Report Cyber Security Industry and Parliament Trust CYBER SECURITY 2.0 REflECTIonS on UK/EU CYBER SECURITY Co-opERaTIon CONTENTS 1. Foreword and Introduction 3 By James Arbuthnot MP and Talal Rajab, IPT 2. You, Me, and the Great Threat to Cyber Security 6 By Steven Mosley MP 3. Cyber-Security: The Need for Greater Co-Operation Between Public, Private and Academic Spheres 8 By Tim Watson 4. The Challenges of Creating a Pan-European Approach to Cyber-Security 9 By James Morris MP 5. The Network and Information Security Directive What Role can Regulation Play in Improving Cyber Security: 10 The Legal Perspective By Jane Jenkins 6.Cyber Security Legislation in Europe: The NIS Directive and the Opportunities for Leadership and Harmonization: The Business Perspective 14 By Jan Neutze 7. Cyber Security Regulation and it’s Relevance to the Payments Industry: A Case Study 16 By Colin Whittaker 8. The Policy Challenges of Cyber Security By David Abrahams 18 9. The NIS Directive and Protecting Critical National Infrastructure 20 By Carla Baker 10. European Critical Information Infrastructure By T.J.Parsons 23 11. Protecting Critical National Infrastructure across Borders: Cyber Security and the Blended Threat 29 By James Willison 12. A Year is a Short Time in Cyber-Space 32 By Dr.Christopher Laing 13. Cyber Activism and Hacktivism 34 By Tom Sorell and Mariarosaria Taddeo 14. Snowden, Prism and State Regulation of the Internet 36 By Andrew Miller MP 15. The Dark Side of Social Media: Rumours, Real Time and Cyber Security By Dr. Layla J Branicki 38 16. Bibliography 40 17. List of Commissioners and Acknowledgements 41 2 FoRewoRd TheRe Can be Few aReaS In whICh The need FoR PolITICIanS and InduSTRy To woRk CloSely TogeTheR haS gReaTeR ReSonanCe Than The FIeld oF CybeR-SeCuRITy, and I am delIghTed ThaT The InduSTRy and PaRlIamenT TRuST haS ConTRIbuTed To bRIngIng TogeTheR ThInkIng In ThIS aRea. UK/EU CYBER SECURITY Co-opERaTIon BY JamES aRBUThnoT mp, foRmER ChaIR of ThE hoUSE of CommonS DEfEnCE SElECT CommITTEE The threat of cyber-attack was identiied in the National Security Strategy as one of the highest priority risks facing the UK. Whilst Government has an important role to play in protection against such attack, and this issue is being given increasing priority across Government, much of the work in ensuring security of our critical infrastructure must be done in the private sector. Defence doctrine places a strong emphasis on the importance of deterring security threats, using the full spectrum of the state’s capabilities to make clear to potential enemies that there will be costs to hostile action that will outweigh the beneits they hope to achieve. Cyber-attack poses a different challenge. It may not be readily clear that a state or single body can be held responsible, and there may therefore be no one against whom retaliation can be threatened. Where the ability to deter is reduced, there is a need to focus instead on protecting critical systems against attack, ensuring that they are resilient in the face of attacks that get through, and building in systems for quick recovery in the event of successful and destructive attack. This is as much a task for the private sector as for Government. A successful cyber-attack on the UK could have truly apocalyptic consequences and given the linkages between our economies, a threat to our EU partners also represents a threat to the UK. I commend this volume of fascinating essays as a contribution to debate across Europe on how best to address this threat. 3 InTRoduCTIon REflECTIonS on EU/UK CYBER-SECURITY Co-opERaTIon InTRoDUCTIon - Talal Rajab, Business Relations Manager, Industry and Parliament Trust yber-security continues to remain a hot topic public, private and academic spheres better work for both industry and Parliament. It has been together to improve our responses to the threat over two years now since the UK Government of cyber-crime. The purpose of this report is to published its National Cyber Security Strategy. analyse the role regulation can play in answering Its key objectives were to make the UK more these questions, and more. ‘cyber-resilient’ to protect our interests, build essays from parliamentarians, academics and cyber-security knowledge and skills amongst representatives from industry, the report will seek to the population and, ultimately, make the UK the assess recent EU legislation around cyber-security most secure place to do cyber-related business. and analyse some of the key concerns related C Comprising of short to UK/EU cyber-security co-operation focused Cyber criminals are, however, global in their outlook on three key areas: the EU’s recent Network and protecting our interests in cyber-space therefore and Information Security Directive (NIS), the requires a global approach. Recent EU directives standardisation of protecting critical infrastructure surrounding cyber-security have attempted to across the EU and the effects of cyber-activism standardise practice amongst member states, on businesses and policymaking around Europe. though the effects these proposed directives will have on states and their businesses are debatable. In Chapter One we have contributions from Stephen How, for example, do you deine what is “critical” Mosley MP, Professor Tim Watson of the University when referring to critical national infrastructure of Warwick and James Morris MP, with introductory from country to country? How have revelations pieces on the IPT’s cyber-security commission regarding PRISM and Edward Snowden affected and an analysis of the challenges towards creating co-operation between nations? And how can the a pan-European approach to cyber-security. 4 InTRoduCTIon Chapter Two delves into the legal and regulatory principles behind UK/EU cyber-security co-operation, with a particular focus on the EU’s recent Network and Information Security (NIS) Directive. Jane Jenkins (Freshields Bruckhaus Deringer), Jan Neutze (EMEA Microsoft), David Abrahams (Nominet) and Colin Whittaker (Visa Europe) look at the regulatory principles behind the directive and assess its impact on businesses. In Chapter Three we focus more closely on a key aspect of cyber-security that many argue requires the greatest cross border co-operation – that of protecting critical national infrastructure. Carla Baker (Symantec), James Willison (ASIS International) and Tim Parsons (Selex ES) outline the current cyber initiatives and standards operating in the EU and the UK The IPT is an independent, non- related to protecting critical national infrastructure, both voluntary lobbying, and mandatory, and stress the need for a holistic approach to that provides a trusted platform of managing the cyber-related risks to infrastructure that involves engagement between Parliament greater co-operation between the public and private sectors. and UK business. The IPT is Finally, Chapter Four takes a look at one of the most pertinent dually supported cyber-security related topics at the moment – that of cyber- party representation activism, or “hactivism”. Tom Sorell and Mariarosaria Taddeo parliamentarians (University of Warwick), Andrew Miller MP, Dr Layla Branicki of (University Laing patronage of its industry supporters. (Northumbria University) discuss recent trends in relation to The IPT creates an environment that cyber-activism and the security implications created by the supports trusted, open and two-way desire amongst the population of having “anywhere, anytime” dialogue between Parliament and connectivity to the internet. UK business. IPT platforms engage, of Birmingham) and Dr Christopher This report does not pretend to provide any concrete solutions to many of the problems related to cyber-security regulation, nor does it attempt to take any particular position on the merits of UK/EU co-operation around cyber-security. Its purpose is to analyse some of the key policy related questions associated with UK/EU cyber-security co-operation and hopefully provide a platform for others to continue the discussions further. Regardless of the UK’s relationship with the EU in the future, and regardless of how EU legislation around cyber-security develops, it is clear that the questions and topics raised in this report will continue for a long period of time. We hope that this collection of essays helps bring policymakers, industry representatives and academics closer together to ensure that the UK’s cyber-space is the best regulated, and best protected. 5 non-partisan Trustees, by on and charity cross- of senior its Board through the educate and inform, create lasting relationships and exchange of ideas. facilitate the uk/eu CybeR SeCuRITy Co-oPeRaTIon YoU anD mE: ThE GREaT ThREaT To CYBER SECURITY BY STEPHEN MOSLEY MP uring the Industry & Parliament Trust (IPT) Here was a man, who had only been in place and Parliamentary Internet Communications for a few months with relatively little power or Technology Forum (PICTFOR) Cyber Security inluence, who managed to smuggle over one Commission visit to Brussels, there was one million iles out of the National Security Agency constant theme that stood out. Whether you (NSA), an organisation that you would hope would attended be one of the most secure institutions in the world. D the discussion groups, seminars or meetings, you will have heard the same message: no matter how secure your system, how It is of no surprise that spies spy and I do not think comprehensive your regulations or the type of anybody realistically expected the NSA to not hold business you are involved in, there is always one data on a wide range of security interests. What weak point in your network. And that weak point is came as a surprise, at least for me, was that one man consistent the world over. It is, of course, the user. had access to such much important data. Except he didn’t. Not quite. He was helped by the user error The background to our visit was the Snowden of his colleagues, up to two dozen of whom were revelations. This event had an intense impact duped by his system administrator status to give on the UK, our relationships with our European him their login details. That user error – admittedly partners and the future of our security intelligence combined with a staggering degree of systemic services. What’s more, it perfectly demonstrated vulnerability – could threaten the NSA opens up a the conference’s lesson about user-weakness. much bigger challenge, and not just for America. 6 uk/eu CybeR SeCuRITy Co-oPeRaTIon During the conference we also heard that the most likely way that Iran’s uranium enrichment facilities were infected and damaged by the Stuxnet virus was by someone inserting an infected USB stick into a Windows machine. One of the most secure sites in Iran, built to withstand bombing raids and totally protected against external cyber-attacks, was brought low because someone inserted a USB stick. And how did that person get hold of the USB stick? They most likely found it in the car park. ThERE IS alwaYS onE wEaK poInT In YoUR nETwoRK, anD ThaT wEaK poInT IS ConSISTEnT ThE woRlD oVER The Stuxnet virus took advantage of previously unknown hacks Stephen Mosley has been the Member of Parliament for the City of Chester since 2010. in Microsoft software. Within minutes of Microsoft releasing new software patches on Patch Tuesday, the second Tuesday of every month, malware developers take advantage of the hacks revealed to attack machines. This high-speed activity from potential hackers is here to stay – but individuals can protect themselves. Often, Microsoft’s vulnerabilities are exposed and systems penetrated because users failed to update their software. The only answer is to make sure that you always update your machines with the latest patches as regularly as possible. Finally, it is not just in Iranian security facilities and the headquarters of the NSA where security is under threat. The inal major case of user error is something with which we are all Before entering parliament, Stephen enjoyed a career in the IT industry, initially working for IBM before setting up his own IT Consultancy in 1997. He has a Degree in Chemistry from the University of Nottingham and has served on Chester City Council (2000-9), including two years as Deputy Leader of the Council, and on Cheshire County Council (2005-9). familiar. That suspicious looking email arrives in your inbox; you don’t recognise the sender and it comes with an attachment. You download it and, predictably, it contains a virus. This familiar tale is the most common case of security breaches – and we can all take small steps to prevent it. So I’ve come back from Brussels with a very simple message. Whether you’re working for the Government, running your own business or simply sitting at home on your laptop, you must always update your software, never open attachments that you do not know what they are and never put strange USB sticks in your machine! 7 In Parliament, Stephen serves as a member of the Science & Technology Select Committee, is Co-Chair of the Parliamentary ICT Forum and has been appointed a Small Business Ambassador by the Prime Minister. hea uk/eu CybeR SeCuRITy Co-oPeRaTIon The Industry and Parliament Trust (IPT) Cyber Security Commission, was an informative and enlightening series of events that highlighted the progress made, and the work yet to do, around cyber-security within the European Union. Vladimir Sucha, the Director General of the Joint Research Centre (JRC), opened proceedings with an overview of the work being done by the JRC. It became clear that whilst the JRC are doing good work around cyber-security, engaging with national bodies and academic institutions, there are beneits to be had from greater collaboration. It was concluded that it may be worthwhile for the JRC to consider staff exchanges with universities. One of the issues raised throughout our time in Brussels was CYBER-SECURITY: ThE nEED foR GREaTER CoopERaTIon BETwEEn pUBlIC, pRIVaTE anD aCaDEmIC SphERES BY PROFESSOR TIM WATSON, UNIvERSITY OF WARWICK the common view that public and private sector communities are continually playing catch-up and are one step behind attackers. While it is true that criminals are often extremely agile in their ability to exploit new systems, be they economic, social or technical, and while it is equally true that the process of regulation and governance often cannot react at the same pace, it is not inevitable that the defenders of systems will be playing catch-up. Often law enforcement, security and intelligence agencies are one or more steps ahead of criminals. There is no reason why organisations, large and small, cannot provide adequate protection for their systems without stiling the business processes that they are meant to facilitate. For this to happen we need to provide the right balance of training, education and awareness in areas such as procurement and Prof. Tim Watson is the Director of contracts, board level governance and operational security so that the Cyber Security Centre at the trustworthy systems are procured, developed and maintained. University of Warwick. With more We also need to improve the social and narrative interaction than twenty years’ experience in the between the security communities and the decision-makers within computing industry and in academia, organisations so that cyber-security is seen as a business enabler he has been involved with a wide and so that the risks and rewards of doing it properly are clear to all. range of computer systems on several The private sector has its part to play too, as there is still too much reliance on the technical solutions provided by cyber-security irms. There needs to be a greater contribution from the behavioural sciences in the development of technical security controls, and the historic preference for commoditised products over more holistic security services should be discouraged. While it can be argued that an academic may not be completely unbiased in this area, it does seem as though we should move from a position of trying to buy cyber-security off the shelf and to have staff trained suficiently to operate the products, to a position where cyber-security is educated into organisations and the focus for security controls is as much on social, cultural and behavioural controls as it is on technical controls. This ought to be a key focus for the JRC and for Member States. 8 high-proile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. He has designed, produced and delivered innovative courses on cybersecurity for a variety of public and private-sector organisations. Tim’s current research includes EU funded projects on combatting cyber-crime and research into the protection of infrastructure against cyber-attack. Tim is also a regular media commentator on digital forensics and cyber-security. uk/eu CybeR SeCuRITy Co-oPeRaTIon ThE ChallEnGES of CREaTInG a pan-EURopEan appRoaCh To CYBER-SECURITY BY JAMES MORRIS MP James is the Conservative Member of Parliament for Halesowen and Rowley Regis and Parliamentary Private Secretary to Employment Minister Esther Mcvey. He was previously a successful small businessman specialising in computer software. In 2003 he founded Mind the Gap, an independent campaign to promote civic action and to encourage more grassroots involvement in politics. Prior to entering Parliament, James was the Chief Executive of the think tank Localis. Prior to becoming a PPS to Esther Mcvey MP, James was a member of the Communities and Local Government Select Committee and is currently a member of the All Party Parliamentary Group on Homeland Security The challenge for government and business in relation to tackling threats from cyberspace is complex and multi-dimensional. It poses dificult questions as to the most appropriate level at which to tackle the problem in a world which has porous borders and ungoverned virtual spaces. Should Britain seek to tackle the problem at a national, European Union or global level? Combatting the threat of cyber-attack on business, government and critical national infrastructure involves dismantling traditional notions of sovereignty, boundaries and protocols and thinking about cooperative relationships in a new way. Successful solutions in this area do demand that countries co-operate across traditional boundaries and the businesses share information both among other businesses and with governments. The networked world presents rich opportunities for business and government while simultaneously offering a similarly rich array of strategic and tactical threats. Recent attempts to regulate cyberspace at the European Union level on a pan European basis seem doomed to fail because they fail to take into account the lexibility that is required to cope with the strategic threats of the networked world. Many countries in Europe have yet to develop an appropriate strategic level of operational response to the cyber threat and the danger of European Union level regulation could mean that the UK could be dragged into an elaborate attempt to drab the weakest put to a certain level. Would this be in Britain’s national interest? Attempting to regulate on a pan European basis also runs into complex deinitional issues. For example, is it possible to deine what ‘Pan European critical national infrastructure’ is? The answer is almost certainly no. The reality is that some light touch co-operation across Europe may be desirable; but Britain should be seeking a global reach in its overall approach to cyber-security by building a network of co-operative alliances with countries like Israel and the US rather than locking itself into a European Union approach which is predicated on the lowest common denominator. Britain should be seeking to build this network of co-operative relationships as a more appropriate response to the complex global challenge of cyber-security. 9 CybeR-SeCuRITy RegulaTIon ThE nETwoRK anD InfoRmaTIon SECURITY DIRECTIVE whaT RolE Can REGUlaTIon plaY In ImpRoVInG CYBER SECURITY: ThE lEGal pERSpECTIVE BY JANE JENKINS, PARTNER, FRESHFIELDS BRUCKHAUS DERINGER LLP In February 2013 the European Commission published its proposal for a draft Directive on ‘Network and Information Security’ (NIS) to regulate operators of critical national infrastructure across the EU. The objectives behind the Directive are to create an EU wide information sharing framework with requirements for each Member State to adopt a network and information security strategy, to designate a national authority charged with implementation, to establish a computer emergency response team to respond to NIS risks and incidents and to ensure operators put in place appropriate security measures. There is a requirement to report signiicant incidents to national authorities, who will have discretion to publish reports where they deem publication to be in the national interest. The authorities will also have the power to impose sanctions for failure to meet the required standards. The draft Directive has provoked signiicant debate around key issues including its scope, the mandatory reporting of breaches and the imposition of additional technical standards. On 13 March 2014 the European Parliament approved a revised draft containing signiicant amendments to water down the scope and effect of the law. Cyber-security is an arena where defence and data protection meet. Attackers have varying motivations: some look to use data theft and service disruption as a means of advancing political and ideological agendas. Others are exploiting vulnerabilities in networks to steal data for inancial gain and perpetrate fraud. The Commission justiies the imposition of regulation as a means to establishing a reliable environment for the proper functioning of essential services. The Directive is not driven by the protection of data nor personal privacy; it is concerned with protecting critical national infrastructure. 10 CybeR-SeCuRITy RegulaTIon The aim of this paper is to identify the competing arguments and address the Directive in the broader context of regulatory developments in the USA and Germany. The European Commission considers existing EU rules, requiring telecoms and data controllers to adopt security measures and report security incidents, to be too speciic and too fragmented to truly affect cyber-security issues. It sees the new Directive as establishing an enhanced, consistent EU-wide standard to protect our key internet based infrastructure. The Commission’s proposal extends to internet companies, cloud providers, social networks, e-commerce platforms, search engines, banking and trading markets, energy generators, transmission and distribution companies, operators of transport systems (including aviation, maritime and rail), hospitals and clinics and public administrations. The EU Parliament has removed key internet enablers and provided greater detail around remaining categories to include speciically regulated markets, multilateral trading facilities and organised trading facilities. Listed companies will be subject to minimum security standards. Conversely, public administrations are not caught en masse - only those which fall within the deinition of the other speciic functions. This is surprising, given the vulnerability and criticality of central and local government. Suppliers in the UK, in particular, may react with cynicism given the strong messaging to industry generally to address cyber-security at the board level and the stated intention to exclude from government contracting those suppliers who do not meet acceptable standards of cyber health. mandaToRy RePoRTIng and PublICITy – The ConTRoveRSIeS Perhaps the most controversial issue in the draft Directive is the requirement to report signiicant breaches coupled with the ability of the NIS to make such reports public. Whilst the UK Government fully supports the objectives of increasing protection and resilience against attacks, it feels that mandatory reporting will create perverse incentives that may cause companies to turn a blind eye to risks. The UK Government, rather, advocates a policy of voluntary information sharing and has therefore set up the information sharing partnership (CISP) to encourage the sharing of information about attacks and the means to combat them. Industry points to the risk of damage to reputation, with associated impact on share price and customer loyalty, as a key cause for concern in regards to the issue of mandatory reporting. These arguments are less persuasive given the existing requirement under data protection laws to report signiicant attacks to data subjects and, separately, under the Stock Exchange listing rules to disclose to the market any incident that may impact on share price under the “reasonable investor” principle. This raises an interesting point concerning the impact cyber-attacks that are made public have on share prices. A limited survey conducted in 2013 suggested that share prices were unaffected by publicity around cyber breaches. This suggests a lack of investor appreciation of the risks to businesses posed by such attacks. Indeed, a 2013 PwC survey revealed that the majority of Finance Directors of FTSE350 companies were unable to evaluate the cyber risks to their businesses so as to make decisions as to the proportionate and appropriate levels of investment required to commit to cyber risk management. If Finance Directors are in the dark, investors will be too. 11 CybeR-SeCuRITy RegulaTIon ThE aTTaCK on US RETaIl GRoUp TaRGET, aT ThE EnD of laST YEaR, maY BE a waKEUp Call. CASE STUDY On 19 December 2013 Target announced that hackers entering its network via a heating supplier had stolen basic card data for 40 million of its customers. On 10 January 2014 this was revised to 70 million customers. The company’s stock value fell 4% over this period and the company now faces class actions from its customers whose data have been lost, its shareholders who allege a breach of iduciary duties of the directors to safeguard the information lost and the banks who have had to compensate their customers for fraudulent credit card transactions. IMCO and the EU Parliament’s reactions to the mandatory reporting obligation were to introduce additional protections for the company suffering the attack. Firstly, there is a statement that the notiication of incidents “shall not expose the notifying party to increased liability”. It is unclear how such a provision would work in a case where an incident gives rise to civil liability to customers or other third parties. It would not seem appropriate to deny those parties the opportunity to pursue their legal rights arising under national law. Additionally, Parliament has introduced a right to be consulted on a proposed publication with a hearing if requested. Where information is publicized, it proposes that this shall be anonymised. On market disclosure the amendments propose that Member States shall “encourage market operators to make public incidents involving their corporation in their inancial reports on a voluntary basis”. There is a tension here with existing notiication rules and the Securities Exchange Commission has indicated it is contemplating enforcement action in relation to failures to report incidents to market. A further area of uncertainly is the threshold for reporting. IMCO has sought to provide greater clarity around the deinition of a “signiicant incident” which will trigger the notiication obligation. It proposes that signiicance be determined by factors including the number of users affected and the duration and geographic spread of the incident. In its current form the Directive envisages the development of sector speciic guidance on both the meaning of a signiicant incident and the related test for mandatory notiication. The European Network and Information Security Agency (ENISA) will be involved in developing that guidance. There has been resistance from industry to setting technical standards at the EU level given a concern at the inconsistent standards applying outside the EU. Commentators are concerned that a standard will become a lowest common denominator and encourage a “tick box” approach to compliance as opposed to a dynamic and continuous review of threats and their management. Germany, however, is pressing ahead with its own legislation which is likely to be in place before the EU Directive. Its ‘IT Security Act’ is aimed at imposing mandatory standards (currently being addressed on a sector speciic basis with trade associations), obligations to report incidents and to conduct an audit on a two yearly basis. There is a strong potential for the German approach to be highly inluential in the debate around the appropriate EU position. Whilst industry in the UK is generally resistant to mandatory standards, they are even more resistant to the potential for inconsistent standards applying in different jurisdictions. 12 CybeR-SeCuRITy RegulaTIon In the US, the National Institute of Standards and Technology issued on 12 February 2014 a voluntary risk-based framework, foreshadowed by the Executive Order 13636 on “Improving Critical Infrastructure Cyber-security” made on 12 February 2013. The framework was created through collaboration between government and the private sector, with a view to addressing and managing cyber-security risk “in a cost-effective way based on business needs without placing additional regulatory requirements on businesses”. The framework does not impose new standards but rather provides a structure for navigating existing standards applicable to critical national infrastructure so businesses can build a risk-based plan adapted to their needs. While it is not mandatory, compliance with the framework is likely to become a benchmark against which security measures are tested in any litigation or regulatory investigation. TheRe haS been ReSISTanCe FRom InduSTRy To SeTTIng TeChnICal STandaRdS aT The eu level gIven a ConCeRn aT The InConSISTenT STandaRdS aPPlyIng ouTSIde The eu. “Fortress europe” and Protectionism Another issue being discussed is the possible creation of siloed internet systems. The shadow cast by the Snowden revelations has caused some Europeans to raise the need for the separation of networks. Commentators have expressed concern at a trend towards forced data localisation and hardware production on the grounds of national security, seeing this as thinly disguised protectionism. Similarly, differing national standards for encryption methodologies are threatening to frustrate integration of systems across borders. Conclusion: Is voluntary Information Sharing the Solution? More recent developments include discussion around publicprivate information sharing platforms along the lines of the model adopted in the UK. The EU is to publish guidance on risk management and information sharing in the second quarter of this year. There is strong support for such initiatives and it remains to be seen whether this model will overtake the Commission’s support for mandatory information sharing. The Commission intends to contest both the watering down of the requirement for each NIS to share information on attacks and the removal of key internet enablers from the scope of the Directive. The debate going forward promises to be intense. It will be interesting to see if any Member State asserts its right to opt out of the Directive in all or part on the basis of its right to retain sovereignty over issues affecting its essential interests of national security and, if so, how the Commission will respond. 13 Jane is a solicitor and partner at Freshields Bruckhaus Deringer. She co-heads the irms international cyber security and defence teams. She advises clients on legal risk evaluation, mitigation and response in the aftermath of a cyber attack including management of the interface with regulators and litigation. CybeR-SeCuRITy RegulaTIon CYBER-SECURITY lEGISlaTIon In EURopE: ThE nIS DIRECTIVE anD ThE oppoRTUnITIES foR lEaDERShIp & haRmonIzaTIon: ThE BUSInESS pERSpECTIVE BY JAN NEUTzE, DIRECTOR OF CYBER-SECURITY POLICY, EMEA, MICROSOFT J ust over a year has passed since the European Commission published its proposals for the irst EU Cyber-Security Strategy and its accompanying Network and Information Security (NIS) Directive. Since then, a lot has happened in the cyber-security discourse. The disclosures over alleged government snooping have sparked concern, and in some cases outrage, over the size, scope and character of government surveillance programs. Microsoft, along with other ICT companies, announced signiicant technical, legal and transparency measures to enhance customer protections. The shifting threat model has inluenced the perception of cyber-threats and reshaped the public debate. At the recently held 50th Munich Security Conference, cyber-security was the topic of the opening panel, further evidencing how questions of security, privacy and transparency in cyber-space have become key public policy issues of our time. The European Commission’s initiatives’ irst anniversary therefore represents a timely opportunity to look back and assess the progress made so far. Global developments have made it even clearer that the Commission’s proposals needed to be considered contextually and not in isolation. Draft legislation on the processing of personal data and free movement of such data, as discussed within the framework of the General Data Protection Regulation, as well as the draft regulation on electronic identiication and trust services for electronic transaction, touch on many of the points put forward in the NIS Directive. All relevant stakeholders must ensure co-ordination between these three important pieces of legislation, in particular in areas such as data protection provisions, breach notiications, auditing, liability and reporting. A lack of harmonization across these initiatives could potentially result in conlicting requirements, which in turn could lead to a less secure cyber ecosystem, both within the EU and globally. Some of these challenges notwithstanding, we welcome substantial progress that has been made in particular with regards to the development of the NIS Directive. Success in cyber-security depends on committing to risk management. By focusing on the protection of Europe’s most critical services and assets, leaders in the European Parliament have signaled a commitment to a risk management approach and framework intended to support on collaboration and accountability. For example, recently proposed changes now provide the opportunity for the private sector to participate in the planned NIS co-operation network, which would allow for sharing of best practices and strategic analysis. 14 CybeR-SeCuRITy RegulaTIon Other parts of the draft NIS Directive could still beneit from additional clarity, including how national competent authorities (NCAs) or single points of contact will in fact interact with one another and what information they will share; similarly, greater emphasis on the role of international standards and recognized certiication agreements would be a welcome step forward.. ThE EURopEan UnIon haS an InCREDIBlE oppoRTUnITY To BEComE a polICY lEaDER In CYBER-SECURITY anD wE ShoUlD all woRK To SUppoRT ThIS EffoRT Last, but not least, it is important to note the progress already made on cyber-security at the Member State level over the past year. Close to half of the EU Member States have (re-)committed to strengthening their cyber-security efforts; either through work on national cyber-security strategies, as envisioned in the European Commission proposals, or through efforts aimed at capacity building and greater co-operation, as seen by the BeNeLux countries, Germany, Poland, and the United Kingdom. It is important that these commitments translate into concrete actions that reconcile both security and privacy while striving for maximum harmonization. The European Union has an incredible opportunity to become a policy leader in cyber-security and we should all work to support this effort. Harmonization is important beyond Europe. Just a few weeks ago, the United States released a Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). This Framework was developed over the past 12 months through a collaborative public-private process led by the National Institute of Standards and Technology (NIST). This is an important step in the broader development of cyber-security public policy, and the irst time that the public and private sectors have agreed to a common Framework for approaching cyber-security. In Europe, the NIS Platform can beneit from leveraging commonly accepted international risk management standards and building on the lessons learned from the US efforts. 15 Jan Neutze is Director of CyberSecurity Policy at Microsoft responsible for cyber-security policy matters in Europe, Middle East, and Africa (EMEA). Before taking on Microsoft’s EMEA security portfolio, Jan worked in Microsoft’s Trustworthy Computing (TwC) group at Microsoft Corp. leading TwC’s engagements with governments and industry partners. Jan came to Microsoft from the United Nations Headquarters where he served for three years in the policy planning staff of the UN Secretary-General and the Department of Political Affairs, leading a range of cybersecurity and counter-terrorism projects. CybeR-SeCuRITy RegulaTIon STakeholdeRS In CybeR-SPaCe have To Play an aCTIve Role beyond PRoTeCTIng TheIR own aSSeSTS, In oRdeR FoR The uSeFulneSS oF The CybeR-SPaCe To PRevaIl. CYBER-SECURITY REGUlaTIon anD ITS RElEVanCE To ThE paYmEnTS InDUSTRY: a CaSE STUDY BY COLIN WHITTAKER, HEAD OF PAYMENT SYSTEM SECURITY, vISA EUROPE O ne of the more illuminating descriptions of is that the harm from a data compromise is often the nature of cyber-security comes from an suffered greater by other entities in cyber-space Standardisation rather than those who have been compromised. (ISO) draft on the topic which states that “… These descriptions it well with Visa Europe’s stakeholders in the cyber-space have to play experience, and therefore the concept of cyber- an active role, beyond protecting their own security is highly relevant to the payments industry. assets, in order for the usefulness of the cyber- We space to prevail”. This provides a sound also prize the ability to secure control of an starting point to determine, from Visa Europe’s enterprise’s equipment and services to increase perspective, what cyber-security means to our their anonymity as they use these assets as a card payment eco-system and the implications springboard to launch cyber-attacks on other of victims. Visa Europe has seen evidence of this International proposals Organisation for for cyber-security regulations. cannot, however, ignore that attackers from data breach investigations. These examples The description strikes to the heart of the provide no better illustration of the trueness of the increasingly asymmetric nature of both the threat ISO description of the nature of cyber-security. from cyber-security and the risk assessments There is now an acute recognition across the enterprises make to determine how to defend payment card industry that attackers are willing themselves from the threat. An example of the to invest signiicant time, energy, imagination and asymmetry is that enterprises may either place tenacity in trying to defeat the security controls that much less value on the assets they need to we require entities to deploy to protect cardholder protect than the criminals do, or that the level data. This leads to these controls being kept under of effort, time and capability that the criminals continual review and enhanced where necessary; can generate to attack an enterprise is much this is in part evidenced by the recent triennial review greater than the enterprise can provide to protect of the PCI Data Security Standard incorporating themselves. An additional asymmetry to recognise lessons 16 learnt from recent data breaches. CybeR-SeCuRITy RegulaTIon It is also of note that annual reports from computer forensics companies supporting the payment card industry continue to show that adoption of commonly accepted, good security practices would have prevented many of the breaches they investigate; irrespective of the motivation of the attacker. As important, however, as protection continues to be, Visa Europe also actively promotes other strategies that reduce cyber-security risk, and hence the data security burden, for enterprises. We do this by working to devalue the data the attackers’ prize by making it worthless to them. The most striking example of this has been EMV, or Chip and PIN as it is known in the UK; a truly asymmetric security strategy. Colin Whittaker Payment heads System up Risk the team It is important to approach cyber-security holistically, inherent in within the description quoted. However, it must also be acknowledged responsibility for payment system that there are beneits when communities of interest act for security, member compliance, PIN the good of the community through self-regulating the cyber- security and vendor certiications, security measures implemented by its participants. This programmes, and Data Compromise is what Visa Europe does for its payment system and the Management. Part of Colin’s remit is participants within it, providing appropriate and relevant security also the implementation of PCI DSS requirements, monitoring adoption of these requirements, the across the European markets and co-ordination of data breaches where security fails and the creating market speciic risk policies. dissemination of intelligence on lessons learnt from breaches. visa Europe and has Colin joined visa Europe in 2010 from UK Payments where he was Although there are calls for greater governmental regulatory the Head of Security. His role was action to protect all stakeholders in cyber-space, it would to provide the focus for information clearly be unhelpful if this action undermines the efforts security issues for the wide range of of extant communities of interest. Any regulatory effort companies and brands serviced by must complement community cyber-security efforts, and UK Payments. where possible reinforce them. However, where that community crosses many national jurisdictions achieving a consistent approach is of course much more challenging. If the beneits of cyber-space are to be realised, then it must be appropriately protected and this is where cybersecurity becomes important. It is also perhaps inevitable that some measure of regulation might become necessary to achieve this. The issue, as always, will continue to be: how much regulation? Is it proportionate? Finally, is it capable of being applied sensitively to complement and reinforce existing cyber-security strategies and not to disrupt them? 17 CybeR-SeCuRITy RegulaTIon ThE polICY ChallEnGES of CYBER-SECURITY REGUlaTIon BY DAvID ABRAHAMS, HEAD OF PUBLIC POLICY, NOMINET The conversations we held across two days of security cannot be addressed simply by regulation presentations and debate provided an interesting or the actions of commercial operators alone. and useful insight into the high level policy Instead, it requires a multi-faceted policy response challenges that are presented by cyber-security. taking in industry standards, supply chain management; cultural changes by consumers, As with so many issues related to the internet, enhanced expertise in regulatory bodies and a key challenge for policy makers is that there co-ordination with national security apparatus. is no central point of control or regulation of the internet. This is of course exactly why the internet The proposed directive on network and was irst established – to provide a decentralised Information Security (nIS) communications network that could survive a Much of the discussion over the two days related to catastrophic attack on a central command and the European Commission’s proposal for a Directive control function. on Network and Information Security (NIS). There It is also one of the reasons that the internet has lourished as a place where was signiicant industry concern about the way people can freely exchange opinions, build the Commission’s proposals pursued a top-down communities of shared interest and do business. regulatory approach rather than encouraging However, unlike some other internet-related policy those Member States that are behind the curve on issues, complicated cyber-security to pursue a multi-faceted strategy. by the fact that it is not only simply a matter of The Commission’s regulatory approach stands in cyber-security is further inding ways to enforce existing laws in an online contrast to the approach taken in the UK, where we environment; it is also a matter of national security. have a well-developed government cyber-security Taken together, these factors mean that cyber- strategy and infrastructure to support industry. The uk aPPRoaCh IS baSed on: • Co-operation between our national security apparatus and industry, especially in the ield of critical national infrastructure; • Well established voluntary information-sharing arrangements between commercial operators; and • Strong information and awareness raising campaigns led by government and supported by industry 18 CybeR-SeCuRITy RegulaTIon In the larger European economies, where commercial supply chains are long, complex and global in nature, it is clear that an EU-centric regulatory approach to cyber-security is not going to be effective. In short, the EU cannot insulate itself from the rest of the world when it comes to internet and global trade and therefore the policy response to challenges of cyber-security must look beyond the creation of regulatory hoops for European businesses to jump through. Industry participants in the delegation therefore welcomed the changes made to the NIS Directive by the European Parliament in terms of limiting the directive’s scope and creating a framework for a more co-operative relationship David Abrahams is Head of Public Policy at Nominet, the company responsible for running the .uk domain name registry. David leads Nominet’s relationship with government and political audiences in the UK and EU and has led the development of Nominet’s policies for the new .cymru and .wales domain spaces which will launch in 2014. Prior to joining Nominet in 2012 David worked at Ofcom where he directed competition investigations, regulatory disputes and consumer protection programmes. between regulatory bodies and the companies they regulate. CYBER-SECURITY CannoT BE aDDRESSED SImplY BY REGUlaTIon oR ThE aCTIonS of CommERCIal opERaToRS alonE Cultural responses to surveillance There were clear disagreements amongst the policy makers we met regarding the impact of Edward Snowden’s revelations about the surveillance activities of the US, UK and other governments. There is a clear cultural difference between the UK’s general trust of the state security apparatus that has been built up since the Second World War and the culture of distrust and concern in countries that have a recent history of authoritarian government or occupation by foreign forces. This may relect a dificulty that will always exist when trying to approach issues of national security within the European Union, which is civilian and political by nature. Cyber activism and democracy Our closing discussion on “cyber activism” highlighted that, beyond the headlines about hackers, there may be some positive outcomes from this sort of activity. The Pirate Party is a good example of how self-organising communities that have been established online around cyber-activism can enter the mainstream political process in a number of European countries. This should be celebrated as a success for the liberal democratic system enabled by an open and free internet. 19 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe moRE EmphaSIS nEEDS To BE plaCED on woRKInG In paRTnERShIp wITh ThE pRIVaTE SECToR To aDDRESS ThE pERVaSIVE ThREaT ThE nIS DIRECTIVE anD pRoTECTInG CRITICal naTIonal InfRaSTRUCTURE BY CARLA BAKER, SENIOR GOvERNMENT AFFAIRS MANAGER, SYMANTEC The need to protect critical national infrastructure is not new. Nation states have recognised the criticality of protecting key elements of the national infrastructure for hundreds of years. The Roman Empire understood the importance of protecting roads and aqueducts, which were considered vital parts of the Empires’ infrastructure. Indeed, this very infrastructure was exploited in 213 BC when Hannibal led an offensive and used the Roman Roads, the Empire’s own critical infrastructure, to launch an attack. Not that differently from today’s cyber attackers, who exploit our information systems against us. The advance of the digital world brings a new, more complex dimension to the protection of Critical National Infrastructure (CNI). The near borderless nature of the internet, the growth of cyber-security threats and varying levels of cyber maturity across both the public and private sector creates a challenging and complex environment. As set out in the Symantec 2014 Internet Security Threat Report (ISTR), threats are becoming increasingly sophisticated and pervasive, affecting every level of society, from national governments to businesses and citizens. In addition to cyber-crime driven attacks, targeted attacks on key aspects of the critical infrastructure continue to grow and evolve. Targeted attacks use malware to target a speciic user or group of users within an organisation and can be delivered using various stealthy methods ranging from spear-phishing emails to watering holes in legitimate websites. The aim of such attacks are to provide a backdoor for the attacker to breach the intended organisation in order to gain access to systems and cause damage or steal conidential information such as trade secrets or customer data. As the 2014 ISTR highlighted, there was a global average of 83 targeted spear-phishing attacks per day in 2013 and approximately 1 in 3 organisations in the Mining, Public Administration and Manufacturing sectors were subjected to at least one targeted spear-phishing attack in 2013. Cyber-security threats are no longer just a case of a lone hacker developing malware to cause havoc; we are seeing more sophisticated, targeted attacks from adversaries that are well resourced and organised, and use an array of evasive techniques and tradecraft. The threats to critical infrastructure have been well documented with attacks such as Stuxnet, Duqu and, more recently, Flamer. 20 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe CASE STUDY : STUXNET Stuxnet brought the issue of critical infrastructure protection to the forefront of the cyber debate, making headlines across the globe. Stuxnet is a very sophisticated worm that targets industrial control systems in order to take control of industrial facilities, such as power plants. Given countries’ dependencies on key infrastructure such as utilities, transport and telecommunications, Stuxnet proved a very worrying example of how sophisticated and damaging threats were becoming. As a result, governments across the globe are striving to protect vital infrastructure from cyber- attacks due to its criticality to national security, economic stability, and public health and safety A number of recent publications have highlighted the importance of protecting critical national infrastructure and highlighted the steps national governments and international organisations are undertaking to strengthen resilience to the growing threats. In 2011 the UK Government published the Cyber Security Strategy which, amongst other objectives, set forth a number of actions that aimed to enhance the UK’s cyber-resilience, from developing effective information sharing mechanisms such as the Cyber Security Information Sharing Partnership, through to providing advice, guidance and tools to companies that underpin the CNI. At a European level, the EU Commission published the European Cyber-Security Strategy and a proposal for a Network and Information Security (NIS) Directive, which aim to develop a common baseline of NIS across EU Member States. The Directive represents an important step in the efforts to improve cyber-security and harmonise preparedness and resilience mechanisms across Europe, taking stock of best practices that already exist amongst EU Member States. A key principle in the Directive is the need to develop effective information sharing mechanisms which, if established with the necessary trust, incentives, safeguards, controls and protections can form a crucial tool in helping organisations protect systems, networks and conidential information from intrusion, disruption, theft or manipulation. There is still work to be done to improve and enhance the Directive and more emphasis needs to be placed on working in partnership with the private sector to address the pervasive cyber threat. However, what is abundantly clear is that governments across the world, whether at a national, regional or international level, take the cyber threats faced by both the public and private sectors seriously and realise that more is needed to mitigate this growing and evolving challenge. 21 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe The evolution of the internet has driven economic growth, facilitated international trade and enabled people to communicate across the globe. It has also brought new risks, which are being exploited by hackers, criminal gangs and nation states, and these adversaries are targeting key aspects of the critical national infrastructure. Addressing the risks requires clear strategies, followed up with concrete actions, enhanced operational capabilities and a collaborative approach between industry and the public sector. moRE EmphaSIS nEEDS To BE plaCED on woRKInG In paRTnERShIp wITh ThE pRIVaTE SECToR To aDDRESS ThE pERVaSIVE ThREaT The EU’s efforts to strengthen Member States’ approach to network and information security is a welcomed step in the right direction, however a number of issues need to be addressed, such as whether the EU should take a regulatory or voluntary approach to information sharing schemes and address the political sensitivities around elevating information sharing to an EU level. HIGHLIGHTS FROM THE SYMANTEC 2014 INTERNET SECURITY THREAT REPORT - Key Findings • 91% increase in targeted attacks campaigns in 2013 • 62% increase in the number of breaches in 2013 • Over 552M identities were exposed via breaches in 2013 • 23 zero-day vulnerabilities discovered • 38% of mobile users have experienced mobile cybercrime in past 12 months • Spam volume dropped to 66% of all email traffic • 1 in 392 emails contain a phishing attacks • Web-based attacks are up 23% • 1 in 8 legitimate websites have a critical vulnerability 22 Carla is Symantec’s Senior Government Affairs Manager, responsible for driving the company’s public policy agenda in UK and Ireland and representing Symantec before public authorities, industry associations and trade bodies. Prior to joining Symantec, Carla was a director at Intellect, the UK trade association for the technology industry, leading the association’s Cyber Security Programme. In this role she led the development of industry-wide policy positions on specific cyber related issues, informed the development of government policy and built successful relationships with senior government officials, Ministers and MPs. CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe EURopEan CRITICal InfoRmaTIon InfRaSTRUCTURE BY TIM.J.PARSONS, FBCS, FIET, FRSA, MIOD SELEx ES, SECURITY AND SMART SYSTEMS It is useful to summarize the issues connected with European Critical Information Infrastructure (ECII) from at least three perspectives, these being three key areas which can frame our understanding of this topic. • The market and commercial perspective • The systems perspective • The legislative and standards perspective THE MARKET AND COMMERCIAL PERSPECTIVE From the market, commercial and legislative perspectives, market liberalization, market coupling and service unbundling has signiicantly diversiied the supply chain in some member states and the economic arguments for these trends continuing across the EU are overwhelming. Studies undertaken for the European Commission Directorate indicate that savings worth 10’s of Billions of euros per year would be achieved by the establishment of a deeply integrated and resilient European market in the energy sector alone [5]. The supply chain will hence continue to broaden and deepen, increasingly incorporating Small to Medium Enterprises (SMEs) and, from an economic viewpoint alone therefore, it may be concluded that the sectors comprising the ECII in ive years’ time (most certainly in ten years’ time) will differ in detail from the critical infrastructures we know today. It is these ‘details’ which determine the threats and vulnerabilities relating to ECII . 23 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe anY InITIaTIVE In ThE lEGISlaTIVE SpaCE mUST BE fUllY CoGnISanT of BoTh ThE ComplExITY of ExISTInG SECToRal anD naTIonal lEGISlaTIon anD STanDaRDS anD ThE DIVERSITY of oRGanISaTIonS foRmInG ThE EmERGInG ECII. THE SYSTEMS PERSPECTIVE From a ‘systems perspective’ the ECII is not static, and the European Program for Critical Infrastructure Protection (EPCIP) [2,2a] recognizes and highlights the increasing interconnectivity and interdependency of the emerging ECII. The following signiicant developments may be identiied: 1. The integration of de-centralised renewable energy, within the context of continuing European market integration. These developments will change the fundamental topology of energy distribution networks across European wide grids. 2. The development of ‘Smart Cities’ and so-called ‘Cyber-physical convergence’ which will broaden our concepts of criticality considerably. 3. The emergence of real-time monitoring, control, and machine to machine communication. 4. Finally, the cyber-physical threat itself will substantially drive the evolution of the ECII. Each of these drivers will have consequences for the fundamental properties of the emergent ECII such as resilience, and further cross-sectorial, multi-stakeholder research of these issues would yeild additional valuable insights. THE LEGISLATIVE AND STANDARDS PERSPECTIVE Commercial operations are, of course, also driven by the legislative and compliance environment in which those services are provided. The ECII in particular is characterised by an exceptionally complex multi-layered, sectoral, national and international environment. Work commissioned by the UK Business Innovation and Skills Department (BIS), for example, recently evidenced over 1000 standards internationally relating to cyber-security [6]. 24 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe Any initiative in the legislative space must be fully cognisant of both the complexity of existing sectoral and national legislation and standards and the diversity of organisations forming the emerging ECII. In terms of EU approaches to harmonisation and coherence, a number of areas within EPCIP 2013 [2,2a] are to be welcomed. These are : • The recognition of the complexity of facilitating and harmonising change • The increased focus on interdependencies • The increased role for public and private collaboration • A focus on the critical areas of energy distribution, geo-location and air traffic control • Progress towards a trusted network by which to disseminate and report cyber threat intelligence and incident alerts (CIWIN) “CommERCIal opERaTIonS aRE, of CoURSE alSo DRIVEn BY ThE lEGISlaTIVE anD ComplIanCE EnVIRnomEnT In whICh ThoSE SERVICES aRE pRoVIDED” EPCIP outlines a mix of market, EU and public-private fora led approaches in the establishment of common risk management processes, cyber threat information sharing networks and scenario exercises. They recognise a need for cohesive planning across the EU Directorates and a focus on interdependencies within and across four key Critical Infrastructure sectors. In contrast, both the Joint Communication on the Cyber security strategy of the EU [1] and the Directive relating to Network and Information Security [3] propose that delivery of Cross EU harmonisation and coherence would be facilitated by adopting a more regulatory approach. 25 As a co-founding Board member of the Information Assurance Advisory Council, Tim led the first UK cross-sectoral study of emerging threats to the Critical National Infrastructure in 2001. He has acted as an independent scientific advisor to the MoD, scoping the rapidly evolving field of Information Operations and to the DTI for the Cyber Trust and Crime Prevention S&T Foresight Panel. Within Europe, he has advised NATO on the implications of civil information infrastructure dependency and aspects of counter-terrorism. He was also an invited reviewer for the Framework 5 programme on dependable and trustworthy information infrastructures. He is currently an industry advisor to NATO in the area of cyber crisis management and a committee member for the academic fora on Information Warfare and Security and Cloud Security Management. CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe InITIaTIVES wIThIn ThE UnITED KInGDom It is against this backdrop that it is useful to summarise recent initiatives within the UK. In addition to the engagement of senior business leaders on cyber-security by CESG in 2012, the sectoral based CPNI led information sharing fora and the further development of an ‘IT health check’ service provider scheme (CHECK), there are six additional notable initiatives: 1) The Cyber Security Information Sharing Partnership (CISP) Following an earlier pilot study in 2011, the Cyber Security Information Sharing Partnership (CISP) was launched in March 2013 by the Cabinet Ofice. The CISP is a joint, public-private initiative to enhance awareness of the cyber threat by sharing real-time intelligence on threats and vulnerabilities within a secure collaborative environment. Funded by the National Cyber Security Programme, the initiative has cross government support and it extends beyond Critical National Infrastructure to encompass over 200 organisations in, for example, the legal and retail sectors. CISP will feed into the National Computer Emergency Response Team CERT-UK. 2) CeRT uk CERT UK is due for launch in Spring 2014. It will have a 24/7 capability providing speciic support to CNI and situational awareness across a wider range of sectors. It will provide national level co-ordination with the sectoral CERTS, and it will have EU and international co-ordination and outreach responsibilities. CERT UK will build on the capabilities developed by CISP and it is anticipated to be integral to existing national emergency response and civil contingency organisations. It is not anticipated to have investigatory, regulatory or law enforcement powers, but will work closely with those who do. 3) The Production of good Practice guides The Good Practice Guides provides guidance to public bodies and the public body supply chain. These guidelines cover cyber related issues such as protective monitoring, internet connectivity, remote working, data separation and cyber forensics. 26 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe 4) Cyber Incident Response Scheme Towards the end of 2012 The Cyber Incident Response scheme was launched by CESG and the CPNI. It aims to provide a kitemark for those companies with evidenced capability in countering advanced persistent threats (APT’s). 5) basic Cyber hygiene The Business Innovation and Skills Department (BIS) is currently leading a cross sector engagement process to produce guidance for “Basic Cyber Hygiene”. Although inluenced by the ISO27000 series of standards, this initiative recognises the potentially high cost of mandatory legislation to the Small to Medium Enterprises (SME) within the supply chain. BIS is therefore working with the British Standards Institute (BSI), Information Security Forum (ISF) and a speciic IA model designed to provide practical guidance to Small to Medium Enterprises. 6) defence Cyber Protection Partnership There is also a signiicant public private initiative within the Defence sector called the Defence Cyber Protection Partnership. It has the backing of some 12 Defence companies together with the MoD, GCHQ and CPNI and seeks to articulate the risks and to enhance and share threat intelligence across the supply chain via a trusted virtual environment. In summary there are currently at least six notable cyber collaborative initiatives in the UK. The overall initiatives have not been mandatory; rather they have been initiated via Government or via public-private sector fora and resources.Interestingly, there is evidence that these initiatives are already beginning to shape the cyber market within the UK, in both the low and the high threat arenas. Vendors already market GPG ‘compliance’ in the ‘low threat space’ and, in the ‘high threat space’, CESG Kitemark for competence in countering advanced persistent threats has differentially attracted businesses. A key point of recognition is that the eficiency of the Critical Infrastructure supply chain has signiicant business value. It is integral to an organisation’s competiveness and market proposition. As such it is dynamic and evolving in response to the drivers we have identiied. The CEII in ten years time will be different in detail from the current CEII. 27 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe TheRe IS a Real need TheReFoRe To undeRSTand The ImPaCT oF oRCheSTRaTIng The haRmonISaTIon wIThIn The eu oF CybeR STandaRdS, noT only ThRough The lIFe-CyCle oF PRevenTIon, PRePaRedneSS and mITIgaTIon, buT alSo aCRoSS The enTIRe SuPPly ChaIn. SUmmaRY of poInTS It is essential that those complex enabling frameworks which will lay the foundations for a secure and resilience critical infrastructure are scoped and co-ordinated at national and EU levels. These legal, commercial and systems initiatives must enable and support future critical infrastructure development, with increasingly complex interdependencies and increasingly diverse supply chains. There is a real need therefore to understand the impact of orchestrating the harmonisation within the EU of cyber standards, not only through the life-cycle of prevention, preparedness and mitigation [6], but also across the entire supply chain. Business impact itself must be considered from a number of viewpoints including cost and supply chain agility and its ability to respond appropriately to cyber events. A key focus needs to be placed on mechanisms which: • Enhance federated trust and security across the increasingly diverse supply chain • Have an acceptable legislative burden • Allow for a diversity of reporting mechanisms • Enhance existing initiatives • Encompass the existing integration of cyber processes into National Governmental organisations. These mechanisms would be key to effective implementation and reduce the barriers to uptake by the diverse range of organisations forming the emerging ECII. A ‘tool-box’ approach, using the entire spectrum of voluntary, public-private collaborative and mandatory initiatives would hence likely offer the diversity of controls needed to address the complex, diverse and ever evolving ‘systems of systems’ which forms the ECII. 28 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe p RoTECTInG CRITICal naTIonal InfRaSTRUCTURE aCRoSS BoRDERS: CYBER SECURITY anD ThE BlEnDED ThREaT BY JAMES WILLISON, VICE CHAIR, ASIS INTERNATIONAL EUROPEAN CONVERGENCE COMMITTEE James Willison of Uniied Security is vice Chair, ASIS International European Convergence Committee and one of 800+ members of the ASIS UK Chapter. ASIS International is a global community of 38,000 security practitioners, each of whom has a role in the protection of assets, people, property, and/or information. ASIS advocates the role and value of the security management profession to business, the media, government and the public and is an ANSIaccredited Standards Developing Organization, working with standards-setting organizations worldwide. ASIS is developing a series of ANSI resilience standards helping organizations address the risks of disruptive events. Critical National Infrastructure (CNI) faces an increasingly complex risk scenario. In the last decade threats have multiplied from both the physical and IT areas. It used to be suficient for site security at a power plant or factory to focus on fencing, CCTV and physical/logical access control but now the cyber risk posed by Internet Protocol based physical security systems is forcing the need for a more uniied security strategy. Traditionally, cyber-security has been managed by IT departments but the vulnerabilities in physical security systems provide opportunities for both hackers and the insider to gain access to company information and critical system controls. These can no longer be protected without an organisation wide strategy to consider security risks in multidisciplinary and cross-functional teams. In the digital age, those responsible for CNI resilience need to ensure all these risks are managed effectively and work very closely with all business support functions including Corporate and Information Security, IT Security, Business Continuity, HR and Legal. In the last decade much work has been done to develop international standards in the area of information security. Notably, the ISO 27001 & 2: 2013 Information Security Standards and the ISO 22301:2012: Business Continuity Management Standard. However, the issues of site security and blended cyber physical threats which can cause the CNI to fail and lead to disasters have not received the attention they really need. In an effort to remedy this situation, and in line with the UK National Security Strategy, in August 2010 ASIS UK and ASIS International invited over one hundred Global Physical and Information Security leaders to contribute to an American National Standard (ANSI) for Physical Asset Protection (PAP). ht tp: // w w w.as is .o r g.u k / www.asisonline.org The Physical Asset Protection Standard sets out to complement the work of the ISO Standards and offers guidance on these emerging new threats. The Standard takes a holistic approach and outlines best security practices. It also indicates the increasing signiicance of blended cyber physical threats to physical security systems and data and recommends a teaming pre-emptive response. The relevance for the protection of Critical National Infrastructure which relies on resilient site security in order to function should be obvious. 29 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe I t is the exploitation of these vulnerabilities which concerns so many. For if a hacker can gain access to a facility and render the plant inoperable, the consequences could be catastrophic. Following a two year consultation process and a public review, ANSI and ASIS International published the Standard in April 2012. The result is a comprehensive approach to security risk management designed and written with a focus on the needs of the business. There are many valuable perspectives and insights with practical recommendations for developing relations with all areas of the organisation. The introduction sets the scene perfectly and the following quote is indicative of its quality. “In order to effectively protect its assets, an organization needs to recognize the interdependencies of various business functions and processes to develop a holistic approach to PAP. Physical asset protection is intertwined with other security-related disciplines, such as information technology systems and continuity management. In order to understand the shared risk environment, the organization should consider: a) A common basis for risk ownership and accountability; b) An integrated risk assessment and harmonized treatment strategy; c) Common lines of communications and reporting for assessing and managing risk in a cross-disciplinary and cross-functional fashion; and d) Establishing cross-disciplinary and cross-functional teams to achieve a co-ordinated pre-emptive and response structure. When implementing this Standard, organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk. This should be relected in all elements of the Standard. The organization will be better able to achieve its objectives by understanding and incorporating the convergence of PAP, information technology systems, and risk management in all of the elements of its management system, (ANSI / ASIS PAP.1 - 2012 Standard, page xiv with permission). It is the need for cross-disciplinary and cross-functional teams, which can identify blended attacks, that is such an important solution for the threats to Critical National Infrastructure. Currently, most organisations only operate these teams in a crisis event when it is too late. This failure to identify the vulnerabilities in physical security systems and procedures is not acceptable. So what is the answer? ASIS UK, as part of ASIS International, is working with the European Union in a variety of ways. In April 2014, Europol partnered with the ASIS European Security Conference in the Hague and emphasised the importance of reaching out to our members. There are about three thousand senior security professionals from across Europe who can advise and help secure our member states. It is anticipated that there will be a developing commitment to cross border security issues in the future. Europol and the Cyber Crime Centre (EC3) itself is a cross border organisation which leads initiatives to combat crime and links security professionals and investigations. Many of these security leaders were involved in, and supportive of, the ANSI / ASIS PAP Standard which has many valuable principles for the protection of Critical National Infrastructure. 30 CybeR-SeCuRITy and CRITICal naTIonal InFRaSTRuCTuRe The ANSI / ASIS PAP Standard states that, “The organization shall deine and document its risk and resilience management context, including: How combinations of multiple risks will be taken into account” (ibid., p.6). In its discussion on the identiication of risk it says, “The organization should establish, implement, and maintain a documented security survey procedure to: a) Identify cross-disciplinary and cross-functional interdependencies.” (ibid., p.13) The issue of interdependencies of functions is a common phrase and its importance is seen in the section on training. “The organization should identify competencies and training needs associated with PAP management, including the interdependencies of various business functions and processes. It should provide training or take other action to meet these needs, and should retain associated records” (ibid., p. 16). Once the foundation of the standard has been laid it outlines the importance of security convergence for the organisation. There are two pages on the applications of security convergence including this statement, “Rather than having asset protection and security solutions managed by different business functions applying subjective risk controls to their threat speciic vulnerabilities, convergence provides a common platform where these solutions are assessed and treated from the perspective of a shared risk environment” (ibid., p.31). It then indicates that the following be established: “A cross-discipline and cross-functional risk assessment and management framework that identiies, analyzes, evaluates, and treats all security risks within a singular managed process; A risk management process that monitors all security risks controls and reports weaknesses, vulnerabilities, attacks, and systems failures collectively” (ibid., p.32). This selection of text alone makes it clear that protecting physical assets like power stations and the water supply is dependent on the need to manage the risks holistically. This means that organisations can no longer consider business security risks in isolation. The various interdependencies are evident. The PAP Standard outlines many important solutions and it needs to be implemented more widely. ASIS International has identiied that only about 20% of organisations operate strategies which follow this holistic approach. It is really important therefore that parliamentarians promote the implementation of best security practises as our CNI depends on them. The PAP Standard recommends the deployment of cross functional teams which act in a pre-emptive way and common risk reporting to enhance an organisation’s strategy and thereby prevent a cyber physical attack. If one should get through, at least this approach will enable a fast response and greater likelihood of a good recovery. 31 CybeR aCTIvISm and ‘haCTIvISm’ a YEaR IS a ShoRT TImE In CYBER SpaCE BY DR CHRISTOPHER LAING, NORTHUMBRIA UNIvERSITY In a far-off time and cyber-space very few people Internet Freedom at The Newseum, outlined her had heard of WikiLeaks or Julian Assange. Well, vision in which digital whistle-blowers, such as just in case you missed it, Julian is the main Assange, and their ‘information networks would spokesperson and editor-in-chief for WikiLeaks, form a new nervous system for our planet’; in who from which digital whistle-blowers would champion private, secret and classiied sources: a ‘digital transparency; ‘helping the people discover new whistle-blower’! In its time WikiLeaks has been facts, and making governments more accountable’. publish anonymous submissions awarded numerous accolades, starting with The Economist’s New Media Award in 2008 and the However, less than 12 months later, things had Amnesty International UK Media Award in 2009. changed.Clinton, now speaking at a hastily In 2010, it was listed as one of 5 ‘pioneering convened State Department press conference, websites that could totally change the news’ by condemned those same digital whistle-blowers; the New York City Daily News, while in the same digital transparency was an ‘attack on the year readers of TIME magazine voted Julian as international community.’ Sarah Palin even called their choice for TIME’s Person of the Year. Julian for Assange to be hunted down by American special was the new techno urban warrior, a ‘wunderkind’. forces and assassinated; arguing that he should Interestingly, in that very same year the US be ‘pursued with the same urgency we pursue al- Secretary of State, Hilary Clinton, speaking on Qaeda and Taliban leaders.’ 32 CybeR aCTIvISm and ‘haCTIvISm’ With this in mind, one does wonder: do we need some type of digital transparency for business information security issues? Now, I’m not suggesting a digital whistleblower championing the transparency of digital and software vulnerabilities, as used by various national intelligence forces to undertake mass surveillance. Although, as we have seen recently, that could be one option, and interestingly the repercussions of those revelations may have indirectly led to the European Parliament voting on data protection reform and protection from mass surveillance. No – I am suggesting some form of ‘collective intelligence: a shared intelligence that emerges from a collective and transparent collaboration of individuals dealing with similar problems’, i.e., the use of collective intelligence directed at European security breaches/issues with its critical infrastructure. I would argue that an effective means of transparently sharing details, without fear of recrimination and embarrassment, would greatly reduce the impact of such breaches. Fine idea, but the key words here are, ‘recrimination’ and ‘embarrassment’ – how can this be achieved? In reality, organizations are reluctant to share information; what about my competitors; will this sharing be reciprocated; will it open me up for further attacks, more expense, loss of reputation; what will my customers/clients think? But, given privacy and anonymity safeguards, organizations might just be persuaded to share information with a ‘trusted’ independent security ‘broker’; able to exchange security information from many similar sources. All that is needed is for a trusted broker to step forward. The UK government’s Warning, Advice & Reporting Points are part of the Centre for the Protection of National Infrastructure initiative on helping organizations secure their information and information infrastructure. Warning, Advice & Reporting Points, otherwise known as WARPs (please don’t let the name put you off), are independent not-for-proit entities that offer a trusted sharing framework. In essence, they act as a trusted broker for sharing security incidents, and other sensitive information without any fear that the information will be used against the information source. I’m suggesting that a network of European WARPS, that are able to pool and share this sensitive information, not only with the membership of national WARPs, but with the European WARP community, will lead to more robust and secure critical national infrastructures. Perhaps we could call it DigiLeaks? 33 C hristopher Laing is a University Fellow in the Faculty of Engineering and Environment at Northumbria University. He is the Project Director of Northumbria’s Warning, Advice & Reporting Point (nuWARP), part of the UK’s Government CPNI initiative on securing information infrastructures. He is also a founder member of the GCHQ/ EPSRC Cyber Security Research Institute, a Consultant for the European Network & Information Security Agency, and co-editor of ‘Securing Critical Infrastructures and Critical Control Systems: Approaches for Threat Protection’ (IGI Global, 2012) CybeR aCTIvISm and ‘haCTIvISm’ CYBER aCTIVISm anD haCKTIVISm BY PROFESSOR TOM SORELL AND DR MARIAROSARIA TADDEO, UNIvERSITY OF WARWICK Cyber activism and hacktivism are new forms of political participation which have been brought to the fore by the digital revolution. Social and political scientists, as well as ethicists, have focused on these two phenomena, highlighting their implications for the political lives of both democratic and totalitarian countries. However, before considering their political consequences, it is important to focus on their nature and on the differences between the two phenomena. Cyber activism is often a form of conventional political participation that is only distinctive in using the internet as a medium. It uses the internet to support citizens’ participation in the political lives of their countries, e.g. signing online petitions, organising demonstrations, sharing information and attracting attention to relevant problems. Less conventionally, cyber activism also focuses on issues concerning the regulation of the internet, but does so through relatively traditional channels of political discussion. Consider, for example, the Swedish Pirate Party, which emerged from the debate on the regulation for the use of copyright material on the web and now focuses on problems like civil rights, direct democracy and participation in government, reform of copyright, free sharing of knowledge, information privacy, transparency and network neutrality. Hacktivism occupies a different space and is an entirely new phenomenon. It is also quite controversial from an ethical perspective. It is seen as ‘a social and cultural phenomenon, in which the popular politics of direct action has been translated into virtual realms” (Jordan, 2004). This form of political participation emerges from Hackers’ culture and has two roots: the open source or anti-copyright movement, which originated in the 1970s at MIT, and the so-called lulz, which is a more recent phenomenon. ‘Lulz’ is the internet adaptation of the texting acronym ‘L(augh)O(out) L(oud)’: it refers to sharing disturbing or provocative jokes and memes, such as for example the cartoon paedophile mascot ‘Pedobear’. 34 CybeR aCTIvISm and ‘haCTIvISm’ The ethos of the lulz is at the very heart of Anonymous, which over the past decade has become a leading hacktivist movement. Anonymous is a disruptive and powerful social force able to transform sporadic cellbased cyber performances and protests into tactics adopted on a regular basis by globally decentralized networks of individuals seeking to intervene in real-world situations. The decentralization is not just the form of the movement; it is the means through which Anonymous endorses one of its ethical values, i.e. anonymity. Anonymous does Dr. Rosaria Taddeo has been a Marie Curie Research Fellow at the University of Hertfordshire and has been a Research Associate at Oxford. She works in all areas of cyber ethics and cyber-security. She has been awarded several international prizes and is the author of many peerreviewed articles. not rely on a leader, applying instead the so-called ‘one made of many’ model, which de-emphasises the identities of its members. Anonymous members have participated in actions ranging from support for the Arab spring and identiication of sex offenders to attacks on private companies and institutional websites, e.g, the attack against Amazon, PayPal, MasterCard, and VISA and against the Spanish Police and the Malaysian government. The fact that there is no real coherence to Anonymous causes, and the fact that some of its denial of service attacks have seemed arbitrary and have been carried out with impunity, raises questions about the legitimacy of its form of activism. Since Anonymous has also supported the questionable evasion of rape charges by Julian Assange and some questionable Wikileaks disclosures, its actions also call attention to the power of hactivist alliances and the possible illegitimacy of joint activism carried out anonymously and unaccountably. 35 Professor Tom Sorrell is Professor of Politics and Philosophy in the Department of Politics and International Studies (PAIS) at the University of Warwick. He is also ESRC Global Uncertainties Leadership Fellow (2013-15). Before coming to PAIS in January 2013, he was John Ferguson Professor of Global Ethics at the University of Birmingham, and Director of the Centre for the Study of Global Ethics. He was previously Co-Director of the Human Rights Centre and Professor of Philosophy, University of Essex. In 1996-7 he was Fellow in Ethics at Harvard CybeR aCTIvISm and ‘haCTIvISm’ of ThE InTERnET SnowDEn, pRISm, anD STaTE REGUlaTIon BY ANDREW MILLER MP was tempted in writing this piece to focus on away from the only effective approach of greater why there is no public Wi-Fi in the European stakeholder engagement. There is a genuine Parliament but I will avoid that! Let me just say danger at the present that if we allow debates around that as we were at the European Parliament to ‘Prism’ to dominate the way we approach these discuss cyber threat issues in a modern society, matters, there will be unintended consequences we need to accept that most citizens now want leading us towards a more state regulated internet. “anywhere, anytime” connectivity and there are Whilst that supericially will seem good to some, challenging security implications created by that the reality is that it will give more power to control desire. These challenges range from the rights the citizen within any undemocratic nation. Getting and privacy of the citizen, through to the needs the balance right will be one of our real challenges of law enforcers and security services to protect over the next few years, which is why I have always both individuals and the nation state. Whilst been a strong supporter of the Internet Governance these two priorities create tensions between one Forum’s (IGF) approach, promoted so strongly and another, they are not mutually exclusive. by Nominet, with cross party support in the UK. I My concerns about this point were reinforced by The so called Snowden revelations have coloured conversations with a Swedish MEP who clearly this debate. Indeed, whilst we were in Brussels, had no trust in the British state machinery because a press statement emerged regarding internet of the relationship between GCHQ and the NSA. governance that some see as a backward step Conversely, it remains the case that a large amount 36 CybeR aCTIvISm and ‘haCTIvISm’ of anti-terror intelligence gathering requires the most covert surveillance and I have long argued the need for what I would call an “on-line warrant” to empower a state agency to actually examine the content of personal electronic trafic. There is a direct parallel between the electronic world and the physical world here and I believe appropriate mechanisms can be created that protect both citizen and state. ThERE IS a GEnUInE DanGER aT ThE pRESEnT ThaT If wE allow DEBaTES aRoUnD ‘PrISm’ To DomInaTE ThE waY wE appRoaCh ThESE maTTERS, ThERE wIll BE UnInTEnDED ConSEqUEnCES lEaDInG US TowaRDS a moRE STaTE REGUlaTED InTERnET. Whether this is possible, in the current era of mistrust, remains to be seen. The very nature of the EU, in dealing with challenges like these, presents us both with problems and opportunities. As a supporter of our membership of the EU, I will try to look at both sides. The problem is the very reality of dealing with massive data lows, within nations that have very different histories, with various degrees of commitment towards NATO ideals and 28 or more languages. Finding common ground will be very hard indeed. I haVE lonG aRGUED ThE nEED foR whaT I woUlD Call an ‘oN-lINE WArrANT’ To EmpowER a STaTE aGEnCY To aCTUallY ExamInE ThE ConTEnT of pERSonal ElECTRonIC TRaffIC On the plus side, if we can reach agreement we can genuinely set standards that will inluence the world in a way that the Americans or Chinese could not. 37 As Labour Member of Parliament for Ellesmere Port and Neston, Mr Miller represents just under 70,000 electors. As well as dealing with numerous widely diverse issues at constituency level, Mr Miller is also Chair of the Science and Technology Select Committee; Chair of the Parliamentary & Scientific Committee; vice-Chair of the Parliamentary Internet, Communications and Technology Forum (PICTFOR) and a Member of the Liaison Committee. Between 1992 and 2001 he was also a member of the House of Commons Information Committee and has served on many other parliamentary committees. Mr Miller is the author of: ‘Information and Communication Technology Tools for Better Government’ a paper commissioned by the Cabinet Office Minister in preparation for the Modernising Government White Paper in 1998. Mr Miller also presents widely on Information Technology, E-working and E-Government. CybeR aCTIvISm and ‘haCTIvISm’ SoCIal mEDIa IS In manY RESpECTS a SofT-TaRGET foR CYBER-aTTaCK ThE DaRK SIDE of SoCIal mEDIa: RUmoURS, REal TImE anD CYBER SECURITY BY DR. LAYLA J. BRANICKI, LECTURER IN STRATEGY AND INTERNATIONAL BUSINESS, UNIvERSITY OF BIRMINGHAM The invention of social networking technology platforms such as blogs, Facebook and Twitter, and widespread uptake of them by citizens, has led to new and more immediate modes of information exchange. As a result of this technological shift, traditional forms of media (from print press to TV news broadcast) have rapidly been supplemented, or in some cases superseded, by modes of communication that are more social, frequent, accessible and interactive. While these new technologies have brought many beneits for users and for wider society, they are not without their risks and challenges. For example, in January 2010, via the social media platform Twitter, a rumour spread in real-time about the evacuation of the Grand Central Terminal in Manhattan. A journalist recounted that ‘streaming before my eyes was… the ebb and low of rumor’ and noted that the experience of real-time data analytics, in this context, was ‘fascinating, frustrating and mesmerizing’ (Bnet, 2010). Multiple versions of the rumour spread rapidly through Twitter and ranged from the entire report being a Twitter hoax, to a steam explosion resulting in one death and 15 injured to a dirty bomb attack (Bnet, 2010). The NYPD later conirmed that the station had been briely evacuated but there was no evidence of either injuries or a terrorist threat. The case of Grand Central highlights a dark side to the use of both social media and real-time data analytics. Whether false rumour spread is thoughtless, intentional or malicious it has the potential to inluence real world action and raises the possibility that social media accounts might be hijacked or harnessed in order to create panic and disruption. In effect, the social media platform creates the potential for a crisis to be generated from a non-event (e.g. a reported terrorist attack). Understanding the ways in which information is exchanged and rumours proliferate across social media platforms is critical for understanding the scale of this predominantly social as opposed to technical threat to cyber-security. A recent multi-disciplinary study found that the speed, scale and scope of rumour spread across a social media network was heavily predicated on both the social and network characteristics of the person creating or transferring the information (see Preston et al, 2013). For example, a highly connected individual with an established voice on a social media platform is arguably more likely to inluence realworld actions as a result of the information that they post (see Branicki and Agyei, 2014). 38 CybeR aCTIvISm and ‘haCTIvISm’ The outcome of malicious social media rumour spread in relation to non-events might range from individual anxiety to crowd panic, and from unnecessary resource allocation to city evacuation. Two methods by which social media could be targeted are: a) The creation and maintenance of a large number of ‘sockpuppet’ accounts (i.e. created and used solely for the purpose of deception) which are then used to seed false and/or malicious rumours across social media networks; Dr Layla Branicki is a lecturer at Birmingham Business School (University of Birmingham) specialising in the linked areas of resilience, critical national infrastructure protection and the impact of social media on crisis communication. Prior to joining Birmingham Layla was the Strategy, Organisational Learning and Resilience Research Fellow at Warwick Business School. Layla worked on the first major UK project to examine the existing capacity of organisations, and networks of organisations, to manage emergencies and was a coinvestigator on the EPSRC funded project ‘Game Theory and Adaptive Networks for Smart City Evacuation’. b) The hacking and hijacking of existing user accounts which are either dormant or highly network centric. Approaches to the malicious use of social media could use Twitterbots (or similar) to produce a schedule of automated posts designed to increase the rapidity of information spread and the traction of the messages (i.e. by including faked or mislabelled images). Social media is in many respects a soft-target for cyber-attack, as the methods used may require relatively minimum levels of technical expertise, be low cost, diffuse, and as a result dificult to detect. Understanding the ways in which social media platforms are used and how information spreads across them is therefore critical in enabling the risks associated with social media to be better understood and for appropriate interventions to be designed. A central tension however exists between mitigating the threats and enabling the opportunities created by access to an open and connected internet. In the EU’s vision of ‘how to enhance security in cyberspace’ it is stated that ‘for cyberspace to remain open and free, the same norms, principles and values that the EU upholds ofline, should also apply online’ (European Commission, 2013) and yet it is unclear how this can or ought to be applied to the soft-target of social media. In section 1.21 of the UK National Security Strategy (2010) the potential impact of a new ‘mass of connections’ upon security was highlighted. It was argued that networks, including social networking technologies and 24 hour news media, could impact security as interest groups become more able to pressurise governments and a wide range of ideas easily proliferate globally (UK National Security Strategy, 2010). An article on ZDNet highlighted how reducing loose connections on Facebook could decrease the risk of terrorism and discussed, as a possible intervention, ‘National Unfriend Day’ (2010). Loose networks may lead to increased risk in extreme cases and yet they also facilitate openness and connectivity on a daily basis. How to best police and protect social media is therefore a complex cybersecurity question as it is as much about trade-offs between privacy and ethics as it is about technical intervention. 39 bIblIogRaPhy EnD noTES THE LEGAL PERSPECTIVE Share prices are rarely hit hard by cyber attacks, Financial Times, 31 October, 2013 PwC: Unlocking Potential: Finance effectiveness benchmark study 2013. October 2013, page 27. (http:// www.pwc.com/et_EE/EE/publications/assets/pub/unlocking-potential-inancial-effectiveness-benchmarkstudy-2013.pdf) THE BUSINESS PERSPECTIVE http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-fromgovernment-snooping.aspx http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/01/31/microsoft-announces-brusselstransparency-center-at-munich-security-conference.aspx EUROPEAN CRITICAL INFORMATION INFRASTRUCTURE 1) Joint Communication to the European Parliament, “The Council, The European Economic and Social Committee and the Committee of the Regions, Brussels”; Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace 7.2.2013 JOIN(2013) 1 Final. 2) Commission Staff Working Document, on a new approach to the European Programme for Critical Infrastructure Protection, Making European Critical Infrastructures more secure, 28.8.2013 SWD(2013) 318 Final. 2a) Executive summary of the Impact Assessment on PDEPC (2013). 3) Directive of the European Parliament and of the Council, concerning measures to ensure a high common level of network and information security across the union. 4) Digital Agenda for Europe (2010, reviewed Dec 2012), Pillar 3 Trust and Security. 5) Beneits of an integrated European energy market, DG Energy commissioned report (2013). 6) Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurityframework-021214.pdf PROTECTING CRITICAL NATIONAL INFRASTRUCTURE ACROSS BORDERS: CYBER SECURITY AND BLENDED THREAT References: ASIS International (2012) ANSI / ASIS PAP.1 - 2012. Security Management Standard: Physical Asset Protection. This document is available at: http://www.asisonline.org ISO 22301:2012, Societal Security – Business Continuity Management Systems - requirements. BSI Standards Limited. ISO/IEC 27001:2013, Information technology — Security Techniques – Information Security Management Systems requirements. BSI Standards Limited. ISO/IEC 27002:2013, Information technology — Security Techniques — Code of practice for information security controls; BSI Standards Limited. ISO 31000:2009, Risk management — Principles and guidelines. BSI Standards Limited. CYBER ACTIVISM AND HACKTIVISM Jordan, T. 2004, Activism!: Direct Action, Hacktivism and the Future of Society, Reaktion Books - Focus on Contemporary Issues. Milan, S. 2012, “The Guardians of the Internet? Politics and Ethics of Cyberactivists (and of their Observers)”, Inter-Asia Roundtable 2012 The Dark Side of Social MediaL Rumours, Real-Time and Cyber-Security Branicki, L. and Agyei, D. (forthcoming 2014). Unpacking the impacts of social media upon crisis communication and city evacuation in Preston, J. (editor), City Evacuations: an interdisciplinary approach, Springer: NY. Bnet (2010), Evacuation at Grand Central? Anatomy of a Twitter Rumour. Accessible: http://www.bnet. com/blog/new-media/evacuation-at-grand-central-anatomy-of-a-twitter-rumor/4615 Accessed: 24.04.14 40 CommISSIoneRS and aCknowledgemenTS European Commission (2013), Joint Communication on the Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace. Accessible: http://eeas.europa.eu/policies/eu-cybersecurity/cybsec_comm_en.pdf Accessed: 24.04.14. Preston, J., Binner, J., Branicki, L., Ferrario, M., Galla, T., Jones, N. and Kolokitha, M. (2013). City evacuations: preparedness, warning, action and recovery. Final report of the DFUSE project (Game theory and adaptive networks for smart evacuations: EP/I005765/1). Accessible: http://www. cityevacuations.org/public-report.html Accessed: 24.04.14. UK National Security Strategy (2010). Accessible from: https://www.gov.uk/government/uploads/system/ uploads/attachment_data/ile/61936/national-security-strategy.pdf Accessed: 24.04.14. ZDNet (2010), ‘How ‘National Unfriend Day’ can prevent terrorism’, Accessible: http://www.zdnet.com/ blog/igeneration/how-national-unfriend-day-can-prevent-terrorism/6696 Accessed: 02.12.10. lIST of CommISSIonERS JONATHAN SAGE (Government Programmes Executive, IBM) STEPHEN MOSLEY MP COLIN WHITTAKER (Head of Payment System Security, Visa Europe) ANDREW MILLER MP (Chair, Science and Technology Select Committee) TIM PARSONS (Cyber Lead Technologist, Selex ES) JAMES MORRIS MP JANE JENKINS (Partner, Freshields Bruckhaus Deringer) DR DUNCAN HINE (Principal Fellow, Warwick Manufacturing Group, University of Warwick) PROFESSOR TOM SORELL (Professor of Politics and Philosophy and Head of the Interdisciplinary Ethics Research Group, Politics and International Studies, University of Warwick) CHRISTIAN ENGSTROM MEP NIKKI MUCKLE (Senior Assistant Registrar, Research Strategy, University of Warwick) JESSICA SMITH (Cabinet Ofice) DR GEORGE CHRISTOU (Professor of Politics, University of Warwick) RACHAEL BISHOP (Lead NIS Directive, BIS) DR CHRISTOPHER LAING (Northumbria University) PROFESSOR RICHARD ALDRICH (Director of Research, Politics and International Studies, University of Warwick) LYNNE COVENTRY (Northumbria University) DAVID ABRAHAMS (Head of Public Policy, Nominet) CARLA BAKER (Senior Government Affairs Manager, Symantec) JAN NEUTZE (Director of Cyber-Security Policy, Microsoft EMEA) PROFESSOR TIM WATSON (Director, Cyber Security Centre, University of Warwick) aCKnowlEDGEmEnTS Firstly, the Industry and Parliament Trust (IPT) would like to thank the University of Warwick for funding the Cyber-Security Commission, the visit to Brussels and the publication of this report. Particular thanks should be given to Dr Duncan Hine, Professor Richard Aldrich, Nikki Muckle and Denise Hewlett for the ideas behind the commission and help in bringing together such an interesting group of academics, parliamentarians and industry representatives. The IPT would also like to thank the Parliamentary Internet, Communications and Technology Forum (PICTFOR) for assisting in creating the content for the commission and help in bringing the three PICTFOR parliamentarians to the commission’s events and activities. We would also like to thank all those involved in the sessions in Brussels and this report, without whom none of this would be possible; Christian Engstrom MEP, Emma McClarkin MEP, Sajjad Karim MEP, Phil Uzupris from the UK Representation to the European Parliament (UKREP), Jonathan Sage from IBM, Rachael Bishop from the Department for Business, Innovation and Skills (BIS), Jessica Smith from the Cabinet Ofice and Steve Purser from The European Network and Information Security Agency (ENISA). Finally, special thanks should go to Rioco Green, the IPT’s wonderful Communications Intern, who helped design this report and, ultimately, made it look so good. Talal Rajab, June 2014 41 headeR leFT T he Industry and Parliament Trust’s (IPT) Cyber Security Commission was designed to assess how best to nurture uk/eu co-operation on cyber-security and create a series of thoughts to that affect. The aims of the project were achieved by creating a group of ‘Commissioners’ consisting of academics, policymakers and industry representatives who discussed the different ways in which to formulate a cross-border response to the ever changing threat of cyber-crime. The Commissioners helped deliver the content and direction of the discussions and documented their findings in this report. The main bulk of the Commission took place in brussels over two days in February with the IPT arranging a delegation of commissioners to visit the Joint Research Centre (JRC) in the european Commission and receive a set of briefings on the targets and progress of the eu’s agenda on cyber-security. These briefings drew on the expertise of industry representatives, academics and policymakers, with the aim of the sessions being to develop a consensual framework from the delegation on eu/uk cyber security co-operation. I CommEnD ThIS VolUmE of faSCInaTInG ESSaYS aS a ConTRIBUTIon To DEBaTE aCRoSS EURopE on how BEST To aDDRESS ThIS ThREaT. - James Arbuthnot MP for North East Hampshire ThE InDUSTRY anD paRlIamEnT TRUST CYBER SECURITY CommISSIon, waS an InfoRmaTIVE anD EnlIGhTEnInG SERIES of EVEnTS ThaT hIGhlIGhTED ThE pRoGRESS maDE, anD ThE woRK YET To Do, aRoUnD CYBER SECURITY wIThIn ThE EURopEan UnIon. - Professor Tim Watson, Warwick University Industry and Parliament Trust www.ipt.org.uk @indparltrust 42