
Cyber-security: The vexed question of global rules
An independent report on cyber-preparedness around the world
With the support of
A Security & Defence Agenda report
Author: Brigid Grauman
Publisher: Geert Cami
Date of publication: February 2012
The views expressed in this report are the personal opinions of
individuals and do not necessarily represent the views of the
Security & Defence Agenda, its members or partners.
Reproduction of this report, in whole or in part, is permitted providing that
full attribution is made to the author, the Security & Defence Agenda and
to the source(s) in question, and provided that any such reproduction,
whether in full or in part, is not sold unless incorporated in other works.
About the report
This report is published as part of the Security & Defence Agenda's
(SDA) cyber-security initiative. It is intended as a snapshot of current
thinking around the world on the policy issues still to be resolved, and
will form the basis of SDA debates and future research during 2012.
About the SDA
The SDA is Brussels' only specialist security and defence think-tank. It is
wholly independent and this year celebrates its 10th anniversary.
About the author
Brigid Grauman is an independent Brussels-based journalist whose work
appears widely in international media like the Financial Times and The
Wall Street Journal. She's currently engaged on a number of projects
for institutions, including the European Commission.
Report advisory board
Jeff Moss, Vice-president and Chief Security Officer at ICANN and
founder of the Black Hat and DEF CON computer hacker conferences
Reinhard Priebe, Director for Internal Security, Directorate General
for Home Affairs, European Commission
Andrea Servida, Deputy Head of the Internet, Network and Information
Security Unit, Information Society and Media Directorate General,
European Commission
Jamie Shea, Deputy Assistant Secretary General for Emerging Security
Challenges at NATO
Brooks Tigner, Editor and Chief Policy Analyst at Security Europe
My thanks to all those who contributed to this report, both those I have
quoted and those I have not. Special thanks to Melissa Hathaway and
Jamie Shea for their helpful comments on my draft text, to McAfee's
Dave Marcus, Phyllis Schneck and Sal Viveros, and to the SDA's Pauline
Massart and Igor Garcia-Tapia.
Contents
Introduction
Recommendations
PART ONE
Section I. Clearing the booby traps from the cyber-security minefield
  Terminology: Cyber-war and cyber-attack have many meanings. It's time to settle on just one
  Moving into uncharted waters: Cyber-crime pays because it's profitable, low-risk and anonymous
  Trust is a most elusive notion: The internet was built on trust, and that's why it's so vulnerable
Section II. Tracking the cyber-revolution: New threats and changing ethics
  Cracking Duqu: The virus admired by experts
  Should we be talking of a new ethos?
  Smart phones pose security challenges
  Cloud computing: The challenges of separating network from content
Section III. Cyber-defence strategies: The hottest debates and conditions for success
  Developing an offensive stance, Cyber-crime and punishment, Protecting an
  increasingly integrated global system, How safe are SCADA systems?, Net neutrality,
  Towards international rules, Building a more solid architecture, Tackling weakest-
  link countries, Securing the supply chain, Increasing awareness of the scale of the
  problem, Taking a holistic approach, Promoting dialogue between techies and
  decision-makers, Defining the role of governments, Governments must take greater
  care when taking advice, Information-sharing at an international level, Thinking
  differently about cyber-security, Reducing secrecy, Harmonising codes and laws,
  citizen awareness, Defining pre-emptive cyber-attacks
Section IV. The quest for rules and regulations to govern cyber-space
  Cyber norms and common security standards
  The difficulties of going global
  Adapting existing rules
  The lack of international mechanisms
  The "impossible dream" of a global treaty
  A realistic alternative to a peace treaty: Cyber-confidence measures
  The bodies competing to govern cyber-space
  Internet governance
  Standardisation
  Law enforcement
  Information-sharing
Section V. Breaking down the walls between the cyber-communities
  The generation divide
  Improving trust between industry stakeholders
  Overcoming the barriers between rivals
  Are cyber-crime and cyber-security one and the same?
  Steps towards global sharing
Section VI. The private sector's privacy dilemma
  Why the private sector would be better advised to share information
  Making regulations that make sense for everyone
  The blame game: From software companies to service providers, who should be responsible for what?
Section VII. Bearing the costs of cyber-insecurity
  The insurance sector wakes up
Section VIII. Private citizens: issues of freedom and protection
  Internet responsibility: From private users to corporate giants
  The cyber-security skills gap
PART TWO
Section I. A worldwide brainstorming of experts
  Key attitudes
Section II. Country-by-country stress tests
  Australia
  Austria
  Brazil
  Canada
  China
  Denmark
  Estonia
  The European Union
  Finland
  France
  Germany
  India
  Israel
  Italy
  Japan
  Mexico
  NATO
  The Netherlands
  Poland
  Romania
  Russia
  Spain
  Sweden
  United Kingdom
  United Nations
  United States of America
Section III. Indices and glossaries
  Cyber sources - contributors to this report
  Glossary of organisations
  Glossary of companies
About the Security & Defence Agenda
Part One
Introduction
This report is made up of a survey of some 250 leading authorities
worldwide and of interviews carried out in late 2011 and early 2012 with
over 80 cyber-security experts in government, companies, international
organisations and academia. It offers a global snapshot of current thinking
about the cyber-threat and the measures that should be taken to defend
against it, and assesses the way ahead. It is aimed at the influential
layperson, and deliberately avoids specialised language.
For the moment, the bad guys have the upper hand - whether they are
attacking systems for industrial or political espionage reasons, or simply
to steal money - because the lack of international agreements allows them
to operate swiftly and mostly with impunity. Protecting data and systems
against cyber-attack has so far been about dousing the flames, although
recently the focus has been shifting towards more assertive self-protection.
The preparation of this report has been greatly helped by Robert Lentz's
framework for measuring levels of cyber-security in governments and
private companies. Lentz is President and CEO of Cyber Security Strategies,
and has 34 years' experience working for the U.S. government. His Cyber
Security Maturity Model explains the five stages towards resilience against
cyber-attack, through conventional threat to advanced persistent threat,
and was used as the measurement tool for our country-by-country stress
test in the second part of the report.
Even if everyone accepts the need for standards, rules, laws, codes of
conduct and maybe even a global treaty to protect cyber-space against
cyber-crime, not everyone agrees on how to get there. The debate is also
about who should make the rules, and to what extent dominance by the
military is a good or a bad thing. The fact that cyber-space knows no
borders implies that cyber-security is only as good as its weakest link,
and that something must be done about unregulated countries that can
offer a haven for cyber-criminals.
The first part of this two-part report concentrates on the main issues that
are slowing progress, starting with the absence of agreement on what we
mean by terms like cyber-war or cyber-attack. It reflects sharp divisions
over the rights of individuals and states in cyber-space. Most Western
countries believe that freedom of access to the internet is a basic human
right, and that he or she also has a right to privacy and security that should
be protected by laws. UNESCO argues that the right to assemble in cyber-
space comes under Article 19 of the Declaration of Human Rights.
At the other end of the spectrum are those countries, like Russia and
China, that favour a global treaty but nevertheless believe that access
to the internet should be limited if it threatens regime stability, and that
information can also be seen as a cyber-threat. For these countries, any
state has the right to control content within its sovereign internet space.
Linked to the rights and responsibilities of states is the thorny issue of
attribution. There are those countries that say that attribution to a specific
attacker is impossible, and that the focus has to be defence from attacks.
Others argue that attribution is possible, but requires international
cooperation, sharing of information and assistance from local authorities.
Some states believe that cooperation is a threat to their sovereignty;
others say they can't be held responsible for the activities of individuals
or private companies. And a number apparently fear openness because
they don't want to see restrictions on their political or military objectives.
Some clear themes emerge from the report, and they are issues that
need fairly urgent resolution. Among these is how and to what degree
should a more proactive, some would say more bellicose, stance be
developed both in the military and private arenas; the need for much
greater international cooperation; introducing a more solid security
architecture to the internet; and establishing cyber-confidence building
measures as an easier alternative to any global treaty, or at least as a
gap-filler until a treaty is agreed.
The second part of this report consists of 21 country stress tests, complemented
by findings from the global survey the SDA conducted in the autumn
of 2011 among 250 top cyber-security specialists in 35 countries. They
included government ministers, staff at international organisations,
leading academics, think-tankers and IT specialists, and their views
diverged widely on how to improve international cooperation in cyber-
space, which over half of them now consider a global common like the
sea or space.
Everyone agrees that cyber-security presents a global rather than a national
challenge. But how global should our attempts at a solution be? It would
be my hope and that of the SDA that this report will help show where
global thinking on cyber-security currently stands, and how to improve it.
The following recommendations are a step in that direction. They are not
directed at specific bodies or institutions, but are intended as a checklist
for achieving international solutions to global regulatory questions.
Brigid Grauman, February, 2012
Recommendations
1. Build trust between industry and government stakeholders by
setting up bodies to share information and best practices, like
the Common Assurance Maturity Model (CAMM) and the Cloud
Security Alliance (CSA).
2. Increase public awareness of how individuals can protect their own
internet data, and promote cyber-security education and training.
3. New problems and opportunities created by smart phones and
cloud computing must be examined. Cloud computing needs an
appropriate architecture to achieve optimum security levels.
4. Prioritise information protection, knowing that no one size fits all.
The three key goals that need to be achieved are confidentiality,
integration and availability in different doses according to the
situation.
5. Consider establishing cyber-confidence building measures as an
alternative to a global treaty, or at least as a stopgap measure,
knowing that many countries view a treaty as unverifiable,
unenforceable and impractical.
6. Improve communication between the various communities, from
policy-makers to technological experts to business leaders both at
national and international levels.
7. Enhance attribution capabilities by investing in new technologies,
and establishing rules and standards.
8. Follow the Dutch model of a third party cyber-exchange for
improved private-public partnership on internet security.
9. Despite the many practical hurdles in the way of transparency,
both for private companies and for governments, find ways of
establishing assurance or trust through the use of security
mechanisms and processes.
10. Move the ball forward and encourage integration of cyber into
existing processes and structures. Make sure cyber considerations
and investment are present at every level.
PART ONE
Section I. Clearing the booby traps from the cyber-security minefield
There is little agreement between experts and national
authorities on terminology, and without that the prospects for
regulating cyber-space are poor
A central feature of the cyber revolution is that no one agrees on the
terminology. There's the language of the military and the language of the
geeks, and a wide variety of interpretations in between. The place to start
any global discussion on cyber-security is therefore to agree common
definitions, but so far this hasn't happened.
And yet if we are to set up safety rules in this vast ocean of good and bad,
of global inter-connectivity that opens the doors equally to educational
opportunity and to global crime, we have to agree on what we are talking
about. Do we want to take the more military stance of the US, or do we want
a consensus in which all stakeholders participate?
Experts compare the need for rules and regulations to those of the road. In
the early days of the motor car, the few drivers who took to the road learned
as they went along. Nowadays, we snap on our seatbelts almost by instinct.
The rules of the road make for safer cars, safer drivers, safer pedestrians.
Some argue that the approach to the internet should be similar.
Terminology: Cyber-war and cyber-attacks have many meanings.
It's time to settle on just one
The three distinct activities in cyber-space are cyber-espionage, cyber-crime
and cyber-war, each with its own motivations and goals. Cyber-war is the
most contentious. Former US cyber-security tsar Richard Clarke describes
in his book Cyber War an American Armageddon of aircraft dropping from
the sky and crashing subways. Although not everyone shares this chilling
vision of the future, many talk of cyber as a "weapon of mass disruption".
Stewart Baker is clear about what he means by cyber-war. The Steptoe &
Johnson partner and former Assistant Secretary of Homeland Security under
President George W. Bush says: "The people who pooh-pooh cyber-war do
so mainly by saying that no war takes place in cyber-space only. That's like
saying air wars only took place in the air, when air warfare is always part of
a larger battle."
According to Baker, in a 21st-century war cyber-weapons might be the
first deployed, alone or with other weapons. "It's not unlike air power," he
says. "Cyber-weapons allow you to do a bunch of things that leave it a little
ambiguous as to whether or not this is a state of war. Are no-fly zones an act
of war? Even if it was only moderately effective, the attack against Georgia
in 2008 was a cyber-war."
Isaac Ben-Israel, cyber-security adviser to Israeli Prime Minister Benjamin
Netanyahu, puts it succinctly. He talks of the specifics that make a cyber-war.
"A cyber-war can inflict the same type of damage as a conventional war.
If you want to hit a country severely you hit its power and water supplies.
Cyber technology can do this without shooting a single bullet."
If you want to hit a country severely you hit its power and water
supplies. Cyber technology can do this without shooting a single
bullet.
Isaac Ben-Israel
Others think we haven't yet seen a cyber-war. Mohd Noor Amin is Chairman
of the Malaysia-based NGO Impact (International Multilateral Partnership
Against Cyber Threats). He puts it differently: "I believe that what happened
in Georgia in 2008 was a conventional war with offensive cyber elements.
Our view is that we haven't yet seen a pure and significant cyber-war."
Tim Scully, CEO of stratsec and Head of Cyber-Security at BAE Systems
Australia, introduces a nuance, and that is to use words prudently so as not
to turn cyber-space into a potential battlefield. "The over-use of the terms
cyber-war and warfare tends to push the cyber-security problem into the
government and defence spheres, thereby potentially ignoring the impact
of the cyber-threat on the private sector and creating an imbalance in
government funding. I try to avoid the use of the words cyber-war or warfare
as they can lead to the militarisation of cyber-space."
"Let's think in terms of what we already know to get our minds around it,"
says James Lewis, Director of the Technology and Public Policy programme
at the Center for Strategic and International Studies (CSIS) in Washington
DC. "It's time to locate thinking about cyber conflict into the framework of
existing international law and strategy. The attack against Estonia was not
an attack and didn't trigger NATO's Article 5*. It was not a military action."
* Article 5 of NATO's Washington Treaty calls on its member states to collectively defend any NATO
nation that is attacked.
Moving into uncharted waters: Cyber-crime pays because it's
profitable, low-risk and anonymous
Unlike the nuclear threat and others before it, the cyber-threat was upon
us with little warning and had a very short gestation period. According to
McAfee, every year sees one million new viruses, from worms to logic bombs,
and that figure is climbing. The threats come from sources ranging from the
criminal (online fraud now dwarfs all other forms of fraud), other states,
usually for reasons of espionage, across to politically motivated hacktivists
and terrorists who use it mostly for recruitment purposes.
Three factors make cyber-crime so tantalising for criminals. Costin Raiu, an
anti-virus expert at the Russian security company Kaspersky Lab, says it's a
"three-headed hydra". The first is that it's profitable. The second is that it's
low-risk. The third and most important is that it's anonymous. Attribution is
one of cyber-crime's trickiest problems.
I try to avoid the use of the words cyber war or warfare as they can
lead to the militarisation of cyber-space.
Tim Scully
"The core problem is that the cyber-criminal has greater agility, large
funding streams and no legal boundaries to sharing information, and can
thus choreograph well-orchestrated attacks into systems," says Phyllis
Schneck, Chief Technology Officer for Public Sector at McAfee. "The good
guys have to attend meetings and publish reports to enable even minimal
data sharing to track their opponent. Until we can pool our data and equip
our people and machines with intelligence, we are playing chess with only
half the pieces."
Now that cyber-space means borders no longer mean anything, countries
have to work together as does everyone who claims a stake in it. And that
means decision-makers and intelligence services down to the citizen at
home on his or her computer or smart phone.
With cyber-attacks, the number of targets is almost limitless. It took some 20
to 30 years after the advent of the nuclear age to put arms control systems in
place. We can probably expect the setting up of an international system of
cyber-rules and regulations to take time too.
"We're moving into new territory," says Alastair MacWillson, Global
Managing Director of Accenture's global security practice. "The dynamics
of cyber is moving so fast: its intent, its uses and the pace of change. There
are many business models. No one has really got their mind around what all
this really means and what we should do about it."
Hype is inevitable with any attack involving trillions of currency losses,
although the figure is often pure extrapolation. How do you evaluate the loss
of a source code? Or the theft of intellectual property? What are we actually
defending? What do we need to protect?
Lars Nicander, who heads the Centre for Asymmetric Threat Studies at the
Swedish National Defence College, believes the main threat is penetration
of poorly protected systems. "Stuxnet," he says, referring to the computer
worm that in 2010 damaged the centrifuges at the Natanz nuclear plant
in Iran, "was more about intelligence gathering. That's what we should
be worrying about: qualified terrorists getting access to badly protected
information systems. Although you need to be a state actor to do something
really difficult."
"In some cases, who cares who did it?" says Canadian expert and practitioner
Rafal Rohozinski. "We need to arrive at a more graded definition of cyber-
attacks. Now we have this universal way of talking about them, which doesn't
allow for different definitions of culpability. Sometimes we just want to know
what jurisdiction to hold responsible."
Trust is a most elusive notion: The internet was built on trust,
and that's why it's so vulnerable
As Israeli security adviser Isaac Ben-Israel says, the most vulnerable
target for cyber-attacks is a country's critical infrastructures: power, water,
telecommunications, transport, hospitals, banks. In most countries, these assets
are in private hands, so the challenge now is to develop a strong enough
private-public partnership to secure these systems, and to convince people to
make that investment. Anticipation is often seen as a waste of money.
The internet was famously built on trust, with few safeguards to protect it.
Early-day hackers attacked systems for the challenge they posed. Now it's
about making money and stealing intellectual property and military and
industrial secrets. But trust is still very much the operative word.
Some people call it "assurance". What are the safeguards we need to put up to
make sure we can trust the systems we use daily? Should software companies
be held liable for their products? Should internet service providers? How can
we make sure the components in the entire IT chain are trustworthy? Does
cloud computing give rise to insoluble issues of jurisdiction? Should we be
creating international agreements to establish who takes responsibility for
sovereign cyber-space? Good brains around the world are thinking about
these issues. Not everyone shares the same views, but most know that the
internet is here to stay and that it's a global not a national issue.
Section II. Tracking the cyber-revolution: New threats and changing ethics
Time for a change of mindset
How dangerous is the cyber-threat? Are we more vulnerable now,
or are we developing promising new defensive technologies?
The near-unanimous perception is that we are more vulnerable than before.
The number of systems coming on line is growing exponentially, and our
reliance on technologies increases daily. Last year, internet pioneer Vint Cerf
famously suggested that we do a massive reboot and start all over again in
a more regulated environment, but most people think that's pie-in-the-sky.
"Are we becoming part of a totally unregulated data revolution?" asks UK
information and security lecturer Christopher Richardson. Richardson
doesn't think the picture is as dramatic as some people paint. "There's a big
degree of hype. We don't know what's really happening." He suggests that
we are given a skewed idea of how many incidents really occur, both in the
public and private sectors because of secrecy concerns. He notes how few
of the many students he teaches every year have so far been attacked.
"You have this perception from the papers that everything is growing
worse and worse," says Olivier Caleff, Senior Security Consultant at the
consultancy Devoteam, "but it's not very different from what we had before.
More people are connected, more people are trying to get around security
systems, more people are involved in security, we have more tools to detect
issues. We have more of everything, including knowledge."
Whatever the hype, the rise in cyber-crime is inevitably going to see more
rules, laws and limitations on how people can use the internet. What 40
years ago was a gentlemen's group of users is now a lucrative and low-
effort playing-field for cyber-criminals. "The internet allows anyone to send
anything anywhere and it will likely get there," says Phyllis Schneck of
McAfee. "We must destroy the profit element by improving our control over
the routing, delivery and execution of malicious instructions, and block the
threat. Swimming pools have chemical filters. Networks and computers need
intelligence filters to prevent enemy instructions from finding their target."
Swimming pools have chemical filters. Networks and computers need
intelligence filters.
Phyllis Schneck
Another problem is that the introduction of new technologies brings
unforeseen causes and effects. When researchers defined the protocol
behind the email system, they didn't consider spam was a threat because
it cost too much to send an email. "But technology evolved and spam took
over because of a weakness in the original protocol," says leading Danish
expert Christian Wernberg-Tougaard. "That's been one of the catches of
the IT industry for a number of years. We need to consider carefully how to
implement new technology."
Wernberg-Tougaard recommends that the "better minds" in the public and
private sectors get together with researchers to discuss the impact of today's
technology on tomorrow's world.
For men like Richard Crowell, professor at the US Naval War College
in Newport, Rhode Island, we need to think cool-headedly about the new
domain the cyber-threat represents to understand the new risks. "We're at
the same point we were in the inter-war years," he says. "The (WWI) battle
of Gallipoli was a big failure for the Allies and it taught us never to do
amphibious warfare again. We had to successfully learn to move from one
domain to another, from sea to land. That's what the thinking was all about at
service colleges in the 1930s and 40s. And we've reached that stage again."
"We're thinking increasingly about boundaries and protecting our own
information better," says Crowell. But he concedes that after 30 years in the
Navy through the Cold War, he has a mindset that is radically different from
his sons'. "My sons' idea of access to information is much more open than
mine. I think young people need to think more about what they post on the
internet, and my generation needs to think more openly."
Cracking Duqu, the virus admired by experts
At the time of writing in early 2012, the mother of all Trojans is called Duqu.
That is until the next one turns up. For many people like Costin Raiu,
global director for Research and Analysis at the Russian security company
Kaspersky Lab, this was by far the most exciting attack of his career.
For several months, Kaspersky Lab and security software company Symantec
have been studying Duqu to try to understand how the virus operated
undetected for four years. "Understanding it will allow us to design the data
security technologies of the future," says Raiu.
Young people need to think more about what they post on the
internet, and my generation needs to think more openly.
Richard Crowell
What has Duqu taught Raiu?
Among other things, that the Duqu and Stuxnet worms were invented by
the same software company, and that they struck far and wide, infiltrating
computers in France, the UK, Taiwan, Germany, South Africa, and
elsewhere. "We suspect," says Raiu, "that Stuxnet's focused attack on the
nuclear centrifuges in Iran was done thanks to information previously stolen
by Duqu."
Raiu greatly admires the skills involved. "Duqu used exciting technologies
in brand new ways. Most Trojans steal information and send it on. With
Duqu, every action is split into so many components that you can't tell this
is a malicious attack. When you bring the components together, then it
obviously is."
For Kaspersky and other anti-virus labs, the challenge now is to create
protection against similar technologies: taken apart, they seem innocent,
but put together they are very dangerous.
THE CYBER-SECURITY VENDOR'S VIEW
David Marcus is Director of Advanced Research and
Threat Intelligence at McAfee Labs, and writes his own
blog. He's not so much interested in what's next after Duqu
as curious as to its long-term potential repercussions. "The
unique thing about Duqu is that it potentially targeted
certificate authorities, and used stolen and forged
certificates to create rogues that became whitelisted
drivers. How is this potential in the attack going to evolve?" he asks.
McAfee's work, he says, gives him a vendor-specific way of looking at the
universe. It's all about protecting customers' data and assets and ensuring safe
communications, and about preventing bad things from happening.
From his perspective, cyber-spies and cyber-criminals are in many ways much
the same. They may use exactly the same tools and techniques. Sometimes,
the same attack can have both cyber-crime and cyber-espionage goals. Often,
they differ only in how they intend to use the stolen data or IP.
Although Marcus recognises that smart phones and cloud computing raise
issues of sovereignty, responsibility and ownership, he says they don't
represent a truly new threat. They are evolutionary rather than revolutionary.
It's the same types of threat thrown at an evolving technology. The problem is
nobody is going to want to own responsibility for the data because it's spread
out geographically.
A self-styled connectivity libertarian, he says he struggles every day with the
question of defining success conditions for good global cyber-security. "I'm a
fan of self-policy," he says, "but I realise the limitations of business and users
regulating themselves." In the meantime, he can't see any country that has got
its cyber-security act under control. "We are a collection of weak-link countries,"
he says.
One major problem is that too many companies, enterprises and governments
are busy figuring out technology from a year and a half ago. Technology
develops before business gets a handle on it. He isn't convinced government
has the right perspective because most politicians and elected officials have
such a limited understanding of technology, often due to their age. "They are
not techies," he says. They have no idea how quickly technology changes, how
volatile it is. At least the younger generation has an implicit understanding of
how fast information changes hands, the nature of changing data.

Should we be talking of a new ethos?
Everyone agrees that galloping changes in cyber-space don't mean the system has reached maturity. 'An immense set of changes is on the way,' says CSIS expert James Lewis, 'and that includes how to play out the extension of sovereignty, changes in governance and perhaps even reconsider our kind of freewheeling approach to the internet.'
Laws and international agreements are key, says Sweden's Lars Nicander. 'To take one example, when Estonia turned to Russia for legal assistance during the 2007 cyber-attacks, Russia declined to help because they hadn't signed an agreement to protect critical infrastructure. We have to expand governance systems.'
For John Meakin, Chief Security Information Officer at oil giant BP, 'there is no question that from where I am sitting at BP the advent of new technologies is causing us to change our security model. The old model of internet security basically said, "It's secure because we own it." Whereas now the challenge is how do we keep it secure when we don't own the internet? We may own the data but we don't own the internet. When we don't own the data's container, what happens? That's really it in a nutshell in terms of changing ethos.'
The new thinking in the IT security community is that new firewalls, new encryption algorithms and so forth, are not enough to make people feel safe. 'So far in Europe, America and Asia, we've been focussing on the mechanisms required to protect the new internet environment,' says Jesus Luna, who leads a security research group at the Technical University of Darmstadt in Germany, 'but we've started to realise that we also need assurance about those mechanisms.'
Assurance is about establishing metrics and measurements to generate trust in protective mechanisms. 'For instance, you pay your ISP (internet service provider) for its services, but how can you be sure that the ISP's security mechanisms are protecting you against malware or any other cyber-threat? How can you be sure they are providing the right assurance levels?' Luna asks.
Among other such groups, the Common Assurance Maturity Model (CAMM), and the Cloud Security Alliance (CSA), that count Google and McAfee among its members, are working on technology and techniques that give this assurance. CAMM offers guidance on how much to invest in security by using metrics, or the 'economics of security'. Says Luna: 'We the academics have been developing the security metrics that will give this assurance.'
Smart phones pose security challenges
Developments like smart phones and cloud computing mean we are seeing a whole new set of problems linked to inter-connectivity and sovereignty that require new regulations and new thinking. Experts talk of the internet of things and services, and things are smart phones, androids (mobile operating systems), tablets and sensors, and services including the cloud.
'The mobile internet is changing things,' says Canadian expert Rafal Rohozinski. 'The next two billion users will be connecting from mobile devices, and many of those devices are in developing countries. The sheer numbers are likely to have social impacts like flash mobs. A lot more politics is migrating to cyber-space, with parallel calls to regulate cyber-space. The governance of the internet as a whole is reinvesting states with the authority to regulate cyber-space.'
The issue is also about security and privacy. A smart city - one with sensors on traffic lights, sensors in cars, electric smart grids, patients wearing sensors - raises many new problems. 'What is personal information and how are we going to protect the data in these devices? Are these devices really giving us the right security and privacy levels?' Luna asks.
'We're talking again about assurance,' says Luna. 'We need a lot more legislation. We need to push companies to enforce data protection mechanisms that protect the privacy of citizens. The EU is doing quite good work on this. This is going to take some time but the early steps are being taken.'
Cloud computing: The challenges of separating network from content
As for cloud computing, outsourcing the filing of data has been around for 40 years. What's new is the geographical spread of this storage. The National Institute of Standards and Technology (NIST) provides the standard definition for cloud computing: a rapid, on-demand network access to a shared pool of computing resources. These are not in the stratosphere, they are basically hangars full of servers.
Outsourcing means considerable cost savings, and many companies are now using it for computation and data storage. Bandwidths are now large enough to transfer large amounts of data to data storage facilities. Amazon, eBay, Google, Facebook and all the big names are outsourcing computation to cloud.
'Cloud computing means separating the network from content in ways that didn't exist before,' says Rohozinski. 'The laws we have governing copyright and territorial security get skewed.' Among other issues raised by cloud computing is the cost of processing power and connectivity and the whole issue of net neutrality. But Luna warns that these new storage facilities give rise to problems of security and jurisdiction. 'Who are you going to sue if there's a problem?'
Google, for instance, keeps one third of its cloud in Canada. 'Is that information subject to US or Canadian law?' asks Rohozinski. Cloud computing creates new questions for the lawyers. 'What does it mean from a liability point of view? How does one handle different data retention and privacy laws? What happens when data shifts location? Who determines the final resting place of jurisdiction?'
Section III. Cyber-defence strategies: The hottest debates and conditions for success
What are now the hottest debates in cyber-space defence strategies? Twenty themes emerged from the interviews conducted for this report.
1. Developing an offensive stance
Several countries are formulating plans to respond more aggressively to cyber-attacks, and are making investments in this direction. The UK's new cyber-strategy released in late 2011 brings up the notion of self-defence. This more bellicose stance applies both in the military and private arenas.
William Beer, Director of Information and Cyber-security Practice at PwC, refers to the UK's White Paper of September 2011 that suggests companies should be more vocal and use legal means to protect their organisations. 'For instance, instead of writing off losses, they should invest into actively targeting those organisations that have been attacking them,' he says. 'The old approach was "I won't tell people." Now the attitude is "I use every legal means at my disposal to protect my company."'
2. Rating countries' offensive capabilities
'Everybody only discusses offensive cyber-strategy via veiled references to the Russians and the Chinese without any strong, public, quantifiable proof,' says David Marcus, Director of Advanced Research and Threat Intelligence at McAfee Labs. 'No one has stepped back and said, let's take the 30 or so countries we think have offensive cyber capabilities and grade what they are and how they differ.' He believes we need a country-by-country rating methodology for offensive capabilities as well as defensive, and says most cyber-security professionals pretty much know what most countries are capable of doing: 'It's the countries that have cyber-offensive training programmes at a military or government level, it's those that consider cyber as part of the war theatre.'
Marcus believes there can't be a strong defence without a solid, quantified knowledge of offensive capabilities, and that most governments have developed or are developing cyber-tools and attack tools. 'We dance around this issue but is there really any difference between developing fighters and cyber-weapons if they are both used in warfare? Everyone blames the Chinese for everything today, but if we're going to push for government regulations and policy then let's lay out who we think has the top cyber capabilities. I doubt you could find a country that is not working on it.'
3. Protecting an increasingly integrated global system
We are looking at an increasingly integrated cyber-world with much more system-sharing and cross-border services, such as cloud computing, and we need the system to be functional and safe wherever it is located. 'How do we protect our infrastructure?' asks Danish security expert Christian Wernberg-Tougaard. 'It's great to have shared service and cloud,' he says, 'but how do we protect this multi-faceted structure?'
If a component were to be attacked, or if a country were to become unstable, you might face a serious challenge. The discussion between the EU and the US right now asks such questions as, can you have cloud services within the domain of the US Patriot Act while also being under the EU's data protection act?
4. How safe are SCADA systems?
SCADA systems, known as Supervisory Control and Data Acquisition Systems in the US, have always been around. They are the physical elements that control pumps and barrels, and other infrastructural and industrial processes. The challenge is that they used to be isolated systems and now they are often connected to the internet or accessible using data transfer devices like USB sticks. Increasing connectivity means more vulnerability.
'If you can control a SCADA system, you control the facility or the industry,' says Bart Smedts, Senior Captain and Research Fellow at Belgium's Royal Higher Institute for Defence. 'Via SCADA, you can control the economic work of any nation. Once you realise you have a virus on a SCADA system or the internet you can expect it to spread like an epidemic.'
'Many of these systems are unprepared for cyber attacks,' says Frank Asbeck, Counsellor for Security and Space Policy at the European External Action Service. 'A lot of damage can be done through ignorance, carelessness or malicious intent.' Like other experts, he believes we need to think hard about how these new factors affect systems physically and technically, and then decide what to do about it.
5. Security versus privacy
The issue is whether network data like IP addresses is considered private. Cyber-security providers need to track malware using these IP addresses if they are to block attacks, which is very different from those who collect the same data for marketing or behaviour tracking purposes. 'In fact, if cyber-security providers and network providers can use IP addresses to track malware, we believe that more data will be kept private,' says McAfee's Phyllis Schneck, 'because we will be more successful at preventing the bad guys from computer intrusion and unauthorised access to personal information, financial data, intellectual property, and systems that control and monitor physical infrastructure.'
6. Net neutrality
The heated debate over net neutrality is about whether broadband providers should be allowed to exert a veto on applications that use large amounts of bandwidth or discriminate among content providers. Brazil and Argentina, among others, are moving forward with net neutrality and opening their market to everyone. In the US, the argument is sharply divided; President Barack Obama is a believer in it. 'Industries are completely against it,' says Melissa Hathaway, who runs the consultancy Hathaway Global Strategies and was formerly cyber-advisor to the Department of Homeland Security. 'I myself don't think that net neutrality is a good idea,' she says. 'Industry needs to be that frontline of defence. ISPs, the conduit for delivering content, should be responsible for not delivering some content.'
7. Towards international rules
With the increasing threat of states engaging in malicious cyber activities against the critical infrastructure of other states, the need for international cooperation grows daily more urgent. 'We need to prepare the battlefield,' says Vytautas Butrimas, Chief Cyber-Security Advisor at Lithuania's Ministry of Defence. 'There are holes in the systems. We need to reduce the risk of another state placing something like a logic bomb that would cause systems to shut down. There is no such thing as zero risk but we can make the risk acceptable.'
8. Building a more solid cyber architecture
'We are closing the stable door after the horse has bolted,' according to Christopher Richardson, lecturer for the UK Ministry of Defence. The current ad hoc approach to regulation isn't going to make the cyber environment a safe place to do business. 'There are too many people with too many views,' he says. 'We need to look beyond particular attacks and improve assurance.' Experts talk of improving asset management so as to know what we are trying to defend and creating a 'patched up' environment. 'We don't need to be scared but educated,' says Richardson.
New technology is now focused below the operating system. It communicates directly with the computer hardware and chips to recognise malicious behaviour and be smart enough not to allow it. 'The buck stops here,' says McAfee's Phyllis Schneck. 'This is the newest and deepest layer and, together with more intelligence in the other layers, a key part of the future of cyber-security. Communication with the hardware is the queen of the chessboard - it can stop the enemy almost immediately or control a longer game. Either way, we win.'
9. Tackling weakest-link countries
'The challenge in the digital economy is that no chain is stronger than its weakest link,' says Christian Wernberg-Tougaard of the Danish Council for Greater IT Security.
Weakest link countries are those where absence of legislation creates havens for cyber-criminals. One view is to take the drastic option of disconnecting them from the internet. Another is to use tools to filter out internet providers from that country. A number of companies in the US block all Internet Protocol (IP) from China.
'The best solution,' says Costin Raiu, director for Research and Analysis at Kaspersky Lab, 'is to try to improve the economic situation in those countries. Internet crime is always connected to unemployment rates.'
10. Securing the Internet supply chain
A new discussion centres on the issue of securing the internet supply chain, particularly in sensitive areas of government that form part of the critical national infrastructure. This is about where you get your hardware devices, routers, servers, switches and so on. Could malware be introduced during manufacturing? Will companies want to work only with certain countries? Alastair MacWillson of Accenture says: 'This can be seen as a form of protectionism, but it may also be about prudent security mechanisms.'
11. Increasing awareness of the scale of the problem
We need greater awareness at all levels and in all sectors, and more dialogue all around. 'It's not going to happen overnight but we need much tighter private-public collaboration across borders and across cultures,' says William Beer, director information and security practice, PwC.
12. Taking a holistic approach
Hamadoun Touré, Secretary General of the International Telecommunication Union (ITU), is adamant. 'As long as we carry on thinking that the solution is only technical we won't get anywhere. We need a holistic approach involving legal, regulatory and technical measures, as well as an ethical approach. We also need an Integrated Supply Network within an international framework.'
13. Defining the role of governments
The view from industry is that there are things that governments can and should do to improve the overall state of security, and things they shouldn't and cannot do. 'Governments should be involved in commonality over borders,' says John Meakin, head of cyber-security at BP, 'but they don't have a role to play in the detailed disposition of security mechanisms around any one enterprise's internet estate.'
14. Governments must take greater care when taking advice
Who is advising governments? According to BP's Meakin, key decision-making forums are populated with career civil servants, particularly in the US and the UK. Meakin and others like him believe that dialogue at the top needs more experts from the 'buying side' of the industry, as well as its selling side.
15. Information-sharing at an international level
There is no single international agency or body with the mandate to deal with cyber-security. Also, national and regional organisations have to improve cooperation. 'Security is so vast that there is a long way to go before we reach trust,' says Italian cyber-expert Stefano Trumpy.
'We need more and more information sharing,' says Japan's Suguru Yamaguchi, a leading specialist on network security systems. 'That's the difficult part. Global companies are good at sharing information. They could act as catalysts to encourage governments to be more open.'
16. Thinking differently about cyber-security
Cyber-security advocates like Australian Tim Scully argue that we are wrong to protect our inter-connected systems at the expense of the information they contain. 'Right now, our model is systems-centric,' he says. 'Private and public organisations are being attacked and large amounts of data are being stolen despite traditional boundary defensive measures, like firewalls, anti-virus and intrusion prevention and detection applications.'
He argues that we should think in terms of trophy information. 'People need to focus on protecting their most sensitive information rather than the system itself,' he says. 'Subsequent segregation of data might even mean that some information is air-gapped from the internet if its loss were to have catastrophic consequences.'
17. Citizen awareness
There has to be more widespread awareness that cyber-security starts with everyone's behaviour and awareness. Far too many people at all levels of the hierarchy haven't realised that they should take responsibility for their home computers and the IT system at work. It's a battle that will never be entirely won. 'There will always be someone to click on a link they should not click on,' says Scully. 'Hackers exploit social vulnerability, that is why spear-phishing is so successful.'
18. Reducing secrecy
Over-classification of data skews the picture of what is going on. 'Secrecy concerns are the bane of cyber-security,' says Austrian Alexander Klimburg, analyst with the Austrian Institute for International Affairs. 'We should put more stock in non-state attribution, security trust networks outside government, to attribute cyber-attacks.'
19. Harmonising codes and laws
Discrepancies between code and laws can lead to abuse and should be resolved. Florian Walther, senior IT security consultant at Curesec, says this is what happened in Germany when the intelligence services were found to be using spyware in a more intrusive way than spelled out by law. 'The code defined what it could do and what police forces could do, but the law didn't,' says Walther. 'The program was making the law, and defining what was and was not possible.'
Cyber-attacks can often be seen within network flow patterns, much as storms can be seen forming on a weather radar map, says McAfee's Phyllis Schneck. 'The collection and correlation of cyber-data requires international agreement,' she says, 'and it's urgent because the bad guys at present have the advantage. Without these agreements, their behaviour is not always seen in time to thwart an attack.'
20. Defining pre-emptive cyber-attacks
Another difficult question is how to define pre-emptive cyber-attacks. What are they? How would you come up with the evidence? How strong can retaliation be? What is proportionate? 'Furthermore, you can't attack if you haven't first penetrated the system,' says Jamie Shea, NATO's Deputy Assistant Secretary General for Emerging Security Challenges. 'It's a game of mirrors, like the Menin Ridge at Messines in 1917. Where is the line between defence and aggression?'
Section IV. The quest for rules and regulations to govern cyber-space
It has taken the spectacular increase in cyber-attacks for political leaders in the United States, the European Union and parts of Asia to sit up and take stock of the costs involved and the loss in competitive positions.
'I've been working in computer security for 23 years,' says BP's Chief Information Security Officer John Meakin, 'and it's really only in the last two or three years that policy-makers have begun to wake up.'
On the other hand, 'if the internet had started with security and control in mind it would never have taken off,' says Alastair MacWillson, Accenture's global managing partner of global security. 'One of its strengths is that it is unregulated. It's not in anybody's interest to regulate.'
He recalls his concern when US President George W. Bush wanted the authority to regulate and monitor the internet under the Patriot Act. 'However,' he adds, 'companies that use the internet should be much more sensitive to the fact that it's an open highway. They need to invest in the technology that ensures they know who they are doing business with.'
As the medium matures, the need for global rules has grown and there are now some 20 political groups and economic forums worldwide addressing cyber-security issues.
Improving corporate governance could solve a number of problems. Christopher Richardson, who lectures at the UK's Defence College of Communications and Information Systems (DCCIS), thinks that many companies hold on to data they don't need and that strong internal audits should put a stop to this. 'We need to look at how we regulate data management and protection everywhere,' he says. Encrypting large amounts of data doesn't make sense. 'We want smaller units of data and only what is necessary. Why were Sony recording CVV codes on credit cards?'
How else can we make things safer? Establishing market best practices is a good first step that is both practical and low-cost, and can be implemented quickly. In the EU, the mission of ENISA, the European Network and Information Security Agency, includes sharing this kind of information between the 27 member states.
Cyber norms and common security standards
ENISA also works at the complex task of defining standards. 'Different EU member states are at different stages,' says the head of the technical department Steve Purser. 'A lot of our work is first seeing how countries deal with things, then defining common standards.'
How do you ensure that these standards are observed? 'You can either impose them or let the market sort things out. Many organisations now use the ISO 9000 standard; if you have that label you have credibility. We can do the same with the security market.'
The way to go, says researcher Jesus Luna of the DEEDS security research group in Germany, is to encourage industrial and academic consortia, interest groups and specialised communities, to set up de facto standards that sooner or later will become widely accepted. The cloud security alliance CAMM (Common Assurance Maturity Model) is one such instance. 'Fortunately, some private companies realise that working with competitors can benefit them,' says Luna. Having international standards is an economic necessity; we need technology that is inter-operable between countries.
The difficulties of going global
National sovereignty is one thing, but in cyber-space collective responsibility can't be avoided. Countries around the world have set up national CERTs, or are in the process of doing so. Large companies and public institutions have also set up these rapid response teams to act in emergencies and inform citizens about computer security, and they are also increasingly taking part in global networks of CERTs.
'If you want to shut down a botnet, you'll be lucky if it's in your own country,' says Purser. 'International collaboration is essential. Security within national boundaries doesn't make sense. Everything is globally connected. A European approach doesn't make sense unless aligned to the approach of international partners.'
But opinions about how to legislate vary. There are those who argue that the internet is changing so fast that regulations will never keep up, others who believe legislation stifles creativity, and countries that want to exert control over content. Is it unrealistic to expect global rules for cyber-security and cyber-privacy?
Probably, says Stewart Baker, who worked for Homeland Security and is now a partner in the law firm Steptoe & Johnson. 'There's too much advantage in breaking those rules.' He is hostile to the EU's data protection directive, aimed at regulating the processing of personal data, calling it an attempt at a 'neo-colonial imposition of privacy notions on the rest of the world'.
The rift between the US and the EU on the protection of privacy is one bone of contention but there are others. 'We should strive for global rules,' says Tim Scully, CEO of Stratsec and Head of Cyber-Security at BAE Systems Australia, 'though they will be difficult to achieve.' Like many, he thinks it would be much easier to start with global standards that protect information and to train and certify cyber-security professionals.
Jaan Priisalu, who heads the Estonian Information Systems Authority, thinks we won't get anywhere until the political and the technological worlds understand what the other is saying. 'I see huge misunderstandings in every country,' he says. 'The technological people's culture is how to use the network efficiently and they usually don't like to talk. At the same time, you hear politicians making stupid and arrogant statements about applying and regulating the law.'
'We need rules and agreements to keep the cyber world running,' says Kamlesh Bajaj, Chief Security Officer at India's Data Security Council. 'The problem is when policy-makers start to regulate without understanding the issues.' For Bajaj, these issues are not solely about compliance. 'The challenges posed by the movement of data mean that stringent compliance regulations aren't enough. You might apply them in one country and put your own country at a disadvantage. We need to look at all sides of the argument.'
IMPACT, THE CYBER-TALK PLATFORM
With the fast spread of smart phones, including in the least developed countries, cyber-security is in the process of shifting east and south of the globe. Conventional wisdom dictated that cyber-security focus on the richer countries. That view is changing. If we are to avoid safe havens for criminals in countries with no cyber-laws, we urgently need to help those countries.
Mohd Noor Amin, head of IMPACT, the cyber-security alliance headquartered in Malaysia, says even the most sophisticated countries now realise you have to assist the poorer ones. The ITU-backed platform has 137 member nations and brings together governments, academia, industry and international organisations from developed, developing and the least developed countries.
'We are not a treaty, but a voluntary cooperation platform,' says Amin. 'We tackle cooperation issues between countries in different jurisdictions. That cooperation is going to get stronger. Nobody wants cyber-crime to operate in their jurisdiction. The problem is not that nothing is being done, but that those governments with cyber-criminals working in their territory don't know what is going on.'
IMPACT runs an electronic platform jointly with the ITU involving law enforcement, ISPs, telecoms regulators and policy-makers. Amin believes that successful information-sharing among IMPACT members will not replace the benefits of an international treaty. 'It's a significant first step to getting people around the table. If business competitors can sit at the same table to do something good for the world, why can't governments? A treaty would enhance levels of cooperation.'
Adapting existing rules
Do the experts think many rules are already here waiting to be adapted? Some do. In many cases, it might be simpler to extend the scope of existing laws than to rewrite criminal codes from scratch and design new legislation, they say. 'It doesn't take that much of an adaptation of existing criminal codes to take effective action against cyber-criminals,' says BP's John Meakin. 'The problem is that players on the law enforcement side, prosecutors and judges are often ignorant of the way computer systems work.'
If we look at international treaties like the Geneva Convention, many existing rules of war may also apply to cyber-space. 'There are those who say cyber-space is the fifth dimension of warfare,' says Australian Tim Scully. 'In that regard, I'm sure lawyers could go through some of the existing rules and apply them at an international level to cyber-space.'
The thorny issue of attribution may appear to get in the way. Not so, says Vytautas Butrimas, Lithuania's Cyber-Security adviser at the Ministry of Defence. 'It may be too difficult to track down the computer to the very apartment, the very building, the very person who is pressing the enter key, but it is technically possible to pinpoint the country where the attack originated.'
His view, shared by many, is that we need an international agreement that makes every country responsible for its sovereign cyber-space and thus forced to take such steps as blocking infected computers from the internet. 'You'd act in the same way with a cholera pandemic,' he says. 'The attribution debate also has its calculating and cynical side. States that want to keep their options open when seeking to achieve a political or military objective are opposed to any restraint on their use of cyber-weapons.'
The lack of international mechanisms
For the time being, there are no international mechanisms that coordinate national cyber-defences, including intelligence gathering. According to Canadian expert Rafal Rohozinski, the best coordination and expertise sharing so far is between the Five Eyes: Canada, the US, the UK, Australia and New Zealand. 'The concentric circles around that are tenuous,' he says. 'They include NATO, the Council of Europe, and the Collective Security Treaty Organization (CSTO).'
Colonel Emilio Sanchez De Rojas, who heads the Department of Strategy and International Relations at Spain's Ministry of Defence, argues for a comprehensive approach that would include all the main actors and organisations: the UN, the Organisation for Security and Cooperation in Europe (OSCE), the EU and NATO, as well as multinational businesses dealing with cyber-security. 'But,' he stresses, 'these rules have to be accepted not only by main powers like China and Russia, but also by more cyber aggressive countries like Nigeria and others in Africa. We need to reach a compromise between security and freedom.'
Japan's Suguru Yamaguchi, former advisor on Information Security to the Cabinet of the Government of Japan and a professor at Nara Institute of Science and Technology, believes a small first step is the Budapest Convention, the Council of Europe's convention on cyber-crime, the first international treaty to seek to address internet crime, which has been ratified by Japan, the US and China, among 117 other countries. 'We are encouraging more countries to sign the treaty,' Yamaguchi says, 'because it offers a comprehensive framework for capability and collaborations in investigating cyber-crime. State-sponsored attacks are a criminal activity and require the same cyber-security measures.'
The impossible dream of a global treaty
In 2010, before the UN's ITU (International Telecommunications Union) conference in Mexico, Secretary General Hamadoun Touré said he wanted a "cyber peace treaty". But for many, simply agreeing on common rules and setting up a global body are a big enough challenge.
For the more hawkish, like US lawyer Stewart Baker, an international treaty is a waste of time. "At worst, it will delude western countries into thinking they have some protection against tactics that have been unilaterally abandoned by other treaty signatories," he says.
The London Conference on Cyber-space in November 2011 wanted to be the launching pad for an agreement on designing a cyber-security treaty, but that was not to be. Too many countries didn't share the same viewpoint. "I'm a realist," says Erik Frinking, who works for the Centre of Strategic Studies (HCSS) in The Hague, "and so seriously doubt we can have a global legal agreement. Codes of conduct are already a source of conflicts with the Russians, Chinese and others."
Where cyber-conflict raises its ugly head, Frinking believes we should use the same rules of engagement as for conventional war. "Rules of engagement can be agreed at a very abstract level, but it's hard to see countries agree at this moment on rules applying to other domains. A number of challenges can be handled informally."
I seriously doubt we can have a global legal agreement.
Codes of conduct are already a source of conflicts with the
Russians, Chinese and others.
Erik Frinking
If we see cyber-security as a network of safe countries, says Baker, we should think in terms of a rough working consensus that turns outliers into pariahs. "We used to have that problem with banking. A number of money-laundering centres saw opportunities to profit from not enforcing money-laundering rules," he says. "The bigger financial participants in the global financial system shunned these countries pretty effectively, reducing the number of places where you can hide money. Similar mechanism could be applied to isolate countries that don't respond to investigative requests."
"Cyber is a dangerous space," says the ITU's Touré, "and we must create a framework of cooperation to protect basic human rights. Governments have to commit themselves not to attack one another, and we must set up a framework cooperation to arrest criminals wherever they are. Are we ready for such a negotiation? We don't have a choice, we've got to do it for the safety of our children, our businesses and our countries."
A realistic alternative to a peace treaty: Cyber-confidence
measures
A number of scholars, including James Lewis of the CSIS, Paul Cornish, professor of International Security at the University of Bath, and Theresa Hitchens, Director of the UN Institute for Disarmament Research (UNIDIR), have been working on designing cyber-confidence measures. "A treaty isn't going to work," says Lewis. "There are too many verification, compliance and definitional problems."
Cyber-confidence building measures include "agreeing on norms to structure expectations about state behaviour," says Lewis. "You want transparency, particularly for national doctrine on how to use cyber-attacks in a military context. Most countries have these doctrines but don't talk about them."
Among other things, CBMs include law enforcement cooperation against the use of proxy forces. "The Russians and the Chinese use proxies," says Lewis, "citizens acting at the behest of government. A traditional arms control treaty that restricts technology won't work because the weapons are sometimes teenagers with laptops. How can you set up a treaty in this context?" The measures would include such commitments as sharing information on third party threats, and taking responsibility for activities of individuals resident in your own territory. Cyber-confidence measures are currently being discussed at the OECD and the UN.
Lewis is scathing about the autumn 2011 London Conference on Cyber-Space. "A giant missed opportunity," as he puts it. With follow-ups in Budapest in 2012 and in South Korea the year after, he hopes lessons will have been learned in what he sees as a serious problem of narrative and understanding of the issues. "People have to stop saying that a free and open internet produces wealth. The development agenda is a flawed concept. China is not free and it seems to be doing just fine." As he sees it, London "danced gingerly around values, and avoided the argument as to why a secure internet based on democratic values serves a country's interests. That was the proverbial elephant in the room everyone tried to ignore."
The bodies competing to govern cyber-space
The internet is a messy playing field, run by a patchwork of organisations, and different countries have different views about who should be in charge. Do we want more government control? Or do we want to avoid that at all cost? Or do we simply want to see governments get something moving? And how do we follow a bouncing ball?
The big-picture policy is principally in the hands of the EU, NATO, the UN and APEC, the Asia-Pacific Economic Cooperation. Every year, the UN's Internet Governance Forum (IGF) offers a multi-stakeholders talking shop. It's a lively and democratic Babel's Tower. In the cacophony of nations, India, Brazil and South Africa have called for a new global body to control the internet. China and Russia want the UN General Assembly to adopt their International Code of Conduct for Information Security that would give governments more of a role to play, and greater control on content.
These countries would like the UN's International Telecommunication Union (ITU) to have a supervisory role, something firmly resisted by the US and other Western countries. "The UN is a forum and not the right place to make decisions," says Frank Asbeck, Counsellor for Security and Space Policy at the European External Action Service, the EU's foreign diplomatic arm. "We are living in an environment where we need pragmatic and socially acceptable solutions quickly. We can't get into negotiations that take decades."
Many Western governments prefer a multi-stakeholder approach, like that promoted by the Organisation for Economic Cooperation and Development (OECD). "We should keep the multi-stakeholder approach," says Asbeck, "while at the same time seeking optimum balance between enterprises, governments and law enforcement institutions. My guideline would be as much state involvement as absolutely necessary, but as little as possible."
Internet governance
Who gets to control domain name systems? Western governments would like to rein in some of the influence of the Internet Corporation for Assigned Names and Numbers (ICANN), the internet's address system, one of the few bodies with a global, centralised influence in the internet. Other countries would like to see the ITU in charge of domain names. The ITU also involves multi-stakeholderism, but under government leadership, which worries many internet community actors.
The US-based, private-sector-led ICANN, which brings together net users, the private sector and government, manages IP addresses, assigns numbers, and handles domain name registration and its management.
"The issue between ICANN and the ITU is multi-stakeholderism," says Stefano Trumpy from Italy's National Council for Research. "This worries many people. At the IGF in Nairobi in September 2011, India, Brazil and South Africa suggested setting up an ad hoc committee within the UN to deal with public policy concerning the internet, including standards. It's a worrying idea. Standards were started by the private sector and shouldn't be controlled by government."
"There is no perfect governance model," says Trumpy. "It has to evolve and gain the confidence of the world community via continuous updates and a quest for transparency, and by listening to different stakeholders to arrive at decisions."
Standardisation
Technical standardisation is the second component in the governance of cyber-security and it is currently in the hands of the Internet Engineering Task Force (IETF), which collaborates with the ITU and industry. "We need an open process," says Japanese expert Suguru Yamaguchi, "with the open participation of industry and the public sector." Several other venues are competing to handle global inter-operability and common criteria, among them the International Organisation for Standardisation (ISO), and the professional association, the Institute of Electrical and Electronic Engineers (IEEE).
Law enforcement
The third component is law enforcement. Interpol has designed a strong legal framework, and other international frameworks are being set up. Interpol's framework is used to handle cyber-crime from countries that don't have a legal framework on cyber-crime.
Many countries believe in the effectiveness of the 11-year-old Budapest Convention, the convention on cyber-crime that allows authorities in one country to pursue criminals in another. The US, Japan and Canada have signed up, but others haven't and don't agree about the meaning of cyber-crime. Russia, for instance, opposes the idea of "trans-border access", preferring a UN treaty that would respect borders.
Information-sharing
The fourth is information-sharing. Sharing information globally is a global headache but it's key to internet hygiene. The global Computer Emergency Response Team (CERT) forum called FIRST does this very effectively, but no one thinks that's enough. "We need more and more collaboration to encourage global information-sharing," says Yamaguchi.
Among the bodies looking at the issue, the ITU-sponsored IMPACT in Malaysia is an advance warning system in the telecommunication community. "The issue is that it's all very well telling the US there is a problem but what can the telecoms do about it?" asks Accenture's Alastair MacWillson. The US-based Meridian Conference and Process, with its annual CIIP conferences, is another key player in trust-building and international cooperation. Aimed at senior government policy-makers, it is open to all countries.
Concern about state-supported attacks often gets in the way of information sharing. In many regions, special fora have been set up, like the Asian Regional Forum (ARF) sponsored by the ASEAN countries to ease tension in the Korean peninsula.
"Still there is a basic lack of trust among some countries and we need more open dialogue to ease that tension," says Yamaguchi. "Hope may come from industry. With many firms now going global, they are quite open and aggressive about sharing information with various entities. I hope that global companies can act as catalysts to encourage governments to open their door to dialogue."
THE ITU TAKES ON SMART PHONES
"It took 125 years for fixed phones to reach the first billion, and only 11 years for the mobile phone to do so," says Hamadoun Touré, Secretary General of the Geneva-based International Telecommunication Union (ITU). An engineer by training, he says fibre optic networks are speeding up our worldwide connectivity much faster than he had expected. "With broadband, the volume of data is going much faster than infrastructure growth. That's a little worrisome. We risk a traffic jam in cyber-space."
The Broadband Commission was set up in 2010 to address the issue of fast growth. Touré stresses that a high-speed, high-capacity internet is essential to achieving the Millennium Development Goals. Broadband improves healthcare, education, energy efficiency. It's a global phenomenon and its safety needs a global response done in a global framework of cooperation. Touré insists that security in cyber-space is the same as security in the conventional world.
A first and easier step at creating a global framework is the Child Online Protection Initiative (COP), aimed at protecting children in cyber-space. "Children are our most common denominator," says Touré. "Whether or not a country legalises pornography, everyone agrees that child pornography is a crime. It's easy to take concrete action in that direction. The same type of work can then be done in other areas."
Touré says the next war will take place in cyber-space. With criminal activities and espionage on the increase, he firmly believes we need a global cooperation framework. His view is that an ITU cooperation framework would be negotiated around a large round table. "It wouldn't just involve our 193 member states, but also the private sector and consumer groups. Are we ready for such a negotiation? We have no choice. We have to do it for the safety of our children, our businesses and our countries."
Touré's to-do list
- Increasing access to broadband as a way of helping people increase social and economic development.
- Increasing global efforts to coordinate cyber-security, and making sure governments work hand-in-glove with the private sector. Ordinary users also need to feel comfortable with their own security.
- Spectrum allocation. 2015 is the deadline for the move over from analogue to digital broadcasting. A serious technical discussion is about to take place about what to do with the freed-up spectrum.
- Preparing for the review of the international telecommunication regulations. The 1988 agreement is obsolete. Now that so many new systems and technologies have come into place, issues and priorities have changed completely.
Section V. Breaking down
the walls between the
cyber communities
To achieve workable international rules governing cyber-space,
the walls dividing sectors, countries and even generations must
be razed
Cyber-space is honeycombed with walls. There are walls between generations, walls between professional sectors, and walls between countries. The trouble is these walls aren't built on hard ground and they make little sense. In as global and porous an environment as cyber-space, the building of any legal and regulatory framework needs specialists to broaden their outlook and countries to work together.
"Governments tend to move slowly, but with cyber-security we need to move fast," says cyber-security advocate Tim Scully. "Cyber-security is a social problem, not just a military problem. We talk in terms of national security, but we should talk in the context of national interest." He talks of the need for strong collaboration and leadership trust between government, industry and academia, more so than in many other areas. Australia's Cyber White Paper to be published in 2012 is a step in this direction.
The generation divide
The most archaic divide is between generations. Many experts mention that their children's view on internet privacy is completely different from their own, epitomised by their attitudes to social networks.
If an information security person is not using Twitter or Facebook,
he is not in the right place to make a decision about the use of those
tools
William Beer
"My kids' generation has no fear of computers and they don't care about privacy," says British cyber-expert Peter Sommer. In 2011, when Sony's 77 million clients' personal details were hacked, the company shut its PlayStation network for two weeks. Most young users were angrier at not being able to play than about the privacy breach.
When citing this incident, Sommer says he makes no value judgment. He thinks the Sony incident was symptomatic. "You have to be very careful if you're right or wrong about this. I think the younger generation often see us as boring old farts and they may be right. It's a changing world."
Canadian specialist Rafal Rohozinski, CEO of the SecDev Group, thinks the generation divide is a very real problem. "Policy-makers are often 10 to 15 years behind the internet generation, and they are dealing with questions they can't really understand." Not only that, adds William Beer, who heads Information and Cyber-security Practice at PwC, but these same policy-makers need to take into account that technology has permanently changed younger people's conception of privacy. He goes a step further. "If an information security person is not using Twitter or Facebook, he is not in the right place to make a decision about the use of those tools."
Improving trust between industry stakeholders
Private companies are fearful that information they provide could be misused by government or the competition. Experiments in trust-building are going on around the world, and this often means working with competitors. As a result of growing fraud, the US financial services set up the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share information on attack techniques and cyber-threats to the banking systems. On a much smaller scale, the Belgian Financial Sector Federation (Febelfin), with 23S members, does similar work using freelance experts.
A comparable initiative has been set up by the oil and gas industries in the wake of the so-called Night Dragon attacks that brought down and reconfigured systems. It is FS-ISAC's global mirror. "For the first time, several big oil companies have got together," says Accenture's Alastair MacWillson, "to start a communication chain that has turned into an industry group. These are early days but I predict more and more of this happening at industry level around the world."
Overcoming the barriers between rivals
That information-sharing is to the advantage of professional competitors should be obvious, says researcher Costin Raiu of Kaspersky Lab in Russia. "There are benefits for everyone. Governments and the military will see marked improvements in their security. Academia will be able to develop new protocols and design new architectures. And if users are better protected, cyber-crime will go down."
William Beer, head of security at PwC, thinks that facilitators can help these professional groups communicate. "I work with behavioural guys," he says, "because they can help understand what makes a military professional tick, or what makes a businessman or woman tick, and how you take that into account to share information. We have relied too long on security people with their slightly restricted skill set. Industry has used the techno language far too long."
Are cyber-crime and cyber-security one and the same?
Take crime busting. In this world of blurred boundaries, the distinction between cyber-crime and cyber-security may not be a useful one to make. A better focus, says Victoria Baines, strategic adviser on cyber-crime at the European law enforcement agency Europol, is to have a collaborative response to regional and global threats, and to encourage the private and public sectors and academia to work together.
She cites as an example the successful dismantling in 2009 of Spain's notorious Mariposa cyber-scam botnet, which academics, the military, law enforcement, the private sector and third countries worked together to bring down. "What Europol and Interpol bring that was lacking before is international coordination of cyber-crime," she says. "More than for other crime sites, you can't investigate cyber-crime within national boundaries."
"We deal with automation of malicious software distribution, denial of service and the money-making side of things," she says, "but we are also very active in coordinating responses to cyber-crime when it comes to hackers employed in the forums of the underground digital economies. These people hack for dollars, they often don't know the real identity of their bosses and they're spread far and wide."
More than for other crime sites, you can't investigate cyber-crime
within national boundaries
Victoria Baines
Steps towards global sharing
One step among others towards sharing information about the cyber-threat between countries in the East and West is being handled by Malaysia-based IMPACT, the education, training and information-sharing arm of the ITU (the United Nations agency for information and communication technologies). Chairman Mohd Noor Amin is a firm proponent of the multi-stakeholder platform approach. "The final user has to be educated to behave responsibly," he says, "and the private sector and governments have to invest in security, despite the shortage of money." Some 137 nations have signed up as IMPACT partners, but Amin stresses that countries that haven't, like the UK and the US, engage actively. "They know you have to connect with the rest of the world. It's only a matter of time before every country joins."
Section VI. The private
sector's privacy dilemma
Commercial secrecy is of key importance to companies
investing in cyber, but it also risks compounding the problems of
cyber-security and its dangers
In many people's view, the Netherlands offers the best example of successful private-public partnerships with its platform for cyber-security, a sort of cyber-exchange. "It's an excellent way of discussing the issues and translating them into some form of action, and even voluntary or mandatory regulations," says Alastair MacWillson of Accenture. "Much more of this should happen globally."
Good work is also being done in the United States. But around the world, the public-private partnership tends to be advancing very slowly. Some countries like France are suspicious of an overly close relationship between the public and private sectors.
Why the private sector would be better advised to share
information
The private sector comes at cyber from a specific angle: the money-making angle. And as John Meakin, who heads cyber-security at BP, points out, "If you take the risk out of business you will never make a profit."
But the private sector also has valuable "real-life" experience of cyber-attacks. The problem is that companies are reluctant to talk about these, they aren't keen to reveal vulnerabilities to competition or to consumers, and they also have data privacy rules to contend with. "There's naturally a healthy dose of scepticism on both sides," says William Beer, director of cyber-security at PwC. "The views of the threats are not the same."
One thing is clear: in order to have a good picture of the risks and dangers on the internet, the private sector has to share information with the public sector and vice versa. For instance, are a series of cyber-attacks directed at governments somehow related to similar attacks aimed at financial institutions?
The next step is to pass on this information to the researchers and scientists. "We can't have security and obscurity," says researcher Jesus Luna of the Deeds Group. "Academia can provide the algorithms and the techniques, but we are missing the data that validates our research. We need that private and public information."
More exchange of information is going on than we think, says Costin Raiu, researcher at Kaspersky Lab in Moscow, but a lot takes place very discreetly. "It might look like companies are not sharing much information," he says, "but it is happening in closed discussions, for instance in computer and anti-virus research organisations. You have to remember that this can be a risky business. In countries like Brazil, we have seen death threats against security experts."
Making regulations that make sense for everyone
On the one hand, the academics and the security sales people are saying, trust us with your data and we provide you with better security mechanisms and assurance levels. At the same time, policy-makers are saying let's come up with rules and regulations to make this a safer playing field. Even if many argue that regulations are necessarily soon obsolete, cyber-security advocate Tim Scully points out that the enforced wearing of seatbelts in many countries may not have eliminated road deaths, but it has saved lives.
"Of course regulation has a part to play," says Judy Baker, a former civil servant who is now director of Cyber Security Challenge UK, "but it is rarely the whole solution. It takes time to implement and the problems it is designed to address are constantly changing. Regulation is always behind the curve." But one thing is sure: any discussion must engage the private sector, she says, if we are to ensure that regulation makes sense. She adds that the cyber-threat is best dealt with in a "business as usual" way if things are not to enter an escalatory cycle.
Governments too often come up with a good idea but have a hard time implementing it because they lack experience of the service world, says Vytautas Butrimas, Chief Advisor for Cyber-Security at Lithuania's Ministry of Defence. "If the private sector is brought in early during the planning and drafting phases, then it is much more likely that the regulation will not have to be changed or adjusted right away. And at least the process will provide both sides with an understanding of each other's interests."
"The people who write regulations and standards are by nature not particularly well connected with business strategies and needs," says Accenture's Alastair MacWillson. "Governments should pull together business and get them involved in the drafting of regulations, and facilitate that dialogue in how they deal with this without stifling business, in the way the Dutch are doing it."
Most governments recognise that they could do a lot more to facilitate knowledge, and that this implies dealing with commercial sensitivities so as to know how an attack took place and what techniques were used to carry it out. "We must remove penalties on an organisation that has been hacked and that has lost data," MacWillson says, "or there is no motivation to declare the attack. We need a no-blame sharing of information."
The blame game: From software companies to service providers,
who should be responsible for what?
Certainly, pointing the finger of blame isn't the way to go. Some experts suggest that software companies should be made liable for attacks arguably due to their own poor coding. So far, software companies have no liability, as printed in small lettering in their contracts. "They should be subject to more pressure than they are today," says BP's security chief Meakin, "but I'm not saying they should be made liable."
One-hundred percent security is not achievable, and systems are vulnerable to cyber-attacks for a slew of reasons, including the lack of an appropriate security policy and misuse by users. "People readily point the fingers at villains in the software community," says MacWillson, "when they haven't done their updates. There are too many people in the whole chain to pinpoint a single villain."
Section VII. Bearing the
costs of cyber insecurity
Cyber-security doesn't have to cost a lot, but should business or
government shoulder the greatest part of these costs?
Kamlesh Bajaj, CEO of the Data Security Council of India (DSCI), thinks government should pay a proportion of private company investment. "Critical infrastructure is essential to the functioning of a country, and government should pay private companies a proportion of their cyber-security private investment. What if a bomb was dropped on a bank? The government would help. A logic bomb dropped through networks to decapitate the systems is not that different."
Frank Asbeck of the EU's new diplomatic arm, the European External Action Service, thinks a secure internet is a major support for getting out of the economic crisis. "There are areas of the economy where cyber-space and the internet play a huge role," he says, "and investing in cyber-security means making it and cyber-space reliable and trusted. In areas like banking, the communication business, the optimisation of energy usage and smart grids, you can use information technology to save resources and to operate much more efficiently."
If we look at econometric models for calculating the costs of individual cyber-attacks, we are getting there very slowly. One of the problems is the wide variety of people collecting the information and drawing up the statistics, the other is that companies tend to keep this sort of detail very close to the chest. "We don't have actuarial tables," says Canadian Rafal Rohozinski, "but they will come. The US has signed a non-binding agreement that companies report on breaches and loss of intellectual property. Over time, insurance will move from the realm of hype and speculation to businesses."
"The insurance industry too is getting there slowly, although in Europe we still mostly have insurance companies designed on the 19th-century British model, and the attitude tends to be, 'so long as it hasn't happened, we wait and see'," says Lars Nicander, Director of the Centre for Asymmetric Threat Studies at the Swedish National Defence College.
What if a bomb was dropped on a bank? The government would
help. A logic bomb dropped through networks is not that different.
Kamlesh Bajaj
THE INSURANCE SECTOR WAKES UP
"A cyber hacker is nothing more than a bank robber using another weapon," says Larry Collins, head of e-solutions at Zurich Financial Services. "His motivation is robbery and theft."
The issue, he says, is that suddenly new systems sprang into existence with valuable information stored on them. With millions and millions of credit card numbers, the insurance sector got scared. "The whole computer world is changing rapidly," says Collins. "Premiums and costs are set actuarially based on what happened. When new things happen how much is that worth?"
Do we need to take out special insurance? Yes, says Tim Stapleton, Zurich's Professional Liability Product Manager. One problem is that insurance companies are increasingly denying coverage on non-traditional claims. "Small and medium-size businesses in particular need to have dedicated insurance policies that cover expenses in case of cyber-attacks," he says, "but that also give faster access to specialised resources so they can get the ball rolling and figure out what happened."
According to Stapleton, today's hottest cyber debates in the insurance industry are about privacy regulations, litigation trends and general privacy practices. "What kind of information is the company collecting, how is it storing that information, how is it using it once in its possession, how is it securing it? Most companies post privacy notices outlining these elements. Where we run into problems is when they haven't complied with those privacy notices."
Insurance companies have different ways of labelling cyber-liability. They don't even describe it the same way: some talk of "information security and privacy"; others say "cyber", still others say "network security". In the U.S., basic coverage includes core covers, like privacy and security liability coverage that provides defence and indemnity for third party claims, including class action by individuals or from banks if they have to reissue payment and credit cards; and first party (the insured person's) privacy breach costs that would apply before a claim at the time that the event occurs. There are also services provided by vendors contracted by the insurance company, such as credit monitoring, forensics, notification and public relations costs to offset damage done to a company's reputation.
What are the rules of insurance against cyber-attacks?
The triggers for a cyber-attack generally concern privacy, Zurich's experts say, like the disclosure of personal data: a name along with social security or driver's licence numbers. This sort of disclosure can also happen because of a network problem or a careless event, like losing a laptop or leaving a file in a public place.
Top threats
- Cyber hacktivism. The concern is that they could take down major sites, or block e-commerce money and damage databases.
- Cloud hacking. Problems posed by a central repository holding data and information for thousands of companies. The scare phrase is "hyper-jacking", or breaking into many systems at once. It's been done already: hackers have exploited vulnerabilities in cloud architecture.
- Mobile and tablet hacking. Hackers can breach our mobile device within 15 minutes at most.
- Advanced persistent threat. This is where the cloak-and-dagger comes in. Sophisticated, highly professional groups perhaps organised by intelligence agencies or well-funded criminal gangs.
How do you balance risk and liability in case of attack?
Privacy breach costs are a loss leader at the moment, say Zurich's specialists, because the trigger is much more sensitive: it's the mere fact that an event occurs. That's why many carriers lower the limit on liability to control costs, although the increase in online breaches means that data is fast accumulating on the costs to companies.
How much has Zurich been paying out?
"We have been paying out at both ends: first party costs and third party liability," Stapleton says. "You can generally predict that if sectors like healthcare, a financial institution or a retailer get hit, they will have more personal identification on hand and it might cost more to respond to a breach in defence costs and settlements. A manufacturer may not have as high a volume of personal identification information and may cost less."
What proportion of an electronic info systems budget should be
invested in cyber protection?
"Enough to protect the company against harm," says Collins. "The size of the effort needed to protect a system has to be proportional to the sensitivity of the information held on site. Our advice to companies is to do two things. Take a look at what you're storing and who has access, even internally. Then we always advise using scenario-based risk assessment; looking at things from a business model point of view makes a great deal of sense."
Section VIII. Private citizens: issues of freedom and protection
Among the many complicated problems cyber-security raises is
that of security versus privacy. Are they opposed? Or can they
co-exist?
"It's an incredibly confused picture at the moment," says Alastair MacWillson,
managing director of Accenture's global security group. "Views on security
change with the age of users. The young are less concerned about privacy
but they want full access. You also have higher or lower sensitivity to privacy
issues in different countries."
China and Russia for instance consider that the cyber-threat also involves
propaganda and threats of political unrest, and thus should allow content
censorship. During the Arab Spring, the Egyptian government threatened
to cut internet access, although they didn't in the end. In Europe, countries
that have experienced communism tend to be more aware of privacy issues
than others. So is Germany, with the added memory of Nazism. But within
countries, there are arguably as many views or non-views as there are users.
"Can you have cyber-security without a Big Brother state?" asks Fred Piper,
who runs Codes & Ciphers Ltd, a British consultancy that offers advice in
information security. "The more governments impose, and the more secure
they can make the system, the less freedom you've got." In the UK, he says,
"the debate compares computers to cars and goes as follows, the motor
industry has worldwide standards of behaviour, it is acknowledged that it
takes a certain amount of skill to drive, therefore you should need a licence
to use the internet."
"You have to define the field and not confuse democracy with security,"
says Stefano Trumpy, research associate at the Institute for Informatics and
Telematics of the Italian National Research Council (CNR). "If you look at the
social stability assured by local and international law enforcement agencies,
there is a serious risk that freedom of expression will face undue limitations.
Freedom of expression is a basic principle and using security to limit it is
not a good thing. Law enforcement agencies should operate in a clear and
transparent way so that internet users understand the frame of prevention/
intervention in cases of cyber-crime."
"The trade-off doesn't make it worthwhile," argues Sandro Gaycken, a
German philosopher of science and technology. "The first point is that the
most effective attackers are not identifiable, so they can't be prosecuted.
The second, is that in order to identify a perpetrator I have two options.
I can look into every package on the web for malicious content or I can store
the content and look at it after a few months. Both options involve looking
into each and every data package. It's not efficient and there are too many
trade-offs."
Most people's knowledge is confined to the Matrix movies and the
books of the Millennium Trilogy
Judy Baker
Internet responsibility, from private users to corporate giants
Gaycken's view is that it is more efficient to secure the systems themselves
by raising the average user's understanding. "Users should be more aware
of the business models used by criminals. We need to raise overall security
awareness." He says that concurrently we can do things against denial-of-
service and other more sophisticated attacks, such as disconnecting the
internet and using closed-system models. "It shouldn't be about the control
of networks over the security of hosts," he says.
For Olivier Caleff, who works for the French consultancy Devoteam that
gives advice on cyber-security, education and training are key to combating
the cyber-threat. "I would say that's 50% of the solution," he says. "People
are using computer mobile phones and too often they believe everything
they read. They trust the most stupid messages."
Too many people will blithely hand out their details on the internet, or think
they are addressing air-tight user groups when in fact they are part of a
very open session. They aren't aware that their data is being sent on to other
companies. Like many others, Caleff believes that education should start in
school, and that companies, whatever their size, should be responsible for
educating their employees.
The cyber-security skills gap
If we're talking education, we come to the fact that most countries are crying
for people to do cyber-security jobs. "It's an immature profession," says Judy
Baker who runs Cyber Security Challenge UK, an organisation that recruits
talent through national competitions and games. The same recruitment
methods are used in the United States. When the Centre for Strategic and
International Strategies (CSIS) advised President Barack Obama that he
needed 10-15,000 more cyber-security professionals, they ran competitions
to encourage people to identify talent. "You have a lot of well-hidden front
doors," says Baker.
The SANS Institute in the US, a research and education organisation, found
that 90% of companies can't get the cyber-security people they need. They
list eight categories of jobs, from technical to strategic.
"We need to introduce cyber-security into school curricula," Baker says.
"Most people's knowledge is confined to the Matrix movies and the books of
the Millennium Trilogy. In the UK and in most countries, it's only when you
get to post-graduate levels that it is taught seriously. It's not surprising that
people are not considering it as a career. And we're looking for people with
creative skills. We need people who can find ways to do things differently,
rather than run behind the problems in a patch-and-pray position."
People too often believe everything they read, and trust the most
stupid messages
Olivier Caleff
PART TWO
Section I. A worldwide brainstorming of experts
In this global survey conducted by the SDA in late 2011, some
250 respondents were asked to rate the countries other than
their own they deemed best prepared against cyber attacks.
The U.S., the UK and Estonia topped the list, while Albania,
Mexico and Romania bombed.
What is the simplest way to improve international cooperation in cyber-space,
the SDA asked 250 senior security practitioners in a global conversation
last November. By improving information sharing, engaging in more cyber
exercises, incentivising, creating common standards, drawing up a non-
binding convention, giving more power to Interpol, launching public awareness
campaigns, and by talk, talk and more talk, they replied. Many participants in
this Call for Ideas mentioned legal frameworks, standards, protocols and codes
of conduct, and increased cooperation between national CERTs.
This global conversation was particularly relevant because of the high level of
participants from 35 countries that spanned Albania to the United States. They
included staff at the EU, Interpol, Eurocontrol, the UN, NATO and the OSCE. We
also heard from ministers of defence and the interior, MPs and MEPs, top-level
ministerial staff, academics from universities from across the globe, as well as
NGOs, think tanks, trade associations, and private companies including banks,
IT specialists, defence groups, consultancies and law firms.
The prevailing view from Australia is that norms are essential, as is the need to
"recognise the inherent national construct of cyber space". An Austrian expert,
on the other hand, feels that the simplest way to improve cooperation in cyber
space is to "exchange important information among stakeholders".
A Belgian expert believes that in the absence of a global regulatory body, the
simplest solution is for "countries to regularly participate in joint exercises that
foster international cooperation and the coordination of national policies".
Another feels that the way to go is to use existing structures and organisations
like NATO, the OSCE and the Council of Europe. Another, more jaded, Belgian
respondent feels that "if it was that simple it would already be in place" and a
third, somewhat catastrophist compatriot suggests a "cyber 9/11" will do it.
One public sector respondent from Denmark shaped his views clearly. "First of
all, make it a topic of equal importance to all nations. The level of international
cooperation can only be raised as high as the lowest common denominator.
When that threshold has been reached, it's a matter of multinational and bilateral
cooperation within or outside existing organisations. The issue of cooperation
is best approached from a business and commercial angle, a security or values-
based approach would only lead to an escalation of conflicts."
Northern Europeans, generally considered to be among the world's cyber-
security leaders, tend to argue that there is no such thing as an easy answer.
"More awareness, and better sharing of information and best practices, are a
good starting point," one Estonian says. "International projects and seminars to
foster common understanding," says another. "Sit down at the same table and
initiate a discussion," concludes a Finn.
It's time to locate thinking about cyber-conflict into the framework of
existing international law and strategy
James Lewis
In Greece, one expert's view is that "cooperation is always complex, and
cyber-space is no exception". Getting in the way are "political games, the
different interests of nations, corporations, organisations, institutions and even
personalities". A radical stance from India suggests: "Ostracise countries that
don't adhere to internationally agreed norms on cyber security, and kick them
off the internet."
A three-step approach suggested by an Icelandic expert: Start by establishing
which practices - i.e. criminal phishing - are universally disapproved of by states,
and erect defences against them. Then consider which existing international
agreements and standards against economic and civil crime apply. And thirdly,
use the Council of Europe's cyber crime-convention as a legal basis.
From the US, the main message is to go for norms and rules, but also build
trust between parties by joining organisations like FIRST, and by creating
an international body of "key empowered stakeholders representing each
country's interests". "Do not use the UN model, which is entirely ineffective."
"More dialogue at the UN", another says firmly.
Key attitudes
Damage or disruption to critical infrastructure is seen as the greatest single
threat posed by cyber-attacks, with 43% identifying this as a national threat
with wide economic consequences. Some 15% consider cyber-espionage,
along with theft of personal data and intellectual property, as the greatest
threat. A further 10% believe that cyber-attacks damage the credibility of
governments and organisations and our trust in them.
The term cyber-war is considered inaccurate or outright scaremongering by
26% of respondents, while 45% believed it is accurate.
Missile-defence is as important as cyber-defence according to 35%
of respondents. Almost the same number (36%) believe cyber-security is more
important.
In contrast, views are divided between those who think that cyber-security is
as important as border security (45%), and those who see it as less important
(35%).
63% of respondents agree that cyber-security must be protected from budget
cuts while only 5% believe it shouldn't.
Roughly the same proportion (62%) consider that cyber-space is a global
common like the sea or space.
Over half (57%) believe that an arms race is taking place in cyber-space,
while a large majority (84%) see cyber-attacks as a threat to national and
international security, and to trade.
Although almost everyone believes that cyber-security exercises are important,
only a fifth of those surveyed in the private sector have taken part in such
exercises (21% in international exercises and 22% in national exercises).
Over two thirds (67%) see the need for more government regulations in the
private sector.
In both private and public sectors, more than half (56%) highlight a coming
skills shortage.
Section II. Country-by-country stress tests
There is a cyber-security paradox: the less sophisticated and
widespread a country's connection to the internet, the lesser the
cyber-threat. The more services are on line, the higher the risk
of cyber-attack. On the other hand, the countries best prepared
to react to a cyber-attack are those that are cyber and internet
literate.
"The US, the UK, Israel and the Nordic countries are all IT literate," says
Lars Nicander, Director of Cyber-Security at the Swedish National Defence
College. "But if you can defend yourself, you also can attack. Israel, China
and Russia are the most consistently offensive countries."
John Meakin, BP's director of digital security, holds the view that although
China is among the countries to play a more aggressive role in cyber-space,
mainly related to espionage, "it has such a controlled social, political and
economic system that what we label as government, say in the UK or the US,
is not at all the same in China. The spread of activities is much broader."
As a result, Meakin believes the West should engage China and Russia in
a multi-national governmental dialogue. "It isn't the case that in China a
single government department is doing all the bad stuff. By incentivising
these countries to gradually change, we may gradually reduce the number
of attacks."
In the words of Stewart Baker, partner in the US law firm Steptoe & Johnson
who was formerly with the Department of Homeland Security, different
attitudes to the governance of cyber-space in the West and countries like
China and Russia are likely to create problems.
"We in the West are going to face a tough choice because the governments
that don't like free speech on the internet are going to put us in the position
of choosing between free speech and cyber-security," he says. "There is a
conflict there. You can't have a lot of anonymity on the internet and still have
cyber-security. As soon as you start protecting anonymity, you are going to
face hard decisions. I don't think we're served well by the foreign ministries
that say we can have it all."
Most countries have set up national CERTs or teams of IT security specialists
who can respond in case of crisis, and most are engaging or attempting
to engage in constructive dialogue with the private sector which owns the
national critical infrastructure. More and more countries are taking part in
global exercises that allow them to test scenarios and know who to contact
in an emergency.
The governments that don't like free speech on the internet are going
to put us in the position of choosing between free speech and cyber-
security
Stewart Baker
What do CERTs actually do?
"A whole range of preventive measures," explains Freddy Dezeure, head
of the European Commission's inter-institutional emergency response
pre-configuration team. "They see what's happening on the internet,
they inform their clients and maybe protect their systems, and make
sure their constituency is informed." To be a member of the increasingly
important international CERT community means complying with such basic
requirements as accessibility functions and operating procedures.
Most countries around the world are developing or updating national
cyber-security strategies to defend themselves against the variegated forms
of cyber-attack, with some 40 or so cyber-security strategies articulated or
published around the world.
William Beer, Director of Information and Cyber-security Practice at PwC,
has read a number of these cyber-strategies, and he has a warning. "They
tend to contradict the concept of cyber," he says, "which to my mind is
about a global approach to interacting and transacting. It's about looking
outwards. National cyber-security strategies have to be set in a global
context, and they tend not to be."
Almost everyone agrees that with the US, the Nordic countries score high on
cyber-security. "There is a general perception that the further north you go in
Europe the safer your environment becomes," says Danish expert Christian
Wernberg-Tougaard. "The Nordics have a tradition of information-sharing
and transparency. Many public and private sector systems are based on trust."
"Some countries are very good in one domain and others in other domains,"
says Evangelos Ouzounis, an expert at ENISA, the European agency in
charge of expertise and information security. He says it would be very hard
to agree on a benchmarking system. "You can do it at the scientific, technical
and procedural levels, but if you start a discussion with the players it becomes
a nightmare because nobody wants to score underneath the benchmark."
In the even-handed view of Ouzounis, "Scandinavia and Finland have
a higher level of trust than other European countries, but their critical
information infrastructure is more centralised. Germany is better at protecting
its critical information infrastructure, but they're weaker on regulatory issues
because so many players are involved. France has solved a similar problem
by creating the national cyber-security agency ANSSI."
The Netherlands scores high on engaging the private sector and is often
looked at as a model. "Our national laws are all very different," says US
consultant Melissa Hathaway who formerly advised the Department of
Homeland Security, "and these laws can get in the way of an open exchange.
The Dutch have got it right. The Netherlands has recognised that industry
has to help solve cyber-security problems and they set up a middle party
for information exchange. The UK respects confidentiality, and Australia has
codes of conduct. Other countries are taking a more regulatory approach,
like the US and India, and France and China have super-empowered their
government to deal with protection."
The economic crisis isn't helping with investment, with many governments
reluctant to engage new budgets and with research funds generally
shrinking. Training isn't meeting the demand. "There's a big gap between
what the market needs and what universities produce," Ouzounis says.
"Most universities don't produce cyber-security professionals but computer
scientists with little specialisation in security. We need a pan-European
curriculum for cyber-security."
But despite rising awareness in many countries, too many have not yet
understood the cyber-security threat. "For various reasons, they don't have a
sound approach or enough operation capabilities," says Evangelos Ouzounis.
"Different political cultures complicate the scene."
The methodology used for rating various countries' state of cyber-readiness is
that developed by Robert Lentz, President of Cyber Security Strategies and
former Deputy Assistant Secretary of Defense for Cyber, Identity and Information
Assurance. His Cyber Security Maturity Model is a five-step roadmap for
reaching resilience, the ultimate goal for governments and businesses that want
to effectively operate throughout a sophisticated cyber-attack.
The first step to reaching this ideal is to have people applying the basic rules
of hygiene; the next is about using computer network defence (CND) tools
like anti-virus, firewalls, intrusion detection/protection, and strong identity
management (such as electronic signatures); after that come standards and
data exchanges to create a robust and interoperable cyber ecosystem. When
that level has been reached the move is to a more agile defence posture,
with innovative cyber-defences tapping into advanced sensors and intrusion
prevention systems from the host to the gateways.
"It's like the water-tight doors of a ship," says Lentz. "They won't stop the
torpedo entering the hull but they will contain the breach and highlight those
breaches in the command centre with advanced forensics to allow decision-
makers time to assess the damage with minimal operational degradation."
Ultimately, achieving a resilient cyber-maturity level means predictive cyber-
readiness and agility in one's own area and with partners. This involves Supply
Chain Risk Management, and comprehensive education and training, starting
with the ordinary user to the core group of cyber-defenders. Lentz's criteria
have been used for the scores below.
Australia
Government CERT (CERT Australia, since 2010), cyber-security
strategy since November 2009
Score:
Until late 2011, Australia's Attorney General was in charge of cyber-security
policy and of streamlining work between government departments and
setting up information groups to discuss problems like critical infrastructure
protection. However, since December the responsibility is in the hands of
Prime Minister Julia Gillard in a move to consolidate whole-of-government
responsibilities, according to a spokesperson for her department.
Interviewed before the reshuffle, Ed Dawson of Queensland University of
Technology said cyber-security policy involved most big companies, but that
on the downside the private sector is loath to take responsibility and spend
money. A Cyber White Paper, issued in late 2011, focused on how to bring
together the various stakeholders.
"With electricity for instance," Dawson continued, "we have the distributor
saying that cyber-security is the responsibility of the power generators.
It's like they're waiting for an accident to happen." The government has
proposed to partly fund projects in the area of critical infrastructure.
Australia's funding policy on the whole gets good marks. Queensland
University of Technology is currently engaged in two large projects. The first,
co-funded by India (to the tune of l44 million), is researching denial-of-
service attacks. "We're trying to see what sort of attacks are feasible, and we're
developing mechanisms like cryptography to protect against them," says
Dawson. The other is a five-year project on airport security worth lS million.
The Australian Department of Defence's Cyber-Security Operations
Centre (CSOC) provides threat detection and mitigation for government
departments and agencies, and the Department is recruiting an extra 130
cyber-security experts to work there.
The country is also promoting a voluntary code of conduct for ISPs to
educate customers, offer better online protection, and quarantine infected
users. "The problem with voluntary codes is their uneven application," says
Tim Scully, CEO of stratsec and Head of Cyber-Security at BAE Systems
Australia. The Australian Communications and Media Authority has a list of
blacklisted sites, and requires Australian ISPs to filter them.
Communications Minister Stephen Conroy says that the blacklist targets
only illegal sites, but some feel that the scope of the censored content is too
broad. "Selling cyber security regulations is a brave thing for a government
to do," says Scully, citing the public outcry at the government's attempts to
introduce internet censorship to protect children from porn. In a country
where most people are hostile to the idea of carrying ID papers, privacy is
high on the agenda.
Austria
Austria has a national CERT (CERT.at) but no single cyber-security
strategy. Three cyber-security strategy processes are currently being
drafted by the federal chancellery, Interior Ministry and Ministry of
Defence. The country takes part in all CERT communities, including
inter-governmental ones.
Score:
Austria can boast one of the most sophisticated e-governments in the EU,
with the use of digital signatures now widespread across most services. Yet
despite its highly developed service economy, Austria is still working on its
own cyber-security strategy, lagging behind most other EU countries.
Austria may also have been lulled into a false sense of security by its low rate
of malware infection, well below the world average. This is explained in part
by the country's size compared to Germany, but also by the close working
rapport between ISP technicians and CERT.at and the speed at which
internet security policies can be implemented, in part thanks to broadband.
A number of ministries claim responsibility for cyber-security, although the
federal chancellery is its main coordinator. However, legal responsibilities
aren't always clear and this matter is exacerbated by lack of political interest.
"We also lack senior level leadership," says Alexander Klimburg at the
Austrian Institute of International Affairs, an independent research centre.
"Decisions are made, at sub-ministerial level. But without top leadership,
things won't move."
Incidents and threats are handled by CERT.at, but companies are under no
legal obligation to report security breaches. In general, Austria's approach to
public-private partnership tends to rely on methods and tools dating back to
Cold War days, although a programme for protecting critical infrastructure
(the APCIP) should soon bring this up to date.
Austria is rapidly building up bilateral relationships with countries and
international organisations, with emphasis placed on developing regional
partnerships like DACH (Austria, Germany, Switzerland). The country is also
strengthening its army's cyber defence structure; media reports say that
cyber-defence is about to get substantial additional funding with supposedly
over 1,600 soldiers assigned to cyber-security. Analysts predict, though, that
insufficient leadership makes reaching these figures improbable.
Brazil
Brazil has a cyber-security strategy, and a national CERT (CERT.br)
that participates in the informal CERT communities. An
Information Security Department was set up in 2006, and a cyber-
security command in 2010.
Score:
"Brazil has been without a war for generations," says Raphael Mandarino,
Director of Brazil's Department of Information Security and Communications
(DSIC). "We don't see cyber-space as a battlefield. Our cyber-security
system was essentially created to protect internal department infrastructure,
which makes our situation quite different from that of the U.S."
So far, widespread police corruption and lack of legislation to combat cyber-
crime have constituted the country's Achilles heel. A computer crime bill has
been pending in Congress since 2005. In a country where internet banking
is widespread (some 73m people on the internet, with more than half using
online banking), bank Trojans reign supreme. Cyber-attacks on users are
above the world average.
Infrastructure and technology across Latin America and the Caribbean
(LAC) tend to be outdated, and that's still the case in Brazil. Policymakers
know that if the region's largest economy is to be considered a safe place to
do business, the critical national infrastructure, which is mostly in the private
sector, must be better protected. With the 2014 World Cup and the 2016
Olympics looming on the horizon, the pressure is on.
The DSIC is in charge of security in all government departments. "Our main
task," says Mandarino, "is to capitalise on people by training all government
agents. We have 1.5 million servers in the country, and 2,000 people working
on cyber-security in government." His mandate covers the public sector only.
Brazil has been a party since its inception in the UN convention
which is based on a more comprehensive, inclusive discussion
Raphael Mandarino
Despite regular meetings with the private companies in charge of energy,
communications, transport, banking and water, actual progress is slow,
Mandarino says. "We also need to restructure our defence command," he
says, "and we are working hard on producing a command, control software."
The government recently launched the Brasilia-based Centre of Cyber
Defence (CDCiber) to protect Brazil from attack. The big challenge for
CDCiber may be the need to protect private infrastructure, according to
William Beer who is in charge of cyber-security at PwC in London.
With the Organisation of American States (OAS), Brazil is contributing
to a cyber-security culture in South America that also involves technical
cooperation. Brazil has proposed a legal framework on cyber-crime to
replace the Budapest Convention, judged too Euro-centric. "We believe
countries should join a more global convention," says Mandarino. "Brazil
has been a party since its inception in the UN convention which is based on
a more comprehensive, inclusive discussion."
Canada
Canada has a national CERT, a cyber-strategy and participates in
informal CERT communities.
Score:
Canada's Minister of Public Safety Vic Toews launched a Cyber-Security
Awareness Month in October 2011, but despite its ambitious national cyber-
security strategy, the Canadian government's critics tax it with moving too
slowly and not providing enough funding.
"Canada has interesting expertise but those capabilities are not reflected in
government," says thought leader Rafal Rohozinski, who runs the Canadian
SecDev Group. He says the Ottawa government eviscerated the country's
cyber-security programme for budgetary reasons.
In February 2011, government departments and the Canadian Parliament's
network were penetrated and sensitive data stolen. "There's a tendency
here to be suddenly aware of the cyber-bogeyman rather than look at the
problem in its totality," says Rohozinski. He points at Canada's funding of
NGOs as an area where the government has shown efficiency but says
there's a long way to go on the cyber-security front.
Among the challenges Canada faces is the fact that Google has sited one
third of its cloud computing in Canada, which raises issues of copyright laws
and territorial security. "Is the information subject to US law or Canadian
law?" asks Rohozinski. "Who determines the final resting place of jurisdiction?
These are interesting questions."
The government has put "lawful access" legislation before Parliament that
would vastly increase the right of law enforcement to collect intelligence
online, including forcing internet providers to hand over names, email
addresses and telephone numbers of subscribers. The public debate
between "security" and "privacy" is still raging.
China
China has a national CERT, participates in informal CERT
communities, and has a cyber-security strategy.
Score:
It's hard to sort Western prejudices from what China sees as its legitimate
political concerns. One radical and uncontested difference is that China
sees information as a weapon and a threat to regime stability, a different
cultural perspective that leads to different protection measures. The basic
fact is that half a billion people use the internet in China, and that a third of
the country is online.
"The Chinese talk about information-security, we talk about cyber-
security," says Herbert S. Lin, Chief Scientist at the Computer Science and
Telecommunications Board at the National Academy of Sciences, Washington,
DC. "They consider some information to be as big a threat to the country as
an attack on its critical infrastructure. Anything related to information security
that gets done in the name of political stability is a positive thing."
The Chinese talk about information-security, we talk about cyber-
security
Herbert Lin
Says Lin, "The Chinese point out that we too in the West are concerned about
internet content. Child pornography is content and we pass laws against it.
If the West believes in some kinds of content regulation, they say, where do
you draw the line? The Chinese say, you have a view on what should and
should not go on the internet, and why should your view prevail over ours?"
"One of the Chinese government's leading concerns is to work out how to
obtain the economic benefits of an open internet, without sacrificing political
control," says Lin. The government-operated Golden Shield, known in the
West as the Great Firewall of China, blocks some content from entering or
leaving China. The government also has a close relationship with Internet
Service Providers (ISPs).
"In China's political culture, we see a person's privacy as subordinate to
maintaining social order," says Peiran Wang, a visiting scholar at Brussels
Free University (VUB). According to Wang, China's most urgent cyber-security
challenges include "establishing a coherent legal and regulatory system,
and enhancing cooperation between departments. At present, the Ministry
of Public Security, the Ministry of Industry, the Ministry of State Security and
even the military are involved, and they don't communicate well."
According to Russia's Kaspersky Lab, the .cn top-level domain was hosting
almost 20% less malware in 2010 than in 2009. This is thought to be the
result of a new Chinese policy restricting the .cn domain name to registered
businesses. According to the People's Daily, the government is toughening
laws on the way hacking crimes are handled by courts. The security industry,
however, is still in its fledgling years.
China's information warfare and cyber capabilities are little known,
although it has military training centres that include cyber-war training
programmes. There are reports that the Chinese military takes direct
orders from the president but does not report to the civilian government,
the Central Committee. There are other reports of a cyber militia, a "loose
web of cowboy hackers" not formally connected to the military or to the
government, who hack for vaguely patriotic reasons.
But whereas the US has formally stated that it will abide by the laws of war
if it is to engage in a cyber conflict, the Chinese have not made it clear if
they share that view. "I've been told by people who talk to the Chinese at
the senior diplomatic level that the Chinese believe there are currently no
international laws that apply to cyber-war, although this position has not yet
been stated in writing," says Lin.
China belongs to the Shanghai Cooperation Organisation (SCO), a grouping
that links it with Russia and most Central Asian countries, and which has issued
a code of conduct stating the principles they believe should govern the use of
the internet, including the primacy of states. "Among other things, China does
not want US views to shape the use of the internet," says Lin. "They believe
the governments of nation states should be responsible for specifying how
those under their jurisdiction are or are not able to use it."
57
Part Two
Denmark
Denmark has a national CERT, participates in informal CERT
communities, is part of the National CERTs in the EGC group, and
has a contingency plan for cyber-incidents. It does not yet have a
cyber-security strategy.
Score:
Denmark's Defence Intelligence Service is planning a cyber-warfare unit
to protect the armed forces' technology from cyber-attack. Although the
country's security strategy is principally defensive, the army has a '3rd
Electronic Warfare Company' whose aim is to disrupt or exploit enemy
communications. Meanwhile, internet service providers are legally obliged
to report all cyber-security incidents.
'What will our role in the international community look like in the future?
What are our commitments and engagements?' asks ICT specialist Christian
Wernberg-Tougaard. 'Among topics under discussion, should we share our
air force with neighbouring countries more than we do so far? Could we
rent capability from Sweden, for example?'
Wernberg-Tougaard is chairman of the Danish Council for Greater IT-
Security that was set up four years ago. Before, internet security issues
were spread out between different ministries and stakeholders. Now the
independent group of researchers, and public and private sector companies
tries to bring a holistic approach to the change from an analogue to a digital
service society. 'We've had a big impact on the mindset of the country's
policy agenda,' claims Wernberg-Tougaard.
'One of the good things about Danish society,' he explains, 'is that we
digitised very early on, in the early 1960s. Every child is assigned an ID
number (CPR number) minutes after birth. Within two hours you can find
this number in more than 30 systems, automating interaction with the home
nurse, the paediatrician and child benefit.' The system has its weaknesses,
as the risk of privacy intrusion is increased by the relative age of the systems
and increasing theft of CPR-numbers.
A working-group on 'IT-security Beyond Borders', under the auspices of the
Danish Board of Technology (DBT), has developed recommendations to improve
IT-security, and make the country a world model. So far, groundbreaking work
has been done in the area of child protection, ISP providers have formed an
alliance to battle child pornography and jointly close down sites and enable
police to carry out investigations, using a joint codex.
Every year, the Minister for Science, Technology and Innovation (since the
change in government in 2011, this is now split between several ministries)
submits an IT and Telecommunications Policy Report to Parliament. But on
the whole, law enforcement is under-funded and under-resourced and
concentrates more on old-style police investigations than cyber-crime.
Denmark is to take part in the 'Nordic Resource Network' which seeks to
improve cyber-defences.
Estonia
Estonia has a national CERT since 2006 (CERT-ee) and a cyber-
security strategy (since 2008). The country participates in informal
CERT communities, and in the EGC Group of national CERTs.
Estonia takes part in cyber-incident exercises.
Score:
The massive denial-of-service attacks against Estonia in 2007 alerted the
world to what a cyber-attack might look like, although the consequences
were not nearly as bad as the international press suggested. 'The banks
quickly handled the situation,' says Jüri Vain of Tallinn University. 'The
90-minute block-out was fatal to no one.'
Many countries are now looking to Estonia for cyber-security leadership,
even if Canadian expert Rafal Rohozinski stresses that 'Estonia is really too
small a country to be a case study'.
But it is clearly easier to get organised in a small country, and Heli Tiirmaa-
Klaar, a senior advisor on cyber-security at Estonia's Ministry of Defence,
says they coped very efficiently when put to the test. 'We limited the damage
by limiting connectivity to the outside world,' she says.
The public sector quickly analysed and patched up the holes, and banks
have since further increased security, electronic signatures, backup systems
and firewalls. The defence of critical infrastructure is now very much top of
the agenda, and with 7S% of it in private hands, much emphasis is being put
on private-public partnerships.
'We'd been building resilience long before the attacks took place,' says
Tiirmaa-Klaar. 'Our new crisis management system is pushing for a public-
private dialogue based on a voluntary approach. We are keen both to
protect our way of life and to protect our business interests.'
Tiirmaa-Klaar, who led negotiations with private sector leaders in 200S,
stresses that not only is coercion unnecessary, but that general awareness
in Estonia is much higher than in other countries. 'Even retired people have
long been using computers,' she says. 'We have such a low population
density that everyone needs internet access.'
The country has very secure national authentication services, which require
two electronic signatures (the only other country to do this is Israel). It plans
to update its cyber-security strategy in 2013.
'This will involve substantial reworking,' says Jaan Priisalu, who heads
Estonia's Information Systems Authority. He is also behind the Cyber
Defence League, set up in 2009, a voluntary body of civilians who engage
in defence exercises.
Estonia remains a fast-developing information society, and the first country in
the world to have used e-voting in Parliamentary elections (in 200S). Since
2011, cyber-security is in the hands of the Ministry of Economic Affairs and
Communication (MEAC), and its two main agencies: the Department of State
Information Systems (RISO), and the Estonian Informatics Centre (RIA). NATO's
Cooperative Cyber Defence Centre of Excellence is also based in Tallinn.
As elsewhere, funding and resources are in short supply. 'If you live in Japan,'
says Tiirmaa-Klaar, 'you invest in safety measures against earthquakes.
We have to do the same. Europe is a seismic region in cyber terms.' Not
surprisingly, Estonia has also been a frontrunner in promoting international
cooperation, and has cyber-defence cooperation agreements with the Baltic
and Nordic states.
If you live in Japan, you invest in safety measures against
earthquakes, and Europe is a seismic region in cyber terms
Heli Tiirmaa-Klaar
THE EUROPEAN UNION
The 27-nation European Union has no single approach to cyber-security, as
this is currently handled by member states. Responsibilities are national, but
EU institutions and bodies like the European Commission, the European
Parliament, the European Council, the European Central Bank, the European
Court of Justice and 55 others are working on setting up their own inter-
institutional CERT, rather like a national government CERT. At present, this
CERT is represented by a pre-configuration team.
Freddy Dezeure is the head of this inter-institutional computer emergency
response pre-configuration team (CERT-EU). 'We're not aiming to protect all
citizens in Europe or to coordinate the other CERTs,' he says. 'Our scope is
limited to the EU institutions, bodies and agencies. We want to become the
glue, the catalyst to initiate new systems and foster information exchange.'
Although they started only recently, Dezeure says this inter-institutional
CERT is ambitious. 'Some EU member states already have very advanced
and sophisticated CERTs,' he says, 'and we have to aim to be among the best
governmental CERTs. It would be very arrogant of us to go to the UK, for
instance, and suggest they do things differently.'
'Technology develops very quickly and we have trouble following up with
policy,' says Evangelos Ouzounis, Senior Expert at the Crete-based
European Network and Information Security Agency (ENISA), the EU's
centre of expertise. 'Over the last two or three years,' he says, 'there have
been tremendous developments at member state level, and pan-European
level policy is also catching up. We're working towards a technology-neutral
strategy, something where the technology can change but not the policy.'
The EU has 140 national CERTs, with some countries, like the UK, having both
a national and a governmental CERT. The operational CERTs with international
visibility can join the informal European Government CERT peer group known
as EGC that is developing cooperation on incident responses between member
states. Ten member states belong to the group, and ENISA is helping the others
get up to scratch through trust development, says Andrea Servida of the
European Commission's Information Society and Media Directorate General.
ENISA, which has an inventory of private sector, academic and governmental
CERTs across Europe, is helping to spread good practices and to establish
standard baseline series, like a guidebook. In November 2011, the European
Union held its first joint cyber exercise with the U.S., which ENISA facilitated.
In 2010, ENISA helped member states carry out the first pan-European cyber-
security exercise. In 2011, the EU ruled that member states have to report
incidents to ENISA on a yearly basis. 'This is important,' says Ouzounis. '2012
may see the first reports. We want to work together to develop a common
approach that will create more insight into what's going on.'
But as ENISA's technical department head Steve Purser stresses, much work
at ENISA is spent on educating citizens to the fact that cyber-security is crucial
to tomorrow's security. 'When you walk down the street, you won't answer
personal questions from a stranger. In the electronic world, people don't exert
the same kind of prudence. Security requires people to behave the same way
in the electronic world as they do in the real world.'
Technology develops very quickly and we have trouble following up
with policy
Evangelos Ouzounis
For Gerrard Quille, Specialist in Foreign Security and Defence Policy at the
European Parliament, the Parliament's top priorities include how information
technologies and human rights can work fruitfully together, and how cyber-
security and internet freedom fit into the EU's foreign policy debate.
Things are also moving on the cyber-crime fighting front, with next year likely
to see the opening of a European cyber-crime centre, and the coordination of
online internet crime reporting in EU member states.
Victoria Baines, strategic advisor on cyber-crime at the EU's law enforcement
agency Europol, stresses that a feasibility study is under way and that Europol
hopes its conclusions will be to host the cyber-crime centre in The Hague,
building on Europol's IT infrastructure in the city. Last year, Interpol set up
two strategic partnerships: it joined the Virtual Global Taskforce (VGT)
of agencies dealing with child abuse online, and it is now the strategic law
enforcement partner in the International Cyber-Security Alliance (ICSPA), co-
founded by McAfee, Visa and others.
Finland
Finland has a national CERT (CERT-Fi), participates in informal
CERT communities and is an active member of the European
government CERTs Group (EGC). The country also engages in
regular cyber-incident exercises in the public and private spheres.
Score:
In 2011, the Finnish government announced plans to invest heavily in
developing an arsenal of cyber-defence weapons, such as worms, malware
and viruses, to protect military, government and private enterprise networks,
as well as the country's critical infrastructure.
'The idea of a defence strategy based on attack as well as defence is still
taboo,' says Timo Härkönen, director of government security in the Finnish
Prime Minister's Office. 'The public debate on the 'counter-punch' has only
just started.'
The 2007 attacks on Estonia were closely monitored. Some sites in Finland
were also affected. Finland, like the other Nordic countries, is highly
connected and has been since the 1990s. By 2015, Finland aims to be the
world leader in information security.
One of the liveliest debates is about the preliminary report for the country's
cyber-strategy due to be ready by the end of 2012. 'Right now, too many
authorities are in charge of too many systems,' says Härkönen. 'We need a
common system or a limited number of systems so as to avoid fragile areas.'
Härkönen's view is that the open government network doesn't present a great
security risk. 'Much of the information there is aimed at the general public.
We simply have to accept that it will be attacked and invest in protecting
more sensitive networks like those of the police, border guards and defence
forces, and the government's own confidential network.' In 2013, Finland
will have a common secure network for all these authorities.
The Finnish mobile telecom operators have adopted a code of conduct
ensuring basic protective measures for mobile phone content. Finland
has a long and solid tradition of public-private partnerships, supported by
the National Emergency Supply Agency. As for international cooperation,
Finland fares well with active links to Nordic and Baltic countries. The
effective national CERT has an automated service that collects and reports
information security incidents.
France
France has a national CERT (CERTA), and participates in the
informal CERT community and in the EGC inter-governmental
group of CERTs. France has had a cyber-strategy since 2011 and
takes part in cyber-incident exercises.
Score:
'We're living in times that recall the 19th-century scientist Louis Pasteur,'
says Patrick Pailloux, Director General of the French Network and
Information Security Agency (ANSSI), the national cyber-security authority
under the Prime Minister. 'That's when doctors started washing their hands
and sterilising equipment, realising that they could no longer do things any
which way. The same now applies to internet security.'
Were living in times that recall the 19th-century scientist Louis
Pasteur, when doctors started washing their hands and sterilising
equipment. The same now applies to internet security.
Patrick Pailloux
ANSSI has been up and running since 2009 to protect France's public
systems cyber network. 'Our first task is to develop cyber-defence operational
capacities, including rapid intervention after attack,' says Pailloux. 'The
second is to improve the protection of our national critical infrastructure.'
Pailloux says that not enough engineers and IT specialists practice the most
basic 'rules of hygiene' when using the internet, and that too few company
directors even know what these are. 'It's a big, big problem,' he says. 'Not
just in France but worldwide.' He believes the massive attacks in March
2011 on the ministries of Budget and Finance acted as a wakeup call to
private companies.
Olivier Caleff, an analyst at the Devoteam consultancy, agrees about the
lack of specialised staff working on cyber-security in government agencies
and the police, but on the plus side, he argues that France has excellent
security methodologies. 'We have access to a lot of products from many
countries. Our problem is that although larger companies are growing
increasingly aware of cyber-security, smaller companies are not doing
enough.'
Some problems are linked to jurisdiction. 'Over the last three years France
and Belgium have seen a big increase in unsophisticated phishing attacks
from North Africa against banks,' says Jean-Michel Doan, cyber-crime
analyst at Lexsi Innovative Security. 'We try to put all the banks together
around a table to make a joint complaint, but the problem in a case like this
is law enforcement in North Africa.'
Pailloux believes the best way to overcome private companies' resistance
to security problems is to create an interface between the government and
private companies. 'We need such a body to look at whether there should,
for instance, be a legal obligation to report incidents. So far in France, the
telecoms have to report incidents, but so should the 12 sectors of critical
infrastructure.'
'France has a highly centralised system,' Pailloux explains, 'with a single
agency in charge of cyber-security, which is both an advantage and a
disadvantage. On the one hand we have good inter-ministerial connections,
on the other there's too few of us.' Some 200 people work for ANSSI at
present, with 360 promised by the end of 2013. France's ambition is to
be among the global powers in cyber-defence, and is so far engaged in
bilateral relations with Germany, the US and the UK.
France has controversial policies on internet censorship. Its loi Hadopi of
2009 allows internet service providers to monitor French users for copyrighted
music and videos. Users who don't respond to the ISPs' warnings can be
taken to court.
Germany
Germany has a national CERT (CERT-bund), and a cyber-security
strategy since 2011. It is also a member of the EGC group of
government CERTs and participates in cyber-incident exercises.
Score:
Germany's solid engineering and safety culture has given it a headstart in
cyber-security. 'But our problems are the same as everyone else's,' says
Sandro Gaycken, a professor at the Berlin Free University. 'There aren't
enough people teaching security, and there's not enough focus on inter-
disciplinarity.'
Unlike most other countries, Germany hasn't been hit really hard by the
economic recession. Nevertheless, private companies are loath to invest
in cyber-security and recently little additional government funding has
gone into cyber-defence, despite the unsettling fact that Germany topped
Europe's cyber-crime list in 2011.
'Companies still don't know what the loss of intellectual property means,'
Gaycken says. 'The attitude is 'What do I care if China steals my intellectual
property?'' On the other hand, according to ENISA expert Evangelos
Ouzounis, Germany was an early starter in 200S at protecting its critical
information infrastructure, even if the regulatory system is complicated by
the number of agencies at federal level: the three main players are the
telecoms regulator, the Ministry of the Economy and the Interior Ministry.
Another early start for Germany is its central cyber-protection organisation,
the Bundesamt für Sicherheit in der Informationstechnik (BSI), which has
been around for 20 years. The country's cyber-security strategy, set up in
2011, includes a new Cyber Defence Centre and a National Cyber-Security
Council to promote better cooperation between the seven federal agencies
involved in cyber-security.
The current German debate is very much how to urge private companies
to better protect their systems. With Berlin's plans to invest in a new smart
energy grid, this is all the more urgent. As elsewhere, critical infrastructure
in Germany is mostly in private hands, but the nuclear sector is suffering
growing problems, and the water companies are fragmented: some are
mechanical, others are IT connected. 'More protection has raised the
question of compensation for the investment,' says Gaycken. 'Or must these
companies raise their prices significantly?'
Germans have painful memories of surveillance both during World War
Two and in the former GDR in East Germany, so they tend to be sensitive
about privacy issues. The German media is therefore very sceptical about
surveillance, and there have been public demonstrations against introducing
CCTV cameras.
In 2008, the constitutional court in Karlsruhe ruled on the security versus
privacy question that the security forces may only infiltrate computers with
Trojan malware in very specific cases. The German hacker foundation,
Chaos Computer Club (CCC), claims to have analysed spying software
used by the government and come to unsettling conclusions. 'This spyware
was doing more than allowed,' says one-time hacker Florian Walther, now
IT Security consultant at Curesec. Discussion is ongoing among politicians
and in the media.
India
India has a national CERT (CERT-in, since 2004), a crisis
management plan and is setting up a Cyber Command and Control
Authority. A draft of a national cyber-security policy is under
discussion.
Score:
'In India, we went straight from no telephones to the latest in mobile
technology,' says Cherian Samuel of the Institute for Defence Studies
and Analyses (IDSA) in New Delhi, 'and the same with internet-connected
computers. They came in all of a sudden, and no one was taught even the
basic facts about cyber-security.'
India stands fifth in the worldwide ranking of countries affected by cyber-
crime, although it should be emphasised that these figures are extrapolations.
Much of its vulnerability is explained by widespread computer illiteracy and
easily pirated machines.
The premium on internet privacy in India is low, and data control therefore
tends to be neglected. This is another reason for the success of phishing
and other scams. 'People in India have to understand basic security like
pin numbers and passwords,' says Kamlesh Bajaj of the Data Security
Council of India (DSCI), an organisation promoting data protection. The
government is taking a two-pronged approach: teaching best practices to
prevent attacks, and helping capacity-building to handle incidents when
attacks happen.
India is acutely aware that cyber-crime is bad for its reputation as a country
where foreign investors can do business, and has been investing heavily
in cyber-security. But it still lacks a single operator to control the internet,
telecoms and power sectors, and even if CERT-in is the official coordinating
authority, a multiplicity of other agencies are still involved.
As more and more financial service companies set up their back office
operations in India, the authorities know the problem of controlling cyber-
crime has to be addressed urgently. On the plus side, India has developed
valuable experience in dealing with compliance regulations from around
the world with the IT Amendment Act of 2008 that established strong data
protection.
'These companies have a broad culture of security practices,' says Bajaj.
India complies, for instance, both with the US and the UK's data protection
acts. The DSCI is currently designing a security framework to compensate
for the shortcomings of the ISO 2001 standard. It has also developed a
Privacy Framework based on the international Privacy Principles.
The main challenge now for India is to train and equip its law enforcement
agencies and judiciary, particularly outside big cities like Delhi, Mumbai
and Bangalore. 'Training and awareness must expand to cover the whole
country,' says Bajaj. 'At DSCI, we've developed training and investigation
manuals for police officers. We have trained more than 9,000 personnel
of local education authorities and the judiciary on cyber-security. The
programme will soon be a national programme supported by the Ministry
of Home Affairs.'
Israel
Israel has a national CERT, participates in the informal CERT
communities, has a cyber-strategy and a cyber command.
Score:
'Cyber-security is not about saving information or data, but about something
deeper than that,' says Isaac Ben-Israel, senior security advisor to Prime
Minister Benjamin Netanyahu, and a professor at Tel Aviv University. 'It's
about securing different life systems regulated by computers. In Israel, we
realised this 10 years ago.'
He notes that Israel sees 1,000 cyber-attacks every minute, but that there is
a hierarchy of threats. 'The hacktivist group Anonymous carries out lots of
attacks but they don't cause much damage. The real threat is from states and
major crime organisations,' he says. Israel is formulating national policies to
actively respond to cyber-attacks.
Last year, Ben-Israel headed a cybernetic task force that submitted
recommendations to the government. Among the report's suggestions was
the setting up of a cyber authority, the establishment of research centres and
increased cooperation between the government, business and academia.
In 2002, Ben-Israel explains, Israel drew up a list of 19 major infrastructures,
including power production, water supply, banking and so on. 'We faced a
legal problem, how do you force the private sector infrastructure to protect
themselves against cyber-attack? So we changed the laws. The level of
interference of government in the private sector is a dilemma.'
Nevertheless, Israel believes that the critical national infrastructure isn't
adequately protected against cyber-attack. Although it is generally assumed
that the Stuxnet virus that disabled the centrifuges at the Natanz nuclear
plant in Iran was a joint US and Israeli design, neither country has officially
acknowledged this.
Israel has a building law whereby any new house or apartment has to
have a room that is bomb-proof. 'People accepted this law because of our
experience of scud missiles in 1991. The threat was real and people felt it
was real. It would have been unimaginable to establish the Patriot Act before
9/11. Once people in the street realise that terrorism is very real they accept
things.'
'Cyber-attacks are not just a technological problem but also legal,
political and societal problems,' says Ben-Israel. Following his task force's
recommendations, Israel is implementing a five-year plan to place itself in
the global cyber-security lead, including investment in R&D, the setting up
of a super-computer centre, boosting studies in cybernetics and encouraging
industry to develop new technologies.
Ben-Israel claims that Israel is a model for effective collaboration between
industry, defence and academia. 'We have a legal framework to tell private
industry what measures to take to secure the power, water and banking
systems.' But though he says Israel is in better shape than most countries in
this area, 'if you look at the threat potential there is still a lot to do'.
Italy
Italy has a government CERT with insufficient funds to operate on
a global scale. It takes part in cyber-incident exercises, but does not
yet have a well-defined cyber-security strategy.
Score:
'Politicians in Italy tend to be more emotional than rational, and they don't
understand how to measure cyber-security problems,' says expert Stefano
Trumpy of the Institute for Informatics and Telematics at Italy's National
Research Council (CNR). 'They need to be educated about cyber-security
threats and to learn how to define them clearly.'
Italy's vulnerability is still unclear. In July 2011, hackers from the group
Anonymous broke into one of the country's cyber-crime units, the National
Computer Crime Centre for Critical Infrastructure Protection (CNAIPIC),
releasing documents about government offices in Australia and the US, as
well as companies like Exxon Mobil and Gazprom.
The country still does not have a single body for coordinating national
security, although the Ministry of Economic Development coordinates
the development and implementation of the national information security
strategy. In 2003, the ministries of communications, justice and internal
affairs created a group to study the security and protections of networks, but
this body has no legal authority.
The administration's efforts to combat cyber-threats are not uniform.
Although Italy has a good contingency plan for civil protection in case of
floods or earthquakes, it doesn't have one for cyber. 'We lack investment
that would allow general capacity building,' says Trumpy. 'Users and even
the computer suppliers haven't been educated to protecting their machines.
Most of the problems are connected to the security of personal computers
used for malicious purposes.'
Computer crime is reported to the Public Prosecutor (Procura della
Repubblica), who directs investigations and delegates to the relevant police
departments. Italy has issued laws for the protection of minors and against
online gambling, but cases are rarely prosecuted.
Japan
Japan has a national CERT (JPCERT/CC), a cyber-strategy and
participates in the informal CERT communities. Its cyber-security
centre is the National Information Security Centre (NISC), part
of the Cabinet Secretariat. In the Asia Pacific region, JPCERT/CC
plays a key role in the Asia Pacific Computer Emergency Response
Team (APCERT). It is a member of Forum of Incident Response and
Security Teams (FIRST).
Score:
In Japan, recovery from the March 2011 earthquake and tsunami remains
the No.1 priority, and cyber-security is not at the top of the agenda. In the
summer 2011, information systems at Mitsubishi Heavy Industry (MHI), the
military equipment suppliers to Japan's Self-Defence Forces, were attacked,
increasing awareness of the threat and raising cyber-security on the
government's priority list. A number of measures to protect critical national
infrastructure and leading industries are being put in place.
Yet funding is on the short side. 'We have to put a lot of money into
preparedness for natural disasters,' says Suguru Yamaguchi, a former
advisor on information security to the Japanese government and professor
at the Nara Institute of Science and Technology. 'As a result, the budget
for defence is limited and cyber-security is not a top priority in the five-
year programme to improve our defence capability.' Furthermore, Japan's
Self-Defence Forces are not legally in charge of protecting non-military
information systems.
'Awareness raising is not enough to support the cyber-security policy
agenda,' says Yamaguchi. 'The general public supports law enforcement
for cyber-crime and capacity building of the National Policy Agency for
investigations. They are not so keen on the Defence Ministry's cyber-defence
programme.'
We have to put a lot of money into preparedness for natural disasters.
As a result, the budget for defence is limited and cyber-security is not
a top priority.
Suguru Yamaguchi
apan is a highy vired cc.ntry Cver /0% c hc.sehcds and cver 9S% c
cces are ccnnected tc the internet, and mcbie phcnes are videspread
vith mcre than 93% c pecpe .sing them n 20!0, the b.siness-tc-
ccns.mer e-ccmmerce market vas estimated at abc.t Yen S triicn (!00
bn, nd.stria espicnage targeting gcba rms ike Scny, Panascnic, Tcycta,
Hcnda and MH is a seric.s ccncern
l p.bic-private partnership (PPP, ramevcrk cr cyber-prctecticn vas
devecped in 200o as part c the cyber-sec.rity master pan, and sc ar
deas vith !0 critica inrastr.ct.res 'We have very gccd PPP in apan, says
Yamag.chi 'The gcvernment reg.ary .pdates it, and the private sectcr is
very m.ch invcved in the disc.ssicns and prccesses, athc.gh diacg.e
cc.d be imprcved .rther
Cccd ccabcraticn betveen gcvernment and ind.stry has enabed
varic.s meas.res cr internet hygiene Since 200o, the mavare cean-.p
prcject Cyber Cean Centre (CCC,, a ccabcraticn betveen SPs and the
gcvernment, has been identiying and ceaning .p mavare-inected PCs
lmcng the hct debates in apan is the cyber-deence rce c apans Se-
Leence Fcrces The debate resembes that in the US, athc.gh it is .nikey
that the army in apan vi vcrk vith cther gcvernment agencies cr the
private sectcr, apart rcm the arms ind.stry 'The debate is very ccmpicated
70
Cyber-security: The vexed question of global rules
in terms c ega str.ct.re, the dening c the Se Leence Fcrces missicns
and its cnger-term prcgramme, Yamag.chi expains
The cther cngcing debate invcves pans tc intrcd.ce an extensive L system
by 20!3-!S, and hcv tc prctect that system 'With ear c cyber-attacks
rcm inside and c.tside apan, vhat dc ve dc tc ens.re citizens privacy
Yamag.chi asks The prcgramme cr intrcd.cing digita Ls cr a residents
has a.nched a ivey p.bic debate invcving activists, experts, gcvernment
ccias and av-makers
A third issue under discussion is the role of the intelligence services in
Advanced Persistent Threat (APT), or state-sponsored attacks. "Ever since
World War Two, Japan's intelligence services have worked on their own. Many
people in government today feel it's time for intelligence to work with other
agencies." Despite this, collaboration between the different communities is
good. "Government funding for cyber-security research is increasing every
year," Yamaguchi says.
On the international stage, the Japan-US defence alliance is effective.
Japan-ASEAN hold an annual Information Security Conference, and a
China-Japan-Korea (CJK) framework coordinates cyber-policy between
those countries.
Mexico
Mexico does not have special rules to combat cyber-crime, but
applies the existing legal framework contained in the Federal
Criminal Code (or FCC).
Score:
"In Mexico, we always face the same challenge, and that's the thin line
with the physical world," says Mexican researcher Jesus Luna who works
for the Deeds group in Germany. "If you're at an automatic cashier and a
man points a gun at your head you give him the money, no matter what
IT security measures have been adopted. A lot of problems in Mexico are
related to corruption."
The Mexican government is fighting a fierce war against the drug mafia,
which often has the better technology. State officials are relatively guarded
about the country's cyber-strategy, and are slow in setting up regulations.
"You have so many everyday challenges," says Luna. "When I was working
with the central bank there, we created new technologies to try to bridge
the gap between physical and technological security, and that wasn't easy."
"From a technological perspective, we could come up with solutions to
cope with issues at customs at the US border," says Luna, "but officials are
afraid of implementing X-rays and biometrics, because they feel they would
be putting their lives at risk. People are scared of implementing security
mechanisms. They don't feel protected by the government or by police and
this is going to take several years to resolve."
The hacktivist group Anonymous attacked several Mexican government
websites in September 2011, putting them out of service intermittently over
one day. The attacks were meant to highlight increased concerns about
insecurity and violence. "No one took that very seriously," says Luna. "The real
problem is out on the streets. Drug cartels are killing bloggers. It's that stark."
NATO
NATO's Lisbon summit in 2010 stressed the growing importance of the cyber
domain for the Alliance. The Strategic Concept committed to further developing
NATO's ability to prevent, detect and defend against cyber-attacks, by bringing
NATO bodies under centralised cyber protection and promoting better
coordination between member countries. NATO runs regular cyber exercises.
Every member of NATO's 28-member Alliance is in charge of its own
cyber-security. NATO itself doesn't intervene in this area, even if according to
Lithuania's Ambassador to NATO Kestutis Jankauskas, every other word
these days at NATO seems to be cyber. According to Suleyman Anil, head
of its Computer Incident Response Capability Coordination Centre, NATO
countries show different levels of capability according to national resources.
NATO's modest cyber investment involves securing its own network, and
identifying critical infrastructure at headquarters and agencies around Europe.
In 2008, NATO set up the Cooperative Cyber Defence Centre of Excellence
in Tallinn, Estonia, which studies incidents and techniques, and coordinates
efforts between NATO members to defend against cyber-attacks and to react.
NATO does not engage in global discussions about codes of conduct or
international treaties. "We believe that consultation is the best deterrence,"
says Anil, "and that a lot can be achieved by increasing information sharing."
The Tallinn Centre's Director, Colonel Ilmar Tamm, believes that "before
creating new laws, we must first try to apply existing legal instruments to
the new conditions. For example, two bodies of international law, the jus
ad bellum and the jus in bello (the latter also known as the Law of Armed
Conflict), are not likely to be updated for cyber," he says. "Instead, we need
to study and understand how to apply them in cases where armed conflict
includes cyber-attacks. Experts on international law are working on this right
now, and their research will be published as the Tallinn Manual in the second
half of 2012."
NATO expects member nations to share cyber information with other members,
with NATO providing communication systems support. The organisation also
determines what information can be shared, and what non-member nations can
know. These days, even NATO is owning up to cyber-attacks. "We were hacked
by the hacktivists of Anonymous in 2011," says Jamie Shea, NATO's Deputy
Assistant Secretary General for Emerging Security Challenges, "and although
they only got into low-level restricted documents, they got a lot of publicity out
of it." NATO is reportedly considering the use of military force against nations
that launch cyber-attacks against other member states, including attacks
against critical infrastructure.
"The challenge was for NATO to put its money where its mouth was," says
Robert Bell, the US Secretary of Defense's Representative to Europe, "and
we're on track. We set up the Tallinn centre and our next goal is to protect
critical infrastructure, the vital utilities we rely upon." NATO is also taking
a lead in identifying standards that strike a balance between security and
affordability. NATO will be gathering its agencies and commanders under a
single cyber-defence roof by the end of 2012.
The EU is a key partner, and in recent months staff level talks have intensified.
NATO looks to the EU as the regulating body and to the UN for norms of
behaviour. "We have an effective level of staff discussions," says Bell. "It would
be helpful if we could go beyond that and have institutional cooperation, but
that's not possible because of the continuing political split between Cyprus and
Turkey." NATO's main role, as Anil puts it, focuses on collective security and
crisis management.
"NATO countries need to share the same standards," says Bell. "It's in part
about money but not all about money." In these difficult fiscal times, NATO
governments are struggling with their defence funding. As far as NATO is
concerned, the compilation of cyber-incidents highlights two main problems.
"The first is about outsiders trying to get in," says Bell. "The other is the
workforce inadvertently putting classified information onto systems."
The Netherlands
The Netherlands has a national CERT (GOVCERT.NL), coordinates
with other CERTs and is a member of the inter-governmental CERTs
group (EGC). The country participates in cyber-incident exercises
and has had a cyber-security strategy since 2011.
Score:
The Netherlands is often cited as a cyber-security model, particularly for the
exemplary relationship between the private and public sectors. Last summer,
the government published a National Cyber-Security Strategy (NCSS) and
installed a Cyber-Security Council to act as a platform for cyber-exchange
and coordination between public sector and private companies that are part
of the critical infrastructure. January 1, 2012, saw the launch of a National
Security Centre.
"In the Netherlands, we've gone for a fairly bottom-up process," says Erik
Frinking, Director of the Strategic Futures Programme at The Hague's
Centre for Strategic Studies.
The attack on the certification authority DigiNotar in June 2011, most
probably by Iranian hackers, pushed cyber up on the political agenda. As a
result of the attack, DigiNotar lost its biggest client, the Dutch government,
and filed for bankruptcy three months later.
Elly Plooij-Van Gorsel, Founding Chair of the European Internet Foundation
(EIF), former Vice-President of the European Parliament and member of the
Governmental International Advisory Council (AIV), was one of the authors
of an advisory report to the government on cyber-security in foreign affairs,
security and defense policy, published in January 2012, that demands an
international code of conduct, and better information sharing at both civilian
and military levels.
"The question is how far as a state can you intervene? What are the threats?
How real are they?" she asks. "We need good early warning systems, good
intelligence and much better information sharing. Our problem is that we are
all reinventing the wheel, and that's the big impediment to global security.
Cyber-attacks are borderless, so we have to cooperate and coordinate,
starting within the EU."
The new cyber-security strategy is also under debate, says Frinking.
"Everyone agrees it's not really a strategy," he says, "but more a short-term
action plan with a combination of activities that seem important right now. It
lacks an overall framework and a more conceptual idea of what is going on."
Despite its effective public-private partnership, the Netherlands has a
number of weaknesses. One is that cyber-security is fairly decentralised. "We
need better coordination for a more focussed approach," says Frinking. "At
present, the money is shared out between too many different departments."
Frinking also considers a lack of international outlook as another Dutch
weakness, even if this is shared by most countries. "A lot still needs to be
accomplished at multilateral and international levels, and in EU forums. If
something happens at national level that comes from foreign sources, how
does the government position itself? Who does it call upon? What interests
does it want to defend? We don't really know."
On the balance between security and privacy, Frinking says the hardest
debate is still to come. "We've organised discussions on this issue at our
institute to try to think differently about privacy. These are not good days for
privacy proponents. They are put aside fairly quickly in the debate." The
urgent issue, he says, is to raise awareness with the common users. "I am
flabbergasted by the naivety of some people on the internet, although we
are seeing more and more public campaigns to change that."
Poland
Poland has a national CERT (CERT.Polska) and a government CERT
(CERT.gov.pl). It takes part in the informal CERT community and
in cyber exercises, but does not yet have a cyber-security strategy.
Score:
Polish analysts say the country's younger generation is increasingly
connected, and that Poland can claim to be the most technologically
advanced country in Central Europe. "Much yet needs to be improved,"
says Janusz Gorski, head of the software engineering department at the
University of Gdansk, "but the debate has started."
The CERT community is well developed across the country, with responsibility
for fighting cyber threats in the hands of the government CERT. A
cyber-strategy is currently being set up. The national and government CERTs use
an early-warning system that doesn't have access to private data because
the sensors are installed outside the private networks. Many Poles are
concerned with the rapid growth in internet financial crime. In the first half
of 2010, law enforcers initiated SS! proceedings; by 2011, that figure had
jumped to 1,220.
Gorski feels strongly, however, that Poland lacks public awareness and
education. Young people aren't choosing to study cyber-security. "Students
are interested in the subject," says Gorski, "but they don't see a career in
it." As in most countries, funding is insufficient and the economic crisis isn't
helping.
The debate, Gorski believes, is based more on scare stories in the media
than hard facts or good communication between the technological people
and decision-makers. The public-private partnership is not strong and is
hindered, in Gorski's words, by "a great deal of corruption".
As in other central European countries, citizens feel strongly about privacy
issues. "People here are keen on their privacy but they don't yet see the
connection with cyber-security," explains Gorski. "They don't know how
much data is in the public space."
Poland is an active player in international exercises. In 2010, the country
participated in Cyber Europe 2010, the first pan-European exercise on the
protection of critical information infrastructure. Poland also took part in the
13th Nato Cyber Workshop in Tallinn in 2010.
Romania
Romania has a national CERT, takes part in informal and formal
CERT groups, has a cyber-security strategy, and engages in cyber-
exercises.
Score:
Romania has been rapidly catching up on the cyber-security front. Where,
not long ago, the country was a haven for cyber-criminals because of a lack
of legislation, now the police has been doing a good job at getting things
under control. In 2011, cyber-crime prosecutor Ioana Albani was awarded
the title of Prosecutor of the Year for the number of arrests and prosecutions
she successfully conducted.
Nonetheless, resources are scarce and awareness among the common user is
low, says Aurel Sima, a cyber-security expert who has been carrying out an
extensive audit on his country's critical national infrastructure. The European
Union has been funding a number of cyber-security infrastructure-building
projects in Romania, which should see an improvement in the situation within
the next five years, but the public-private partnership is still immature. The
government is planning to implement a nation-wide cyber-security policy.
EADS is planning to open two competence centres in 2012, one for
cryptography and the other for cyber-security. IBM is opening a systems
laboratory in Bucharest, the first European site for developing IBM switches
and networking hardware and software, and Hewlett Packard has plans
for a security development facility. The reason, says Sima, is that Romania
scores high on technical knowhow. The state encourages IT development,
with a 10-year-old policy of tax breaks for companies that hire internet
programmers. "A lot of well trained Romanians have worked abroad for
Google, Yahoo and others, and they're coming back with lots of expertise,
having earned the trust of big companies."
Romania is among the top 10 countries for broadband internet speed,
and more and more people are using the internet. Sima says this is partly
explained by the high level of emigration. "Three million Romanians work
abroad," he says, "and the internet is an affordable way for them to stay in
touch with people back home. This has greatly helped internet penetration."
After years of dictatorship, Romanians love their privacy. "We've been there
before," says Sima. "We know how bad it is when governments intercept
calls and communication." This is why the government is trying to find ways
to protect the confidentiality of communication and data transmission.
Romania is working with law enforcement agencies in the EU and the US,
and has a structured system for cyber-security cooperation with NATO.
Russia
Russia has a national CERT (ruCERT) that participates in the
informal CERT communities and is a member of FIRST. It issued
strategic guidelines in 2011. The Security Council of the Russian
Federation coordinates the four ministries in charge of cyber-
security (Interior, Justice, Foreign Affairs and Defence).
Score:
It's difficult to sort the wheat from the chaff when writing about Russia and
trying to distinguish between popular Western prejudices and governments'
concerns about Russian cyber-practices. In its October 2011 report to the
Congress, the US Office of the National Counterintelligence Executive
openly accused Russia and China of cyber-espionage that represents "a
persistent threat to US economic security". In the words of one expert,
Russia is "a thug state with great hackers".
Vladimir Chizhov, the Russian Federation's Ambassador to the EU, stresses
Russia's campaign for an international cyber arms-control agreement.
Russia, along with China, belongs to the Shanghai Cooperation Organisation
(SCO), whose members signed a code of conduct in cyber-space.
Acts of terrorism are a major concern in Russia, as is social networking that
could unsettle the regime and bring about a "Russian Spring". "We've been
a target of terrorist attacks," says Chizhov, "and as technology develops we
can't disregard cyber-terrorism. But we need to take the international route,
starting with an international codification of the terms cyber-attack,
cyber-crime and so on. This type of crime can only be successfully fought through
international cooperation, and we believe the UN is the right venue."
Vitaly Kamluk is a technical expert at Kaspersky Lab and well versed in
Russian cyber-crime. "Russia is known around the world for certain types
of attacks," he explains. "Top among them are banking trojans and
spam-sending botnets. But we're growing more and more like the rest of the world
now. What's new is that Russian hackers are now targeting local citizens,
which they didn't before."
In Russia, unlike other large countries, you can still register a service
anonymously. "There's no open debate on the subject," says Kamluk. "The
money stays at companies that provide legal services for short premium
SMS numbers, which suits businesses. But it also suits cyber-criminals."
According to Kamluk, where Russia is more open than most countries in the
West is on internet forum debates. "My experience is that there are a lot of
beginners out there discussing things very publicly. It's quite easy to join
and monitor the activities of cyber-criminals."
Russia is tightening up its defences against home-grown cyber-crime,
with new regulations on the security of private data, on protecting digital
signatures and on the registration of domain names, which until recently
could be set up without verification. Chizhov says he hopes the
public-private partnerships in Russia are working "reasonably well", and believes
that private companies are aware of the risks posed by cyber-crime.
Large swathes of the country are not yet connected, which makes Russia less
dependent on its critical national infrastructure than other countries. "It's a
huge territory," says Alexey Salnikov, Vice Director of Information Security
at Lomonosov Moscow University, "and the internet is not involved in all the
structures of government. In Siberia, for instance, there is very little internet
connection. We have a lot of intranet compared to the US and Europe."
Despite Russia's reputation for technological know-how, Salnikov says
they urgently need more researchers. "We have some 100 institutes and
universities that deliver courses for future specialists of information security,
but that's not nearly enough."
Spain
Spain has a government CERT and takes part in the informal CERT
community and the national CERTs in the EGC group, but doesn't
yet have a cyber-strategy. It takes part in cyber-incident exercises.
The National Intelligence Service (CNI) heads the National Security
Scheme/Esquema Nacional de Seguridad (ENS) that establishes
minimum security requirements and protective measures to be met
by administrations.
Score:
"Cyber defence spending must be increased," says Spanish intelligence
chief Felix Sanz Roldan. ICT spending on government systems rose until
200S, but has either remained the same or been cut since then. "The threat
of state-sponsored cyber-attack is real and one of the most serious that
confronts Spain's information systems," says Sanz Roldan.
Back in 2009, members of the Senate began urging the government to
speed up its implementation of a national cyber-security plan. With the new
government elected in November 2011, and the economic crisis the top
priority, it remains to be seen how quickly action will be taken.
Spain has a national public prosecutor for cyber-crime, as do some of its
autonomous regions. The country also has national CERTs, and some regions
like Valencia have their own CERTs, but there is no single body under a single
national policy. So far, the CCN-CERT (the national intelligence's CERT) is
filling this role, including the protection of national critical infrastructure.
"We urgently need to coordinate at all government levels," says Colonel
Emilio Sanchez De Rojas, cyber expert at the Ministry of Defence, "and at
the European and global levels. The government needs to invest but so does
private business, and we need to coordinate the two."
In its electoral programme, the governing centre-right Popular Party
contemplated a national coordinating authority on security, including cyber.
In the meantime, ENS has established three levels of security requirements
for usage and tools: low, medium and high. When the national
cyber-security strategy is in force, these ENS requirements will be applied to the
private sector's critical infrastructure.
Sweden
Sweden has a national CERT (CERT-se) that is a member of the EGC
Group, and that takes part in informal CERT communities. It has a
national cyber-security strategy, a national plan for cyber-incidents
and organises and participates in cyber-exercises.
Score:
"Our awareness has been greatly raised over the last five years. We no longer
have low-hanging fruit to be picked off," says Lars Nicander, director of the
Centre for Asymmetric Threat Studies (CATS). "Security is growing tougher
and tougher, and although there will always be loopholes, you would have
to be very knowledgeable to effect an intrusion."
The Swedish Civil Contingencies Agency (MSB) supports and coordinates
information security across society, from local municipalities to national
critical infrastructure operators. MSB hosts a cooperation group for
information security (including the armed forces and the post and telecom
agencies, among others), as well as the country's national CERT.
MSB reports to the Ministry of Defence, but four cabinet departments are
in fact involved in cyber-security (defence, enterprise and industry, foreign
affairs, justice). "That's too much," says Nicander. "We need a top-down
approach to cyber norms to establish who owns them, and a bottom-up
approach to carry out technical cyber-defence exercises."
As Director General of MSB, Helena Lindberg says her agency's task is to
assess risks and vulnerabilities, raise awareness, coordinate stakeholders
and create networks. "What's unique to Sweden," Lindberg says, is that
"we don't box things in. We're good at cross-sectoral work and involving all
stakeholders."
Work is being done to improve the public-private partnership, however,
which is generally thought not strong enough. "We need the expertise of
private companies," Lindberg says. "They know more about technological
developments and they know their own vulnerabilities."
Sweden scores well on technical exercises, although the country's top
decision-makers lack cyber knowledge. As elsewhere, the gap between the
technical people and the policy-makers needs to be closed.
"Cyber-security isn't just about more sophisticated technology and more
money," Lindberg says. "It is also a 'people' problem. We need better
governance at all levels of society and we need to get the best brains
working on this."
"Sweden plays a leading role among Nordic countries both at the innovation
level and in helping other countries work together," says Roger Forsberg,
chief information officer for the Swedish Fortifications Agency (SFA), which
manages public defence related buildings and land.
"We're lucky in having a defence heritage from the Cold War," says Nicander,
"when we spent a lot of money on redundancies in critical infrastructure.
We're not as vulnerable as the US was in the mid-90s when their SCADA
systems had no protection at all." Cyber-security of industrial control
systems (SCADA) is a hot topic in Sweden as elsewhere, and the MSB and
the Swedish Defence Research Agency have built a capacity laboratory for
the cyber-security of SCADA systems.
United Kingdom
The UK has an Office of Cyber-Security and Information Assurance
(OCSIA) and a Cyber-security Operations Centre (CSOC). The
former is based in the Cabinet Office and the latter is located
within GCHQ, the UK's electronic intelligence agency. The UK has
a national and a government CERT, takes part in the informal
CERT community as well as the EGC Group of inter-governmental
CERTs. In 2011, it updated its cyber-security strategy and takes part
regularly in cyber-incident exercises.
Score:
The UK published its updated cyber-strategy in November 2011. "The 2009
version was out of date," says Fred Piper, cryptologist and founder of the
Royal Holloway Information Security Group. "The theme now is that the
internet is here to stay. We need it for industry, governments and individuals
and we must make it secure. The previous approach was more about fear,
uncertainty and doubt."
The government has assigned a four-year budget of £650m to cyber-security,
including establishing norms of good behaviour in cyber-space. The new
strategy promises that the new National Crime Agency is to have a
cyber-crime arm by 2013, and more resources are to go towards law enforcement
on cyber-crime with a Home Office Cyber-Crime Strategy to be reviewed
every six months.
"There are many good ideas within the policy document," says
information-security expert Peter Sommer. "OCSIA has gone out of its way to consult
widely, but there are also problems that will need to be addressed. How
will these plans be put in action? There are no plans for a UK cyber tsar.
Then, a great deal depends on cooperation from the private sector, which
controls about S0% of the critical national infrastructure. Finally, over half of
the new funding will go to the secret vote, the intelligence agencies, where
value for money will be difficult to investigate. I would have preferred more
emphasis on public education helping potential victims help themselves."
In 2011, child benefit data on two computer discs was famously lost. That
incident made the British public more aware of the "human factor" in
cyber-security. "There is a swing away from regarding cyber-security as a purely
technological issue," says Piper. "A lot more effort now is going into things
like awareness programmes and educating the citizens to look after their
own computers." A public website, GetSafeOnline, is specifically addressed
to ordinary users.
One feature of UK culture, according to Sommer, is that "much discussion in
the UK takes place out of the public gaze. MI5 and the intelligence agencies
set up informal meetings where people get to know each other and share
concerns, but it's kept below the public horizon. People are more candid
away from the full glare of public scrutiny."
The government's approach, says Sommer, has been to avoid imposing
regulations and thus setting things in stone. "They have to impose
regulations to ensure that adequate preventative and recovery measures
are in place," he says. "The main problem is how do governments interact
with large commercial businesses in this relatively new situation?"
The UK government has been talking to the major infrastructure companies
since the late 1990s, when alarm bells were ringing over fears about the
"millennium bug". One hope is that these relations can be formalised via
an information exchange "hub".
The one problem, Sommer says, is a failure to understand the limitations
of the public-private partnership. "The fact is that private companies owe
their first obligation to their shareholders, and many of the UK's leading
utilities companies are substantially owned by overseas companies, such as
Germany's Eon and France's EDF."
UNITED NATIONS
Many see the UN as the ideal conduit for fostering relationships between
nations and promoting discussions on cyber-threats. Hamadoun Touré, the
International Telecommunications Union's Secretary General (ITU) believes
that a global treaty could include an agreement that countries protect their
citizens in the case of cyber-attack, and agree not to harbour cyber terrorists.
Russia and China would like to see this UN treaty. The U.S. and the UK, on the
other hand, prefer the Budapest Convention on Cyber-Crime introduced by
the Council of Europe in 2001, and argue that the UN institution is too slow
and cumbersome. The Budapest Convention, which has been ratified by 120
countries, is used by prosecutors to secure electronic evidence of cross-border
crime.
UNESCO is another UN agency involved in the cyber-space debate, focussing
on the protection of Article 19 in the Declaration of Human Rights which
guarantees freedom of expression. "Article 19 is an enabler of other rights,"
says Andrea Beccalli, an ICT specialist who has designed policies for
UNESCO. "We try to stress this to our member states, particularly the right to
assembly. Shutting down a blog or a Facebook page is a violation of Article 19.
The right to assemble and discuss in cyber-space also comes under Article 19."
UNESCO considers access to the internet as every person's basic human right,
and that when designing national cyber-security agendas, countries must make
sure citizens are aware of their rights on the internet, as well as the internet's
threats and potentials. "Our position is that training can teach individuals to
protect themselves," says Beccalli. UNESCO is basically promoting a
multi-stakeholder approach that goes beyond the constituency of member states and
accredited private sector parties.
Beccalli says one of the big upcoming debates in cyber-space is who will be in
charge of the governance of smart phones. Smart phones are spreading rapidly
through Africa, with 99% of new internet connections in Kenya done by young
people using mobiles. "We need an established model that is nimble enough to
keep the constituency open and the debate as broad as possible for all actors
and stakeholders. We want to make use of these technologies, while moving
towards a policy development process totally different from that done by
inter-governmental organisations, which is too stiff and not inclusive enough to see
where these new technologies and applications are going."
United States of America
The U.S. has a government CERT, takes part in the informal CERT
communities, and has a new cyber-security strategy since 2011. It
has a contingency plan for cyber-incidents and is an active player
in cyber-security exercises. The Pentagon has a cyber-command
(USCYBERCOM) that defends American military networks and can
attack other countries' systems.
Score:
"From my perspective, there's never been a cyber-attack on the US, but
countless episodes of espionage and crime," says James Lewis, senior
cyber expert at the Center for Strategic and International Studies (CSIS).
Kevin Gronberg agrees with him. The senior counsel for the House of
Representatives Homeland Security Committee, says "The term cyber war is
as unhelpful as the expression Cyber Pearl Harbour or Cyber 9/11. It's what
internet people call fear, uncertainty and doubt. We need nuance because
this issue is complex and touches on so many elements of our economy and
way of life."
The naming of a White House cyber coordinator, known as the Cyber Tsar, in
2011 has moved the US away from what Lewis once described as a "tribal
approach", in which too many players held the field.
"It's an important position to help coordinate throughout government," says
Melissa Hathaway, a consultant in Washington, DC, who led President
Obama's Policy review, "but the position is not ranked high enough in the
White House structure to have the authority needed to drive change."
The November 2011 strategic guidelines on cyber-security add up to a
well-thought-out document, says Lewis, that is deliberately not set in stone. "The
day after the guidelines were realised," he says, "the Department of Defense
held a small meeting with experts. The first thing they said is that they were
already working on the next version."
Lewis says the guidelines have been widely misinterpreted, for instance
on the issue of when to use deterrence, or when and how to use offensive
capabilities for defensive purposes. "Threatening military retaliation for
malicious action in cyber-space makes sense to prevent attacks," he says,
"but it doesn't work against espionage or crime because neither of them
involve the use of force. So it doesn't apply in many cases."
And it's the exploitation of the internet by strategic competitors that is most
damaging to the US and Europe. "China and Russia are the most active,"
he says, "but China is noisier than Russia." Does the US itself indulge in
cyber-espionage? No, says Lewis, and for two reasons. "For one thing, our
laws don't allow us to favour one company over another, so would we be
spying for Boeing, or who? Secondly, until recently they didn't have much
in way of technology we would want to steal." Rather than designing an
international cyber-security treaty, the US favours improved collaboration
with international law enforcement agencies.
How good is public-private partnership in the US? The Department of
Defense has a solid relationship with the defence industrial base, says
Gronberg. Lockheed Martin, for instance, has developed a legal framework
for sharing cyber-security information with other companies. 'This hasn't
been the silver bullet that solves all problems,' says Gronberg, 'but it has
gone a long way to improving levels of trust in that sector and it's the most
innovative cyber-security development of the last five years.' The model
could be expanded to the other utilities like the power grid and financial
service sectors, among others.
But there are barriers that don't make this easy to do. Gronberg blames
the laws that limit information sharing. 'We need to address this problem
in Congress,' he says, 'but Congress moves extremely slowly. We need
government and the private sector to work together better, faster and across
more sectors.' Others believe the relationship is a 'big brother-little brother'
one, rather than a partnership of equals, adding 'in the US, we struggle
with the idea of trusting government'.
Among the hottest cyber-security debates, says Hathaway, is the extent to
which the US government is considering regulating industry. 'Industry
is unhappy with regulation on a lot of levels,' says Hathaway, 'including
costs.' On the balance between security and privacy, she thinks the privacy
advocates will win every time. 'But a lot more could be done to protect
privacy while enhancing our security posture,' she says. 'They don't have
to be opposing forces. They could work in tandem. This requires updating
some of our laws, and having a robust dialogue about what needs to be
overhauled when the threat and technology are constantly changing.'
A lot more could be done to protect privacy while enhancing our
security posture
Melissa Hathaway
Among interesting experiments at state level is that carried out by the public
affairs firm Resolute Consulting, which set up a 12-member task force to
look at what Illinois should do to protect its critical infrastructure from
cyber-attack. 'Data in Illinois was all over the place, and we worked on how to
secure networks and increase resiliency,' says Resolute Consulting Vice
President Jake Braun. They hope to do similar work in other states.
The US is engaging primarily at a bilateral level, which is always easier
than broader, multi-state international engagement, says Hathaway. 'But in
order to make a difference, all countries have to take responsibility for what's
happening in their own infrastructure, and the only way to achieve that is
through international organisations. We have to agree in the G20, NATO
and the UN about what is acceptable.'
'No one owns the internet,' another senior American says, 'not even the US.
As such, engaging in a hegemonistic relationship with another sovereign
nation is not the way to go. We need to share our expertise with allies no
matter what the issue, energy production, cyber-security or defence tactics,
and that should go both ways. All boats float on a rising tide.'
INDICES AND
GLOSSARIES
Cyber sources
Contributors to this report
Mohd Noor Amin is the Chairman of the International Multilateral Partnership
Against Cyber Threats (IMPACT), a United Nations-backed public-private
partnership. With 137 partner countries, IMPACT has become the largest
cyber-security alliance of its kind.
Suleyman Anil is Head of Office at the NATO Computer Incident Response
Capability Coordination Centre (NCIRC - CC). He has over 20 years'
experience in information-security and cyber-security with NATO.
Frank Asbeck is Principal Counsellor for Security and Space Policy for the
European External Action Service.
Ioannis G. Askoxylakis is Coordinator of FORTHcert in Greece that
provides computer security incident response for the Foundation for
Research and Technology - Hellas.
Victoria Baines is a strategic analyst for the European Police Office
(Europol), where she is responsible for developing strategies to combat
cybercrime.
Kamlesh Bajaj is CEO of the Data Security Council of India (DSCI) and
was founding Director of the Indian Computer Emergency Response Team
(CERT-In) at the Ministry of Communications and IT.
Judy Baker is Director of Cyber Security Challenge UK Ltd. Previously,
she helped set up the UK Government's National Infrastructure Security
Coordination Centre (NISCC) and the Centre for the Protection of National
Infrastructure (CPNI).
Stewart Baker is a Partner at Steptoe & Johnson in the US. He served as
Assistant Secretary for Policy at the Department of Homeland Security, with
responsibility for international and policy issues relating to cyber-security,
and as General Counsel of the National Security Agency.
Andrea Beccalli is an Associate Expert at the Information Society Division
of UNESCO and has extensive experience in the field of Information
and Communication Technology (ICT) for development, international
communication and information policies.
William Beer is a Director in PricewaterhouseCoopers' (PwC) Cyber and
Information Security practice in London and works with clients to develop
solutions for cyber-related matters combining computer forensics, data
analysis, malware analysis, cyber-surveillance and crisis management.
Robert G. Bell is the Senior Civilian Representative of the US Secretary
of Defense in Europe. He is responsible for planning, recommending,
coordinating and monitoring Department of Defense (DoD) policies,
programmes and initiatives throughout Europe.
Isaac Ben-Israel is Chairman of the Israel National Council for Research
and Development and the Israel Space Agency. He led a team that submitted
recommendations to the Israeli government on how to prepare for the threat
of cyber-attack, and was the Senior Cyber-Security Advisor to the Israeli
Prime Minister.
Gorazd Božič is the Head of the Academic and Research Network of
(ARNES) CERT in Slovenia and a member of the ENISA management board.
Jake Braun is Executive Vice-President at Resolute Consulting in Chicago.
His responsibilities include designing and implementing public affairs
campaigns focusing on the firm's homeland and cyber-security practice.
Vytautas Butrimas is Chief Advisor for Cyber-Security at the Lithuanian
Ministry of Defence, having worked in information technology and
communications for over 20 years.
Oliver Caleff is CSIRT Manager at CERT-DEVOTEAM in France and is a
senior security consultant with experience in IT and other fields of security.
Vladimir Chizhov is Permanent Representative of the Russian Federation
to the EU. A former Deputy Minister of Foreign Affairs, he has extensive
knowledge of cyber-security issues and their impact on international security.
Larry Collins is Vice-President for e-solutions at Zurich Financial Service
where he develops and delivers on-line cyber risk prevention tools.
Richard Crowell is an Associate Professor of joint military operations at
the US Naval War College. Additionally, he serves as the College of Naval
Warfare coordinator for contemporary operating environments.
Ed Dawson is Senior Advisor at the Information Security Institute at
Queensland University, Australia. He has written more than 200 papers on
cryptology and has been involved in projects related to secure electronic
commerce and mobile communications.
Freddy Dezeure is Head of the Inter-institutional Computer Emergency
Response Pre-Configuration Team for European Union institutions
(CERT-EU).
Jean-Michel Doan is a cyber-crime analyst at Lexsi Innovative Security.
Roger Forsberg is Chief Information Security Officer for the Swedish
Fortifications Agency under the Swedish Ministry of Finance. He is
responsible for securing government-owned defence related buildings
from cyber-threats.
Erik Frinking is Director of the Strategic Futures Programme at The Hague
Centre for Strategic Studies (HCSS). He played an important role in the
development and implementation of the Dutch National Security Strategy.
Nick Galletto is the National Leader for Information Technology Risk
for Deloitte in Canada. He has over 20 years' experience in information
technology, networking and systems management and the implementation
of information technology solutions.
Sandro Gaycken is a researcher and professor of cyber-security at the
Institute of Computer Science at the Freie Universität Berlin, Germany.
Thierry Gobillon is an Information Security Officer, Risk Management
Compliance for ING bank in Brussels, Belgium. His role requires him to
secure banking information from cyber-threats.
Janusz Górski is Professor of Software Engineering at the Faculty of
Electronics, Telecommunications and Informatics at Gdansk University of
Technology in Poland.
Peter Gridling is the Director of the Federal Agency for State Protection and
Counter Terrorism in the Austrian Ministry of Interior.
Kevin Gronberg is Senior Counsel on cyber-security issues to the United
States House of Representatives, Committee on Homeland Security. He was
the legal counsel to DHS's US-CERT.
Timo Härkönen is Director of Government Security for the Office of the
Prime Minister in Finland. His responsibilities include security planning,
preparedness planning and crisis management at government level.
Melissa Hathaway is President of Hathaway Global Strategies, an
independent consultancy based in the US. She served in the Obama
Administration as Acting Senior Director for Cyberspace at the National
Security Council and led the Cyberspace Policy Review.
Jun Inoue is First Secretary and Telecom Attaché at the Mission of Japan to
the EU.
Timothy Jordan is a Senior Lecturer at King's College University in London.
His areas of expertise include internet studies, hacking and hacktivism.
Vitaly Kamluk is chief malware expert at Kaspersky Labs in Russia and
specialises in threats to global network infrastructures, malware reverse
engineering and cyber-crime investigations.
Alexander Klimburg is a Fellow and Senior Advisor at the Austrian Institute
of International Affairs. He has published widely on the subject of national
cyber-security and is the principal author of a commissioned study to the
European Parliament entitled 'Cyber-power and Cyber-security'.
Robert F. Lentz is President and CEO of Cyber Security Strategies, LLC
and former Deputy Assistant Secretary of Defense for Cyber, Identity and
Information Assurance (CIIA) in the Office of the Assistant Secretary of
Defense, Networks and Information Integration/Chief Information Officer.
James Lewis is a Senior Fellow and Director of the Technology and Public
Policy Programme at CSIS, where he focuses on national security and the
international economy.
Herbert Lin is chief scientist at the Computer Science and Telecommunications
Board of the National Research Council (NRC) of the National Academies
in the US. He has directed several studies on cyber-security issues.
Helena Lindberg is Director General of the Swedish Civil Contingencies
Agency and is responsible for unifying, coordinating, and supporting tasks
in preparation for, during and after emergencies, including those related to
cyber-security.
Jesus Luna is a researcher for The Deeds group in Germany. His areas of
expertise include security metrics, cloud and grid security, botnet mitigation,
security and privacy.
Alastair MacWillson is Global Managing Director of Accenture's Global
Security practice. He has been adviser to a number of governments on
technology strategy, critical infrastructure protection, cyber-security and
counter-terrorism.
Raphael Mandarino Jr. is Director of the Institutional Security Cabinet for
the Department of Information Security and Communications in Brazil. He
has extensive experience in the coordination efforts of national CSIRT and
their law enforcement agencies.
Dave Marcus is Director of Security Research for McAfee Labs. He has
extensive experience in network solutions and IT security, with a focus on
advanced intelligence gathering, digital forensics, intrusion detection and
prevention, and network and host analysis.
Marina Martinez-Garcia is Programme Officer at the Centre for Industrial
Technological Development (CDTI) in Spain and is responsible for fostering
Spanish science and technology participation and assistance at the EU level.
John I. Meakin is Director of Digital Security and CISO of BP. He is a specialist
in information systems security with more than 20 years' experience.
Lars Nicander is Director of the Centre for Asymmetric Threat and Terrorism
Studies (CATS) at the Swedish National Defence College (SNDC).
Satoshi Noritake is the Senior Manager, Certified Information Systems
Security Professional (CISSP) for NTT Communications Corporation.
Andres Ortega is the former Director General of the Department of Analysis
and Research in the Spanish Prime Minister's Office. He was responsible for
analysing information on cyber-security threats.
Evangelos Ouzounis is Head of Resilience and Critical Information
Infrastructure Protection Unit of ENISA.
Patrick Pailloux is Director General of France's Network and Information
Security Agency (ANSSI). He is responsible for all matters related to
cyber-security in the French government.
Fred Piper was the founding Director of the Royal Holloway Information
Security group, a member of the permanent stakeholder group at ENISA
and a member of the International Advisory Board of the International
Multilateral Partnership Against Cyber Threats (IMPACT).
Elly Plooij-Van Gorsel is a member of the International Advisory Council
(AIV), where she advises the Dutch government and parliament on foreign
affairs and defence including cyber-security.
Jaan Priisalu is the Director General of the Estonian Information Systems
Authority and was head of IT Risk Management at Swedbank. His
responsibilities include the oversight and protection of Estonia's critical
public and private information systems.
Steve Purser is Head of ENISA's Technical Competence Department where
he is responsible for agreeing the annual work programme with stakeholders
and ensuring that this work programme is successfully implemented.
Gerrard Quille is a foreign, security and defence expert at the
Directorate-General for External Policies of the European Parliament. He has been
involved in various projects relating to cyber-security.
Costin Raiu is Director for Global Research and Analysis at Kaspersky
Lab and specialises in malicious websites, browser security and exploits,
e-banking malware, enterprise-level security and Web 2.0 threats.
Christopher Richardson is a research engineer and lecturer at the Ministry
of Defence College in the UK. He focuses on information risk management
and network security management in the military and NATO and is developing
system and traffic analysis and simulation of MoD deployed CIS.
Rafal Rohozinski is the founder and CEO of the SecDev Group and Psiphon
Inc. He is also a Senior Fellow at the Munk School of Global Affairs of the
University of Toronto. His work in information security spans two decades
and 37 countries, including conflict zones.
Alexey Salnikov is Vice-Director of the Institute of Information Security at
Lomonosov Moscow University. He specialises in discrete mathematics,
cyber-terrorism, political and humanitarian issues of information security
and international cyber-policy.
Cherian Samuel is Associate Fellow at the Institute for Defence Studies and
Analyses in India. He is an expert in Indo-US relations and has written on
Indian cyber-security and Indo-US cooperation on cyber-security issues.
Emillo Sanchez De Rojas is Head of Department of Strategy and
International Relations at the Centre for National Defence Studies in Spain
where he also advises on cyber-security policy and strategy.
Felix Sans Roldan is Director of the National Intelligence Centre in Spain.
He is also responsible for the National Cryptological Centre and oversees
Spanish cyber-intelligence and defence.
Phyllis Schneck is Vice-President and Chief Technology Officer, Global
Public Sector at McAfee.
Tim Scully is CEO of Stratsec and Head of Cyber Security at BAE Systems
Australia. He has extensive experience building and leading intelligence
and security capabilities and teams in the Department of Defence.
Andrea Servida is Deputy Head of Unit for Internet, Network and Information
Security in the Directorate-General for Information Society and Media of the
European Commission.
Jamie Shea is the Deputy Assistant Secretary General for Emerging Security
Challenges at NATO.
Aurel Sima is a Security Auditor for Genos Consulting in Romania and is
responsible for securing data centres and databases and providing security
training to clients.
Bart Smedt is a Research Fellow at the Belgian Royal Higher Institute
for Defence. His areas of expertise cover proliferation issues, critical
infrastructure protection, cyber-defence and emergency planning.
Peter Sommer is a reader at the UK's Open University and a former Visiting
Professor at the London School of Economics specialised in computer
security and cyber-threats.
Tim Stapleton is Assistant Vice-President and Professional Liability Product
Manager for Zurich North America.
Ilmar Tamm is Director of the NATO Cooperative Cyber Defence Centre of
Excellence in Tallinn.
Brooks Tigner is the Editor of Security Europe in Brussels. He has reported
on security and defence issues across Europe for many years.
Heli Tiirma-Klaar is Senior Advisor to the Undersecretary of Defence in
Estonia. She led the working group that developed the Estonian
Cyber-security Strategy in 2008.
Hamadoun Touré is Secretary General of the International
Telecommunication Union (ITU).
Stefano Trumpy is Research Manager at the Institute for Informatics and
Telematics of the Italian National Research Council and the Italian delegate
in the Governmental Advisory Committee (GAC) of the Internet Corporation
for Assigned Names and Numbers (ICANN).
Jüri Vain is Director of the Department of Computer Science at Tallinn
University of Technology. His main areas of expertise are deductive
verification, model-based testing and model checking.
Wouter Vlegels is Critical Information Infrastructure Protection expert at
ENISA and has a particular interest in the interrelationships and information
sharing between NATO, the national authorities in the capitals of member
nations and the EU.
Florian Walther is a senior IT security consultant at Curesec consulting in
Germany. He is an active member of the German hacker community and
has spoken at the Chaos Computer Congress, SigInt and ph-neutral.
Peiran Wang is a PhD Candidate at East China Normal University's School
of Advanced International and Area Studies and a visiting researcher at the
Vrije Universiteit Brussels (VUB). His areas of research include international
security and cyber-security.
Christian Wernberg-Tougaard is a member of the Information Security
Advisory Board at the Ministry of Science, Technology and Innovation in
Denmark and a member of ENISA Permanent Stakeholders Group. He
provides advice on information security to the Danish government.
Suguru Yamaguchi is a Professor at the Graduate School of Information
Science at Nara Institute of Science and Technology in Japan and a former
Advisor on Information Security to the Cabinet of the government.
Takeo Yoshida is the Deputy Director of the Ministry of Internal Affairs
and Communications (MIC) in Japan. He is responsible for advising and
formulating policy and strategy on Japan's cyber-defence and cyber-security
protocols.
Glossary of organisations
Asia-Pacific Economic Cooperation (APEC) -
Telecommunications and Information Working Group (TEL)
Where: Singapore
Funding: Member economies: Australia, Brunei, Canada, Chile, China,
Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, Mexico, New
Zealand, Papua New Guinea, Peru, Philippines, Singapore, Russia, Taiwan,
Thailand, US, Vietnam
Mission: APEC's TEL aims to improve telecommunications and information
infrastructure in the Asia-Pacific region by developing and implementing
telecommunications and information policies. The four subgroups
within TEL are the Security and Prosperity Steering Group (SPSG), the
ICT Development Steering Group (ICTDSG), APEC-TEL MRA and the
Liberalisation Steering Group. The SPSG and ICTDSG are of particular
importance to cyber-security in Asia. The SPSG's responsibilities include
cyber-crime prevention and promoting security and trust in networks,
e-commerce and infrastructures. ICTDSG promotes ICT applications to
socio-economic developments such as smart grids, crisis management and
advanced technologies.
Website: http://www.apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-Groups/Telecommunications-and-Information.aspx
Email: info@apec.org
Association of South East Asian Nations (ASEAN) -
Telecommunication and IT (TELMIN)
Where: Jakarta, Indonesia
Funding: Member economies: Brunei, Cambodia, Indonesia, Laos,
Malaysia, Philippines, Singapore, Thailand, Vietnam
Mission: TELMIN is a sub-grouping of ASEAN. Its mission is to develop a
common framework to coordinate exchange of information, establishment
of standards and cooperation among enforcement agencies. Part of the
TELMIN annual programme includes sessions with the ASEAN Dialogue
Partners on a Plus Three basis (with the People's Republic of China, Japan
and the Republic of Korea) and a Plus One basis (with India). TELMIN also
engages with the telecommunications and IT industry players in ASEAN
through the e-ASEAN Business Council comprising representatives of the
private sector from all ASEAN member countries.
Website: http://www.aseansec.org/19594.htm
Council of Europe
Where: Strasbourg, France
Funding: Its 47 member states
Mission: The Council of Europe provides three mechanisms: 1) 'Cooperation
against cyber-crime', which aims to establish a global framework for efficient
cooperation against cyber-crime, 2) the 'Cybercrime Convention Committee',
which supports the strengthening of legislation and capacity building, and 3)
the 'Contact points for police and judicial cooperation', which facilitates the
implementation of the Budapest Convention on Cyber-crime.
Website: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Default_en.asp
Email: cybercrime@coe.int
Commonwealth Telecommunications Organisation (CTO)
Where: London, United Kingdom
Funding: Members of the Commonwealth of Nations
Mission: The CTO is an international development partnership between
the Commonwealth and non-Commonwealth governments, business and
civil society organisations. It promotes social and economic development
in the Commonwealth and beyond, helping to bridge the digital divide
by facilitating the development of telecommunications among developing
member states and to achieve the Millennium Development Goals for ICT.
Website: http://www.cto.int/
Email: info@cto.int
European Network and Information Security Agency (ENISA)
Where: Crete, Greece
Funding: European Union and third countries
Mission: ENISA is the European Union's cyber-security agency and centre of
expertise. Its responsibilities include ensuring the smooth functioning of the
Internal Market, and improving the daily lives of the citizens and business,
using broadband, online banking, e-commerce and mobile phones. ENISA
aims to achieve a high and effective level of Network and Information
Security within the EU, to assist the European Commission, member states
and businesses to respond to and prevent security problems, and to assist
in the technical preparatory work for updating and developing Community
legislation in the field of Network and Information Security.
Website: http://www.enisa.europa.eu/
European Commission
Where: Brussels, Belgium
Funding: EU member states
Mission: In 2010, the European Commission put forward a proposal for
a Directive on attacks against information systems. Its main novelty is the
criminalisation of the use, production and sale of tools to effect attacks
against information systems. In line with the Internal Security Strategy, the
Commission will be setting up a European Cyber-crime Centre by 2013.
The Commission has also stepped up dialogue with the private sector, which
controls a large part of information infrastructures.
Websites: http://ec.europa.eu/dgs/home-affairs/
http://ec.europa.eu/dgs/information_society/index_en.htm
European Police Office (EUROPOL)
Where: The Hague, the Netherlands
Funding: EU member states
Mission: As the EU's law enforcement agency it is Europol's responsibility to
assist member states in the fight against international crime. Europol deals
with the forensics and investigation of online crimes and has produced a threat
assessment on internet facilitated organised crime (iOCTA) to contribute to
the strategic planning for a European cyber-crime centre in 2012. Europol
encourages international strategic and operational partnerships with the
private sector and academia, raising awareness and points of contact and
supports the use of crowd sourcing to gather intelligence on cyber-crime
from internet users.
Website: www.europol.europa.eu
Forum of Incident Response and Security Teams (FIRST)
Where: Morrisville, North Carolina, US (Secretariat)
Funding: Member CERTs
Mission: The Forum of Incident Response and Security Teams (FIRST) brings
together security and incident response teams, including special product
security teams from the government, commercial and academic sectors.
Website: http://www.first.org/
Email: first-sec@first.org
G8 Subgroup on high-tech crime
Funding: G8 member states
Mission: The G8's Subgroup on High-Tech Crime was started to enhance
the abilities of G8 countries to prevent, investigate and prosecute
crimes involving computers, networked communications and other new
technologies. Over time, that mission has expanded to include work with
third countries on such topics as combating terrorist uses of the internet and
protection of critical information infrastructures. Countries are represented
in the subgroup by multi-disciplinary delegations that include cyber-crime
investigators and prosecutors, and experts on legal systems, forensic analysis
and international cooperation agreements.
Internet Corporation for Assigned Names and Numbers (ICANN)
Where: Marina del Rey, California, US
Funding: Not-for-profit public-benefit corporation with participants from all
over the world
Mission: The Internet Corporation for Assigned Names and Numbers
(ICANN) Security and Stability Advisory Committee (SSAC) advises the ICANN
community and Board on matters relating to the security and integrity of the
internet's naming and address allocation systems. This includes operational
matters, administrative matters, and registration matters. SSAC engages
in ongoing threat assessment and risk analysis of the internet naming and
address allocation services to assess where the principal threats to stability
and security lie, and advises the ICANN community accordingly.
Website: http://www.icann.org/
International Multilateral Partnership Against Cyber Threats
(IMPACT)
Where: Cyberjaya, Malaysia
Funding: Not-for-profit comprehensive global public-private partnership
Mission: IMPACT is the cyber-security executing arm of the United Nations'
specialised agency - the International Telecommunication Union (ITU). As
the world's first comprehensive alliance against cyber-threats, IMPACT
brings together governments, academia and industry experts to enhance
the global community's capabilities in dealing with cyber-threats.
Website: http://www.impact-alliance.org/home/index.html
Email: contactus@impact-alliance.org
Interpol
Where: Lyons, France
Funding: EU member states
Mission: Interpol's mission is to connect law enforcement in all member
states and provide them with means to share crucial information. Interpol
assists countries in the event of a cyber-attack and helps identify emerging
threats and responses.
Website: http://www.interpol.int/en
International Telecommunications Union (ITU)
Where: Geneva, Switzerland
Funding: UN member states, and over 700 private companies and leading
academic institutions
Mission: The ITU is the UN agency for information and communication
technologies (ICT). Its responsibilities include allocating global radio
and satellite orbits, developing technical standards and ensuring that
technologies interconnect and improve ICT worldwide. ITU supports efforts
to protect ICTs from cyber-threats. The ITU has also set up the Global
Cyber-Security Agenda (GCA), a framework for international cooperation
aimed at enhancing confidence and security in the information society. The
GCA is designed for cooperation and efficiency, encouraging collaboration
with and between all relevant partners and building on existing initiatives to
avoid duplicating efforts.
Website: http://www.itu.int/en/Pages/default.aspx
Email: itumail@itu.int
NATO Cooperative Cyber Defence Centre of Excellence
(CCDCOE)
Where: Tallinn, Estonia
Funding: NATO member states
Mission: The NATO CCDCOE was established to enhance capability,
cooperation and information sharing among NATO, its members and
partners in cyber-defence through education, research and development,
lessons learned and consultation. Its aim is to be the main source of
expertise in the field of cooperative cyber-defence by accumulating and
disseminating knowledge. Its main areas of research include the legal
and policy fields, concepts and strategy, tactical environment and critical
Information Infrastructure Protection. The centre also develops a wide range
of products and services for NATO.
Website: http://www.ccdcoe.org/
Email: ccdcoe@ccdcoe.org
NATO Communication and Information Systems Services
Agency (NCSA)
Where: SHAPE, Belgium
Funding: NATO member states
Mission: NCSA is a service provider to NATO and its national customers.
Wherever NATO deploys on operations or exercises, NCSA is there, providing
communication and information systems (CIS) services in support of the
mission. NCSA is NATO's first line of defence against cyber-terrorism and
encompasses NATO Information Assurance Technical Centre (NIATC) and
NATO Computer Incident Response Capability (NCIRC). NCIRC provides
NATO with a range of highly specialised computer services, including
incident detection, response and recovery that help ensure the security of
NATO CIS. These services are delivered across the whole of the NATO CIS
landscape, encompassing both operational and peacetime locations.
Website: http://www.ncsa.nato.int/
Email: ncsapac@ncsa.nato.int
Organisation of American States (OAS)
Where: Washington DC, USA
Funding: Its 35 member states
Mission: The Inter-American Cooperation Portal on Cyber-Crime and the
Working Group are two of the major outcomes of the process of Meetings
of Ministers of Justice or Other Ministers or Attorneys General of the
Americas (REMJA) aimed at strengthening hemispheric cooperation in the
investigation and prosecution of cyber-crimes.
Website: http://www.oas.org/en/
Organisation for Economic Co-operation and Development
(OECD)
Where: Paris, France
Funding: Its 34 member states and partner organisations
Mission: The OECD promotes policies to improve the economic and social
conditions of people around the world. It provides a forum for governments
to seek solutions to issues including cyber-security. It aims to secure privacy
and data protection and launched an anti-spam toolkit for actors to better
orientate their policies towards protecting against spam.
Website: http://www.oecd.org/
Organisation for Security and Co-operation in Europe (OSCE)
Where: Vienna, Austria
Funding: Its 56 member states and partner organisations
Mission: The OSCE seeks to promote the rule of law, inter alia by training
of judges, prosecutors, lawyers, police and correctional officers, as well as
through projects on criminal justice reform and legislative review, seeking to
bring domestic laws in line with OSCE commitments and other recognised
international standards, including those related to cyber-security.
Website: http://www.osce.org/
Email: info@osce.org
United Nations Interregional Crime and Justice Research
Institute (UNICRI)
Where: Turin, Italy
Funding: UN
Mission: UNICRI is a UN entity mandated to assist intergovernmental,
governmental and non-governmental organisations in formulating and
implementing improved policies in the field of crime prevention and
criminal justice. It aims to share and apply knowledge to assist governments
to prevent and deal with cyber-crime.
Website: http://www.unicri.it/
Email: information@unicri.it
Glossary of companies
Accenture is the largest management consulting company in the world.
Accenture Cyber Security Solutions offers cross-functional cyber-security
programmes to secure vital IT-infrastructure.
BAE Systems is a British multinational defence, security and aerospace
company headquartered in London. It is among the world's largest military
contractors, and has extensive experience in the research and development
of innovative computer network operations technologies.
BP is the third largest energy company in the world and is involved in oil,
gas, petrochemicals, power generation and renewable energy.
Curesec is an IT security consulting company based in Berlin, Germany.
Deloitte Touche Tohmatsu is one of the largest accountancy and
professional services companies in the world. Deloitte's Global Public Sector
group is also working in the field of cyber-security.
DEVOTEAM is an international information and communication technology
consulting company headquartered in Brussels.
Hathaway Global Strategies is an independent security consulting
company.
ING is a global financial institution involved in retail and investment banking
and insurance services. It is therefore exposed to cyber-attacks and runs a
big IT-security division.
Kaspersky Lab is a Russian computer security company. In addition to
consumer products, Kaspersky Lab offers security applications designed for
small business corporations and large enterprises.
Lexsi innovative security is an international information security
consultancy company specialised in protecting information assets, strongly
driven towards innovation and headquartered in France.
McAfee is a computer security company headquartered in Santa Clara,
USA. It markets software and services to home users, businesses and the
public sector.
NTT Communications is a subsidiary of Nippon Telegraph and Telephone
(NTT) Corporation, one of the largest telecommunications companies in the
world.
PwC is one of the world's largest professional services firms. Within its forensic
services, PwC also works with clients to develop creative approaches to
complex cyber-related matters.
Resolute Consulting is an American consulting company.
Security Europe is an information service specialised in EU civil security
issues. As such, it also reports on developments in the EU cyber governance.
Genos Consulting is a Romanian information security consultancy firm.
Steptoe & Johnson is an international law firm. Cyber-security is one of its
focus areas.
Stratsec, a subsidiary of BAE Systems, is an information security consultancy
company based in Australia and South East Asia.
The SecDev Group is a Canadian company that provides consultancy
services and conducts not-for-profit research in global security and violence.
It equally undertakes research and consultancy on cyber-security.
Zurich is a financial services company focused primarily on insurance, also
offering services in IT-security.
Jaap de Hoop Scheffer
former Secretary General of NATO
Javier Solana
former EU High Representative for
Common Foreign and Security Policy
The SDA this year celebrates its 10th anniversary as the leading Brussels-
based think-tank on security and defence issues. The SDA remains the only
forum to bring together top representatives from across nations, institutions
and sectors to discuss pressing global challenges, reaching both public
and private sector decision-makers to make a real difference.
SDA Co-Presidents
The SDA raises awareness and anticipates the political agenda through
international conferences, roundtables, evening debates, policymakers'
dinners, studies and discussion papers. Visit www.securitydefenceagenda.org
to download our publications and find out more about our activities.
If current trends in the
decline of European defence
capabilities are not halted and
reversed, many US policymakers
may not consider the return on
America's investment in NATO
worth the cost.
Robert Gates,
then US Defense Secretary
10 June 2011
We must be careful not to
allow the capability gap to
become the credibility gap
Anders Fogh Rasmussen,
NATO Secretary General
21 June 2010
About the SDA
Cyber-security initiative
As cyber-attacks continue to make daily headlines, the SDA has launched
an ambitious cyber-security initiative. Encompassing reports, debates, and a
strong online presence, this programme aims to bring coherence to the global
cyber-debate, to separate fact from hype and make sense of the myriad actors
in the field. The initiative ensures that all key stakeholders are heard in a
balanced discussion, and that output reaches the key decision-makers.
This is a battle we may not win.
We need to act and to protect as
quickly as possible
Cecilia Malmström, European
Home Affairs Commissioner
9 November 2011
Cyber has redefined the front
lines of national security. Just
as our air and missile defences
are linked, so too do our cyber
defence networks need to be.
William J. Lynn, III, then US
Deputy Secretary of Defense
15 September 2010
Visit the cyber-security website at www.securitydefenceagenda.org for the
rest of the year's programme, video interviews, background documents, and
SDA reports on cyber-security.
Security jam
The SDA constantly innovates to push the debate further. In 2010, it
organised the first ever global security brainstorming, the Security Jam,
which brought together over 4,000 people from 124 countries for a 5-day
discussion. The report was presented to NATO Secretary General Anders
Fogh Rasmussen, Madeleine Albright and her group of experts working
on NATO's Strategic Concept, and Felipe Gonzalez and his group of
European wisemen.
On March 19-23 2012, the SDA and IBM will partner with NATO ACT, the
European External Action Service, the European Commission, EUCOM
and the US Mission to NATO to bring together thousands of global security
stakeholders. Representatives of national governments and armed forces,
international institutions, NGOs, think-tanks, industry and the media will
use this unique opportunity to collectively define the solutions to pressing
security issues. The most innovative recommendations will be presented to
the NATO and EU leaderships ahead of the May 2012 Chicago summits.
Log on to www.securityjam.org to register for this unique event.
VIP Jammers in 2010 included
Adm. James Stavridis,
Supreme Allied
Commander Europe,
NATO
Anne-Marie Slaughter,
Former Director of Policy
Planning, US Department
of State
Alain Hubert,
Explorer, International
Polar Foundation
Gen. Stéphane Abrial,
Supreme Allied
Commander
Transformation, NATO
Josette Sheeran,
Executive Director of the
World Food Programme
Carl Bildt,
Minister for Foreign Affairs
of Sweden
My thanks to all those who contributed to this report, both those I have
quoted and those I have not. Special thanks to Melissa Hathaway and
Jamie Shea for their helpful comments on my draft text, to McAfee's
Dave Marcus, Phyllis Schneck and Sal Viveros, and to the SDA's Pauline
Massart and Igor Garcia-Tapia.
SECURITY & DEFENCE AGENDA
Bibliothèque Solvay, Parc Léopold,
137 rue Belliard, B-1040, Brussels, Belgium
T: +32 (0)2 737 91 48 F: +32 (0)2 736 32 16
E: info@securitydefenceagenda.org W: www.securitydefenceagenda.org
