It’s hard to crack down on cyberattacks when nations can’t even agree on what a cyberattack is.
Experts in the field are now saying the world needs multilateral cyber diplomacy so all parties can at least come to a mutual understanding of what constitutes a cybercrime.
“If you don’t have a doctrine that says, ‘We do our best to define some things that are acceptable and unacceptable,’ you don’t really have deterrence,” Kevin Mandia, CEO of cybersecurity firm Mandiant, said at Fortune’s Brainstorm Tech conference in Half Moon Bay, Calif., on Tuesday, adding that breaches like the one at SolarWinds will continue to occur without one. “We’re all just playing goalie all the time. Even with the best goalies, sometimes the puck gets in the net.”
When asked what a diplomatic doctrine would look like in practice, Mandia noted the inherent difficulties. First, so much of the critical infrastructure of cyber command and control is held by the private sector; the government would need more access to get it right. Second, it’s hard to draw a red line in cyber.
“We have different definitions with cyberwar, cyberattack; nobody agrees on what you want to call it. But a crime is a crime, and I think you can have rules of the road internationally for criminal behavior,” he said. One obvious example of unacceptable behavior would be a cyberattack that costs lives. “I think if you have a doctrine that’s a little bit elusive and say you will proportionally respond, I’d say that’s good enough.”
Until such time that a more sustainable solution exists, Alex Stamos, partner at cybersecurity consultancy Krebs Stamos, urged businesses to take a more comprehensive approach to cyberattacks. “It’s effectively impossible to prevent the initial intrusion. Think about the kill chain—all of the steps an attacker has to take before they’re successful with their goal. Breaking in is generally not the goal of a professional attacker. They want to steal data, like with [Russia’s Foreign Intelligence Service agency]. They want to plant code. They want to put themselves in a persistent position to be able to shut down stuff,” he said. “You have to realize: The breach is not the end but the beginning of your response cycle.”
Large companies—the Northrop Grummans, General Dynamics, and Amazons of the world—have the resources to bolster defenses against breaches, says Stamos. But small and medium-size businesses (SME) are sitting ducks. “There’s this whole set of companies that are legitimate national security targets now, and they don’t know it,” Stamos said, adding that the U.S. has made very little progress getting into the SME space after the 2020 SolarWinds hack. “That’s what’s really scary for me,” Stamos said.
The reality is that the prevalence of cyberattacks will continue to spike at companies across the board until a more formidable defense—diplomatic or otherwise—is found, especially since there’s money to be made. “In the Bitcoin era, the ability to make money from hacking is pretty amazing,” Stamos said. “There’s an economic incentive to be a bad guy.”
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.
