Nation states need faster and more effective ‘consequences’ for those launching cyber attacks against them, former US State Department lead cyber diplomat Chris Painter said today.
Painter, who previously served in the White House as the National Security Council senior director for cybersecurity, said the public and private sectors need to “think creatively” about what tools can be used in response to “bad actors”.
“In the nation state realm we don’t really do consequences very well. My worry with that is if you don’t take action, swift action, you create an expectation, a norm, that whenever that bad action is done it’s acceptable,” Painter said at an Australian Information Security Association event in Sydney today.
“That’s bad for all of us in the long term. So how can we up our game with deterrents? Can we think of deterrent tools – consequences – we can bring that are short term, but cause pain and are reversible, so if you change your action we can pull it?”
While some of those consequences could be within the cyber realm – a ‘hack back’ – there were also diplomatic and economic deterrents that could and should be used, Painter said.
Painter was with the State Department when Sony Pictures was hacked in 2014, resulting in the theft of terabytes of sensitive documents, including a salary spreadsheet for 6000 employees, internal emails, pre-release copies of films and vast amounts of personnel data. It also broke thousands of the organisation's computers by using a destructive type of malicious software that wipes files.
After a two-week investigation the US Federal Bureau of Investigation, in a relatively rare move, claimed publicly that North Korea was responsible for the incident.
The following month, then-US President Barack Obama authorised new economic sanctions against people and organisations linked to the rogue state.
“[But] it’s a limited tool set. It means we need to figure out more creatively what other tools are out there. We have to come up with better consequences,” Painter said.
In all cyber attacks, attribution can be a problem, he continued.
“When the North Korea Sony attack happened, we knew it was North Korea. And everyone knew it was North Korea before we said it was. And then when we said it was, everyone said it wasn’t! We revealed some of why we knew. But we did not reveal everything. No government ever will,” he said.
But governments shouldn’t be too hung up on proving responsibility, Painter added.
“As a criminal prosecutor you have to prove beyond reasonable doubt. That doesn’t mean no doubt. It’s a high standard but it’s not absolute,” said Painter, who as an Assistant US Attorney prosecuted famed hacker Kevin Mitnick.
“When a country looks at all the evidence and makes an attribution decision – whether they do publicly or not – that’s a political decision,” he said. “What’s the right level depends on the circumstance.
“You don’t want to be wrong obviously. But you don’t want to be so hamstrung that you end up responding to something a year later. Because that is not a deterrent. A deterrent is timely and it’s credible. And a year later it’s not.”
Last week, the Australian government launched its first International Cyber Engagement Strategy, in which it recognised that states have “legitimate rights to develop and use cyber capabilities” but urged they be used in accordance with international law and norms of acceptable behaviour.
The document says Australia has the capability to attribute malicious cyber activity to "several levels of granularity" down to specific states and individuals.
If hit by malicious cyber activity, the strategy explains that Australia could respond with “law enforcement or diplomatic, economic or military measures”, which could include “offensive cyber capabilities that disrupt, deny or degrade the computers or computer networks of adversaries”.
This week it was revealed a hacker exfiltrated non-classified information about Australia's Joint Strike Fighter programme and other military hardware last year.
Government agency the Australian Cyber Security Centre said the attack on the defence contractor was carried out by a "malicious cyber adversary".
Speaking on ABC Radio, Minister for Defence Industry Christopher Pyne admitted: "I don't know who did it".