Where cyber-security is heading

An independent discussion paper on cyber-security

The views expressed in this discussion paper are the personal opinions of individuals and do not necessarily represent the views of the Security & Defence Agenda, its members or partners.

Reproduction of this report, in whole or in part, is permitted providing that full attribution is made to the author, the Security & Defence Agenda and to the source(s) in question, and provided that any reproduction, whether in full or in part, is not sold unless incorporated in other works.

About the paper

This paper is published as a part of the Security & Defence Agenda's (SDA) cyber-security initiative, launched in November 2011. It is intended to offer an overview of recent debates with high-level policymakers on topics such as improving global cyber-governance, public-private cooperation against cybercrime and protection of critical infrastructure, as well as opinion articles by key players to offer an in-depth analysis of the topic.

About the SDA

The SDA is Brussels’ only specialist security and defence think-tank. It is wholly independent and last year celebrated its 10th anniversary.

Cover Photograph: © Uninstallpcvirus.blogspot.be

A Security & Defence Agenda Discussion Paper

Publisher: Geert Cami

Project Managers: Pauline Massart and Andrea Ghianda

Project Assistant: Seán Smith

Photographs: © Flickr

Date of publication: January 2013

SECURITY & DEFENCE AGENDA 4 Rue de la Science, 1000 Brussels, Belgium

T: +32 (0)2 300 29 92 F: +32 (0)2 300 29 90 E: info@securitydefenceagenda.org W: www.securitydefenceagenda.org

Contents

Introduction

Section I: Defining cyber-security

Report of the policymakers’ debate, November 2011

The European cyber-security strategy
Neelie Kroes, Vice President & Commissioner for Digital Agenda, European Commission

The role of cyber in Smart Defence
Gabor Iklody, Assistant Secretary General for Emerging Security Challenges, North Atlantic Treaty Organisation (NATO)

A global vision of governance
Hamadoun Touré, Secretary-General, International Telecommunication Union (ITU)

Defining cyber-security
Lorenzo Fiori, Senior Vice President Strategy, Finmeccanica

Section II: Public-private cooperation on cyber-security

Report of the policymakers’ debate, January 2012

Working with the private sector on a global scale
Philip Victor, Director of Policy and international cooperation, International Multilateral Partnership Against Cyber Threats (IMPACT)

Defining cyber-risk
Jonathan Sage, Governmental Programmes Executive, IBM

Evolving the public private partnership model to address global challenges
Paul Nicholas, Senior Director, Microsoft Global Security Strategy & Diplomacy

Section III: International cooperation on cyber-security

Report of the policymakers’ debate, May 2012

Responsibility vs. Attribution
Jason Healey, Director, Cyber Statecraft initiative, Atlantic Council of the United States

Harmonising the cyber-legislation in Europe
Cecilia Malmström, Commissioner for Home Affairs, European Commission


A model for international cooperation
Noboru Nakatani, Executive Director, Global Complex of Innovation, International Criminal Police Organisation (INTERPOL)

Applying existing international legal tools to cyberspace: the Tallinn manual
Artur Suzik, Director and Liis Vihul, Legal Analyst, NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

Defence in depth: meeting the cyber-security threat to our critical infrastructure
Nicole Dean, Director of Cyber Programs, Raytheon

Cyber-insecurity: dealing effectively with the greatest threat to global economic development in the 21st Century
Steven Myers, Homeland Security Advisory Council Task Force on Cyber Skills, 2012

The double edge of connectivity and security in public and private sectors
Thomas Gann, Vice President of Government Relations, McAfee

Section IV: Cyber-protection of critical infrastructure

Report of the policymakers’ debate, January 2012

From fortress to resilience
Maurizio Martellini, Secretary General, Landau Network-Centro Volta; Sandro Bologna, President of the Italian Association of Critical Infrastructures Experts; Alessandro Fasani, Intern, Landau Network-Centro Volta

Securing European smart grids: ENISA’s recommendations
Evangelos Ouzounis, Head of Critical Information Infrastructure Programme (CIIP) and Resilience Unit, European Network and Information Security (ENISA)

Cyber-protection of critical infrastructures from the US perspective
Mark Weatherford, Deputy Undersecretary for cyber-security for the National Protection and Programs Directorate (NPPD), United States Department of Homeland Security (DHS)

Cyber-resilience: the next new topic in our annual report?
Annemarie Zielstra, Director, Centre for Protection of the National Infrastructure (CPNI.NL)

The discussion paper is part of the SDA’s cyber-security initiative, supported by:

Introduction

Giles Merritt

Director of the Security & Defence Agenda

This SDA discussion paper offers a snapshot of the first year of its successful cyber-initiative built around insightful debates and a cyber-study attracting worldwide media attention. It compiles the perspectives of policymakers, industry experts, and major stakeholders from around the world brought together to define what cyber-security is, identify the main threats at the public-private and international levels and examine which strategies offer the best likelihood of success, along with a series of short opinion articles written by keynote actors.

This paper sets the ground for the Initiative’s 2013 activities, which will start by examining the background to the European Commission’s proposed directive on a cyber-security strategy, and by analysing the thinking in national capitals and the private sector on the issues involved.

Defining cyber-security

Keynote speech by:

Cecilia Malmström, European Commissioner for Home Affairs

Speakers:

Robert G. Bell, Senior Civilian Representative of the Secretary of Defense in Europe & Defense Advisor of the US Ambassador to NATO

Maj. Gen. Isaac Ben-Israel, Senior Cyber-Security Advisor to the Prime Minister, Israel

Maj. Gen. Patrick Fermier, Director, NATO HQ C3 Staff

Paul MacGregor, Director, Finmeccanica Cyber Solutions

Troels Oerting, Assistant Director for Operations, Europol

Florian Walther, Senior IT-Security Consultant, Curesec

Moderator:

Giles Merritt, Director of the Security & Defence Agenda

Defining cyber-security

Report 9 November 2011

A Security & Defence Agenda Report

Rapporteur: Jonathan Dowdall

Photos: Philippe Molitor - Gleamlight

Publisher: Geert Cami

Date of publication: November 2011

At the inaugural launch of the SDA’s Cyber-security Initiative, a high-ranking panel and assembled experts gathered to discuss the core question of “defining cyber-security”.

In her keynote address, European Commissioner for Home Affairs Cecilia Malmström cautioned that denial about the scale of threats in cyberspace is naïve. “This is a battle we may not win”, she warned, with cyberspace being a domain in which “we need to act and need to protect as quickly as possible”.

The Commissioner went on to outline three key initiatives being undertaken by the EU in this area. Firstly, a European cybercrime centre will be set up by 2013. This will provide a central hub for all cybercrime actions undertaken by national authorities, computer emergency response teams (CERTs) and Europol, as “without information sharing, there are very few concrete actions we can take”.

Secondly, the Commission will develop an overarching cyberspace strategy by 2012, to help establish the hierarchy and chain of information sharing between all relevant actors. In this field, “currently, some are working better than others, it is a work in progress”, she explained.

Finally, the Commissioner affirmed that “we will not be able to do this unless we cooperate with other global partners”, with NATO and the Council of Europe highlighted as being of particular importance. Above all, Malmström called “on all governments and industry, to put this high on their agenda”, and to partake in what is a “highly timely, highly relevant, discussion and exchange of views.”

Senior Civilian Representative of the Secretary of Defense in Europe & Defense Advisor to the US Ambassador to NATO Robert Bell agreed that the scale of the threat goes far beyond typical defence and security policy. Citing recent high-level reports regarding the industrial espionage activity of Chinese and Russian hackers, Bell affirmed that “we have to be attuned to the economic dimensions of this – this could undercut our ability to enact policies… or even the economy and our ability to generate jobs.”

Urgent action is clearly essential in the face of this challenge. Yet whilst NATO has a role to play, it is only “taking a lead, not the lead, on identifying standards that strike a balance between security on the one hand and affordability on the other.”

Bell believes the future of cyber-security policy will be “an invitation for partnership. We are reaching out to countries around the world to build a consensus on the ideals of security, openness, transparency and innovation” in cyberspace. In this, “we have made progress”, he affirmed.

Bell’s final caution was about the creation of common standards. “It doesn’t do us any good if the 28 member states at NATO recommend certain standards, when the 27 EU nations gathered down the road recommend another”.

Next, Isaac Ben-Israel, Senior Cyber-Security Advisor to the Prime Minister of Israel, outlined a non-EU perspective. Ben-Israel explained how his government had prepared a list of 19 major infrastructures in need of urgent protection in cyberspace, with power and water high on the list. However, “we faced a legal problem”, he explained, “most of them were private sector infrastructures. We faced a dilemma: how do we encourage them to protect themselves from cyber-attacks?”

This private-public debate lies at the core of cyber-security, he affirmed. “We found that it is a multidimensional problem, not a technological problem. There are legal, political and societal aspects – it is very complicated.” Yet whilst complicated, it is also urgent. “We have a lot of attacks which are either criminal or hacking, but which are surely initiated by states – it is another form of warfare”, he hinted.

From the military perspective, Maj. Gen. Patrick Fermier, Director of the NATO HQ C3 Staff, provided some insight to what NATO is doing in the cyber domain. The General urged participants to be cautious in the face of such a vast and challenging area. “Defining cyber-security is difficult – I’m not even sure we can do that right now, given the scope of the problem. I think we need to be humble in front of this threat.”

He went on to explain how the North Atlantic Council had put the protection of NATO’s critical systems high on the agenda, calling on them to “draw up an action plan for the policy implementation, and accelerating the already existing capability to protect NATO networks.” For Fermier, the focus should be not just on preventing cyber-attacks, but also increasing resilience to their effects, as they will inevitably occur. “We need to be humble, and we need to develop this step by step”, he concluded.

Paul MacGregor, Director of Finmeccanica Cyber Solutions, explained the technological challenges from an industry perspective. “We’ve all been seduced by the promises of cost efficiency and speed in cyberspace – that seduction has become an addiction, leaving us vulnerable to a new range of threats.” Pointing out that cyber-attacks give an opponent the ability “to establish control over us using non-lethal power”, MacGregor felt that the rise of information technology had made “everywhere a battlefield”.

Yet despite this widespread threat, the industry representative urged a level-headed response. “There’s a tendency to say that threats are now un-attributable, or that it is impossible to stop attacks – it isn’t – in fact, 80% of vulnerabilities can be removed by simple technology, education and good practices.” Once you have taken out this majority, “the remaining 20% is part of the bigger problem – ideological or state sponsored cyber-attacks”, he explained. He was nonetheless confident a major leap forward in security could be facilitated by educating the public, and the purchase of basic cyber-security tools.

Tackling the issue of cybercrime, Troels Oerting, Assistant Director for Operations at Europol, confirmed that “the range of internet crime has reached huge levels – it now outpaces drug crime in scale.” Whilst the range of tools at criminals’ disposal has expanded to include more targeted and sophisticated methods, he did concede that not every act of cybercrime carries the same significance. “Not everything in cybercrime is big cybercrime – there are ‘Bicycle thefts’ on the internet – it is our job to identify what are big attacks, and what are smaller threats.”

However, getting this “big picture” will require more communication and awareness about cybercrime. “We do not have all the resources we need yet” he lamented, “so we welcome the EU initiative for a cybercrime centre”, as discussed by the Commissioner. Such a centre should help Europol and other actors begin to “map” cybercrime – to understand its networks and key players. “In this area we do not have the same knowledge as we do for conventional crime: we do not know if it is next door, or in Africa, or working by proxy”. Yet Oerting was confident that “this will be solved.”

Florian Walther, Senior IT-Security Consultant at Curesec, brought the debate round full circle to the question of defining cyber-security. Walther asked the provocative question to the panel: “Why do we see all this cybercrime and attacks going up and up? We have had laws against cybercrime and hacking for half a decade, but still, it continues.” Why, he asked, is our basic cyber-security going down, even whilst we simultaneously give more attention to this policy area?

Cutting through the high level policy, the former hacker provided a simple answer. “Every threat and exploit is based on a vulnerability in our software”, he explained. These vulnerabilities, propagated in cheap or poorly made software, “are the root cause” of our cyber-security problems. Walther thus put the fundamental questions of cyber-security at the door of the computer software industry. “If I sell a car and the brakes don’t work, we have to recall that car – I am liable. But in IT, we can roll out software that is full of bugs and vulnerabilities – and it is the public that pays the price.”

However, whilst many on the panel agreed this was a strong suggestion, Isaac Ben-Israel refuted the idea. “It sounds very convincing – the problem is all software; and all we need to do is legislate liability. But this is not really the problem,” he countered. Using the car analogy, he pointed out that “car manufacturers only hold liability for malfunction, but not for damage caused by someone attacking a car.” In Ben-Israel’s opinion, the adversarial nature of cyber-security makes liability allocation irrelevant – a thinking opponent will seek out gaps in a system using all their ingenuity. “You cannot hold someone liable for this”, he affirmed.

Walther responded that the issue was not the ingenuity of the attacker, but the gross ineptitude of the coding in software we expect to be secure. Referencing the infamous infection of nuclear centrifuges by the Stuxnet virus, he pointed out that these units had “lots and easy to exploit vulnerabilities” in their software.

The European cyber-security strategy

Neelie Kroes, Vice President, European Commission

First of all, what is cyber-security? There is no clear single definition. In the EU, we consider three key aspects: economy, market and growth; prevention and fighting against online crime; external dimension, respect of fundamental rights and defence. We are particularly sensitive to the relations between these three aspects and strive to reflect this in our policies and activities.

The digital environment and in particular the internet has become truly pervasive. Every day, the internet and the digital ecosystem boost productivity, drive innovation and stimulate growth and high-quality jobs. At the same time, threats are growing, as is the vulnerability of our networks. We cannot just wait for the worst to happen, since the cost of our inertia would be higher than the cost of taking action. Meanwhile, a lack of security could in turn undermine the trust of all those who use digital technologies and hence represents a cost in terms of lost opportunities for businesses and for social activities online.

The EU has a special role to play on the matter, given the relevance of cyber-security to several EU policy areas. The EU has undertaken activities to foster cooperation between the public and the private sectors. No one can do this alone as security is a joint responsibility.

The private sector, which owns or runs most of the networks and infrastructure, should cooperate with the public sector to adopt measures to prevent or react to disruptions. This close dialogue would help ensure that the private sector receives appropriate incentives.

To step up the EU's efforts in this field, I am now working closely with Home Affairs Commissioner Cecilia Malmström and with High Representative Catherine Ashton to develop a European Strategy for Cyber-Security. The strategy is to be launched in the coming weeks, and will bring forward specific actions to build a robust line of defence against cyber-disruptions.

Our policy will hinge on the need to improve the overall resilience of networks and information systems. The strategy will include actions to stimulate the competitiveness of the European ICT industry and stimulate user demand to provide security functionalities in ICT products and services. Horizon2020 will support its research and innovation goals.

Neelie Kroes is Vice President of the European Commission and European Digital Agenda Commissioner. Prior to her appointment in 2010, she served as the European Commissioner for Competition (2004-2009). Between 1991 and 2000 she was the President of Nyenrode University, Netherlands. During this period she also served on various company boards, including Lucent Technologies, Volvo, and P&O Nedlloyd. From 1982-1989 she served as Minister for Transport, Public Works and Telecommunication in the Netherlands.

I will ensure we increase our activities with key partners in multilateral fora in crucial areas such as: fighting botnets, the cyber-security of industrial control systems and smart grids, security standards, research and development, awareness raising and international cooperation.

Given the relevance of cyber-security to the internal market, I also plan to present a legislative proposal to ensure a high common level of cyber-security within the EU. This will seek to increase the security at national and EU levels by establishing appropriate mechanisms for cross-border and public-private cooperation, and information exchange.

We need to make sure that there are no weak links. We have been running a public consultation on improving network and information security in the EU that ended on 15 October 2012.

Overall, the new strategy will help Europe put its cyber-security house in order, and will thus strongly contribute to better placing the EU internationally. Since the EU and its member states should start addressing cyber-security at the highest political level, I see the strategy as a step in the right direction.

The European Parliament and relevant stakeholders across different sectors and countries have long called on the EU to adopt a strategic vision in this field. The support of public and private stakeholders and of individual citizens will be crucial in making the upcoming strategy a success in terms of effectiveness and achieving concrete results.

Original Source: CPA Practice Advisor

The role of cyber in smart defence

Gabor Iklody, Assistant Secretary General for Emerging Security Challenges, North Atlantic Treaty Organisation (NATO)

At their Chicago Summit in May 2012, national leaders agreed to embrace Smart Defence to ensure that the Alliance develops, acquires and maintains the capabilities required for NATO Forces 2020. In practice this means that NATO needs a new way of thinking about generating modern defence capabilities for the coming decade and beyond. In other words, we need a renewed culture of cooperation that encourages allies to undertake the essential core tasks agreed in the new NATO strategic concept. That means pooling and sharing capabilities, setting priorities and coordinating efforts more effectively. The current budgetary environment, which is unlikely to improve soon, underlines the need to find these multinational solutions.

Threats from cyberspace have over the past few years increased tremendously in their frequency and sophistication, with attacks regularly targeting NATO and the allies’ communication tools. This threatens national and Euro-Atlantic security and represents a strategic evolution which compels NATO to strengthen its cyber-defences. It also entails modernising our definition of collective defence, making cyber-defence a core capability.

When looking at how to apply the concept of Smart Defence with regard to cyber-defence, the situation is different from other, more conventional capability areas. In conventional capability development, the purpose is to develop and have access to existing capabilities at a lower cost, more efficiently and with less risk. On matters related to cyber-defence, allies must first and foremost develop capabilities needed for in-depth cyber-defence. To put it bluntly, to respond effectively we need allies to invest more in cyber-defence.

This means the allies need to develop national policies on cyber-defence and related legislation, and establish cyber-defence structures coherent with NATO. They must also implement a centralised computer incident response capability and create a comprehensive cyber-defence awareness and education programme. Last, but certainly not least, they should deal more seriously with supply chain risk management requirements in the acquisition process.

Ambassador Gábor Iklódy is NATO’s Assistant Secretary General for Emerging Security Challenges. He is the Secretary General’s primary advisor on emerging security challenges and their potential implications for the security of the Alliance, as well as a member of the Secretary General’s senior management team.

The Division, which he directs and manages, aims to provide a coordinated approach by the Alliance to the challenges of the 21st Century. These include terrorism, the proliferation of Weapons of Mass Destruction, cyber-threats, as well as energy security challenges, including those posed by environmental changes.

NATO should play a central role in ensuring that this happens in a coordinated fashion and that the Alliance as a whole develops cyber-defence capabilities, so as to achieve its NATO Forces 2020 goals. The NATO defence planning process should serve as a major vehicle to further develop the Alliance’s ability to prevent, detect, defend against and recover from cyber-attacks.

Specifically, NATO can assist in the design, implementation and verification of interoperable national cyber-defence capabilities. This could include helping allies develop their national cyber capabilities, but it could also promote specialisation ‘by design’ in such areas as forensics analysis or the establishment of Rapid Response Teams (RRT), where multinational capabilities could also be developed.

The challenges NATO faces in the cyber-domain are unlike any of those from the past.

When it comes to Smart Defence, NATO can act as an intermediary and help nations to establish what they can do together more efficiently. On cyber-defence, this primarily means that NATO can help ensure a coherent approach and establish mechanisms that could bring a surge capacity to bear during a crisis.

Original Photo Source: WordPress.com

Defining cyber-security and cyber-resilience

Hamadoun Touré, Secretary-General, International Telecommunication Union

In this second decade of the 21st century, we live in a hyper-connected world with well over six billion mobile cellular subscriptions, and close to two and a half billion people using the internet. This global connectivity allows us to leverage the power of technology – especially mobile technologies – to make the world a better place. But it also brings with it new vulnerabilities and threats in cyberspace which offer real challenges to peace and stability.

With information and communication technologies (ICTs) increasingly used to control and monitor critical infrastructures, and nations becoming ever more dependent on them, cybercrime has the potential to become much more dangerous and more targeted than in the past. Last year saw more targeted attacks, more politically and financially motivated attacks, and more data breaches and attacks on certificate authorities than ever before.

We are also seeing a worrying proliferation of so-called cyber weapons – with Stuxnet in 2010, Duqu last year and now Flame. Malware and cyber weapons have shown how the power of ICT networks acts as a lure to terrorism and espionage, shaping a new concept of war. Cyber-war is launched in cyberspace using ICTs, but can quickly spread beyond the virtual world, affecting governments, businesses and individuals.

We need to start thinking seriously about the potential global negative impact that this may have on international security, and to put aside any political or other differences that might jeopardise the process of achieving cyber-peace.

Hamadoun I. Touré has been Secretary-General of the International Telecommunication Union (ITU) since January 2007, winning re-election for a second four-year term in October 2010.

As Secretary-General, Touré is committed to the ITU’s mission of connecting the world, and to helping achieve the Millennium Development Goals through harnessing the unique potential of Information and Communication Technologies (ICTs).

A long-standing champion of ICTs as a driver of social and economic development, Touré previously served as Director of ITU’s Telecommunication Development Bureau from 1998-2006. In this role he placed considerable emphasis on implementing the outcomes of the World Summit on the Information Society, launching projects based on partnerships with international organisations, governments, the private sector and civil society.

The need for cyber-resilience

To ensure cyber-peace, we need cyber-resilience. We at the ITU are proud of the work accomplished under the banner of our Global Cyber-security Agenda, the GCA, which comprises five pillars, acting together as key measures in helping to achieve cyber-resilience, and foster cyber-peace and cyber-security.

The five pillars are:

1. Legal measures – which are essential as a deterrent and in ensuring appropriate responses to cybercrime;

2. Technical and procedural measures – which use technology itself to help increase cyber-resilience;

3. Organisational structures – which need to be in place to maximise cooperation and partnership between all stakeholders;

4. Capacity building – which is of course essential in ensuring that people know and understand the technology they are using;

5. International cooperation.

As a result of the work already done within the framework of the GCA, we now need to look further at broadband access, protection of fundamental rights, state involvement and international cooperation. If the digital divide is to be successfully bridged, universal, equitable and affordable broadband access must clearly be a priority for all states.

When taking measures to ensure the stability and security of cyberspace, as well as to fight cybercrime and counter online threats, states also need to respect cyber-freedom and the fundamental rights of users. This is a complex and sometimes controversial area, with a vigorous debate over the need to ensure security on the one hand, and to protect privacy and users’ rights on the other. These two goals are not mutually exclusive: security is essential in guaranteeing rights such as privacy and freedom of expression.

It is important to be aware of the potential risks and dangers associated with cyber-attacks, and to recognise that critical infrastructures are now becoming common targets, whose destruction or damage could seriously compromise security and the safety of states, as well as human life. In the real world, just as in the virtual world, any state involvement must nevertheless take into account the existing provisions related to the respect of human rights, state territorial integrity and sovereignty.

To achieve cyber-resilience – and therefore ensure cyber-peace and cyber-security – greater international cooperation will be required. Cyberspace is global, and so building cyber-resilience and ensuring cyber-peace will require global efforts – ideally in the form of an international framework which takes into account the needs and wishes of all stakeholders. States should be encouraged to share best practices and experiences and to transfer technologies which are able to strengthen confidence in cyberspace.

Working towards a cyber-resilient future

Cyber-security and cybercrime affect every country, every business, and each and every individual online. As we push forward the UN agenda for peace and safety, we must remember that cyber-peace and cyber-security are very much part of this in the 21st century.

As leader of the ITU, I am working to encourage the remaining nations which have not yet come on board to join the 144 countries which are already a part of the ITU-IMPACT initiative – the first truly global multi-stakeholder and public–private alliance against cyber-threats. I am also working to encourage the private sector to come on board with ITU-IMPACT, along with intergovernmental agencies and non-governmental bodies.

We must work together to set international policies and standards, and to build cyber-resilience through an international framework of norms and principles for cyber-security and cyber-peace. We must also listen to all the stakeholders to build a better future for all the world’s people – a cyber-resilient future, where cyber-peace and cyber-security replace cyber-threats and cybercrime.


Original Photo Source: Top Rank, Online Marketing Blog


Defining cyber-security

Lorenzo Fiori, Senior Vice President and Chief Technology Officer, Finmeccanica

Protecting the cyber-domain has in the last few years become a global priority. Entry points to cyberspace are everywhere, and the cyber-dependence of other sectors is high and growing. It is this pervasiveness that makes its protection so challenging.

Why are cyber-threats different? Consider two simple facts:

A cyber weapon can be ‘assembled’ by almost anybody, anywhere.

The nature of the cyber-domain makes the detection of the threat very difficult and permits an extremely rapid diffusion of malware.

In other words, the cyber threat is not confined in space and time and the counter-reaction is extremely challenging. Therefore, cyber-security and cyber-warfare (broadly referred to as ‘cyber-defence’) may require the development of unconventional concepts and taking a different approach compared to ‘traditional’ doctrines.

The sophistication of cyber-attackers and the resources they may have can make it impossible to guarantee 100% security. There is no such thing as an impenetrable network unless it can operate without any access point from the outside. Behind most APTs (Advanced Persistent Threats) lie the organisation and the financial resources of state actors. These attackers can deploy large numbers of programmers dedicated to cracking very specific targets and can engineer their intrusion according to modalities that make them barely detectable.

In these cases what matters most is the resilience of the system and the capability to respond to the attack. Resilience is the ability to operate in the face of persistent attacks, preventing network and information systems from collapsing. This involves the identification of the key assets that support the mission and the implementation of those actions that allow for the protection of assets, thereby sustaining their ability to operate under stress and recover from disruptive attacks.

Since July 2010, Fiori has been Senior Vice President and Chief Technology Officer at the Finmeccanica Group.

From 1996 until 2007, he carried out assignments of increasing responsibility, ranging from design and development to quality assurance, marketing and sales, in addition to operations and programme management for radar and electro-optics products and capabilities.

He was previously Proposal Director and successively Programme Director of the Eurofirst Consortium selected for the design, development and production of the PIRATE – an infrared search and track sensor – for the Eurofighter aircraft.

With mutable and rapidly deployable threats, the key to successful cyber-defence is comprehensive information sharing on the threats themselves and on their potential sources. Information sharing is an extensive concept. It not only includes data on malware, but also the assessment of potential vulnerabilities. In other words, it covers elements like data intelligence and exploitation, threat assessment, vulnerability and risk related assessment (methodology included), and technology.

To be effective, information sharing requires trust and cooperation among the stakeholders. This implies:

Transparency across institutions and industry on intrusions and threat evolution;

A coordinated approach to malware detection;

The establishment of a minimum set of standards for cyber-resilience;

Transnational interoperability between Security Operation Centres of critical national infrastructure;

Improvement of the procedures for risk analysis & risk assessment;

A common approach to the simulation/experimentation and development of common cyber battle-lab environments to test cyber-resilience and procedures;

A coordinated approach in security intelligence collection and understanding the implicit relationships within data coming from different sources.

Stakeholders’ trust and cooperation may be better achieved within a formal framework and Public Private Partnerships may prove to be the most suitable instrument to align the interest of different actors, leveraging the peculiar strengths of both the private sector and public institutions.


Original Photo Source: ansonalex.com


Public-private cooperation on cyber-security

Speakers:

Gábor Iklódy, Assistant Secretary General for Emerging Security Challenges, North Atlantic Treaty Organisation (NATO)

Neelie Kroes, Vice President of the European Commission and responsible for the Digital Agenda

Craig Mundie, Chief Research & Strategy Officer, Microsoft

Harry van Dorenmalen, Chairman, IBM Europe

Moderator:

Giles Merritt, Director of the Security & Defence Agenda

Public-private cooperation in cyber-security

Report 30 January 2012


A Security & Defence Agenda Report
Rapporteur: Jonathan Dowdall
Photos: Philippe Molitor - Gleamlight
Publisher: Geert Cami

Date of publication: February 2012

SDA Director Giles Merritt opened up this high-level policymakers’ debate with some tough questions about cyber-security: “What costs are involved, who will bear them? How do we balance between public and private? How do we try and create an international fabric of responsibility?”

Such tough questions defy easy answers, but all of the assembled experts from industry, governments, the EU and NATO agreed on one basic principle. As Vice President of the European Commission responsible for the Digital Agenda Europe Neelie Kroes stated, “we need to exchange good practices, before we run out of time.”

Indeed, time is running out, agreed Assistant Secretary General (ASG) for Emerging Security Challenges at NATO, Amb. Gábor Iklódy. He argued that the character of the cyber challenge requires new thinking about defence and security. “We should concentrate a lot more on prevention and resilience, the good old concepts of defence and deterrence do not work,” he opined.

NATO looks at challenges coming from cyberspace from a defence perspective. But it needs to accept that cyber is different from traditional domains, like land, air, sea and space. One key difference stems from the problem of attribution, whereby the perpetrators often remain anonymous. NATO’s traditional deterrence power (i.e. deterrence by retaliation) does not really work here. Nonetheless, the problem of attribution is not absolute. In a cooperative international environment, through strong public-private partnership and building on the advances in technology we can cope with the problem.


Cyberspace is a global phenomenon, where there are no boundaries and no distances in time. Cyberspace does not belong to governments, the vast majority of cyber assets are in the hands of private and commercial actors. They are also the ones who can come up with technology solutions. Establishing close collaboration between them is a shared interest, which governments should promote.

Speaking from exactly that position, Chief Research and Strategy Officer at Microsoft Craig Mundie, spoke of some radical “home-truths” of the new cyber-threat environment. “What defence agencies in the US and NATO are coming to understand is that the speed of a cyber-attack, and the scale, is a force of magnitude faster and larger in effect than any classical mode of conflict.”

Faced with this unprecedented pace of attack, Mundie was unequivocal. “Active defence is going to have to occur without people in the loop… we need to think about the design of computers to which we will entrust active counter-measures, without awaiting further authorisation from people.”

This “will require a level of trust in computer systems people will not be very comfortable with,” he added, but that is the price we must pay to catch up with the breakneck speed of ICT.

Mundie also railed against out-dated intellectual and legal concepts that hold back a robust response to cyber-threats. “We have trans-sovereign threats which we have retro-fitted to laws framed in terms of sovereign boundaries,” he lamented. Such laws “need updating to be effective.”

Harry van Dorenmalen, Chairman of IBM Europe, pointed out that time is not all we are out of – we are also out of money. “We all know we don’t have enough money to fix these problems in today’s climate, so we have to find smart and intelligent solutions,” he explained.

To the industry representative, such solutions should focus pragmatically on best practices across Europe. “We really need to look at countries and companies that have solutions, that show leadership, and learn from them.”


To facilitate this, van Dorenmalen recalled an initiative launched in The Netherlands, where a multi-sectoral cyber-security council was formed to help share points of view. “The interesting thing is, that coming from the private sector, I hear things I have not heard before,” the representative remarked.

In a frank speech, van Dorenmalen demanded that we ask ourselves some fundamental questions when looking for effective solutions — even if they are abroad. “Is this working in the UK, or the Netherlands? If yes, we should take this and use it widely,” he opined. Above all, “we need a plan, an approach — there is no more time.”

But does Europe have a plan? Vice President Kroes believes it does, when outlining her priorities in this important policy area. “I want public and private stakeholders to exchange information on attacks and incidents,” because “the credibility of cyber-security in Europe relies on the delivery of reports.”

The Commissioner outlined how the EU was also stepping up collaboration with global partners, including a conference to be held this September with the US Department of Homeland Security. Such cooperation means that “we can deal with attacks, even when they are across borders”, she explained.

To support such efforts, the Commissioner avowed that the EU could be willing to contribute research funding and expertise to drive innovation. “We will give industry the opportunity to test new security technology in real life scenarios, including demonstrations.”

To back this up, the Commissioner re-affirmed the EU’s commitment to a robust budget in these areas. “We must invest in security technologies and innovation” at “all sectors, all levels – we need to safeguard the security of the citizen.”

Such strong assertions are all well and good, but with the dangerous realities of the ongoing financial crisis, just how high should cyber-security really be on a European state’s list of budgetary priorities?

This point was taken up by the SDA’s Senior Manager, Pauline Massart, who pointed out that 63% of experts surveyed in the recent SDA cyber-security report believed cyber-security budgets should be protected from further cuts. “Are we in fact investing enough?”

Iklódy agreed that the different member states of NATO were coming to some widely diverging conclusions in this area. “The problem is the cyber landscape is extremely varied — some [allies] are advanced, with considerable capabilities, considerable preparedness — there are others where this is not the case.”

Nonetheless, the ASG affirmed that NATO had the tools and mechanisms to help level out this disparity. “We are trying to integrate cyber-defence into the NATO defence planning process. This is a fantastic instrument to encourage increased spending.”

Van Dorenmalen took a different track, and instead focused on optimising the resources already allocated to this area. As well as increasing efficiencies, the IBM representative also raised a controversial idea — that it may be time to start disconnecting certain networks, rather than making more.

“It is amazing sometimes how many bodies, entities and people are connected — but some bring value, and some do not. Don’t waste time and money,” he warned.

Reinhard Priebe, Director for Internal Security at the Commission’s DG Home Affairs, also agreed that coordinating what is already spent is a viable solution. The EU hopes to help with this, through the establishment of new agencies to support member state efforts. The European Cybercrime Centre, to be established in the coming years, is a classic example of this effort.

“Our approach is not so much to legislate, it is to exchange best practices, while bearing in mind that within the 27 club, some are more advanced,” he explained. However, the official was clear that the EU would not take the lead. “There is a big community of people dealing with this at many different levels… we expect many answers from elsewhere.”

However, some fundamentally challenged the premise that cyber-security needs to be prioritised so highly. Former UK Deputy Permanent Representative to NATO Paul Flaherty suggested a “very unpalatable” idea — that existing structures of physical deterrence will largely shield us from the worst a cyber-adversary would dare unleash.

Much like the overwhelming US military response to unconventional terrorist attacks after 9/11, Flaherty proposed that a large scale cyber-attack would risk an unbearable physical response. As few would be foolhardy enough to accept the weight of that response, perhaps cyber-security is not such an overwhelming priority?

However, Microsoft’s Craig Mundie disagreed with this inherently reactive policy. “You’d have to wait for an attack to run its course first”, before you could respond, with all the potential damage that would entail. “That’s not ideal”, he noted bluntly.

Speaking from the experience of a nation that has had to “pick up the pieces” of a large-scale cyber-attack, Senior Advisor of the Estonian Undersecretary of Defence, Heli Tiirmaa-Klaar, weighed in. In the aftermath of the 2007 distributed denial of service attack in Estonia, she claimed that one thing had become clear — “you must define what is absolutely critical” before you invest money into counter-measures. For her, this involves a survey of energy, transport, finance and other sectoral infrastructures, to identify which is fundamental to the operation of the state.

Once identified, only targeted investment will work. “Identify what is critical, and then what services that critical infrastructure relies on to function.” Once you have found these underlying elements in need of reinforcement, “put your money there, to really deal with your cyber-vulnerabilities.”

Yet such processes take time. Given the imperative of time expressed by all who spoke during this evening’s discussion, it is clear that the cyber-security clock is ticking.


Working with the private sector on a global scale

Philip Victor, Director of Policy & International Cooperation at the International Multilateral Partnership Against Cyber Threats (IMPACT)

We work in and depend on a networked world. The internet is highly complex and this dynamic and sophisticated threat environment places cyber-security beyond the reach of any single entity. Organisations must collaborate with governments as well as industry players to address cyber-security challenges, especially when it comes to critical infrastructure.

Studies and white papers have proven over the years that many government and private industry organisations have made considerable investments in public-private partnerships.

Now it is up to ITU-IMPACT to explain that more can be done to expand these public-private partnerships within the countries’ National Infrastructure Protection Plans.

Expansion can vary from risk and incident management to information sharing and privacy policies, international cooperation, capacity building, research, and awareness programmes.

Risk management: Government and industry could utilise existing international standards and work through consensus-building bodies such as ITU-IMPACT to develop and strengthen international standards for cyber-security. Government and industry need to recognise that their risk management perspectives stem from different roles and responsibilities.


As Director of Policy & International Cooperation at the International Multilateral Partnership Against Cyber Threats (IMPACT), Philip Victor oversees the development of IMPACT’s relationships between partners in the industry, international organisations, academia and governments. He is also responsible for the Centre for Training & Skills Development, designing and delivering training courses to cyber-security professionals and practitioners worldwide.

Prior to joining IMPACT, Victor led training and outreach courses for a national cyber-security agency. He headed national cyber-security programmes focused on increasing awareness for all internet users. Victor also spearheaded national capacity-building programmes and successfully reduced the ratio of cyber-security professionals to internet users. Through these initiatives, he also increased the number of cyber-security professionals in Critical National Information Infrastructure Protection-related organisations.

He has over 19 years in the field of Information Technology and 10 years in cyber-security related industries.


Incident management: Governments could fully establish industry’s seat in the integrated response centre and begin evaluation processes to ensure growth and visibility of the private sector. Industry could ensure a long-term plan to fill the watch centre seats, and participants could report lessons learned from collaborative exercises as soon as possible so that improvement measures are undertaken in a timely manner.

Information sharing and privacy policies: Government and industry could clearly articulate information needs and effectively promote information sharing to address those needs; information sharing for cyber-security purposes should be transparent and should comply with fair principles of practice. Government could therefore consider how it can share more classified and sensitive information, particularly the pieces of information that would help the private sector defend its systems. International cooperation enables government to create a platform, on which the various stakeholders such as international organisations or industries could come together and collaborate, thereby reinforcing the knowledge and tools that will ensure a safer, more secure cyberspace.

This platform could also contribute to the formulation of new policies and the harmonisation of national laws around a variety of issues relating to cyber-threats, including cybercrimes. The public-private partnership should be used to create an authentic national cyber-security research and development plan with prioritised, national-level objectives and a detailed road map that specifies the respective roles of each partner. The implementation road map could be regularly reviewed and adjusted accordingly at a pre-determined time by the stakeholders involved.

The cyber-security vulnerabilities in critical infrastructure pose risks to national security, public safety and economic prosperity. It is essential to coordinate national initiatives focused on cyber-security awareness, education, training, and professional development.

Countries should be encouraged to spread and share cyber-security competence throughout the nations and build an agile and highly skilled workforce capable of responding to a dynamic and rapidly developing array of threats. The public-private partnership could incorporate policies and relevant programmes to enhance cyber-security public awareness and education, which would increase the number of science and technology students graduating each year and in turn, boost the number of cyber-professionals available to both government and business.

ITU-IMPACT’s global partnership now embraces over 200 industry, academia and international organisations coming together to enhance the global community’s capability and capacity to combat cyber-threats. As the cyber-security executing arm of ITU, IMPACT is entrusted with the task of providing cyber-security support and services to ITU’s member states and other organisations within the UN system.

With 144 countries now part of the ITU-IMPACT coalition, ITU-IMPACT is one of the largest cyber-security organisations in the world and has been an important platform bridging public and private sectors within its partner countries in handling cyber-security matters.

With the increasing complexities of cyber-attacks and the continuously evolving threat landscape, it is imperative that any endeavour towards mitigating those risks be continuously supported.


ITU-IMPACT enacts private-public partnership in carrying out initiatives and activities in various areas of cyber-security – assisting partner countries including the least developed and developing countries to have affordable access to state-of-the-art cyber-defence strategies and programmes such as capacity building programmes, CIRT (Computer Incident Response Team) readiness assessments, CIRT implementation, vulnerability assessments, deployment of scholarships, cyber drills, academic partnerships – with purposely designed goals: to improve awareness, enhance workforce structures, and ensure workforce development in cyber-security. We at ITU-IMPACT are always open to work with global counterparts who share our vision of enhancing formal cyber-security programmes.

Through shared ideas and concepts these partnerships will stimulate the development of innovative new cyber-security programmes.


Original Photo Source: WordPress.com


Defining cyber-risk

Jonathan Sage, IBM Governmental Programmes

Although cyber-risk is still a relatively new term, the volume of attacks has been rising and their sophistication is increasing. As critical information, related assets and devices are becoming more instrumented and interconnected, the damage and knock-on effects of a major cyber-attack can be felt not only in ICT, but can affect critical business and infrastructure operations.

As the world becomes more digitised, more instrumented and interconnected, the door to emerging threats and leaks has opened wider. Recent media attention has highlighted the proliferation of security breaches affecting enterprises across industries. These security failures have not only resulted in significant expense to the affected enterprises, but have damaged consumer trust and brand reputation.

Cyber-threats represent a real and significant danger to many countries, their citizens, businesses and overall economy. It is essential that we maintain confidence in services that are critical to economic well-being which sustain everyday life. IBM understands this is a serious issue and we are engaged in this dialogue with leaders in government and industry.

The core of enabling trusted infrastructure needs to be resilient in managing security issues. There is no magic bullet to protect against cyber-risk – it is much more complex than that. You need a range of measures: it goes from technical countermeasures with your network and the way you test and secure your applications, all the way to educating employees and thereby creating a culture of security awareness within your organisation.

This is true whether talking about traditional computing, cloud computing or the development of new computing models, or indeed a combination of those and other models to address issues around creating smarter cities and infrastructures. Cyber-security should focus on desired business outcomes: organisations need to take a balanced approach to protecting their assets by weighing up the risks against the costs of taking mitigating actions.

Cyber-security is more than any one individual step, it is a continuous process where you need to follow the cycle of: learn, monitor, analyse, decide and respond. Today’s cyber-threats require a continual inspection and analysis of high volumes of dynamic data from sensors and other devices to gain accurate insights into possible threats and system compromise in real time. It is about enabling intelligence across an increasingly instrumented and connected landscape of technology and business.

Jonathan Sage is a member of the global intellectual property and open standards team within IBM Government Programmes. His role is to cover the EMEA geography reporting to the global leader in Washington. Prior to taking on this role, Jonathan was in the global IBM Strategic Change practice working predominantly in the Public Sector. He was also the IBM global leader for European Commission Research projects and framework programmes liaising between business units, the consulting group and the research labs.

Understanding pattern and behavioural analysis across diverse data streams from many channels is necessary to detect evasive attacks. Advanced situational awareness provides the context to enable decision-making and an appropriate response in circumstances where humans cannot keep up with the pace of the threat when under attack. Defences need to be able to fuse information from a variety of sources, including real-time observations and make them available within the right context. Such real-time analysis will have an impact on business processes that will need to be carefully thought through and automated in order to adapt and respond to the threat dynamically.

Any real-time analysis should also be supported by concerted and globally consistent action and by both the public and private sectors working in a coordinated way. There is no one single action, treaty, or piece of legislation that can be pursued to solve the problem.

Wherever possible, national-level responses should be internationally coordinated and globally consistent, especially as they relate to information technology attributes given our industry's global model, and especially given the global markets and resources that industry in general now relies upon. IBM is doing its part to help make progress via our own technical contributions and via participation in public-private initiatives such as Common Criteria, Trusted Technology Forum etc., and we stand ready to engage on national and international policy initiatives and dialogues, just as we are able to support operational initiatives via our comprehensive array of security capabilities.

Perhaps the biggest cyber-risk within an organisation lies in complacency. While you are never going to be able to have 100% security against the myriad of cyber-threats out there, what you can do is implement and enforce security excellence where employees and partners are aware of the risks and how to address them. Many organisations worry about how they can possibly keep pace with cyber-risks that are getting ever more sophisticated.

While there is no doubt that a systematic and proactive approach to addressing cyber-threats combined with technical controls is key, the human side should not be underestimated.

The culture needed must come from the top. More than ever, each member of the enterprise’s leadership owns a significant stake – and a powerful role – in securing the data and intellectual capital that flows through the organisation; whether it is the CMO evaluating the potential risk to the brand, the CFO understanding the financial implications of adverse events, or the COO assessing the impact of IT systems’ disruptions for ongoing operations.

So how does this relate to what is happening in Europe? The European Commission is rightly concerned with differing levels of cyber-preparedness across the EU – while some member states have state-of-the-art measures and response teams using public-private partnerships, others are still developing and planning capabilities to respond in the case of
