Where is the Upton Sinclair for cybersecurity?
The drumroll of ransomware attacks featured on the evening news, such as the recent Kaseya incident or the Colonial Pipeline incident in the US, has brought the issue further into the public’s awareness. Cyberattacks have become increasingly commonplace as modern organizations become more dependent on technology. Technology is both our greatest strength and our Achilles’ heel. Wars, theft and even murder are more easily conducted remotely through technology.
Taking remote control of someone’s self-driving car from a secluded island in the middle of the Pacific Ocean is far less likely to face prosecution than turning up at someone’s door with a baseball bat. A lack of international cooperation, and an inability to attribute attacks to the source, results in criminals not facing the proper repercussions. That, coupled with massive payouts, are encouraging existing cybercriminals to escalate and creating copycats. DarkSide, the attackers involved in the pipeline attack, faced no criminal charges, though it is believed that US authorities managed to compromise the Bitcoin wallet and reduce some of their gains. Payouts for high-profile ransomware attacks are commonly lucrative, drawing very talented individuals. Some of these criminal organizations even have annual conferences, run training courses and supply ransomware software to criminal organizations.
The first question that arises as ransomware is featured almost weekly in the news is what role do governments have in protecting their citizens and businesses? At what point does a cyberattack become a nation-state attack? We know groups such as DarkSide reportedly check if the keyboard is Russian and, if so, the ransomware software will not become active. One could guess that the reason for DarkSide’s ransomware software checking what language the keyboard is in is to prevent angering authorities in its home country. As long as nations keep shielding cybercriminals or do not update their legal systems to even recognize that a given cyber activity is criminal, the cyberthreat landscape will be akin to the “Wild West.”
In my country, the United States, we see this happening. There’s an increase of cybercriminal activities, ransoms being demanded and critical targets being aimed at. Without repercussions, we can guess that this will only grow. Each business becomes responsible for its security and there’s no unity of command. All the oars need to move in the same direction to steer businesses safely and securely and yet we have no single entity navigating the ship of digital commerce. Legal authority and public pressure are virtually nonexistent. Although the US government appears to be stepping up its efforts, we still have to rely on each business to do the right thing. This is like building a million little forts, with each fort acting as its own island. We are not linking arms to create a global approach. Without enforcement in a complex, interconnected world, we are at risk from our supply chain as much as from our own lack of cyber hygiene. Perpetrators of cybercrime and their victims can be in different regions, and its effects can ripple through societies around the world, highlighting the need to mount an urgent, coordinated international response. The current global state of cyber legislation is maintained by the UN here.
According to the United Nations Office on Drugs and Crime, there is no international definition of cybercrime nor cyberattacks. Cybercriminals often locate in countries that are least likely to take punitive action. Most countries struggle with creating a mandate around cybersecurity in the same way that we have regulation around food safety. A large part of this can be attributed to a lack of global cooperation. The fact that cybercrime and sovereignty violations through cyber actions do not have a UN dedicated office, but rather falls into the general area of the UN office for drugs and crimes, shows that even the UN is failing to understand that cyber needs to have its own dedicated reporting chain. In May 2021, the resolution Countering the use of information and communications technologies for criminal purposes, proposed by Russia, was adopted unanimously by UN members following intensive discussion and three approved amendments. The UN has a target of creating an international cybercrime treaty by 2023.
The US formed The Cybersecurity and Infrastructure Security Agency (CISA), whose mission is to promote a cohesive effort between government and industry that will improve CISA’s ability to anticipate, prioritize and manage national-level ICS risk. CISA was a step in the right direction and may be a model that should be mirrored by other nations struggling with cybercrime, but some fundamental challenges may hamper CISA’s ability to protect US industry that other nations should pay attention to. CISA does provide best practices around information security but there is a dearth of information sharing. CISA also doesn’t have the power to enforce cybersecurity standards. Without enforcement, it is reasonable to question to what extent CISA can successfully protect national security.
CISA, much like an organization’s CISO, needs to be directly reporting to the highest level. There currently is no direct reporting line from CISA to the president. CISA is instead part of the Department of Homeland Security, and DHS has a large portfolio, so cybersecurity is seen as just one of many priorities. Ideally, countries around the world can learn from CISA’s challenges and their battles against cybercrime will be better supported by the creation of government agencies with a sole focus on cybersecurity that directly advises the government and has the authority to give liability protection to private industry, leveraging tools and capabilities of the intelligence agencies.
Finally, the conflict between government and citizens’ need for privacy is preventing the further global empowerment of cybersecurity enforcement agencies. Cybercrime-related legislation often involves increased internet surveillance or increased wiretapping powers. The fear that governments will collect data under the broad umbrella of tracking criminals, which could potentially be leveraged instead for political gain and oppression, is a grave concern. Human rights organizations have highlighted concerns around cybercrime legislation and its impact on citizens’ privacy.
To come full circle in this blog post, you may wonder who Upton Sinclair is and why we need the next Upton to rescue us from our current cyber pains. It was Sinclair’s sensational story, “The Jungle,” that stoked public outrage and drove President Theodore Roosevelt to push through the Meat Inspection Act and Pure Food and Drug Act in 1906. These two laws are the basis for today’s regulation of the food industry by the FDA and USDA. The public fear created by Sinclair’s exposé on the violations around food safety created laws that enforced the standards needed to protect consumers. Businesses were shut down if they didn’t have sufficient standards in place to ensure that their products were sanitary. At what point will be public become fearful and angry enough that enforcement of cybersecurity standards will become as commonplace as the enforcement of workplace safety or food safety? Without public outrage, cybersecurity standards will never be sufficiently enforced, and without this enforcement, ransomware perpetrators and other cybercriminals will continue to wreak havoc on all of us.