RECOMMENDATIONS

CYBERSEC 2015 – RECOMMENDATIONS (DOWNLOAD):

http://bit.ly/2aq03BK


The main aspects and key recommendations from the European Cybersecurity Forum 2015 have been described in the European Cybersecurity Journal by its chief editor, Dr Joanna Świątkowska. As the first and only publication in Central-Eastern Europe dedicated to cybersecurity, the European Cybersecurity Journal provides its readers with a comprehensive overview of the topic from the perspective of both the private and the public sector. For subscription information, see: ECJ

1. Introduction

The European Cybersecurity Forum 2015 (CYBERSEC 2015) was the first edition of an annual international conference dedicated to strategic challenges for cybersecurity, inaugurated in September in Kraków. The event hosted 400 participants, among them 120 decision-makers, experts and academics from all over the world, who were actively engaged in substantive work before and after the conference. During the CYBERSEC Forum, we prepared eight breakout sessions under four thematic panel discussions, accompanied by several additional events. During the preparation for the conference we also organised eight webinars. Throughout the whole process, we developed a number of conclusions and recommendations which can serve different groups of stakeholders in building the various components of a cybersecurity system in their areas of operation. This article presents an analysis of the most important topics and arguments raised during the debates at the CYBERSEC Forum. The analysis contributed to the aggregation of the key conclusions and the presentation of a summary.

2. The crucial role of the state

One of the common points in all the discussions that took place at the CYBERSEC Forum was the belief that activities related to cybersecurity are of strategic importance. Regardless of whether we think of cybersecurity at the level of a single private entity or at the state level, the key issue is to treat it as a challenge built into the strategy of the whole organism. Supervision and control should be assigned to the highest level of political responsibility and of the company board. Only if the crucial decision-makers realise how important cyberspace is for the functioning of the company or the state will we have a chance to take effective actions and decisions on allocating adequate financial resources.

The participants of the conference indicated that providing an adequate level of cybersecurity is a direct function and responsibility of countries (on a macro scale) and of individual enterprises (on a micro scale). Regardless of the important supporting role of supranational organisations such as NATO or the EU, it is countries that face the need to build their own capabilities and solutions to ensure their safe operation in cyberspace. Supranational structures can harmonise approaches, indicate correlations and provide help. However, it is states that must take responsibility for proper preparation to face cyberthreats. Similarly, states can support private entities, even those which are crucial to the country’s security. However, private entities cannot rely only on states, and they should take care of their own safe operation in the first place. Such a clear identification of responsibility entails a call for the fair implementation of appropriate measures or the proper allocation of a large budget for cybersecurity.

The postulate for building capacity in the field of cybersecurity went hand in hand with the speakers’ insight that there is a general tendency to build and apply national solutions, particularly in the most sensitive areas of the state. In other words, the greatest emphasis is placed on ensuring control over hardware and software in order to maximise the level of security. In dealing with external suppliers, it was recommended to take precautions and to select trusted partners whose products are testable. This trend was noticed on two levels, national and regional, where one of the participants also recommended the implementation of a more pragmatic approach.

Speaking of private companies, which are exposed primarily to the activities of cybercriminals, participants pointed out that despite the help they can get from the state, they should first of all take care of their own safety themselves. What is more, they should take more proactive actions that rely on actively countering threats, rather than relying solely on passive defence. Increasing situational awareness and information sharing should be standard practice in organisations.

3. Protection of critical resources

There was a call for promoting a proactive approach at the level of the state and of individual companies, as well as for the implementation of action-oriented goals. In order to build cybersecurity effectively, one should know the threats and the reasons for which something is protected. The effective fight against cyberthreats requires implementing an effective risk management system. First of all, we should clearly identify and analyse the most valuable and critical resources and understand the risks, and then, on that basis, implement appropriate actions. Countries and companies should also better understand the risks and consequences that may threaten them. For this reason, the aim of actions must be clearly defined.

The postulate reported during the session dedicated to the cybersecurity of critical infrastructure was a good illustration of the process of understanding one’s own resources. One of the participants pointed out that even within critical infrastructure, not all elements are critical, and therefore different levels of security activities should be required. For this reason, one must identify the most important elements and spend most of the broadly understood effort on their defence.

4. Education

While building capacity for cybersecurity, countries should address the deepening problem of shortages of specialists. There are increasing needs in both the private and the public sector for the most skilled cybersecurity professionals. Therefore, we need to start building strategies for the professional workforce at the national level. Supply should follow market needs, and universities, in consultation with the private sector, should adapt to this education strategy.

The common denominator of almost all the sessions was the issue of increasing awareness of and education on cybersecurity. It is not only about training the aforementioned specialists. Our objective should be focused on increasing citizens’ awareness of “hygienic” and safe use of the network, and on equipping them with basic knowledge in this area. That is why one of the postulates highlighted that cybersecurity should be incorporated into all educational cycles from an early age. The Ministries of Education of all EU countries should deal with this issue.

5. Funding

Financial issues were one of the most important parts of the discussions at the CYBERSEC Forum. Participants unanimously pointed out that spending on cybersecurity must be increased. More and more countries decide to increase their level of defence spending, for example by introducing the principle of designating 2% of their GDP for this purpose. One of the suggestions was to reserve a specific, substantial part of the budget just for aspects related to cybersecurity, both within countries and within international organisations. In addition, participants suggested increasing expenditure on cybersecurity not only in the military sector, but also in the civilian one. Budget expenditure for this purpose should be clearly increased.

Some of these expenses should be spent on conducting broad research and development activities in the area of cyberspace. As participants pointed out, there are national and supranational (EU) funds supporting these activities; however, they are not yet sufficiently utilised. It was also recommended that, in order to apply successfully for financing, we first need to ensure the rapid commercialisation of projects. What is more, participants agreed that private entities, along with public ones, should work on prioritising public spending, and that a special fast path should be earmarked for small and medium-sized enterprises. In this context, there was also an important postulate to support European start-ups and their capabilities so that they could carry out their activities in Europe and would not have to emigrate in order to seek funds. With respect to good practices in the framework of public-private co-operation and the financing of actions, participants pointed out several European initiatives, such as the NIS Platform and the Cybersecurity Private-Public Partnership (within the DSM), which offer stakeholders many opportunities.

6. Information sharing

A large part of the discussions during many sessions at the CYBERSEC Forum was dominated by the topic of the exchange of information, both between the private and the public sector and within the private sector itself. These activities were identified as the foundation of providing cybersecurity and the basis for proactive action. During the discussions, several recommendations were made concerning methods of ensuring the effectiveness of this process and the participation of all stakeholders. The table below presents the most important postulates:

EFFECTIVE ELEMENTS OF INFORMATION SHARING

- Shared information must contribute in a real way to solving pre-defined problems. Stakeholders must know what kind of information is needed and why (what kind of problem will be solved); this can be called targeted information sharing.

- Co-operation and information sharing must work as a win-win model. Information from the public sector should be shared on an equal basis with that from the private sector. The current state of affairs, in which public information is excluded from dissemination, is perceived as unfair. This must be a two-way process, and the private sector must be an equal part of the system.

- Governments should provide a clear plan for processing the security data obtained from the private sector and, based on this data, they should provide effective input into the cybersecurity dialogue. All the parties involved must see clear results of the co-operation.

- States should play an important role in the information sharing process during a crisis situation.

- Information must be relevant and timely.

- The absolute precondition of successful information sharing is the protection of privacy and of the sensitivity of information. The actors involved must be convinced that exchanging information will not harm their business or their clients.


Effective information sharing is perceived as key to providing the security of critical infrastructure. Another key action in this area is the application of appropriate standards. Cybersecurity standards should be developed at the sectoral level and applied rigorously.

7. Public-Private Partnership

During the discussions there were different opinions on whether public-private co-operation and the application of standards should be governed by mandatory laws or rather based on a voluntary approach. The collision of these two approaches was evident not only in regard to the protection of critical infrastructure, but in practically all subjects discussed at the CYBERSEC Forum. The supporters of mandatory laws argued, inter alia, that cybersecurity often plays too important a role to let entities or the forces of the free market decide. The proponents of the voluntary approach indicated that the sanction-based approach often leads to minimum service obligations and does not solve the real problems. Moreover, the solutions proposed by the public sector do not keep up with the changing environment.

Although the dispute was not resolved during the CYBERSEC Forum, and it is difficult to deny that each party is right in certain respects, we believe that it may be worth looking for intermediate solutions that would solve at least part of the dilemma. If within each body, including the state, not every component is critical, while at the same time some components are responsible for the functioning of the whole body, then it may be worth applying a flexible approach and using the sanction-based approach where necessary, that is, where the effects of problems would have larger social repercussions.

Regardless of the approach, it is worth using a properly constructed system of financial and non-financial incentives to mobilise the private sector to co-operate and provide adequate cybersecurity. This issue is likely to become one of the subjects of discussion at the next CYBERSEC Forum.

8. Strategic international co-operation and military aspects

One of the elements approved by the participants was a demand for the more intensive implementation of exercises refining activities in the field of cybersecurity. There was a recommendation for intensified exercises at both the national and international levels. One of the postulates also called for organising joint NATO and EU exercises, especially in the face of rising hybrid threats. Exercises allow many elements of an effective defence to be tested, among others procedures and information sharing.

In the context of the talks on cybersecurity in the Military session, participants raised many key issues which are important to national defence and also to allied co-operation, mainly within the activities of NATO.

The other part of the debate concerned the observed trend of building cybersecurity strategies and doctrines. It was considered that documents of this type should definitely be established, but that they should be treated only as the first step in the whole process. Further implementing efforts need to be developed; primarily, we need to expand the capacity for effective action and to prepare procedures for taking concrete actions, both in terms of military operations in cyberspace and in relation to emergencies.

The offensive abilities of a modern army to operate in cyberspace were discussed in detail. Many experts indicated that the expansion of this element is necessary. This element is also an important factor in terms of deterrence and proportional defence. According to one of the participants, the inability to conduct offensive operations in cyberspace may mean that, in order to respond to an attack, we would be forced to resort to conventional measures.

For many reasons, operations carried out in cyberspace can lead to the escalation of crises. The cyberspace environment has features (such as the difficulty of attribution) which promote the development of such adverse events. For this reason, it was pointed out that one should maintain as much transparency as possible when building a cyberdefence policy at the state level. Strategies and doctrines should be fully transparent in order to reduce the risk of misinterpretation of actions.

Another key instrument that increases confidence in the functioning of cyberspace is confidence-building measures (CBMs). There was a strong postulate to create and implement them at both the global and the regional level.

It was also noted that building capacity at the state level is an important factor, and even a duty, from the point of view of the safe operation of the Alliance. Strong member states contribute to a strong Alliance. At the same time, it should be remembered that currently NATO does not allow offensive operations in cyberspace to be conducted within the Alliance, and the decision to expand offensive capability should be a responsibility shouldered by the Member States.

In order to meet the postulate of strengthening national actions, participants called on Member States to sign the second generation of Memoranda of Understanding (MoUs).

Participants pointed to the many opportunities and actions that can be taken by NATO in order to strengthen its own capacity. It was recommended to create a NATO Specialised Cyber Defence Force operating in a manner similar to the NATO Response Force. Another specific suggestion was to create a Cyber Command Component alongside the existing Land, Air, Maritime and Special Operations Component Commands.

In the context of the discussions on cybersecurity in the military area, the issue of public-private co-operation arose once again. An interesting part of the discussion was the identification of the potential and opportunities arising from the formation of volunteer civil defence leagues in which civilians support the activities of the state in the field of cyberdefence.

Regarding co-operation with the public sector, there were recommendations for the further development and promotion of initiatives such as the NATO Cyber Industry Partnership. Similar arrangements should also be considered from the point of view of individual countries.

It was also noted that Member States, as well as NATO, should increase their situational awareness in order to operate more effectively in cyberspace. One of the elements leading to this goal is the expansion of capacities in the area of cyberintelligence.

Another important element of the discussion was the indication that actions in cyberspace conducted by states (or inspired by states) are almost always associated with conventional operations, which are part of the measures leading to the implementation of specific policy goals. Therefore, effective protection against them requires analysis of the current geopolitical situation and the application of measures belonging to the range of classic policy. In this context, there was a very important postulate to build the capacity of individual countries in so-called cyberdiplomacy. Diplomatic corps should be able to use a variety of tools for all major aspects of cyberspace, including those related to potential conflicts.

The issue of building capacity for taking actions in cyberspace in conjunction with cyberdiplomacy was raised in the context of helping developing countries. In order to strengthen cybersecurity at the global level, it is necessary to support those entities which are at the starting point of intensive functioning in cyberspace and which will soon be its key users. It was pointed out that issues dedicated to cyberspace should become an important element of the development policies of modern states.

In the framework of the discussion, participants also raised the need to work in partnership with developing countries on the future of Internet governance. All participants agreed that we should keep the current multi-stakeholder network management system. However, we should engage developing countries in participation within this system.

It was also noted that the management of the Internet, seen from the perspective of actions aimed at cybersecurity, should also be based on the principles of the multi-stakeholder approach, and that the first action should be to clearly define the roles and responsibilities of all players.

The issues relating to emerging megatrends such as the Internet of Things were an important part of the talks during the CYBERSEC Forum. Participants pointed to the opportunities and the risks that go hand in hand with these processes. In the face of the massive spread of the Internet of Things, we were cautioned against placing on the market cheap and untested products which do not meet safety requirements. It was also indicated that the implications of the Internet of Things will have an impact, among others, on employment issues, responsibility for security and other processes such as the categorisation of customers.

During the CYBERSEC Forum we also had the opportunity to take part in a special session dedicated to the fight against cybercrime. The main postulates raised during this session concerned the need to build international co-operation, the promotion of the signing and ratification of the Budapest Convention and its robust implementation into national law, the updating of legal solutions, and the reinforcement (e.g. by training, exercises or the application of modern technologies) of national capacities for the prosecution and punishment of cybercriminals. Co-operation in this area should take the form of multilateral (e.g. Europol) and also bilateral agreements. In this area too, participants raised the need to build public-private co-operation. Without this component, the effectiveness of the fight against cybercrime is much lower.

9. Conclusion

CYBERSEC abounded in many interesting conclusions. The key recommendations should be implemented as soon as possible in order to really enhance the level of cybersecurity. Within the framework of the Kosciuszko Institute, we will be intensively promoting them among the key target groups. At the same time, we will be monitoring critical processes by verifying which of the recommendations have failed to be implemented in real life. On the basis of this, we will specify the status quo and the challenges that must be taken up when working on a future edition of the CYBERSEC Forum. We believe that our work will contribute to improving the level of cybersecurity in a real way.

A photo gallery from the 1st edition of the European Cybersecurity Forum (CYBERSEC 2015) is available here:

https://www.flickr.com/photos/49878092@N04/sets/72157659348575776/

When using the photos, please indicate the source: http://2016.cybersecforum.eu/