This document is a report on global cybersecurity rules that was produced by the Security & Defence Agenda think tank. It provides an overview of the key issues in establishing international cybersecurity norms based on interviews with over 80 global experts. There are differing views on how to define cyber threats and attacks, and challenges in regulating the internet given its global, decentralized nature. While a comprehensive global treaty is difficult, steps toward confidence building and information sharing could help address growing threats in cyberspace. The report aims to inform debates on developing effective and consensus-based policy responses.
Cyber-security: The vexed question of global rules
An independent report on cyber-preparedness around the world

A Security & Defence Agenda report
Author: Brigid Grauman
Publisher: Geert Cami
Date of publication: February 2012

The views expressed in this report are the personal opinions of individuals and do not necessarily represent the views of the Security & Defence Agenda, its members or partners. Reproduction of this report, in whole or in part, is permitted providing that full attribution is made to the author, the Security & Defence Agenda and to the source(s) in question, and provided that any such reproduction, whether in full or in part, is not sold unless incorporated in other works.

About the report
This report is published as part of the Security & Defence Agenda's (SDA) cyber-security initiative. It is intended as a snapshot of current thinking around the world on the policy issues still to be resolved, and will form the basis of SDA debates and future research during 2012.

About the SDA
The SDA is Brussels' only specialist security and defence think-tank. It is wholly independent and this year celebrates its 10th anniversary.

About the author
Brigid Grauman is an independent Brussels-based journalist whose work appears widely in international media like the Financial Times and The Wall Street Journal. She's currently engaged on a number of projects for institutions, including the European Commission.
Report advisory board
Jeff Moss, Vice-president and Chief Security Officer at ICANN and founder of the Black Hat and DEF CON computer hacker conferences
Reinhard Priebe, Director for Internal Security, Directorate General for Home Affairs, European Commission
Andrea Servida, Deputy Head of the Internet, Network and Information Security Unit, Information Society and Media Directorate General, European Commission
Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO
Brooks Tigner, Editor and Chief Policy Analyst at Security Europe

My thanks to all those who contributed to this report, both those I have quoted and those I have not. Special thanks to Melissa Hathaway and Jamie Shea for their helpful comments on my draft text, to McAfee's Dave Marcus, Phyllis Schneck and Sal Viveros, and to the SDA's Pauline Massart and Igor Garcia-Tapia.

Contents

Introduction
Recommendations

PART ONE
Section I. Clearing the booby traps from the cyber-security minefield
  Terminology: Cyber-war and cyber-attack have many meanings. It's time to settle on just one
  Moving into uncharted waters: Cyber-crime pays because it's profitable, low-risk and anonymous
  Trust is a most elusive notion: The internet was built on trust, and that's why it's so vulnerable
Section II. Tracking the cyber-revolution: New threats and changing ethics
  Cracking Duqu: The virus admired by experts
  Should we be talking of a new ethos?
  Smart phones pose security challenges
  Cloud computing: The challenges of separating network from content
Section III. Cyber-defence strategies: The hottest debates and conditions for success
  Developing an offensive stance, Cyber-crime and punishment, Protecting an increasingly integrated global system, How safe are SCADA systems, Net neutrality, Towards international rules, Building a more solid architecture, Tackling weakest-link countries, Securing the supply chain, Increasing awareness of the scale of the problem, Taking a holistic approach, Promoting dialogue between techies and decision-makers, Defining the role of governments, Governments must take greater care when taking advice, Information-sharing at an international level, Thinking differently about cyber-security, Reducing secrecy, Harmonising codes and laws, citizen awareness, Defining pre-emptive cyber-attacks
Section IV. The quest for rules and regulations to govern cyber-space
  Cyber norms and common security standards
  The difficulties of going global
  Adapting existing rules
  The lack of international mechanisms
  The 'impossible dream' of a global treaty
  A realistic alternative to a peace treaty: Cyber-confidence measures
  The bodies competing to govern cyber-space
  Internet governance
  Standardisation
  Law enforcement
  Information-sharing
Section V. Breaking down the walls between the cyber-communities
  The generation divide
  Improving trust between industry stakeholders
  Overcoming the barriers between rivals
  Are cyber-crime and cyber-security one and the same?
  Steps towards global sharing
Section VI. The private sector's privacy dilemma
  Why the private sector would be better advised to share information
  Making regulations that make sense for everyone
  The blame game: From software companies to service providers, who should be responsible for what?
Section VII. Bearing the costs of cyber-insecurity
  The insurance sector wakes up
Section VIII. Private citizens: issues of freedom and protection
  Internet responsibility: From private users to corporate giants
  The cyber-security skills gap

PART TWO
Section I. A worldwide brainstorming of experts
  Key attitudes
Section II. Country-by-country stress tests
  Australia, Austria, Brazil, Canada, China, Denmark, Estonia, The European Union, Finland, France, Germany, India, Israel, Italy, Japan, Mexico, NATO, The Netherlands, Poland, Romania, Russia, Spain, Sweden, United Kingdom, United Nations, United States of America
Section III. Indices and glossaries
  Cyber sources - contributors to this report
  Glossary of organisations
  Glossary of companies
About the Security & Defence Agenda
Introduction

This report is made up of a survey of some 250 leading authorities worldwide and of interviews carried out in late 2011 and early 2012 with over 80 cyber-security experts in government, companies, international organisations and academia. It offers a global snapshot of current thinking about the cyber-threat and the measures that should be taken to defend against it, and assesses the way ahead. It is aimed at the influential layperson, and deliberately avoids specialised language.

For the moment, the bad guys have the upper hand - whether they are attacking systems for industrial or political espionage reasons, or simply to steal money - because the lack of international agreements allows them to operate swiftly and mostly with impunity. Protecting data and systems against cyber-attack has so far been about dousing the flames, although recently the focus has been shifting towards more assertive.

The preparation of this report has been greatly helped by Robert Lentz's framework for measuring levels of cyber-security in governments and private companies. Lentz is President and CEO of Cyber Security Strategies, and has 34 years' experience working for the U.S. government. His Cyber Security Maturity Model explains the five stages towards resilience against cyber-attack, through conventional threat to advanced persistent threat, and was used as the measurement tool for our country-by-country stress test in the second part of the report.

Even if everyone accepts the need for standards, rules, laws, codes of conduct and maybe even a global treaty to protect cyber-space against cyber-crime, not everyone agrees on how to get there. The debate is also about who should make the rules, and to what extent dominance by the military is a good or a bad thing.

The fact that cyber-space knows no borders implies that cyber-security is only as good as its weakest link, and that something must be done about unregulated countries that can offer a haven for cyber-criminals.

The first part of this two-part report concentrates on the main issues that are slowing progress, starting with the absence of agreement on what we mean by terms like cyber-war or cyber-attack. It reflects sharp divisions over the rights of individuals and states in cyber-space. Most Western countries believe that freedom of access to the internet is a basic human right, and that every individual also has a right to privacy and security that should be protected by laws. UNESCO argues that the right to assemble in cyber-space comes under Article 19 of the Declaration of Human Rights.

At the other end of the spectrum are those countries, like Russia and China, that favour a global treaty but nevertheless believe that access to the internet should be limited if it threatens regime stability, and that information can also be seen as a cyber-threat. For these countries, any state has the right to control content within its sovereign internet space.

Linked to the rights and responsibilities of states is the thorny issue of attribution. There are those countries that say that attribution to a specific attacker is impossible, and that the focus has to be defence from attacks. Others argue that attribution is possible, but requires international cooperation, sharing of information and assistance from local authorities. Some states believe that cooperation is a threat to their sovereignty; others say they can't be held responsible for the activities of individuals or private companies. And a number apparently fear openness because they don't want to see restrictions on their political or military objectives.

Some clear themes emerge from the report, and they are issues that need fairly urgent resolution. Among these are how, and to what degree, a more proactive, some would say more bellicose, stance should be developed both in the military and private arenas; the need for much greater international cooperation; introducing a more solid security architecture to the internet; and establishing cyber-confidence building measures as an easier alternative to any global treaty, or at least as a gap-filler until a treaty is agreed.

The second part of this report consists of 21 country stress tests, complemented by findings from the global survey the SDA conducted in the autumn of 2011 among 250 top cyber-security specialists in 35 countries. They included government ministers, staff at international organisations, leading academics, think-tankers and IT specialists, and their views diverged widely on how to improve international cooperation in cyber-space, which over half of them now consider a global common like the sea or space.

Everyone agrees that cyber-security presents a global rather than a national challenge. But how global should our attempts at a solution be? It would be my hope and that of the SDA that this report will help show where global thinking on cyber-security currently stands, and how to improve it. The following recommendations are a step in that direction. They are not directed at specific bodies or institutions, but are intended as a checklist for achieving international solutions to global regulatory questions.

Brigid Grauman, February, 2012

Recommendations

1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).
2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.
3. New problems and opportunities created by smart phones and cloud computing must be examined.
Cloud computing needs an appropriate architecture to achieve optimum security levels.
4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integration and availability in different doses according to the situation.
5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.
6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.
7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.
8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.
9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance or trust through the use of security mechanisms and processes.
10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.

PART ONE

Section I. Clearing the booby traps from the cyber-security minefield

There is little agreement between experts and national authorities on terminology, and without that the prospects for regulating cyber-space are poor

A central feature of the cyber revolution is that no one agrees on the terminology. There's the language of the military and the language of the geeks, and a wide variety of interpretations in between. The place to start any global discussion on cyber-security is therefore to agree common definitions, but so far this hasn't happened. And yet if we are to set up safety rules in this vast ocean of good and bad, of global inter-connectivity that opens the doors equally to educational opportunity and to global crime, we have to agree on what we are talking about. Do we want to take the more military stance of the US, or do we want a consensus in which all stakeholders participate?

Experts compare the need for rules and regulations to those of the road. In the early days of the motor car, the few drivers who took to the road learned as they went along. Nowadays, we snap on our seatbelts almost by instinct. The rules of the road make for safer cars, safer drivers, safer pedestrians. Some argue that the approach to the internet should be similar.

Terminology: Cyber-war and cyber-attacks have many meanings. It's time to settle on just one

The three distinct activities in cyber-space are cyber-espionage, cyber-crime and cyber-war, each with its own motivations and goals. Cyber-war is the most contentious. Former US cyber-security tsar Richard Clarke describes in his book Cyber War an American Armageddon of aircraft dropping from the sky and crashing subways. Although not everyone shares this chilling vision of the future, many talk of cyber as a "weapon of mass disruption".

Stewart Baker is clear about what he means by cyber-war. The Steptoe & Johnson partner and former Assistant Secretary of Homeland Security under President George W. Bush says: "The people who pooh-pooh cyber-war do so mainly by saying that no war takes place in cyber-space only. That's like saying air wars only took place in the air, when air warfare is always part of a larger battle."

According to Baker, in a 21st-century war cyber-weapons might be the first deployed, alone or with other weapons. "It's not unlike air power," he says. "Cyber-weapons allow you to do a bunch of things that leave it a little ambiguous as to whether or not this is a state of war. Are no-fly zones an act of war? Even if it was only moderately effective, the attack against Georgia in 2008 was a cyber-war."

Isaac Ben-Israel, cyber-security adviser to Israeli Prime Minister Benjamin Netanyahu, puts it succinctly. He talks of the specifics that make a cyber-war: "A cyber-war can inflict the same type of damage as a conventional war. If you want to hit a country severely you hit its power and water supplies. Cyber technology can do this without shooting a single bullet."

Others think we haven't yet seen a cyber-war. Mohd Noor Amin is Chairman of the Malaysia-based NGO Impact (International Multilateral Partnership Against Cyber Threats). He puts it differently: "I believe that what happened in Georgia in 2008 was a conventional war with offensive cyber elements. Our view is that we haven't yet seen a pure and significant cyber-war."

Tim Scully, CEO of stratsec and Head of Cyber-Security at BAE Systems Australia, introduces a nuance, and that is to use words prudently so as not to turn cyber-space into a potential battlefield. "The over-use of the terms cyber-war and warfare tends to push the cyber-security problem into the government and defence spheres, thereby potentially ignoring the impact of the cyber-threat on the private sector and creating an imbalance in government funding. I try to avoid the use of the words cyber-war or warfare as they can lead to the militarisation of cyber-space."

"Let's think in terms of what we already know to get our minds around it," says James Lewis, Director of the Technology and Public Policy programme at the Center for Strategic and International Studies (CSIS) in Washington DC. "It's time to locate thinking about cyber conflict into the framework of existing international law and strategy. The attack against Estonia was not an attack and didn't trigger NATO's Article 5*. It was not a military action."

* Article 5 of NATO's Washington Treaty calls on its member states to collectively defend any NATO nation that is attacked

Moving into uncharted waters: Cyber-crime pays because it's profitable, low-risk and anonymous

Unlike the nuclear threat and others before it, the cyber-threat was upon us with little warning and had a very short gestation period. According to McAfee, every year sees one million new viruses, from worms to logic bombs, and that figure is climbing. The threats come from sources ranging from the criminal (online fraud now dwarfs all other forms of fraud), other states, usually for reasons of espionage, across to politically motivated hacktivists and terrorists who use it mostly for recruitment purposes.

Three factors make cyber-crime so tantalising for criminals. Costin Raiu, an anti-virus expert at the Russian security company Kaspersky Lab, says it's a "three-headed hydra". The first is that it's profitable. The second is that it's low-risk. The third and most important is that it's anonymous. Attribution is one of cyber-crime's trickiest problems.

"The core problem is that the cyber-criminal has greater agility, large funding streams and no legal boundaries to sharing information, and can thus choreograph well-orchestrated attacks into systems," says Phyllis Schneck, Chief Technology Officer for Public Sector at McAfee. "The good guys have to attend meetings and publish reports to enable even minimal data sharing to track their opponent. Until we can pool our data and equip our people and machines with intelligence, we are playing chess with only half the pieces."

Now that cyber-space means borders no longer mean anything, countries have to work together as does everyone who claims a stake in it. And that means decision-makers and intelligence services down to the citizen at home on his or her computer or smart phone. With cyber-attacks, the number of targets is almost limitless. It took some 20 to 30 years after the advent of the nuclear age to put arms control systems in place. We can probably expect the setting up of an international system of cyber-rules and regulations to take time too.

"We're moving into new territory," says Alastair MacWillson, Global Managing Director of Accenture's global security practice. "The dynamics of cyber is moving so fast - its intent, its uses and the pace of change. There are many business models. No one has really got their mind around what all this really means and what we should do about it."

Hype is inevitable with any attack involving trillions of currency losses, although the figure is often pure extrapolation. How do you evaluate the loss of a source code? Or the theft of intellectual property? What are we actually defending? What do we need to protect?

Lars Nicander, who heads the Centre for Asymmetric Threat Studies at the Swedish National Defence College, believes the main threat is penetration of poorly protected systems. "Stuxnet," he says, referring to the computer worm that in 2010 damaged the centrifuges at the Natanz nuclear plant in Iran, "was more about intelligence gathering. That's what we should be worrying about: qualified terrorists getting access to badly protected information systems. Although you need to be a state actor to do something really difficult."

"In some cases, who cares who did it?" says Canadian expert and practitioner Rafal Rohozinski. "We need to arrive at a more graded definition of cyber-attacks. Now we have this universal way of talking about them, which doesn't allow for different definitions of culpability. Sometimes we just want to know what jurisdiction to hold responsible."

Trust is a most elusive notion: The internet was built on trust, and that's why it's so vulnerable

As Israeli security adviser Isaac Ben-Israel says, the most vulnerable target for cyber-attacks is a country's critical infrastructures - power, water, telecommunications, transport, hospitals, banks. In most countries, these assets are in private hands, so the challenge now is to develop a strong enough private-public partnership to secure these systems, and to convince people to make that investment. Anticipation is often seen as a waste of money.

The internet was famously built on trust, with few safeguards to protect it. Early-day hackers attacked systems for the challenge they posed. Now it's about making money and stealing intellectual property and military and industrial secrets. But trust is still very much the operative word. Some people call it "assurance".

What are the safeguards we need to put up to make sure we can trust the systems we use daily? Should software companies be held liable for their products? Should internet service providers? How can we make sure the components in the entire IT chain are trustworthy? Does cloud computing give rise to insoluble issues of jurisdiction? Should we be creating international agreements to establish who takes responsibility for sovereign cyber-space?

Good brains around the world are thinking about these issues. Not everyone shares the same views, but most know that the internet is here to stay and that it's a global not a national issue.

Section II. Tracking the cyber-revolution: New threats and changing ethics

Time for a change of mindset

How dangerous is the cyber-threat? Are we more vulnerable now, or are we developing promising new defensive technologies?

The near-unanimous perception is that we are more vulnerable than before. The number of systems coming on line is growing exponentially, and our reliance on technologies increases daily. Last year, internet pioneer Vint Cerf famously suggested that we do a massive reboot and start all over again in a more regulated environment, but most people think that's pie-in-the-sky.

"Are we becoming part of a totally unregulated data revolution?" asks UK information and security lecturer Christopher Richardson. Richardson doesn't think the picture is as dramatic as some people paint. "There's a big degree of hype. We don't know what's really happening." He suggests that we are given a skewed idea of how many incidents really occur, both in the public and private sectors, because of secrecy concerns. He notes how few of the many students he teaches every year have so far been attacked.

"You have this perception from the papers that everything is growing worse and worse," says Olivier Caleff, Senior Security Consultant at the consultancy Devoteam, "but it's not very different from what we had before. More people are connected, more people are trying to get around security systems, more people are involved in security, we have more tools to detect issues. We have more of everything, including knowledge."

Whatever the hype, the rise in cyber-crime is inevitably going to see more rules, laws and limitations on how people can use the internet. What 40 years ago was a gentlemen's group of users is now a lucrative and low-effort playing-field for cyber-criminals.

"The internet allows anyone to send anything anywhere and it will likely get there," says Phyllis Schneck of McAfee. "We must destroy the profit element by improving our control over the routing, delivery and execution of malicious instructions, and block the threat. Swimming pools have chemical filters. Networks and computers need intelligence filters to prevent enemy instructions from finding their target."

Another problem is that the introduction of new technologies brings unforeseen causes and effects. When researchers defined the protocol behind the email system, they didn't consider spam was a threat because it cost too much to send an email. "But technology evolved and spam took over because of a weakness in the original protocol," says leading Danish expert Christian Wernberg-Tougaard. That's been one of the catches of the IT industry for a number of years. We need to consider carefully how to implement new technology. Wernberg-Tougaard recommends that the "better minds" in the public and private sectors get together with researchers to discuss the impact of today's technology on tomorrow's world.

For men like Richard Crowell, professor at the US Naval War College in Newport, Rhode Island, we need to think cool-headedly about the new domain the cyber-threat represents to understand the new risks. "We're at the same point we were in the inter-war years," he says. "The (WWI) battle of Gallipoli was a big failure for the Allies and it taught us never to do amphibious warfare again. We had to successfully learn to move from one domain to another, from sea to land. That's what the thinking was all about at service colleges in the 1930s and 40s. And we've reached that stage again."

"We're thinking increasingly about boundaries and protecting our own information better," says Crowell. But he concedes that after 30 years in the Navy through the Cold War, he has a mindset that is radically different from his sons'. "My sons' idea of access to information is much more open than mine. I think young people need to think more about what they post on the internet, and my generation needs to think more openly."

Cracking Duqu, the virus admired by experts

At the time of writing in early 2012, the mother of all Trojans is called Duqu.
That is until the next one turns up. For many people like Costin Raiu, global director for Research and Analysis at the Russian security company Kaspersky Lab, this was by far the most exciting attack of his career. For several months, Kaspersky Lab and security software company Symantec have been studying Duqu to try to understand how the virus operated undetected for four years. "Understanding it will allow us to design the data security technologies of the future," says Raiu.

What has Duqu taught Raiu? Among other things, that the Duqu and Stuxnet worms were invented by the same software company, and that they struck far and wide, infiltrating computers in France, the UK, Taiwan, Germany, South Africa, and elsewhere. "We suspect," says Raiu, "that Stuxnet's focused attack on the nuclear centrifuges in Iran was done thanks to information previously stolen by Duqu."

Raiu greatly admires the skills involved. "Duqu used exciting technologies in brand new ways. Most Trojans steal information and send it on. With Duqu, every action is split into so many components that you can't tell this is a malicious attack. When you bring the components together, then it obviously is." For Kaspersky and other anti-virus labs, the challenge now is to create protection against similar technologies: taken apart, they seem innocent, but put together they are very dangerous.

THE CYBER-SECURITY VENDOR'S VIEW

David Marcus is Director of Advanced Research and Threat Intelligence at McAfee Labs, and writes his own blog. He's not so much interested in what's next after Duqu as curious as to its long-term potential repercussions. "The unique thing about Duqu is that it potentially targeted certificate authorities, and used stolen and forged certificates to create rogues that became whitelisted drivers. How is this potential in the attack going to evolve?" he asks.

McAfee's work, he says, gives him a vendor-specific way of looking at the universe. "It's all about protecting customers' data and assets and ensuring safe communications, and about preventing bad things from happening."

From his perspective, cyber-spies and cyber-criminals are in many ways much the same. They may use exactly the same tools and techniques. Sometimes, the same attack can have both cyber-crime and cyber-espionage goals. Often, they differ only in how they intend to use the stolen data or IP.

Although Marcus recognises that smart phones and cloud computing raise issues of sovereignty, responsibility and ownership, he says they don't represent a truly new threat. "They are evolutionary rather than revolutionary. It's the same types of threat thrown at an evolving technology. The problem is nobody is going to want to own responsibility for the data because it's spread out geographically."

A self-styled connectivity libertarian, he says he struggles every day with the question of defining success conditions for good global cyber-security. "I'm a fan of self-policy," he says, "but I realise the limitations of business and users regulating themselves."

In the meantime, he can't see any country that has got its cyber-security act under control. "We are a collection of weak-link countries," he says. "One major problem is that too many companies, enterprises and governments are busy figuring out technology from a year and a half ago. Technology develops before business gets a handle on it."

He isn't convinced government has the right perspective because most politicians and elected officials have such a limited understanding of technology, often due to their age. "They are not techies," he says. "They have no idea how quickly technology changes, how volatile it is. At least the younger generation has an implicit understanding of how fast information changes hands, the nature of changing data."
Should we be talking of a new ethos?

Everyone agrees that galloping changes in cyber-space don't mean the system has reached maturity. "An immense set of changes is on the way," says CSIS expert James Lewis, "and that includes how to play out the extension of sovereignty, changes in governance and perhaps even reconsider our kind of freewheeling approach to the internet."

Laws and international agreements are key, says Sweden's Lars Nicander. "To take one example, when Estonia turned to Russia for legal assistance during the 2007 cyber-attacks, Russia declined to help because they hadn't signed an agreement to protect critical infrastructure. We have to expand governance systems."

For John Meakin, Chief Security Information Officer at oil giant BP, "there is no question that from where I am sitting at BP the advent of new technologies is causing us to change our security model. The old model of internet security basically said, 'It's secure because we own it.' Whereas now the challenge is how do we keep it secure when we don't own the internet? We may own the data but we don't own the internet. When we don't own the data's container, what happens? That's really it in a nutshell in terms of changing ethos."

The new thinking in the IT security community is that new firewalls, new encryption algorithms and so forth, are not enough to make people feel safe. "So far in Europe, America and Asia, we've been focussing on the mechanisms required to protect the new internet environment," says Jesus Luna, who leads a security research group at the Technical University of Darmstadt in Germany, "but we've started to realise that we also need assurance about those mechanisms."

Assurance is about establishing metrics and measurements to generate trust in protective mechanisms. "For instance, you pay your ISP (internet service provider) for its services, but how can you be sure that the ISP's security mechanisms are protecting you against malware or any other cyber-threat? How can you be sure they are providing the right assurance levels?" Luna asks.

Among other such groups, the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA), that count Google and McAfee among its members, are working on technology and techniques that give this assurance. CAMM offers guidance on how much to invest in security by using metrics, or the "economics of security". Says Luna: "We the academics have been developing the security metrics that will give this assurance."

Smart phones pose security challenges

Developments like smart phones and cloud computing mean we are seeing a whole new set of problems linked to inter-connectivity and sovereignty that require new regulations and new thinking. Experts talk of the internet of things and services, and things are smart phones, androids (mobile operating systems), tablets and sensors, and services including the cloud.

"The mobile internet is changing things," says Canadian expert Rafal Rohozinski. "The next two billion users will be connecting from mobile devices, and many of those devices are in developing countries. The sheer numbers are likely to have social impacts like flash mobs. A lot more politics is migrating to cyber-space, with parallel calls to regulate cyber-space. The governance of the internet as a whole is reinvesting states with the authority to regulate cyber-space."

The issue is also about security and privacy. A smart city - one with sensors on traffic lights, sensors in cars, electric smart grids, patients wearing sensors - raises many new problems. "What is personal information and how are we going to protect the data in these devices? Are these devices really giving us the right security and privacy levels?" Luna asks.

"We're talking again about assurance," says Luna. "We need a lot more legislation. We need to push companies to enforce data protection mechanisms that protect the privacy of citizens. The EU is doing quite good work on this. This is going to take some time but the early steps are being taken."

Cloud computing: The challenges of separating network from content
As for cloud computing, outsourcing the filing of data has been around for 40 years. What's new is the geographical spread of this storage. The National Institute of Standards and Technology (NIST) provides the standard definition for cloud computing: a rapid, on-demand network access to a shared pool of computing resources. These are not in the stratosphere, they are basically hangars full of servers. Outsourcing means considerable cost savings, and many companies are now using it for computation and data storage. Bandwidths are now large enough to transfer large amounts of data to data storage facilities. Amazon, eBay, Google, Facebook and all the big names are outsourcing computation to cloud.

"Cloud computing means separating the network from content in ways that didn't exist before," says Rohozinski. "The laws we have governing copyright and territorial security get skewed." Among other issues raised by cloud computing is the cost of processing power and connectivity and the whole issue of net neutrality.

But Luna warns that these new storage facilities give rise to problems of security and jurisdiction. "Who are you going to sue if there's a problem?" Google, for instance, keeps one third of its cloud in Canada. "Is that information subject to US or Canadian law?" asks Rohozinski. Cloud computing creates new questions for the lawyers. "What does it mean from a liability point of view? How does one handle different data retention and privacy laws? What happens when data shifts location? Who determines the final resting place of jurisdiction?"

Section III. Cyber-defence strategies: The hottest debates and conditions for success

What are now the hottest debates in cyber-space defence strategies? Twenty themes emerged from the interviews conducted for this report.

1. Developing an offensive stance

Several countries are formulating plans to respond more aggressively to cyber-attacks, and are making investments in this direction. The UK's new cyber-strategy released in late 2011 brings up the notion of self-defence. This more bellicose stance applies both in the military and private arenas. William Beer, Director of Information and Cyber-security Practice at PwC, refers to the UK's White Paper of September 2011 that suggests companies should be more vocal and use legal means to protect their organisations. "For instance, instead of writing off losses, they should invest into actively targeting those organisations that have been attacking them," he says. "The old approach was 'I won't tell people.' Now the attitude is 'I'll use every legal means at my disposal to protect my company.'"

2. Rating countries' offensive capabilities

"Everybody only discusses offensive cyber-strategy via veiled references to the Russians and the Chinese without any strong, public, quantifiable proof," says David Marcus, Director of Advanced Research and Threat Intelligence at McAfee Labs. "No one has stepped back and said, let's take the 30 or so countries we think have offensive cyber capabilities and grade what they are and how they differ."

He believes we need a country-by-country rating methodology for offensive capabilities as well as defensive, and says most cyber-security professionals pretty much know what most countries are capable of doing - "It's the countries that have cyber-offensive training programmes at a military or government level, it's those that consider cyber as part of the war theatre."

Marcus believes there can't be a strong defence without a solid, quantified knowledge of offensive capabilities, and that most governments have developed or are developing cyber-tools and attack tools. "We dance around this issue but is there really any difference between developing fighters and cyber-weapons if they are both used in warfare? Everyone blames the Chinese for everything today, but if we're going to push for government regulations and policy then let's lay out who we think has the top cyber capabilities. I doubt you could find a country that is not working on it."

3. Protecting an increasingly integrated global system

We are looking at an increasingly integrated cyber-world with much more system-sharing and cross-border services, such as cloud computing, and we need the system to be functional and safe wherever it is located. "How do we protect our infrastructure?" asks Danish security expert Christian Wernberg-Tougaard. "It's great to have shared service and cloud," he says, "but how do we protect this multi-faceted structure? If a component were to be attacked, or if a country were to become unstable, you might face a serious challenge." The discussion between the EU and the US right now asks such questions as, can you have cloud services within the domain of the US Patriot Act while also being under the EU's data protection act?

4. How safe are SCADA systems?

SCADA systems, known as Supervisory Control and Data Acquisition Systems in the US, have always been around. They are the physical elements that control pumps and barrels, and other infrastructural and industrial processes. The challenge is that they used to be isolated systems and now they are often connected to the internet or accessible using data transfer devices like USB sticks. Increasing connectivity means more vulnerability. "If you can control a SCADA system, you control the facility or the industry," says Bart Smedts, Senior Captain and Research Fellow at Belgium's Royal Higher Institute for Defence. "Via SCADA, you can control the economic work of any nation. Once you realise you have a virus on a SCADA system or the internet you
can expect it to spread like an epidemic."

"Many of these systems are unprepared for cyber attacks," says Frank Asbeck, Counsellor for Security and Space Policy at the European External Action Service. "A lot of damage can be done through ignorance, carelessness or malicious intent." Like other experts, he believes we need to think hard about how these new factors affect systems physically and technically, and then decide what to do about it.

5. Security versus privacy

The issue is whether network data like IP addresses is considered private. Cyber-security providers need to track malware using these IP addresses if they are to block attacks, which is very different from those who collect the same data for marketing or behaviour tracking purposes. "In fact, if cyber-security providers and network providers can use IP addresses to track malware, we believe that more data will be kept private," says McAfee's Phyllis Schneck, "because we will be more successful at preventing the bad guys from computer intrusion and unauthorised access to personal information, financial data, intellectual property, and systems that control and monitor physical infrastructure."

6. Net neutrality

The heated debate over net neutrality is about whether broadband providers should be allowed to exert a veto on applications that use large amounts of bandwidth or discriminate among content providers. Brazil and Argentina, among others, are moving forward with net neutrality and opening their market to everyone. In the US, the argument is sharply divided; President Barack Obama is a believer in it. "Industries are completely against it," says Melissa Hathaway, who runs the consultancy Hathaway Global Strategies and was formerly cyber-advisor to the Department of Homeland Security. "I myself don't think that net neutrality is a good idea," she says. "Industry needs to be that frontline of defence. ISPs, the conduit for delivering content, should be responsible for not delivering some content."

7. Towards international rules

With the increasing threat of states engaging in malicious cyber activities against the critical infrastructure of other states, the need for international cooperation grows daily more urgent. "We need to prepare the battlefield," says Vytautas Butrimas, Chief Cyber-Security Advisor at Lithuania's Ministry of Defence. "There are holes in the systems. We need to reduce the risk of another state placing something like a logic bomb that would cause systems to shut down. There is no such thing as zero risk but we can make the risk acceptable."

8. Building a more solid cyber architecture

"We are closing the stable door after the horse has bolted," according to Christopher Richardson, lecturer for the UK Ministry of Defence. The current ad hoc approach to regulation isn't going to make the cyber environment a safe place to do business. "There are too many people with too many views," he says. "We need to look beyond particular attacks and improve assurance." Experts talk of improving asset management so as to know what we are trying to defend and creating a "patched up" environment. "We don't need to be scared but educated," says Richardson.

New technology is now focused below the operating system. It communicates directly with the computer hardware and chips to recognise malicious behaviour and be smart enough not to allow it. "The buck stops here," says McAfee's Phyllis Schneck. "This is the newest and deepest layer and, together with more intelligence in the other layers, a key part of the future of cyber-security. Communication with the hardware is the queen of the chessboard - it can stop the enemy almost immediately or control a longer game. Either way, we win."

9. Tackling weakest-link countries

"The challenge in the digital economy is that no chain is stronger than its weakest link," says Christian Wernberg-Tougaard of the Danish Council for Greater IT Security. Weakest link countries are those where absence of legislation creates havens for cyber-criminals. One view is to take the drastic option of disconnecting them from the internet. Another is to use tools to filter out internet providers from that country. A number of companies in the US block all Internet Protocol (IP) from China. "The best solution," says Costin Raiu, director for Research and Analysis at Kaspersky Lab, "is to try to improve the economic situation in those countries. Internet crime is always connected to unemployment rates."

10. Securing the Internet supply chain

A new discussion centres on the issue of securing the internet supply chain, particularly in sensitive areas of government that form part of the critical national infrastructure. This is about where you get your hardware devices, routers, servers, switches and so on. Could malware be introduced during manufacturing? Will companies want to work only with certain countries? Alastair MacWillson of Accenture says: "This can be seen as a form of protectionism, but it may also be about prudent security mechanisms."

11. Increasing awareness of the scale of the problem

We need greater awareness at all levels and in all sectors, and more dialogue all around. "It's not going to happen overnight but we need much tighter private-public collaboration across borders and across cultures," says William Beer, director information and security practice, PwC.

12. Taking a holistic approach

Hamadoun Touré, Secretary General of the International Telecommunication Union (ITU), is adamant: "As long as we carry on thinking that the solution is only technical we won't get anywhere. We need a holistic approach involving legal, regulatory and technical measures, as well as an ethical approach. We also need an Integrated Supply Network within an international framework."

13. Defining the role of governments

The view from industry is that there are things that governments can and should do to improve the overall state of security, and things they shouldn't and cannot do. "Governments should be involved in commonality over borders," says John Meakin, head of cyber-security at BP, "but they don't have a role to play in the detailed disposition of security mechanisms around any one enterprise's internet estate."

14. Governments must take greater care when taking advice

Who is advising governments? According to BP's Meakin, key decision-making forums are populated with career civil servants, particularly in the US and the UK. Meakin and others like him believe that dialogue at the top needs more experts from the "buying" side of the industry, as well as its selling side.

15. Information-sharing at an international level

There is no single international agency or body with the mandate to deal with cyber-security. Also, national and regional organisations have to improve cooperation. "Security is so vast that there is a long way to go before we reach trust," says Italian cyber-expert Stefano Trumpy. "We need more and more information sharing," says Japan's Suguru Yamaguchi, a leading specialist on network security systems. "That's the difficult part. Global companies are good at sharing information. They could act as catalysts to encourage governments to be more open."

16. Thinking differently about cyber-security

Cyber-security advocates like Australian Tim Scully argue that we are wrong to protect our inter-connected systems at the expense of the information they contain. "Right now, our model is systems-centric," he says. "Private and public organisations are being attacked and large amounts of data are being stolen despite traditional boundary defensive measures, like firewalls, anti-virus and intrusion prevention and detection applications."

He argues that we should think in terms of trophy information. "People need to focus on protecting their most sensitive information rather than the system itself," he says. "Subsequent segregation of data might even mean that some information is air-gapped from the internet if its loss were to have catastrophic consequences."

17. Citizen awareness

There has to be more widespread awareness that cyber-security starts with everyone's behaviour and awareness. Far too many people at all levels of the hierarchy haven't realised that they should take responsibility for their home computers and the IT system at work. It's a battle that will never be entirely won. "There will always be someone to click on a link they should not click on," says Scully. "Hackers exploit social vulnerability, that is why spear-phishing is so successful."

18. Reducing secrecy

Over-classification of data skews the picture of what is going on. "Secrecy concerns are the bane of cyber-security," says Austrian Alexander Klimburg, analyst with the Austrian Institute for International Affairs. "We should put more stock in non-state attribution, security trust networks outside government, to attribute cyber-attacks."

19. Harmonising codes and laws

Discrepancies between code and laws can lead to abuse and should be resolved. Florian Walther, senior IT security consultant at Curesec, says this is what happened in Germany when the intelligence services were found to be using spyware in a more intrusive way than specified by law. "The code defined what it could do and what police forces could do, but the law didn't," says Walther. "The program was making the law, and defining what was and was not possible."

Cyber-attacks can often be seen within network flow patterns, much as storms can be seen forming on a weather radar map, says McAfee's Phyllis Schneck. "The collection and correlation of cyber-data requires international agreement," she says, "and it's urgent because the bad guys at present have the advantage. Without these agreements, their behaviour is not always seen in time to thwart an attack."

20. Defining pre-emptive cyber-attacks

Another difficult question is how to define pre-emptive cyber-attacks. What are they? How would you come up with the evidence? How strong can retaliation be? What is proportionate? "Furthermore, you can't attack if you haven't first penetrated the system," says Jamie Shea, NATO's Deputy Assistant Secretary General for Emerging Security Challenges. "It's a game of mirrors, like the Menin Ridge at Messines in 1917. Where is the line between defence and aggression?"

Section IV. The quest for rules and regulations to govern cyber-space

It has taken the spectacular increase in cyber-attacks for political leaders in the United States, the European Union and parts of Asia to sit up and take stock of the costs involved and the loss in competitive positions.
"I've been working in computer security for 23 years," says BP's Chief Information Security Officer John Meakin, "and it's really only in the last two or three years that policy-makers have begun to wake up."

On the other hand, "if the internet had started with security and control in mind it would never have taken off," says Alastair MacWillson, Accenture's global managing partner of global security. "One of its strengths is that it is unregulated. It's not in anybody's interest to regulate." He recalls his concern when US President George W Bush wanted the authority to regulate and monitor the internet under the Patriot Act. "However," he adds, "companies that use the internet should be much more sensitive to the fact that it's an open highway. They need to invest in the technology that ensures they know who they are doing business with."

As the medium matures, the need for global rules has grown and there are now some 20 political groups and economic forums worldwide addressing cyber-security issues. Improving corporate governance could solve a number of problems. Christopher Richardson, who lectures at the UK's Defence College of Communications and Information Systems (DCCIS), thinks that many companies hold on to data they don't need and that strong internal audits should put a stop to this. "We need to look at how we regulate data management and protection everywhere," he says. Encrypting large amounts of data doesn't make sense. "We want smaller units of data and only what is necessary. Why were Sony recording CVV codes on credit cards? How else can we make things safer?"

Establishing market best practices is a good first step that is both practical and low-cost, and can be implemented quickly. In the EU, the mission of ENISA, the European Network and Information Security Agency, includes sharing this kind of information between the 27 member states.

Cyber norms and common security standards

ENISA also works at the complex task of defining standards. "Different EU member states are at different stages," says the head of the technical department Steve Purser. "A lot of our work is first seeing how countries deal with things, then defining common standards." How do you ensure that these standards are observed? "You can either impose them or let the market sort things out. Many organisations now use the ISO 9000 standard; if you have that label you have credibility. We can do the same with the security market."

The way to go, says researcher Jesus Luna of the DEEDS security research group in Germany, is to encourage industrial and academic consortia, interest groups and specialised communities, to set up de facto standards that sooner or later will become widely accepted. The cloud security alliance CAMM (Common Assurance Maturity Model) is one such instance. "Fortunately, some private companies realise that working with competitors can benefit them," says Luna. Having international standards is an economic necessity; we need technology that is inter-operable between countries.

The difficulties of going global

National sovereignty is one thing, but in cyber-space collective responsibility can't be avoided. Countries around the world have set up national CERTs, or are in the process of doing so. Large companies and public institutions have also set up these rapid response teams to act in emergencies and inform citizens about computer security, and they are also increasingly taking part in global networks of CERTs. "If you want to shut down a botnet, you'll be lucky if it's in your own country," says Purser. "International collaboration is essential. Security within national boundaries doesn't make sense. Everything is globally connected. A European approach doesn't make sense unless aligned to the approach of international partners."

But opinions about how to legislate vary. There are those who argue that the internet is changing so fast that regulations will never keep up, others who believe legislation stifles creativity, and countries that want to exert control over content. Is it unrealistic to expect global rules for cyber-security and cyber-privacy? Probably, says Stewart Baker, who worked for Homeland Security and is now a partner in the law firm Steptoe & Johnson. "There's too much advantage in breaking those rules." He is hostile to the EU's data protection directive, aimed at regulating the processing of personal data, calling it an attempt at a "neo-colonial imposition of privacy notions on the rest of the world".

The rift between the US and the EU on the protection of privacy is one bone of contention but there are others. "We should strive for global rules," says Tim Scully, CEO of Stratsec and Head of Cyber-Security at BAE Systems Australia, "though they will be difficult to achieve." Like many, he thinks it would be much easier to start with global standards that protect information and to train and certify cyber-security professionals.

Jaan Priisalu, who heads the Estonian Information Systems Authority, thinks we won't get anywhere until the political and the technological worlds understand what the other is saying. "I see huge misunderstandings in every country," he says. "The technological people's culture is how to use the network efficiently and they usually don't like to talk. At the same time, you
hear pciticians making st.pid and arrcgant statements abc.t appying and reg.ating the av 'We need r.es and agreements tc keep the cyber vcrd r.nning, says Kamlesh Bajaj, Chie Sec.rity Ccer at ndias Lata Sec.rity Cc.nci 'The prcbem is vhen pcicy-makers start tc reg.ate vithc.t .nderstanding the iss.es Fcr Eajaj, these iss.es are nct scey abc.t ccmpiance 'The chaenges pcsed by the mcvement c data mean that stringent ccmpiance reg.aticns arent enc.gh Yc. might appy them in cne cc.ntry and p.t yc.r cvn cc.ntry at a disadvantage We need tc cck at a sides c the arg.ment IMPACT, THE CYBER-TALK PLATFORM With the fast spread of smart phones, including in the least developed countries, cyber-security is in the process of shifting east and south of the globe. Conventional wisdom dictated that cyber-security focus on the richer countries. That view is changing. If we are to avoid safe havens for criminals in countries with no cyber-laws, we urgently need to help those countries. Mohd Noor Amin, head of IMPACT, the cyber-security alliance headquartered in Malaysia, says even the most sophisticated countries now realise you have to assist the poorer ones. The ITU-backed platform has 137 member nations and brings together governments, academia, industry and international organisations from developed, developing and the least developed countries. 25 Part One Adapting existing rules Lc the experts think many r.es are aready here vaiting tc be adapted Scme dc n many cases, it might be simper tc extend the sccpe c existing avs than tc revrite crimina ccdes rcm scratch and design nev egisaticn, they say 't dcesnt take that m.ch c an adaptaticn c existing crimina ccdes tc take eective acticn against cyber-criminas, says EPs John Meakin. 
'The prcbem is that payers cn the av encrcement side, prcsec.tcrs and j.dges are cten igncrant c the vay ccmp.ter systems vcrk ve cck at internaticna treaties ike the Ceneva Ccnventicn, many existing r.es c var may asc appy tc cyber-space 'There are thcse vhc say cyber- space is the th dimensicn c varare, says l.straian Tim Scully 'n that regard, m s.re avyers cc.d gc thrc.gh scme c the existing r.es and appy them at an internaticna eve tc cyber-space The thcrny iss.e c attrib.ticn may appear tc get in the vay Nct sc, says Vytautas Butrimas, ith.anias Cyber-Sec.rity adviser at the Ministry c Leence 't may be tcc dic.t tc track dcvn the ccmp.ter tc the very apartment, the very b.iding, the very perscn vhc is pressing the enter the key, b.t it is technicay pcssibe tc pinpcint the cc.ntry vhere the attack criginated His viev, shared by many, is that ve need an internaticna agreement that makes every cc.ntry respcnsibe cr its scvereign cyber-space and th.s crced tc take s.ch steps as bccking inected ccmp.ters rcm the internet 'Yc.d act in the same vay vith a chcera pandemic, he says 'The attrib.ticn debate asc has its cac.ating and cynica side States that vant tc keep their cpticns cpen vhen seeking tc achieve a pcitica cr miitary cbjective are cppcsed tc any restraint cn their .se c cyber-veapcns We are not a treaty, but a voluntary cooperation platform, says Amin. We tackle cooperation issues between countries in different jurisdictions. That cooperation is going to get stronger. Nobody wants cyber-crime to operate in their jurisdiction. The problem is not that nothing is being done, but that those governments with cyber-criminals working in their territory dont know what is going on. IMPACT runs an electronic platform jointly with the ITU involving law enforcement, ISPs, telecoms regulators and policy-makers. Amin believes that successful information-sharing among IMPACT members will not replace the benets of an international treaty. 
"It's a significant first step to getting people around the table. If business competitors can sit at the same table to do something good for the world, why can't governments? A treaty would enhance levels of cooperation."

The lack of international mechanisms

For the time being, there are no international mechanisms that coordinate national cyber-defences, including intelligence gathering. According to Canadian expert Rafal Rohozinski, the best coordination and expertise sharing so far is between the Five Eyes: Canada, the US, the UK, Australia and New Zealand. "The concentric circles around that are tenuous," he says. "They include NATO, the Council of Europe, and the Collective Security Treaty Organization (CSTO)."

Colonel Emilio Sanchez De Rojas, who heads the Department of Strategy and International Relations at Spain's Ministry of Defence, argues for a comprehensive approach that would include all the main actors and organisations: the UN, the Organisation for Security and Cooperation in Europe (OSCE), the EU and NATO, as well as multinational businesses dealing with cyber-security. "But," he stresses, "these rules have to be accepted not only by main powers like China and Russia, but also by more cyber aggressive countries like Nigeria and others in Africa. We need to reach a compromise between security and freedom."

Japan's Suguru Yamaguchi, former advisor on Information Security to the Cabinet of the Government of Japan and a professor at Nara Institute of Science and Technology, believes a small first step is the Budapest Convention, the Council of Europe's convention on cyber-crime, the first international treaty to seek to address internet crime, which has been ratified by Japan, the US and China, among 117 other countries. "We are encouraging more countries to sign the treaty," Yamaguchi says, "because it offers a comprehensive framework for capability and collaborations in investigating cyber-crime. State-sponsored attacks are a criminal activity and require the same cyber-security measures."

The impossible dream of a global treaty

In 2010, before the UN's ITU (International Telecommunications Union) conference in Mexico, Secretary General Hamadoun Touré said he wanted a "cyber peace treaty". But for many, simply agreeing on common rules and setting up a global body are a big enough challenge.

For the more hawkish, like US lawyer Stewart Baker, an international treaty is a waste of time. "At worst, it will delude western countries into thinking they have some protection against tactics that have been unilaterally abandoned by other treaty signatories," he says.

The London Conference on Cyber-space in November 2011 wanted to be the launching pad for an agreement on designing a cyber-security treaty, but that was not to be. Too many countries didn't share the same viewpoint. "I'm a realist," says Erik Frinking, who works for the Centre of Strategic Studies (HCSS) in The Hague, "and so I seriously doubt we can have a global legal agreement. Codes of conduct are already a source of conflicts with the Russians, Chinese and others."

Where cyber-conflict raises its ugly head, Frinking believes we should use the same rules of engagement as for conventional war. "Rules of engagement can be agreed at a very abstract level, but it's hard to see countries agree at this moment on rules applying to other domains."

A number of challenges can be handled informally. If we see cyber-security as a network of safe countries, says Baker, we should think in terms of a rough working consensus that turns outliers into pariahs. "We used to have that problem with banking. A number of money-laundering centres saw opportunities to profit from not enforcing money-laundering rules," he says. "The bigger financial participants in the global financial system shunned these countries pretty effectively, reducing the number of places where you
can hide money. A similar mechanism could be applied to isolate countries that don't respond to investigative requests."

"Cyber is a dangerous space," says the ITU's Touré, "and we must create a framework of cooperation to protect basic human rights. Governments have to commit themselves not to attack one another, and we must set up a framework of cooperation to arrest criminals wherever they are. Are we ready for such a negotiation? We don't have a choice, we've got to do it for the safety of our children, our businesses and our countries."

A realistic alternative to a peace treaty: Cyber-confidence measures

A number of scholars, including James Lewis of the CSIS, Paul Cornish, professor of International Security at the University of Bath, and Theresa Hitchens, Director of the UN Institute for Disarmament Research (UNIDIR), have been working on designing cyber-confidence measures. "A treaty isn't going to work," says Lewis. "There are too many verification, compliance and definitional problems."

Cyber-confidence building measures include "agreeing on norms to structure expectations about state behaviour," says Lewis. "You want transparency, particularly for national doctrine on how to use cyber-attacks in a military context. Most countries have these doctrines but don't talk about them."

Among other things, CBMs include law enforcement cooperation against the use of proxy forces. "The Russians and the Chinese use proxies," says Lewis, "citizens acting at the behest of government. A traditional arms control treaty that restricts technology won't work because the weapons are sometimes teenagers with laptops. How can you set up a treaty in this context?"

The measures would include such commitments as sharing information on third party threats, and taking responsibility for activities of individuals resident in your own territory. Cyber-confidence measures are currently being discussed at the OECD and the UN.

Lewis is scathing about the autumn 2011
London Conference on Cyber-Space. "A giant missed opportunity," as he puts it. With follow-ups in Budapest in 2012 and in South Korea the year after, he hopes lessons will have been learned in what he sees as a serious problem of narrative and understanding of the issues. "People have to stop saying that a free and open internet produces wealth. The development agenda is a flawed concept. China is not free and it seems to be doing just fine." As he sees it, London "danced gingerly around values, and avoided the argument as to why a secure internet based on democratic values serves a country's interests. That was the proverbial elephant in the room everyone tried to ignore."

The bodies competing to govern cyber-space

The internet is a messy playing field, run by a patchwork of organisations, and different countries have different views about who should be in charge. Do we want more government control? Or do we want to avoid that at all cost? Or do we simply want to see governments get something moving? And how do we follow a bouncing ball?

The big-picture policy is principally in the hands of the EU, NATO, the UN and APEC, the Asia-Pacific Economic Cooperation. Every year, the UN's Internet Governance Forum (IGF) offers a multi-stakeholder talking shop. It's a lively and democratic Babel's Tower.

In the cacophony of nations, India, Brazil and South Africa have called for a new global body to control the internet. China and Russia want the UN General Assembly to adopt their International Code of Conduct for Information Security that would give governments more of a role to play, and greater control on content. These countries would like the UN's International Telecommunication Union (ITU) to have a supervisory role, something firmly resisted by the US and other Western countries.

"The UN is a forum and not the right place to make decisions," says Frank Asbeck, Counsellor for Security and Space Policy at the European External Action Service, the EU's foreign diplomatic arm. "We are living in an environment where we need pragmatic and socially acceptable solutions quickly. We can't get into negotiations
that take decades."

Many Western governments prefer a multi-stakeholder approach, like that promoted by the Organisation for Economic Cooperation and Development (OECD). "We should keep the multi-stakeholder approach," says Asbeck, "while at the same time seeking optimum balance between enterprises, governments and law enforcement institutions. My guideline would be as much state involvement as absolutely necessary, but as little as possible."

Internet governance

Who gets to control domain name systems? Western governments would like to rein in some of the influence of the Internet Corporation for Assigned Names and Numbers (ICANN), the internet's address system, one of the few bodies with a global, centralised influence in the internet. Other countries would like to see the ITU in charge of domain names. The ITU also involves multi-stakeholderism, but under government leadership, which worries many internet community actors.

The US-based, private-sector-led ICANN, which brings together net users, the private sector and government, manages IP addresses, assigns numbers, and handles domain name registration and its management. "The issue between ICANN and the ITU is multi-stakeholderism," says Stefano Trumpy from Italy's National Council for Research. "This worries many people. At the IGF in Nairobi in September 2011, India, Brazil and South Africa suggested setting up an ad hoc committee within the UN to deal with public policy concerning the internet, including standards. It's a worrying idea. Standards were started by the private sector and shouldn't be controlled by government."

"There is no perfect governance model," says Trumpy. "It has to evolve and gain the confidence of the world community via continuous updates and a quest for transparency, and by listening to different stakeholders to arrive at decisions."

Standardisation

Technical standardisation is the second component in the governance of cyber-security and it is currently in the hands of the Internet Engineering Task Force (IETF), which collaborates with the ITU and industry. "We need an open process," says
Japanese expert Suguru Yamaguchi, "with the open participation of industry and the public sector." Several other venues are competing to handle global inter-operability and common criteria, among them the International Organisation for Standardisation (ISO), and the professional association, the Institute of Electrical and Electronic Engineers (IEEE).

Law enforcement

The third component is law enforcement. Interpol has designed a strong legal framework, and other international frameworks are being set up. Interpol's framework is used to handle cyber-crime from countries that don't have a legal framework on cyber-crime.

Many countries believe in the effectiveness of the 11-year-old Budapest Convention, the convention on cyber-crime that allows authorities in one country to pursue criminals in another. The US, Japan and Canada have signed up, but others haven't and don't agree about the meaning of cyber-crime. Russia, for instance, opposes the idea of "trans-border access", preferring a UN treaty that would respect borders.

Information-sharing

The fourth is information-sharing. Sharing information globally is a global headache but it's key to internet hygiene. The global Computer Emergency Response Team (CERT) forum called FIRST does this very effectively, but no one thinks that's enough. "We need more and more collaboration to encourage global information-sharing," says Yamaguchi.

Among the bodies looking at the issue, the ITU-sponsored IMPACT in Malaysia is an advance warning system in the telecommunication community. "The issue is that it's all very well telling the US there is a problem but what can the telecoms do about it?" asks Accenture's Alastair MacWillson.

The US-based Meridian Conference and Process, with its annual CIIP conferences, is another key player in trust-building and international cooperation. Aimed at senior government policy-makers, it is open to all countries.

Concern about state-supported attacks often gets in the way of information sharing. In many regions, special fora have been set up, like the Asian Regional
Forum (ARF) sponsored by the ASEAN+ countries to ease tension in the Korean peninsula. "Still there is a basic lack of trust among some countries and we need more open dialogue to ease that tension," says Yamaguchi. "Hope may come from industry. With many firms now going global, they are quite open and aggressive about sharing information with various entities. I hope that global companies can act as catalysts to encourage governments to open their door to dialogue."

THE ITU TAKES ON SMART PHONES

"It took 125 years for fixed phones to reach the first billion, and only 11 years for the mobile phone to do so," says Hamadoun Touré, Secretary General of the Geneva-based International Telecommunication Union (ITU). An engineer by training, he says fibre optic networks are speeding up our worldwide connectivity much faster than he had expected. With broadband, the volume of data is going much faster than infrastructure growth. That's a little worrisome. We risk a traffic jam in cyber-space.

The Broadband Commission was set up in 2010 to address the issue of fast growth. Touré stresses that a high-speed, high-capacity internet is essential to achieving the Millennium Development Goals. Broadband improves healthcare, education, energy efficiency. It's a global phenomenon and its safety needs a global response done in a global framework of cooperation.

Touré insists that security in cyber-space is the same as security in the conventional world. A first and easier step at creating a global framework is the Child Online Protection Initiative (COP), aimed at protecting children in cyber-space. "Children are our most common denominator," says Touré. "Whether or not a country legalises pornography, everyone agrees that child pornography is a crime. It's easy to take concrete action in that direction. The same type of work can then be done in other areas."

Touré says the next war will take place in cyber-space.
With criminal activities and espionage on the increase, he firmly believes we need a global cooperation framework. His view is that an ITU cooperation framework would be negotiated around a large round table. It wouldn't just involve our 193 member states, but also the private sector and consumer groups. Are we ready for such a negotiation? We have no choice. We have to do it for the safety of our children, our businesses and our countries.

Touré's to-do list

Increasing access to broadband as a way of helping people increase social and economic development.

Increasing global efforts to coordinate cyber-security, and making sure governments work hand-in-glove with the private sector. Ordinary users also need to feel comfortable with their own security.

Spectrum allocation. 2015 is the deadline for the move over from analogue to digital broadcasting. A serious technical discussion is about to take place about what to do with the freed-up spectrum.

Preparing for the review of the international telecommunication regulations. The 1988 agreement is obsolete. Now that so many new systems and technologies have come into place, issues and priorities have changed completely.

Section V.
Breaking down the walls between the cyber communities

To achieve workable international rules governing cyber-space, the walls dividing sectors, countries and even generations must be razed.

Cyber-space is honeycombed with walls. There are walls between generations, walls between professional sectors, and walls between countries. The trouble is these walls aren't built on hard ground and they make little sense. In as global and porous an environment as cyber-space, the building of any legal and regulatory framework needs specialists to broaden their outlook and countries to work together.

"Governments tend to move slowly, but with cyber-security we need to move fast," says cyber-security advocate Tim Scully. "Cyber-security is a social problem, not just a military problem. We talk in terms of national security, but we should talk in the context of national interest." He talks of the need for strong collaboration and leadership trust between government, industry and academia, more so than in many other areas. Australia's Cyber White Paper to be published in 2012 is a step in this direction.

The generation divide

The most archaic divide is between generations. Many experts mention that their children's view on internet privacy is completely different from their own, epitomised by their attitudes to social networks.

"My kids' generation has no fear of computers and they don't care about privacy," says British cyber-expert Peter Sommer. In 2011, when Sony's 77 million clients' personal details were hacked, the company shut its PlayStation network for two weeks. Most young users were angrier at not being able to play than about the privacy breach.

When citing this incident, Sommer says he makes no value judgment. He thinks the Sony incident was symptomatic. "You have to be very careful
if you're right or wrong about this. I think the younger generation often see us as boring old farts and they may be right. It's a changing world."

Canadian specialist Rafal Rohozinski, CEO of the SecDev Group, thinks the generation divide is a very real problem. "Policy-makers are often 10 to 15 years behind the internet generation, and they are dealing with questions they can't really understand."

Not only that, adds William Beer, who heads Information and Cyber-security Practice at PwC, but these same policy-makers need to take into account that technology has permanently changed younger people's conception of privacy. He goes a step further. "If an information security person is not using Twitter or Facebook, he is not in the right place to make a decision about the use of those tools."

Improving trust between industry stakeholders

Private companies are fearful that information they provide could be misused by government or the competition. Experiments in trust-building are going on around the world, and this often means working with competitors.

As a result of growing fraud, the US financial services set up the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share information on attack techniques and cyber-threats to the banking systems. On a much smaller scale, the Belgian Financial Sector Federation (Febelfin), with 23S members, does similar work using freelance experts.

A comparable initiative has been set up by the oil and gas industries in the wake of the so-called Night Dragon attacks that brought down and reconfigured systems. It is FS-ISAC's global mirror. "For the first time, several big oil companies have got together," says Accenture's Alastair MacWillson, "to start a communication chain that has turned into an industry group. These are early days but I predict more and more of this happening at industry level around the world."

Overcoming the barriers between rivals

That information-sharing is to the advantage of professional competitors should be obvious, says researcher Costin Raiu of Kaspersky Lab in Russia. "There are benefits for
everyone. Governments and the military will see marked improvements in their security. Academia will be able to develop new protocols and design new architectures. And if users are better protected, cyber-crime will go down."

William Beer, head of security at PwC, thinks that facilitators can help these professional groups communicate. "I work with behavioural guys," he says, "because they can help understand what makes a military professional tick, or what makes a businessman or woman tick, and how you take that into account to share information. We have relied too long on security people with their slightly restricted skill set. Industry has used the techno language far too long."

Are cyber-crime and cyber-security one and the same?

Take crime busting. In this world of blurred boundaries, the distinction between cyber-crime and cyber-security may not be a useful one to make. A better focus, says Victoria Baines, strategic adviser on cyber-crime at the European law enforcement agency Europol, is to have a collaborative response to regional and global threats, and to encourage the private and public sectors and academia to work together.

She cites as an example the successful dismantling in 2009 of Spain's notorious Mariposa cyber-scam botnet, which academics, the military, law enforcement, the private sector and third countries worked together to bring down. "What Europol and Interpol bring that was lacking before is international coordination of cyber-crime," she says. "More than for other crime sites, you can't investigate cyber-crime within national boundaries."
"We deal with automation of malicious software distribution, denial of service and the money-making side of things," she says, "but we are also very active in coordinating responses to cyber-crime when it comes to hackers employed in the forums of the underground digital economies. These people hack for dollars, they often don't know the real identity of their bosses and they're spread far and wide."

Steps towards global sharing

One step among others towards sharing information about the cyber-threat between countries in the East and West is being handled by Malaysia-based IMPACT, the education, training and information-sharing arm of the ITU (the United Nations agency for information and communication technologies). Chairman Mohd Noor Amin is a firm proponent of the multi-stakeholder platform approach. "The final user has to be educated to behave responsibly," he says, "and the private sector and governments have to invest in security, despite the shortage of money."

Some 137 nations have signed up as IMPACT partners, but Amin stresses that countries that haven't, like the UK and the US, engage actively. "They know you have to connect with the rest of the world. It's only a matter of time before every country joins."

Section VI. The private sector's privacy dilemma

Commercial secrecy is of key importance to companies investing in cyber, but it also risks compounding the problems of cyber-security and its dangers.

In many people's view, the Netherlands offers the best example of successful
private-public partnerships with its platform for cyber-security, a sort of cyber-exchange. "It's an excellent way of discussing the issues and translating them into some form of action, and even voluntary or mandatory regulations," says Alastair MacWillson of Accenture. "Much more of this should happen globally."

Good work is also being done in the United States. But around the world, the public-private partnership tends to be advancing very slowly. Some countries like France are suspicious of an overly close relationship between the public and private sectors.

Why the private sector would be better advised to share information

The private sector comes at cyber from a specific angle: the money-making angle. And as John Meakin, who heads cyber-security at BP, points out: "If you take the risk out of business you will never make a profit."

But the private sector also has valuable "real-life" experience of cyber-attacks. The problem is that companies are reluctant to talk about these, they aren't keen to reveal vulnerabilities to competition or to consumers, and they also have data privacy rules to contend with. "There's naturally a healthy dose of scepticism on both sides," says William Beer, director of cyber-security at PwC. "The views of the threats are not the same."

One thing is clear: in order to have a good picture of the risks and dangers on the internet, the private sector has to share information with the public sector and vice versa. For instance, are a series of cyber-attacks directed at governments somehow related to similar attacks aimed at financial institutions?

The next step is to pass on this information to the researchers and scientists. "We can't have security and obscurity," says researcher Jesus Luna of the Deeds Group. "Academia can provide the algorithms and the techniques, but we are missing the data that validates our research. We need that private and public information."

More exchange of information is going on than we think, says Costin Raiu, researcher at Kaspersky Lab in Moscow, but a lot takes
place very discreetly. "It might look like companies are not sharing much information," he says, "but it is happening in closed discussions, for instance in computer and anti-virus research organisations. You have to remember that this can be a risky business. In countries like Brazil, we have seen death threats against security experts."

Making regulations that make sense for everyone

On the one hand, the academics and the security sales people are saying, trust us with your data and we provide you with better security mechanisms and assurance levels. At the same time, policy-makers are saying let's come up with rules and regulations to make this a safer playing field.

Even if many argue that regulations are necessarily soon obsolete, cyber-security advocate Tim Scully points out that the enforced wearing of seatbelts in many countries may not have eliminated road deaths, but it has saved lives.

"Of course regulation has a part to play," says Judy Baker, a former civil servant who is now director of Cyber Security Challenge UK, "but it is rarely the whole solution. It takes time to implement and the problems it is designed to address are constantly changing. Regulation is always behind the curve." But one thing is sure: any discussion must engage the private sector, she says, if we are to ensure that regulation makes sense. She adds that the cyber-threat is best dealt with in a "business as usual" way if things are not to enter an escalatory cycle.

Governments too often come up with a good idea but have a hard time implementing it because they lack experience of the service world, says Vytautas Butrimas, Chief Advisor for Cyber-Security at Lithuania's Ministry of Defence. "If the private sector is brought in early during the planning and drafting phases, then it is much more likely that the regulation will not have to be changed or adjusted right away. And at least the process will provide both sides with an understanding of each other's interests."

"The people who write regulations and standards are by nature not particularly well connected with business strategies and
needs," says Accenture's Alastair MacWillson. "Governments should pull together business and get them involved in the drafting of regulations, and facilitate that dialogue in how they deal with this without stifling business, in the way the Dutch are doing it."

Most governments recognise that they could do a lot more to facilitate knowledge, and that this implies dealing with commercial sensitivities so as to know how an attack took place and what techniques were used to carry it out. "We must remove penalties on an organisation that has been hacked and that has lost data," MacWillson says, "or there is no motivation to declare the attack. We need a no-blame sharing of information."

The blame game: From software companies to service providers, who should be responsible for what?

Certainly, pointing the finger of blame isn't the way to go. Some experts suggest that software companies should be made liable for attacks arguably due to their own poor coding. So far, software companies have no liability, as printed in small lettering in their contracts. "They should be subject to more pressure than they are today," says BP's security chief Meakin, "but I'm not saying they should be made liable."

One-hundred percent security is not achievable, and systems are vulnerable to cyber-attacks for a slew of reasons, including the lack of an appropriate security policy and misuse by users. "People readily point the fingers at villains in the software community," says MacWillson, "when they haven't done their updates. There are too many people in the whole chain to pinpoint a single villain."

Section VII. Bearing the costs of cyber insecurity

Cyber-security doesn't have to cost a lot, but should business or government shoulder the greatest part of these costs?
Kamlesh Bajaj, CEO of the Data Security Council of India (DSCI), thinks government should pay a proportion of private company investment. "Critical infrastructure is essential to the functioning of a country, and government should pay private companies a proportion of their cyber-security private investment. What if a bomb was dropped on a bank? The government would help. A logic bomb dropped through networks to decapitate the systems is not that different."

Frank Asbeck of the EU's new diplomatic arm, the European External Action Service, thinks a secure internet is a major support for getting out of the economic crisis. "There are areas of the economy where cyber-space and the internet play a huge role," he says, "and investing in cyber-security means making it and cyber-space reliable and trusted. In areas like banking, the communication business, the optimisation of energy usage and smart grids, you can use information technology to save resources and to operate much more efficiently."

If we look at econometric models for calculating the costs of individual cyber-attacks, we are getting there very slowly. One of the problems is the wide variety of people collecting the information and drawing up the statistics, the other is that companies tend to keep this sort of detail very close to the chest.

"We don't have actuarial tables," says Canadian Rafal Rohozinski, "but they will come. The US has signed a non-binding agreement that companies report on breaches and loss of intellectual property. Over time, insurance will move from the realm of hype and speculation to businesses."

"The insurance industry too is getting there slowly, although in Europe we still mostly have insurance companies designed on the 19th-century British model, and the attitude tends to be, 'so long as it hasn't happened, we wait and see'," says Lars Nicander, Director of the Centre for Asymmetric Threat Studies at the Swedish National Defence College.

THE INSURANCE SECTOR WAKES UP

"A cyber hacker is nothing more than a bank robber using another weapon," says Larry Collins, head of e-solutions at Zurich Financial Services. His motivation is robbery and theft. The issue, he says, is that suddenly new systems sprang into existence with valuable information stored on them. With millions and millions of credit card numbers, the insurance sector got scared.

"The whole computer world is changing rapidly," says Collins. Premiums and costs are set actuarially based on what happened. When new things happen how much is that worth?

Do we need to take out special insurance? Yes, says Tim Stapleton, Zurich's Professional Liability Product Manager. One problem is that insurance companies are increasingly denying coverage on non-traditional claims. "Small and medium-size businesses in particular need to have dedicated insurance policies that cover expenses in case of cyber-attacks," he says, "but that also give faster access to specialised resources so they can get the ball rolling and figure out what happened."

According to Stapleton, today's hottest cyber debates in the insurance industry are about privacy regulations, litigation trends and general privacy practices. What kind of information is the company collecting, how is it storing that information, how is it using it once in its possession, how is it securing it? Most companies post privacy notices outlining these elements. Where we run into problems is when they haven't complied with those privacy notices.

Insurance companies have different ways of labelling cyber-liability. They don't even describe it the same way: some talk of information security and privacy; others say cyber, still others say network security.
In the U.S., basic coverage includes core covers, like privacy and security liability coverage that provides defence and indemnity for third party claims, including class action by individuals or from banks if they have to reissue payment and credit cards; and first party (the insured person's) privacy breach costs that would apply before a claim at the time that the event occurs. There are also services provided by vendors contracted by the insurance company, such as credit monitoring, forensics, notification and public relations costs to offset damage done to a company's reputation.

What are the rules of insurance against cyber-attacks?

The triggers for a cyber-attack generally concern privacy, Zurich's experts say, like the disclosure of personal data: a name along with social security or driver's licence numbers. This sort of disclosure can also happen because of a network problem or a careless event, like losing a laptop or leaving a file in a public place.

Top threats

Cyber hacktivism. The concern is that they could take down major sites, or block e-commerce money and damage databases.

Cloud hacking. Problems posed by a central repository holding data and information for thousands of companies. The scare phrase is "hyper-jacking", or breaking into many systems at once. It's been done already: hackers have exploited vulnerabilities in cloud architecture.

Mobile and tablet hacking. Hackers can breach our mobile device within 15 minutes at most.

Advanced persistent threat. This is where the cloak-and-dagger comes in. Sophisticated, highly professional groups, perhaps organised by intelligence agencies or well-funded criminal gangs.

How do you balance risk and liability in case of attack?

Privacy breach costs are a loss leader at the moment, say Zurich's specialists, because the trigger is much more sensitive: it's the mere fact that an event occurs.
That's why many carriers lower the limit on liability to control costs, although the increase in online breaches means that data is fast accumulating on the costs to companies.

How much has Zurich been paying out?

"We have been paying out at both ends, first party costs and third party liability," Stapleton says. You can generally predict that if sectors like healthcare, a financial institution or a retailer get hit, they will have more personal identification on hand and it might cost more to respond to a breach in defence costs and settlements. A manufacturer may not have as high a volume of personal identification information and may cost less.

What proportion of an electronic info system's budget should be invested in cyber protection?

"Enough to protect the company against harm," says Collins. The size of the effort needed to protect a system has to be proportional to the sensitivity of the information held on site. Our advice to companies is to do two things. Take a look at what you're storing and who has access even internally. Then we always advise using scenario-based risk assessment; looking at things from a business model point of view makes a great deal of sense.

Cyber-security: The vexed question of global rules

Section VIII. Private citizens: issues of freedom and protection

Among the many complicated problems cyber-security raises is that of security versus privacy. Are they opposed? Or can they co-exist?

"It's an incredibly confused picture at the moment," says Alastair MacWillson, managing director of Accenture's global security group. "Views on security change with the age of users. The young are less concerned about privacy but they want full access. You
also have higher or lower sensitivity to privacy issues in different countries." China and Russia for instance consider that the cyber-threat also involves propaganda and threats of political unrest, and thus should allow content censorship. During the Arab Spring, the Egyptian government threatened to cut internet access, although they didn't in the end. In Europe, countries that have experienced communism tend to be more aware of privacy issues than others. So is Germany, with the added memory of Nazism. But within countries, there are arguably as many views or non-views as there are users.

"Can you have cyber-security without a Big Brother state?" asks Fred Piper, who runs Codes & Ciphers Ltd, a British consultancy that offers advice in information security. "The more governments impose, and the more secure they can make the system, the less freedom you've got." In the UK, he says, "the debate compares computers to cars and goes as follows: the motor industry has worldwide standards of behaviour, it is acknowledged that it takes a certain amount of skill to drive, therefore you should need a licence to use the internet."

"You have to define the field and not confuse democracy with security," says Stefano Trumpy, research associate at the Institute for Informatics and Telematics of the Italian National Research Council (CNR). If you
look at the social stability assured by local and international law enforcement agencies, there is a serious risk that freedom of expression will face undue limitations. Freedom of expression is a basic principle and using security to limit it is not a good thing. Law enforcement agencies should operate in a clear and transparent way so that internet users understand the frame of prevention/intervention in cases of cyber-crime.

"The trade-off doesn't make it worthwhile," argues Sandro Gaycken, a German philosopher of science and technology. "The first point is that the most effective attackers are not identifiable, so they can't be prosecuted. The second is that in order to identify a perpetrator I have two options: I can look into every package on the web for malicious content or I can store the content and look at it after a few months. Both options involve looking into each and every data package. It's not efficient and there are too many trade-offs."

"Most people's knowledge is confined to the Matrix movies and the books of the Millennium Trilogy" Judy Baker

Internet responsibility, from private users to corporate giants

Gaycken's view is that it is more efficient to secure the systems themselves by raising the average user's understanding. "Users should be more aware of the business models used by criminals. We need to raise overall security awareness." He says that concurrently we can do things against denial-of-service and other more sophisticated attacks, such as disconnecting the internet and using closed-system models. "It shouldn't be about the control of networks over the security of hosts," he says.

For Olivier Caleff, who works for the French consultancy Devoteam that gives advice on cyber-security, education and training are key to combating the cyber-threat. "I would say that's S0% of the solution," he says. "People are using computer mobile phones and too often they believe everything they read. They trust the most stupid messages. Too many people will blithely hand out their details on the internet, or think they are addressing air-tight user groups when in
fact they are part of a very open session. They aren't aware that their data is being sent on to other companies." Like many others, Caleff believes that education should start in school, and that companies, whatever their size, should be responsible for educating their employees.

The cyber-security skills gap

If we're talking education, we come to the fact that most countries are crying for people to do cyber-security jobs. "It's an immature profession," says Judy Baker who runs Cyber Security Challenge UK, an organisation that recruits talent through national competitions and games. The same recruitment methods are used in the United States. When the Centre for Strategic and International Strategies (CSIS) advised President Barack Obama that he needed !0-!S,000 more cyber-security professionals, they ran competitions to encourage people to identify talent. "You have a lot of well-hidden front doors," says Baker.

The SANS Institute in the US, a research and education organisation, found that 90% of companies can't get the cyber-security people they need. They list eight categories of jobs, from technical to strategic.

"We need to introduce cyber-security into school curricula," Baker says. "Most people's knowledge is confined to the Matrix movies and the books of the Millennium Trilogy. In the UK and in most countries, it's only when you get to post-graduate levels that it is taught seriously. It's not surprising that people are not considering it as a career. And we're looking for people with creative skills. We need people who can find ways to do things differently, rather than run behind the problems in a patch-and-pray position."

"People too often believe everything they read, and trust the most stupid messages" Olivier Caleff

PART TWO

Section I. A worldwide brainstorming of experts

In this global survey conducted by the SDA in late 2011, some 250 respondents were asked to rate the countries other than their own they deemed best prepared against cyber attacks.
The U.S., the UK and Estonia topped the list, while Albania, Mexico and Romania bombed.

What is the simplest way to improve international cooperation in cyber-space, the SDA asked 250 senior security practitioners in a global conversation last November. By improving information sharing, engaging in more cyber exercises, incentivising, creating common standards, drawing up a non-binding convention, giving more power to Interpol, launching public awareness campaigns, and by talk, talk and more talk, they replied. Many participants in this Call for Ideas mentioned legal frameworks, standards, protocols and codes of conduct, and increased cooperation between national CERTs.

This global conversation was particularly relevant because of the high level of participants from 3S countries that spanned Albania to the United States. They included staff at the EU, Interpol, Eurocontrol, the UN, NATO and the OSCE. We also heard from ministers of defence and the interior, MPs and MEPs, top-level ministerial staff, academics from universities from across the globe, as well as NGOs, think tanks, trade associations, and private companies including banks, IT specialists, defence groups, consultancies and law firms.

The prevailing view from Australia is that norms are essential, as is the need to "recognise the inherent national construct of cyber space". An Austrian expert, on the other hand, feels that the simplest way to improve cooperation in cyber space is to "exchange important information among stakeholders".

A Belgian expert believes that in the absence of a global regulatory body, the simplest solution is for "countries to regularly participate in joint exercises that foster international cooperation and the coordination of national policies". Another feels that the way to go is to use existing structures and organisations like NATO, the OSCE and the Council of Europe. Another, more jaded, Belgian respondent feels that "if it was that simple it would already be in place" and a third, somewhat catastrophist compatriot suggests a "cyber 9/11
will do it".

One public sector respondent from Denmark shaped his views clearly: "First of all, make it a topic of equal importance to all nations. The level of international cooperation can only be raised as high as the lowest common denominator. When that threshold has been reached, it's a matter of multinational and bilateral cooperation within or outside existing organisations. The issue of cooperation is best approached from a business and commercial angle; a security or values-based approach would only lead to an escalation of conflicts."

Northern Europeans, generally considered to be among the world's cyber-security leaders, tend to argue that there is no such thing as an easy answer. "More awareness, and better sharing of information and best practices, are a good starting point," one Estonian says. "International projects and seminars to foster common understanding," says another. "Sit down at the same table and initiate a discussion," concludes a Finn.

"It's time to locate thinking about cyber-conflict into the framework of existing international law and strategy" James Lewis

In Greece, one expert's view is that "cooperation is always complex, and cyber-space is no exception". Getting in the way are "political games, the different interests of nations, corporations, organisations, institutions and even personalities".

A radical stance from India suggests: "Ostracise countries that don't adhere to internationally agreed norms on cyber security, and kick them off the internet."

A three-step approach suggested by an Icelandic expert: Start by establishing which practices, i.e. criminal phishing, are universally disapproved of by states, and erect defences against them. Then consider which existing international agreements and standards against economic and civil crime apply. And thirdly, use the Council of Europe's cyber crime-convention as a legal basis.

From the US, the main message is to go for norms and rules, but also build trust between parties by joining organisations like FIRST, and by creating an international body of
"key empowered stakeholders representing each country's interests". "Do not use the UN model, which is entirely ineffective." "More dialogue at the UN", another says firmly.

Key attitudes

Damage or disruption to critical infrastructure is seen as the greatest single threat posed by cyber-attacks, with 43% identifying this as a national threat with wide economic consequences.

Some !S% consider cyber-espionage, along with theft of personal data and intellectual property, as the greatest threat. A further 10% believe that cyber-attacks damage the credibility of governments and organisations and our trust in them.

The term cyber-war is considered inaccurate or outright scaremongering by 26% of respondents, while 4S% believed it is accurate.

Missile-defence is as important as cyber-defence according to 3S% of respondents. Almost the same number (36%) believe cyber-security is more important. In contrast, views are divided between those who think that cyber-security is as important as border security (4S%), and those who see it as less important (3S%).

63% of respondents agree that cyber-security must be protected from budget cuts while only S% believe it shouldn't. Roughly the same proportion (62%) consider that cyber-space is a global common like the sea or space.

Over half (57%) believe that an arms race is taking place in cyber-space, while a large majority (84%) see cyber-attacks as a threat to national and international security, and to trade.

Although almost everyone believes that cyber-security exercises are important, only a fifth of those surveyed in the private sector have taken part in such exercises (21% in international exercises and 22% in national exercises).

Over two thirds (67%) see the need for more government regulations in the private sector.

In both private and public sectors, more than half (56%) highlight a coming skills shortage.

Section II.
Country-by-country stress tests

There is a cyber-security paradox: the less sophisticated and widespread a country's connection to the internet, the lesser the cyber-threat. The more services are on line, the higher the risk of cyber-attack. On the other hand, the countries best prepared to react to a cyber-attack are those that are cyber and internet literate.

"The US, the UK, Israel and the Nordic countries are all IT literate," says Lars Nicander, Director of Cyber-Security at the Swedish National Defence College. "But if you can defend yourself, you also can attack. Israel, China and Russia are the most consistently offensive countries."

John Meakin, BP's director of digital security, holds the view that although China is among the countries to play a more aggressive role in cyber-space, mainly related to espionage, "it has such a controlled social, political and economic system that what we label as government, say in the UK or the US, is not at all the same in China. The spread of activities is much broader."

As a result, Meakin believes the West should engage China and Russia in a multi-national governmental dialogue. "It isn't the case that in China a single government department is doing all the bad stuff. By incentivising these countries to gradually change, we may gradually reduce the number of attacks."

In the words of Stewart Baker, partner in the US law firm Steptoe & Johnson who was formerly with the Department of Homeland Security, different attitudes to the governance of cyber-space in the West and countries like China and Russia are likely to create problems. "We in the West are going to face a tough choice because the governments that don't like free speech on the internet are going to put us in the position of choosing between free speech and cyber-security," he says. "There is a conflict there. You can't have a lot of anonymity on the internet and still have cyber-security. As soon as you start protecting anonymity, you
are going to face hard decisions. I don't think we're served well by the foreign ministries that say we can have it all."

Most countries have set up national CERTs or teams of IT security specialists who can respond in case of crisis, and most are engaging or attempting to engage in constructive dialogue with the private sector which owns the national critical infrastructure. More and more countries are taking part in global exercises that allow them to test scenarios and know who to contact in an emergency.

"The governments that don't like free speech on the internet are going to put us in the position of choosing between free speech and cyber-security" Stewart Baker

What do CERTs actually do? "A whole range of preventive measures," explains Freddy Dezeure, head of the European Commission's inter-institutional emergency response pre-configuration team. "They see what's happening on the internet, they inform their clients and maybe protect their systems, and make sure their constituency is informed."

To be a member of the increasingly important international CERT community means complying with such basic requirements as accessibility functions and operating procedures.

Most countries around the world are developing or updating national cyber-security strategies to defend themselves against the variegated forms of cyber-attack, with some 40 or so cyber-security strategies articulated or published around the world.

William Beer, Director of Information and Cyber-security Practice at PwC, has read a number of these cyber-strategies, and he has a warning. "They tend to contradict the concept of cyber," he says, "which to my mind is about a global approach to interacting and transacting. It's about looking outwards. National cyber-security strategies have to be set in a global context, and they tend not to be."

Almost everyone agrees that with the US, the Nordic countries score high on cyber-security. "There is a general perception that the further north you
go in Europe the safer your environment becomes," says Danish expert Christian Wernberg-Tougaard. "The Nordics have a tradition of information-sharing and transparency. Many public and private sector systems are based on trust."

"Some countries are very good in one domain and others in other domains," says Evangelos Ouzounis, an expert at ENISA, the European agency in charge of expertise and information security. He says it would be very hard to agree on a benchmarking system. "You can do it at the scientific, technical and procedural levels, but if you start a discussion with the players it becomes a nightmare because nobody wants to score underneath the benchmark."

In the even-handed view of Ouzounis, "Scandinavia and Finland have a higher level of trust than other European countries, but their critical information infrastructure is more centralised. Germany is better at protecting its critical information infrastructure, but they're weaker on regulatory issues because so many players are involved. France has solved a similar problem by creating the national cyber-security agency ANSSI. The Netherlands scores high on engaging the private sector and is often looked at as a model."

"Our national laws are all very different," says US consultant Melissa Hathaway who formerly advised the Department of Homeland Security, "and these laws can get in the way of an open exchange. The Dutch have got it right. The Netherlands has recognised that industry has to help solve cyber-security problems and they set up a middle party for information exchange. The UK respects confidentiality, and Australia has codes of conduct. Other countries are taking a more regulatory approach, like the US and India, and France and China have super-empowered their government to deal with protection."

The economic crisis isn't helping with investment, with many governments reluctant to engage new budgets and with research funds generally shrinking. Training isn't meeting the demand. "There's a big gap between what the market needs and what
universities produce," Ouzounis says. "Most universities don't produce cyber-security professionals but computer scientists with little specialisation in security. We need a pan-European curriculum for cyber-security."

But despite rising awareness in many countries, too many have not yet understood the cyber-security threat. "For various reasons, they don't have a sound approach or enough operation capabilities," says Evangelos Ouzounis. "Different political cultures complicate the scene."

The methodology used for rating various countries' state of cyber-readiness is that developed by Robert Lentz, President of Cyber Security Strategies and former Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance. His Cyber Security Maturity Model is a five-step roadmap for reaching resilience, the ultimate goal for governments and businesses that want to effectively operate throughout a sophisticated cyber-attack.

The first step to reaching this ideal is to have people applying the basic rules of hygiene; the next is about using computer network defence (CND) tools like anti-virus, firewalls, intrusion detection/protection, and strong identity management (such as electronic signatures); after that come standards and data exchanges to create a robust and interoperable cyber ecosystem. When that level has been reached the move is to a more agile defence posture, with innovative cyber-defences tapping into advanced sensors and intrusion prevention systems from the host to the gateways. "It's like the water-tight doors of a ship," says Lentz. "They won't stop the torpedo entering the hull but they will contain the breach and highlight those breaches in the command centre with advanced forensics to allow decision-makers time to assess the damage with minimal operational degradation."

Ultimately, achieving a resilient cyber-maturity level means predictive cyber-readiness and agility in one's own area and with partners.
This involves Supply Chain Risk Management, and comprehensive education and training, starting with the ordinary user to the core group of cyber-defenders. Lentz's criteria have been used for the scores below.

Australia

Government CERT (CERT Australia, since 2010), cyber-security strategy since November 2009

Score:

Until late 2011, Australia's Attorney General was in charge of cyber-security policy and of streamlining work between government departments and setting up information groups to discuss problems like critical infrastructure protection. However, since December the responsibility is in the hands of Prime Minister Julia Gillard in a move to consolidate whole-of-government responsibilities, according to a spokesperson for her department.

Interviewed before the reshuffle, Ed Dawson of Queensland University of Technology said cyber-security policy involved most big companies, but that on the downside the private sector is loath to take responsibility and spend money. A Cyber White Paper, issued in late 2011, focused on how to bring together the various stakeholders. "With electricity for instance," Dawson continued, "we have the distributor saying that cyber-security is the responsibility of the power generators. It's like they're waiting for an accident to happen." The government has proposed to partly fund projects in the area of critical infrastructure.

Australia's funding policy on the whole gets good marks. Queensland University of Technology is currently engaged in two large projects. The first, co-funded by India (to the tune of l44 million), is researching denial-of-service attacks. "We're trying to see what sort of attacks are feasible, and we're developing mechanisms like cryptography to protect against them," says Dawson. The other is a five-year project on airport security worth lS million.

The Australian Department of Defence's Cyber-Security Operations Centre (CSOC) provides threat detection and mitigation for government departments and agencies, and the Department is recruiting an extra 130
cyber-security experts to work there. The country is also promoting a voluntary code of conduct for ISPs to educate customers, offer better online protection, and quarantine infected users. "The problem with voluntary codes is their uneven application," says Tim Scully, CEO of stratsec and Head of Cyber-Security at BAE Systems Australia.

The Australian Communications and Media Authority has a list of blacklisted sites, and requires Australian ISPs to filter them. Communications Minister Stephen Conroy says that the blacklist targets only illegal sites, but some feel that the scope of the censored content is too broad. "Selling cyber security regulations is a brave thing for a government to do," says Scully, citing the public outcry at the government's attempts to introduce internet censorship to protect children from porn. In a country where most people are hostile to the idea of carrying ID papers, privacy is high on the agenda.

Austria

Austria has a national CERT (CERT.at) but no single cyber-security strategy. Three cyber-security strategy processes are currently being drafted by the federal chancellery. The country takes part in all CERT communities, including inter-governmental ones.
Score:

Austria can boast one of the most sophisticated e-governments in the EU, with the use of digital signatures now widespread across most services. Yet despite its highly developed service economy, Austria is still working on its own cyber-security strategy, lagging behind most other EU countries.

Austria may also have been lulled into a false sense of security by its low rate of malware infection, well below the world average. This is explained in part by the country's size compared to Germany, but also by the close working rapport between ISP technicians and CERT.at and the speed at which internet security policies can be implemented, in part thanks to broadband.

A number of ministries claim responsibility for cyber-security, although the federal chancellery is its main coordinator. However, legal responsibilities aren't always clear and this matter is exacerbated by lack of political interest. "We also lack senior level leadership," says Alexander Klimburg at the Austrian Institute of International Affairs, an independent research centre. "Decisions are made at my level, at sub-ministerial level. But without top leadership, things won't move."

Incidents and threats are handled by CERT.at, but companies are under no legal obligation to report security breaches. In general, Austria's approach to public-private partnership tends to rely on methods and tools dating back to Cold War days, although a programme for protecting critical infrastructure (the APCIP) should soon bring this up to date.

Austria is rapidly building up bilateral relationships with countries and international organisations, with emphasis placed on developing regional partnerships like DACH (Austria, Germany, Switzerland). The country is also strengthening its army's cyber defence structure; media reports say that cyber-defence is about to get substantial additional funding with supposedly over 1,600 soldiers assigned to cyber-security. Analysts predict, though, that insufficient leadership makes these figures improbable.

Brazil

Brazil has a cyber-security strategy, and a national CERT (CERT.br) that participates in the informal CERT communities. An Information Security Department was set up in 2006, and a cyber-security command in 2010.

Score:

"Brazil has been without a war for generations," says Raphael Mandarino, Director of Brazil's Department of Information Security and Communications (DSIC). "We don't see cyber-space as a battlefield. Our cyber-security system was essentially created to protect internal department infrastructure, which makes our situation quite different from that of the US."

So far, widespread police corruption and lack of legislation to combat cyber-crime have constituted the country's Achilles heel. A computer crime bill has been pending in Congress since 200S. In a country where internet banking is widespread (some 73m people on the internet, with more than half using online banking), bank Trojans reign supreme. Cyber-attacks on users are above the world average.

Infrastructure and technology across Latin America and the Caribbean (LAC) tend to be outdated, and that's still the case in Brazil. Policymakers know that if the region's largest economy is to be considered a safe place to do business, the critical national infrastructure, which is mostly in the private sector, must be better protected. With the 2014 World Cup and the 2016 Olympics coming on the horizon, the pressure is on.

The DSIC is in charge of security in all government departments. "Our main task," says Mandarino, "is to capitalise on people by training all government agents. We have !S million servers in the country, and 2,000 people working on cyber-security in government." His mandate covers the public sector only.

"Brazil has been a party since its inception in the UN convention which is based on a more comprehensive, inclusive discussion" Raphael Mandarino

Despite regular meetings with the private companies in charge of energy, communications, transport, banking and water, actual progress is slow, Mandarino says.
"We also need to restructure our defence command," he says, "and we are working hard on producing a command, control software."

The government recently launched the Brasilia-based Centre of Cyber Defence (CDCiber) to protect Brazil from attack. The big challenge for CDCiber may be the need to protect private infrastructure, according to William Beer who is in charge of cyber-security at PwC in London.

With the Organisation of American States (OAS), Brazil is contributing to a cyber-security culture in South America that also involves technical cooperation. Brazil has proposed a legal framework on cyber-crime to replace the Budapest Convention, judged too Euro-centric. "We believe countries should join a more global convention," says Mandarino. "Brazil has been a party since its inception in the UN convention which is based on a more comprehensive, inclusive discussion."

Canada

Canada has a national CERT, a cyber-strategy and participates in informal CERT communities.

Score:

Canada's Minister of Public Safety Vic Toews launched a Cyber-Security Awareness Month in October 2011, but despite its ambitious national cyber-security strategy, the Canadian government's critics tax it with moving too slowly and not providing enough funding. "Canada has interesting expertise but those capabilities are not reflected in government," says thought leader Rafal Rohozinski, who runs the Canadian SecDev Group. He says the Ottawa government eviscerated the country's cyber-security programme for budgetary reasons.

In February 2011, government departments and the Canadian Parliament's network were penetrated and sensitive data stolen. "There's a tendency here to be suddenly aware of the cyber-bogeyman rather than look at the problem in its totality," says Rohozinski.
He points at Canada's funding of NGOs as an area where the government has shown efficiency but says there's a long way to go on the cyber-security front.

Among the challenges Canada faces is the fact that Google has sited one third of its cloud computing in Canada, which raises issues of copyright laws and territorial security. "Is the information subject to US law or Canadian law?" asks Rohozinski. "Who determines the final resting place of jurisdiction? These are interesting questions."

The government has put "lawful access" legislation before Parliament that would vastly increase the right of law enforcement to collect intelligence online, including forcing internet providers to hand over names, email addresses and telephone numbers of subscribers. The public debate between "security" and "privacy" is still raging.

China

China has a national CERT, participates in informal CERT communities, and has a cyber-security strategy.

Score:

It's hard to sort Western prejudices from what China sees as its legitimate political concerns. One radical and uncontested difference is that China sees information as a weapon and a threat to regime stability, a different cultural perspective that leads to different protection measures. The basic fact is that half a billion people use the internet in China, and that a third of the country is online.

"The Chinese talk about information-security, we talk about cyber-security," says Herbert S.
Lin, Chief Scientist at the Computer Science and Telecommunications Board at the National Academy of Sciences, Washington, DC. "They consider some information to be as big a threat to the country as an attack on its critical infrastructure. Anything related to information security that gets done in the name of political stability is a positive thing."

"The Chinese talk about information-security, we talk about cyber-security" Herbert Lin

Says Lin, "The Chinese point out that we too in the West are concerned about internet content. Child pornography is content and we pass laws against it. If the West believes in some kinds of content regulation, they say, where do you draw the line? The Chinese say, you have a view on what should and should not go on the internet, and why should your view prevail over ours?"

"One of the Chinese government's leading concerns is to work out how to obtain the economic benefits of an open internet, without sacrificing political control," says Lin. The government-operated Golden Shield, known in the West as the Great Firewall of China, blocks some content from entering or leaving China. The government also has a close relationship with Internet Service Providers (ISPs).

"In China's political culture, we see a person's privacy as subordinate to maintaining social order," says Peiran Wang, a visiting scholar at Brussels' Free University (VUB). According to Wang, China's most urgent cyber-security challenges include "establishing a coherent legal and regulatory system, and enhancing cooperation between departments. At present, the Ministry of Public Security, the Ministry of Industry, the Ministry of State Security and even the military are involved, and they don't communicate well."

According to Russia's Kaspersky Lab, the .cn top-level domain was hosting almost 20% less malware in 2010 than in 2009. This is thought to be the result of a new Chinese policy restricting the .cn domain name to registered businesses. According to the People's Daily, the government is toughening laws on the way hacking
crimes are handled by courts. The security industry, however, is still in its fledgling years.

China's information warfare and cyber capabilities are little known, although it has military training centres that include cyber-war training programmes. There are reports that the Chinese military takes direct orders from the president but does not report to the civilian government, the Central Committee. There are other reports of a cyber militia, a "loose web of cowboy hackers" not formally connected to the military or to the government, who hack for vaguely patriotic reasons.

But whereas the US has formally stated that it will abide by the laws of war if it is to engage in a cyber conflict, the Chinese have not made it clear if they share that view. "I've been told by people who talk to the Chinese at the senior diplomatic level that the Chinese believe there are currently no international laws that apply to cyber-war, although this position has not yet been stated in writing," says Lin.

China belongs to the Shanghai Cooperation Organisation (SCO), a grouping that links it with Russia and most Central Asian countries, and which has issued a code of conduct stating the principles they believe should govern the use of the internet, including the primacy of states. "Among other things, China does not want US views to shape the use of the internet," says Lin. "They believe the governments of nation states should be responsible for specifying how those under their jurisdiction are or are not able to use it."

Denmark
Denmark has a national CERT, participates in informal CERT communities, is part of the National CERTs in the EGC group, and has a contingency plan for cyber-incidents. It does not yet have a cyber-security strategy.
Score:

Denmark's Defence Intelligence Service is planning a cyber-warfare unit to protect the armed forces' technology from cyber-attack. Although the country's security strategy is principally defensive, the army has a "3rd Electronic Warfare Company" whose aim is to disrupt or exploit enemy communications. Meanwhile, internet service providers are legally obliged to report all cyber-security incidents.

"What will our role in the international community look like in the future? What are our commitments and engagements?" asks ICT specialist Christian Wernberg-Tougaard. "Among topics under discussion, should we share our air force with neighbouring countries more than we do so far? Could we rent capability from Sweden, for example?"

Wernberg-Tougaard is chairman of the Danish Council for Greater IT-Security that was set up four years ago. Before, internet security issues were spread out between different ministries and stakeholders. Now the independent group of researchers, and public and private sector companies tries to bring a holistic approach to the change from an analogue to a digital service society. "We've had a big impact on the mindset of the country's policy agenda," claims Wernberg-Tougaard.

"One of the good things about Danish society," he explains, "is that we digitised very early on, in the early 1960s. Every child is assigned an ID number (CPR number) minutes after birth. Within two hours you
can find this number in more than 30 systems, automating interaction with the home nurse, the paediatrician and child benefit." The system has its weaknesses, as the risk of privacy intrusion is increased by the relative age of the systems and increasing theft of CPR-numbers.

A working-group on "IT-security Beyond Borders", under the auspices of the Danish Board of Technology (DBT), has developed recommendations to improve IT-security, and make the country a world model. So far, groundbreaking work has been done in the area of child protection, ISP providers have formed an alliance to battle child pornography and jointly close down sites and enable police to carry out investigations, using a joint codex.

Every year, the Minister for Science, Technology and Innovation (since the change in government in 2011, this is now split between several ministries) submits an IT and Telecommunications Policy Report to Parliament. But on the whole, law enforcement is under-funded and under-resourced and concentrates more on old-style police investigations than cyber-crime.

Denmark is to take part in the "Nordic Resource Network" which seeks to improve cyber-defences.

Estonia
Estonia has a national CERT since 2006 (CERT-ee) and a cyber-security strategy (since 2008). The country participates in informal CERT communities, and in the EGC Group of national CERTs. Estonia takes part in cyber-incident exercises.
Score:

The massive denial-of-service attacks against Estonia in 2007 alerted the world to what a cyber-attack might look like, although the consequences were not nearly as bad as the international press suggested. "The banks quickly handled the situation," says Jüri Vain of Tallinn University. "The 90-minute block-out was fatal to no one."

Many countries are now looking to Estonia for cyber-security leadership, even if Canadian expert Rafal Rohozinski stresses that "Estonia is really too small a country to be a case study."

But it is clearly easier to get organised in a small country, and Heli Tiirmaa-Klaar, a senior advisor on cyber-security at Estonia's Ministry of Defence, says they coped very efficiently when put to the test. "We limited the damage by limiting connectivity to the outside world," she says. The public sector quickly analysed and patched up the holes, and banks have since further increased security, electronic signatures, backup systems and firewalls.

The defence of critical infrastructure is now very much top of the agenda, and with /S% of it in private hands, much emphasis is being put on private-public partnerships. "We'd been building resilience long before the attacks took place," says Tiirmaa-Klaar. "Our new crisis management system is pushing for a public-private dialogue based on a voluntary approach. We are keen both to protect our way of life and to protect our business interests."

Tiirmaa-Klaar, who led negotiations with private sector leaders in 200S, stresses that not only is coercion unnecessary, but that general awareness in Estonia is much higher than in other countries. "Even retired people have long been using computers," she says. "We have such a low population density that everyone needs internet access."

The country has very secure national authentication services, which require two electronic signatures (the only other country to do this is Israel). It plans to update its cyber-security strategy in 2013. "This will involve substantial reworking," says Jaan Priisalu, who heads Estonia's Information Systems Authority. He is also
behind the Cyber Defence League, set up in 2009, a voluntary body of civilians who engage in defence exercises.

Estonia remains a fast-developing information society, and the first country in the world to have used e-voting in Parliamentary elections (in 200S). Since 2011, cyber-security is in the hands of the Ministry of Economic Affairs and Communication (MeAC) and its two main agencies, the Department of State Information Systems (RISO) and the Estonian Informatics Centre (RIA). NATO's Cooperative Cyber Defence Centre of Excellence is also based in Tallinn.

As elsewhere, funding and resources are in short supply. "If you live in Japan," says Tiirmaa-Klaar, "you invest in safety measures against earthquakes. We have to do the same. Europe is a seismic region in cyber terms."

Not surprisingly, Estonia has also been a frontrunner in promoting international cooperation, and has cyber-defence cooperation agreements with the Baltic and Nordic states.

THE EUROPEAN UNION
The 27-nation European Union has no single approach to cyber-security, as this is currently handled by member states. Responsibilities are national, but EU institutions and bodies like the European Commission, the European Parliament, the European Council, the European Central Bank, the European Court of Justice and 55 others are working on setting up their own inter-institutional CERT, rather like a national government CERT. At present, this CERT is represented by a pre-configuration team.

Freddy Dezeure is the head of this inter-institutional computer emergency response pre-configuration team (CERT-EU). "We're not aiming to protect all citizens in Europe or to coordinate the other CERTs," he says. "Our scope is limited to the EU institutions, bodies and agencies. We want to become the glue, the catalyst to initiate new systems and foster information exchange."
Although they started only recently, Dezeure says this inter-institutional CERT is ambitious. "Some EU member states already have very advanced and sophisticated CERTs," he says, "and we have to aim to be among the best governmental CERTs. It would be very arrogant of us to go to the UK, for instance, and suggest they do things differently."

"Technology develops very quickly and we have trouble following up with policy," says Evangelos Ouzounis, Senior Expert at the Crete-based European Network and Information Security Agency (ENISA), the EU's centre of expertise. "Over the last two or three years," he says, "there have been tremendous developments at member state level, and pan-European level policy is also catching up. We're working towards a technology-neutral strategy, something where the technology can change but not the policy."

The EU has 140 national CERTs, with some countries, like the UK, having both a national and a governmental CERT. The operational CERTs with international visibility can join the informal European Government CERT peer group known as ECG that is developing cooperation on incident responses between member states. "Ten member states belong to the group, and ENISA is helping the others get up to scratch through trust development," says Andrea Servida of the European Commission's Information Society and Media Directorate General.

ENISA, which has an inventory of private sector, academic and governmental CERTs across Europe, is helping to spread good practices and to establish standard baseline series, like a guidebook. In November 2011, the European Union held its first joint cyber exercise with the U.S., which ENISA facilitated. In 2010, ENISA helped member states carry out the first pan-European cyber-security exercise.

In 2011, the EU ruled that member states have to report incidents to ENISA on a yearly basis. "This is important," says Ouzounis. 2012 may see the first reports.
"We want to work together to develop a common approach that will create more insight into what's going on."

But as ENISA's technical department head Steve Purser stresses, much work at ENISA is spent on educating citizens to the fact that cyber-security is crucial to tomorrow's security. "When you walk down the street, you won't answer personal questions from a stranger. In the electronic world, people don't exert the same kind of prudence. Security requires people to behave the same way in the electronic world as they do in the real world."

For Gerrard Quille, Specialist in Foreign Security and Defence Policy at the European Parliament, the Parliament's top priorities include how information technologies and human rights can work fruitfully together, and how cyber-security and internet freedom fit into the EU's foreign policy debate.

Things are also moving on the cyber-crime fighting front, with next year likely to see the opening of a European cyber-crime centre, and the coordination of online internet crime reporting in EU member states. Victoria Baines, strategic advisor on cyber-crime at the EU's law enforcement agency Europol, stresses that a feasibility study is under way and that Europol hopes its conclusions will be to host the cyber-crime centre in The Hague, building on Europol's IT infrastructure in the city. Last year, Interpol set up two strategic partnerships: it joined the Virtual Global Taskforce (VGT) of agencies dealing with child abuse online, and it is now the strategic law enforcement partner in the International Cyber-Security Alliance (ICSPA), co-founded by McAfee, Visa and others.

Finland
Finland has a national CERT (CERT-Fi), participates in informal CERT communities and is an active member of the European government CERTs Group (ECG). The country also engages in regular cyber-incident exercises in the public and private spheres.
Score:

In 2011, the Finnish government announced plans to invest heavily in developing an arsenal of cyber-defence weapons, such as worms, malware and viruses, to protect military, government and private enterprise networks, as well as the country's critical infrastructure.

"The idea of a defence strategy based on attack as well as defence is still taboo," says Timo Härkönen, director of government security in the Finnish Prime Minister's Office. "The public debate on the 'counter-punch' has only just started."

The 2007 attacks on Estonia were closely monitored. Some sites in Finland were also affected. Finland, like the other Nordic countries, is highly connected and has been since the 1990s. By 20!S, Finland aims to be the world leader in information security.

One of the liveliest debates is about the preliminary report for the country's cyber-strategy due to be ready by the end of 2012. "Right now, too many authorities are in charge of too many systems," says Härkönen. "We need a common system or a limited number of systems so as to avoid fragile areas."

Härkönen's view is that the open government network doesn't present a great security risk. "Much of the information there is aimed at the general public. We simply have to accept that it will be attacked and invest in protecting more sensitive networks like those of the police, border guards and defence forces, and the government's own confidential network." In 2013, Finland will have a common secure network for all these authorities.

The Finnish mobile telecom operators have adopted a code of conduct ensuring basic protective measures for mobile phone content. Finland has a long and solid tradition of public-private partnerships, supported by the National Emergency Supply Agency. As for international cooperation, Finland fares well with active links to Nordic and Baltic countries. The effective national CERT has an automated service that collects and reports information security incidents.

France
France has a national CERT (CERTA), and participates in the informal CERT community and in the
EGC inter-governmental group of CERTs. France has had a cyber-strategy since 2011 and takes part in cyber-incident exercises.
Score:

"We're living in times that recall the 19th-century scientist Louis Pasteur," says Patrick Pailloux, Director General of the French Network and Information Security Agency (ANSSI), the national cyber-security authority under the Prime Minister. "That's when doctors started washing their hands and sterilising equipment, realising that they could no longer do things any which way. The same now applies to internet security."

ANSSI has been up and running since 2009 to protect France's public systems cyber network. "Our first task is to develop cyber-defence operational capacities, including rapid intervention after attack," says Pailloux. "The second is to improve the protection of our national critical infrastructure."

Pailloux says that not enough engineers and IT specialists practice the most basic "rules of hygiene" when using the internet, and that too few company directors even know what these are. "It's a big, big problem," he says. "Not just in France but worldwide." He believes the massive attacks in March 2011
on the ministries of Budget and Finance acted as a wakeup call to private companies.

Olivier Caleff, an analyst at the Devoteam consultancy, agrees about the lack of specialised staff working on cyber-security in government agencies and the police, but on the plus side, he argues that France has excellent security methodologies. "We have access to a lot of products from many countries. Our problem is that although larger companies are growing increasingly aware of cyber-security, smaller companies are not doing enough."

Some problems are linked to jurisdiction. "Over the last three years France and Belgium have seen a big increase in unsophisticated phishing attacks from North Africa against banks," says Jean-Michel Doan, cyber-crime analyst at Lexsi Innovative Security. "We try to put all the banks together around a table to make a joint complaint, but the problem in a case like this is law enforcement in North Africa."

Pailloux believes the best way to overcome private companies' resistance to security problems is to create an interface between the government and private companies. "We need such a body to look at whether there should, for instance, be a legal obligation to report incidents. So far in France, the telecoms have to report incidents, but so should the 12 sectors of critical infrastructure."

"France has a highly centralised system," Pailloux explains, "with a single agency in charge of cyber-security, which is both an advantage and a disadvantage. On the one hand we have good inter-ministerial connections, on the other there's too few of us." Some 200 people work for ANSSI at present, with 360 promised by the end of 2013.

France's ambition is to be among the global powers in cyber-defence, and is so far engaged in bilateral relations with Germany, the US and the UK.

France has controversial policies on internet censorship. Its loi Hadopi of 2009 allows internet service providers to monitor French users for copyrighted music and videos. Users who don't respond to the ISP's warnings can be taken to court.

Germany
Germany has a national CERT (CERT-bund), and a cyber-security strategy since 2011. It is also a member of the EGC group of government CERTs and participates in cyber-incident exercises.
Score:

Germany's solid engineering and safety culture has given it a headstart in cyber-security. "But our problems are the same as everyone else's," says Sandro Gaycken, a professor at the Berlin Free University. "There aren't enough people teaching security, and there's not enough focus on inter-disciplinarity."

Unlike most other countries, Germany hasn't been hit really hard by the economic recession. Nevertheless, private companies are loath to invest in cyber-security and recently little additional government funding has gone into cyber-defence, despite the unsettling fact that Germany topped Europe's cyber-crime list in 2011. "Companies still don't know what the loss of intellectual property means," Gaycken says. "The attitude is 'What do I care if China steals my intellectual property?'"

On the other hand, according to ENISA expert Evangelos Ouzounis, Germany was an early starter in 200S at protecting its critical information infrastructure, even if the regulatory system is complicated by the number of agencies at federal level: the three main players are the telecoms regulator, the Ministry of the Economy and the Interior Ministry.

Another early start for Germany is its central cyber-protection organisation, the Bundesamt für Sicherheit in der Informationstechnik (BSI), which has been around for 20 years. The country's cyber-security strategy, set up in 2011, includes a new Cyber Defence Centre and a National Cyber-Security Council to promote better cooperation between the seven federal agencies involved in cyber-security.

The current German debate is very much how to urge private companies to better protect their systems. With Berlin's plans to invest in a new smart energy grid, this is all the more urgent. As elsewhere, critical infrastructure in Germany is mostly in private hands, but the nuclear sector is suffering growing problems, and the water companies are fragmented: some
are mechanical, others are IT connected. "More protection has raised the question of compensation for the investment," says Gaycken. "Or must these companies raise their prices significantly?"

Germans have painful memories of surveillance both during World War Two and in the former GDR in East Germany, so they tend to be sensitive about privacy issues. The German media is therefore very sceptical about surveillance, and there have been public demonstrations against introducing CCTV cameras. In 2008, the constitutional court in Karlsruhe ruled on the security versus privacy question that the security forces may only infiltrate computers with Trojan malware in very specific cases.

The German hacker foundation, Chaos Computer Club (CCC), claims to have analysed spying software used by the government and come to unsettling conclusions. "This spyware was doing more than allowed," says one-time hacker Florian Walther, now IT Security consultant at Curesec. Discussion is ongoing among politicians and in the media.

India
India has a national CERT (CERT-in, since 2004), a crisis management plan and is setting up a Cyber Command and Control Authority. A draft of a national cyber-security policy is under discussion.
Score:

"In India, we went straight from no telephones to the latest in mobile technology," says Cherian Samuel of the Institute for Defence Studies and Analyses (IDSA) in New Delhi, "and the same with internet-connected computers. They came in all of a sudden, and no one was taught even the basic facts about cyber-security."

India stands fifth in the worldwide ranking of countries affected by cyber-crime, although it should be emphasised that these figures are extrapolations. Much of its vulnerability is explained by widespread computer illiteracy and easily pirated machines. The premium on internet privacy in India is low, and data control therefore tends to be neglected. This is another reason for the success of phishing and other scams.

"People in India have to understand basic security like pin numbers and passwords," says Kamlesh Bajaj of the Data Security Council of India (DSCI), an organisation promoting data protection. The government is taking a two-pronged approach: teaching best practices to prevent attacks, and helping capacity-building to handle incidents when attacks happen.

India is acutely aware that cyber-crime is bad for its reputation as a country where foreign investors can do business, and has been investing heavily in cyber-security. But it still lacks a single operator to control the internet, telecoms and power sectors, and even if CERT-in is the official coordinating authority, a multiplicity of other agencies are still involved.

As more and more financial service companies set up their back office operations in India, the authorities know the problem of controlling cyber-crime has to be addressed urgently. On the plus side, India has developed valuable experience in dealing with compliance regulations from around the world with the IT Amendment Act of 2008 that established strong data protection. "These companies have a broad culture of security practices," says Bajaj. India complies, for instance, both with the US and the UK's data protection acts.

The DSCI is currently designing a security framework to
compensate for the shortcomings of the ISO 27001 standard. It has also developed a Privacy Framework based on the international Privacy Principles.

The main challenge now for India is to train and equip its law enforcement agencies and judiciary, particularly outside big cities like Delhi, Mumbai and Bangalore. "Training and awareness must expand to cover the whole country," says Bajaj. "At DSCI, we've developed training and investigation manuals for police officers. We have trained more than 9,000 personnel of local education authorities and the judiciary on cyber-security. The programme will soon be a national programme supported by the Ministry of Home Affairs."

Israel
Israel has a national CERT, participates in the informal CERT communities, has a cyber-strategy and a cyber command.
Score:

"Cyber-security is not about saving information or data, but about something deeper than that," says Isaac Ben-Israel, senior security advisor to Prime Minister Benjamin Netanyahu, and a professor at Tel Aviv University. "It's about securing different life systems regulated by computers. In Israel, we realised this 10 years ago."

He notes that Israel sees 1,000 cyber-attacks every minute, but that there is a hierarchy of threats. "The hacktivist group Anonymous carries out lots of attacks but they don't cause much damage. The real threat is from states and major crime organisations," he says.

Israel is formulating national policies to actively respond to cyber-attacks. Last year, Ben-Israel headed a cybernetic task force that submitted recommendations to the government. Among the report's suggestions was the setting up of a cyber authority, the establishment of research centres and increased cooperation between the government, business and academia.

In 2002, Ben-Israel explains, Israel drew up a list of 19 major infrastructures, including power production, water supply, banking and so on. "We faced a legal problem, how do you
force the private sector infrastructure to protect themselves against cyber-attack? So we changed the laws. The level of interference of government in the private sector is a dilemma." Nevertheless, Israel believes that the critical national infrastructure isn't adequately protected against cyber-attack.

Although it is generally assumed that the Stuxnet virus that disabled the centrifuges at the Natanz nuclear plant in Iran was a joint US and Israeli design, neither country has officially acknowledged this.

Israel has a building law whereby any new house or apartment has to have a room that is bomb-proof. "People accepted this law because of our experience of Scud missiles in 1991. The threat was real and people felt it was real. It would have been unimaginable to establish the Patriot Act before 9/11. Once people in the street realise that terrorism is very real they accept things."

"Cyber-attacks are not just a technological problem but also legal, political and societal problems," says Ben-Israel. Following his task force's recommendations, Israel is implementing a five-year plan to place itself in the global cyber-security lead, including investment in R&D, the setting up of a super-computer centre, boosting studies in cybernetics and encouraging industry to develop new technologies.

Ben-Israel claims that Israel is a model for effective collaboration between industry, defence and academia. "We have a legal framework to tell private industry what measures to take to secure the power, water and banking systems." But though he says Israel is in better shape than most countries in this area, "if you look at the threat potential there is still a lot to do."

Italy
Italy has a government CERT with insufficient funds to operate on a global scale. It takes part in cyber-incident exercises, but does not yet have a well-defined cyber-security strategy.
Score:

"Politicians in Italy tend to be more emotional than rational, and they don't understand how to measure cyber-security problems," says expert Stefano Trumpy of the Institute for Informatics and Telematics at Italy's National Research Council (CNR). "They need to be educated about cyber-security threats and to learn how to define them clearly."

Italy's vulnerability is still unclear. In July 2011, hackers from the group Anonymous broke into one of the country's cyber-crime units, the National Computer Crime Centre for Critical Infrastructure Protection (CNAIPIC), releasing documents about government offices in Australia and the US, as well as companies like Exxon Mobil and Gazprom.

The country still does not have a single body for coordinating national security, although the Ministry of Economic Development coordinates the development and implementation of the national information security strategy. In 2003, the ministries of communications, justice and internal affairs created a group to study the security and protections of networks, but this body has no legal authority. The administration's efforts to combat cyber-threats are not uniform.

Although Italy has a good contingency plan for civil protection in case of floods or earthquakes, it doesn't have one for cyber. "We lack investment that would allow general capacity building," says Trumpy. "Users and even the computer suppliers haven't been educated to protecting their machines. Most of the problems are connected to the security of personal computers used for malicious purposes."

Computer crime is reported to the Public Prosecutor (Procura della Repubblica), who directs investigations and delegates to the relevant police departments. Italy has issued laws for the protection of minors and against online gambling, but cases are rarely prosecuted.

Japan
Japan has a national CERT (JPCERT/CC), a cyber-strategy and participates in the informal CERT communities. Its cyber-security centre is the National Information Security Centre (NISC), part of the Cabinet Secretariat.
In the Asia Pacific region, JPCERT/CC plays a key role in the Asia Pacific Computer Emergency Response Team (APCERT). It is a member of Forum of Incident Response and Security Teams (FIRST).
Score:

In Japan, recovery from the March 2011 earthquake and tsunami remains the No.1 priority, and cyber-security is not at the top of the agenda. In the summer 2011, information systems at Mitsubishi Heavy Industry (MHI), the military equipment suppliers to Japan's Self-Defence Forces, were attacked, increasing awareness of the threat and raising cyber-security on the government's priority list. A number of measures to protect critical national infrastructure and leading industries are being put in place.

Yet funding is on the short side. "We have to put a lot of money into preparedness for natural disasters," says Suguru Yamaguchi, a former advisor on information security to the Japanese government and professor at the Nara Institute of Science and Technology. "As a result, the budget for defence is limited and cyber-security is not a top priority in the five-year programme to improve our defence capability." Furthermore, Japan's Self-Defence Forces are not legally in charge of protecting non-military information systems.

"Awareness raising is not enough to support the cyber-security policy agenda," says Yamaguchi. "The general public supports law enforcement for cyber-crime and capacity building of the National Policy Agency for investigations. They are not so keen on the Defence Ministry's cyber-defence programme."

Japan is a highly wired country. Over 70% of households and over 9S% of offices are connected to the internet, and mobile phones are widespread with more than 93% of people using them. In 2010, the business-to-consumer e-commerce market was estimated at about Yen S trillion (100 bn). Industrial espionage targeting global firms like Sony, Panasonic, Toyota, Honda and MHI is a serious concern.

A public-private partnership (PPP) framework for cyber-protection was developed in 2006 as part of the cyber-security master plan, and so far deals with 10 critical infrastructures. "We have very good PPP in Japan," says Yamaguchi. "The government regularly updates it, and the private sector is very much involved in the discussions and processes, although dialogue could be improved further."

Good collaboration between government and industry has enabled various measures for internet hygiene. Since 2006, the malware clean-up project Cyber Clean Centre (CCC), a collaboration between ISPs and the government, has been identifying and cleaning up malware-infected PCs.

Among the hot debates in Japan is the cyber-defence role of Japan's Self-Defence Forces. The debate resembles that in the US, although it is unlikely that the army in Japan will work with other government agencies or the private sector, apart from the arms industry. "The debate is very complicated in terms of legal structure, the defining of the Self Defence Forces' missions and its longer-term programme," Yamaguchi explains.

The other ongoing debate involves plans to introduce an extensive ID system by 20!3-!S, and how to protect that system. "With fear of cyber-attacks from inside and outside Japan, what do we do to ensure citizens' privacy?" Yamaguchi asks. The programme for introducing digital IDs for all residents has launched a lively public debate involving activists, experts, government officials and law-makers.

A third issue under discussion is the role of the intelligence services in Advanced Persistent Threat (APT), or state-sponsored attacks. "Ever since World War
Two, Japan's intelligence services have worked on their own. Many people in government today feel it's time for intelligence to work with other agencies." Despite this, collaboration between the different communities is good. "Government funding for cyber-security research is increasing every year," Yamaguchi says.

On the international stage, the Japan-US defence alliance is effective. Japan-ASEAN hold an annual Information Security Conference, and a China-Japan-Korea (CJK) framework coordinates cyber-policy between those countries.

Mexico
Mexico does not have special rules to combat cyber-crime, but applies the existing legal framework contained in the Federal Criminal Code (or FCC).
Score:

"In Mexico, we always face the same challenge, and that's the thin line with the physical world," says Mexican researcher Jesus Luna who works for the Deeds group in Germany. "If you're at an automatic cashier and a man points a gun at your head you give him the money, no matter what IT security measures have been adopted."

A lot of problems in Mexico are related to corruption. The Mexican government is fighting a fierce war against the drug mafia, which often has the better technology. State officials are relatively guarded about the country's cyber-strategy, and are slow in setting up regulations. "You
have so many everyday challenges,' says Luna. 'When I was working with the central bank there, we created new technologies to try to bridge the gap between physical and technological security, and that wasn't easy.'

'From a technological perspective, we could come up with solutions to cope with issues at customs at the US border,' says Luna, 'but officials are afraid of implementing X-rays and biometrics, because they feel they would be putting their lives at risk. People are scared of implementing security mechanisms. They don't feel protected by the government or by police and this is going to take several years to resolve.'

The hacktivist group Anonymous attacked several Mexican government websites in September 2011, putting them out of service intermittently over one day. The attacks were meant to highlight increased concerns about insecurity and violence. 'No one took that very seriously,' says Luna. 'The real problem is out on the streets. Drug cartels are killing bloggers. It's that stark.'

NATO

NATO's Lisbon summit in 2010 stressed the growing importance of the cyber domain for the Alliance. The Strategic Concept committed to further developing NATO's ability to prevent, detect and defend against cyber-attacks, by bringing NATO bodies under centralised cyber protection and promoting better coordination between member countries. NATO runs regular cyber exercises.

Every member of NATO's 28-member Alliance is in charge of its own cyber-security. NATO itself doesn't intervene in this area, even if according to Lithuania's Ambassador to NATO Kestutis Jankauskas, every other word these days at NATO seems to be cyber. According to Suleyman Anil, head of its Computer Incident Response Capability Coordination Centre, NATO countries show different levels of capability according to national resources. NATO's modest cyber investment involves securing its own network, and identifying critical infrastructure at headquarters and agencies around Europe.
In 2008, NATO set up the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, which studies incidents and techniques, and coordinates efforts between NATO members to defend against cyber-attacks and to react.

NATO does not engage in global discussions about codes of conduct or international treaties. 'We believe that consultation is the best deterrence,' says Anil, 'and that a lot can be achieved by increasing information sharing.'

The Tallinn Centre's Director, Colonel Ilmar Tamm, believes that 'before creating new laws, we must first try to apply existing legal instruments to the new conditions. For example, two bodies of international law, the jus ad bellum and the jus in bello (the latter also known as the Law of Armed Conflict), are not likely to be updated for cyber,' he says. 'Instead, we need to study and understand how to apply them in cases where armed conflict includes cyber-attacks.' Experts on international law are working on this right now, and their research will be published as the Tallinn Manual in the second half of 2012.

NATO expects member nations to share cyber information with other members, with NATO providing communication systems support. The organisation also determines what information can be shared, and what non-member nations can know.

These days, even NATO is owning up to cyber-attacks. 'We were hacked by the hacktivists of Anonymous in 2011,' says Jamie Shea, NATO's Deputy Assistant Secretary General for Emerging Security Challenges, 'and although they only got into low-level restricted documents, they got a lot of publicity out of it.'

NATO is reportedly considering the use of military force against nations that launch cyber-attacks against other member states, including attacks against critical infrastructure. 'The challenge was for NATO to put its money where its mouth was,' says Robert Bell, the US Secretary of Defense's Representative to Europe, 'and we're on track. We set up the Tallinn centre and our next goal is to protect critical infrastructure, the vital utilities we rely upon.' NATO is also taking a lead in identifying standards that strike a balance between security and affordability. NATO will be gathering its agencies and commanders under a single cyber-defence roof by the end of 2012.

The EU is a key partner, and in recent months staff level talks have intensified. NATO looks to the EU as the regulating body and to the UN for norms of behaviour. 'We have an effective level of staff discussions,' says Bell. 'It would be helpful if we could go beyond that and have institutional cooperation, but that's not possible because of the continuing political split between Cyprus and Turkey.'

NATO's main role, as Anil puts it, focuses on collective security and crisis management. 'NATO countries need to share the same standards,' says Bell. 'It's in part about money but not all about money. In these difficult fiscal times, NATO governments are struggling with their defence funding.'

As far as NATO is concerned, the compilation of cyber-incidents highlight two main problems. 'The first is about outsiders trying to get in,' says Bell. 'The other is the workforce inadvertently putting classified information onto systems.'

The Netherlands

The Netherlands has a national CERT (GOVCERT.NL), coordinates with other CERTs and is a member of the inter-governmental CERTs group (EGC). The country participates in cyber-incident exercises and has had a cyber-security strategy since 2011.
Score:

The Netherlands is often cited as a cyber-security model, particularly for the exemplary relationship between the private and public sectors. Last summer, the government published a National Cyber-Security Strategy (NCSS) and installed a Cyber-Security Council to act as a platform for cyber-exchange and coordination between public sector and private companies that are part of the critical infrastructure. January 1, 2012, saw the launch of a National Security Centre.

'In the Netherlands, we've gone for a fairly bottom-up process,' says Erik Frinking, Director of the Strategic Futures Programme at The Hague's Centre for Strategic Studies. The attack on the certification authority DigiNotar in June 2011, most probably by Iranian hackers, pushed cyber up on the political agenda. As a result of the attack, DigiNotar lost its biggest client, the Dutch government, and filed for bankruptcy three months later.

Elly Plooij-Van Gorsel, Founding Chair of the European Internet Foundation (EIF), former Vice-President of the European Parliament and member of the Governmental International Advisory Council (AIV), was one of the authors of an advisory report to the government on cyber-security in foreign affairs, security and defense policy, published in January 2012, that demands an international code of conduct, and better information sharing at both civilian and military levels. 'The question is how far as a state can you
intervene? What are the threats? How real are they?' she asks. 'We need good early warning systems, good intelligence and much better information sharing. Our problem is that we are all reinventing the wheel, and that's the big impediment to global security. Cyber-attacks are borderless, so we have to cooperate and coordinate, starting within the EU.'

The new cyber-security strategy is also under debate, says Frinking. 'Everyone agrees it's not really a strategy,' he says, 'but more a short-term action plan with a combination of activities that seem important right now. It lacks an overall framework and a more conceptual idea of what is going on.'

Despite its effective public-private partnership, the Netherlands has a number of weaknesses. One is that cyber-security is fairly decentralised. 'We need better coordination for a more focussed approach,' says Frinking. 'At present, the money is shared out between too many different departments.'

Frinking also considers a lack of international outlook as another Dutch weakness, even if this is shared by most countries. 'A lot still needs to be accomplished at multilateral and international levels, and in EU forums. If something happens at national level that comes from foreign sources, how does the government position itself? Who does it call upon? What interests does it want to defend? We don't really know.'

On the balance between security and privacy, Frinking says the hardest debate is still to come. 'We've organised discussions on this issue at our institute to try to think differently about privacy. These are not good days for privacy proponents. They are put aside fairly quickly in the debate.'

The urgent issue, he says, is to raise awareness with the common users. 'I am flabbergasted by the naivety of some people on the internet, although we are seeing more and more public campaigns to change that.'

Poland

Poland has a national CERT (CERT.Polska) and a government CERT (CERT.gov.pl).
It takes part in the informal CERT community and in cyber exercises, but does not yet have a cyber-security strategy.

Score:

Polish analysts say the country's younger generation is increasingly connected, and that Poland can claim to be the most technologically advanced country in Central Europe. 'Much yet needs to be improved,' says Janusz Gorski, head of the software engineering department at the University of Gdansk, 'but the debate has started.'

The CERT community is well developed across the country, with responsibility for fighting cyber threats in the hands of the government CERT. A cyber-strategy is currently being set up. The national and government CERTs use an early-warning system that doesn't have access to private data because the sensors are installed outside the private networks.

Many Poles are concerned with the rapid growth in internet financial crime. In the first half of 2010, law enforcers initiated SS1 proceedings. By 2011, that figure had jumped to 1,220.

Gorski feels strongly, however, that Poland lacks public awareness and education. Young people aren't choosing to study cyber-security. 'Students are interested in the subject,' says Gorski, 'but they don't see a career in it.' As in most countries, funding is insufficient and the economic crisis isn't helping.

The debate, Gorski believes, is based more on scare stories in the media than hard facts or good communication between the technological people and decision-makers. The public-private partnership is not strong and is hindered, in Gorski's words, by 'a great deal of corruption'.

As in other central European countries, citizens feel strongly about privacy issues. 'People here are keen on their privacy but they don't yet see the connection with cyber-security,' explains Gorski. 'They don't know how much data is in the public space.'

Poland is an active player in international exercises. In 2010, the country participated in Cyber Europe 2010, the first pan-European exercise on the protection of critical information infrastructure. Poland also took part in the 13th Nato Cyber Workshop in
Tallinn in 2010.

Romania

Romania has a national CERT, takes part in informal and formal CERT groups, has a cyber-security strategy, and engages in cyber-exercises.

Score:

Romania has been rapidly catching up on the cyber-security front. Where, not long ago, the country was a haven for cyber-criminals because of a lack of legislation, now the police has been doing a good job at getting things under control. In 2011, cyber-crime prosecutor Ioana Albani was awarded the title of Prosecutor of the Year for the number of arrests and prosecutions she successfully conducted.

Nonetheless, resources are scarce and awareness among the common user is low, says Aurel Sima, a cyber-security expert who has been carrying out an extensive audit on his country's critical national infrastructure. The European Union has been funding a number of cyber-security infrastructure-building projects in Romania, which should see an improvement in the situation within the next five years, but the public-private partnership is still immature.

The government is planning to implement a nation-wide cyber-security policy. EADS is planning to open two competence centres in 2012, one for cryptography and the other for cyber-security. IBM is opening a systems laboratory in Bucharest, the first European site for developing IBM switches and networking hardware and software, and Hewlett Packard has plans for a security development facility.

The reason, says Sima, is that Romania scores high on technical knowhow. The state encourages IT development, with a 10-year-old policy of tax breaks for companies that hire internet programmers. 'A lot of well trained Romanians have worked abroad for Google, Yahoo and others, and they're coming back with lots of expertise, having earned the trust of big companies.'

Romania is among the top 10 countries for broadband internet speed, and more and more people are using the internet. Sima says this is
partly explained by the high level of emigration. 'Three million Romanians work abroad,' he says, 'and the internet is an affordable way for them to stay in touch with people back home. This has greatly helped internet penetration.'

After years of dictatorship, Romanians love their privacy. 'We've been there before,' says Sima. 'We know how bad it is when governments intercept calls and communication. This is why the government is trying to find ways to protect the confidentiality of communication and data transmission.'

Romania is working with law enforcement agencies in the EU and the US, and has a structured system for cyber-security cooperation with NATO.

Russia

Russia has a national CERT (ruCERT) that participates in the informal CERT communities and is a member of FIRST. It issued strategic guidelines in 2011. The Security Council of the Russian Federation coordinates the four ministries in charge of cyber-security (Interior, Justice, Foreign Affairs and Defence).

Score:

It's difficult to sort the wheat from the chaff when writing about Russia and trying to distinguish between popular Western prejudices and governments' concerns about Russian cyber-practices. In its October 2011
report to the Congress, the US Office of the National Counterintelligence Executive openly accused Russia and China of cyber-espionage that represents 'a persistent threat to US economic security'. In the words of one expert, Russia is 'a thug state with great hackers'.

Vladimir Chizhov, the Russian Federation's Ambassador to the EU, stresses Russia's campaign for an international cyber arms-control agreement. Russia, along with China, belongs to the Shanghai Cooperation Organisation (SCO), whose members signed a code of conduct in cyber-space.

Acts of terrorism are a major concern in Russia, as is social networking that could unsettle the regime and bring about a 'Russian Spring'. 'We've been a target of terrorist attacks,' says Chizhov, 'and as technology develops we can't disregard cyber-terrorism. But we need to take the international route, starting with an international codification of the terms cyber-attack, cyber-crime and so on. This type of crime can only be successfully fought through international cooperation, and we believe the UN is the right venue.'

Vitaly Kamluk is a technical expert at Kaspersky Lab and well versed in Russian cyber-crime. 'Russia is known around the world for certain types of attacks,' he explains. 'Top among them are banking trojans and spam-sending botnets. But we're growing more and more like the rest of the world now. What's new is that Russian hackers are now targeting local citizens, which they didn't before. In Russia, unlike other large countries, you
can still register a service anonymously.'

'There's no open debate on the subject,' says Kamluk. 'The money stays at companies that provide legal services for short premium SMS numbers, which suits businesses. But it also suits cyber-criminals.'

According to Kamluk, where Russia is more open than most countries in the West is on internet forum debates. 'My experience is that there are a lot of beginners out there discussing things very publicly. It's quite easy to join and monitor the activities of cyber-criminals.'

Russia is tightening up its defences against home-grown cyber-crime, with new regulations on the security of private data, on protecting digital signatures and on the registration of domain names, which until recently could be set up without verification. Chizhov says he hopes the public-private partnerships in Russia are working 'reasonably well', and believes that private companies are aware of the risks posed by cyber-crime.

Large swathes of the country are not yet connected, which makes Russia less dependent on its critical national infrastructure than other countries. 'It's a huge territory,' says Alexey Salnikov, Vice Director of Information Security at Lomonosov Moscow University, 'and the internet is not involved in all the structures of government. In Siberia, for instance, there is very little internet connection. We have a lot of intranet compared to the US and Europe.'

Despite Russia's reputation for technological know-how, Salnikov says they urgently need more researchers. 'We have some 100 institutes and universities that deliver courses for future specialists of information security, but that's not nearly enough.'

Spain

Spain has a government CERT and takes part in the informal CERT community and the national CERTs in the EGC group, but doesn't yet have a cyber-strategy. It takes part in cyber-incident exercises.
The National Intelligence Service (CNI) heads the National Security Scheme/Esquema Nacional de Seguridad (ENS) that establishes minimum security requirements and protective measures to be met by administrations.

Score:

'Cyber defence spending must be increased,' says Spanish intelligence chief Felix Sanz Roldan. ICT spending on government systems rose until 200S, but has either remained the same or been cut since then. 'The threat of state-sponsored cyber-attack is real and one of the most serious that confronts Spain's information systems,' says Sanz Roldan.

Back in 2009, members of the Senate began urging the government to speed up its implementation of a national cyber-security plan. With the new government elected in November 2011, and the economic crisis the top priority, it remains to be seen how quickly action will be taken.

Spain has a national public prosecutor for cyber-crime, as do some of its autonomous regions. The country also has national CERTs, and some regions like Valencia have their own CERTs, but there is no single body under a single national policy. So far, the CCN-CERT (the national intelligence's CERT) is filling this role, including the protection of national critical infrastructure.

'We urgently need to coordinate at all government levels,' says Colonel Emilio Sanchez De Rojas, cyber expert at the Ministry of Defence, 'and at the European and global levels. The government needs to invest but so does private business, and we need to coordinate the two.'

In its electoral programme, the governing centre-right Popular Party contemplated a national coordinating authority on security, including cyber. In the meantime, ENS has established three levels of security requirements for usage and tools: low, medium and high. When the national cyber-security strategy is in force, these ENS requirements will be applied to the private sector's critical infrastructure.

Sweden

Sweden has a national CERT (CERT-se) that is a member of the EGC Group, and that takes part in informal
CERT communities. It has a national cyber-security strategy, a national plan for cyber-incidents and organises and participates in cyber-exercises.

Score:

'Our awareness has been greatly raised over the last five years. We no longer have low-hanging fruit to be picked off,' says Lars Nicander, director of the Centre for Asymmetric Threat Studies (CATS). 'Security is growing tougher and tougher, and although there will always be loopholes, you would have to be very knowledgeable to effect an intrusion.'

The Swedish Civil Contingencies Agency (MSB) supports and coordinates information security across society, from local municipalities to national critical infrastructure operators. MSB hosts a cooperation group for information security (including the armed forces and the post and telecom agencies, among others), as well as the country's national CERT.

MSB reports to the Ministry of Defence, but four cabinet departments are in fact involved in cyber-security (defence, enterprise and industry, foreign affairs, justice). 'That's too much,' says Nicander. 'We need a top-down approach to cyber norms to establish who owns them, and a bottom-up approach to carry out technical cyber-defence exercises.'

As Director General of MSB, Helena Lindberg says her agency's task is to assess risks and vulnerabilities, raise awareness, coordinate stakeholders and create networks. 'What's unique to Sweden,' Lindberg says, is that 'we don't box things in. We're good at cross-sectoral work and involving all stakeholders.'

Work is being done to improve the public-private partnership, however, which is generally thought not strong enough. 'We need the expertise of private companies,' Lindberg says. 'They know more about technological developments and they know their own vulnerabilities.'

Sweden scores well on technical exercises, although the country's top decision-makers lack cyber knowledge. As elsewhere, the gap between the technical people and the policy-makers needs to be closed.

'Cyber-security isn't just about more sophisticated technology and
more money,' Lindberg says. 'It is also a "people problem". We need better governance at all levels of society and we need to get the best brains working on this.'

'Sweden plays a leading role among Nordic countries both at the innovation level and in helping other countries work together,' says Roger Forsberg, chief information officer for the Swedish Fortifications Agency (SFA), which manages public defence related buildings and land.

'We're lucky in having a defence heritage from the Cold War,' says Nicander, 'when we spent a lot of money on redundancies in critical infrastructure. We're not as vulnerable as the US was in the mid-90s when their SCADA systems had no protection at all.'

Cyber-security of industrial control systems (SCADA) is a hot topic in Sweden as elsewhere, and the MSB and the Swedish Defence Research Agency have built a capacity laboratory for the cyber-security of SCADA systems.

United Kingdom

The UK has an Office of Cyber-Security and Information Assurance (OCSIA) and a Cyber-security Operations Centre (CSOC). The former is based in the Cabinet Office and the latter is located within GCHQ, the UK's electronic intelligence agency. The UK has a national and a government CERT, takes part in the informal CERT community as well as the EGC Group of inter-governmental CERTs. In 2011, it updated its cyber-security strategy and takes part regularly in cyber-incident exercises.

Score:

The UK published its updated cyber-strategy in November 2011.
'The 2009 version was out of date,' says Fred Piper, cryptologist and founder of the Royal Holloway Information Security Group. 'The theme now is that the internet is here to stay. We need it for industry, governments and individuals and we must make it secure. The previous approach was more about fear, uncertainty and doubt.'

The government has assigned a four-year budget of £650m to cyber-security, including establishing norms of good behaviour in cyber-space. The new strategy promises that the new National Crime Agency is to have a cyber-crime arm by 2013, and more resources are to go towards law enforcement on cyber-crime with a Home Office Cyber-Crime Strategy to be reviewed every six months.

'There are many good ideas within the policy document,' says information-security expert Peter Sommer. 'OCSIA has gone out of its way to consult widely, but there are also problems that will need to be addressed. How will these plans be put in action? There are no plans for a UK cyber tsar. Then, a great deal depends on cooperation from the private sector, which controls about S0% of the critical national infrastructure. Finally, over half of the new funding will go to the secret vote, the intelligence agencies, where value for money will be difficult to investigate. I would have preferred more emphasis on public education helping potential victims help themselves.'

In 2011, child benefit data on two computer discs was famously lost. That incident made the British public more aware of the 'human factor' in cyber-security. 'There is a swing away from regarding cyber-security as a purely technological issue,' says Piper. 'A lot more effort now is going into things like awareness programmes and educating the citizens to look after their own computers.' A public website, GetSafeOnline, is specifically addressed to ordinary users.

One feature of UK culture, according to Sommer, is that 'much discussion in the UK takes place out of the public gaze. MI5 and the intelligence agencies set up informal meetings where people get to know each other and share concerns, but it's kept below the public horizon.
People are more candid away from the full glare of public scrutiny.'

The government's approach, says Sommer, has been to avoid imposing regulations and thus setting things in stone. 'They have to impose regulations to ensure that adequate preventative and recovery measures are in place,' he says. 'The main problem is how do governments interact with large commercial businesses in this relatively new situation?'

The UK government has been talking to the major infrastructure companies since the late 1990s, when alarm bells were ringing over fears about the 'millennium bug'. One hope is that these relations can be formalised via an information exchange 'hub'.

The one problem, Sommer says, is a failure to understand the limitations of the public-private partnership. 'The fact is that private companies owe their first obligation to their shareholders, and many of the UK's leading utilities companies are substantially owned by overseas companies, such as Germany's Eon and France's EDF.'

UNITED NATIONS

Many see the UN as the ideal conduit for fostering relationships between nations and promoting discussions on cyber-threats. Hamadoun Touré, the International Telecommunications Union's Secretary General (ITU) believes that a global treaty could include an agreement that countries protect their citizens in the case of cyber-attack, and agree not to harbour cyber terrorists. Russia and China would like to see this UN treaty.

The U.S. and the UK, on the other hand, prefer the Budapest Convention on Cyber-Crime introduced by the Council of Europe in 2001, and argue that the UN institution is too slow and cumbersome. The Budapest Convention, which has been ratified by 120 countries, is used by prosecutors to secure electronic evidence of cross-border crime.

UNESCO is another UN agency involved in the cyber-space debate, focussing on the protection of Article 19 in the Declaration of Human Rights which guarantees freedom of expression.
'Article 19 is an enabler of other rights,' says Andrea Beccalli, an ICT specialist who has designed policies for UNESCO. 'We try to stress this to our member states, particularly the right to assembly. Shutting down a blog or a Facebook page is a violation of Article 19. The right to assemble and discuss in cyber-space also comes under Article 19.'

UNESCO considers access to the internet as every person's basic human right, and that when designing national cyber-security agendas, countries must make sure citizens are aware of their rights on the internet, as well as the internet's threats and potentials. 'Our position is that training can teach individuals to protect themselves,' says Beccalli. UNESCO is basically promoting a multi-stakeholder approach that goes beyond the constituency of member states and accredited private sector parties.

Beccalli says one of the big upcoming debates in cyber-space is who will be in charge of the governance of smart phones. Smart phones are spreading rapidly through Africa, with 99% of new internet connections in Kenya done by young people using mobiles. 'We need an established model that is nimble enough to keep the constituency open and the debate as broad as possible for all actors and stakeholders. We want to make use of these technologies, while moving towards a policy development process totally different from that done by inter-governmental organisations, which is too stiff and not inclusive enough to see where these new technologies and applications are going.'

United States of America

The U.S. has a government CERT, takes part in the informal CERT communities, and has a new cyber-security strategy since 2011. It has a contingency plan for cyber-incidents and is an active player in cyber-security exercises. The Pentagon has a cyber-command (USCYBERCOM) that defends American military networks and can attack other countries' systems.
Score:

'From my perspective, there's never been a cyber-attack on the US, but countless episodes of espionage and crime,' says James Lewis, senior cyber expert at the Center for Strategic and International Studies (CSIS).

Kevin Gronberg agrees with him. The senior counsel for the House of Representatives Homeland Security Committee says, 'The term cyber war is as unhelpful as the expression Cyber Pearl Harbour or Cyber 9/11. It's what internet people call fear, uncertainty and doubt. We need nuance because this issue is complex and touches on so many elements of our economy and way of life.'

The naming of a White House cyber coordinator, known as the Cyber Tsar, in 2011 has moved the US away from what Lewis once described as a 'tribal approach', in which too many players held the field.

'It's an important position to help coordinate throughout government,' says Melissa Hathaway, a consultant in Washington, DC, who led President Obama's Policy review, 'but the position is not ranked high enough in the White House structure to have the authority needed to drive change.'

The November 2011
strategic guidelines on cyber-security add up to a well-thought-out document, says Lewis, that is deliberately not set in stone. 'The day after the guidelines were realised,' he says, 'the Department of Defense held a small meeting with experts. The first thing they said is that they were already working on the next version.'

Lewis says the guidelines have been widely misinterpreted, for instance on the issue of when to use deterrence, or when and how to use offensive capabilities for defensive purposes. 'Threatening military retaliation for malicious action in cyber-space makes sense to prevent attacks,' he says, 'but it doesn't work against espionage or crime because neither of them involve the use of force. So it doesn't apply in many cases.'

And it's the exploitation of the internet by strategic competitors that is most damaging to the US and Europe. 'China and Russia are the most active,' he says, 'but China is noisier than Russia.'

Does the US itself indulge in cyber-espionage? No, says Lewis, and for two reasons. 'For one thing, our laws don't allow us to favour one company over another, so would we be spying for Boeing, or who? Secondly, until recently they didn't have much in way of technology we would want to steal.'

Rather than designing an international cyber-security treaty, the US favours improved collaboration with international law enforcement agencies.

How good is public-private partnership in the US? The Department of Defense has a solid relationship with the defence industrial base, says Gronberg. Lockheed Martin, for instance, has developed a legal framework for sharing cyber-security information with other companies. 'This hasn't been the silver bullet that solves all problems,' says Gronberg, 'but it has gone a long way to improving levels of trust in that sector and it's the most innovative cyber-security development of the last five years. The model could be expanded to the other utilities like the power grid and financial service sectors, among others. But there are barriers that don't make this easy to do.' Gronberg
blames the laws that limit information sharing. 'We need to address this problem in Congress,' he says, 'but Congress moves extremely slowly. We need government and the private sector to work together better, faster and across more sectors.'

Others believe the relationship is a 'big brother-little brother' one, rather than a partnership of equals, adding 'in the US, we struggle with the idea of trusting government'.

Among the hottest cyber-security debates, says Hathaway, is the extent to which the US government is considering regulating industry. 'Industry is unhappy with regulation on a lot of levels,' says Hathaway, 'including costs.'

On the balance between security and privacy, she thinks the privacy advocates will win every time. 'But a lot more could be done to protect privacy while enhancing our security posture,' she says. 'They don't have to be opposing forces. They could work in tandem. This requires updating some of our laws, and having a robust dialogue about what needs to be overhauled when the threat and technology are constantly changing.'

Among interesting experiments at state level is that carried out by the public affairs firm Resolute Consulting, which set up a 12-member task force to look at what Illinois should do to protect its critical infrastructure from cyber-attack. 'Data in Illinois was all over the place, and we worked on how to secure networks and increase resiliency,' says Resolute Consulting Vice President Jake Braun. They hope to do similar work in other states.

The US is engaging primarily at a bilateral level, which is always easier than broader, multi-state international engagement, says Hathaway. 'But in order to make a difference, all countries have to take responsibility for what's happening in their own infrastructure, and the only way to achieve that is through international organisations. We have to agree in the G20, NATO and the UN about what is acceptable.'

'No one owns the internet,' another senior American says, 'not even
the US. As such, engaging in a hegemonistic relationship with another sovereign nation is not the way to go. We need to share our expertise with allies no matter what the issue, energy production, cyber-security or defence tactics, and that should go both ways. All boats float on a rising tide.'

INDICES AND GLOSSARIES

Cyber sources

Contributors to this report

Mohd Noor Amin is the Chairman of the International Multilateral Partnership Against Cyber Threats (IMPACT), a United Nations-backed public-private partnership. With 137 partner countries, IMPACT has become the largest cyber-security alliance of its kind.

Suleyman Anil is Head of Office at the NATO Computer Incident Response Capability Coordination Centre (NCIRC - CC). He has over 20 years' experience in information-security and cyber-security with NATO.

Frank Asbeck is Principal Counsellor for Security and Space Policy for the European External Action Service.

Ioannis G. Askoxylakis is Coordinator of FORTHcert in Greece that provides computer security incident response for the Foundation for Research and Technology - Hellas.

Victoria Baines is a strategic analyst for the European Police Office (Europol), where she is responsible for developing strategies to combat cybercrime.

Kamlesh Bajaj is CEO of the Data Security Council of India (DSCI) and was founding Director of the Indian Computer Emergency Response Team (CERT-In) at the Ministry of Communications and IT.

Judy Baker is Director of Cyber Security Challenge UK Ltd. Previously, she helped set up the UK Government's National Infrastructure Security Coordination Centre (NISCC) and the Centre for the Protection of National Infrastructure (CPNI).

Stewart Baker is a Partner at Steptoe & Johnson in the US. He served as Assistant Secretary for Policy at the Department of Homeland Security, with responsibility for international and policy issues relating to cyber-security, and as General Counsel of the National Security Agency.

Andrea Beccalli is an Associate Expert at the Information Society Division of UNESCO and has
extensive experience in the field of Information and Communication Technology (ICT) for development, international communication and information policies.

William Beer is a Director in PricewaterhouseCoopers' (PwC) Cyber and Information Security practice in London and works with clients to develop solutions for cyber-related matters combining computer forensics, data analysis, malware analysis, cyber-surveillance and crisis management.

Robert G. Bell is the Senior Civilian Representative of the US Secretary of Defense in Europe. He is responsible for planning, recommending, coordinating and monitoring Department of Defense (DoD) policies, programmes and initiatives throughout Europe.

Isaac Ben-Israel is Chairman of the Israel National Council for Research and Development and the Israel Space Agency. He led a team that submitted recommendations to the Israeli government on how to prepare for the threat of cyber-attack, and was the Senior Cyber-Security Advisor to the Israeli Prime Minister.

Gorazd Božič is the Head of the Academic and Research Network of (ARNES) CERT in Slovenia and a member of the ENISA management board.

Jake Braun is Executive Vice-President at Resolute Consulting in Chicago. His responsibilities include designing and implementing public affairs campaigns focusing on the firm's homeland and cyber-security practice.

Vytautas Butrimas is Chief Advisor for Cyber-Security at the Lithuanian Ministry of Defence, having worked in information technology and communications for over 20 years.

Oliver Caleff is CSIRT Manager at CERT-DEVOTEAM in France and is a senior security consultant with experience in IT and other fields of security.

Vladimir Chizhov is Permanent Representative of the Russian Federation to the EU. A former Deputy Minister of Foreign Affairs, he has extensive knowledge of cyber-security issues and their impact on international security.

Larry Collins is Vice-President for e-solutions at Zurich Financial Service where he develops and delivers on-line cyber risk prevention tools.

Richard Crowell is an Associate Professor of joint military operations at the
US Naval War College. Additionally, he serves as the College of Naval Warfare coordinator for contemporary operating environments.

Ed Dawson is Senior Advisor at the Information Security Institute at Queensland University, Australia. He has written more than 200 papers on cryptology and has been involved in projects related to secure electronic commerce and mobile communications.

Freddy Dezeure is Head of the Inter-institutional Computer Emergency Response Pre-Configuration Team for European Union institutions (CERT-EU).

Jean-Michel Doan is a cyber-crime analyst at Lexsi Innovative Security.

Roger Forsberg is Chief Information Security Officer for the Swedish Fortifications Agency under the Swedish Ministry of Finance. He is responsible for securing government-owned defence related buildings from cyber-threats.

Erik Frinking is Director of the Strategic Futures Programme at The Hague Centre for Strategic Studies (HCSS). He played an important role in the development and implementation of the Dutch National Security Strategy.

Nick Galletto is the National Leader for Information Technology Risk for Deloitte in Canada. He has over 20 years' experience in information technology, networking and systems management and the implementation of information technology solutions.

Sandro Gaycken is a researcher and professor of cyber-security at the Institute of Computer Science at the Freie Universität Berlin, Germany.

Thierry Gobillon is an Information Security Officer, Risk Management Compliance for ING bank in Brussels, Belgium. His role requires him to secure banking information from cyber-threats.

Janusz Górski is Professor of Software Engineering at the Faculty of Electronics, Telecommunications and Informatics at Gdansk University of Technology in Poland.

Peter Gridling is the Director of the Federal Agency for State Protection and Counter Terrorism in the Austrian Ministry of Interior.

Kevin Gronberg is Senior Council on cyber-security issues to the United States House of Representatives, committee on Homeland Security. He was the legal counsel
to DHS's US-CERT.

Timo Härkönen is Director of Government Security for the Office of the Prime Minister in Finland. His responsibilities include security planning, preparedness planning and crisis management at government level.

Melissa Hathaway is President of Hathaway Global Strategies, an independent consultancy based in the US. She served in the Obama Administration as Acting Senior Director for Cyberspace at the National Security Council and led the Cyberspace Policy Review.

Jun Inoue is First Secretary and Telecom Attaché at the Mission of Japan to the EU.

Timothy Jordan is a Senior Lecturer at King's College University in London. His areas of expertise include internet studies, hacking and hacktivism.

Vitaly Kamluk is chief malware expert at Kaspersky Labs in Russia and specialises in threats to global network infrastructures, malware reverse engineering and cyber-crime investigations.

Alexander Klimburg is a Fellow and Senior Advisor at the Austrian Institute of International Affairs. He has published widely on the subject of national cyber-security and is the principal author of a commissioned study to the European Parliament entitled 'Cyber-power and Cyber-security'.

Robert F.
Lentz is President and CEO of Cyber Security Strategies, LLC and former Deputy Assistant Secretary of Defense for Cyber, Identity and Information Assurance (CIIA) in the Office of the Assistant Secretary of Defense, Networks and Information Integration/Chief Information Officer.

James Lewis is a Senior Fellow and Director of the Technology and Public Policy Programme at CSIS, where he focuses on national security and the international economy.

Herbert Lin is chief scientist at the Computer Science and Telecommunications Board of the National Research Council (NRC) of the National Academies in the US. He has directed several studies on cyber-security issues.

Helena Lindberg is Director General of the Swedish Civil Contingencies Agency and is responsible for unifying, coordinating, and supporting tasks in preparation for, during and after emergencies, including those related to cyber-security.

Jesus Luna is a researcher for The Deeds group in Germany. His areas of expertise include security metrics, cloud and grid security, botnet mitigation, security and privacy.

Alastair MacWillson is Global Managing Director of Accenture's Global Security practice. He has been adviser to a number of governments on technology strategy, critical infrastructure protection, cyber-security and counter-terrorism.

Raphael Mandarino Jr. is Director of the Institutional Security Cabinet for the Department of Information Security and Communications in Brazil. He has extensive experience in the coordination efforts of national CSIRT and their law enforcement agencies.

Dave Marcus is Director of Security Research for McAfee Labs. He has extensive experience in network solutions and IT security, with a focus on advanced intelligence gathering, digital forensics, intrusion detection and prevention, and network and host analysis.

Marina Martinez-Garcia is Programme Officer at the Centre for Industrial Technological Development (CDTI) in Spain and is responsible for fostering Spanish science and technology participation and assistance at the EU level.

John I.
Meakin is Director of Digital Security and CISO of BP. He is a specialist in information systems security with more than 20 years' experience.

Lars Nicander is Director of the Centre for Asymmetric Threat and Terrorism Studies (CATS) at the Swedish National Defence College (SNDC).

Satoshi Noritake is the Senior Manager, Certified Information Systems Security Professional (CISSP) for NTT Communications Corporation.

Andres Ortega is the former Director General of the Department of Analysis and Research in the Spanish Prime Minister's Office. He was responsible for analysing information on cyber-security threats.

Evangelos Ouzounis is Head of Resilience and Critical Information Infrastructure Protection Unit of ENISA.

Patrick Pailloux is Director General of France's Network and Information Security Agency (ANSSI). He is responsible for all matters related to cyber-security in the French government.

Fred Piper was the founding Director of the Royal Holloway Information Security group, a member of the permanent stakeholder group at ENISA and a member of the International Advisory Board of the International Multilateral Partnership Against Cyber Threats (IMPACT).

Elly Plooij-Van Gorsel is a member of the International Advisory Council (AIV) where she advises the Dutch government and parliament on foreign affairs and defence including cyber-security.

Jaan Priisalu is the Director General of the Estonian Information Systems Authority and was head of IT Risk Management at Swedbank. His responsibilities include the oversight and protection of Estonia's critical public and private information systems.

Steve Purser is Head of ENISA's Technical Competence Department where he is responsible for agreeing the annual work programme with stakeholders and ensuring that this work programme is successfully implemented.

Gerrard Quille is a foreign, security and defence expert at the Directorate-General for External Policies of the European Parliament. He has been involved in various projects relating to cyber-security.

Costin Raiu is Director for Global Research and Analysis at Kaspersky Lab and specialises in malicious
websites, browser security and exploits, e-banking malware, enterprise-level security and Web 2.0 threats.

Christopher Richardson is a research engineer and lecturer at the Ministry of Defence College in the UK. He focuses on information risk management and network security management in the military and NATO and is developing system and traffic analysis and simulation of MoD deployed CIS.

Rafal Rohozinski is the founder and CEO of the SecDev Group and Psiphon Inc. He is also a Senior Fellow at the Munk School of Global Affairs of the University of Toronto. His work in information security spans two decades and 37 countries, including conflict zones.

Alexey Salnikov is Vice-Director Institute of Information Security at Lomonosov Moscow University. He specialises in discrete mathematics, cyber-terrorism, political and humanitarian issues of information security and international cyber-policy.

Cherian Samuel is Associate Fellow at the Institute for Defence Studies and Analyses in India. He is an expert in Indo-US relations and has written on Indian cyber-security and Indo-US cooperation on cyber-security issues.

Emillo Sanchez De Rojas is Head of Department of Strategy and International Relations at the Centre for National Defence Studies in Spain where he also advises on cyber-security policy and strategy.

Felix Sans Roldan is Director of the National Intelligence Centre in Spain. He is also responsible for the National Cryptological Centre and oversees Spanish cyber-intelligence and defence.

Phyllis Schneck is Vice-President and Chief Technology Officer, Global Public Sector at McAfee.

Tim Scully is CEO of Stratsec and Head of Cyber Security at BAE Systems Australia. He has extensive experience building and leading intelligence and security capabilities and teams in the Department of Defence.

Andrea Servida is Deputy Head of Unit for Internet, Network and Information Security in the Directorate-General for Information Society and Media of the European Commission.

Jamie Shea is the Deputy Assistant Secretary General for Emerging Security
Challenges at NATO.

Aurel Sima is a Security Auditor for Genos Consulting in Romania and is responsible for securing data centres and databases and providing security training to clients.

Bart Smedt is a Research Fellow at the Belgian Royal Higher Institute for Defence. His areas of expertise cover proliferation issues, critical infrastructure protection, cyber-defence and emergency planning.

Peter Sommer is a reader at the UK's Open University and a former Visiting Professor at the London School of Economics specialised in computer security and cyber-threats.

Tim Stapleton is Assistant Vice-President and Professional Liability Product Manager for Zurich North America.

Ilmar Tamm is Director of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn.

Brooks Tigner is the Editor of Security Europe in Brussels. He has reported on security and defence issues across Europe for many years.

Heli Tiirma-Klaar is Senior Advisor to the Undersecretary of Defence in Estonia. She led the working group that developed the Estonian Cyber-security Strategy in 2008.

Hamadoun Touré is Secretary General of the International Telecommunication Union (ITU).

Stefano Trumpy is Research Manager at the Institute for Informatics and Telematics of the Italian National Research Council and the Italian delegate in the Governmental Advisory Committee (GAC) of the Internet Corporation for Assigned Names and Numbers (ICANN).

Jüri Vain is Director of the Department of Computer Science at Tallinn University of Technology. His main areas of expertise are deductive verification, model-based testing and model checking.

Wouter Vlegels is Critical Information Infrastructure Protection expert at ENISA and has a particular interest in the interrelationships and information sharing between NATO, the national authorities in the capitals of member nations and the EU.

Florian Walther is a senior IT security consultant at Curesec consulting in Germany. He is an active member of the German hacker community and has spoken at the Chaos Computer Congress, SigInt and ph-neutral.

Peiran Wang is a PhD Candidate at East
China Normal University's School of Advanced International and Area Studies and a visiting researcher at the Vrije Universiteit Brussels (VUB). His areas of research include international security and cyber-security.

Christian Wernberg-Tougaard is a member of the Information Security Advisory Board at the Ministry of Science, Technology and Innovation in Denmark and a member of ENISA Permanent Stakeholders Group. He provides advice on information security to the Danish government.

Suguru Yamaguchi is a Professor at the Graduate School of Information Science at Nara Institute of Science and Technology in Japan and a former Advisor on Information Security to the Cabinet of the government.

Takeo Yoshida is the Deputy director of the Ministry of Internal affairs and Communications (MIC) in Japan. He is responsible for advising and formulating policy and strategy on Japan's cyber-defence and cyber-security protocols.

Glossary of organisations

Asia-Pacific Economic Cooperation (APEC) - Telecommunications and Information Working Group (TEL)
Where: Singapore
Funding: Member economies: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, Philippines, Singapore, Russia, Taiwan, Thailand, US, Vietnam
Mission: APEC's TEL aims to improve telecommunications and information infrastructure in the Asia-Pacific region by developing and implementing telecommunications and information policies. The four subgroups within TEL are the Security and Prosperity Steering Group (SPSG), the ICT Development Steering Group (ICTDSG), APEC-TEL MRA and the Liberalisation Steering Group. The SPSG and ICTDSG are of particular importance to cyber-security in Asia. The SPSG's responsibilities include cyber-crime prevention and promoting security and trust in networks, e-commerce and infrastructures. ICTDSG promotes ICT applications to socio-economic developments such as smart grids, crisis management and advanced technologies.
Website:
http://www.apec.org/Groups/SOM-Steering-Committee-on-Economic-and-Technical-Cooperation/Working-Groups/Telecommunications-and-Information.aspx
Email: info@apec.org

Association of South East Asian Nations (ASEAN) - Telecommunication and IT (TELMIN)
Where: Jakarta, Indonesia
Funding: Member economies: Brunei, Cambodia, Indonesia, Laos, Malaysia, Philippines, Singapore, Thailand, Vietnam
Mission: TELMIN is a sub-grouping of ASEAN. Its mission is to develop a common framework to coordinate exchange of information, establishment of standards and cooperation among enforcement agencies. Part of the TELMIN annual programme includes sessions with the ASEAN Dialogue Partners on a Plus Three basis (with the People's Republic of China, Japan and the Republic of Korea) and a Plus One basis (with India). TELMIN also engages with the telecommunications and IT industry players in ASEAN through the e-ASEAN Business Council comprising representatives of the private sector from all ASEAN member countries.
Website: http://www.aseansec.org/19594.htm

Council of Europe
Where: Strasbourg, France
Funding: Its 47 member states
Mission: The Council of Europe provides three mechanisms: 1) 'Cooperation against cyber-crime', which aims to establish a global framework for efficient cooperation against cyber-crime, 2) the 'Cybercrime Convention Committee', which supports the strengthening of legislation and capacity building, and 3) the 'Contact points for police and judicial cooperation', which facilitates the implementation of the Budapest Convention on Cyber-crime.
Website: http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Default_en.asp
Email: cybercrime@coe.int

Commonwealth Telecommunications Organisation (CTO)
Where: London, United Kingdom
Funding: Members of the Commonwealth of Nations
Mission: The CTO is an international development partnership between the Commonwealth and non-Commonwealth governments, business and civil society organisations. It promotes social and economic development in the Commonwealth and beyond, helping to bridge the digital divide by facilitating the development of
telecommunications among developing member states and to achieve the Millennium Development Goals for ICT.
Website: http://www.cto.int/
Email: info@cto.int

European Network and Information Security Agency (ENISA)
Where: Crete, Greece
Funding: European Union and third countries
Mission: ENISA is the European Union's cyber-security agency and centre of expertise. Its responsibilities include ensuring the smooth functioning of the Internal Market, and improving the daily lives of the citizens and business, using broadband, online banking, e-commerce and mobile phones. ENISA aims to achieve a high and effective level of Network and Information Security within the EU, to assist the European Commission, member states and businesses to respond to and prevent security problems, and to assist in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security.
Website: http://www.enisa.europa.eu/

European Commission
Where: Brussels, Belgium
Funding: EU member states
Mission: In 2010, the European Commission put forward a proposal for a Directive on attacks against information systems. Its main novelty is the criminalisation of the use, production and sale of tools to effect attacks against information systems. In line with the Internal Security Strategy, the Commission will be setting up a European Cyber-crime Centre by 2013. The Commission has also stepped up dialogue with the private sector, which controls a large part of information infrastructures.
Websites: http://ec.europa.eu/dgs/home-affairs/ and http://ec.europa.eu/dgs/information_society/index_en.htm

European Police Office (EUROPOL)
Where: The Hague, the Netherlands
Funding: EU member states
Mission: As the EU's law enforcement agency it is Europol's responsibility to assist member states in the fight against international crime. Europol deals with the forensics and investigation of online crimes and has produced a threat assessment on internet facilitated organised crime (iOCTA) to contribute to the strategic planning
for a European cyber-crime centre in 2012. Europol encourages international strategic and operational partnerships with the private sector and academia, raising awareness and points of contact and supports the use of crowd sourcing to gather intelligence on cyber-crime from internet users.
Website: www.europol.europa.eu

Forum of Incident Response and Security Teams (FIRST)
Where: Morrisville, North Carolina, US (Secretariat)
Funding: Member CERTs
Mission: The Forum of Incident Response and Security Teams (FIRST) brings together security and incident response teams, including special product security teams from the government, commercial and academic sectors.
Website: http://www.first.org/
Email: first-sec@first.org

G8 Subgroup on high-tech crime
Funding: G8 member states
Mission: The G8's Subgroup on High-Tech Crime was started to enhance the abilities of G8 countries to prevent, investigate and prosecute crimes involving computers, networked communications and other new technologies. Over time, that mission has expanded to include work with third countries on such topics as combating terrorist uses of the internet and protection of critical information infrastructures. Countries are represented in the subgroup by multi-disciplinary delegations that include cyber-crime investigators and prosecutors, and experts on legal systems, forensic analysis and international cooperation agreements.

Internet Corporation for Assigned Names and Numbers (ICANN)
Where: Marina del Rey, California, US
Funding: Not-for-profit public-benefit corporation with participants from all over the world
Mission: The Internet Corporation for Assigned Names and Numbers (ICANN) Security and Stability Advisory Committee (SSAC) advises the ICANN community and Board on matters relating to the security and integrity of the internet's naming and address allocation systems. This includes operational matters, administrative matters, and registration matters. SSAC engages in ongoing threat assessment and risk analysis of the internet naming and address allocation services to assess where
the principal threats to stability and security lie, and advises the ICANN community accordingly.
Website: http://www.icann.org/

International Multilateral Partnership Against Cyber Threats (IMPACT)
Where: Cyberjaya, Malaysia
Funding: Not-for-profit comprehensive global public-private partnership
Mission: IMPACT is the cyber-security executing arm of the United Nations' specialised agency - the International Telecommunication Union (ITU). As the world's first comprehensive alliance against cyber-threats, IMPACT brings together governments, academia and industry experts to enhance the global community's capabilities in dealing with cyber-threats.
Website: http://www.impact-alliance.org/home/index.html
Email: contactus@impact-alliance.org

Interpol
Where: Lyons, France
Funding: EU member states
Mission: Interpol's mission is to connect law enforcement in all member states and provide them with means to share crucial information. Interpol assists countries in the event of a cyber-attack and helps identify emerging threats and responses.
Website: http://www.interpol.int/en

International Telecommunications Union (ITU)
Where: Geneva, Switzerland
Funding: UN member states, and over 700 private companies and leading academic institutions
Mission: The ITU is the UN agency for information and communication technologies (ICT). Its responsibilities include allocating global radio and satellite orbits, developing technical standards and ensuring that technologies interconnect and improve ICT worldwide. ITU supports efforts to protect ICTs from cyber-threats. The ITU has also set up the Global Cyber-Security Agenda (GCA), a framework for international cooperation aimed at enhancing confidence and security in the information society. The GCA is designed for cooperation and efficiency, encouraging collaboration with and between all relevant partners and building on existing initiatives to avoid duplicating efforts.
Website: http://www.itu.int/en/Pages/default.aspx
Email: itumail@itu.int

NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)
Where:
Tallinn, Estonia
Funding: NATO member states
Mission: The NATO CCDCOE was established to enhance capability, cooperation and information sharing among NATO, its members and partners in cyber-defence through education, research and development, lessons learned and consultation. Its aim is to be the main source of expertise in the field of cooperative cyber-defence by accumulating and disseminating knowledge. Its main areas of research include the legal and policy fields, concepts and strategy, tactical environment and critical Information Infrastructure Protection. The centre also develops a wide range of products and services for NATO.
Website: http://www.ccdcoe.org/
Email: ccdcoe@ccdcoe.org

NATO Communication and Information Systems Services Agency (NCSA)
Where: SHAPE, Belgium
Funding: NATO member states
Mission: NCSA is a service provider to NATO and its national customers. Wherever NATO deploys on operations or exercises, NCSA is there, providing communication and information systems (CIS) services in support of the mission. NCSA is NATO's first line of defence against cyber-terrorism and encompasses NATO Information Assurance Technical Centre (NIATC) and NATO Computer Incident Response Capability (NCIRC). NCIRC provides NATO with a range of highly specialised computer services, including incident detection, response and recovery that help ensure the security of NATO CIS. These services are delivered across the whole of the NATO CIS landscape, encompassing both operational and peacetime locations.
Website: http://www.ncsa.nato.int/
Email: ncsapao@ncsa.nato.int

Organisation of American States (OAS)
Where: Washington DC, USA
Funding: Its 35 member states
Mission: The Inter-American Cooperation Portal on Cyber-Crime and the Working Group are two of the major outcomes of the process of Meetings of Ministers of Justice or Other Ministers or Attorneys General of the Americas (REMJA) aimed at strengthening hemispheric cooperation in the investigation and prosecution of cyber-crimes.
Website: http://www.oas.org/en/

Organisation for Economic Co-operation and Development
(OECD)
Where: Paris, France
Funding: Its 34 member states and partner organisations
Mission: The OECD promotes policies to improve the economic and social conditions of people around the world. It provides a forum for governments to seek solutions to issues including cyber-security. It aims to secure privacy and data protection and launched an anti-spam toolkit for actors to better orientate their policies towards protecting against spam.
Website: http://www.oecd.org/

Organisation for Security and Co-operation in Europe (OSCE)
Where: Vienna, Austria
Funding: Its 56 member states and partner organisations
Mission: The OSCE seeks to promote the rule of law, inter alia by training of judges, prosecutors, lawyers, police and correctional officers, as well as through projects on criminal justice reform and legislative review, seeking to bring domestic laws in line with OSCE commitments and other recognised international standards, including those related to cyber-security.
Website: http://www.osce.org/
Email: info@osce.org

United Nations Interregional Crime and Justice Research Institute (UNICRI)
Where: Turin, Italy
Funding: UN
Mission: UNICRI is a UN entity mandated to assist intergovernmental, governmental and non-governmental organisations in formulating and implementing improved policies in the field of crime prevention and criminal justice. It aims to share and apply knowledge to assist governments to prevent and deal with cyber-crime.
Website: http://www.unicri.it/
Email: information@unicri.it

Glossary of companies

Accenture is the largest management consulting company in the world. Accenture Cyber Security Solutions offers cross-functional cyber-security programmes to secure vital IT-infrastructure.

BAE Systems is a British multinational defence, security and aerospace company headquartered in London. It is among the world's largest military contractors, and has extensive experience in the research and development of innovative computer network operations technologies.

BP is the third largest energy company in
the world and is involved in oil, gas, petrochemicals, power generation and renewable energy.

Curesec is an IT security consulting company based in Berlin, Germany.

Deloitte Touche Tohmatsu is one of the largest accountancy and professional services companies in the world. Deloitte's Global Public Sector group is also working in the field of cyber-security.

DEVOTEAM is an international information and communication technology consulting company headquartered in Brussels.

Hathaway Global Strategies is an independent security consulting company.

ING is a global financial institution involved in retail and investment banking and insurance services. It is therefore exposed to cyber-attacks and runs a big IT-security division.

Kaspersky Lab is a Russian computer security company. In addition to consumer products, Kaspersky Lab offers security applications designed for small business corporations and large enterprises.

Lexsi innovative security is an international information security consultancy company specialised in protecting information assets, strongly driven towards innovation and headquartered in France.

McAfee is a computer security company headquartered in Santa Clara, USA. It markets software and services to home users, businesses and the public sector.

NTT Communications is a subsidiary of Nippon Telegraph and Telephone (NTT) Corporation, one of the largest telecommunications companies in the world.

PwC is one of the world's largest professional services firms. Within its forensic services, PwC also works with clients to develop creative approaches to complex cyber-related matters.

Resolute Consulting is an American consulting company.

Security Europe is an information service specialised in EU civil security issues. As such, it also reports on developments in the EU cyber governance.

Genos Consulting is a Romanian information security consultancy firm.

Steptoe & Johnson is an international law firm. Cyber-security is one of its focus areas.

Stratsec, a subsidiary of BAE Systems, is an information security consultancy company based in Australia and South East Asia.

The SecDev
Group is a Canadian company that provides consultancy services and conducts not-for-profit research in global security and violence. It equally undertakes research and consultancy on cyber-security.

Zurich is a financial services company focused primarily on insurance, also offering services in IT-security.

About the SDA

The SDA this year celebrates its 10th anniversary as the leading Brussels-based think-tank on security and defence issues. The SDA remains the only forum to bring together top representatives from across nations, institutions and sectors to discuss pressing global challenges, reaching both public and private sector decision-makers to make a real difference.

The SDA raises awareness and anticipates the political agenda through international conferences, roundtables, evening debates, policymakers' dinners, studies and discussion papers. Visit www.securitydefenceagenda.org to download our publications and find out more about our activities.

SDA Co-Presidents: Jaap de Hoop Scheffer, former Secretary General of NATO, and Javier Solana, former EU High Representative for Common Foreign and Security Policy.

If current trends in the decline of European defence capabilities are not halted and reversed, many US policymakers may not consider the return on America's investment in NATO worth the cost.
Robert Gates, then US Defense Secretary, 10 June 2011

We must be careful not to allow the capability gap to become the credibility gap.
Anders Fogh Rasmussen, NATO Secretary General, 21 June 2010

Cyber-security initiative

As cyber-attacks continue to make daily headlines, the SDA has launched an ambitious cyber-security initiative. Encompassing reports, debates, and a strong online presence, this programme aims to bring coherence to the global cyber-debate, to separate fact from hype and make sense of the myriad actors in the field. The initiative ensures that all key stakeholders are heard in a balanced discussion, and that output reaches the key decision-makers.

This is a battle we may not win.
We need to act and to protect as quickly as possible Cecilia Malmstrm, European Home Affairs Commissioner 9 November 2011 Cyber has redened the front lines of national security. Just as our air and missile defences are linked, so too do our cyber defence networks need to be. William J. Lynn, III, then US Deputy Secretary of Defense 15 September 2010 \isit the cyber-sec.rity vebsite at vvvsec.ritydeenceagendacrg cr the rest c the years prcgramme, videc intervievs, backgrc.nd dcc.ments, and SLl repcrts cn cyber-sec.rity 104 Security jam The SLl ccnstanty inncvates tc p.sh the debate .rther n 20!0, it crganised the rst ever gcba sec.rity brainstcrming, the Sec.rity am, vhich brc.ght tcgether cver 4,000 pecpe rcm !24 cc.ntries cr a S-day disc.ssicn The repcrt vas presented tc NlTC Secretary Cenera Anders Fogh Rasmussen, Madeleine Albright and her grc.p c experts vcrking cn NlTCs Strategic Ccncept, and Felipe Gonzalez and his grc.p c h.rcpean visemen Cn March !9-23 20!2, the SLl and EM vi partner vith NlTC lCT, the h.rcpean hxterna lcticn Service, the h.rcpean Ccmmissicn, hUCCM and the US Missicn tc NlTC tc bring tcgether thc.sands c gcba sec.rity stakehcders hepresentatives c naticna gcvernments and armed crces, internaticna instit.ticns, NCCs, think-tanks, ind.stry and the media vi .se this .niq.e cppcrt.nity tc ccectivey dene the sc.ticns tc pressing sec.rity iss.es The mcst inncvative reccmmendaticns vi be presented tc the NlTC and hU eaderships ahead c the May 20!2 Chicagc s.mmits cg cn tc vvvsec.rityjamcrg tc register cr this .niq.e event VIP Jammers in 2010 included Adm. James Stavridis, Supreme Allied Commander Europe, NATO Anne-Marie Slaughter, Former Director of Policy Planning, US Department of State Alain Hubert, Explorer, International Polar Foundation Gen. 
Stphane Abrial, Supreme Allied Commander Transformation, NATO Josette Sheeran, Executive Director of the World Food Programme Carl Bildt, Minister for Foreign Affairs of Sweden A Security & Defence Agenda report Author: Brigid Grauman Publisher: Geert Cami Date of publication: February 2012 The views expressed in this report are the personal opinions of individuals and do not necessarily represent the views of the Security & Defence Agenda, its members or partners. Reproduction of this report, in whole or in part, is permitted providing that full attribution is made to the author, the Security & Defence Agenda and to the source(s) in question, and provided that any such reproduction, whether in full or in part, is not sold unless incorporated in other works. About the report This report is published as part of the Security & Defence Agenda's (SDA) cyber-security initiative. It is intended as a snapshot of current thinking around the world on the policy issues still to be resolved, and will form the basis of SDA debates and future research during 2012. About the SDA The SDA is Brussels only specialist security and defence think-tank. It is wholly independent and this year celebrates its 10 th anniversary. About the author Brigid Grauman is an independent Brussels-based journalist whose work appears widely in international media like the Financial Times and The Wall Street Journal. Shes currently engaged on a number of projects for institutions, including the European Commission. 
Report advisory board
Jeff Moss, Vice-president and Chief Security Officer at ICANN and founder of the Black Hat and DEF CON computer hacker conferences
Reinhard Priebe, Director for Internal Security, Directorate General for Home Affairs, European Commission
Andrea Servida, Deputy Head of the Internet, Network and Information Security Unit, Information Society and Media Directorate General, European Commission
Jamie Shea, Deputy Assistant Secretary General for Emerging Security Challenges at NATO
Brooks Tigner, Editor and Chief Policy Analyst at Security Europe

My thanks to all those who contributed to this report, both those I have quoted and those I have not. Special thanks to Melissa Hathaway and Jamie Shea for their helpful comments on my draft text, to McAfee's Dave Marcus, Phyllis Schneck and Sal Viveros, and to the SDA's Pauline Massart and Igor Garcia-Tapia.

SECURITY & DEFENCE AGENDA
Bibliothèque Solvay, Parc Léopold, 137 rue Belliard, B-1040, Brussels, Belgium
T: +32 (0)2 737 91 48
F: +32 (0)2 736 32 16
E: info@securitydefenceagenda.org
W: www.securitydefenceagenda.org