The idea that the promises of diplomats and statesmen will render cyberspace a safe place is a fantasy you can ill afford to entertain if you want to remain a going concern.
Many positive things have been said about the recent memorandum of understanding between China and the US, in particular the section dealing with cyber security. Just as much derision has been heaped upon it. From the perspective of the diplomats the agreement is a win because it gives us ammunition to use in the future. When another data breach or attack takes place and is attributed to China they can say “You are breaking your promise and what follows is on you.”
From the perspective of the nay-sayers the point is simple: because you cannot verify the actions – or inaction – of your adversary, they will always have deniability. Yes, you can shave most of these problems with Occam’s razor, but when you are talking about taking legal action that may deny someone their liberty, or in an extreme case strategic action, you kind of want to base your decision on something more than ‘it stands to reason.’
Talk is cheap. Actions speak louder than words. Clichés that could not be more apt when it comes to the issue of computer and information security. The US indicting five PLA officers for cyber-crimes is motion; actually arresting an American woman in China is action. One of the six aforementioned people knows what a prison cell looks like. Guess which country is showing it’s hard on (alleged) bad actors?
I’m like most people in that I would be happy if diplomacy led to concrete action, but until the online world is actually sunshine and lollipops it is important for everyone to remember that on a practical level, all this hand-shaking means nothing. You are still primarily responsible for your own cyber defense and no one is going to make you whole if you fail. Memorandum, treaty, or pinky-swear, attacks – state-sponsored/sanctioned or not – are not going to stop. IP theft isn’t going away. Data breaches will continue apace. We have no way of stopping bad things from happening online short of a global re-engineering effort that remakes the Internet and everything that rides on it securable and surveil-able.
That is never going to happen.
If what happened last week reminds you of another famous event in ironic diplomatic history, you’re not far off. Until people die in sufficient numbers due to a cyber-attack, do not expect radical or even incremental change because the foreseeable future of online security is still death-by-a-thousand-cuts . . . something I would point out the Chinese invented.