The number of countries bending the rules to allow spies and state authorities to conduct cyberattacks is escalating and constitutes a major security threat which should be addressed by an international convention, the security chief of a leading Chinese telecoms firm told EurActiv.
“I am more and more worried about seeing more and more countries beginning to say we want our local justice departments and police and intelligence to be able to go and hack other people’s machines around the world, and to spy on people,” said John Suffolk, global cybersecurity officer at Huawei.
Suffolk, formerly an advisor and chief information officer to the UK government, cited recent reports that Australia and the Netherlands are considering giving law enforcement bodies the authority to conduct cyber attacks if they believe they may be under threat.
Justifying attacks is dangerous
“But the more that people make that the norm you then move onto the next level which will see this escalating. The issue is not that countries are doing it [state-sponsored cyberattacks], it is that they are legitimising it, which means that the next thing is that they would accept something more,” Suffolk said in an interview with EurActiv.
“We have to have an international convention whereby there is a clear agreement not to do this. It needs a convention,” he said, adding: “There has to be a digital line in the sand between what is ethical and what is moral.”
The intervention by a security chief for a large Chinese company comes at a time of heightened tension between the US and China on the issue of cybersecurity.
A recent report by the US Department of Defence accused China's government and military of targeting US government computers as part of a cyberespionage campaign.
The report said that Chinese attacks aimed to scoop up intelligence on US diplomatic, economic and defence sectors which could benefit China's own military capabilities. It was the first time the Pentagon's annual report directly linked such attacks to the Beijing government.
China dismissed the report as "groundless", saying it was evidence of harmful "US distrust".
The New York Times reported last year that “the US is also rapidly developing capabilities to counter cyberattacks and to go on the offensive itself.”
The report said President Barack Obama was conscious that US-backed cyberattacks on Iran – codenamed ‘Olympic Games’ – were “pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade.”
Addressing the awkward US-China cyber relationship, Suffolk said: “It has become more exacerbated from a government-to-government basis, there is more public debate. I am a fan of diplomacy: quiet conversations in quiet rooms, solving issues. The moment things become political, that’s when the emotion comes in, rather than level-headedness.”
Most cybersecurity incidents are not reported or detected even though they can affect millions of citizens and businesses, according to ENISA, the security agency. Cyber attacks can lead to losses of millions of euros or even bankruptcy.
According to figures from the office of Internal Affairs Commissioner Cecilia Malmström, 95% of companies are "aware" of cyber attacks made to their business.
- 2013: Council and Parliament to consider Commission's proposed cybersecurity strategy
EU official documents
- European Commission: EU Cybersecurity Strategy
- New York Times: Obama ordered wave of cyber-attacks against Iran
- EurActiv Greece: Serious questions about "state" attacks in cyberspace