government and may influence future policy development in Australia. However, President Trump has already shown that he can be unpredictable, and it could also be that our strategies will diverge. One particularly interesting area to watch will be how the President deals with cyber threats from China, one of Australia's main trading partners in the Asia-Pacific region, and whether he takes a consistent approach to threats from other countries like Russia.
Irrespective of how things play out on the political stage, Australian businesses should be aware that the importance of having an effective strategy for mitigating cybersecurity threats will only increase into the future.
While the CSIS Recommendations repeatedly warn that, currently, only nation states are capable of launching true cyber attacks, and name North Korea, Russia, Iran and China as the US's chief "opponents", Hong Kong does not (at least openly) regard any of these regimes as opponents. Indeed, Hong Kong has for generations sought to eschew aggressive power play and concentrate on riding the free market. It comes as no surprise, therefore, that Hong Kong's response to cybersecurity is led by the financial services sector.
May 2016 saw the launch of the Hong Kong Monetary Authority's (HKMA) Cybersecurity Fortification Initiative to enhance cyber resilience in the banking sector. This consists of three pillars, which resonate with the CSIS Recommendations:
- the Cyber Resilience Assessment Framework is a risk-based framework for HKMA's Authorised Institutions to assess their own risk profiles;
- reflective of what is probably a worldwide shortage of cybersecurity professionals, there is a Professional Development Programme, alongside a vocational training institute, to increase the supply of qualified cyber professionals; and
- a Cyber Intelligence Sharing Platform, for dissemination of alerts or warnings within the financial services sector.
Cyber developments in Singapore perhaps more closely resemble the stance taken by CSIS. Singapore has historically felt somewhat dependent upon its neighbours for various basic necessities. CSIS writes "The most likely targets for actual attacks remain critical infrastructures – chief among them energy, telecommunications, finance, government services, and transportation."
This is mirrored by Singapore's Cybersecurity Bill (to be tabled in Parliament this year). This will require operators of Singapore's critical information infrastructure to secure that infrastructure and report cyber breaches, and will empower the Cyber Security Agency to manage cyber incidents and raise standards. This informs part of the "smart nation" vision to make Singapore a "Trusted and Robust Infocomm Hub" by 2018.