Report Cyber Security. Industry and Parliament Trust CYBER SECURITY 2.0


Report Cyber Security. Industry and Parliament Trust. CYBER SECURITY 2.0: Reflections on UK/EU Cyber Security Co-operation

CONTENTS

1. Foreword and Introduction. By James Arbuthnot MP and Talal Rajab, IPT
2. You, Me, and the Great Threat to Cyber Security. By Stephen Mosley MP
3. Cyber-Security: The Need for Greater Co-Operation Between Public, Private and Academic Spheres. By Tim Watson
4. The Challenges of Creating a Pan-European Approach to Cyber-Security. By James Morris MP
5. The Network and Information Security Directive - What Role can Regulation Play in Improving Cyber Security: The Legal Perspective. By Jane Jenkins
6. Cyber Security Legislation in Europe: The NIS Directive and the Opportunities for Leadership and Harmonization: The Business Perspective. By Jan Neutze
7. Cyber Security Regulation and its Relevance to the Payments Industry: A Case Study. By Colin Whittaker
8. The Policy Challenges of Cyber Security. By David Abrahams
9. The NIS Directive and Protecting Critical National Infrastructure. By Carla Baker
10. European Critical Information Infrastructure. By T.J. Parsons
11. Protecting Critical National Infrastructure across Borders: Cyber Security and the Blended Threat. By James Willison
12. A Year is a Short Time in Cyber-Space. By Dr. Christopher Laing
13. Cyber Activism and Hacktivism. By Tom Sorell and Mariarosaria Taddeo
14. Snowden, Prism and State Regulation of the Internet. By Andrew Miller MP
15. The Dark Side of Social Media: Rumours, Real Time and Cyber Security. By Dr. Layla J Branicki
Bibliography
List of Commissioners and Acknowledgements

Foreword

There can be few areas in which the need for politicians and industry to work closely together has greater resonance than the field of cyber-security, and I am delighted that the Industry and Parliament Trust has contributed to bringing together thinking in this area.

UK/EU Cyber Security Co-operation, by James Arbuthnot MP, former Chair of the House of Commons Defence Select Committee

The threat of cyber-attack was identified in the National Security Strategy as one of the highest priority risks facing the UK. Whilst Government has an important role to play in protection against such attack, and this issue is being given increasing priority across Government, much of the work in ensuring security of our critical infrastructure must be done in the private sector. Defence doctrine places a strong emphasis on the importance of deterring security threats, using the full spectrum of the state's capabilities to make clear to potential enemies that there will be costs to hostile action that will outweigh the benefits they hope to achieve. Cyber-attack poses a different challenge. It may not be readily clear that a state or single body can be held responsible, and there may therefore be no one against whom retaliation can be threatened. Where the ability to deter is reduced, there is a need to focus instead on protecting critical systems against attack, ensuring that they are resilient in the face of attacks that get through, and building in systems for quick recovery in the event of successful and destructive attack. This is as much a task for the private sector as for Government. A successful cyber-attack on the UK could have truly apocalyptic consequences and, given the linkages between our economies, a threat to our EU partners also represents a threat to the UK. I commend this volume of fascinating essays as a contribution to debate across Europe on how best to address this threat.

Introduction: Reflections on EU/UK Cyber-Security Co-operation

By Talal Rajab, Business Relations Manager, Industry and Parliament Trust

Cyber-security remains a hot topic for both industry and Parliament. It has been over two years now since the UK Government published its National Cyber Security Strategy. Its key objectives were to make the UK more cyber-resilient to protect our interests, build cyber-security knowledge and skills amongst the population and, ultimately, make the UK the most secure place to do cyber-related business. Cyber criminals are, however, global in their outlook and protecting our interests in cyber-space therefore requires a global approach. Recent EU directives surrounding cyber-security have attempted to standardise practice amongst member states, though the effects these proposed directives will have on states and their businesses are debatable. How, for example, do you define what is critical when referring to critical national infrastructure from country to country? How have revelations regarding PRISM and Edward Snowden affected co-operation between nations? And how can the public, private and academic spheres better work together to improve our responses to the threat of cyber-crime? The purpose of this report is to analyse the role regulation can play in answering these questions, and more. Comprising short essays from parliamentarians, academics and representatives from industry, the report will seek to assess recent EU legislation around cyber-security and analyse some of the key concerns related to UK/EU cyber-security co-operation, focused on three key areas: the EU's recent Network and Information Security Directive (NIS), the standardisation of protecting critical infrastructure across the EU and the effects of cyber-activism on businesses and policymaking around Europe.
In Chapter One we have contributions from Stephen Mosley MP, Professor Tim Watson of the University of Warwick and James Morris MP, with introductory pieces on the IPT's cyber-security commission and an analysis of the challenges towards creating a pan-European approach to cyber-security.

Chapter Two delves into the legal and regulatory principles behind UK/EU cyber-security co-operation, with a particular focus on the EU's recent Network and Information Security (NIS) Directive. Jane Jenkins (Freshfields Bruckhaus Deringer), Jan Neutze (EMEA Microsoft), David Abrahams (Nominet) and Colin Whittaker (Visa Europe) look at the regulatory principles behind the directive and assess its impact on businesses. In Chapter Three we focus more closely on a key aspect of cyber-security that many argue requires the greatest cross-border co-operation: that of protecting critical national infrastructure. Carla Baker (Symantec), James Willison (ASIS International) and Tim Parsons (Selex ES) outline the current cyber initiatives and standards operating in the EU and the UK related to protecting critical national infrastructure, both voluntary and mandatory, and stress the need for a holistic approach to managing the cyber-related risks to infrastructure that involves greater co-operation between the public and private sectors. Finally, Chapter Four takes a look at one of the most pertinent cyber-security related topics at the moment: that of cyber-activism, or hacktivism. Tom Sorell and Mariarosaria Taddeo (University of Warwick), Andrew Miller MP, Dr Layla Branicki (University of Birmingham) and Dr Christopher Laing (Northumbria University) discuss recent trends in relation to cyber-activism and the security implications created by the desire amongst the population of having anywhere, anytime connectivity to the internet. This report does not pretend to provide any concrete solutions to many of the problems related to cyber-security regulation, nor does it attempt to take any particular position on the merits of UK/EU co-operation around cyber-security. Its purpose is to analyse some of the key policy related questions associated with UK/EU cyber-security co-operation and hopefully provide a platform for others to continue the discussions further.
Regardless of the UK's relationship with the EU in the future, and regardless of how EU legislation around cyber-security develops, it is clear that the questions and topics raised in this report will continue for a long period of time. We hope that this collection of essays helps bring policymakers, industry representatives and academics closer together to ensure that the UK's cyber-space is the best regulated, and best protected.

The IPT is an independent, non-lobbying, non-partisan charity that provides a trusted platform of engagement between Parliament and UK business. The IPT is dually supported by cross-party representation of senior parliamentarians on its Board of Trustees, and through the patronage of its industry supporters. The IPT creates an environment that supports trusted, open and two-way dialogue between Parliament and UK business. IPT platforms engage, educate and inform, create lasting relationships and facilitate the exchange of ideas.

UK/EU Cyber Security Co-operation

You and Me: The Great Threat to Cyber Security

By Stephen Mosley MP

During the Industry & Parliament Trust (IPT) and Parliamentary Internet Communications Technology Forum (PICTFOR) Cyber Security Commission visit to Brussels, there was one constant theme that stood out. Whether you attended the discussion groups, seminars or meetings, you will have heard the same message: no matter how secure your system, how comprehensive your regulations or the type of business you are involved in, there is always one weak point in your network. And that weak point is consistent the world over. It is, of course, the user. The background to our visit was the Snowden revelations. This event had an intense impact on the UK, our relationships with our European partners and the future of our security intelligence services. What's more, it perfectly demonstrated the conference's lesson about user-weakness. Here was a man, who had only been in place for a few months with relatively little power or influence, who managed to smuggle over one million files out of the National Security Agency (NSA), an organisation that you would hope would be one of the most secure institutions in the world. It is of no surprise that spies spy and I do not think anybody realistically expected the NSA to not hold data on a wide range of security interests. What came as a surprise, at least for me, was that one man had access to so much important data. Except he didn't. Not quite. He was helped by the user error of his colleagues, up to two dozen of whom were duped by his system administrator status to give him their login details. That user error, admittedly combined with a staggering degree of systemic vulnerability, could threaten the NSA opens up a much bigger challenge, and not just for America.

During the conference we also heard that the most likely way that Iran's uranium enrichment facilities were infected and damaged by the Stuxnet virus was by someone inserting an infected USB stick into a Windows machine. One of the most secure sites in Iran, built to withstand bombing raids and totally protected against external cyber-attacks, was brought low because someone inserted a USB stick. And how did that person get hold of the USB stick? They most likely found it in the car park. The Stuxnet virus took advantage of previously unknown hacks in Microsoft software. Within minutes of Microsoft releasing new software patches on Patch Tuesday, the second Tuesday of every month, malware developers take advantage of the hacks revealed to attack machines. This high-speed activity from potential hackers is here to stay but individuals can protect themselves. Often, Microsoft's vulnerabilities are exposed and systems penetrated because users failed to update their software. The only answer is to make sure that you always update your machines with the latest patches as regularly as possible. Finally, it is not just in Iranian security facilities and the headquarters of the NSA where security is under threat. The final major case of user error is something with which we are all familiar. That suspicious-looking email arrives in your inbox; you don't recognise the sender and it comes with an attachment. You download it and, predictably, it contains a virus. This familiar tale is the most common case of security breaches and we can all take small steps to prevent it. So I've come back from Brussels with a very simple message.
Whether you're working for the Government, running your own business or simply sitting at home on your laptop, you must always update your software, never open attachments when you do not know what they are and never put strange USB sticks in your machine!

Stephen Mosley has been the Member of Parliament for the City of Chester since Before entering parliament, Stephen enjoyed a career in the IT industry, initially working for IBM before setting up his own IT Consultancy in He has a Degree in Chemistry from the University of Nottingham and has served on Chester City Council (2000-9), including two years as Deputy Leader of the Council, and on Cheshire County Council (2005-9). In Parliament, Stephen serves as a member of the Science & Technology Select Committee, is Co-Chair of the Parliamentary ICT Forum and has been appointed a Small Business Ambassador by the Prime Minister.

Cyber-Security: The Need for Greater Co-Operation between Public, Private and Academic Spheres

By Professor Tim Watson, University of Warwick

The Industry and Parliament Trust (IPT) Cyber Security Commission was an informative and enlightening series of events that highlighted the progress made, and the work yet to do, around cyber-security within the European Union. Vladimir Sucha, the Director General of the Joint Research Centre (JRC), opened proceedings with an overview of the work being done by the JRC. It became clear that whilst the JRC are doing good work around cyber-security, engaging with national bodies and academic institutions, there are benefits to be had from greater collaboration. It was concluded that it may be worthwhile for the JRC to consider staff exchanges with universities. One of the issues raised throughout our time in Brussels was the common view that public and private sector communities are continually playing catch-up and are one step behind attackers. While it is true that criminals are often extremely agile in their ability to exploit new systems, be they economic, social or technical, and while it is equally true that the process of regulation and governance often cannot react at the same pace, it is not inevitable that the defenders of systems will be playing catch-up. Often law enforcement, security and intelligence agencies are one or more steps ahead of criminals. There is no reason why organisations, large and small, cannot provide adequate protection for their systems without stifling the business processes that they are meant to facilitate. For this to happen we need to provide the right balance of training, education and awareness in areas such as procurement and contracts, board level governance and operational security so that trustworthy systems are procured, developed and maintained.

We also need to improve the social and narrative interaction between the security communities and the decision-makers within organisations so that cyber-security is seen as a business enabler and so that the risks and rewards of doing it properly are clear to all. The private sector has its part to play too, as there is still too much reliance on the technical solutions provided by cyber-security firms. There needs to be a greater contribution from the behavioural sciences in the development of technical security controls, and the historic preference for commoditised products over more holistic security services should be discouraged. While it can be argued that an academic may not be completely unbiased in this area, it does seem as though we should move from a position of trying to buy cyber-security off the shelf and to have staff trained sufficiently to operate the products, to a position where cyber-security is educated into organisations and the focus for security controls is as much on social, cultural and behavioural controls as it is on technical controls. This ought to be a key focus for the JRC and for Member States.

Prof. Tim Watson is the Director of the Cyber Security Centre at the University of Warwick. With more than twenty years' experience in the computing industry and in academia, he has been involved with a wide range of computer systems on several high-profile projects and has acted as a consultant for some of the largest telecoms, power and oil companies. He has designed, produced and delivered innovative courses on cyber-security for a variety of public and private-sector organisations. Tim's current research includes EU funded projects on combatting cyber-crime and research into the protection of infrastructure against cyber-attack. Tim is also a regular media commentator on digital forensics and cyber-security.

The Challenges of Creating a Pan-European Approach to Cyber-Security

By James Morris MP

James is the Conservative Member of Parliament for Halesowen and Rowley Regis and Parliamentary Private Secretary to Employment Minister Esther McVey. He was previously a successful small businessman specialising in computer software. In 2003 he founded Mind the Gap, an independent campaign to promote civic action and to encourage more grassroots involvement in politics. Prior to entering Parliament, James was the Chief Executive of the think tank Localis. Prior to becoming a PPS to Esther McVey MP, James was a member of the Communities and Local Government Select Committee and is currently a member of the All Party Parliamentary Group on Homeland Security.

The challenge for government and business in relation to tackling threats from cyberspace is complex and multi-dimensional. It poses difficult questions as to the most appropriate level at which to tackle the problem in a world which has porous borders and ungoverned virtual spaces. Should Britain seek to tackle the problem at a national, European Union or global level? Combatting the threat of cyber-attack on business, government and critical national infrastructure involves dismantling traditional notions of sovereignty, boundaries and protocols and thinking about co-operative relationships in a new way. Successful solutions in this area do demand that countries co-operate across traditional boundaries and that businesses share information both among other businesses and with governments. The networked world presents rich opportunities for business and government while simultaneously offering a similarly rich array of strategic and tactical threats. Recent attempts to regulate cyberspace at the European Union level on a pan-European basis seem doomed to fail because they fail to take into account the flexibility that is required to cope with the strategic threats of the networked world.
Many countries in Europe have yet to develop an appropriate strategic level of operational response to the cyber threat, and the danger of European Union level regulation is that the UK could be dragged into an elaborate attempt to drag the weakest up to a certain level. Would this be in Britain's national interest? Attempting to regulate on a pan-European basis also runs into complex definitional issues. For example, is it possible to define what pan-European critical national infrastructure is? The answer is almost certainly no. The reality is that some light touch co-operation across Europe may be desirable; but Britain should be seeking a global reach in its overall approach to cyber-security by building a network of co-operative alliances with countries like Israel and the US rather than locking itself into a European Union approach which is predicated on the lowest common denominator. Britain should be seeking to build this network of co-operative relationships as a more appropriate response to the complex global challenge of cyber-security.

Cyber-security regulation

The Network and Information Security Directive - What Role Can Regulation Play in Improving Cyber Security: The Legal Perspective

By Jane Jenkins, Partner, Freshfields Bruckhaus Deringer LLP

In February 2013 the European Commission published its proposal for a draft Directive on Network and Information Security (NIS) to regulate operators of critical national infrastructure across the EU. The objectives behind the Directive are to create an EU wide information sharing framework with requirements for each Member State to adopt a network and information security strategy, to designate a national authority charged with implementation, to establish a computer emergency response team to respond to NIS risks and incidents and to ensure operators put in place appropriate security measures. There is a requirement to report significant incidents to national authorities, who will have discretion to publish reports where they deem publication to be in the national interest. The authorities will also have the power to impose sanctions for failure to meet the required standards. The draft Directive has provoked significant debate around key issues including its scope, the mandatory reporting of breaches and the imposition of additional technical standards. On 13 March 2014 the European Parliament approved a revised draft containing significant amendments to water down the scope and effect of the law. Cyber-security is an arena where defence and data protection meet. Attackers have varying motivations: some look to use data theft and service disruption as a means of advancing political and ideological agendas. Others are exploiting vulnerabilities in networks to steal data for financial gain and perpetrate fraud. The Commission justifies the imposition of regulation as a means to establishing a reliable environment for the proper functioning of essential services.
The Directive is not driven by the protection of data or personal privacy; it is concerned with protecting critical national infrastructure.

The aim of this paper is to identify the competing arguments and address the Directive in the broader context of regulatory developments in the USA and Germany. The European Commission considers existing EU rules, requiring telecoms and data controllers to adopt security measures and report security incidents, to be too specific and too fragmented to truly affect cyber-security issues. It sees the new Directive as establishing an enhanced, consistent EU-wide standard to protect our key internet based infrastructure. The Commission's proposal extends to internet companies, cloud providers, social networks, e-commerce platforms, search engines, banking and trading markets, energy generators, transmission and distribution companies, operators of transport systems (including aviation, maritime and rail), hospitals and clinics and public administrations. The EU Parliament has removed key internet enablers and provided greater detail around remaining categories to include specifically regulated markets, multilateral trading facilities and organised trading facilities. Listed companies will be subject to minimum security standards. Conversely, public administrations are not caught en masse - only those which fall within the definition of the other specific functions. This is surprising, given the vulnerability and criticality of central and local government. Suppliers in the UK, in particular, may react with cynicism given the strong messaging to industry generally to address cyber-security at the board level and the stated intention to exclude from government contracting those suppliers who do not meet acceptable standards of cyber health.

Mandatory Reporting and Publicity: The Controversies

Perhaps the most controversial issue in the draft Directive is the requirement to report significant breaches coupled with the ability of the NIS to make such reports public.
Whilst the UK Government fully supports the objectives of increasing protection and resilience against attacks, it feels that mandatory reporting will create perverse incentives that may cause companies to turn a blind eye to risks. The UK Government, rather, advocates a policy of voluntary information sharing and has therefore set up the information sharing partnership (CISP) to encourage the sharing of information about attacks and the means to combat them. Industry points to the risk of damage to reputation, with associated impact on share price and customer loyalty, as a key cause for concern in regard to the issue of mandatory reporting. These arguments are less persuasive given the existing requirement under data protection laws to report significant attacks to data subjects and, separately, under the Stock Exchange listing rules to disclose to the market any incident that may impact on share price under the reasonable investor principle. This raises an interesting point concerning the impact that cyber-attacks which are made public have on share prices. A limited survey conducted in 2013 suggested that share prices were unaffected by publicity around cyber breaches. This suggests a lack of investor appreciation of the risks to businesses posed by such attacks. Indeed, a 2013 PwC survey revealed that the majority of Finance Directors of FTSE350 companies were unable to evaluate the cyber risks to their businesses so as to make decisions as to the proportionate and appropriate levels of investment required to commit to cyber risk management. If Finance Directors are in the dark, investors will be too.

The attack on US retail group Target, at the end of last year, may be a wake-up call.

CASE STUDY: On 19 December 2013 Target announced that hackers entering its network via a heating supplier had stolen basic card data for 40 million of its customers. On 10 January 2014 this was revised to 70 million customers. The company's stock value fell 4% over this period and the company now faces class actions from its customers whose data have been lost, its shareholders who allege a breach of fiduciary duties of the directors to safeguard the information lost and the banks who have had to compensate their customers for fraudulent credit card transactions.

IMCO and the EU Parliament's reactions to the mandatory reporting obligation were to introduce additional protections for the company suffering the attack. Firstly, there is a statement that the notification of incidents shall not expose the notifying party to increased liability. It is unclear how such a provision would work in a case where an incident gives rise to civil liability to customers or other third parties. It would not seem appropriate to deny those parties the opportunity to pursue their legal rights arising under national law. Additionally, Parliament has introduced a right to be consulted on a proposed publication with a hearing if requested. Where information is publicised, it proposes that this shall be anonymised. On market disclosure the amendments propose that Member States shall encourage market operators to make public incidents involving their corporation in their financial reports on a voluntary basis. There is a tension here with existing notification rules and the Securities Exchange Commission has indicated it is contemplating enforcement action in relation to failures to report incidents to market. A further area of uncertainty is the threshold for reporting.
IMCO has sought to provide greater clarity around the definition of a significant incident which will trigger the notification obligation. It proposes that significance be determined by factors including the number of users affected and the duration and geographic spread of the incident. In its current form the Directive envisages the development of sector specific guidance on both the meaning of a significant incident and the related test for mandatory notification. The European Network and Information Security Agency (ENISA) will be involved in developing that guidance. There has been resistance from industry to setting technical standards at the EU level given a concern at the inconsistent standards applying outside the EU. Commentators are concerned that a standard will become a lowest common denominator and encourage a tick box approach to compliance as opposed to a dynamic and continuous review of threats and their management. Germany, however, is pressing ahead with its own legislation which is likely to be in place before the EU Directive. Its IT Security Act is aimed at imposing mandatory standards (currently being addressed on a sector specific basis with trade associations), obligations to report incidents and to conduct an audit on a two yearly basis. There is a strong potential for the German approach to be highly influential in the debate around the appropriate EU position. Whilst industry in the UK is generally resistant to mandatory standards, they are even more resistant to the potential for inconsistent standards applying in different jurisdictions.

In the US, the National Institute of Standards and Technology issued on 12 February 2014 a voluntary risk-based framework, foreshadowed by the Executive Order on Improving Critical Infrastructure Cyber-security made on 12 February The framework was created through collaboration between government and the private sector, with a view to addressing and managing cyber-security risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The framework does not impose new standards but rather provides a structure for navigating existing standards applicable to critical national infrastructure so businesses can build a risk-based plan adapted to their needs. While it is not mandatory, compliance with the framework is likely to become a benchmark against which security measures are tested in any litigation or regulatory investigation.

Fortress Europe and Protectionism

Another issue being discussed is the possible creation of siloed internet systems. The shadow cast by the Snowden revelations has caused some Europeans to raise the need for the separation of networks. Commentators have expressed concern at a trend towards forced data localisation and hardware production on the grounds of national security, seeing this as thinly disguised protectionism. Similarly, differing national standards for encryption methodologies are threatening to frustrate integration of systems across borders.

Conclusion: Is Voluntary Information Sharing the Solution?

More recent developments include discussion around public-private information sharing platforms along the lines of the model adopted in the UK. The EU is to publish guidance on risk management and information sharing in the second quarter of this year.
There is strong support for such initiatives and it remains to be seen whether this model will overtake the Commission's support for mandatory information sharing. The Commission intends to contest both the watering down of the requirement for each NIS to share information on attacks and the removal of key internet enablers from the scope of the Directive. The debate going forward promises to be intense. It will be interesting to see if any Member State asserts its right to opt out of the Directive in all or part on the basis of its right to retain sovereignty over issues affecting its essential interests of national security and, if so, how the Commission will respond.

Jane is a solicitor and partner at Freshfields Bruckhaus Deringer. She co-heads the firm's international cyber security and defence teams. She advises clients on legal risk evaluation, mitigation and response in the aftermath of a cyber attack including management of the interface with regulators and litigation.

Cyber-security Legislation in Europe: The NIS Directive and the Opportunities for Leadership & Harmonization: The Business Perspective

By Jan Neutze, Director of Cyber-security Policy, EMEA, Microsoft

Just over a year has passed since the European Commission published its proposals for the first EU Cyber-Security Strategy and its accompanying Network and Information Security (NIS) Directive. Since then, a lot has happened in the cyber-security discourse. The disclosures over alleged government snooping have sparked concern, and in some cases outrage, over the size, scope and character of government surveillance programs. Microsoft, along with other ICT companies, announced significant technical, legal and transparency measures to enhance customer protections. The shifting threat model has influenced the perception of cyber-threats and reshaped the public debate. At the recently held 50th Munich Security Conference, cyber-security was the topic of the opening panel, further evidencing how questions of security, privacy and transparency in cyber-space have become key public policy issues of our time.

The first anniversary of the European Commission's initiatives therefore represents a timely opportunity to look back and assess the progress made so far. Global developments have made it even clearer that the Commission's proposals needed to be considered contextually and not in isolation. Draft legislation on the processing of personal data and free movement of such data, as discussed within the framework of the General Data Protection Regulation, as well as the draft regulation on electronic identification and trust services for electronic transactions, touch on many of the points put forward in the NIS Directive. All relevant stakeholders must ensure co-ordination between these three important pieces of legislation, in particular in areas such as data protection provisions, breach notifications, auditing, liability and reporting.
A lack of harmonization across these initiatives could potentially result in conflicting requirements, which in turn could lead to a less secure cyber ecosystem, both within the EU and globally. Some of these challenges notwithstanding, we welcome the substantial progress that has been made, in particular with regard to the development of the NIS Directive. Success in cyber-security depends on committing to risk management. By focusing on the protection of Europe's most critical services and assets, leaders in the European Parliament have signaled a commitment to a risk management approach and framework intended to support collaboration and accountability. For example, recently proposed changes now provide the opportunity for the private sector to participate in the planned NIS co-operation network, which would allow for sharing of best practices and strategic analysis.

Other parts of the draft NIS Directive could still benefit from additional clarity, including how national competent authorities (NCAs) or single points of contact will in fact interact with one another and what information they will share; similarly, greater emphasis on the role of international standards and recognized certification agreements would be a welcome step forward.

Last, but not least, it is important to note the progress already made on cyber-security at the Member State level over the past year. Close to half of the EU Member States have (re-)committed to strengthening their cyber-security efforts, either through work on national cyber-security strategies, as envisioned in the European Commission proposals, or through efforts aimed at capacity building and greater co-operation, as seen by the BeNeLux countries, Germany, Poland, and the United Kingdom. It is important that these commitments translate into concrete actions that reconcile both security and privacy while striving for maximum harmonization. The European Union has an incredible opportunity to become a policy leader in cyber-security and we should all work to support this effort.

Harmonization is important beyond Europe. Just a few weeks ago, the United States released a Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"). This Framework was developed over the past 12 months through a collaborative public-private process led by the National Institute of Standards and Technology (NIST). This is an important step in the broader development of cyber-security public policy, and the first time that the public and private sectors have agreed to a common Framework for approaching cyber-security.
In Europe, the NIS Platform can benefit from leveraging commonly accepted international risk management standards and building on the lessons learned from the US efforts.

Jan Neutze is Director of Cyber-Security Policy at Microsoft, responsible for cyber-security policy matters in Europe, Middle East, and Africa (EMEA). Before taking on Microsoft's EMEA security portfolio, Jan worked in Microsoft's Trustworthy Computing (TwC) group at Microsoft Corp., leading TwC's engagements with governments and industry partners. Jan came to Microsoft from the United Nations Headquarters, where he served for three years in the policy planning staff of the UN Secretary-General and the Department of Political Affairs, leading a range of cyber-security and counter-terrorism projects.

Cyber-Security Regulation and its Relevance to the Payments Industry: A Case Study

By Colin Whittaker, Head of Payment System Security, Visa Europe

One of the more illuminating descriptions of the nature of cyber-security comes from an International Organisation for Standardisation (ISO) draft on the topic which states that stakeholders in the cyber-space have to play an active role, beyond protecting their own assets, in order for the usefulness of the cyberspace to prevail. This provides a sound starting point to determine, from Visa Europe's perspective, what cyber-security means to our card payment eco-system and the implications of proposals for cyber-security regulations.

The description strikes to the heart of the increasingly asymmetric nature of both the threat from cyber-security and the risk assessments enterprises make to determine how to defend themselves from the threat. An example of the asymmetry is that enterprises may either place much less value on the assets they need to protect than the criminals do, or that the level of effort, time and capability that the criminals can generate to attack an enterprise is much greater than the enterprise can provide to protect itself. An additional asymmetry to recognise is that the harm from a data compromise is often suffered more by other entities in cyber-space than by those who have been compromised. These descriptions fit well with Visa Europe's experience, and therefore the concept of cyber-security is highly relevant to the payments industry.

We cannot, however, ignore that attackers also prize the ability to secure control of an enterprise's equipment and services to increase their anonymity as they use these assets as a springboard to launch cyber-attacks on other victims.
Visa Europe has seen evidence of this from data breach investigations. There could be no better illustration of the truth of the ISO description of the nature of cyber-security than these examples.

There is now an acute recognition across the payment card industry that attackers are willing to invest significant time, energy, imagination and tenacity in trying to defeat the security controls that we require entities to deploy to protect cardholder data. This leads to these controls being kept under continual review and enhanced where necessary; this is in part evidenced by the recent triennial review of the PCI Data Security Standard incorporating lessons learnt from recent data breaches.

It is also of note that annual reports from computer forensics companies supporting the payment card industry continue to show that adoption of commonly accepted, good security practices would have prevented many of the breaches they investigate, irrespective of the motivation of the attacker.

As important, however, as protection continues to be, Visa Europe also actively promotes other strategies that reduce cyber-security risk, and hence the data security burden, for enterprises. We do this by working to devalue the data the attackers prize by making it worthless to them. The most striking example of this has been EMV, or Chip and PIN as it is known in the UK; a truly asymmetric security strategy.

It is important to approach cyber-security holistically, as is inherent in the description quoted. However, it must also be acknowledged that there are benefits when communities of interest act for the good of the community through self-regulating the cyber-security measures implemented by their participants. This is what Visa Europe does for its payment system and the participants within it, providing appropriate and relevant security requirements, monitoring adoption of these requirements, the co-ordination of data breaches where security fails and the dissemination of intelligence on lessons learnt from breaches.

Although there are calls for greater governmental regulatory action to protect all stakeholders in cyber-space, it would clearly be unhelpful if this action undermines the efforts of extant communities of interest. Any regulatory effort must complement community cyber-security efforts, and where possible reinforce them. However, where that community crosses many national jurisdictions, achieving a consistent approach is of course much more challenging. If the benefits of cyber-space are to be realised, then it must be appropriately protected and this is where cyber-security becomes important.
It is also perhaps inevitable that some measure of regulation might become necessary to achieve this. The issue, as always, will continue to be: how much regulation? Is it proportionate? Finally, is it capable of being applied sensitively to complement and reinforce existing cyber-security strategies and not to disrupt them?

Colin Whittaker heads up the Payment System Risk team within Visa Europe and has responsibility for payment system security, member compliance, PIN security and vendor certifications, programmes, and Data Compromise Management. Part of Colin's remit is also the implementation of PCI DSS across the European markets and creating market-specific risk policies. Colin joined Visa Europe in 2010 from UK Payments, where he was the Head of Security. His role was to provide the focus for information security issues for the wide range of companies and brands serviced by UK Payments.

The Policy Challenges of Cyber-Security Regulation

By David Abrahams, Head of Public Policy, Nominet

The conversations we held across two days of presentations and debate provided an interesting and useful insight into the high level policy challenges that are presented by cyber-security. As with so many issues related to the internet, a key challenge for policy makers is that there is no central point of control or regulation of the internet. This is of course exactly why the internet was first established: to provide a decentralised communications network that could survive a catastrophic attack on a central command and control function. It is also one of the reasons that the internet has flourished as a place where people can freely exchange opinions, build communities of shared interest and do business.

However, unlike some other internet-related policy issues, cyber-security is further complicated by the fact that it is not simply a matter of finding ways to enforce existing laws in an online environment; it is also a matter of national security. Taken together, these factors mean that cyber-security cannot be addressed simply by regulation or the actions of commercial operators alone. Instead, it requires a multi-faceted policy response taking in industry standards, supply chain management, cultural changes by consumers, enhanced expertise in regulatory bodies and co-ordination with national security apparatus.

The proposed Directive on Network and Information Security (NIS)

Much of the discussion over the two days related to the European Commission's proposal for a Directive on Network and Information Security (NIS). There was significant industry concern about the way the Commission's proposals pursued a top-down regulatory approach rather than encouraging those Member States that are behind the curve on cyber-security to pursue a multi-faceted strategy.
The Commission's regulatory approach stands in contrast to the approach taken in the UK, where we have a well-developed government cyber-security strategy and infrastructure to support industry. The UK approach is based on: co-operation between our national security apparatus and industry, especially in the field of critical national infrastructure; well-established voluntary information-sharing arrangements between commercial operators; and strong information and awareness raising campaigns led by government and supported by industry.

In the larger European economies, where commercial supply chains are long, complex and global in nature, it is clear that an EU-centric regulatory approach to cyber-security is not going to be effective. In short, the EU cannot insulate itself from the rest of the world when it comes to internet and global trade and therefore the policy response to challenges of cyber-security must look beyond the creation of regulatory hoops for European businesses to jump through. Industry participants in the delegation therefore welcomed the changes made to the NIS Directive by the European Parliament in terms of limiting the directive's scope and creating a framework for a more co-operative relationship between regulatory bodies and the companies they regulate.

Cultural responses to surveillance

There were clear disagreements amongst the policy makers we met regarding the impact of Edward Snowden's revelations about the surveillance activities of the US, UK and other governments. There is a clear cultural difference between the UK's general trust of the state security apparatus that has been built up since the Second World War and the culture of distrust and concern in countries that have a recent history of authoritarian government or occupation by foreign forces. This may reflect a difficulty that will always exist when trying to approach issues of national security within the European Union, which is civilian and political by nature.

Cyber activism and democracy

Our closing discussion on cyber activism highlighted that, beyond the headlines about hackers, there may be some positive outcomes from this sort of activity. The Pirate Party is a good example of how self-organising communities that have been established online around cyber-activism can enter the mainstream political process in a number of European countries. This should be celebrated as a success for the liberal democratic system enabled by an open and free internet.

David Abrahams is Head of Public Policy at Nominet, the company responsible for running the .uk domain name registry. David leads Nominet's relationship with government and political audiences in the UK and EU and has led the development of Nominet's policies for the new .cymru and .wales domain spaces which will launch in Prior to joining Nominet in 2012 David worked at Ofcom where he directed competition investigations, regulatory disputes and consumer protection programmes.

Cyber-Security and Critical National Infrastructure

More emphasis needs to be placed on working in partnership with the private sector to address the pervasive threat

The NIS Directive and Protecting Critical National Infrastructure

By Carla Baker, Senior Government Affairs Manager, Symantec

The need to protect critical national infrastructure is not new. Nation states have recognised the criticality of protecting key elements of the national infrastructure for hundreds of years. The Roman Empire understood the importance of protecting roads and aqueducts, which were considered vital parts of the Empire's infrastructure. Indeed, this very infrastructure was exploited in 213 BC when Hannibal led an offensive and used the Roman roads, the Empire's own critical infrastructure, to launch an attack. This is not that different from today's cyber attackers, who exploit our information systems against us.

The advance of the digital world brings a new, more complex dimension to the protection of Critical National Infrastructure (CNI). The near borderless nature of the internet, the growth of cyber-security threats and varying levels of cyber maturity across both the public and private sector create a challenging and complex environment.

As set out in the Symantec 2014 Internet Security Threat Report (ISTR), threats are becoming increasingly sophisticated and pervasive, affecting every level of society, from national governments to businesses and citizens. In addition to cyber-crime driven attacks, targeted attacks on key aspects of the critical infrastructure continue to grow and evolve. Targeted attacks use malware to target a specific user or group of users within an organisation and can be delivered using various stealthy methods ranging from spear-phishing emails to watering holes in legitimate websites.
The aim of such attacks is to provide a backdoor for the attacker to breach the intended organisation in order to gain access to systems and cause damage or steal confidential information such as trade secrets or customer data. As the 2014 ISTR highlighted, there was a global average of 83 targeted spear-phishing attacks per day in 2013 and approximately 1 in 3 organisations in the Mining, Public Administration and Manufacturing sectors were subjected to at least one targeted spear-phishing attack in Cyber-security threats are no longer just a case of a lone hacker developing malware to cause havoc; we are seeing more sophisticated, targeted attacks from adversaries that are well resourced and organised, and use an array of evasive techniques and tradecraft. The threats to critical infrastructure have been well documented with attacks such as Stuxnet, Duqu and, more recently, Flamer.


More information

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015 Cybersecurity Best Practices in Mortgage Banking Article by Jim Deitch Cybersecurity Best Practices in Mortgage Banking BY JIM DEITCH Jim Deitch Recent high-profile cyberattacks have clearly demonstrated

More information

A GOOD PRACTICE GUIDE FOR EMPLOYERS

A GOOD PRACTICE GUIDE FOR EMPLOYERS MITIGATING SECURITY RISK IN THE NATIONAL INFRASTRUCTURE SUPPLY CHAIN A GOOD PRACTICE GUIDE FOR EMPLOYERS April 2015 Disclaimer: Reference to any specific commercial product, process or service by trade

More information

National Cyber Security Strategies

National Cyber Security Strategies May 2012 National Cyber Security Strategies About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is

More information

CYBERSECURITY RISK MANAGEMENT

CYBERSECURITY RISK MANAGEMENT CYBERSECURITY RISK MANAGEMENT Evan Wolff Maida Lerner Peter Miller Kate Growley 233 Roadmap Cybersecurity Risk Overview Cybersecurity Trends Selected Cybersecurity Topics Critical Infrastructure DFARS

More information

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA

NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA NATIONAL CYBERSECURITY STRATEGIES: AUSTRALIA AND CANADA JOÃO MANUEL ASSIS BARBAS Coronel de Artilharia. Assessor de Estudos do IDN INTRODUCTION Globalization and information and communication technologies

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

European Commission Per email: CNECT-H4@ec.europa.eu

European Commission Per email: CNECT-H4@ec.europa.eu Post Bits of Freedom Bank 55 47 06 512 M +31(0)646282693 Postbus 10746 KvK 34 12 12 86 E simone.halink@bof.nl 1001 ES Amsterdam W https://www.bof.nl European Commission Per email: CNECT-H4@ec.europa.eu

More information

How To Protect Your Business From A Cyber Attack

How To Protect Your Business From A Cyber Attack Intelligence FIRST helping your business make better decisions Cyber security Keeping your business resilient Cyber security is about keeping your business resilient in the modern technological age. It

More information

ETI PERSPECTIVE 2020: A FIVE YEAR STRATEGY

ETI PERSPECTIVE 2020: A FIVE YEAR STRATEGY ETI PERSPECTIVE 2020: A FIVE YEAR STRATEGY Introduction This document is the final and Board approved version of ETI s strategic directions based on the ETI Board meeting discussion of 12 th March 2015.

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

The Cancer Running Through IT Cybercrime and Information Security

The Cancer Running Through IT Cybercrime and Information Security WHITE PAPER The Cancer Running Through IT Prepared by: Richard Brown, Senior Service Management Consultant Steve Ingall, Head of Consultancy 60 Lombard Street London EC3V 9EA T: +44 (0)207 464 8883 E:

More information

- 'Improving Cyber Security in Europe, the way forward

- 'Improving Cyber Security in Europe, the way forward Report Breakfast Briefing: 'Improving Cyber Security in Europe, the way forward 24 April 2013, European Parliament, Brussels Disclaimer: This report is prepared by the rapporteur, Dr. Alea Fairchild, for

More information

EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32. A call for views and evidence

EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32. A call for views and evidence EU Directive on Network and Information Security SWD(2013) 31 & SWD(2013) 32 A call for views and evidence 22 nd May 2013 Contents Contents... 2 Overview: The EU Directive on Network and Information Security...

More information

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012 ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe CENTR General Assembly, Brussels October 4, 2012 christoffer.karsberg@enisa.europa.eu 1 Who we are ENISA was

More information

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY,

COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY, COMMUNIQUÉ ON PRINCIPLES FOR INTERNET POLICY-MAKING OECD HIGH LEVEL MEETING ON THE INTERNET ECONOMY, 28-29 JUNE 2011 The Seoul Declaration on the Future of the Internet Economy adopted at the 2008 OECD

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012. Co-Chair s Summary Report

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012. Co-Chair s Summary Report ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012 Co-Chair s Summary Report 1. Pursuant to the 18 th ASEAN Regional Forum (ARF) Ministerial meeting in Bali,

More information

CYBER SECURITY TRAINING SAFE AND SECURE

CYBER SECURITY TRAINING SAFE AND SECURE CYBER SECURITY TRAINING KEEPING YOU SAFE AND SECURE Experts in Cyber Security training. Hardly a day goes by without a cyber attack being reported. With this ever-increasing threat there is a growing need

More information

The UK cyber security strategy: Landscape review. Cross-government

The UK cyber security strategy: Landscape review. Cross-government REPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 890 SESSION 2012-13 12 FEBRUARY 2013 Cross-government The UK cyber security strategy: Landscape review 4 Key facts The UK cyber security strategy: Landscape

More information

OECD PROJECT ON CYBER RISK INSURANCE

OECD PROJECT ON CYBER RISK INSURANCE OECD PROJECT ON CYBER RISK INSURANCE Introduction 1. Cyber risks pose a real threat to society and the economy, the recognition of which has been given increasingly wide media coverage in recent years.

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Research Topics in the National Cyber Security Research Agenda

Research Topics in the National Cyber Security Research Agenda Research Topics in the National Cyber Security Research Agenda Trust and Security for our Digital Life About this document: This document summarizes the research topics as identified in the National Cyber

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.

More information

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014 It s a pleasure to be with you back home in Boston. I was here just six weeks ago

More information

Cyber security and critical national infrastructure

Cyber security and critical national infrastructure 120 Dr Richard Piggin Manager Defence, Aerospace & Communications Atkins Cyber security and critical national infrastructure Abstract Cyber security is an all-embracing term, meaning different things to

More information

Testimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies

Testimony of PETER J. BESHAR. Executive Vice President and General Counsel. Marsh & McLennan Companies Marsh & McLennan Companies, Inc. 1166 Avenue of the Americas New York, NY 10036 +1 212 345 5000 Fax +1 212 345 4808 Testimony of PETER J. BESHAR Executive Vice President and General Counsel Marsh & McLennan

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Cyber, Social Media and IT Risks. David Canham (BA) Hons, MIRM

Cyber, Social Media and IT Risks. David Canham (BA) Hons, MIRM IIA South Event 16 th June 2015 Cyber, Social Media and IT Risks 1 st and 2 nd Line Perspective David Canham (BA) Hons, MIRM Agenda This evening we ll cover the following: Who, why and what? Traditional

More information

Cyber Security for audit committees

Cyber Security for audit committees AUDIT COMMITTEE INSTITUTE Cyber Security for audit committees An introduction kpmg.com/globalaci 2 Audit Committee Institute An introduction to cyber security for audit committees Audit committees have

More information

BCS, The Chartered Institute for IT Consultation Response to:

BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

Cyber Security Strategy for Germany

Cyber Security Strategy for Germany Cyber Security Strategy for Germany Contents Introduction 2 IT threat assessment 3 Framework conditions 4 Basic principles of the Cyber Security Strategy 4 Strategic objectives and measures 6 Sustainable

More information

Icelandic National Cyber Security Strategy 2015 2026 Plan of action 2015 2018

Icelandic National Cyber Security Strategy 2015 2026 Plan of action 2015 2018 Icelandic National Cyber Security Strategy 2015 2026 Plan of action 2015 2018 Summary in English of the Icelandic National Cyber Security Strategy approved by the Minister of the Interior in April 2015

More information

I. CONTEXT II. POLITICAL PRIORITIES IDENTIFIED

I. CONTEXT II. POLITICAL PRIORITIES IDENTIFIED SHAPING THE FUTURE OF EQUALITY POLICIES IN THE EU JOINT HIGH LEVEL EVENT ON NON-DISCRIMINATION AND EQUALITY, ROME, 6-7 NOVEMBER 2014 SUMMARY AND MAIN CONCLUSIONS I. CONTEXT The Italian Presidency of the

More information

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts

CYBER SECURITY. ADVISORY SERVICES Governance Risk & Compliance. Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts CYBER SECURITY ADVISORY SERVICES Governance Risk & Compliance Shemrick Rodney IT Specialist Consultant Antigua & St. Kitts The Financial Services Industry at Crossroads: Where to From Here? WELCOME What

More information

WRITTEN TESTIMONY OF

WRITTEN TESTIMONY OF WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

More information

Under control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint

Under control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint Under control 2015 Hot topics for IT internal audit in financial services An Internal Audit viewpoint Introduction Welcome to our fourth annual review of the IT hot topics for IT internal audit in financial

More information

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure

More information

Corporate Security in 2016.

Corporate Security in 2016. Corporate Security in 2016. A QA Report Study Highlights According to ThreatMetrix, businesses in the UK are at greater risk of cybercrime than any other country in the world. In a recent survey carried

More information

Protecting betting integrity

Protecting betting integrity Protecting betting integrity October 2013 1 Introduction 1.1 The UK Gambling Commission (the Commission) was set up under the Gambling Act 2005 to regulate commercial gambling in Great Britain. We are

More information

National Cyber Security Strategy 2015-2017

National Cyber Security Strategy 2015-2017 National Cyber Security Strategy 2015-2017 Table of Contents Table of Contents...i Executive Summary... 1 1. Introduction... 2 2. Context - People, Economy, and State... 4 3. Guiding Principles... 10 4.

More information

How To Write A National Cybersecurity Act

How To Write A National Cybersecurity Act ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses

More information

THE STRATEGIC POLICING REQUIREMENT. July 2012

THE STRATEGIC POLICING REQUIREMENT. July 2012 THE STRATEGIC POLICING REQUIREMENT July 2012 Contents Foreward by the Home Secretary...3 1. Introduction...5 2. National Threats...8 3. Capacity and contribution...9 4. Capability...11 5. Consistency...12

More information

Good morning. It s a pleasure to be here this morning, talking with the NZISF. Thank you for this opportunity.

Good morning. It s a pleasure to be here this morning, talking with the NZISF. Thank you for this opportunity. Speech Notes for New Zealand Information Security Forum 11 April 2013 Paul Ash, Manager National Cyber Policy Office Department of Prime Minister and Cabinet CYBERSECURITY: WHY IT MATTERS FOR NEW ZEALAND

More information

Remarks by. Thomas J. Curry. Comptroller of the Currency. Before the. Chicago. November 7, 2014

Remarks by. Thomas J. Curry. Comptroller of the Currency. Before the. Chicago. November 7, 2014 Remarks by Thomas J. Curry Comptroller of the Currency Before the 10 th Annual Community Bankers Symposium Chicago November 7, 2014 Good morning, it s a pleasure to be here today and to have this opportunity

More information

EXECUTIVE SUMMARY. EU Multi Stakeholder Forum on Corporate Social Responsibility 3-4 February, 2015 Brussels, Belgium

EXECUTIVE SUMMARY. EU Multi Stakeholder Forum on Corporate Social Responsibility 3-4 February, 2015 Brussels, Belgium EXECUTIVE SUMMARY EU Multi Stakeholder Forum on Corporate Social Responsibility 3-4 February, 2015 Brussels, Belgium The Multi Stakeholder Forum on Corporate Social Responsibility (CSR) was held in Brussels

More information

Testimony of. Before the United States House of Representatives Committee on Oversight and Government Reform And the Committee on Homeland Security

Testimony of. Before the United States House of Representatives Committee on Oversight and Government Reform And the Committee on Homeland Security Testimony of Dr. Phyllis Schneck Deputy Under Secretary for Cybersecurity and Communications National Protection and Programs Directorate United States Department of Homeland Security Before the United

More information

The Legal Pitfalls of Failing to Develop Secure Cloud Services

The Legal Pitfalls of Failing to Develop Secure Cloud Services SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global

More information

Surviving the Era of Hack Attacks Cyber Security on a Global Scale

Surviving the Era of Hack Attacks Cyber Security on a Global Scale Surviving the Era of Hack Attacks Cyber Security on a Global Scale Dr. Adriana Sanford ASU Lincoln Professor of Global Corporate Compliance and Ethics Clinical Associate Professor of Law and Ethics This

More information

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats

More information

Government Decision No. 1139/2013 (21 March) on the National Cyber Security Strategy of Hungary

Government Decision No. 1139/2013 (21 March) on the National Cyber Security Strategy of Hungary Government Decision No. 1139/2013 (21 March) on the National Cyber Security Strategy of Hungary 1. The Government hereby approves the National Cyber Security Strategy of Hungary laid down in Annex No.

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

AT A HEARING ENTITLED THREATS TO THE HOMELAND

AT A HEARING ENTITLED THREATS TO THE HOMELAND STATEMENT OF JAMES B. COMEY DIRECTOR FEDERAL BUREAU OF INVESTIGATION BEFORE THE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE AT A HEARING ENTITLED THREATS TO THE HOMELAND

More information

HMG Security Policy Framework

HMG Security Policy Framework HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

More information

IT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS

IT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS IT SECURITY RISKS SURVEY 2014: A BUSINESS APPROACH TO MANAGING DATA SECURITY THREATS Contents Introduction... 2 Key figures... 3 Methodology... 4 Concerns and priorities of IT managers: data comes first...

More information

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J.

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J. Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION Cristin Flynn Goodwin J. Paul Nicholas October 2013 Contents Executive Summary... 3 What Is a National

More information