EWI’s Executive Vice President Bruce McConnell was a guest speaker at the second International Cybersecurity Congress, which took place from June 20-21 in Moscow. During a session on Legal Environment, McConnell emphasized the risk of destabilization and escalation from state-sponsored cyber attack campaigns. The conference was hosted by Sberbank.

Beyond Cyber Defense

McConnell’s remarks focused on the accountability of malicious actors in cyberspace, which remains one of the key challenges to protect cyberspace. While the international community has been working towards “rules of the road” to restrain the use of cyber weapons, it remains an open question how to effectively enforce them. When states break such rules, common responses include diplomatic outreach and threats, economic sanctions, indictments, public shaming and joint investigations, among others.

“Such techniques are proving ineffective and potentially destabilizing,” McConnell noted. “These methods can create unexpected collateral damage to civilian populations, raising the risk of escalation. In today’s world, state and state-sponsored cyber attack campaigns present a grave threat to the stability and long-term viability of cyberspace.”

Current practices in which major cyber powers put malicious implants in each other’s electric grid and other critical infrastructure paint a grim outlook on the future direction of states’ and actions and responsibility for their behavior in cyberspace. In fact, the more aggressive practices of states are contrary to what many experts have been working towards, include groups like the Global Commission on the Stability of Cyberspace.

Role of the Private Sector

As regards the role of the private sector, McConnell noted that companies, particularly in the ICT industry and operators of critical infrastructure, can play an important role. Essentially, cyberspace is owned and operated by the private sector. The EastWest Institute has been asking how this vantage point can be best leveraged by private firms to take appropriate actions, such as raising the attacker’s cost of conducting an illegal cyber act. For example, ICT companies and Internet service providers can increasingly take steps such as:

1. Scan customer devices and request/require them to improve their security;
2. Send a notice of findings to the hosting services that the attacker is using;
3. Circulate attribution evidence in the community;
4. Block or quarantine selected traffic coming from the attacker; and
5. Stop doing business with the attacker.

McConnell suggested that any adverse consequences resulting from such actions can be mitigated by legislative protections that states would have to enact.

This year’s Cybersecurity Congress was attended by leading international cybersecurity experts, business leaders as well as senior level government officials from Russia and worldwide and included dignitaries such as the Russian Prime Minister Dmitry Medvedev, who addressed the main plenary on Day 2. The plenary panel also featured the Governor of the Central Bank of Russia Elvira Nabiullina, Herman Gref, CEO, Chairman of the Executive Board, Sberbank, Alois Zwinggi, Member of the Managing Board, Head of the Centre for Cybersecurity, World Economic Forum, Kairat Kelimbetov, Governor, Astana International Financial Centre, and Maxim Akimov, Deputy Prime Minister, Russian Federation.