January 24, 2021

Toka’s Yaron Rosen in Foreign Policy: The World Needs a Cyber-WHO to Counter Viruses in Cyberspace

As details about the SolarWinds hack come to light, it appears to be one of the most consequential and intrusive cyberattacks against the U.S. government to date. By accessing SolarWinds software used by thousands of large organizations to manage their computer networks, intruders were able to create a backdoor to enter computer networks at several U.S. federal agencies and private companies, including Microsoft.

While former U.S. President Donald Trump refused to acknowledge the attack’s provenance, the U.S. intelligence community’s unanimous opinion is that Russia and its SVR intelligence agency launched it.

Determining who carried out a cyberattack, also called attribution, is critical to punishing the attackers and deterring further action or future operations by others. The United States, with world-leading cybersecurity and technical capabilities, can determine attribution relatively easily, as could maybe a dozen other countries.

But what about the 183 nations that cannot?

Imagine if only a dozen or so nations were able to diagnose COVID-19, understand how it spread, the damage it could cause, and how to prevent and treat it. In addition, these privileged nations kept that information to themselves. This is, effectively, the situation we have with cybersecurity. Virtually all countries are at a higher risk of attack because of their inability to identify their attackers, to say nothing of defending themselves and remediating the damage.

The international community doesn’t tolerate this hoarding of knowledge with a viral disease—just look at the backlash against China for its early reticence to share information about COVID-19. Similarly, the world shouldn’t tolerate information-hoarding with viral cyberattacks. Just as there is a global health body, the World Health Organization (WHO), to better understand and combat health threats, we need a “cyber-WHO” to better understand and combat cyberthreats.

The internet has evolved into a complex digital landscape with billions of users, millions of apps and websites, and thousands of network providers and infrastructure nodes from satellites to Wi-Fi routers. Add to this the exponential growth of the Internet of Things, and virtually everything—from cars to coffee makers—is, or will be, part of our digital landscape.

In such a world, there are infinite points of access to a network. (In the SolarWinds attack, for instance, it appears the Russians targeted that company because its software is so ubiquitous in the U.S. government and corporations.) Anyone with a laptop can launch an attack. And those with enough skill can sufficiently mask an offensive operation by routing it through internet service providers in countries all over the world.

If the risk of getting caught and suffering any consequences is low, the deterrent to launching an attack drops dangerously low, destabilizing the global order. As the chairmen of the bipartisan, blue-ribbon U.S. Cyberspace Solarium Commission wrote, “Today most cyber actors feel undeterred, if not emboldened, to target our personal data and public infrastructure.”

The result has been a relentless wave of cyberattacks. In the United States, ransomware incidents, in which criminals freeze a health system’s or local government’s networks until they are paid, grew 365 percent from 2018 to 2019. The United Nations estimates that in 2019, North Korea stole $2 billion from banks and cryptocurrency exchanges to fund its weapons programs. And over the past decade, Chinese hackers have stolen personal information from Marriott, the U.S. Office of Personnel Management, and the credit reporting agency Equifax—to name just three targets.

Attribution is difficult but possible for a cyber-superpower like the United States or Israel or for a sophisticated tech company like Microsoft or FireEye. But it is virtually impossible for everyone else. That’s why when the central bank of Bangladesh was the victim of a cyberheist, it had to hire two U.S. companies to investigate, and why Banco de Chile had to do similarly when it was attacked in 2018.

To effectively deter cyberattacks, national governments will need to build national-level cybercapacities—to invest in their people to create a cybercapable workforce, procure the right technologies, and restructure their governments and militaries so that they have accountable campaign leaders and the processes to defend and deter cyberattacks.

This will take years for even the most developed nations, and for others, they may never fully develop these capabilities. This is where the international community must step in to fill the gap. We need a cyber-WHO, a global body that could develop norms about behavior in cyberspace; share knowledge about threats and attacks, specifically their digital signatures; establish attribution where possible; establish protocols to share best practices; and provide technical support to countries at all stages of cyberbuilding.

To create incentives for nations to join, a cyber-WHO could publish a cyber-safety rating, as the credit rating agencies do (S&P and others), with the same implications on a country’s economy. In my experience working with developing nations, they seek validation from international bodies to create more certainty for investors and other partners.

Of course, coordinating on health issues in which the common enemy is a virus is more straightforward than when the threat may very well have come from another country. There may be nations, such as Iran and North Korea, that refuse to participate in such a body, and others—such as the United States and China—that may offer varying levels of cooperation because they do not want to erode their strategic advantage.

A similar dynamic occurred when countries began to establish their own cyber-emergency response teams or integrated cybercommands. Banks, for instance, did not want to share information about breaches for fear of appearing weak and, if they prevented them, for sharing information that gave them a leg up on their competition.

Quickly, though, these companies realized that they were only as strong as their weakest link. No one was asking them to reveal their methods or technology; what was required was the sharing of digital signatures on malware or viruses to help others detect infiltration. This helped others bolster their defenses and helped government bodies determine attribution and, if necessary, act against perpetrators. The resulting deterrence—no matter how small—was good for everyone.

A cyber-WHO would act similarly. It would ask participating nations—and companies within them—to share information on digital signatures and, where possible, attribution.
While I hope that a cyber-WHO would share best practices with countries looking to build their cybercapacities, it is fair to assume that the most advanced countries would not share all the details of their technologies and methods. But moving to a world in which a cooperative effort is made to share what these countries know (as opposed to how they know it) to determine attribution and thus establish norms and share best practices is an upgrade from the status quo.

There are international collaborations already, such as NATO’s Cyberspace Operations Centre, and the U.N. has a working group to debate acceptable behavior in cyberspace. But none has the breadth of participation or depth of mission that WHO has in global health and that a cyber-WHO would need on cybersecurity. As a result, the world is relying on the dozen or so cyberpowers and an even smaller number of private companies such as Kaspersky, Broadcom, and Microsoft to provide information about cyberthreats out of goodwill.

A cyber-WHO would dramatically increase the amount of information shared, create a framework to help uncover who launched a cyberattack, and serve as a resource to nations looking to build their cybercapacity. This will not eliminate cyberthreats—much as the existence of WHO did not prevent the spread of COVID-19—but it will give the global community an avenue to create a deterrent, use economic incentives to encourage and discourage bad behavior, bend the curve in the growth of cyberattacks, and start to bring order to the cyber-realm.