Reclaiming security control in Cyber Space
As organisations around the globe grapple to understand the
full implications that a successful cyber attack may have on their
future business, Paul MacGregor, Director, Finmeccanica Cyber
Solutions highlights the pervasive nature of the threats, while at
the same time suggesting that responses to such threats are
available to those ready to evolve.
Over the past 30 years we have all been seduced by the promises
of efficiency, cost reduction, new sales channels, global markets,
and faster, more effective information management and exploitation
through the panacea of Information Technology. The seducers were
not MBA graduates, but billionaire Geeks peddling ever better IT
gadgets to civilian and military organisations alike. It can be
argued that that seduction has turned into a dangerous addiction
that has isolated us from our (now automated) business and C4i
processes, leaving us vulnerable to a new range of threats. Our
corporate assets and business processes (our hidden treasure) are
now locked inside an obscure and confusing world that has been
termed ‘Cyber Space’.
This world is defined by a new Geek language, unintelligible to
the Boards and Commanders, many of whom now find themselves under
attack by a myriad of threats evolving at the speed of thought.
Threats prosecuted by actors who have in the past been
strategically irrelevant to them: political activists, financial
speculators, industrial spies, rumour mongers, foreign states,
organised criminals, geeks with a chip on their shoulder amongst
others. Never before has our military industrial complex been so
besieged. In the UK alone, cyber crime is costing the economy £27
billion each year.
The nature of these threats – with their widely differing
motives – has led to a blurring of the lines between crime and
warfare. In 1999, the People's Liberation Army’s Colonels predicted
unrestricted warfare; information was everywhere and therefore the
battlefield was everywhere. Over the past decades – as the glare of
media has reduced states’ appetites for killing power, and
technology made it possible to establish control over an enemy
through non-lethal power – we have seen the remaining boundaries
broken down systematically to the point where the distinction
between warfare and security / crime is largely irrelevant. The
attack on, and subsequent dissolution of, DigiNotar in the Netherlands
is an example of how a cyber attack can disrupt at both state and
international levels.
Just like any technological revolution, Cyber Space is here to
stay; in spite of the risks, there is no turning back – the
benefits too valuable, the allure too great. It is estimated that a
10% increase in broadband can create a 1.3% growth in GDP. This
demands that we do what the human race has always done; we learn,
we adapt, and we evolve. To do this, we must regain control of our
businesses and command structures. We must stop pointing the finger
of blame at the Geeks and waffling in half understood techno
babble. Our Boards and Commanders must return to a conversation
about asset value, shareholder value, and risk appetite. We must
measure the investment in our defences in terms of the treasure,
not the infrastructure that surrounds it. We must stop referring
to the great Cyber Bogeyman and do some good old fashioned root
cause analysis. We must take the same personal responsibility, as
we drive our computers down the information super highway, as we do
with our families, our bank accounts, and our national
security.
“But it’s different, it’s global, it’s unattributable, and it’s
hard!” No it isn’t, and if your staff say it is, fire them! 80% of
your vulnerabilities can be removed or threats can be deflected by
education, common sense and straightforward technical measures. You
wouldn’t leave your car unlocked with your briefcase on the back
seat in the middle of a busy high street would you? You buy a
car with locks, immobilisers, alarm systems and you put your
valuables in the boot or take them with you. The same in Cyber
Space.
But what about the remaining 20% (and it’s 20% of a very big
problem!)? The truly sophisticated threats, well-funded,
ideologically motivated maybe, state-sponsored probably, but with
access to an arsenal of advanced technology. Countering these
threats requires active defence supported by sophisticated
monitoring and analysis, intelligence of what’s happened and the
ability to predict future threat vectors. Cyber Defence needs
response capability, the ability to merge HUMINT with SIGINT and
interoperable command and control capability with access to both
military and industrial doctrine and capabilities. Secure Operation
Centres that allow rapid deployment of sophisticated scanning and
monitoring, high performance computers and network sensors that can
analyse internet activity and identify threats across terabytes of
data; R&D into ever more advanced and sophisticated counter
measures to detect and defend against a rapidly evolving threat. At
the high threat level, it’s a big problem that requires big
solutions.
Whatever the threat vector, businesses must think in terms of
risk and shareholder value, and not just spend millions on ever more
sophisticated technological tools while forgetting to manage the
human component with the right processes and safeguards. UBS was
recently punished (share price fell, customers exited, CEO
resigned) because they didn’t have the processes in place to
control a rogue trader using their multi-million $ trading
infrastructure. The same in Cyber Space.
At a regional level our law enforcement agencies must erase the
distinction between e-crimes and other crimes. Yes the tools are
different, but the motives are the same. They must make individuals
accountable for their personal safety, security, behaviours, the
way they use tools and technologies, the way they fulfil positions
of trust, be they a private citizen or a criminal.
States must take responsibility for their Cyber Borders and
safeguard traffic across them while remaining accountable in line
with Article 19 of the UN convention on human rights, and freedom
of trade. We rightly hold freight businesses accountable for what
they carry across our borders, so why not ISPs? In the UK a local
multinational can be prosecuted for malpractice / corruption in the
Middle East or China. The same in Cyber Space.
Cyber, by its very nature, is a world with few real borders. If
we can establish personal, business, regional and national
safeguards, then we provide a stable baseline for an international
agency to provide “jointery” across national boundaries. The UN,
the EU, Interpol, and NATO are examples of organisations that are
well placed to fulfil aspects of this role. Given the
aforementioned blurring of the crime/war boundary, such
organisations may soon find themselves in a truly powerful position
to help police and protect cyber space, and become relevant at not
just a state but an individual and business level. However,
the very blurring of the boundary and the number of actors demands
a dialogue between international agencies to address the differing
legal, doctrinal and political concepts of operations. For this
reason we welcome proposals such as the establishment of a European
Cyber Security Centre and the forthcoming Interpol Cyber Centre in
Singapore.
The challenges at national and international level require
consistent policies, taking into account differing social context
and technological maturity but supportive of cross-border activity
and everyone’s fundamental right to the freedom of speech. It
requires investment, standards, policy and regulatory stimulation
to encourage companies and nations to adopt best practice and a
cyber security technology platform to help establish shared
programmes and a common lexicon to address the problem. We need
pilot projects to demonstrate what good looks like and show how
cyber defence can become an economic advantage…a competitive
differentiator on the world stage. This won’t happen simply by
establishing a coalition of the willing. We need strong inter and
intra agency co-ordination and maybe even the creation of Cyber
Tsars to provide leadership and momentum. We need a single loud
voice to follow.
Finally therefore, we must think of Cyber Space as both local
and global. The technology solutions provided must meet local needs
and address local culture and sovereignty, but be informed by
global intelligence, be aware of evolving threats, and build the
ability to bridge securely complex military industrial command
structures, processes and people. This is why companies with a
global reach – those with deep presence and understanding of local
markets and yet with the ability to act at a global level, cross
country, cross coalition – have a role to play. Finmeccanica has
over 60 years of helping society utilise new technology; we aren’t
scared by Cyber Space. We want to get back in the driving seat and
help regain control.