{"id":38645,"date":"2018-04-18T09:55:15","date_gmt":"2018-04-17T23:55:15","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=38645"},"modified":"2018-04-18T11:47:53","modified_gmt":"2018-04-18T01:47:53","slug":"naming-shaming-unshameable","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/","title":{"rendered":"Naming and shaming the unshameable"},"content":{"rendered":"<figure><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"380\" class=\"alignnone size-full wp-image-38646 aligncenter\" src=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg\" srcset=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg 500w, https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z-205x156.jpg 205w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/figure>\n<p>Imagine the scene: you run a large multinational company and you\u2019ve just had US$300\u00a0million stolen from your bank account. A few months down the track the government steps in and, to much fanfare, names the person who stole your money. And then does nothing else.<\/p>\n<p>Two months later you lose another large chunk of money. This time the government again identified the culprit\u2014a second thief who copied the first thief\u2019s behaviour. After letting everyone know the second thief\u2019s name, again you hear nothing. Another two months later and one of these two thieves is called out publicly again for planning a major attack on your company. For a third time there\u2019s no follow-up.<\/p>\n<p>Unfortunately, this situation is not too far from reality. Yesterday, Australia and its allies racked up <a href=\"https:\/\/www.smh.com.au\/politics\/federal\/turnbull-government-blames-russia-after-hack-targets-australian-organisations-20180417-p4za07.html\" target=\"_blank\" rel=\"noopener\">their third attribution<\/a> of a major cyber incident in four months. Russian state-sponsored actors were accused of \u2018using compromised routers to \u2026 potentially lay a foundation for future offensive operations\u2019. (The Australian Cyber Security Centre issued <a href=\"https:\/\/www.acsc.gov.au\/news\/routers-targeted.html\" target=\"_blank\" rel=\"noopener\">guidance in August 2017<\/a> about the vulnerability, but the united attribution to Russia came today.)<\/p>\n<p>In <a href=\"https:\/\/www.ncsc.gov.uk\/news\/joint-us-uk-statement-malicious-cyber-activity-carried-out-russian-government\" target=\"_blank\" rel=\"noopener\">their joint statement<\/a>, the UK and the US noted that \u2018the targets of this malicious cyber activity are primarily government and private-sector organisations, critical infrastructure providers, and the internet service providers (ISPs) supporting these sectors\u2019.<\/p>\n<p>This followed the public attribution in February that Russia was behind the NotPetya \u2018ransomware\u2019 incident and the announcement in December that North Korea was behind WannaCry. As my colleague Tom Uren <a href=\"https:\/\/www.aspistrategist.ru\/australias-offensive-cyber-capability\/\" target=\"_blank\" rel=\"noopener\">has noted<\/a>, the WannaCry worm spread worldwide and seriously affected many industries, notably the UK\u2019s National Health Service. NotPetya caused worldwide damage well in excess of US$1\u00a0billion and affected companies as diverse as Merck (US pharmaceuticals), Maersk (Danish shipping), Fedex (US logistics), Saint-Gobain (French construction) and Mondelez International (UK chocolate).<\/p>\n<p>So, these attacks are no small matter. But do we really expect to be able to change behaviour when we do nothing but name the perpetrators? And does naming and shaming work if the adversaries aren\u2019t actually shamed? If the only penalty for committing arson was being publicly named, arsonists would quickly come to expect that lighting fires involved no other cost. Some of them might even enjoy the infamy, making the naming potentially worse than doing nothing.<\/p>\n<p>If there are no costs associated with reckless behaviour in cyberspace, then the behaviour is unlikely to stop. These costs don\u2019t have to be imposed in the cyber domain. There are a range of other options, including diplomatic measures, economic sanctions and, at the extreme, military responses.<\/p>\n<p>But the West needs to get more of its ducks lined up if it\u2019s planning to continue down the attribution path. (Former US State Department Coordinator for Cyber Issues and White House Senior Director for Cybersecurity Policy, Chris Painter, has an ICPC policy brief coming out shortly on the need for consequences if deterrence in cyberspace is going to work.)<\/p>\n<p>Already there\u2019s considerable delay between the actual incidents and the attribution: WannaCry launched in May\u00a02017 and was attributed in December, for example. There can be multiple reasons for such delays that aren\u2019t necessarily linked to identifying the perpetrator (for example, lining up diplomatic support), but this lag is clearly suboptimal and needs to be reduced. But if we\u2019re already going to wait months before making attributions, then we might as well wait a little longer to agree retaliatory measures as well.<\/p>\n<p>The new \u2018<a href=\"https:\/\/assets.documentcloud.org\/documents\/4419681\/Command-Vision-for-USCYBERCOM-23-Mar-18.pdf\" target=\"_blank\" rel=\"noopener\">Command Vision<\/a>\u2019 from US Cyber Command sets out a much <a href=\"https:\/\/lawfareblog.com\/united-states-cyber-commands-new-vision-what-it-entails-and-why-it-matters\" target=\"_blank\" rel=\"noopener\">more assertive approach<\/a>. It builds on a key insight:<\/p>\n<blockquote><p>The spread of technology and communications has enabled new means of influence and coercion. Adversaries continuously operate against us below the threshold of armed conflict. In this \u2018new normal,\u2019 our adversaries are extending their influence without resorting to physical aggression. They provoke and intimidate our citizens and enterprises without fear of legal or military consequences. They understand the constraints under which the United States chooses to operate in cyberspace, including our traditionally high threshold for response to adversary activity. They use this insight to exploit our dependencies and vulnerabilities in cyberspace and use our systems, processes, and values against us to weaken our democratic institutions and gain economic, diplomatic, and military advantages.<\/p><\/blockquote>\n<p>Based on this insight, it notes that the US must \u2018defend forward as close as possible to the origin of adversary activity, and persistently contest malicious cyberspace actors to generate continuous tactical, operational, and strategic advantage\u2019.<\/p>\n<p>Unfortunately, as with many things associated with the Trump administration these days, key leadership on this issue has been lost. Yesterday, the White House confirmed that <a href=\"https:\/\/www.wired.com\/story\/rob-joyce-tom-bossert-white-house-cybersecurity-policy\/\" target=\"_blank\" rel=\"noopener\">cybersecurity coordinator Rob Joyce will be leaving<\/a> (returning to the National Security Agency). This comes a week after his boss, Tom Bossert, was forced out.<\/p>\n<p>In this fluid and evolving melange, Australia and its allies need to move to stage two of our response and start imposing <a href=\"https:\/\/www.aspistrategist.ru\/strategist-six-chris-painter\/\" target=\"_blank\" rel=\"noopener\">timely and credible costs<\/a>. Otherwise things will get worse.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Imagine the scene: you run a large multinational company and you\u2019ve just had US$300\u00a0million stolen from your bank account. A few months down the track the government steps in and, to much fanfare, names the &#8230;<\/p>\n","protected":false},"author":685,"featured_media":38646,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[2138],"class_list":["post-38645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cybersecurity"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Naming and shaming the unshameable | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Naming and shaming the unshameable | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Imagine the scene: you run a large multinational company and you\u2019ve just had US$300\u00a0million stolen from your bank account. A few months down the track the government steps in and, to much fanfare, names the ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2018-04-17T23:55:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-04-18T01:47:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"500\" \/>\n\t<meta property=\"og:image:height\" content=\"380\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fergus Hanson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fergus Hanson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI&#039;s analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg\",\"width\":500,\"height\":380},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/\",\"name\":\"Naming and shaming the unshameable | The Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#primaryimage\"},\"datePublished\":\"2018-04-17T23:55:15+00:00\",\"dateModified\":\"2018-04-18T01:47:53+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Naming and shaming the unshameable\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f\",\"name\":\"Fergus Hanson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g\",\"caption\":\"Fergus Hanson\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/fergus-hanson\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Naming and shaming the unshameable | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/","og_locale":"en_US","og_type":"article","og_title":"Naming and shaming the unshameable | The Strategist","og_description":"Imagine the scene: you run a large multinational company and you\u2019ve just had US$300\u00a0million stolen from your bank account. A few months down the track the government steps in and, to much fanfare, names the ...","og_url":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2018-04-17T23:55:15+00:00","article_modified_time":"2018-04-18T01:47:53+00:00","og_image":[{"width":500,"height":380,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg","type":"image\/jpeg"}],"author":"Fergus Hanson","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Fergus Hanson","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI&#039;s analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2018\/04\/3463941734_9f689edbde_z.jpg","width":500,"height":380},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/","url":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/","name":"Naming and shaming the unshameable | The Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#primaryimage"},"datePublished":"2018-04-17T23:55:15+00:00","dateModified":"2018-04-18T01:47:53+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/naming-shaming-unshameable\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Naming and shaming the unshameable"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/7eb1098c6aa7cd08e874d9b8dc1d376f","name":"Fergus Hanson","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fbd719c7258d6f0affed7dd4223f32eb?s=96&d=mm&r=g","caption":"Fergus Hanson"},"url":"https:\/\/www.aspistrategist.ru\/author\/fergus-hanson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/38645"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/685"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=38645"}],"version-history":[{"count":4,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/38645\/revisions"}],"predecessor-version":[{"id":38658,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/38645\/revisions\/38658"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/38646"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=38645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=38645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=38645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}