CYBER SECURITY 2.0
Reflections on UK/EU Cyber Security Co-operation
An Industry and Parliament Trust Report
CONTENTS
1. Foreword and Introduction, by James Arbuthnot MP and Talal Rajab, IPT
2. You, Me, and the Great Threat to Cyber Security, by Stephen Mosley MP
3. Cyber-Security: The Need for Greater Co-Operation Between Public, Private and Academic Spheres, by Tim Watson
4. The Challenges of Creating a Pan-European Approach to Cyber-Security, by James Morris MP
5. The Network and Information Security Directive. What Role can Regulation Play in Improving Cyber Security: The Legal Perspective, by Jane Jenkins
6. Cyber Security Legislation in Europe: The NIS Directive and the Opportunities for Leadership and Harmonization: The Business Perspective, by Jan Neutze
7. Cyber Security Regulation and its Relevance to the Payments Industry: A Case Study, by Colin Whittaker
8. The Policy Challenges of Cyber Security, by David Abrahams
9. The NIS Directive and Protecting Critical National Infrastructure, by Carla Baker
10. European Critical Information Infrastructure, by T.J. Parsons
11. Protecting Critical National Infrastructure across Borders: Cyber Security and the Blended Threat, by James Willison
12. A Year is a Short Time in Cyber-Space, by Dr Christopher Laing
13. Cyber Activism and Hacktivism, by Tom Sorell and Mariarosaria Taddeo
14. Snowden, Prism and State Regulation of the Internet, by Andrew Miller MP
15. The Dark Side of Social Media: Rumours, Real Time and Cyber Security, by Dr Layla J Branicki
16. Bibliography
17. List of Commissioners and Acknowledgements
Foreword
UK/EU Cyber Security Co-operation, by James Arbuthnot MP, former Chair of the House of Commons Defence Select Committee

There can be few areas in which the need for politicians and industry to work closely together has greater resonance than the field of cyber-security, and I am delighted that the Industry and Parliament Trust has contributed to bringing together thinking in this area.

The threat of cyber-attack was identified in the National Security Strategy as one of the highest priority risks facing the UK. Whilst Government has an important role to play in protection against such attack, and this issue is being given increasing priority across Government, much of the work in ensuring security of our critical infrastructure must be done in the private sector.

Defence doctrine places a strong emphasis on the importance of deterring security threats, using the full spectrum of the state's capabilities to make clear to potential enemies that there will be costs to hostile action that will outweigh the benefits they hope to achieve. Cyber-attack poses a different challenge. It may not be readily clear that a state or single body can be held responsible, and there may therefore be no one against whom retaliation can be threatened. Where the ability to deter is reduced, there is a need to focus instead on protecting critical systems against attack, ensuring that they are resilient in the face of attacks that get through, and building in systems for quick recovery in the event of successful and destructive attack. This is as much a task for the private sector as for Government.

A successful cyber-attack on the UK could have truly apocalyptic consequences and, given the linkages between our economies, a threat to our EU partners also represents a threat to the UK. I commend this volume of fascinating essays as a contribution to debate across Europe on how best to address this threat.
Introduction
Reflections on EU/UK Cyber-Security Co-operation
By Talal Rajab, Business Relations Manager, Industry and Parliament Trust

Cyber-security continues to remain a hot topic for both industry and Parliament. It has been over two years now since the UK Government published its National Cyber Security Strategy. Its key objectives were to make the UK more 'cyber-resilient' to protect our interests, build cyber-security knowledge and skills amongst the population and, ultimately, make the UK the most secure place to do cyber-related business.

Cyber criminals are, however, global in their outlook and protecting our interests in cyber-space therefore requires a global approach. Recent EU directives surrounding cyber-security have attempted to standardise practice amongst member states, though the effects these proposed directives will have on states and their businesses are debatable. How, for example, do you define what is "critical" when referring to critical national infrastructure from country to country? How have revelations regarding PRISM and Edward Snowden affected co-operation between nations? And how can the public, private and academic spheres better work together to improve our responses to the threat of cyber-crime? The purpose of this report is to analyse the role regulation can play in answering these questions, and more.

Comprising short essays from parliamentarians, academics and representatives from industry, the report will seek to assess recent EU legislation around cyber-security and analyse some of the key concerns related to UK/EU cyber-security co-operation, focused on three key areas: the EU's recent Network and Information Security Directive (NIS), the standardisation of protecting critical infrastructure across the EU and the effects of cyber-activism on businesses and policymaking around Europe.

In Chapter One we have contributions from Stephen Mosley MP, Professor Tim Watson of the University of Warwick and James Morris MP, with introductory pieces on the IPT's cyber-security commission and an analysis of the challenges towards creating a pan-European approach to cyber-security.
Chapter Two delves into the legal and regulatory principles behind UK/EU cyber-security co-operation, with a particular focus on the EU's recent Network and Information Security (NIS) Directive. Jane Jenkins (Freshfields Bruckhaus Deringer), Jan Neutze (Microsoft EMEA), David Abrahams (Nominet) and Colin Whittaker (Visa Europe) look at the regulatory principles behind the directive and assess its impact on businesses.

In Chapter Three we focus more closely on a key aspect of cyber-security that many argue requires the greatest cross-border co-operation – that of protecting critical national infrastructure. Carla Baker (Symantec), James Willison (ASIS International) and Tim Parsons (Selex ES) outline the current cyber initiatives and standards operating in the EU and the UK related to protecting critical national infrastructure, both voluntary and mandatory, and stress the need for a holistic approach to managing the cyber-related risks to infrastructure that involves greater co-operation between the public and private sectors.

Finally, Chapter Four takes a look at one of the most pertinent cyber-security related topics at the moment – that of cyber-activism, or "hacktivism". Tom Sorell and Mariarosaria Taddeo (University of Warwick), Andrew Miller MP, Dr Layla Branicki (University of Birmingham) and Dr Christopher Laing (Northumbria University) discuss recent trends in relation to cyber-activism and the security implications created by the desire amongst the population for "anywhere, anytime" connectivity to the internet.

This report does not pretend to provide any concrete solutions to many of the problems related to cyber-security regulation, nor does it attempt to take any particular position on the merits of UK/EU co-operation around cyber-security. Its purpose is to analyse some of the key policy-related questions associated with UK/EU cyber-security co-operation and hopefully provide a platform for others to continue the discussions further. Regardless of the UK's relationship with the EU in the future, and regardless of how EU legislation around cyber-security develops, it is clear that the questions and topics raised in this report will continue for a long period of time. We hope that this collection of essays helps bring policymakers, industry representatives and academics closer together to ensure that the UK's cyber-space is the best regulated, and best protected.

The IPT is an independent, non-lobbying, non-partisan charity that provides a trusted platform of engagement between Parliament and UK business. The IPT is dually supported through cross-party representation of senior parliamentarians on its Board of Trustees, and by the patronage of its industry supporters. The IPT creates an environment that supports trusted, open and two-way dialogue between Parliament and UK business. IPT platforms engage, educate and inform, create lasting relationships and facilitate the exchange of ideas.
UK/EU Cyber security Co-operation
You and Me: The Great Threat to Cyber Security
BY STEPHEN MOSLEY MP

During the Industry & Parliament Trust (IPT) and Parliamentary Internet, Communications and Technology Forum (PICTFOR) Cyber Security Commission visit to Brussels, there was one constant theme that stood out. Whether you attended the discussion groups, seminars or meetings, you will have heard the same message: no matter how secure your system, how comprehensive your regulations or the type of business you are involved in, there is always one weak point in your network. And that weak point is consistent the world over. It is, of course, the user.

The background to our visit was the Snowden revelations. This event had an intense impact on the UK, our relationships with our European partners and the future of our security intelligence services. What's more, it perfectly demonstrated the conference's lesson about user-weakness.

Here was a man, who had only been in place for a few months with relatively little power or influence, who managed to smuggle over one million files out of the National Security Agency (NSA), an organisation that you would hope would be one of the most secure institutions in the world.

It is of no surprise that spies spy and I do not think anybody realistically expected the NSA to not hold data on a wide range of security interests. What came as a surprise, at least for me, was that one man had access to so much important data. Except he didn't. Not quite. He was helped by the user error of his colleagues, up to two dozen of whom were duped by his system administrator status into giving him their login details. That user error – admittedly combined with a staggering degree of systemic vulnerability – could threaten the NSA, and that opens up a much bigger challenge, and not just for America.
During the conference we also heard that the most likely way that Iran's uranium enrichment facilities were infected and damaged by the Stuxnet worm was by someone inserting an infected USB stick into a Windows machine. One of the most secure sites in Iran, built to withstand bombing raids and isolated from external networks, was brought low because someone inserted a USB stick. And how did that person get hold of the USB stick? They most likely found it in the car park.

The Stuxnet worm took advantage of previously unknown vulnerabilities (so-called zero-days) in Microsoft Windows. Within days of Microsoft releasing new security patches on Patch Tuesday, the second Tuesday of every month, malware developers reverse-engineer the fixes to work out which vulnerabilities they close, and use that knowledge to attack machines that have not yet been updated. This high-speed activity from potential hackers is here to stay – but individuals can protect themselves. Often, Microsoft's vulnerabilities are exposed and systems penetrated because users failed to update their software. The only answer is to make sure that you always update your machines with the latest patches as regularly as possible.

Finally, it is not just in Iranian security facilities and the headquarters of the NSA where security is under threat. The final major case of user error is something with which we are all familiar. That suspicious looking email arrives in your inbox; you don't recognise the sender and it comes with an attachment. You download it and, predictably, it contains a virus. This familiar tale is the most common case of security breaches – and we can all take small steps to prevent it. So I've come back from Brussels with a very simple message. Whether you're working for the Government, running your own business or simply sitting at home on your laptop, you must always update your software, never open attachments when you do not know what they are, and never put strange USB sticks in your machine!

Stephen Mosley has been the Member of Parliament for the City of Chester since 2010. Before entering parliament, Stephen enjoyed a career in the IT industry, initially working for IBM before setting up his own IT consultancy in 1997. He has a degree in Chemistry from the University of Nottingham and has served on Chester City Council (2000-9), including two years as Deputy Leader of the Council, and on Cheshire County Council (2005-9). In Parliament, Stephen serves as a member of the Science & Technology Select Committee, is Co-Chair of the Parliamentary ICT Forum and has been appointed a Small Business Ambassador by the Prime Minister.
Cyber-Security: The Need for Greater Co-Operation between Public, Private and Academic Spheres
BY Professor Tim Watson, University of Warwick

The Industry and Parliament Trust (IPT) Cyber Security Commission was an informative and enlightening series of events that highlighted the progress made, and the work yet to do, around cyber-security within the European Union. Vladimir Sucha, the Director General of the Joint Research Centre (JRC), opened proceedings with an overview of the work being done by the JRC. It became clear that whilst the JRC are doing good work around cyber-security, engaging with national bodies and academic institutions, there are benefits to be had from greater collaboration. It was concluded that it may be worthwhile for the JRC to consider staff exchanges with universities.

One of the issues raised throughout our time in Brussels was the common view that public and private sector communities are continually playing catch-up and are one step behind attackers. While it is true that criminals are often extremely agile in their ability to exploit new systems, be they economic, social or technical, and while it is equally true that the process of regulation and governance often cannot react at the same pace, it is not inevitable that the defenders of systems will be playing catch-up. Often law enforcement, security and intelligence agencies are one or more steps ahead of criminals.

There is no reason why organisations, large and small, cannot provide adequate protection for their systems without stifling the business processes that they are meant to facilitate. For this to happen we need to provide the right balance of training, education and awareness in areas such as procurement and contracts, board-level governance and operational security so that trustworthy systems are procured, developed and maintained. We also need to improve the social and narrative interaction between the security communities and the decision-makers within organisations so that cyber-security is seen as a business enabler and so that the risks and rewards of doing it properly are clear to all.

The private sector has its part to play too, as there is still too much reliance on the technical solutions provided by cyber-security firms. There needs to be a greater contribution from the behavioural sciences in the development of technical security controls, and the historic preference for commoditised products over more holistic security services should be discouraged. While it can be argued that an academic may not be completely unbiased in this area, it does seem as though we should move from a position of trying to buy cyber-security off the shelf and to have staff trained sufficiently to operate the products, to a position where cyber-security is educated into organisations and the focus for security controls is as much on social, cultural and behavioural controls as it is on technical controls. This ought to be a key focus for the JRC and for Member States.

Prof. Tim Watson is the Director of the Cyber Security Centre at the University of Warwick. With more than twenty years' experience in the computing industry and in academia, he has been involved with a wide range of computer systems on several high-profile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. He has designed, produced and delivered innovative courses on cyber-security for a variety of public and private-sector organisations. Tim's current research includes EU-funded projects on combatting cyber-crime and research into the protection of infrastructure against cyber-attack. Tim is also a regular media commentator on digital forensics and cyber-security.
The Challenges of Creating a Pan-European Approach to Cyber-Security
BY James Morris MP

The challenge for government and business in relation to tackling threats from cyberspace is complex and multi-dimensional. It poses difficult questions as to the most appropriate level at which to tackle the problem in a world which has porous borders and ungoverned virtual spaces. Should Britain seek to tackle the problem at a national, European Union or global level?

Combatting the threat of cyber-attack on business, government and critical national infrastructure involves dismantling traditional notions of sovereignty, boundaries and protocols and thinking about cooperative relationships in a new way. Successful solutions in this area do demand that countries co-operate across traditional boundaries and that businesses share information both with other businesses and with governments. The networked world presents rich opportunities for business and government while simultaneously offering a similarly rich array of strategic and tactical threats.

Recent attempts to regulate cyberspace at the European Union level on a pan-European basis seem doomed to fail because they fail to take into account the flexibility that is required to cope with the strategic threats of the networked world. Many countries in Europe have yet to develop an appropriate strategic level of operational response to the cyber threat, and the danger of European Union level regulation is that the UK could be dragged into an elaborate attempt to drag the weakest up to a certain level. Would this be in Britain's national interest? Attempting to regulate on a pan-European basis also runs into complex definitional issues. For example, is it possible to define what 'pan-European critical national infrastructure' is? The answer is almost certainly no.

The reality is that some light-touch co-operation across Europe may be desirable; but Britain should be seeking a global reach in its overall approach to cyber-security by building a network of co-operative alliances with countries like Israel and the US rather than locking itself into a European Union approach which is predicated on the lowest common denominator. Britain should be seeking to build this network of co-operative relationships as a more appropriate response to the complex global challenge of cyber-security.

James is the Conservative Member of Parliament for Halesowen and Rowley Regis and Parliamentary Private Secretary to Employment Minister Esther McVey. He was previously a successful small businessman specialising in computer software. In 2003 he founded Mind the Gap, an independent campaign to promote civic action and to encourage more grassroots involvement in politics. Prior to entering Parliament, James was the Chief Executive of the think tank Localis. Prior to becoming a PPS to Esther McVey MP, James was a member of the Communities and Local Government Select Committee, and he is currently a member of the All Party Parliamentary Group on Homeland Security.
Cyber-security regulation
The Network and Information Security Directive
What Role Can Regulation Play in Improving Cyber
Security: The Legal Perspective
BY Jane Jenkins, Partner, Freshfields Bruckhaus Deringer LLP
In February 2013 the European Commission published its proposal for a draft Directive on ‘Network
and Information Security’ (NIS) to regulate operators of critical national infrastructure across the
EU. The objectives behind the Directive are to create an EU wide information sharing framework with
requirements for each Member State to adopt a network and information security strategy, to designate
a national authority charged with implementation, to establish a computer emergency response team to
respond to NIS risks and incidents and to ensure operators put in place appropriate security measures.
There is a requirement to report significant incidents to national authorities, who will have
discretion to publish reports where they deem publication to be in the national interest.
The authorities will also have the power to impose sanctions for failure to meet the required standards.
The draft Directive has provoked significant debate around key issues including its scope, the mandatory
reporting of breaches and the imposition of additional technical standards. On 13 March 2014 the European
Parliament approved a revised draft containing significant amendments to water down the scope and
effect of the law. Cyber-security is an arena where defence and data protection meet. Attackers have
varying motivations: some look to use data theft and service disruption as a means of advancing political
and ideological agendas. Others are exploiting vulnerabilities in networks to steal data for financial gain
and perpetrate fraud.
The Commission justifies the imposition of regulation as a means to establishing a reliable environment
for the proper functioning of essential services. The Directive is not driven by the protection of data nor
personal privacy; it is concerned with protecting critical national infrastructure.
The aim of this paper is to identify the competing arguments and address the Directive in the broader context
of regulatory developments in the USA and Germany. The European Commission considers existing EU
rules, requiring telecoms and data controllers to adopt security measures and report security incidents,
to be too specific and too fragmented to truly affect cyber-security issues. It sees the new Directive as
establishing an enhanced, consistent EU-wide standard to protect our key internet based infrastructure.
The Commission’s proposal extends to internet companies, cloud providers, social networks, e-commerce
platforms, search engines, banking and trading markets, energy generators, transmission and distribution
companies, operators of transport systems (including aviation, maritime and rail), hospitals and clinics and
public administrations. The EU Parliament has removed key internet enablers and provided greater detail
around remaining categories to include specifically regulated markets, multilateral trading facilities and
organised trading facilities. Listed companies will be subject to minimum security standards. Conversely,
public administrations are not caught en masse - only those which fall within the definition of the other
specific functions. This is surprising, given the vulnerability and criticality of central and local government.
Suppliers in the UK, in particular, may react with cynicism given the strong messaging to industry generally
to address cyber-security at the board level and the stated intention to exclude from government contracting
those suppliers who do not meet acceptable standards of cyber health.
Mandatory Reporting and Publicity – The Controversies
Perhaps the most controversial issue in the draft Directive is the requirement to report significant breaches
coupled with the ability of the national competent authority to make such reports public. Whilst the UK Government fully supports
the objectives of increasing protection and resilience against attacks, it feels that mandatory reporting will
create perverse incentives that may cause companies to turn a blind eye to risks. The UK Government,
rather, advocates a policy of voluntary information sharing and has therefore set up the Cyber-security Information
Sharing Partnership (CISP) to encourage the sharing of information about attacks and the means to combat them.
Industry points to the risk of damage to reputation, with associated impact on share price and customer
loyalty, as a key cause for concern in regards to the issue of mandatory reporting. These arguments are
less persuasive given the existing requirement under data protection laws to report significant attacks to
data subjects and, separately, under the Stock Exchange listing rules to disclose to the market any incident
that may impact on share price under the “reasonable investor” principle.
This raises an interesting point concerning the impact cyber-attacks that are made public have on share
prices. A limited survey conducted in 2013 suggested that share prices were unaffected by publicity around
cyber breaches. This suggests a lack of investor appreciation of the risks to businesses posed by such
attacks. Indeed, a 2013 PwC survey revealed that the majority of Finance Directors of FTSE350 companies
were unable to evaluate the cyber risks to their businesses so as to make decisions as to the proportionate
and appropriate levels of investment required to commit to cyber risk management. If Finance Directors
are in the dark, investors will be too.
The attack on US retail group Target, at the end of last year, may be a wake-up call.
CASE STUDY
On 19 December 2013 Target announced that hackers, who had entered its network using credentials stolen from a
heating and ventilation contractor, had stolen payment card data for 40 million of its customers. On 10 January 2014
Target disclosed that names, addresses and other personal data of up to 70 million customers had also been taken. The
company's stock value fell around 4% over this period and the company now faces class actions from its customers
whose data have been lost, from its shareholders who allege a breach of the directors' fiduciary duties to safeguard
the information lost, and from the banks who have had to compensate their customers for fraudulent card transactions.
IMCO and the EU Parliament’s reactions to the mandatory reporting obligation were to introduce additional
protections for the company suffering the attack. Firstly, there is a statement that the notification of incidents
“shall not expose the notifying party to increased liability”. It is unclear how such a provision would work in
a case where an incident gives rise to civil liability to customers or other third parties. It would not seem
appropriate to deny those parties the opportunity to pursue their legal rights arising under national law.
Additionally, Parliament has introduced a right to be consulted on a proposed publication with a
hearing if requested. Where information is publicized, it proposes that this shall be anonymised. On
market disclosure the amendments propose that Member States shall “encourage market operators
to make public incidents involving their corporation in their financial reports on a voluntary basis”.
There is a tension here with existing notification rules, and the US Securities and Exchange Commission has
indicated it is contemplating enforcement action in relation to failures to report incidents to the market.
A further area of uncertainty is the threshold for reporting. IMCO has sought to provide greater clarity
around the definition of a “significant incident” which will trigger the notification obligation. It proposes that
significance be determined by factors including the number of users affected and the duration and geographic
spread of the incident. In its current form the Directive envisages the development of sector specific
guidance on both the meaning of a significant incident and the related test for mandatory notification. The
European Network and Information Security Agency (ENISA) will be involved in developing that guidance.
There has been resistance from industry to setting technical standards at the EU level given a concern
at the inconsistent standards applying outside the EU. Commentators are concerned that a standard
will become a lowest common denominator and encourage a “tick box” approach to compliance as
opposed to a dynamic and continuous review of threats and their management. Germany, however,
is pressing ahead with its own legislation which is likely to be in place before the EU Directive. Its ‘IT
Security Act’ is aimed at imposing mandatory standards (currently being addressed on a sector specific
basis with trade associations), obligations to report incidents and to conduct an audit on a two yearly
basis. There is a strong potential for the German approach to be highly influential in the debate around
the appropriate EU position. Whilst industry in the UK is generally resistant to mandatory standards,
they are even more resistant to the potential for inconsistent standards applying in different jurisdictions.
In the US, the National Institute of Standards and Technology issued on 12 February 2014 a voluntary
risk-based framework, foreshadowed by the Executive Order 13636 on “Improving Critical Infrastructure
Cyber-security” made on 12 February 2013. The framework was created through collaboration between
government and the private sector, with a view to addressing and managing cyber-security risk “in a
cost-effective way based on business needs without placing additional regulatory requirements on
businesses”. The framework does not impose new standards but rather provides a structure for navigating
existing standards applicable to critical national infrastructure so businesses can build a risk-based
plan adapted to their needs. While it is not mandatory, compliance with the framework is likely to become
a benchmark against which security measures are tested in any litigation or regulatory investigation.
“Fortress Europe” and Protectionism
Another issue being discussed is the possible creation of
siloed internet systems. The shadow cast by the Snowden
revelations has caused some Europeans to raise the need for
the separation of networks. Commentators have expressed
concern at a trend towards forced data localisation and
hardware production on the grounds of national security,
seeing this as thinly disguised protectionism. Similarly,
differing national standards for encryption methodologies are
threatening to frustrate integration of systems across borders.
Conclusion: Is Voluntary Information Sharing the Solution?
More recent developments include discussion around public-private information sharing platforms along the lines of the
model adopted in the UK. The EU is to publish guidance on
risk management and information sharing in the second quarter
of this year. There is strong support for such initiatives and
it remains to be seen whether this model will overtake the
Commission’s support for mandatory information sharing. The
Commission intends to contest both the watering down of the
requirement for each national competent authority to share information on attacks and
the removal of key internet enablers from the scope of the
Directive. The debate going forward promises to be intense. It
will be interesting to see if any Member State asserts its right to
opt out of the Directive in all or part on the basis of its right to
retain sovereignty over issues affecting its essential interests of
national security and, if so, how the Commission will respond.
Jane is a solicitor and partner
at Freshfields Bruckhaus
Deringer. She co-heads the firm's
international cyber security and
defence teams. She advises
clients on legal risk evaluation,
mitigation and response in the
aftermath of a cyber attack
including management of the
interface with regulators and
litigation.
Cyber-security regulation
Cyber-security Legislation in Europe:
The NIS Directive and the Opportunities
for Leadership & Harmonization: The
Business Perspective
By Jan Neutze, Director of Cyber-security Policy, EMEA, Microsoft
Just over a year has passed since the European Commission published its proposals for the first EU
Cyber-Security Strategy and its accompanying Network and Information Security (NIS) Directive. Since
then, a lot has happened in the cyber-security discourse. The disclosures over alleged government snooping
have sparked concern, and in some cases outrage, over the size, scope and character of government
surveillance programs. Microsoft, along with other ICT companies, announced significant technical, legal
and transparency measures to enhance customer protections. The shifting threat model has influenced
the perception of cyber-threats and reshaped the public debate. At the recently held 50th Munich Security
Conference, cyber-security was the topic of the opening panel, further evidencing how questions of
security, privacy and transparency in cyber-space have become key public policy issues of our time.
The European Commission’s initiatives’ first anniversary therefore represents a timely opportunity to
look back and assess the progress made so far. Global developments have made it even clearer that
the Commission’s proposals needed to be considered contextually and not in isolation. Draft legislation
on the processing of personal data and free movement of such data, as discussed within the framework
of the General Data Protection Regulation, as well as the draft regulation on electronic identification
and trust services for electronic transaction, touch on many of the points put forward in the NIS
Directive. All relevant stakeholders must ensure co-ordination between these three important pieces
of legislation, in particular in areas such as data protection provisions, breach notifications, auditing,
liability and reporting. A lack of harmonization across these initiatives could potentially result in conflicting
requirements, which in turn could lead to a less secure cyber ecosystem, both within the EU and globally.
Some of these challenges notwithstanding, we welcome substantial progress that has been made in
particular with regards to the development of the NIS Directive. Success in cyber-security depends
on committing to risk management. By focusing on the protection of Europe’s most critical services
and assets, leaders in the European Parliament have signaled a commitment to a risk management
approach and framework intended to support collaboration and accountability. For example, recently
proposed changes now provide the opportunity for the private sector to participate in the planned
NIS co-operation network, which would allow for sharing of best practices and strategic analysis.
Other parts of the draft NIS Directive could still benefit from
additional clarity, including how national competent authorities
(NCAs) or single points of contact will in fact interact with one
another and what information they will share; similarly, greater
emphasis on the role of international standards and recognized
certification agreements would be a welcome step forward.
Last, but not least, it is important to note the progress already
made on cyber-security at the Member State level over the past
year. Close to half of the EU Member States have (re-)committed
to strengthening their cyber-security efforts; either through
work on national cyber-security strategies, as envisioned in
the European Commission proposals, or through efforts aimed
at capacity building and greater co-operation, as seen by the
BeNeLux countries, Germany, Poland, and the United Kingdom.
It is important that these commitments translate into concrete
actions that reconcile both security and privacy while
striving for maximum harmonization. The European Union
has an incredible opportunity to become a policy leader in
cyber-security and we should all work to support this effort.
Harmonization is important beyond Europe. Just a few weeks
ago, the United States released a Framework for Improving
Critical Infrastructure Cybersecurity (the “Framework”). This
Framework was developed over the past 12 months through a
collaborative public-private process led by the National Institute
of Standards and Technology (NIST). This is an important step
in the broader development of cyber-security public policy, and
the first time that the public and private sectors have agreed
to a common Framework for approaching cyber-security.
In Europe, the NIS Platform can benefit from leveraging
commonly accepted international risk management standards
and building on the lessons learned from the US efforts.
Jan Neutze is Director of Cyber-Security Policy at Microsoft responsible for cyber-security policy matters in Europe, Middle East, and Africa (EMEA). Before taking on Microsoft’s EMEA security portfolio, Jan worked in Microsoft’s Trustworthy Computing (TwC) group at Microsoft Corp. leading TwC’s engagements with governments and industry partners. Jan came to Microsoft from the United Nations Headquarters where he served for three years in the policy planning staff of the UN Secretary-General and the Department of Political Affairs, leading a range of cyber-security and counter-terrorism projects.
Cyber-Security Regulation and its relevance to the
Payments Industry: A Case Study
By Colin Whittaker, Head of Payment System Security, Visa Europe
One of the more illuminating descriptions of the nature of cyber-security comes from an International Organisation for Standardisation (ISO) draft on the topic which states that “…stakeholders in the cyber-space have to play an active role, beyond protecting their own assets, in order for the usefulness of the cyber-space to prevail”. This provides a sound starting point to determine, from Visa Europe’s perspective, what cyber-security means to our card payment eco-system and the implications of proposals for cyber-security regulations.

The description strikes to the heart of the increasingly asymmetric nature of both the cyber-security threat and the risk assessments enterprises make to determine how to defend themselves from the threat. An example of the asymmetry is that enterprises may either place much less value on the assets they need to protect than the criminals do, or that the level of effort, time and capability that the criminals can generate to attack an enterprise is much greater than the enterprise can provide to protect themselves. An additional asymmetry to recognise is that the harm from a data compromise is often suffered more by other entities in cyber-space than by those who have been compromised. These descriptions fit well with Visa Europe’s experience, and therefore the concept of cyber-security is highly relevant to the payments industry. We cannot, however, ignore that attackers also prize the ability to secure control of an enterprise’s equipment and services to increase their anonymity as they use these assets as a springboard to launch cyber-attacks on other victims. Visa Europe has seen evidence of this from data breach investigations. These examples provide no better illustration of the truth of the ISO description of the nature of cyber-security.

There is now an acute recognition across the payment card industry that attackers are willing to invest significant time, energy, imagination and tenacity in trying to defeat the security controls that we require entities to deploy to protect cardholder data. This leads to these controls being kept under continual review and enhanced where necessary; this is in part evidenced by the recent triennial review of the PCI Data Security Standard incorporating lessons learnt from recent data breaches.
It is also of note that annual reports from computer forensics
companies supporting the payment card industry continue
to show that adoption of commonly accepted, good security
practices would have prevented many of the breaches they
investigate; irrespective of the motivation of the attacker.
As important, however, as protection continues to be, Visa
Europe also actively promotes other strategies that reduce
cyber-security risk, and hence the data security burden, for
enterprises. We do this by working to devalue the data the
attackers prize by making it worthless to them. The most
striking example of this has been EMV, or Chip and PIN as
it is known in the UK; a truly asymmetric security strategy.
It is important to approach cyber-security holistically, inherent in the description quoted. However, it must also be acknowledged that there are benefits when communities of interest act for the good of the community through self-regulating the cyber-security measures implemented by its participants. This is what Visa Europe does for its payment system and the participants within it, providing appropriate and relevant security requirements, monitoring adoption of these requirements, the co-ordination of data breaches where security fails and the dissemination of intelligence on lessons learnt from breaches.

Although there are calls for greater governmental regulatory action to protect all stakeholders in cyber-space, it would clearly be unhelpful if this action undermines the efforts of extant communities of interest. Any regulatory effort must complement community cyber-security efforts, and where possible reinforce them. However, where that community crosses many national jurisdictions achieving a consistent approach is of course much more challenging.

If the benefits of cyber-space are to be realised, then it must be appropriately protected and this is where cyber-security becomes important. It is also perhaps inevitable that some measure of regulation might become necessary to achieve this. The issue, as always, will continue to be: how much regulation? Is it proportionate? Finally, is it capable of being applied sensitively to complement and reinforce existing cyber-security strategies and not to disrupt them?

Colin Whittaker heads up the Payment System Risk team within Visa Europe and has responsibility for payment system security, member compliance, PIN security and vendor certifications, programmes, and Data Compromise Management. Part of Colin’s remit is also the implementation of PCI DSS across the European markets and creating market specific risk policies. Colin joined Visa Europe in 2010 from UK Payments where he was the Head of Security. His role was to provide the focus for information security issues for the wide range of companies and brands serviced by UK Payments.
The Policy Challenges of Cyber-Security Regulation
By David Abrahams, Head of Public Policy, Nominet
The conversations we held across two days of presentations and debate provided an interesting and useful insight into the high level policy challenges that are presented by cyber-security.

As with so many issues related to the internet, a key challenge for policy makers is that there is no central point of control or regulation of the internet. This is of course exactly why the internet was first established – to provide a decentralised communications network that could survive a catastrophic attack on a central command and control function. It is also one of the reasons that the internet has flourished as a place where people can freely exchange opinions, build communities of shared interest and do business. However, unlike some other internet-related policy issues, cyber-security is further complicated by the fact that it is not simply a matter of finding ways to enforce existing laws in an online environment; it is also a matter of national security.

Taken together, these factors mean that cyber-security cannot be addressed simply by regulation or the actions of commercial operators alone. Instead, it requires a multi-faceted policy response taking in industry standards, supply chain management, cultural changes by consumers, enhanced expertise in regulatory bodies and co-ordination with national security apparatus.

The proposed Directive on Network and Information Security (NIS)
Much of the discussion over the two days related to the European Commission’s proposal for a Directive on Network and Information Security (NIS). There was significant industry concern about the way the Commission’s proposals pursued a top-down regulatory approach rather than encouraging those Member States that are behind the curve on cyber-security to pursue a multi-faceted strategy. The Commission’s regulatory approach stands in contrast to the approach taken in the UK, where we have a well-developed government cyber-security strategy and infrastructure to support industry.
The UK approach is based on:
• Co-operation between our national security apparatus and industry, especially in the field of critical national infrastructure;
• Well established voluntary information-sharing arrangements between commercial operators; and
• Strong information and awareness raising campaigns led by government and supported by industry.
In the larger European economies, where commercial supply chains are long, complex and global in nature, it is clear that an EU-centric regulatory approach to cyber-security is not going to be effective. In short, the EU cannot insulate itself from the rest of the world when it comes to internet and global trade and therefore the policy response to challenges of cyber-security must look beyond the creation of regulatory hoops for European businesses to jump through. Industry participants in the delegation therefore welcomed the changes made to the NIS Directive by the European Parliament in terms of limiting the directive’s scope and creating a framework for a more co-operative relationship between regulatory bodies and the companies they regulate.

Cultural responses to surveillance
There were clear disagreements amongst the policy makers we met regarding the impact of Edward Snowden’s revelations about the surveillance activities of the US, UK and other governments. There is a clear cultural difference between the UK’s general trust of the state security apparatus that has been built up since the Second World War and the culture of distrust and concern in countries that have a recent history of authoritarian government or occupation by foreign forces. This may reflect a difficulty that will always exist when trying to approach issues of national security within the European Union, which is civilian and political by nature.

Cyber activism and democracy
Our closing discussion on “cyber activism” highlighted that, beyond the headlines about hackers, there may be some positive outcomes from this sort of activity. The Pirate Party is a good example of how self-organising communities that have been established online around cyber-activism can enter the mainstream political process in a number of European countries. This should be celebrated as a success for the liberal democratic system enabled by an open and free internet.

David Abrahams is Head of Public Policy at Nominet, the company responsible for running the .uk domain name registry. David leads Nominet’s relationship with government and political audiences in the UK and EU and has led the development of Nominet’s policies for the new .cymru and .wales domain spaces which will launch in 2014. Prior to joining Nominet in 2012 David worked at Ofcom where he directed competition investigations, regulatory disputes and consumer protection programmes.
Cyber-Security and Critical National Infrastructure
The NIS Directive and Protecting Critical
National Infrastructure
By Carla Baker, Senior Government Affairs Manager, Symantec
The need to protect critical national infrastructure is not new. Nation states have recognised the criticality
of protecting key elements of the national infrastructure for hundreds of years. The Roman Empire
understood the importance of protecting roads and aqueducts, which were considered vital parts of
the Empire’s infrastructure. Indeed, this very infrastructure was exploited in 213 BC when Hannibal led
an offensive and used the Roman roads, the Empire’s own critical infrastructure, to launch an attack,
not that differently from today’s cyber attackers, who exploit our information systems against us.
The advance of the digital world brings a new, more complex dimension to the protection of Critical
National Infrastructure (CNI). The near borderless nature of the internet, the growth of cyber-security
threats and varying levels of cyber maturity across both the public and private sector creates a challenging
and complex environment. As set out in the Symantec 2014 Internet Security Threat Report (ISTR), threats
are becoming increasingly sophisticated and pervasive, affecting every level of society, from national
governments to businesses and citizens. In addition to cyber-crime driven attacks, targeted attacks on
key aspects of the critical infrastructure continue to grow and evolve. Targeted attacks use malware
to target a specific user or group of users within an organisation and can be delivered using various
stealthy methods ranging from spear-phishing emails to watering holes in legitimate websites. The aim
of such attacks is to provide a backdoor for the attacker to breach the intended organisation in order
to gain access to systems and cause damage or steal confidential information such as trade secrets or
customer data. As the 2014 ISTR highlighted, there was a global average of 83 targeted spear-phishing
attacks per day in 2013 and approximately 1 in 3 organisations in the Mining, Public Administration
and Manufacturing sectors were subjected to at least one targeted spear-phishing attack in 2013.
Cyber-security threats are no longer just a case of a lone hacker developing malware to cause havoc;
we are seeing more sophisticated, targeted attacks from adversaries that are well resourced and
organised, and use an array of evasive techniques and tradecraft. The threats to critical infrastructure
have been well documented with attacks such as Stuxnet, Duqu and, more recently, Flamer.
CASE STUDY: STUXNET
Stuxnet brought the issue of critical infrastructure protection to the forefront of the cyber debate, making headlines across the globe. Stuxnet is a very sophisticated worm that targets industrial control systems in order to take control of industrial facilities, such as power plants.
Given countries’ dependencies on key infrastructure such as utilities, transport and telecommunications, Stuxnet proved a very worrying example of how sophisticated and damaging threats were becoming. As a result, governments across the globe are striving to protect vital infrastructure from cyber-attacks due to its criticality to national security, economic stability, and public health and safety.
A number of recent publications have highlighted the importance of protecting critical national infrastructure
and highlighted the steps national governments and international organisations are undertaking to strengthen
resilience to the growing threats. In 2011 the UK Government published the Cyber Security Strategy which,
amongst other objectives, set forth a number of actions that aimed to enhance the UK’s cyber-resilience,
from developing effective information sharing mechanisms such as the Cyber Security Information
Sharing Partnership, through to providing advice, guidance and tools to companies that underpin the CNI.
At a European level, the EU Commission published the European Cyber-Security Strategy and a proposal
for a Network and Information Security (NIS) Directive, which aim to develop a common baseline of NIS
across EU Member States.
The Directive represents an important step in the efforts to improve cyber-security and harmonise
preparedness and resilience mechanisms across Europe, taking stock of best practices that already exist
amongst EU Member States. A key principle in the Directive is the need to develop effective information
sharing mechanisms which, if established with the necessary trust, incentives, safeguards, controls and
protections can form a crucial tool in helping organisations protect systems, networks and confidential
information from intrusion, disruption, theft or manipulation.
There is still work to be done to improve and enhance the Directive and more emphasis needs to be placed
on working in partnership with the private sector to address the pervasive cyber threat. However, what
is abundantly clear is that governments across the world, whether at a national, regional or international
level, take the cyber threats faced by both the public and private sectors seriously and realise that more is
needed to mitigate this growing and evolving challenge.
The evolution of the internet has driven economic growth, facilitated international trade and enabled people to communicate across the globe. It has also brought new risks, which are being exploited by hackers, criminal gangs and nation states, and these adversaries are targeting key aspects of the critical national infrastructure. Addressing the risks requires clear strategies, followed up with concrete actions, enhanced operational capabilities and a collaborative approach between industry and the public sector.
The EU’s efforts to strengthen Member States’ approach to network and information security are a welcome step in the right direction; however, a number of issues need to be addressed, such as whether the EU should take a regulatory or voluntary approach to information sharing schemes and address the political sensitivities around elevating information sharing to an EU level.

Highlights from the Symantec 2014 Internet Security Threat Report - Key Findings
• 91% increase in targeted attack campaigns in 2013
• 62% increase in the number of breaches in 2013
• Over 552M identities were exposed via breaches in 2013
• 23 zero-day vulnerabilities discovered
• 38% of mobile users have experienced mobile cybercrime in past 12 months
• Spam volume dropped to 66% of all email traffic
• 1 in 392 emails contain a phishing attack
• Web-based attacks are up 23%
• 1 in 8 legitimate websites have a critical vulnerability

Carla is Symantec’s Senior Government Affairs Manager, responsible for driving the company’s public policy agenda in UK and Ireland and representing Symantec before public authorities, industry associations and trade bodies. Prior to joining Symantec, Carla was a director at Intellect, the UK trade association for the technology industry, leading the association’s Cyber Security Programme. In this role she led the development of industry-wide policy positions on specific cyber related issues, informed the development of government policy and built successful relationships with senior government officials, Ministers and MPs.
European critical information infrastructure
By Tim J. Parsons, FBCS, FIET, FRSA, MIoD, Selex ES, Security and Smart Systems
It is useful to summarize the issues connected with European Critical Information Infrastructure (ECII) from
at least three perspectives, these being three key areas which can frame our understanding of this topic.
• The market and commercial perspective
• The systems perspective
• The legislative and standards perspective
The Market and Commercial Perspective
From the market, commercial and legislative perspectives, market liberalization, market coupling and
service unbundling has significantly diversified the supply chain in some member states and the economic
arguments for these trends continuing across the EU are overwhelming. Studies undertaken for the European
Commission Directorate indicate that savings worth tens of billions of euros per year would be achieved
by the establishment of a deeply integrated and resilient European market in the energy sector alone [5].
The supply chain will hence continue to broaden and deepen, increasingly incorporating Small to Medium
Enterprises (SMEs) and, from an economic viewpoint alone therefore, it may be concluded that the sectors
comprising the ECII in five years’ time (most certainly in ten years’ time) will differ in detail from the critical
infrastructures we know today. It is these ‘details’ which determine the threats and vulnerabilities relating to ECII.
The Systems Perspective
From a ‘systems perspective’ the ECII is not static, and the European Program for Critical Infrastructure
Protection (EPCIP) [2,2a] recognizes and highlights the increasing interconnectivity and interdependency
of the emerging ECII. The following significant developments may be identified:
1. The integration of de-centralised renewable energy, within the context of
continuing European market integration. These developments will change
the fundamental topology of energy distribution networks across European
wide grids.
2. The development of ‘Smart Cities’ and so-called ‘Cyber-physical
convergence’ which will broaden our concepts of criticality considerably.
3. The emergence of real-time monitoring, control, and machine to machine
communication.
4. Finally, the cyber-physical threat itself will substantially drive the evolution
of the ECII.
Each of these drivers will have consequences for the fundamental properties of the emergent ECII such
as resilience, and further cross-sectoral, multi-stakeholder research of these issues would yield additional
valuable insights.
The Legislative and Standards Perspective
Commercial operations are, of course, also driven by the legislative and compliance environment
in which those services are provided. The ECII in particular is characterised by an exceptionally
complex multi-layered, sectoral, national and international environment. Work commissioned by the UK
Business Innovation and Skills Department (BIS), for example, recently evidenced over 1000 standards
internationally relating to cyber-security [6].
Any initiative in the legislative space must be fully cognisant of
both the complexity of existing sectoral and national legislation
and standards and the diversity of organisations forming the
emerging ECII. In terms of EU approaches to harmonisation
and coherence, a number of areas within EPCIP 2013 [2,2a]
are to be welcomed.
These are:
• The recognition of the complexity of
facilitating and harmonising change
• The increased focus on interdependencies
• The increased role for public and private
collaboration
• A focus on the critical areas of energy
distribution, geo-location and air traffic
control
• Progress towards a trusted network by
which to disseminate and report cyber threat
intelligence and incident alerts (CIWIN)
EPCIP outlines a mix of market, EU and public-private fora led
approaches in the establishment of common risk management
processes, cyber threat information sharing networks and
scenario exercises. They recognise a need for cohesive planning
across the EU Directorates and a focus on interdependencies
within and across four key Critical Infrastructure sectors.
In contrast, both the Joint Communication on the Cyber security
strategy of the EU [1] and the Directive relating to Network
and Information Security [3] propose that delivery of Cross EU
harmonisation and coherence would be facilitated by adopting
a more regulatory approach.
As a co-founding Board member
of the Information Assurance
Advisory Council, Tim led the
first UK cross-sectoral study of
emerging threats to the Critical
National Infrastructure in 2001.
He has acted as an independent
scientific advisor to the MoD,
scoping the rapidly evolving field
of Information Operations and to
the DTI for the Cyber Trust and
Crime Prevention S&T Foresight
Panel.
Within Europe, he has advised
NATO on the implications of
civil information infrastructure
dependency and aspects of
counter-terrorism. He was
also an invited reviewer for the
Framework 5 programme on
dependable and trustworthy
information infrastructures.
He is currently an industry
advisor to NATO in the area of
cyber crisis management and
a committee member for the
academic fora on Information
Warfare and Security and Cloud
Security Management.
Initiatives within the United Kingdom
It is against this backdrop that it is useful to summarise recent initiatives within the UK. In addition to the
engagement of senior business leaders on cyber-security by CESG in 2012, the sectoral based CPNI
led information sharing fora and the further development of an ‘IT health check’ service provider scheme
(CHECK), there are six additional notable initiatives:
1) The Cyber Security Information Sharing Partnership (CISP)
Following an earlier pilot study in 2011, the Cyber Security Information Sharing Partnership (CISP) was
launched in March 2013 by the Cabinet Office. The CISP is a joint, public-private initiative to enhance
awareness of the cyber threat by sharing real-time intelligence on threats and vulnerabilities within a
secure collaborative environment. Funded by the National Cyber Security Programme, the initiative has
cross government support and it extends beyond Critical National Infrastructure to encompass over 200
organisations in, for example, the legal and retail sectors. CISP will feed into the National Computer
Emergency Response Team CERT-UK.
2) CERT UK
CERT UK is due for launch in Spring 2014. It will have a 24/7 capability providing specific support to CNI
and situational awareness across a wider range of sectors. It will provide national level co-ordination with
the sectoral CERTS, and it will have EU and international co-ordination and outreach responsibilities.
CERT UK will build on the capabilities developed by CISP and it is anticipated to be integral to existing
national emergency response and civil contingency organisations. It is not anticipated to have investigatory,
regulatory or law enforcement powers, but will work closely with those who do.
3) The Production of Good Practice Guides
The Good Practice Guides provide guidance to public bodies and the public body supply chain. These
guidelines cover cyber related issues such as protective monitoring, internet connectivity, remote working,
data separation and cyber forensics.
4) Cyber Incident Response Scheme
Towards the end of 2012 The Cyber Incident Response
scheme was launched by CESG and the CPNI. It aims to
provide a kitemark for those companies with evidenced
capability in countering advanced persistent threats (APT’s).
5) Basic Cyber Hygiene
The Business Innovation and Skills Department (BIS) is currently leading a cross sector engagement process to produce guidance for “Basic Cyber Hygiene”. Although influenced by the ISO27000 series of standards, this initiative recognises the potentially high cost of mandatory legislation to Small to Medium Enterprises (SMEs) within the supply chain. BIS is therefore working with the British Standards Institute (BSI), the Information Security Forum (ISF) and a specific IA model designed to provide practical guidance to Small to Medium Enterprises.
6) Defence Cyber Protection Partnership
There is also a significant public private initiative within the Defence sector called the Defence Cyber Protection Partnership. It has the backing of some 12 Defence companies together with the MoD, GCHQ and CPNI and seeks to articulate the risks and to enhance and share threat intelligence across the supply chain via a trusted virtual environment.
In summary there are currently at least six notable cyber collaborative initiatives in the UK. The overall initiatives have not been mandatory; rather they have been initiated via Government or via public-private sector fora and resources. Interestingly, there is evidence that these initiatives are already beginning to shape the cyber market within the UK, in both the low and the high threat arenas. Vendors already market GPG ‘compliance’ in the ‘low threat space’ and, in the ‘high threat space’, the CESG Kitemark for competence in countering advanced persistent threats has differentially attracted businesses. A key point of recognition is that the efficiency of the Critical Infrastructure supply chain has significant business value. It is integral to an organisation’s competitiveness and market proposition. As such it is dynamic and evolving in response to the drivers we have identified. The CEII in ten years’ time will be different in detail from the current CEII.
SUMMARY OF POINTS
It is essential that those complex enabling frameworks which will lay the foundations for a secure and
resilient critical infrastructure are scoped and co-ordinated at national and EU levels.
These legal, commercial and systems initiatives must enable and support future critical infrastructure
development, with increasingly complex interdependencies and increasingly diverse supply chains.
There is a real need therefore to understand the impact of orchestrating the harmonisation within the
EU of cyber standards, not only through the life-cycle of prevention, preparedness and mitigation [6],
but also across the entire supply chain. Business impact itself must be considered from a number
of viewpoints including cost and supply chain agility and its ability to respond appropriately to cyber
events. A key focus needs to be placed on mechanisms which:
• Enhance federated trust and security across the increasingly diverse supply chain
• Have an acceptable legislative burden
• Allow for a diversity of reporting mechanisms
• Enhance existing initiatives
• Encompass the existing integration of cyber processes into National Governmental organisations.
These mechanisms would be key to effective implementation and reduce the barriers to uptake by the diverse range of organisations forming the emerging ECII. A ‘tool-box’ approach, using the entire spectrum of voluntary, public-private collaborative and mandatory initiatives, would hence likely offer the diversity of controls needed to address the complex, diverse and ever evolving ‘systems of systems’ which form the ECII.
Protecting Critical National Infrastructure Across Borders: Cyber Security and the Blended Threat
By James Willison, Vice Chair, ASIS International European Convergence Committee
James Willison of Unified Security is Vice Chair, ASIS International European Convergence Committee and one of 800+ members of the ASIS UK Chapter. ASIS International is a global community of 38,000 security practitioners, each of whom has a role in the protection of assets, people, property, and/or information. ASIS advocates the role and value of the security management profession to business, the media, government and the public and is an ANSI-accredited Standards Developing Organization, working with standards-setting organizations worldwide. ASIS is developing a series of ANSI resilience standards helping organizations address the risks of disruptive events.
Critical National Infrastructure (CNI) faces an increasingly
complex risk scenario. In the last decade threats have
multiplied from both the physical and IT areas. It used to be
sufficient for site security at a power plant or factory to focus
on fencing, CCTV and physical/logical access control but
now the cyber risk posed by Internet Protocol based physical
security systems is forcing the need for a more unified security
strategy. Traditionally, cyber-security has been managed by
IT departments but the vulnerabilities in physical security
systems provide opportunities for both hackers and the
insider to gain access to company information and critical
system controls. These can no longer be protected without an
organisation wide strategy to consider security risks in multidisciplinary and cross-functional teams. In the digital age,
those responsible for CNI resilience need to ensure all these
risks are managed effectively and work very closely with all
business support functions including Corporate and Information
Security, IT Security, Business Continuity, HR and Legal.
In the last decade much work has been done to develop international standards in the area of
information security, notably the ISO 27001 and 27002:2013 Information Security Standards and
the ISO 22301:2012 Business Continuity Management Standard. However, the issues of site security
and blended cyber physical threats which can cause the CNI
to fail and lead to disasters have not received the attention they
really need. In an effort to remedy this situation, and in line with
the UK National Security Strategy, in August 2010 ASIS UK and
ASIS International invited over one hundred Global Physical
and Information Security leaders to contribute to an American
National Standard (ANSI) for Physical Asset Protection (PAP).
http://www.asis.org.uk/
www.asisonline.org
The Physical Asset Protection Standard sets out to complement
the work of the ISO Standards and offers guidance on these
emerging new threats. The Standard takes a holistic approach
and outlines best security practices. It also indicates the
increasing significance of blended cyber physical threats
to physical security systems and data and recommends
a teaming pre-emptive response. The relevance for the
protection of Critical National Infrastructure which relies on
resilient site security in order to function should be obvious.
It is the exploitation of these vulnerabilities which concerns so many. For if a hacker can gain access
to a facility and render the plant inoperable, the consequences could be catastrophic. Following
a two year consultation process and a public review, ANSI and ASIS International published the
Standard in April 2012. The result is a comprehensive approach to security risk management designed
and written with a focus on the needs of the business. There are many valuable perspectives and
insights with practical recommendations for developing relations with all areas of the organisation.
The introduction sets the scene perfectly and the following quote is indicative of its quality.
“In order to effectively protect its assets, an organization needs to recognize the interdependencies of
various business functions and processes to develop a holistic approach to PAP. Physical asset protection
is intertwined with other security-related disciplines, such as information technology systems and continuity
management. In order to understand the shared risk environment, the organization should consider:
a) A common basis for risk ownership and accountability;
b) An integrated risk assessment and harmonized treatment strategy;
c) Common lines of communications and reporting for assessing and
managing risk in a cross-disciplinary and cross-functional fashion; and
d) Establishing cross-disciplinary and cross-functional teams to achieve a
co-ordinated pre-emptive and response structure.
When implementing this Standard, organizations should adopt a comprehensive and integrated strategy
that encompasses all areas of security risk. This should be reflected in all elements of the Standard. The
organization will be better able to achieve its objectives by understanding and incorporating the convergence
of PAP, information technology systems, and risk management in all of the elements of its management
system.” (ANSI / ASIS PAP.1-2012 Standard, page xiv, with permission).
It is the need for cross-disciplinary and cross-functional teams, which can identify blended attacks,
that is such an important solution for the threats to Critical National Infrastructure. Currently, most
organisations only operate these teams in a crisis event when it is too late. This failure to identify the
vulnerabilities in physical security systems and procedures is not acceptable. So what is the answer?
ASIS UK, as part of ASIS International, is working with the European Union in a variety of ways.
In April 2014, Europol partnered with the ASIS European Security Conference in the Hague and
emphasised the importance of reaching out to our members. There are about three thousand senior
security professionals from across Europe who can advise and help secure our member states.
It is anticipated that there will be a developing commitment to cross border security issues
in the future. Europol and the Cyber Crime Centre (EC3) itself is a cross border organisation
which leads initiatives to combat crime and links security professionals and investigations.
Many of these security leaders were involved in, and supportive of, the ANSI / ASIS PAP
Standard which has many valuable principles for the protection of Critical National Infrastructure.
The ANSI / ASIS PAP Standard states that, “The organization shall define and document its risk and
resilience management context, including: How combinations of multiple risks will be taken into account”
(ibid., p.6).
In its discussion on the identification of risk it says,
“The organization should establish, implement, and maintain a documented security survey procedure to: a)
Identify cross-disciplinary and cross-functional interdependencies.” (ibid., p.13)
The interdependency of business functions is a recurring theme of the Standard, and its importance is seen in the
section on training.
“The organization should identify competencies and training needs associated with PAP management,
including the interdependencies of various business functions and processes. It should provide training or
take other action to meet these needs, and should retain associated records” (ibid., p. 16).
Once the foundation of the standard has been laid it outlines the importance of security convergence for
the organisation. There are two pages on the applications of security convergence including this statement,
“Rather than having asset protection and security solutions managed by different business functions
applying subjective risk controls to their threat specific vulnerabilities, convergence provides a common
platform where these solutions are assessed and treated from the perspective of a shared risk environment”
(ibid., p.31).
It then indicates that the following be established:
“A cross-discipline and cross-functional risk assessment and management framework that identifies,
analyzes, evaluates, and treats all security risks within a singular managed process; A risk management
process that monitors all security risks controls and reports weaknesses, vulnerabilities, attacks, and
systems failures collectively” (ibid., p.32).
This selection of text alone makes it clear that protecting physical assets like power stations and the
water supply is dependent on the need to manage the risks holistically. This means that organisations
can no longer consider business security risks in isolation. The various interdependencies are evident.
The PAP Standard outlines many important solutions and it needs to be implemented more widely.
ASIS International has identified that only about 20% of organisations operate strategies which follow
this holistic approach. It is really important therefore that parliamentarians promote the implementation
of best security practises as our CNI depends on them. The PAP Standard recommends the
deployment of cross functional teams which act in a pre-emptive way and common risk reporting to
enhance an organisation’s strategy and thereby prevent a cyber physical attack. If one should get
through, at least this approach will enable a fast response and greater likelihood of a good recovery.
Cyber Activism and ‘Hactivism’
A Year is a Short Time in Cyber Space
By Dr Christopher Laing, Northumbria University
In a far-off time and cyber-space very few people had heard of WikiLeaks or Julian Assange. Well, just in case you missed it, Julian is the main spokesperson and editor-in-chief for WikiLeaks, who publish anonymous submissions from private, secret and classified sources: a ‘digital whistle-blower’! In its time WikiLeaks has been awarded numerous accolades, starting with The Economist’s New Media Award in 2008 and the Amnesty International UK Media Award in 2009. In 2010, it was listed as one of 5 ‘pioneering websites that could totally change the news’ by the New York City Daily News, while in the same year readers of TIME magazine voted Julian as their choice for TIME’s Person of the Year. Julian was the new techno urban warrior, a ‘wunderkind’. Interestingly, in that very same year the US Secretary of State, Hillary Clinton, speaking on Internet Freedom at The Newseum, outlined her vision in which digital whistle-blowers, such as Assange, and their ‘information networks would form a new nervous system for our planet’; in which digital whistle-blowers would champion transparency; ‘helping the people discover new facts, and making governments more accountable’.
However, less than 12 months later, things had changed. Clinton, now speaking at a hastily convened State Department press conference, condemned those same digital whistle-blowers; digital transparency was an ‘attack on the international community.’ Sarah Palin even called for Assange to be hunted down by American special forces and assassinated; arguing that he should be ‘pursued with the same urgency we pursue al-Qaeda and Taliban leaders.’
With this in mind, one does wonder: do we need some type of
digital transparency for business information security issues?
Now, I’m not suggesting a digital whistleblower championing
the transparency of digital and software vulnerabilities, as
used by various national intelligence forces to undertake mass
surveillance. Although, as we have seen recently, that could be one
option, and interestingly the repercussions of those revelations
may have indirectly led to the European Parliament voting on
data protection reform and protection from mass surveillance.
No – I am suggesting some form of ‘collective intelligence: a
shared intelligence that emerges from a collective and transparent
collaboration of individuals dealing with similar problems’, i.e.,
the use of collective intelligence directed at European security
breaches/issues with its critical infrastructure. I would argue that
an effective means of transparently sharing details, without fear
of recrimination and embarrassment, would greatly reduce the
impact of such breaches. Fine idea, but the key words here are,
‘recrimination’ and ‘embarrassment’ – how can this be achieved?
In reality, organizations are reluctant to share information; what
about my competitors; will this sharing be reciprocated; will it
open me up for further attacks, more expense, loss of reputation;
what will my customers/clients think? But, given privacy and
anonymity safeguards, organizations might just be persuaded to
share information with a ‘trusted’ independent security ‘broker’;
able to exchange security information from many similar
sources. All that is needed is for a trusted broker to step forward.
The UK government’s Warning, Advice & Reporting Points are
part of the Centre for the Protection of National Infrastructure
initiative on helping organizations secure their information and
information infrastructure. Warning, Advice & Reporting Points,
otherwise known as WARPs (please don’t let the name put you off),
are independent not-for-profit entities that offer a trusted sharing
framework. In essence, they act as a trusted broker for sharing
security incidents, and other sensitive information without any fear
that the information will be used against the information source.
I’m suggesting that a network of European WARPs, that are
able to pool and share this sensitive information, not only with
the membership of national WARPs, but with the European
WARP community, will lead to more robust and secure critical
national infrastructures. Perhaps we could call it DigiLeaks?
Christopher Laing is a University Fellow in the Faculty of Engineering and Environment at Northumbria University. He is the Project Director of Northumbria’s Warning, Advice & Reporting Point (nuWARP), part of the UK Government’s CPNI initiative on securing information infrastructures. He is also a founder member of the GCHQ/EPSRC Cyber Security Research Institute, a Consultant for the European Network & Information Security Agency, and co-editor of ‘Securing Critical Infrastructures and Critical Control Systems: Approaches for Threat Protection’ (IGI Global, 2012).
Cyber Activism and Hacktivism
By Professor Tom Sorell and Dr Mariarosaria Taddeo, University of Warwick
Cyber activism and hacktivism are new forms of political participation which have been brought to the
fore by the digital revolution. Social and political scientists, as well as ethicists, have focused on these
two phenomena, highlighting their implications for the political lives of both democratic and totalitarian
countries. However, before considering their political consequences, it is important to focus on their nature
and on the differences between the two phenomena.
Cyber activism is often a form of conventional political participation that is only distinctive in using the
internet as a medium. It uses the internet to support citizens’ participation in the political lives of their
countries, e.g. signing online petitions, organising demonstrations, sharing information and attracting
attention to relevant problems. Less conventionally, cyber activism also focuses on issues concerning
the regulation of the internet, but does so through relatively traditional channels of political discussion.
Consider, for example, the Swedish Pirate Party, which emerged from the debate on the regulation for
the use of copyright material on the web and now focuses on problems like civil rights, direct democracy
and participation in government, reform of copyright, free sharing of knowledge, information privacy,
transparency and network neutrality.
Hacktivism occupies a different space and is an entirely new phenomenon. It is also quite controversial
from an ethical perspective. It is seen as ‘a social and cultural phenomenon, in which the popular politics
of direct action has been translated into virtual realms’ (Jordan, 2004). This form of political participation
emerges from hacker culture and has two roots: the open source or anti-copyright movement, which
originated in the 1970s at MIT, and the so-called lulz, which is a more recent phenomenon. ‘Lulz’ is
the internet adaptation of the texting acronym ‘L(augh) O(ut) L(oud)’: it refers to sharing disturbing or
provocative jokes and memes, such as for example the cartoon paedophile mascot ‘Pedobear’.
The ethos of the lulz is at the very heart of Anonymous, which over the past decade has become a leading hacktivist movement. Anonymous is a disruptive and powerful social force able to transform sporadic cell-based cyber performances and protests into tactics adopted on a regular basis by globally decentralized networks of individuals seeking to intervene in real-world situations. The decentralization is not just the form of the movement; it is the means through which Anonymous endorses one of its ethical values, i.e. anonymity. Anonymous does not rely on a leader, applying instead the so-called ‘one made of many’ model, which de-emphasises the identities of its members. Anonymous members have participated in actions ranging from support for the Arab spring and identification of sex offenders to attacks on private companies and institutional websites, e.g. the attack against Amazon, PayPal, MasterCard, and VISA and against the Spanish Police and the Malaysian government. The fact that there is no real coherence to Anonymous causes, and the fact that some of its denial of service attacks have seemed arbitrary and have been carried out with impunity, raises questions about the legitimacy of its form of activism. Since Anonymous has also supported the questionable evasion of rape charges by Julian Assange and some questionable Wikileaks disclosures, its actions also call attention to the power of hacktivist alliances and the possible illegitimacy of joint activism carried out anonymously and unaccountably.
Dr. Rosaria Taddeo has been a Marie Curie Research Fellow at the University of Hertfordshire and has been a Research Associate at Oxford. She works in all areas of cyber ethics and cyber-security. She has been awarded several international prizes and is the author of many peer-reviewed articles.
Professor Tom Sorell is Professor of Politics and Philosophy in the Department of Politics and International Studies (PAIS) at the University of Warwick. He is also ESRC Global Uncertainties Leadership Fellow (2013-15). Before coming to PAIS in January 2013, he was John Ferguson Professor of Global Ethics at the University of Birmingham, and Director of the Centre for the Study of Global Ethics. He was previously Co-Director of the Human Rights Centre and Professor of Philosophy, University of Essex. In 1996-7 he was Fellow in Ethics at Harvard
Snowden, Prism, and State Regulation of the Internet
By Andrew Miller MP
I was tempted in writing this piece to focus on why there is no public Wi-Fi in the European Parliament but I will avoid that! Let me just say that as we were at the European Parliament to discuss cyber threat issues in a modern society, we need to accept that most citizens now want “anywhere, anytime” connectivity and there are challenging security implications created by that desire. These challenges range from the rights and privacy of the citizen, through to the needs of law enforcers and security services to protect both individuals and the nation state. Whilst these two priorities create tensions between one and another, they are not mutually exclusive.
The so called Snowden revelations have coloured this debate. Indeed, whilst we were in Brussels, a press statement emerged regarding internet governance that some see as a backward step away from the only effective approach of greater stakeholder engagement. There is a genuine danger at the present that if we allow debates around ‘Prism’ to dominate the way we approach these matters, there will be unintended consequences leading us towards a more state regulated internet. Whilst that superficially will seem good to some, the reality is that it will give more power to control the citizen within any undemocratic nation. Getting the balance right will be one of our real challenges over the next few years, which is why I have always been a strong supporter of the Internet Governance Forum’s (IGF) approach, promoted so strongly by Nominet, with cross party support in the UK.
My concerns about this point were reinforced by conversations with a Swedish MEP who clearly had no trust in the British state machinery because of the relationship between GCHQ and the NSA. Conversely, it remains the case that a large amount
of anti-terror intelligence gathering requires the most covert
surveillance and I have long argued the need for what I
would call an “on-line warrant” to empower a state agency
to actually examine the content of personal electronic
traffic. There is a direct parallel between the electronic
world and the physical world here and I believe appropriate
mechanisms can be created that protect both citizen and state.
Whether this is possible, in the current era of mistrust, remains
to be seen. The very nature of the EU, in dealing with challenges
like these, presents us both with problems and opportunities. As
a supporter of our membership of the EU, I will try to look at both
sides. The problem is the very reality of dealing with massive
data flows, within nations that have very different histories, with
various degrees of commitment towards NATO ideals and 28
or more languages. Finding common ground will be very hard
indeed.
On the plus side, if we can reach agreement we can genuinely
set standards that will influence the world in a way that the
Americans or Chinese could not.
As Labour Member of Parliament for Ellesmere Port and Neston, Mr Miller represents just under 70,000 electors. As well as dealing with numerous widely diverse issues at constituency level, Mr Miller is also Chair of the Science and Technology Select Committee; Chair of the Parliamentary & Scientific Committee; Vice-Chair of the Parliamentary Internet, Communications and Technology Forum (PICTFOR) and a Member of the Liaison Committee. Between 1992 and 2001 he was also a member of the House of Commons Information Committee and has served on many other parliamentary committees. Mr Miller is the author of ‘Information and Communication Technology Tools for Better Government’, a paper commissioned by the Cabinet Office Minister in preparation for the Modernising Government White Paper in 1998. Mr Miller also presents widely on Information Technology, E-working and E-Government.
The Dark Side of Social Media: Rumours, Real Time and Cyber Security
By Dr. Layla J. Branicki, Lecturer in Strategy and International Business, University of Birmingham
The invention of social networking technology platforms such as blogs, Facebook and Twitter, and
widespread uptake of them by citizens, has led to new and more immediate modes of information
exchange. As a result of this technological shift, traditional forms of media (from print press to TV news
broadcast) have rapidly been supplemented, or in some cases superseded, by modes of communication
that are more social, frequent, accessible and interactive. While these new technologies have brought
many benefits for users and for wider society, they are not without their risks and challenges. For
example, in January 2010, via the social media platform Twitter, a rumour spread in real-time about the
evacuation of the Grand Central Terminal in Manhattan. A journalist recounted that ‘streaming before
my eyes was… the ebb and flow of rumor’ and noted that the experience of real-time data analytics,
in this context, was ‘fascinating, frustrating and mesmerizing’ (Bnet, 2010). Multiple versions of the
rumour spread rapidly through Twitter and ranged from the entire report being a Twitter hoax, to a steam
explosion resulting in one death and 15 injured to a dirty bomb attack (Bnet, 2010). The NYPD later
confirmed that the station had been briefly evacuated but there was no evidence of either injuries or
a terrorist threat. The case of Grand Central highlights a dark side to the use of both social media and
real-time data analytics. Whether false rumour spread is thoughtless, intentional or malicious it has
the potential to influence real world action and raises the possibility that social media accounts might
be hijacked or harnessed in order to create panic and disruption. In effect, the social media platform
creates the potential for a crisis to be generated from a non-event (e.g. a reported terrorist attack).
Understanding the ways in which information is exchanged and rumours proliferate across social media
platforms is critical for understanding the scale of this predominantly social as opposed to technical threat
to cyber-security. A recent multi-disciplinary study found that the speed, scale and scope of rumour spread
across a social media network was heavily predicated on both the social and network characteristics of the
person creating or transferring the information (see Preston et al, 2013). For example, a highly connected
individual with an established voice on a social media platform is arguably more likely to influence real-world actions as a result of the information that they post (see Branicki and Agyei, 2014).
Dr Layla Branicki is a lecturer at Birmingham Business School (University of Birmingham) specialising in the linked areas of resilience, critical national infrastructure protection and the impact of social media on crisis communication. Prior to joining Birmingham, Layla was the Strategy, Organisational Learning and Resilience Research Fellow at Warwick Business School. Layla worked on the first major UK project to examine the existing capacity of organisations, and networks of organisations, to manage emergencies and was a co-investigator on the EPSRC funded project ‘Game Theory and Adaptive Networks for Smart City Evacuation’.
The outcome of malicious social media rumour spread in relation to non-events might range from individual anxiety to crowd panic, and from unnecessary resource allocation to city evacuation. Two methods by which social media could be targeted are:
a) The creation and maintenance of a large number of ‘sockpuppet’ accounts (i.e. created and used solely for the purpose of deception) which are then used to seed false and/or malicious rumours across social media networks;
b) The hacking and hijacking of existing user accounts which are either dormant or highly network centric.
Approaches to the malicious use of social media could use Twitterbots (or similar) to produce a schedule of automated posts designed to increase the rapidity of information spread and the traction of the messages (i.e. by including faked or mislabelled images).
Social media is in many respects a soft-target for cyber-attack, as
the methods used may require relatively minimum levels of technical
expertise, be low cost, diffuse, and as a result difficult to detect.
Understanding the ways in which social media platforms are used and
how information spreads across them is therefore critical in enabling
the risks associated with social media to be better understood and for
appropriate interventions to be designed.
A central tension however exists between mitigating the threats
and enabling the opportunities created by access to an open and
connected internet. In the EU’s vision of ‘how to enhance security in
cyberspace’ it is stated that ‘for cyberspace to remain open and free,
the same norms, principles and values that the EU upholds offline,
should also apply online’ (European Commission, 2013) and yet it is
unclear how this can or ought to be applied to the soft-target of social
media. In section 1.21 of the UK National Security Strategy (2010)
the potential impact of a new ‘mass of connections’ upon security was
highlighted. It was argued that networks, including social networking
technologies and 24 hour news media, could impact security as
interest groups become more able to pressurise governments and a
wide range of ideas easily proliferate globally (UK National Security
Strategy, 2010). An article on ZDNet highlighted how reducing loose
connections on Facebook could decrease the risk of terrorism and
discussed, as a possible intervention, ‘National Unfriend Day’ (2010).
Loose networks may lead to increased risk in extreme cases and yet they also facilitate openness and connectivity on a daily basis. How to best police and protect social media is therefore a complex cyber-security question, as it is as much about trade-offs between privacy and ethics as it is about technical intervention.
BIBLIOGRAPHY
END NOTES
The Legal Perspective
Share prices are rarely hit hard by cyber attacks, Financial Times, 31 October 2013.
PwC (2013), Unlocking Potential: Finance effectiveness benchmark study 2013, October 2013, page 27. http://www.pwc.com/et_EE/EE/publications/assets/pub/unlocking-potential-financial-effectiveness-benchmark-study-2013.pdf
The Business Perspective
http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/01/31/microsoft-announces-brussels-transparency-center-at-munich-security-conference.aspx
European Critical Information Infrastructure
1) Joint Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, Brussels, 7.2.2013, JOIN(2013) 1 Final.
2) Commission Staff Working Document on a new approach to the European Programme for Critical Infrastructure Protection, Making European Critical Infrastructures more secure, 28.8.2013, SWD(2013) 318 Final.
2a) Executive summary of the Impact Assessment on PDEPC (2013).
3) Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union.
4) Digital Agenda for Europe (2010, reviewed Dec 2012), Pillar 3: Trust and Security.
5) Benefits of an integrated European energy market, DG Energy commissioned report (2013).
6) Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Protecting Critical National Infrastructure across Borders: Cyber Security and Blended Threat
ASIS International (2012), ANSI/ASIS PAP.1-2012, Security Management Standard: Physical Asset Protection. Available at: http://www.asisonline.org
ISO 22301:2012, Societal Security – Business Continuity Management Systems – Requirements. BSI Standards Limited.
ISO/IEC 27001:2013, Information technology – Security Techniques – Information Security Management Systems – Requirements. BSI Standards Limited.
ISO/IEC 27002:2013, Information technology – Security Techniques – Code of practice for information security controls. BSI Standards Limited.
ISO 31000:2009, Risk management – Principles and guidelines. BSI Standards Limited.
Cyber Activism and Hacktivism
Jordan, T. (2004), Activism!: Direct Action, Hacktivism and the Future of Society, Reaktion Books – Focus on Contemporary Issues.
Milan, S. (2012), “The Guardians of the Internet? Politics and Ethics of Cyberactivists (and of their Observers)”, Inter-Asia Roundtable 2012.
The Dark Side of Social Media: Rumours, Real-Time and Cyber-Security
Branicki, L. and Agyei, D. (forthcoming 2014), Unpacking the impacts of social media upon crisis communication and city evacuation, in Preston, J. (editor), City Evacuations: an interdisciplinary approach, Springer: NY.
Bnet (2010), Evacuation at Grand Central? Anatomy of a Twitter Rumour. Accessible: http://www.bnet.com/blog/new-media/evacuation-at-grand-central-anatomy-of-a-twitter-rumor/4615 Accessed: 24.04.14.
European Commission (2013), Joint Communication on the Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. Accessible: http://eeas.europa.eu/policies/eu-cyber-security/cybsec_comm_en.pdf Accessed: 24.04.14.
Preston, J., Binner, J., Branicki, L., Ferrario, M., Galla, T., Jones, N. and Kolokitha, M. (2013), City evacuations: preparedness, warning, action and recovery. Final report of the DFUSE project (Game theory and adaptive networks for smart evacuations: EP/I005765/1). Accessible: http://www.cityevacuations.org/public-report.html Accessed: 24.04.14.
UK National Security Strategy (2010). Accessible from: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/61936/national-security-strategy.pdf Accessed: 24.04.14.
ZDNet (2010), ‘How ‘National Unfriend Day’ can prevent terrorism’. Accessible: http://www.zdnet.com/blog/igeneration/how-national-unfriend-day-can-prevent-terrorism/6696 Accessed: 02.12.10.
LIST OF COMMISSIONERS
Jonathan Sage (Government Programmes Executive, IBM)
Stephen Mosley MP
Colin Whittaker (Head of Payment System Security, Visa Europe)
Andrew Miller MP (Chair, Science and Technology Select Committee)
Tim Parsons (Cyber Lead Technologist, Selex ES)
James Morris MP
Dr Duncan Hine (Principal Fellow, Warwick Manufacturing Group, University of Warwick)
Jane Jenkins (Partner, Freshfields Bruckhaus Deringer)
Professor Tom Sorell (Professor of Politics and Philosophy and Head of the Interdisciplinary Ethics Research Group, Politics and International Studies, University of Warwick)
Dr George Christou (Professor of Politics, University of Warwick)
Christian Engstrom MEP
Rachael Bishop (Lead NIS Directive, BIS)
Nikki Muckle (Senior Assistant Registrar, Research Strategy, University of Warwick)
Jessica Smith (Cabinet Office)
Dr Christopher Laing (Northumbria University)
Professor Richard Aldrich (Director of Research, Politics and International Studies, University of Warwick)
Lynne Coventry (Northumbria University)
David Abrahams (Head of Public Policy, Nominet)
Carla Baker (Senior Government Affairs Manager, Symantec)
Jan Neutze (Director of Cyber-Security Policy, Microsoft EMEA)
Professor Tim Watson (Director, Cyber Security Centre, University of Warwick)
ACKNOWLEDGEMENTS
Firstly, the Industry and Parliament Trust (IPT) would like to thank the University of Warwick for funding the Cyber-Security Commission, the visit to Brussels and the publication of this report. Particular thanks should be given to Dr Duncan Hine, Professor Richard Aldrich, Nikki Muckle and Denise Hewlett for the ideas behind the commission and help in bringing together such an interesting group of academics, parliamentarians and industry representatives.
The IPT would also like to thank the Parliamentary Internet, Communications and Technology Forum (PICTFOR) for assisting in creating the content for the commission and help in bringing the three PICTFOR parliamentarians to the commission’s events and activities.
We would also like to thank all those involved in the sessions in Brussels and this report, without whom none of this would be possible: Christian Engstrom MEP, Emma McClarkin MEP, Sajjad Karim MEP, Phil Uzupris from the UK Representation to the European Parliament (UKREP), Jonathan Sage from IBM, Rachael Bishop from the Department for Business, Innovation and Skills (BIS), Jessica Smith from the Cabinet Office and Steve Purser from the European Network and Information Security Agency (ENISA).
Finally, special thanks should go to Rioco Green, the IPT’s wonderful Communications Intern, who helped design this report and, ultimately, made it look so good.
Talal Rajab, June 2014
The Industry and Parliament Trust’s (IPT) Cyber Security Commission was designed to assess how best to nurture UK/EU co-operation on cyber-security and create a series of thoughts to that effect. The aims of the project were achieved by creating a group of ‘Commissioners’ consisting of academics, policymakers and industry representatives who discussed the different ways in which to formulate a cross-border response to the ever changing threat of cyber-crime. The Commissioners helped deliver the content and direction of the discussions and documented their findings in this report. The main bulk of the Commission took place in Brussels over two days in February, with the IPT arranging a delegation of commissioners to visit the Joint Research Centre (JRC) in the European Commission and receive a set of briefings on the targets and progress of the EU’s agenda on cyber-security. These briefings drew on the expertise of industry representatives, academics and policymakers, with the aim of the sessions being to develop a consensual framework from the delegation on EU/UK cyber security co-operation.
I commend this volume of fascinating essays as a contribution to debate across Europe on how best to address this threat.
- James Arbuthnot MP for North East Hampshire
The Industry and Parliament Trust Cyber Security Commission was an informative and enlightening series of events that highlighted the progress made, and the work yet to do, around cyber security within the European Union.
- Professor Tim Watson, Warwick University
Industry and Parliament Trust
www.ipt.org.uk
@indparltrust