Peter Membrey, Contributor. 27 October 2021, 3:44 pm
The attack on the US Colonial Pipeline company was simply too big for the US Government to ignore.
While ransomware attacks on hospitals and schools have been met with an immediate outcry, these have been mostly limited in scale. But when an attacker can shut down a piece of critical national infrastructure, now the entire nation is potentially at risk. Now it’s a matter of national security.
To help prevent this from happening again, the Biden administration earlier this month held a two-day virtual meeting on cybercrime. Thirty countries, including New Zealand, were among those participating. Our Five Eyes partners, Australia, Canada and the United Kingdom, also attended.
However, a core theme of the event was that everyone needs to work together to solve this problem. Jack Sullivan (the US national security advisor) went as far as to say that “no one country, no one group can solve this problem”. That all sounds terribly impressive, so it really is a pity that the initiative is probably not going to accomplish much of anything.
The 30 nations agreed in general terms to do more to tackle cybercrime. A joint statement noted that:
“Efforts will include improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement.”
It all sounds worthy, but making progress in real terms will be difficult.
The borderless internet
Unlike the real world, which has been carved up into countries or regions with their own jurisdictions and legal systems, the internet is for most purposes borderless. That means that even a simple transaction can cross dozens of countries or more and, in turn, different legal systems. So when a crime is committed, who has jurisdiction? Is it the location of the server that was attacked or is it the location of the attacker? If a server in a third location was used, does that location have jurisdiction? And what if the ill-gotten gains of the crime were deposited into a bank account in yet another location – who has jurisdiction over that?
Trying to untangle that mess even between friendly countries is difficult, but between countries that aren’t on good terms it becomes all but impossible. Even if both countries want the same result, the political challenges can make that extremely difficult.
Even if you could figure out who has jurisdiction, there’s still the issue that some things are legal in one place that aren’t legal in another. For example, under US federal law, the possession of cannabis for any reason is illegal. However, despite this, most US states have legalised cannabis specifically for medical use. Other states such as Arizona, Connecticut and California have gone further still and made recreational usage legal. There are enough differences in the legalities of possession, transportation and cultivation to make your head spin, and all of this exists within a single country.
This problem isn’t new either. We’ve long seen pirated software, music and movies downloaded via the internet. The DMCA was meant to stop the pirates, but in reality it had very little impact, as applying the DMCA to people outside of the United States proved to be challenging (indeed, the US had to actually trick someone into visiting the US so that they could arrest them under the DMCA).
Cybersecurity efforts key
Even when countries agree that something is bad (such as human trafficking or exploitation of minors), have laws and resources in place, and truly work together, stamping them out is really, really hard. Applying politics and enforcing the law does not translate well to a digital communication platform.
In my opinion, simply getting countries talking to each other and discussing the issues is really not going to do very much. As long as cybercrime is remotely profitable, there will always be people willing to engage in it. Instead, we need to recognise the importance of cybersecurity (to be fair, the Biden administration has done so) and focus on making our systems resilient such that cyberattacks have nowhere to go.
So, have your discussions, come up with plans for finding and prosecuting those behind cyberattacks, but at the same time, realise that it’s a rather scary game of whack-a-mole – sooner or later you’ll miss one and it’ll be game over. Better to focus on ensuring that even if one does get through, there’s nowhere for it to go. Of course, the last ship declared to be unsinkable was the Titanic…
Peter Membrey is Chief Architect at ExpressVPN, based in Hong Kong. He is responsible for driving engineering excellence within ExpressVPN and has co-authored over a dozen books and a number of research papers on information security issues. He is a member of IT Professionals NZ.