Should the UK follow the US in cyber security?

ANALYSIS: People in the security industry often compare the UK's and the US' stances on cyber security and ask who can learn what from whom.

This month, the US has made some strong statements in the cyber crime sphere.

Last week, the White House put forward a range of legislative proposals, outlining ideas designed to bolster the nation's security.

The new rules would allow Government intervention in private companies that need help bolstering defences, and would introduce a data breach notification requirement for businesses.

This week, the US released its first International Strategy for Cyberspace, outlining its approach to the digital challenges the country and indeed the world faces.

What has emerged is that the US is taking a strong stance on cyber crime/warfare, bringing real-world concepts into the digital arena. President Obama, in the introduction to the strategy report, was clear about this.

"While offline challenges of crime and aggression have made their way to the digital world, we will confront them consistent with the principles we hold dear: free speech and association, privacy, and the free flow of information," Obama said.

In the report itself, there were numerous indications that the US is taking cyber threats as seriously as real-world dangers.

"When warranted, the US will respond to hostile acts in cyberspace as we would to any other threat to our country," the report read.

"We reserve the right to use all necessary means - diplomatic, informational, military, and economic - as appropriate and consistent with applicable international law, in order to defend our nation, our allies, our partners, and our interests."

Essentially, the US is saying "try to DDoS us and we'll launch missiles at you," according to Mikko Hypponen, chief research officer at F-Secure.

The strategy report outlined how cyber attacks on the US could lead to genuine, terrestrial warfare.

"We will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible," the report read.

"We will seek to encourage good actors and dissuade and deter those who threaten peace and stability through actions in cyberspace."

The right approach?

Is the US taking the right approach? Should other nations learn from America's ideas and actions in the security space, particularly those outlined in the past seven days?

Earlier this week, Rob Cotton, chief executive of NCC Group, said the Government should look across the pond for inspiration. "We should be looking at the US and following suit as they face the problem head on," he said.

Hypponen praised the US for taking a strong stance. "We're never going to curb cyber crime if we don't do a better job in catching cybercriminals and putting them behind the bars," Hypponen said.

"I'm glad to see the US is making here a clear commitment to help international law enforcement in this regard."

The notion of following in the US' footsteps does not wash with everyone, however.

Chris Boyd, senior threat researcher at GFI Software, questioned how applicable the US' stated approach to retaliating against cyber attacks actually is.

"Military or law enforcement intervention in retaliation for a cyber attack will be hard to justify given that IP address spoofing can easily disguise the point of origination and misdirect those looking for it to another place or country," Boyd told IT PRO.

Furthermore, local issues need to be taken into account, so just following the US would be a little naive.

"It is important for countries to tackle their cyber crime issues locally, in order to take into account local laws, conventions and cultural differences," Boyd said.

"It is unlikely that the US plan can be used as a roadmap for everyone. Far better that countries cherry pick things that will work, and indeed vice versa as the US revisits the plan it announced to revise and improve it."

It is clear countries can learn from one another, but this does not necessarily mean the UK should go with what the US believes is right. As Boyd said, taking whatever is relevant would be the best approach, rather than taking a copycat stance.

Working together

The US certainly got one thing right in its report: cyber crime is a global problem that needs global answers. Yet there was little mention of how other nations could get involved, just an open invitation.

This was what was lacking from the strategy report: detail. Yes, nations as well as private and public sector organisations need to come together to ensure security of information, whilst not hindering innovation and progress. But without clearer guidelines on how different parties can get involved, little will happen.

Historically speaking, the US has occasionally been a proactive force in forming global organisations, particularly those covering defence. Just look at the formation of Nato: the North Atlantic Treaty was signed in Washington DC.

James Lyne, director of technology and strategy at Sophos, said collaboration has improved over the last few years, but the situation was "far from perfect."

"I personally believe we should have a more formalized international body, or processes for the exchange of information to make life hard for cyber criminals," Lyne told IT PRO.

"I don't think we want an overarching body that owns the internet, but we all need to buy into the fact that this is an international problem and we all need to treat cyber criminals with similar policies, similar disdain and equal severity."

Global security frameworks can be effective. The US and others clearly want a global approach, yet no one has presented an innovative, workable solution to date.

It is up to Governments across the world to get moving on collaboration, otherwise businesses and citizens themselves could suffer unnecessarily.

Tom Brewster