This paper by the Geneva Centre for the Democratic Control of Armed Forces (DCAF) was just brought to my attention. A piece of work that is definitely worth reading through. It lays out the problem space and then does a deep dive into the different sections:
- Governments
- Legislative Bodies
- The Armed Forces
- Law Enforcement
- Judges and Prosecutors
- The End User
- The Private Sector
- The IT Sector
- Banks and Financial Services
- Critical National Infrastructure
- WikiLeaks
The interesting one is the last one – a whole chapter on WikiLeaks.
The paper is very well structured and always gives a structured view of the different challenges. If I had to pick a few of them, these would be my highlights:
From a strategic challenge perspective:
- The threats to cyber security are the greatest national and economic security threats states face. Cyber security will evolve into a key challenge, economically, politically, socially, and militarily. Yet it remains the least understood and most underestimated threat.
- The very complexity of the threat deters a full understanding of its implications and hinders a comprehensive debate on the strategic responses needed.
I recently had a discussion with a government and everybody was talking about “Cyber” and “Cybersecurity”. Have you ever dared to ask what Cyber means to them? It is the number one theme and the number one theme people do not understand. Especially for politicians it is far away from their world, as the theme we are talking about is hard to grasp even for specialists.
Challenges for governments:
Of particular concern, are the often meagre resources available in developing countries, least developed countries and failed states to establish and implement an effective cyber-security regime. Without the participation of all countries, the overall system remains vulnerable to attack. International cooperation is hampered by these large discrepancies between national cyber capabilities.
[…]
With few exceptions, governmental responses to the threats and risks of cyberspace have taken two tracks: legal and organisational. Neither has been very well unified or coherent, rather, they have been more organic in their development and, consequently, less cohesive than one would wish. A lack of leadership, organisational stability and expertise are the main factors limiting the capacity to respond.
It sometimes really makes me feel sad, seeing different organizations within governments fighting each other for the leadership in Cyber. Even worse: We see this within international bodies as well. Guess who wins: The Criminals.
We simply have neither the resources nor the energy to afford this. Microsoft wants to collaborate with and support organizations which drive a cybersecurity agenda, but we cannot afford (we simply do not have the people) to help a lot of organizations which fight each other.
If you are out there from a government or an international organization, you should definitely think about this! This is your responsibility. Ours is to provide our help.
Challenges for legislative bodies:
- The technical complexity of the issue, which surpasses the professional experience of most members of parliament and requires highly specialized staffers that few parliaments can afford.
- The fact that cyber security is a cross-cutting issue, which cannot easily be fitted into existing committee structures. To put it simply: Who is in charge – the armed forces committee or the security committee? Justice, police, or the committee for homeland security? Telecommunications? Or all of them? And what role is there for Foreign Affairs?
Governments, have you read the point above? We need to fix this and we need to fix this now as…
- Cyber security is addressed, fully or partially, by many countries through their military and/or intelligence structures—i.e. through agencies that are, by their very nature, more exclusive and nontransparent.
Another challenge, which goes in the same direction: A lot of governments fear collaboration with the private sector. Sometimes I hear statements like “we cannot work with you too closely because it would be politically incorrect if Microsoft helps us too far with our Cybersecurity strategy” – these are statements from people who listened to us and understood the value we can bring to the table (not selling products, fixing problems). Still, this fear blocks creative solutions between the public and the private sector.
There are good examples where this works, but unfortunately there are not too many because of this fear. Interestingly enough, it often works better in developing countries than in developed ones – and again there are exceptions to the rule.
Challenges for the armed forces:
That’s a hard one as Cyberwar completely changes the world of the armed forces. One is:
- The military has become completely dependent on cyberspace for its activities. Any threat in the cyber domain is of fundamental consequence for the armed forces.
They have to rely on the critical infrastructure but are often not part of the government’s CIP program.
- The traditional conservatism of the military is a hindrance (historical examples include the difficulties that militaries have had with the introduction of the machine gun, the dreadnought, the tank, or aircraft carrier). There is some truth in the saying that the military always tends to prepare for the last war.
I am seeing some good initiatives from people who understand that they are challenged. This then comes back to the collaboration between private and public sector. Those of us from the private sector, let’s help these people to move forward in their defensive capabilities. At least we will not engage in offense.
and finally:
- Cyberspace presents the military with questions for which there are not only no answers, but for which we might not even have understood the questions yet.
Well and we did not touch on the Cloud yet as it is worse there…
Challenges for law enforcement:
This is kind of a pet theme for me, especially when it comes to international collaboration and international harmonization of laws. The paper raises similar challenges:
- While Internet criminality is international in nature, cyber crime legislation varies from country to country.
[…]
- A country is, under international law, not responsible for the cyber activities of its citizens, even if those activities constitute de facto the equivalent of an act of war against another country. The situation invites cyber ambitious countries to hide their own cyber activities behind the cover of allegedly anonymous hackers or hacktivists.
This is actually an interesting approach and could solve the attestation problem. If a country can be held accountable internationally for not reacting to an attack which originates from within its borders, this might significantly change the way governments treat such attacks, as nobody can hide behind an activity which is then concealed as a private activist group exercising the activity.
Challenges for judges and prosecutors:
In my experience, we have a significant knowledge problem with judges and prosecutors. Having digital evidence in court is in a lot of countries a real challenge as it always comes down to experts testifying.
Judges, prosecutors and law enforcement agencies often lack sufficient knowledge to effectively bring cyber criminals to justice. More must be done in training and education to ensure that these officials have the knowledge, skills, and capacity to properly fight cyber crime and to make their charges stick.
Private Sector:
The private sector is not much better, though:
If the government response to cyber security can be characterized as ad hoc, the private sector response to cyber security can best be characterised as unstructured.
And I do not think that they are wrong.
The IT Sector
The quality of software also needs to improve. Much attention has been on operating system security, but the target has now moved to the application layer, which has had insufficient security focus. Beyond the application layer, lower level software such as firmware is poised to be the next target of attack. There has been little to no attention aimed at reducing the vulnerabilities in this space, which must change.
There are different things we are working on but basically our Security Development Lifecycle is a sound, proven and I would even say auditable basis to go forward. The challenge here will be that you find many more application providers than Operating System Manufacturers.
Banks and Financial Services
What is interesting is that they are separating banks and the IT sector from the Critical Infrastructure, which in my opinion you cannot do. They/we are a key part of it – and especially the banks showed it during the crisis.
- Due to the massive amount of money being transferred electronically around the globe every second, financially motivated cyber criminality is on the rise.
- The situation is rendered even more attractive for criminals by the fact that banks, more often than not, do not report successful attacks.
The last point is a call I make often to the banks but at the end of the day to everybody: We have to start to report attacks to the police. Otherwise, it is the Wild West out there. The problem currently is that we have a legal system, which works, we have Law Enforcement in a lot of countries doing a great job fighting cybercrime – often focused on child porn, which is great – but attacks on our infrastructures are not followed through as they are not reported. A fairly safe bet for the criminals.
Critical National Infrastructure
That’s a really complex thing and a lot of governments struggle with this. In my opinion for different reasons:
- Constantly changing governments make it hard to build trust between the private and the public sector
- Often the focus of governments is providing the key infrastructure like roads, power, internet but protection comes, once it is here
- Partly this is a cultural thing as well, as it depends to a certain point on the way the government and the society are structured. How trustworthy is the government from a citizen perspective? How far is the government willing to work with the private sector in a trusted way, or how far is the government in a position to invest a lot of money to build the competency on its own? Even in Western Europe, where such initiatives grew already fairly far, there are a lot of different models in place already and you see that societies with similar cultures (e.g. Switzerland and The Netherlands) come up with fairly similar approaches, whereas different cultures (Switzerland and Germany) come up with fundamentally different ways of tackling the challenge.
What does the paper see as the big challenges? Here you go:
- The protection of CNI, has been recognized by most countries, as a priority. This basic awareness alone does, however, not translate into effective mechanisms for actual protection.
[…]
- To create a genuine private public partnership in protection of CNI, the private sector would have to perceive a clear-cut, measurable advantage in reporting to law enforcement agencies, and to subsequently develop together with them a coherent defensive system. Currently, it does not.
[…]
- The problem is exacerbated by the fact that, as examples prove, cyber malware has already been planted into some of the world’s critical infrastructure systems. The corresponding need to develop intelligent systems able to check automatically and regularly for the presence of highly sophisticated malware, is only about to be understood. It will be a costly enterprise in the best of circumstances and likely to be unevenly applied, thus reducing the eventual positive effects of select countermeasures for the overall system of interlinked critical infrastructures.
- Comprehensively coherent and harmonized national approaches are indispensable in this domain; without international coordination no progress will be possible.
It is so obvious but so hard to achieve: International cooperation is key (and this means e.g. outside the EU as well) and one cannot address CIP without the private sector (which kind of runs the critical infrastructure…)
WikiLeaks
The final chapter, which comes back to ethics and freedom of speech. My position is clear here: “Freedom of speech” does not mean you can say everything!
Finally, what I really like about this paper is that it comes to the point and states what they think the response could be:
Not surprisingly, they start with the Public Private Partnership. Now, I stopped using this term, simply because it is often loaded with formal contracts and MoUs etc. What I think we need is a collaboration/cooperation between the sectors, where the public sector has to learn as well that collaboration with governments should not be to the disadvantage of the companies doing it. E.g. if we spend a lot of time and money working with the governments to pave the way for the industry, this is very good, but we have the investment and the competition has the benefit. At least the public acknowledgment of such a collaboration, which happens sometimes, helps.
Where is the challenge we need to overcome? Well….
- The private sector is understandably reluctant to share sensitive proprietary information about intrusions, actual damage, theft and crime, as well as prevention practices, with either government agencies or competitors because information sharing is a risky proposition with less than clear benefits. No company wants information to surface that they have given in confidence, since such an event could jeopardize their market position, customer base or capital investments.
- Nor would private companies risk voluntarily opening themselves up to costly and time-consuming litigation. Industry fears that breaches on innocent customers might inadvertently occur during investigations. Negative publicity or exposure as a result of reports of information infrastructure violations could lead to threats to investor and consumer confidence in a company’s products. Moreover, companies fear revealing trade secrets to competitors, and hence are reluctant to share proprietary information. They also fear that sharing this information with government may lead to increased regulation of the industry or of e-commerce in general.
[…]
- On the other hand, many private sector mechanisms for information sharing already exist without the need for government intervention. For example, both the “white-hat hacker” and the security researcher community provide a valuable private sector service. They are active information sharers which head off a vast number of attacks and identify vulnerabilities before harm occurs. Particularly on the technical level, information sharing about vulnerabilities and remediation happens routinely in the private sector. This is not because of a mandate from government. Rather the impulse to share is based on a well-grounded exchange of network-protective information done by engineers of, for example, the major telecom companies. And if the government wants to join in the sharing, they would be welcome—that is, if they bring added value to the arrangement.
- There is an urgent need for active, robust, and credible liaison of government with the private sector. Government agencies have to respect the confidentiality as well as the value of the information and secrets that the private sector may give them to do their job. In order to do the job on both sides, real-time feedback on information sharing is essential. All partners engaged in ensuring IT security will not share information unless they have a high degree of confidence that this information will be protected from disclosure. Hence, all partners must take steps to protect sensitive data as a precursor to information sharing. Only then will it be possible to form trusted relationships and begin data sharing. Similar principles apply to information sharing between governments and international organisations.
I think that governments have to learn in the cyberspace that a partnership is not unilateral only. It should work both ways. I often see governments talking about partnerships but meaning us sharing information. I want intelligence back – not about single cases but trends and maybe real-time intelligence as well, where our technology is concerned. However, more often than not it is a one-way street and the reason is trust again.
And the second way to approach the challenge is naturally International Cooperation. This comes naturally if you read the statement above but is absolutely key. There are a lot of intergovernmental organizations trying to address the issue but unfortunately I see them often competing rather than collaborating. We need solutions and we need them fast – not in 2020 but in 2012.
All in all, a very good read, which in my opinion lays out the problems extremely well and gives a few natural approaches to possible solutions.
Roger