Of Citadels And Sentinels: State. Tim Legrand and Jeff Malone



Transcription:

Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror Tim Legrand and Jeff Malone

4 key issues and challenges
1. A cyber architecture designed for efficiency, not security
2. Private ownership/operation of critical infrastructure
3. Evolving and ambiguous threats
4. Changing use of and reliance on the cyber realm

1. A cyber architecture designed for efficiency, not security
The internet and cyber-structure has evolved anarchically:
- Development of cyber realm occurred beyond the control of governments
- Digital architecture designed by private/social entities to increase efficiency, not security

2. Private ownership/operation of critical infrastructure
Since the 1980s, under the purview of New Public Management, critical national infrastructure has gradually moved into private operation and ownership:
- UK: ~80% of CIP owned/operated privately
- US: ~85% to 90% of CIP owned/operated privately
- Australia: ~80% of CIP owned/operated privately

3. Evolving and ambiguous threats
The architecture of the cyber realm makes threat origins difficult to discern:
- State-sponsored/state-endorsed cyber attacks increasing in frequency
- Issue-motivated groups growing in technical sophistication
- Spectre of cyberterrorism growing with calls for cyber-jihad

4. Changing use of and reliance on the cyber realm
- Gradual transfer of data and digital services into the cloud
- Allows for greater efficiency and scalability
- Sovereign ownership/control of data
- Increased uptake of and access to the internet in Australia and worldwide
- National Broadband Network (NBN) and the digital economy

New Public Management
- Era of privatisation: 1980s
- Sell-off of critical infrastructure
- Coincided with development of networked interoperability
- Onus of responsibility now placed in corporate sphere
- Cyberspace constructed anarchically: no central direction (yet highly resilient and redundant)
- Characterized by increased push towards efficiency in data access/interchange

Critical infrastructure Sector Matrix
Overlapping and interdependent critical infrastructure/essential services:
- Communications (Data Communications, Fixed Voice Communications, Mail, Public Information, Wireless Communications)
- Emergency Services (Ambulance, Fire and Rescue, Coastguard, Police)
- Energy (Electricity, Natural Gas, Petroleum)
- Finance (Asset Management, Financial Facilities, Investment Banking, Markets, Retail Banking)
- Food (Produce, Import, Process, Distribute, Retail)
- Government and Public Services (Central, Regional, and Local Government; Parliaments and Legislatures; Justice; National Security)
- Public Safety (Chemical, Biological, Radiological, and Nuclear (CBRN) Terrorism; Crowds and Mass Events)
- Health (Health Care, Public Health)
- Transport (Air, Marine, Rail, Road)
- Water (Mains Water, Sewerage)

The ambiguous, yet gathering, storm
All these different groups - criminals, terrorists, foreign intelligence services and militaries - are active today against the UK's interests in cyberspace. But with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred (UK Cyber Security Strategy, 2011)

The cyber-terror threat
Cyberspace is already used by terrorists to spread propaganda, radicalise potential supporters, raise funds, communicate and plan. While terrorists can be expected to continue to favour high-profile physical attacks, the threat that they might also use cyberspace to facilitate or to mount attacks against the UK is growing. We judge that it will continue to do so, especially if terrorists believe that our national infrastructure may be vulnerable (UK Cyber Security Strategy)

Government strategy (UK)
- Strategic Defence and Security Review in 2010 the Government put in place a £650 million, four-year National Cyber Security Programme (NCSP).
- Managed by the Office of Cyber Security and Information Assurance in the Cabinet Office
- UK Cyber Security Strategy (2011)

Government strategy (AS)
- E-Security National Agenda(s) promulgated in 2001 and 2008
- Cyber-Security Strategy 2009
- Defence White Paper 2009
- Critical Infrastructure Resilience Strategy 2010
- Cyber White Paper 2012 (to be released)

Issues in delivering cyber protection
The digital architecture on which we now rely was built to be efficient and interoperable. When the internet first started to grow, security was less of a consideration (UK Cyber Security Strategy)
- AMBIGUITY AND THE RISK-BASED APPROACH: We will therefore apply a risk-based approach to prioritising our response.
- LIMITED CAPACITY: Government cannot act alone. It must recognise the limits of its competence in cyberspace. Much of the infrastructure we need to protect is owned and operated by the private sector
- TRANSNATIONAL COLLABORATION: Threats are cross-border. Not all the infrastructure on which we rely is UK-based. So the UK cannot make all the progress it needs to on its own. We will seek partnership with other countries that share our views, and reach out where we can to those who do not
- CLOUD COMPUTING VECTOR: Increased reliance on cloud computing - rollout of online public services based in the cloud next year.

Public-private cyber security (UK)
- CPNI hosts Information Exchanges (general intel) and Warning Advice and Reporting Points (WARPs) (specific)
- Also hosts: Combined Security Incident Response Team (CSIRTUK) which works with private sector to identify and manage cyber-threats
- GCHQ advises the public sector via the Communications-Electronics Security Group (CESG) which runs GovCertUK (emergency response)
- Single Intelligence Account, building cross cutting capabilities, including Information Assurance 59% of £650m: will strengthen and upgrade the sovereign capability the UK needs to confront the high-end threat

Public-private cyber security (AS)
- AGD hosts TISN arrangements, enables information sharing and development of good practice guidance (via sectoral groups, ITSEAG and SCADA COI).
- Also hosts CERT Australia: assists CI owners with response
- DSD advises public sector via CSOC
- Hosted by DSD, but integrates activities undertaken by other agencies (AFP, ASIO)

Threat to the individual
- Direct threat to individuals: criminal groups (actual); cyber-based sabotage on physical architecture (potential) causing physical harm
- Indirect threat: disruption of key public services and/or utilities (actual/potential)
- Exploitation: botnets (actual)
- Response: educating individuals on staying safe online

Threat to cyber-communities
- Direct threat:
- Indirect threat: government CT/IP legislation might restrict cyber-community interaction and freedoms
- Exploitation: exploitation of cyber-communities to foment criminal behaviour (cf. Darknet)
- Response: transnational agreements?

Threat to commercial (non-CI) sector
- Direct threat: industrial espionage/IP theft (actual), criminal groups (actual)
- Indirect threat: disruption to commercial systems/loss of customer confidence
- Exploitation of commercial sector?
- Response: development of TISN (Aus) & CSIRTUK, Cleanfeed (IP)

Threat to commercial (CI) sector
- Direct: attacks to SCADA systems/disabling of critical elements
- Indirect: exploitation of CI in commission of physical attack/loss of government contracts (for non-compliance)
- Responses: sovereign responses, international agreements

Threat to the state
- Direct: state-sponsored attacks/cyber espionage/cyber warfare
- Indirect: loss of dominion/state revenues associated with diminished cyber-economy
- Exploitation of the state: ?
- Response: sovereign institutions/transnational agreements

Policy dilemmas
- Reliance on a digital architecture, designed for efficiency, that is clearly not fit for purpose.
- Simultaneously diffuse and aggregated cyber-threats
- Much of critical infrastructure is overseas and thus beyond traditional power of the state to intervene/influence
- Tensions between public and private imperatives in cyber security
- Inherent difficulty in establishing metrics and collecting good data to evaluate effectiveness of policy