Balance is not the first word that comes into one’s mind when thinking about cybersecurity. To most of us, we tend to focus on threat actors such as state-sponsored hackers and advanced persistent threat groups or the types of an attack such as ransomware and malicious code.
However, to an expert who has dedicated more than 25 years in the cyber domain, balance is the essence of cybersecurity. To make cyberspace safe, each country has to find the right balance between protecting data and releasing information.
◇ Hiding is not an answer
“You can share, or you can hide,” said Cormac Callanan, the cybersecurity coordinator for the Enhancing Security Cooperation In and With Asia, or ESIWA, to The Readable. “Hiding doesn’t help you.”
On December 15, The Readable met with the cybersecurity coordinator of ESIWA, who was visiting country to participate in the Hongneung Defense Forum’s special session for South Korea and the European Union. ESIWA is a project co-funded by the EU which aims to cooperate in four areas, including cybersecurity with six partner countries in Asia: South Korea, Japan, India, Vietnam, Singapore, and Indonesia.
The expert explained that in the past, countries tried to hide the fact that their governments suffered from cyberattacks, regarding it as a weakness. Nowadays, it is not only difficult to conceal the attacks since the actors publicly announce their activities online, but the decision to hide could itself hinder the preemptive measures that other countries could take to defend themselves from the same attacks.
Callanan strongly asserted that cooperation is “not even a discussion” in cybersecurity. “The criminals are very organized. They are located all across the world communicating with each other and planning bad things,” stressed the cybersecurity coordinator. “Let’s get the good guys sitting around the different places in the world planning good things, like catching them and stopping them.”
This means that countries have to work together to defend themselves from threat actors and at the same time make the criminals to take responsibility for their actions. The expert compared the situation to a tenant having a water leak in his room. “You expect them to do something. Knock on the door and say please stop it,” Callanan said.
◇ The dilemma of protecting and sharing information
Releasing information to others could lead to critical problems especially when it is linked with someone’s personal data. The expert explained the complex nature between these two aspects by sharing a case from his home country of Ireland.
“We have cases at the moment in Ireland where a person was convicted based on mobile phone data for the crime of murder, and the person claimed that the data shouldn’t have been kept in the first place because the state wasn’t allowed to have that information,” said the cybersecurity coordinator.
“That brings out the ultimate complexity of how you balance rights of privacy against being murdered by somebody.”
As in the words of the expert, finding the right balance is not like selecting a single definite answer on a test where there are only two options to choose from. In reality, it goes beyond that because there are multiple factors that need to be dealt with. In some cases, it could be a decision between life and death.
Nobody knows the right answer, but the important part is knowing that there could be disagreements and trying to reach a common understanding. “Balancing is really difficult. It is not easy to say what is the right amount,” said the expert. “We can tell you what each country in Europe has done, but it is an activity for your country to decide what is right for you.”
◇ Technology is not always a solution
Only with such efforts, could there be a safe cyberspace where people pay their taxes every day and surf online without worrying about security. This also means that children could be protected from criminal activities which take place online.
In the early 2000’s, Callanan worked on preventing child abuse in cyberspace. He was also the president of the International Association of Internet Hotlines, dealing with illegal child abuse material on the internet.
Contrary to some of the common belief in the information technology industry, problems are not “always solved by technology,” stated the expert, speaking from his experience.
He explained one case in the United Kingdom where a child was abused by a stranger. The expert asserted that this is not a story about the badness of the criminal’s behavior. Although the victim’s father, who was a computer scientist, put in place numerous security controls on the family’s home network, he did not do one of the most basic things which was “talking to his child about who and why the child was meeting certain people.”
“Technology on its own is not the solution, and even technology companies on their own are not the solutions,” asserted Callanan. “You still have to do the parenting part of that whole process, which is communication.”