Not All Nations A Slam Dunk For U.S. Global Internet Cybersecurity Policy

The U.S. and China were able to find common ground on antispam efforts, but don't expect them to do the same when it comes to the complex cat-and-mouse game that is cyberespionage. And that's just one of the challenges the White House faces in implementing its new global cybersecurity policy, which calls for international cooperation among nations in defining the norms of online behavior and consistently enforcing unlawful activities.

The White House on Monday published its historic policy document, which drew a line in the sand for how the U.S. envisions keeping the Internet secure, open, interoperable, and reliable worldwide. The "International Strategy For Cyberspace: Prosperity, Security, and Openness in a Networked World" policy document also makes it clear that, when necessary, the U.S. will defend itself from cyberattacks, including drawing on its military might.

A cornerstone of the policy is the U.S.'s plan to reach out to other nations in an effort to keep the Internet safe, secure, and open, and to better protect it from cybercriminals, cyberattacks, and cyberespionage. The policy has been applauded by security experts.

While traditional U.S. allies, such as Western Europe, are likely to follow suit with their own policy documents that echo some of the same themes, experts say, it won't be so easy to get those nations on board that traditionally have been home for cybercrime and cyberespionage, or have turned a blind eye to that activity in their countries.

Jeff Moss, vice president and CSO of the Internet Corporation for Assigned Names and Numbers (ICANN) and founder of Black Hat, says there are a couple of security issues that most countries can agree on. "I don't think you're going to find any government standing up for spam. [Most] agree that botnets and spam are bad. So those are two good starting points," Moss says. Those two issues could initially be identified as international "norms" of misbehavior on the Internet, he says.

China and the U.S. recently formed a bilateral arrangement to quell spam between the two countries, but the news came with little fanfare. At the time of the announcement, Karl Frederick Rauscher, CTO of think tank EastWest Institute, who brokered the bilateral arrangement along with Yonglin Zhou, director of the network security committee of the Internet Society of China, said that the antispam efforts were part of a larger initiative between the two cyberpowers.

While the think tank considers this a first step in talks between the two nations on cybercrime issues, moving beyond antispam efforts is a much taller order. Chinese hackers have been implicated in so-called targeted, advanced persistent threat (APT)-type attacks against U.S. government agencies for years and, most recently, against U.S. businesses, such as Google, Intel, Adobe, and others.

It's too soon to tell whether the U.S.'s new global policy will at all meaningfully pressure Eastern Europe to crack down on cybercrime, or get China to acknowledge or make changes to its worst-kept secret of hackers within its borders, who have been stealing intellectual property from U.S. government agencies and companies, for instance.

Eric Rosenbach, principal and lead for the cybersecurity practice at Good Harbor Consulting, says even if a particular country is interested in fighting cybercrime within its borders, for example, it may not have the legal infrastructure do so. "But it's a great idea to start at it and keep grinding away, and hope that it bears fruit," he says. "But no one in the administration is naive" to believe that this global initiative will kill cyberespionage," for example, he says.

The bottom line is that setting a policy is a big step. "It's very important and has been lacking until now. It's extremely significant that this strategy was unveiled [together] by five cabinet secretaries," Rosenbach says.

ICANN's Moss expects the U.S. policy to spur more of a global debate on cybersecurity and Internet openness issues. "The U.K., France, The Netherlands, and Australia, [for instance], will want to respond" with their own written policies, he says.

There have been some successes in multinational efforts in the past year, including botnet takedowns that relied, in part, on cooperation from across the pond. Attorney General Eric Holder pointed to those efforts at the rollout of the U.S. International Strategy for Cyberspace.

"In recent months, the Justice Department has announced takedowns of significant criminal groups operating from Romania, Egypt, and elsewhere that had been victimizing American businesses and citizens -- including children. We’ve also brought multiple criminal conspirators to justice for their roles in coordinated cybercrimes that, according to court documents, netted nearly 1.5 million dollars from U.S. victims," Holder said. "And, just a few weeks ago, we announced an operation to disable an international criminal network that had infected more than 2 million computers worldwide with malicious software. Until we stepped in -- with the help of industry and security experts, as well as key international partners -- this malware was allowing criminals to capture bank account numbers, user names, and other sensitive and financial information online."

But Holder said it's time to take the global fight to "to the next level." The U.S. policy basically reiterates support for the so-called Budapest Convention initiative to create a rule of law on the Internet, he said.

Another loose end is the U.S. Defense Department's policy on defending cyberspace. "The DoD will be coming forward in a month with its updated vision based on [the White House policy document]. That will attempt to help clarify their thinking as well as align with this," ICANN's Moss says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.