
Evolving enemies CYBER


Academic year: 2021


The cyber threat to governments and key infrastructure is becoming greater, not only in terms of potency, but in the range of possible attacks. Nick Watts examines how Europe in particular is responding and what nations are leading the way in securing their assets and information.

Europe is playing catch-up to protect its critical infrastructure as most older networks are vulnerable to cyber attack. (All photos: NATO)

Cyber security in Europe is a reflection of national priorities – defence and security, critical national infrastructure (CNI) and the wider commercial world. It is also a reflection of how individual countries view their relationship with the two big blocs – the EU and NATO.

National authorities have to balance these priorities against the claims of their indigenous defence and IT contractors when negotiating cooperation arrangements and deciding on applicable standards.

Achieving equilibrium is also a reflection of both European and national efforts at harnessing research and technology spending, as well as the allocation of capital expenditure in defence and security budgets and the private sector.

Governments have come to understand that they do not own their utilities or most of their CNI, such as railways or airports, while the ‘cyber solutions’ being offered are often in the hands of foreign-owned companies.


THE NEXT ARMS RACE?

It was necessary for nations to understand both the nature of the threat and the resources they already possess to counter it. Merely publishing a declaratory document as a ‘cyber strategy’ would not suffice in a domain that was rapidly becoming the next ‘arms race’ in the minds of politicians and business leaders, especially after the revelation of the Stuxnet attack in June 2010.


www.digital-battlespace.com Volume 7 Number 4 | July/August 2015 |DIGITAL BATTLESPACE

Efforts to achieve adequate standards of information assurance within national defence and security agencies took priority, as governments realised that their legacy computer networks were vulnerable to hacking or signals interception. Progress in implementing cyber security strategies in individual countries has been patchy, due to financial constraints in both the state and private sectors.

The terrorist threat has also created a new kind of danger, the ‘self-starter’ – disaffected individuals who are radicalised via social media and online forums.

Budgets for expensive defence projects have come under increased scrutiny in an era where the threat is seen as an enemy within, as much as a state-versus-state confrontation. An era of ambiguous and hybrid warfare presents senior military and security officials with difficult decisions about the allocation of resources.

EVOLVING LANDSCAPE

Recent developments in the European cyber security market demonstrate approaches to this matter that reflect the varying interests of different countries.

Estonia, which was subject to a cyber attack by Russian activists in 2007, has very quickly become the leading centre of expertise on cyber-resilience and detection. Britain, with its interests in the financial and services sector, has placed great emphasis on making business safe in cyberspace. Germany, following the revelations by Edward Snowden that the US National Security Agency (NSA) was listening to Chancellor Angela Merkel’s phone, has been strong on surveillance safeguards.

The defence and security aspects of cyber security began to emerge with the publication of national strategies across Europe. Those countries that have a well-developed IT sector and a national SIGINT capability have led the way. The UK initially produced such a strategy in 2009 and again in 2011. France and Luxembourg followed in 2011 and Germany in 2012.

Industry was quick to offer cyber security remedies, and those defence contractors who did not possess cyber capability bought it in a series of acquisitions in the period following the Stuxnet attack. Most of the major defence contractors can now field a cyber offering.

In an era of continuing austerity, governments are also trying to future-proof their IT projects to avoid embarrassment should they find themselves left behind in the race to achieve an acceptable level of security.

The continuing challenge for agencies and MoDs used to dealing with a recognised group of defence and IT contractors is how best to accommodate the protean world of the IT sector, when they were used to ponderous procurement procedures which lasted years. This matter remains unresolved.

Governments and other agencies might profess their admiration for the work done by the innovative technology sector, but are still wedded to lengthy procurement and demonstration processes. Defence contractors, for their part, are looking to earn back the money they had to pay to acquire their new cyber capability.

COMMON STANDARDS

The driver for much of the recent activity across Europe has been the need to achieve common standards within NATO and the EU. While the UK, with its ‘Five Eyes’ arrangement with the US, is seen as being a leader in the defence and security domain, it has shown a fractured response to other threats such as intellectual property theft and commercial cyber crime.

Despite the revulsion towards ‘snooping’ by the US among civic society groups, many policy makers in Europe now understand the need for some measure of surveillance after the jihadist attacks in Paris and Copenhagen together with the Belgian police raid in Verviers in January 2015, which left a total of 17 people dead, plus scores wounded. The London jihadist-inspired killing in September 2013 claimed another life.

These events demonstrate to policy makers the nature of the terrorist threat facing open societies from self-starter and ‘lone wolf’ terrorists. The Intelligence and Security Committee of the UK Parliament noted that the Woolwich attack might have been prevented if communication service providers had shared information on their networks with government agencies. One of the attackers was in communication with a jihadist with links to al-Qaeda in the Arabian Peninsula.

The Russian incursion into the Crimea in February 2014 and the subsequent fighting in eastern Ukraine has alarmed European leaders about the risks posed by a revanchist Russia.

Russian doctrine includes ‘ambiguous’ warfare in its armoury, including cyber operations. Western leaders are divided about the best response to these developments, but it has added impetus to considerations about Europe’s cyber security.

NATO’S RESPONSE

As early as 2002, NATO began to address the cyber threat at its Prague Summit. The New Strategic Concept promulgated at the 2010 Lisbon Summit called for the alliance to be fully capable in the face of the cyber threat.

Within NATO’s structure, an Emerging Security Challenges (ESC) Division was created in 2010 following the summit headed by ambassador Sorin Ducaru.

Following the Estonian and Georgian attacks of 2007 and 2008 respectively, the alliance established the Estonia-based Cooperative Cyber Defence Centre of Excellence (CCDOE) in 2008.

Suleyman Anil, head of the cyber defence section in the ESC division at NATO, told Digital Battlespace: ‘The CCDOE was established as a non-operational centre for research and the promulgation of best practice advice. At present, some 19 of the alliance’s 28 members participate in its activities. Its terms of reference allow the CCDOE to develop work and promulgate studies which do not necessarily carry the imprimatur of the alliance as official cyber policy.’

Initial steps by NATO to address its vulnerability were taken in 2004 with the establishment of the NATO Computer Incident Response Capability (NCIRC). In 2012, the NCIRC was upgraded to 24/7 operations under a €50 million ($56.2 million) contract awarded jointly to Finmeccanica and Northrop Grumman, which was completed in May 2014.

It was further agreed at the October 2013 ministerial meeting that the alliance would consider how best to support member states if they come under cyber attack.

Jamie Shea, deputy assistant secretary-general of the ESC division told DB: ‘NATO has over 100,000 computers and 30 significant networks. Ensuring the alliance can protect itself was its first priority.’

Institutional efforts by NATO to come to terms with the cyber threat have demonstrated a bureaucratic form of Moore’s Law. Initially established as the NCIRC, the Cyber Defence Management Authority (CDMA) was created in 2008. In 2011, the CDMA was replaced by the CDMB – the ‘B’ standing for Board. On 1 July 2012, the NATO Communications and Information Agency (NCIA) was established.


MULTINATIONAL CAPABILITY

The NCIA is currently leading the Multinational Cyber Defence Capability Development programme (MN CD2). MN CD2 comprises five participating countries: Canada, Finland, the Netherlands, Norway and Romania. These nations fund the NCIA to undertake this work.

The purpose of this initiative is to develop a cyber defence situation awareness capability, for which an RfI sponsored by MN CD2 is currently in place. Responses were due as DB closed for press, and evaluations will be carried out in September.

The alliance’s vehicle for working with industry is normally managed by the NATO Industry Advisory Group (NIAG), which continues to undertake studies, including into evolving needs in the cyber domain.

‘Member states of the alliance nominate participant companies and can suggest to NATO staff which companies are the leaders in a particular sector, to take the lead in particular studies,’ said Anil. However, he was keen to stress that ‘there was no preferred list of participants’.

An NIAG study on ‘Private Sector Support to NATO Cyber Defence’ was instrumental in helping to shape the alliance’s early thinking about developments in the cyber domain. NATO is taking the lead in developing cyber capabilities and is likely to speed up


The communiqué issued after the NATO Summit in Wales in September 2014 incorporated cyber defence into the alliance’s collective defence mechanism: ‘Article 5 [of the Treaty of Washington of 1949] can be invoked in case of a cyber attack, with effects comparable to those of a conventional armed attack.’


SENDING A MESSAGE

The intent of the NATO declaration is to send a message to Russia, particularly with the Ukraine situation in mind. The alliance is currently examining how best to link collective conventional defence to cyber defence. At present, Article 5 is considered on a case-by-case basis.

‘Arising from the Wales Summit was an action plan relating to cyber defence,’ explained Anil. ‘This has implications both for NATO’s internal structures as well as members of the alliance. It is called the NATO Industry Cyber Partnership [NICP].’

It is intended that the NICP will undertake a study on how best the alliance can work with industry and it reported to the NATO ministerial meeting in June.

Anil told DB: ‘The emphasis will be on harnessing the dynamism of small and medium enterprises [SMEs] who thrive on innovation. This will involve working together on collaborative platforms and opening up the alliance’s “innovation incubators” to encourage development of solutions. This work began in September 2014 and a report on progress will be made in June and a web portal will then be launched to encourage participation.’

The technical action plan brings the alliance’s cyber defence activities into two main work streams: those that apply internally – securing NATO’s own networks; and those that apply to members of the alliance. This latter part comprises capacity building and rapid reaction teams (RRTs).

‘When Estonia was subjected to a cyber attack in 2007, it sought assistance from the alliance, which in the event was unable to help,’ Anil noted. ‘The RRTs are designed to respond to similar events in future. The alliance is also undertaking a study to fully understand the nature of hybrid or ambiguous warfare – given that cyber attacks are often a prelude to more kinetic activity by state or non-state actors. Capacity building amongst alliance members and partners is also built around a series of cyber war games: Locked Shield, which is run by the CCDOE; and Cyber Coalition run by NATO.’


INSTITUTIONAL STRUCTURE

The EU’s approach to cyber security reflects its institutional structure post the Lisbon Treaty. The inter-governmental European Council adopted the European Security Strategy in December 2003, following the terrorist attacks of September 2001.

This was drafted by Javier Solana, former Secretary General of NATO. The Madrid bombings of March 2004 gave these efforts fresh impetus, and in July 2004 the European Defence Agency (EDA) was established to underpin political efforts to harmonise Europe’s evolving efforts in the security area.

The EU’s approach to cyberspace is fragmented within its pillar structure:

• Cyber crime issues fall within the competence of the Directorate-General (DG) for Home Affairs and DG Justice, with support from the European Cyber Crime Centre within EUROPOL, established in 2013.

• Other elements are covered by the DG for Communications Networks, Content and Technology (DG Connect) supported by the European Network and Information Security Agency (ENISA) in Greece, the European External Action Service (EEAS) and the EDA.

In February 2013, the European Commission (EC) published its Cyber Security Strategy. This was combined with a draft EU directive on cyber security. The strategy is intended to ensure a common level of network information security throughout the EU.

The strategy also addresses such issues as: network resilience; awareness raising; encouraging R&D investment and the development of an internal market for cyber security products and services; and cyber defence in Common Security and Defence Policy (CSDP) missions and operations.


IMPOSED OBLIGATIONS

The EU draft cyber security directive sets out the obligations that member states will be expected to impose at industry level. It also addresses mechanisms for information sharing between the public and private sectors and sets out measures with which member states and those entities providing CNI services will be required to comply to ensure adequate cyber security.

This directive has the twin objectives of unlocking the commercial and social benefits of the Internet and the requirements of cyber security and related cyber crime measures.

Following the adoption of the Cyber Security Strategy and a tasking from the European Council on Defence Matters from December 2013, the European Council adopted a Cyber Defence Policy Framework in November 2014. It focuses on five areas:

• supporting the development of member states’ cyber defence capabilities related to CSDP;

• enhancing the protection of CSDP communication networks used by EU entities;

• promotion of civil-military cooperation and synergies with wider EU cyber policies, relevant EU institutions and agencies as well as with the private sector;

• improving training, education and exercises opportunities; and

• enhancing cooperation with relevant international partners.

At the EDA, cyber security matters are the responsibility of the Capability, Armaments & Technology Directorate that is headed by Peter Round.

Wolfgang Roehrig heads the cyber team and he emphasised to DB how small that team is – two staff members.

Roehrig said that a second colleague only joined him in May. He added: ‘The other area which looks at defence-related aspects of cyber in the EU are staff in the EEAS, which oversees the activities of the EU Military Staff and the EU’s CSDP activity.’ However, he pointed out that this still amounts to no more than ten people at present.


IN CONTEXT

As the EU is not a military alliance like NATO, the cyber domain has to be considered in the context of the dual nature of policy areas adjacent to defence and security, such as transport and CNI.

‘Studies are currently ongoing, where the EDA provides input into work undertaken by DG Connect – the part of the European Commission that looks at the information society and how this can be safeguarded,’ Roehrig explained.

In view of the dual policy areas, different cyber security-related projects of the EC’s research programmes, such as the Framework Programme 7 and the recently started Horizon 2020 Programme, are under evaluation in order to identify solutions that can be adopted for further implementation in the military domain. This may help to save scarce military R&D funds.

Concerning its current work stream, Roehrig said: ‘At the end of 2014, the EDA completed the revision of its Capability Development Plan which put cyber security as a priority area, with a strong focus on the human aspects of cyber defence and the availability of state-of-the-art technology.

‘As regards industry, the EDA is in the same position as NATO – it is in the process of tendering for a study to look at the EU cyber defence market.’

Roehrig expects this study to focus on the opportunities in what he calls a ‘volatile’ domain, from engagement with SMEs. Like NATO, the EDA expects to find more innovative approaches from the smaller, more agile players in this market.

‘We know the “big elephants” and their portfolios,’ by which he meant many of the prime contractors. But, he added: ‘We expect more from the SMEs in this domain.’ The study will begin work ‘in the summer’ and Roehrig expects results by the end of the year.


COMMON THEMES

Despite coming from different starting points, the EU and NATO have sought to cooperate as much as possible. This should ensure that there is a seamless web that links Europe’s civil infrastructure with its defensive apparatus.

It also provides a model for an ‘open Internet’ which other international powers will be encouraged to emulate. Both NATO and the EU look to SMEs in the IT sector to drive innovation, although they see a mix of established prime contractors and SMEs providing solutions for future needs.

Beyond the institutional boundaries, both the EU and NATO are mapping out standards of resilience and security with their respective member states. It is national government that will implement standards, and which will no doubt want to ensure its own contractors get a fair crack of the whip in winning future contracts.

For their part, European states that are members of both the EU and NATO, as well as those which are non-aligned, will wish to see an open Internet as advocated by the Organisation for Economic Co-operation and Development and not a controlled Internet, as espoused by the Shanghai Cooperation Organisation whose principal members are China and Russia. The diplomatic bargaining will continue, while technology evolves and new threats and solutions emerge.


REDUCED HYPE

The hype surrounding an arms race in the cyber domain has subsided, but the threats posed to national security are no less real. Cyber crime helps to fuel both drug and people trafficking, which adds to instability and fuels terrorist activity.

Industrial espionage conducted by state agencies or non-state actors threatens to erode both economic advantage and national security. Any future kinetic conflict is likely to be preceded by an upsurge in cyber activity, whether it be a denial-of-service attack, or an attack on the nervous system of a country’s CNI.

Industry and policy makers will await the outcome of NATO’s NICP study in June and the EDA’s cyber market study due by the end of the year. Both will help to shape the future landscape of Europe’s cyber security. Neither of these pieces of work must disadvantage the continent’s security, industrial competitiveness or ability to innovate by being too prescriptive. The worst that could happen is for Europe to believe that it has created a new ‘Cyber Maginot Line’. DB

Cyber warfare spans both military and civilian domains – the EDA will tender for a study into the European cyber market, and the EU needs to cooperate more closely with NATO.
