Conference Report*

National Cyber Security Framework Workshop
supported by the NATO Science for Peace and Security Programme
12-13 April 2012, Schloss Laudon, Vienna / Austria

Philipp Mirtl

* This Conference Report was prepared by the Austrian Institute for International Affairs (oiip) and approved by the Cooperative Cyber Defence Centre of Excellence (CCDCOE).
1. Agenda

Thursday, 12 April 2012

09:15 Transport leaving Hotel Boltzmann

09:45-10:00 Welcome Coffee & Opening Remarks
  Dr Helmut Schnitzer, Austrian Federal Chancellery
  Dr Katharina Ziolkowski, NATO Cooperative Cyber Defence Centre of Excellence, Legal & Policy Branch, Scientist / Senior Analyst
  Suleyman Anil, NATO Headquarters, Emerging Security Challenges Division, Head, Cyber Defence Section
  Austrian Institute for International Affairs, Fellow / Senior Adviser

10:00-11:00 Host Introduction: Cyber Security Strategy(ies) in Austria
  Franz Vock, Austrian Federal Chancellery
  Brigadier Helmut Habermayer, Austrian Ministry of Defence and Sport
  Wolfgang Ebner, Austrian Ministry of the Interior

11:00-12:30 Panel I: Preliminary Considerations
  Special Focus: National Security in the Context of Cyber Security
  Dr Gustav Lindstrom, Geneva Centre for Security Policy, Head of the Euro-Atlantic Security Programme
  Heli Tiirmaa-Klaar, European Union, European External Action Service, Cyber Security Policy Advisor
  Dr Greg Rattray, Cyber Conflict Studies Association / Delta Risk LLD, Partner
  Prof Dr Paul Cornish, University of Bath, Department of Politics, Languages & International Studies, Professor of International Security
  Jason Healey, Atlantic Council, Director of the Cyber Statecraft Initiative

12:30-13:45 Lunch

13:45-15:15 Panel II: Operational Structures: What International Good Practices Are There?
  Special Focus: Organisational and Administrative Measures
  Yurie Ito, JPCERT, Director of Technical Operation
  Suleyman Anil, NATO Headquarters, Emerging Security Challenges Division, Head, Cyber Defence Section
  Jart Armin, HostExploit / Cyber Security Foundation, Director
  Victoria Ekstedt, Swedish Armed Forces, Legal Adviser

15:15-15:45 Break

15:45-17:15 Panel III: Strategic Goals: Who Needs To Do What?
  Special Focus: Stakeholders of National Cyber Security
  Austrian Institute for International Affairs, Fellow / Senior Adviser
  Jason Healey, Atlantic Council, Director of the Cyber Statecraft Initiative
  Dave Clemente, The Royal Institute of International Affairs (Chatham House), International Security Programme, Research Assistant
  Eric Luiijf, Netherlands Organisation for Applied Scientific Research TNO, Principal Consultant C(I)IP
  Maeve Dion, Stockholm University, Faculty of Law, Lecturer
  Dr Gustav Lindstrom, Geneva Centre for Security Policy, Head of the Euro-Atlantic Security Programme

Friday, 13 April 2012

09:30 Transport leaving Hotel Boltzmann

10:00-10:30 Special Comment
  Jeff Moss, ICANN, Chief Security Officer

10:30-12:00 Panel IV: Political Aims: What Needs To Be Considered In A Strategy?
  Special Focus: Cyber Threats; What Composes Cyber Security?
  Austrian Institute of International Affairs, Fellow / Senior Adviser
  Melissa Hathaway, Harvard University, John F. Kennedy School of Government, Belfer Center for Science and International Affairs, Senior Adviser
  Jeff Moss, ICANN, Chief Security Officer
  John C. Mallery, Massachusetts Institute of Technology, Computer Science & Artificial Intelligence Laboratory, and Head of MINERVA Project
  Dr Katharina Ziolkowski, NATO Cooperative Cyber Defence Centre of Excellence, Legal & Policy Branch, Scientist / Senior Analyst

12:00-12:30 Special Comment
  Melissa Hathaway, Harvard University, John F. Kennedy School of Government, Belfer Center for Science and International Affairs, Senior Adviser

12:30 Closing Remarks

Afternoon (authors only): National Cyber Security Framework Manual Authors' Session (concluding ca. 16:00)

Special Thanks To:
2. Summary

The Vienna roundtable on National Cyber Security Frameworks was the first in a series of three workshops supported by the NATO Science for Peace and Security Programme. It will be followed by a second meeting in Stockholm (August 2012) and a final meeting in Geneva (November 2012). All three workshops aim to provide a setting conducive to fostering debate on technical and policy issues among a diverse group of experts from academia, the private sector, the military and governments ("geeks and wonks"). The series is considered a vital input to the overall deliverable, a National Cyber Security Framework Manual, which will support both member and non-member states in their approach to cybersecurity.

The Vienna roundtable was hosted in Schloss Laudon (Laudon Palace), the higher academic training institution of the federal Austrian civil service, located on the outskirts of Vienna. The event's venue was facilitated by the Federal Chancellery. Additional support was provided by the Ministry of Defence and Sport (BMLVS) and the Ministry of the Interior (BMI). Finally, the Austrian Institute of Technology (AIT) also provided financial support for the event (including the hosted dinner). All the contributions were greatly appreciated.

The host introduction was given by the Austrian Federal Chancellery, the BMLVS and the BMI. The presenters gave an overview of their coordinated strategies for comprehensive protection of Austrian cyberspace. The three institutions called particular attention to the ongoing Cyber Security Strategy Process in Austria, in which different mandates are overseen by different ministries: the BMI emphasised cybercrime, the BMLVS military cyberdefence and crisis management support, and the Federal Chancellery particularly stressed crisis management and critical infrastructure protection (CIP).
Each institution emphasised its (increasing) cooperation with the others and highlighted its involvement in national and international fora. Of particular interest to the participants was the existence of a mobilisable ICT "volunteer fire brigade" concept.

Panel I

Following the logic of the roundtable (introduction, tactical, operational, strategic issues), the kick-off panel "National Security in the Context of Cyber Security" was dedicated to examining national cyber security from the angle of overall national security concerns. The recent initiatives within the EU and the UK were just two examples of how cybersecurity had risen from relative obscurity to newfound prominence within overall national security debates. Despite the increased prominence of cyber within national security, the overall agreement was that there was no "hype"; if anything, the opposite was true: top-level decision makers still had considerable difficulty grasping the different aspects of national cybersecurity. This was also clearly reflected in the widely differing understandings of "cyber" across European countries: the disparity in capabilities (and understandings) is immense. Varied approaches are also clearly distinguishable, with some countries opting for a (legal) top-down regulatory framework, while others emphasise norms and standard setting as well as voluntary cooperation. There was significant discussion of the different foundational approaches to cybersecurity, including the origins of cyber as a military capability, a prolonged (and often inconclusive) discussion of critical infrastructure protection, the varied understanding of what precisely constitutes cybercrime, and slowly changing attitudes towards product (software) liability and other market instruments that influence national cybersecurity.

Two specific trends were, however, dominant: the rising importance (or increasing awareness of the importance) of non-state actors, both as operators of some 90% of critical infrastructure and as offensive and defensive actors, and the militarisation (or "spookification") of cyberspace through an increase in intelligence-led activities.

Panel II

In the panel "Operational Structures: What International Good Practices Are There?" a key question was posed regarding the characteristics of good national cybersecurity. Essentially, all three presenters (Suleyman Anil was taken ill and could not participate) concentrated on communication and information exchange as a key deliverable for all national cybersecurity-relevant efforts. However, the participants' examples suggested that speed alone was not the decisive factor. An international cybercrime gang was, for instance, tackled by an international consortium of experts which, through facilitators (including Vienna), was able to confront the crisis in a short period of time. However, legal concerns about international data exchange put these efforts on hold, illustrating that international legal frameworks can prove to be speed bumps even for the informal information exchange that is often considered key. Within a formal information exchange environment, on the other hand, there were questions as to which escalation procedures would be truly helpful in a time of crisis. In essence, the question was posed whether a Confidence and Security Building Measure (e.g. a "hotline") could be operated successfully if the escalation processes occurred only within the technical, and not the political, sphere. A specific in-depth examination of one particular data-sharing regime showed that it was important to distinctly separate different types of activities and organisations, especially within the intelligence-collecting world, in order to strive for conformity with international law (for instance on the issue of human rights). In essence, the example showed that a very wide-ranging informational monitoring scheme could only even be considered if the bodies concerned with the relevant tasks operated under the strictest legal framework, i.e. that God was in the details, and even very intrusive surveillance measures could be undertaken if the data protection measures taken were sufficiently stringent.

Panel III

In the panel "Strategic Goals: Who Needs To Do What?" special attention was paid to the major players and their respective authorities. Much to the surprise of many technical experts at the operational level, it was stressed that, in times of national crisis, the political level can respond very quickly by making relevant policy decisions. However, if there are no well-established channels of communication between the operational and the strategic level, it is not only difficult to communicate upstream, but also unlikely that state representatives will be capable of having reasonable negotiations with their peers abroad.
In this context it was mentioned that the creation of such channels of communication usually requires an investment of considerable financial resources. Because success is poorly measured, however, these resources become accessible only after a lot of time has been spent justifying them. So that the public sector does not fall behind the private one, governments are increasingly cooperating with private entities to ensure nationwide cybersecurity. Most of the relevant ICT actors are concentrated within the private sector. The information exchange between state actors, telecom operators and Internet service providers is most commonly conducted through Public Private Partnerships (PPP) that meet on a regular basis. Despite their different value systems in terms of freedom of information, the stakeholders involved must trust and respect one another's rights and obligations if their collaboration is to succeed. The next critical step ahead is the creation of a legal framework with common principles and laws. It must confront the question of how different laws, expectations and stakeholders can be brought together into a general strategy. National cybersecurity strategies should serve as useful guidelines that are focused and clear about interests and directions so that policy can be effective. This includes traditional security concerns, everyday crime and education. At the same time, they should not be overly detailed in terms of concrete instructions.

Panel IV

The last panel, "Political Aims: What Needs To Be Considered In A Strategy?", emphasised the tension between national security and economic growth. Both the public and the private sector are being targeted by the same threats. However, since private companies run most of the networks, these companies must be involved in any national cybersecurity strategy. One way for governments to encourage such involvement is through market incentives (e.g. tax reduction).

In this context, national cybersecurity was defined as the focused application of specific regulatory frameworks and information assurance principles to public, private and relevant international ICT systems, and their associated content, where these systems directly pertain to national security. National cybersecurity can be approached differently: through cooperation ("whole of nation"), collaboration ("whole of system") or coordination ("whole of government"). The national cybersecurity debate can be divided into five different mandates: cyberdiplomacy, national crisis management, espionage, CIP/IA, and cybercrime (terrorism). One of the most important things to find out in cyberdefence is who the attacker is. It must be clear who the threat actor is, and what his capabilities and resources are. A vulnerability in a computer network is not a problem until a threat actor exploits it. Thus, the challenge for cyberdefence is to gain "mathematical leverage" over the attacker. To do that, a coordinated vision and a clear set of objectives are needed. Cyber-security systems are themselves complicated and extremely hard to manage, and therefore ultimately require correspondingly sophisticated methods (the asymmetric-actors approach).
3. Pictures