Building a strategy to meet ‘rapidly evolving’ cyber threat
From: Public Service Europe
by Kadri Kaska and Anna-Maria Talihärm
We only become truly aware of our reliance on the human nervous system when it is affected by illness – likewise, knowledge of cyber threats currently only develops after an attack or other incident has taken place
The functioning of modern societies has grown so intertwined with information systems and communications networks that today barely anyone doubts their criticality. We depend on the availability, integrity and confidentiality of information infrastructure for the governing of our societies, for running our economies, and for exercising our rights and freedoms as citizens, both individually and collectively.
Similarly to the nervous system of a human body, information infrastructure enables various functions and activities: some of them may seem trivial, such as sharing a personal note over Facebook or Twitter; some may be vital to the society, such as enabling and controlling the provision of critical services, for example the supply of electricity or clean water. Yet, both make our society a modern one and we are not easily willing to give up either the advantages or the comfort brought by the ubiquitous use of information and communication technologies.
For many such societal functions, low-tech alternatives no longer exist as the drive to achieve universal accessibility of services, ensure efficiency, and cut labour costs has been met by the response of automation. Hand in hand with its growing role, information infrastructure has also become a target for persistent cyber threats from actors of various types and motivations – criminal groups and individuals as well as state-sponsored actors. Attacks against information systems, taking varied forms and intensity, are a fact of life that both private and public infrastructure operators in modern information societies handle daily. However, wider awareness of cyber threats often occurs only after a significant cyber incident has already taken place; similarly again to the parallel of the nervous system of a human body, we are barely aware of its existence or our reliance upon it until it is actually affected by an illness.
A growing number of countries have realised that the interlinked dependency on information infrastructure no longer merely constitutes a sum of individual vulnerabilities of infrastructure owners and service users, but vulnerability of society and of national security as a whole. The past five years have witnessed the emergence of a number of national cyber security strategies, defining national cyber security priorities and outlining means to fulfil the identified objectives. Studying the existing national cyber security strategies, and especially their implementation, can provide valuable understanding for nations interested in tackling the area, but also those undergoing the process of strategy renewal. Such analysis gives useful insight into issues considered the most critical in cyber risk management on the national level and assists in keeping up to date with the fast-developing cyber domain.
There are various studies carried out to identify the commonalities, emerging trends, and best practice examples in existing strategies, the NATO Cooperative Cyber Defence Centre of Excellence’s National Cyber Security Framework Manual, published in December 2012, being one. It provides in-depth theoretical understanding into the political aims and policy methods, strategic goals and stakeholders as well as organisational structures and governance mechanisms that are central in developing a national cyber security model.
The study indicates that many nations consider threats and vulnerabilities arising from cyberspace as potential threats to national security, addressing them in their national security strategies – examples of such nations include the United Kingdom, Spain, and France, but also the small nations of Estonia and Finland. By the end of 2012, about half of European Union and North Atlantic Treaty Organisation member nations had adopted a national cyber security strategy. These typically address a number of objectives and activities aimed at strengthening the nation’s resilience to cyber threats; however, some aspects are commonly emphasised in the vast majority of the strategies, and these will be briefly acknowledged below.
Most national cyber security strategies are grounded in the understanding that cyber security cannot be viewed as an isolated problem of the government or one or several segments of the society, but rather a problem of the whole society, requiring coordinated and collaborative effort of various actors. A comprehensive approach is vital to ensure that a nation’s activities in the area are consistent and inclusive, so that no areas are left unconsidered and no duplication of activity occurs which would have a detrimental effect on limited national resources. Such understanding, however, does not entail a uniform, ‘one size fits all’ approach to the national cyber security model – national interests and political tradition will influence how the roles are played out on a national level.
As indicated above, there are numerous parties with a role in addressing the threats and vulnerabilities in cyberspace. Information infrastructure, including that used for operating critical services, is mostly privately owned and operated; the same applies to a large part of the digital services offered to the public. The civil society actors – private and corporate users of public communications services as well as non-governmental organisations – are a main determinant in the development of both the form and substance of those services. Public administration is responsible for governing public resources, ensuring public order and national security.
This variety of expectations and responsibilities means that the security of information infrastructure is neither achievable nor even designable by one type of actor alone, requiring the involvement and cooperation of all stakeholders. In both developing and implementing the national cyber security strategy, the involvement of an extensive range of stakeholders should be integrated into the process. The means for achieving their involvement may vary based on the task at hand, ranging from an incentive-based to a more regulatory approach; for meaningful involvement, however, it is important to consider that engagement must provide additional value for everyone involved.
A primary task of the national cyber security strategy is well-defined role allocation and a clear definition of the national cyber security governance structure. This task encompasses many layers, beginning with the definition of tasks and responsibilities of each member of the system as well as identifying the bodies responsible for coherence, coordination and information exchange, while still inserting a relevant degree of flexibility for unforeseen or even unforeseeable circumstances.
As explained above, national cyber security strategies require input from various national entities both on the private and public level. In order to integrate individual efforts into a collaborative endeavour, strong coordination between these entities is of utmost importance both during the adoption and implementation of the strategy. Without substantial and effective links within and between the governmental and the private sector, there is a risk of entities engaging in ‘cyber empire building’ within their narrow domains, such as telecommunications, security, energy, etc, which is likely to result in unbalanced resource allocation as well as distorted legislative and regulatory measures that may end up prioritising certain legitimate interests over other equally legitimate ones.
In order to facilitate the coordination and identification of areas of responsibility as well as to track the activities supporting the aims of the strategy, a specifically tasked neutral or inter-agency body could bring focus and balance among the private and public entities engaged. Such a body may be tasked with coordinating the input of various national entities, overseeing the activities outlined in the strategy, coordination of national cyber security strategy risk assessment, and similar supervisory tasks.
A national cyber security strategy, although a nationally relevant document, addresses a phenomenon that knows no geographical borders. Therefore, the strategy should not be limited to containing domestic challenges but also consider the significant role of international cooperation, actors, law and organisations in responding to the wide range of cyber threats. A number of existing international agreements and organisations already provide frameworks for cooperation in this regard both on the political and operational level. Examples include the Council of Europe Convention on Cybercrime, or organisations such as NATO, the EU, the United Nations, the Organisation for Security and Cooperation in Europe, and the Organisation of Economic Cooperation and Development. Active national participation in such international frameworks will facilitate the exchange of information, lessons learned, and best practices, but will also contribute to development and consensus building in the area. Countries may find it useful to also invest in closer cooperation with specific organisations or other like-minded countries.
To conclude, the importance of stakeholder engagement and cooperation cannot be overestimated, but it is equally important to realise the complexity of cyber security and the constant challenge it entails. Forming a national cyber security organisational model is not about devising a universally tasked agency or following a predefined blueprint, but developing an organic, adaptable national model – and maintaining its relevance in the rapidly evolving and complex threat environment. The evolution of information infrastructure to a nervous system enabling the appropriate operation of all functions of society may well prove to bring about a change in the way we govern our modern societies – from hierarchical to collaboration-based governance.
Kadri Kaska and Anna-Maria Talihärm are from the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. This article was first published in the Public Service Europe journal as Considering cyber security, strategically.