Cybercrime: naming names, protecting our democracies

Source: A. (Andrus) Ansip i, published on Thursday, October 18 2018.

Anyone reading the international news headlines over the last few weeks will know that cyber warfare remains very much alive.

As ever, it provokes havoc - at least part of the hackers' intentions, which may also be more deliberate and criminally targeted.

We don't always know.

And it is not confined to one continent. We have a few months left before the end of 2018 but just think of the many data breaches that hit the headlines this year.

Facebook may be one of the best known but not the largest.

Some attacks have been utterly brazen and were luckily detected.

One that springs to mind, although you could not really call it sophisticated, is Russia's recent botched military intelligence operation against the Organisation for the Prevention of Chemical Weapons (OPCW) in The Hague.

Four Russians and a car packed with of specialised hacking equipment.

One welcome development in this cyber-gloom is that there seems to be more willingness to name perpetrators, whether as individuals or sponsored by a specific country.

That was the case with the OPCW attack.

British and Dutch security agencies went public and pointed the finger at Moscow as the perpetrator.

That indicates a high level of certainty on their part, along with sharing of intelligence to tackle a common - and global - threat.

I say that because attribution of activities carried out via the internet is not easy from a technical point of view.

Not only can identities be easily disguised, it is also difficult to determine whether the attacker is 'state' or 'non-state': financed and sponsored by a national government, in other words.

Given the scale and scope of cyber-threats that democracies face around the world, I am convinced that people should name names - if they can.

Collective attribution makes us stronger against online attacks, wherever they come from. Going public, as the UK and Netherlands did so effectively, propelled this story into the world's media.

In the EU, the presidents of the European Commission and Council, along with the EU’s foreign policy chief, deplored this hostile cyber operation carried out by Russia.

This kind of publicity is not only embarrassing for the perpetrators, it can also help to deter potential aggressors in the future - and increase the chances that those responsible will be held to account.

However, naming and shaming only works for those who feel shame in the first place.

So we need to go further - and impose an effective system of sanctions on cyber-attackers, as requested by EU leaders at their summit today.

And given the proven online interference in democratic elections around the world in the last few years, attribution and sanctions for cyber-attacks may prove to be especially important during the European elections due in May 2019.

We will be watching closely.

The bottom line: it is easier to fight back against attackers when you know who they are.

But if you don't know their identity, then you are fighting in the shadows, one arm tied behind your back and always one step behind the hostile forces.

Let's take that advantage away from them. Another blog soon.