This article is part of the series—Raisina Edit 2021
As technologies keep evolving and the digital domain expands, we must improve our online defences. Not only that, we must also ensure that the exploitation of discovered vulnerabilities stops being a norm. Today, both governments and other sophisticated threat actors are taking advantage of vulnerabilities found in mass-market hardware and software products or services and are creating cyberweapons by applying tools and techniques to exploit those weaknesses.
These techniques are meaningfully distinct from the conventional weapons of modern warfare given the scale, reach and indiscriminate impact they can have. Most alarmingly, these are being used on a daily basis — effectively during peace time. We saw this in 2017 with the WannaCry attack that compromised computers in 150 countries or the recent SolarWinds breach that affected roughly 18,000 businesses and government organisations. Against this backdrop, there is also a growing industry of companies and cybercriminals that are creating and selling cyberweapons that enable their customers to break into computers, phones, and internet-connected devices. Taken together, these trends have the potential of causing significant destabilising societal effects.
Stakeholders’ dilemmas
With this context, the question of how corporations, communities, and governments can cooperate to prevent the export of digital vulnerabilities comes to the forefront. Although there are tradeoffs to consider, protecting the public interest in cyberspace should be of central importance.
Within government, when it discovers or purchases digital vulnerabilities, the dilemma of disclosing such vulnerabilities — and thus allowing them to be fixed — or retaining them for national security purposes surfaces. This has to be weighed against the government’s role to protect the nation in cyberspace — which may require the use of such vulnerabilities. However, any decision to retain a digital vulnerability undercuts general cybersecurity since threat actors can also find it and exploit it. This calls for governments to adopt a vulnerabilities equities process that offers transparency in their decision-making and carries a presumption for disclosure.
In the private sector, protecting users is of utmost importance, so active participation in the awareness and mitigation of new vulnerabilities is critical. Developers are expected to be transparent about when and how they receive or discover a vulnerability — at times as a result of communications with external researchers. This allows companies to address it in a timely, risk-based manner, and to communicate with affected customers and users about the existence of vulnerabilities and the availability of mitigations. Initiatives such as a recent one by the Cybersecurity Tech Accord, which saw two-thirds of its signatories — 100 companies — adopt a vulnerability disclosure policy, are worth emulating across all entities that develop software.
Looking ahead
The ease and speed with which cyberweapons can be recycled heighten risks in ways that are incomparable to other domains of conflict. While there may be national security benefits from acquiring and retaining digital vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities could have in rendering societies defenceless and the potential for them to be used against a government’s own computing infrastructure, its citizens and globally. A vulnerabilities equities process that governs how a particular government determines whether to release or retain a digital vulnerability is one way of managing those risks. Ensuring that government agencies that focus on civilian consumer security and protection, aside from defence and intelligence agencies, participate in the process ensures that broader community interests are considered and consequently integrated.
On the industry side, companies should implement coordinated vulnerability disclosure policies to ensure that vulnerabilities are addressed, and addressed in a prioritised way. While companies have adopted diverse paths to best reflect the needs of their organisations and customers, the Global Forum on Cyber Expertise (GFCE), for example, has identified foundational qualities based on good practices, which include: 1) establishing clear protocols to process incoming reports of vulnerabilities and to investigate them; 2) allocating the necessary resources to implement policies that address and remediate vulnerabilities; and 3) maintaining robust communications with all relevant stakeholders. The International Standards Organisation has also developed specific guidelines in this space.
Furthermore, private sector companies creating, selling and profiting off cyberweapons need to be reined in. Some of these companies’ tools are threatening human rights, as they are being used to spy on human rights defenders, journalists and other private citizens. Joint efforts to bring awareness, attention and accountability to these firms, like the 2020 amicus brief that Microsoft filed along with Cisco, GitHub, Google, LinkedIn, VMWare and the Internet Association in a legal case brought by WhatsApp against the NSO Group, are a meaningful step in the right direction.
Full circle
Protecting the public interest in cyberspace and preventing the export of digital vulnerabilities requires a collaborative approach across the public and private sectors. While not all vulnerabilities present an immediate security problem, minimising potential risks requires both governments and industry to have deliberative and transparent processes in place that seek to address those challenges. Additionally, increasing the barrier for access to these weapons by not buying them, or adopting a representative equities process if they are retained, would help reduce future threats.
The views expressed above belong to the author(s).