Pat Larkin: We need a radically different approach to ransomware and cybercrime
Aside from the impact on business and civic life, suffering further cyberattacks on critical services may also damage Ireland’s image abroad. Picture: Getty Images
There is some important context to the threats we face. We are one of several countries whose healthcare systems and other critical services have, and continue to, suffer significant cyberattacks.
Attacking a healthcare system, regardless of actor or motivation, is a very insidious and repugnant activity, with a high potential impact on patient care and mortality outcomes. Non-critical organisations and citizens also suffer similar attacks daily.
In some cases, it is solely criminal groups looking to hold society or organisations to ransom for financial gain. In other cases, these groups are closely aligned with malevolent nation states, using them to pursue occasional foreign policy objectives.
Ireland, like all modern societies, is on a rapidly increasing digital adoption curve, with lots of digitally dependent FDI and indigenous business. Our future prosperity is critically dependent on this digital transformation.
Aside from damage to business and civic life, suffering further crippling attacks on critical services may increase brand damage to Ireland Inc. This could lead to a perception that we do not take national security seriously and therefore are not a safe place to do business or invest in.
Well-intentioned approaches to date, nationally and globally, are failing by any objective measure.
The solution lies in full-blooded, visionary commitment to a new international consensus on cybercrime, and leadership to build and enforce this consensus.
We have some cards to play that may have been a factor in the recent events. We have a vibrant, emerging cybersecurity sector, good non-aligned international relationships, a seat at the UN Security Council, and recent street-cred of being a relatively innocent victim to a crippling attack.
We now need to lead a reshaping of our national and the global approach to this online terrorism, crime, and warfare. Doing so will project a strong message of our commitment to securing our country and its services, undoing any brand damage to Ireland Inc. resulting from this attack.
Industry, customers, and regulators often focus their blame on the victim organisations, citing inadequate security on their part as reasons for the attack. This incorrect focus adds pressure to the organisation under attack.
Fear of loss of customers, regulatory fines etc. increases pressure on organisations to pay ransoms or not to disclose attacks. Instead, our collective efforts should be to support the victim, relentlessly pursue and neutralise the perpetrators, and disclose the attack without shame so we all can learn.
The debate as to whether current international law is adequate for cyberspace needs to end.
Ireland can help establish a clear Digital Geneva Convention and definitive international cyber norms governing international behaviour in cyberspace, covering cyberwarfare, cyber weaponisation, and cybercrime. Microsoft president Brad Smith first proposed the idea of a digital Geneva Convention in 2017.
Once consensus is established, we need a structure to effectively govern, regulate, and enforce this new norm.
The United Nations seems to be the obvious organisation, but longstanding questions as to the effectiveness of the UN Security Council in relation to current international crises as well as cybercrime and cyberwarfare would suggest that a change of modus operandi is required. Some of the alleged malevolent and ambivalent states with respect to cyberwarfare and cybercrime currently sit on the UN Security Council with a veto.
We then need to establish the treatment of cyberattacks on healthcare and critical national infrastructure as a higher order of international crime.
Attacking critical national infrastructure or health systems is effectively a combination of potential offences. If nation states are involved, then it is a potential act of war and a breach of the Geneva Convention.
If cybercriminals are solely involved, given the scale and cost of destruction and the inevitable impact on citizens and patients in terms of poorer patient outcomes and increased mortality, effectively the offence is a combination of international terrorism, arguably reckless endangerment, and potentially large-scale manslaughter or murder. Lastly, it is a traditional financial crime.
New offence definitions may be needed to cover the cyber realm. We should seek to turn the cybercrime ecosystem into pariahs in the international community. They need to be brought to trial with suitable agreed substantial common punishment.
If necessary, we may need to bring them to trial using the International Criminal Court, particularly from ambivalent or malevolent states. The consensus would also treat nation states that are ambivalent to or supportive of cybercrime or cyberwarfare as pariahs.
We need to advocate for and lead in the construction of coordinated and sustained use of all global policy tools such as trade and digital sanctions, including internet isolation, in a graduated fashion until they either cease their support or their support becomes ineffective.
Consensus allows states to invest in and focus our local and global intelligence, policing, defence, and industry resources on a coordinated and fully committed effort in pursuing, harassing, attacking, and eliminating the attackers and their safe havens. This response should also ruthlessly pursue the attacker’s assets.
We should regulate the cryptocurrency and related payment systems that shield and launder the attacker’s ill-gotten gains. Cyberweapons have equivalent potential societal disruptive effect as controlled weapons such as chemical, nuclear, cluster mines, etc.
We have seen examples of nation-state stockpiling of vulnerabilities, and cyberweapons co-development with questionable third parties. We need international consensus, legislation, and control of their production, distribution, and use.
We need to appropriately task and fully resource all national defence, policing, intelligence, and foreign policy resources to make cybersecurity one of our top priorities in our national and global security.
We need to be more innovative, eliminating traditional internal silos and legacy mindsets within our collective national security apparatus. Every soldier should be a cyber soldier in addition to their skills in land, sea, and air.
An Garda Síochána has made innovative investments in adding cyber skills and tools to their personnel, and work innovatively with academic and research institutions nationally and internationally in cyber policing. We need to build national and global capabilities collaboratively between government, industry, and academia to develop new tools and capabilities to constantly outgun the bad guys in cyber policing.
Unfortunately, in the absence of consensus and an improved coordinated global response in the digital world, the only alternative may be to enter a cyber arms race with cartels and nations states with a zero-sum position of Mutually Assured Digital Destruction (MADD) as a deterrent to cyberattacks. Ireland should lead such an alternative path.
- Pat Larkin is CEO of Ward Solutions one of Ireland's largest cybersecurity companies and has over 25 years’ experience in the information security industry. Pat is a former officer in the Irish Defence Forces, where he held line plus information security roles. Pat is a board member of Cyber Ireland.
