
Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror (PowerPoint presentation)



  1. Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror
     Tim Legrand and Jeff Malone

  2. 4 key issues and challenges
     1. A cyber architecture designed for efficiency, not security
     2. Private ownership/operation of critical infrastructure
     3. Evolving and ambiguous threats
     4. Changing use of and reliance on the cyber realm

  3. 1. A cyber architecture designed for efficiency, not security
     • The internet and ‘cyber-structure’ has evolved anarchically:
       – Development of the cyber realm occurred beyond the control of governments
       – Digital architecture designed by private/social entities to increase efficiency, not security

  4. 2. Private ownership/operation of critical infrastructure
     • Since the 1980s, under the purview of New Public Management, critical national infrastructure has gradually moved into private operation and ownership:
       – UK: ~80% of CIP owned/operated privately
       – US: ~85% to 90% of CIP owned/operated privately
       – Australia: ~80% of CIP owned/operated privately

  5. 3. Evolving and ambiguous threats
     • The architecture of the cyber realm makes threat origins difficult to discern:
       – State-sponsored/state-endorsed cyber attacks increasing in frequency
       – Issue-motivated groups growing in technical sophistication
       – Spectre of cyberterrorism growing with calls for ‘cyber-Jihad’

  6. 4. Changing use of and reliance on the cyber realm
     • Gradual transfer of data and digital services into the cloud
       – Allows for greater efficiency and scalability
       – Sovereign ownership/control of data
     • Increased uptake of and access to the internet in Australia and worldwide
     • National Broadband Network (NBN) and the digital economy

  7. New Public Management
     • Era of privatisation: 1980s
       – Sell-off of critical infrastructure
       – Coincided with development of networked interoperability
       – Onus of responsibility now placed in corporate sphere
       – Cyberspace constructed anarchically: no central direction (yet highly resilient and redundant), characterised by an increased push towards efficiency in data access/interchange

  8. Critical infrastructure Sector Matrix
     Overlapping and interdependent critical infrastructure/essential services:
     • Communications (Data Communications, Fixed Voice Communications, Mail, Public Information, Wireless Communications)
     • Emergency Services (Ambulance, Fire and Rescue, Coastguard, Police)
     • Energy (Electricity, Natural Gas, Petroleum)
     • Finance (Asset Management, Financial Facilities, Investment Banking, Markets, Retail Banking)
     • Food (Produce, Import, Process, Distribute, Retail)
     • Government and Public Services (Central, Regional, and Local Government; Parliaments and Legislatures; Justice; National Security)
     • Public Safety (Chemical, Biological, Radiological, and Nuclear (CBRN) Terrorism; Crowds and Mass Events)
     • Health (Health Care, Public Health)
     • Transport (Air, Marine, Rail, Road)
     • Water (Mains Water, Sewerage)

  9. The ambiguous, yet gathering, storm
     • “All these different groups – criminals, terrorists, foreign intelligence services and militaries – are active today against the UK’s interests in cyberspace. But with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred” (UK Cyber Security Strategy, 2011)

  10. The cyber-terror threat
     • “Cyberspace is already used by terrorists to spread propaganda, radicalise potential supporters, raise funds, communicate and plan. While terrorists can be expected to continue to favour high-profile physical attacks, the threat that they might also use cyberspace to facilitate or to mount attacks against the UK is growing. We judge that it will continue to do so, especially if terrorists believe that our national infrastructure may be vulnerable” (UK Cyber Security Strategy)

  11. Government strategy (UK)
     • In the Strategic Defence and Security Review in 2010 the Government put in place a £650 million, four-year National Cyber Security Programme (NCSP).
     • Managed by the Office of Cyber Security and Information Assurance in the Cabinet Office
     • UK Cyber Security Strategy (2011)

  12. Government strategy (AS)
     • E-Security National Agenda(s) promulgated in 2001 and 2008
     • Cyber-Security Strategy 2009
     • Defence White Paper 2009
     • Critical Infrastructure Resilience Strategy 2010
     • Cyber White Paper 2012 (to be released)

  13. Issues in delivering cyber protection
     “The digital architecture on which we now rely was built to be efficient and interoperable. When the internet first started to grow, security was less of a consideration” (UK Cyber Security Strategy)
     • AMBIGUITY AND THE RISK-BASED APPROACH: “We will therefore apply a risk-based approach to prioritising our response”.
     • LIMITED CAPACITY: “Government cannot act alone. It must recognise the limits of its competence in cyberspace. Much of the infrastructure we need to protect is owned and operated by the private sector”
     • TRANSNATIONAL COLLABORATION: “Threats are cross-border. Not all the infrastructure on which we rely is UK-based. So the UK cannot make all the progress it needs to on its own. We will seek partnership with other countries that share our views, and reach out where we can to those who do not”
     • CLOUD COMPUTING VECTOR: Increased reliance on cloud computing; rollout of online public services based in the cloud next year.

  14. Public-private cyber security (UK)
     • CPNI hosts Information Exchanges (general intel) and Warning Advice and Reporting Points (WARPs) (specific)
       – Also hosts: Combined Security Incident Response Team (CSIRTUK), which works with the private sector to identify and manage cyber-threats
     • GCHQ advises the public sector via the Communications-Electronics Security Group (CESG), which runs GovCertUK (emergency response)
       – Single Intelligence Account, building cross-cutting capabilities, including Information Assurance: 59% of £650m will ‘strengthen and upgrade the sovereign capability the UK needs to confront the high-end threat’

  15. Public-private cyber security (AS)
     • AGD hosts TISN arrangements, enables information sharing and development of good practice guidance (via sectoral groups, ITSEAG and SCADA COI).
       – Also hosts CERT Australia, which assists CI owners with response
     • DSD advises the public sector via CSOC
       – Hosted by DSD, but integrates activities undertaken by other agencies (AFP, ASIO)

  16. Threat to the individual
     • Direct threat to individuals: criminal groups (actual); cyber-based sabotage on physical architecture causing physical harm (potential)
     • Indirect threat: disruption of key public services and/or utilities (actual/potential)
     • Exploitation: botnets (actual)
     • Response: educating individuals on staying safe online

  17. Threat to cyber-communities
     • Direct threat:
     • Indirect threat: government CT/IP legislation might restrict cyber-community interaction and freedoms
     • Exploitation: exploitation of cyber-communities to foment criminal behaviour (cf. Darknet)
     • Response: transnational agreements?

  18. Threat to commercial (non-CI) sector
     • Direct threat: industrial espionage/IP theft (actual), criminal groups (actual)
     • Indirect threat: disruption to commercial systems/loss of customer confidence
     • Exploitation of commercial sector?
     • Response: development of TISN (Aus) & CSIRTUK, Cleanfeed (IP)

  19. Threat to commercial (CI) sector
     • Direct: attacks on SCADA systems/disabling of critical elements
     • Indirect: exploitation of CI in commission of physical attack/loss of government contracts (for non-compliance)
     • Responses: sovereign responses, international agreements

  20. Threat to the state
     • Direct: state-sponsored attacks/cyber espionage/cyber warfare
     • Indirect: loss of dominion/state revenues associated with diminished cyber-economy
     • Exploitation of the state: ?
     • Response: sovereign institutions/transnational agreements

  21. Policy dilemmas
     • Reliance on a digital architecture, designed for efficiency, that is clearly not fit for purpose
     • Simultaneously diffuse and aggregated cyber-threats
     • Much of critical infrastructure is overseas and thus beyond traditional power of the state to intervene/influence
     • Tensions between public and private imperatives in cyber security
     • Inherent difficulty in establishing metrics – and collecting good data – to evaluate effectiveness of policy
