
Jonathan Sage, IBM Governmental Programmes

In the document Where cyber-security is heading (pages 31-37)

Although cyber-risk is still a relatively new term, the volume of attacks has been rising and their sophistication is increasing. As critical information, related assets and devices are becoming more instrumented and interconnected, the damage and knock-on effects of a major cyber-attack can be felt not only in ICT, but can affect critical business and infrastructure operations.

As the world becomes more digitised, more instrumented and interconnected, the door to emerging threats and leaks has opened wider. Recent media attention has highlighted the proliferation of security breaches affecting enterprises across industries. These security failures have not only resulted in significant expense to the affected enterprises, but have damaged consumer trust and brand reputation.

Cyber-threats represent a real and significant danger to many countries, their citizens, businesses and overall economy. It is essential that we maintain confidence in services that are critical to economic well-being which sustain everyday life. IBM understands this is a serious issue and we are engaged in this dialogue with leaders in government and industry.

The core of enabling trusted infrastructure needs to be resilient in managing security issues.

There is no magic bullet to protect against cyber-risk – it is much more complex than that.

You need a range of measures: it goes from technical countermeasures with your network and the way you test and secure your applications, all the way to educating employees and thereby creating a culture of security awareness within your organisation.

This is true whether talking about traditional computing, cloud computing or the development of new computing models, or indeed a combination of those and other models to address issues around creating smarter cities and infrastructures. Cyber-security should focus on desired business outcomes: organisations need to take a balanced

open standards team within IBM Government Programmes. His role is to cover the EMEA geography reporting to the global leader in Washington. Prior to taking on this role, Jonathan was in the global IBM Strategic Change practice working predominantly in the Public Sector. He was also the IBM global leader for European Commission Research projects and framework programmes liaising between business units, the consulting group and the research labs.


need to follow the cycle of: learn, monitor, analyse, decide and respond. Today’s cyber-threats require a continual inspection and analysis of high volumes of dynamic data from sensors and other devices to gain accurate insights into possible threats and system compromise in real time. It is about enabling intelligence across an increasingly instrumented and connected landscape of technology and business.

Understanding pattern and behavioural analysis across diverse data streams from many channels is necessary to detect evasive attacks. Advanced situational awareness provides the context to enable decision-making and an appropriate response in circumstances where humans cannot keep up with the pace of the threat when under attack. Defences need to be able to fuse information from a variety of sources, including real-time observations and make them available within the right context. Such real-time analysis will have an impact on business processes that will need to be carefully thought through and automated in order to adapt and respond to the threat dynamically.

Any real-time analysis should also be supported by concerted and globally consistent action and by both the public and private sectors working in a coordinated way. There is no one single action, treaty, or piece of legislation that can be pursued to solve the problem.

Wherever possible, national-level responses should be internationally coordinated and globally consistent, especially as they relate to information technology attributes given our industry's global model, and especially given the global markets and resources that industry in general now relies upon. IBM is doing its part to help make progress via our own technical contributions and via participation in public-private initiatives such as Common Criteria, Trusted Technology Forum etc., and we stand ready to engage on national and international policy initiatives and dialogues, just as we are able to support operational initiatives via our comprehensive array of security capabilities.

Perhaps the biggest cyber-risk within an organisation lies in complacency. While you are never going to be able to have 100% security against the myriad of cyber-threats out there, what you can do is implement and enforce security excellence where employees and partners are aware of the risks and how to address them. Many organisations worry about how they can possibly keep pace with cyber-risks that are getting ever more sophisticated.

While there is no doubt that a systematic and proactive approach to addressing cyber-threats combined with technical controls is key, the human side should not be underestimated.

The culture needed must come from the top. More than ever, each member of the enterprise’s leadership owns a significant stake – and a powerful role – in securing the data and intellectual capital that flows through the organisation; whether it is the CMO evaluating the potential risk to the brand, the CFO understanding the financial implications of adverse events, or the COO assessing the impact of IT systems’ disruptions for ongoing operations.

So how does this relate to what is happening in Europe? The European Commission is rightly concerned with differing levels of cyber-preparedness across the EU – while some member states have state-of-the-art measures and response teams using public-private partnerships, others are still developing and planning capabilities to respond in the case of an attack. The same could well be true of public and private enterprises across the EU. The Commission is likely to aim at assuring a minimum level of preparedness across the EU, combined with general awareness-raising campaigns to achieve better consistency and pan-European coordination. Although it is still too early to judge, since the proposed regulation and other actions are not yet available for comment, the general direction is the right one.

SECURITY & DEFENCE AGENDA

Public-private cooperation in cyber-security


Evolving the public-private partnerships to address cyber challenges

Paul Nicholas, Senior Director, Microsoft Trustworthy Computing Initiative

Public-private partnerships are a well-established mechanism for addressing cyber-security challenges on the national level. Many countries have created public-private partnerships to address areas where governments see a distinct risk to cyber-security or public safety, or to enhance incident response, and the private sector owns and/or operates the underlying infrastructure or process. From an industry perspective, we have seen public-private partnerships deliver considerable progress in critical infrastructure protection, incident response, supply chain security, and information sharing about cyber-threats.

We are, however, facing an inflection point where these partnerships need to evolve to address new topics and broader, global challenges. The best illustration of this point is the emerging public discussion about cyber-security norms, or normative behavior for nation-states in cyberspace. Currently, the substantive deliberations about technical norms are limited to bilateral or multilateral discussions among governments and, to some extent, academics and think-tanks.

Not all government-to-government discussions require private sector participation at the level of a partnership because that requires shared obligation, as well as commitment and trust earned through prior experience. Cyber-security is suited to technical collaboration given the leading role that the private sector plays in the ownership and operation of the internet, and the critical importance of the internet to governments and its citizens. As governments and industry look towards a transition to a deeper partnership, one of the primary measures for success should be to what extent the private sector is integrated into the technical aspects of discussions emerging between governments on cyber-security norms.


Paul Nicholas is a Senior Director for Microsoft's Trustworthy Computing initiative and leads the Global Security Strategy and Diplomacy Team, which focuses on addressing complex challenges and shaping policies affecting cyber-security, critical infrastructure protection, and future security needs for a safer, more trusted internet. Paul currently serves on the World Economic Forum's Global Agenda Council on Internet Futures. He has helped establish two international non-profit organisations: one designed to improve software security and the other to advance incident response.

Prior to joining Microsoft in 2005, Nicholas spent over eight years in the US Government where he served as a White House Director for Cybersecurity, a Senior Policy Advisor in the US Senate, and an Assistant Director at the Government Accountability Office. He is also a Certified Information Systems Security Professional.


OP-ED


The challenge of fighting botnets is demonstrative of successful partnerships focused on global problems. To disrupt or ‘take down’ a botnet requires full participation by industry players across borders and across verticals (e.g. service providers, security vendors, etc.).

While initial botnet take-down efforts were spearheaded by industry as civil legal actions, this work has evolved into a strong area of public-private collaboration, where law enforcement agencies and other government stakeholders have clearly defined roles. For example, recent botnet take-downs – led by the private sector, with public sector support – have resulted in extraditions from Brazil, Russia, and other locations.

Another important opportunity for cross-border collaboration is the European Union’s efforts to reduce risk, improve response, and increase resiliency through supranational public-private partnerships. The commitment to build a European Public Private Partnership for Resiliency (EP3R) is no small undertaking. The long-term success of EP3R lies in the ability of its public and private partners to jointly agree on outcomes and work past specific national concerns to build regional capabilities that support EU desires to ensure resiliency of key infrastructures and operations when confronted by all manner of cyber-security hazards.

I would encourage policymakers to work towards public-private partnerships that help address technical cyber-security issues globally. There is no single model for meeting this challenge; it will most likely require a mix of new partnership initiatives, an alliance of existing partnerships that are focused on common goals, as well as the critical evaluation of how certain partnerships can be scaled-up to work at a global level. No matter what the way forward is, I am confident that policymakers will find willing partners in industry who are ready to leverage their experience and expertise in support of a more secure cyber-space.


International cooperation on cyber-security

Speakers:

Antoaneta Angelova-Krasteva, Head of Unit, Internet, Network and Information Security, European Commission

Troels Oerting, Assistant Director of Operations, EUROPOL

Chris M. Painter, Coordinator for Cyber Issues, US State Department

Jeffrey C. Snyder, Vice President, Cyber Programs, Raytheon

Heli Tiirmaa-Klaar, Cyber Security Policy Advisor, European External Action Service (EEAS)

Moderator:

Giles Merritt, Director of the Security & Defence Agenda


Report
