chertoff2_NICOLAS ASFOURIAFP via Getty Images_hackers

The SolarWinds Wake-Up Call

Dec 16, 2020 Michael Chertoff , Latha Reddy, Alexander Klimburg

The recently discovered SolarWinds hack holds obvious lessons for governments around the world, particularly after a year in which cyber attacks on critical infrastructure have surged. International action is urgently needed, not to write new treaties or codes of conduct, but to enforce existing norms.

WASHINGTON, DC – The recent discovery of the devastating Sunburst hacking campaign against US and global targets is once again challenging the international community to respond to an increase in cyber attacks. Over the past year, cybersecurity personnel worldwide have faced a surge of hacks against critical infrastructure, including institutions fighting the COVID-19 pandemic. While governments have openly condemned some of this behavior, more collective action is clearly needed.

There is no international treaty for cyber matters, and the 11 non-binding norms of responsible state cyber behavior endorsed by the United Nations General Assembly are somewhat ambiguous. Additional norms are being put forward all the time, which is a good thing. But norms are not treaties and should not be treated that way. The better option is to concentrate on the spirit – not just the letter – of what the norms convey. Indeed, the latest hacking revelation shows precisely why an international cybersecurity treaty would likely fail.

SolarWinds, a leading US network-management company, produces a monitoring platform that grants IT support staff remote access to devices that have it installed. The recent supply-chain attack hijacked the software’s update function to install the so-called Sunburst malware. As the tech publication The Register reports, SolarWinds is deployed in more than 425 US Fortune 500 corporations, all major US telecoms companies, and most branches of the US government (with a similar presence in many other developed economies). And the cybersecurity company FireEye, whose reported breach early last week was instrumental in uncovering the campaign, said that institutions worldwide may have been compromised, even if the US government was the likely focus.

We hope you're enjoying Project Syndicate.

To continue reading, subscribe now.

Already have an account? Log in

Support High-Quality Commentary

US President-elect Joe Biden may have promised a “return to normalcy,” but the truth is that there is no going back. The world is changing in fundamental ways, and the actions the world takes in the next few years will be critical to lay the groundwork for a sustainable, secure, and prosperous future.

For more than 25 years, Project Syndicate has been guided by a simple credo: All people deserve access to a broad range of views by the world’s foremost leaders and thinkers on the issues, events, and forces shaping their lives. At a time of unprecedented uncertainty, that mission is more important than ever – and we remain committed to fulfilling it.

But there is no doubt that we, like so many other media organizations nowadays, are under growing strain. If you are in a position to support us, please subscribe now.

As a subscriber, you will enjoy unlimited access to our On Point suite of long reads and book reviews, Say More contributor interviews, The Year Ahead magazine, the full PS archive, and much more. You will also directly support our mission of delivering the highest-quality commentary on the world's most pressing issues to as wide an audience as possible.

By helping us to build a truly open world of ideas, every PS subscriber makes a real difference. Thank you.

Subscribe Now

Facing the Cyber Pandemic Innovation
Andriy Onufriyenko/Getty Images

Facing the Cyber Pandemic

Michael Chertoff, et al. urge governments and world leaders to establish new norms against attacks on Internet infrastructure.

3

new comment has been posted. new comments have been posted.

0 Comments on this paragraph, 2 in all 2 Comments on this article

Gerry Hofman Dec 16, 2020

When the first tech companies started up in the US the government sought to protect their advantage by ensuring there would be no regulation to impede their development and no taxation to stop their growth. Their influence now covers every corner of the globe and the data stream they generate as plentiful as the solar wind.
To fix something that isn't right you first need to recognize what went wrong. Then you can work to find a way to correct it. To continue enforcing existing norms would seem monumentally insufficient in managing the problems associated with global data flows.
If you wouldn't want the Chinese communist party or the Russian hacker collectives to be able to trace your daily commute in the New York underground you clearly need to do better than "enforce existing norms". You would need to redesign the tech sphere from the ground up with the aim of keeping the data within a country's borders, control and monitor data flow between countries, and protect citizens privacy from snooping including your own and foreign governments. It's either that, or just give it up.
- Yaroslav Gryaznov Dec 17, 2020
  
  Problem is - they won’t be able to rebuild this industry from the ground up, because the existence of these back doors is basically - one of the main reasons for these technology to exist. We saw it really well in recent Alexey Navalny ft Bellingcat case. Personal mobile data regarding airline databases and mobile triangulation is being used both by intelligence services and can be bought for “personal use”. Hence why would they ever consider changing this? US intelligence uses these tactics just as often, as it gets attacked.
  A new reply to this comment has been posted.
A new reply to this comment has been posted.