How Estonia is helping to shape cyber resilience


Ahead of Cyber Defence and Network Security 2012, we spoke with Heli
Tiirmaa-Klaar, Senior Advisor to the Undersecretary at the Estonian MoD,
about the pioneering work that Estonia has contributed to global cyber
security measures. Heli provides insight into the progress being made in
regards to developing cyber policy, an integrated CERT team, and the
underlying issue of improving cyber forensics to ensure future accuracy when
it comes to identifying the source of a network attack.


Defence IQ: Heli, welcome to the session.

HTK:   Thank you. Hello.

Defence IQ: We appreciate your time. It is, I would say, vital to have input
from a representative from Estonia, given its recent experience and its work in
the cyber domain. We'll get to that in just a moment, but first let's start with a
slightly broader look at Europe, as a whole. Now, you're a Policy Maker, and
traditionally the European Union has had no firm policy for dealing with cyber
attacks. Can I ask, why is it taking so long for this to come about?

HTK: Well, in order to answer the question, you probably have to listen to
some lessons about how the European Union is built up. The European Union
has many different policy areas that already have initiatives in the cyber
security field, notably to fight cyber crime, and a new legislation there, which
is now proposed. Then we will have some more initiatives from critical
information infrastructure protection, and right now the European Union has
the policy on critical information infrastructure protection, and also the
network and information security field is covered by the European Union.

There is an agency, ENISA (European Network and Information Security
Agency), that takes care of the information security issues for member states
and for the institutions. The new European CERT (Computer Emergency
Response Team) will be formed soon, and so let's just say the European Union
is a very large organisation, and it probably just takes time, in such a large
organisation, to mobilise the attention and resources – but once it is
mobilised, it will hopefully be very efficient.

Defence IQ: Yes, and it’s obviously not an area that you would want to rush. I
imagine there's no concrete timeline for that completion?

HTK: Well, yes, and then there is the new European Internal Action Service,
which is a very new institution still, and probably it just takes some time
before all the players in the European Union find their own specific role in
cyber field, and once they have found it, they start to coordinate it and so
we will have some results maybe in a few years’ time.

“It's everywhere. And in order to get the full picture of what is going on,
international coordination and cooperation is the key.”

Defence IQ: Well, we'll actually be speaking directly with that action service
very soon, in this podcast series. Now, just moving on from there, without
going into detail over the events in Estonia back in 2007 – as it's well-trodden
ground – let's simply look at the aftermath, if we can. What were the lessons,
Heli, taken from this incident, and how has Estonia since emerged as a
pioneer in the realm of cyber defence?

HTK: Well, the first lesson, probably, for all countries was that no country can
really these days fight alone. So in order to be efficient you should have vast
coordination networks – international coordination networks. International
organisations should have their networks in other international organisations,
and the information in cyber threats is not only in one domain. It’s not only in
cyber crime. It's not only in military services. It’s not only in police. It's
everywhere. And in order to get the full picture of what is going on,
international coordination and cooperation is the key. So that’s one lesson.

And the other lesson of course is that in one nation, the nation has to have a
very viable cyber security system, with public/private partnership, with
necessary policies and organisation, and with necessary interagency
coordination.

So all those elements have been strengthened, in Estonia, and this has been
my direct responsibility in the last three years, to advance that system, and I'm
happy that it’s been done.

Defence IQ: So Estonia has shone a light on this need, and you're saying that
progress has been made, but do you believe that it will take a similar large
scale incident in those other nations, for international forces to move as swiftly
with their own national cyber policies, or their cyber procurements, or indeed
their cyber countermeasures?

HTK: I think some nations already have been doing quite many useful
efforts, and it’s just sometimes the issue of the size of the country, and also the
different institutions in different larger countries have very clear mandates,
and it’s sometimes hard to coordinate who is doing what, and it takes just
time before they get their act together. But I think there is a learning curve
probably for every nation in cyber… let's say cyber defence or a cyber
security system… and every nation probably will reach that point of maturity
at some point. Just in some smaller nations it’s easier to reach it early, and in
larger nations, it takes more effort and political attention and resources as well,
because the targets are not only the governmental sites, or not only the
military. It’s civilian national infrastructure; it's everybody, basically. So the
more targets you have in a nation, the more work you need to do, and then
it’s about the awareness process, it's about the interagency coordination,
and how the political elite of the country is seeing the issue, and whether it
pays attention to this issue or not, so it’s still very varying in Europe, I would say.

Defence IQ: Yes, that's a good point, and it does raise that issue of the level
of seriousness that cyber attacks can pose. On that note, do you think it's time
to begin treating cyber attacks in the same way that we would perhaps treat
conventional attacks on a nation’s soil? I understand that Estonia has been
one of the most vocal on this subject, so aside to the official stance, what
should we be considering when we look at this argument?

HTK: Cyber attacks can be dangerous, but most of the cyber attacks are
nuisance or disruption, and it depends very much on the nature of the cyber
attacks, what we talk about and the consequences. If the consequences of
cyber attacks are serious enough, it could trigger very serious political
response, but no country in the world has predetermined the response so far,
and no country in the world has said that cyber attacks can trigger armed
attack response definitely. So I think this strategic ambiguity, how the attacks
will be responded, should remain, in order to deter some of the terrorist groups
and some of the non-state actors to go over certain borders. But the hope is
that the rational actors, the nation states, the players in the international
arena, actually know what they are doing if they employ the cyber tools, and
for that we have international law that could be employed, in order to restrict
nation states to launch very serious cyber attacks against other nation states.
We have the rules of engagement in war, we have the law of armed conflict.
So these laws have to apply also in case of cyber conflict, in order to restrict
the unlawful launch of attacks in cyber space.

Additionally we should build these norms for arrangements and mechanisms
in the international arena, notably confidence-building measures, for
instance, that would reduce risk and create transparency between the
countries. We could also think of developing general norms of behaviour for
nation states in cyberspace, to have a type of ‘soft law’, what is
recommended and what is not recommended. Because of the real time
attribution issue in cyberspace, it's hard to set a new cyber law.

We have actually one very good cyber law existing, which is the ‘Council of
Europe Convention on Cyber Crime.’ This is more a law enforcement focused
document, but it sets the very clear principles on what a country itself has to
do in order to fight with organised cyber crime, and how the penalties have
to be applied, and then how international cooperation should be carried out
in investigating cyber incidents. So all these instruments, actually, what we
already have in international law, should be applied. Plus there should be
additional confidence building measures in order to enhance the possibility of
perception of states in crisis situation, because the risk is that some non-state
actors would appear to be attacking another state, and could be masked
[to appear as] state actors – and for that reason you should have some
arrangements between the states how we can reduce that kind of
misperception threat in very serious cyber conflicts.

“What we actually need is awareness raising... 80% of the breaches in
organisations come from human negligence, not from outside attackers.”

Defence IQ: You raised several excellent points there, but probably the one
there at the end, which I imagine is even more of an issue than measuring the
seriousness of a threat is in the identification of the source of that threat. How
would we perhaps begin to make proper steps towards those arrangements,
as you called them, in determining the source of an attack, whether it's state
or non-state? Is there a way that we can physically do it? And would that be
the lynchpin problem that's underlying this whole puzzle?

HTK: Yes, it’s possible to do it, but it’s not possible to do it in real time.
This is very sure. It’s possible to track the traces of a cyber attack later on,
after the incident. But in order to respond in real time, or in a short time,
sometimes this short time response is also needed. So then the identity of the
attacker could be hidden, and therefore, well, in order to diminish the risk of
misattributing the attack, we should have those more political measures. But
as for the attribution issue, I think that this is not a mystery, and it's
overestimated, and we, in the area of counter-terrorism, have the principle
that the country is responsible for investigating and cooperating, in order to
track down terrorist activity on its territory. In cyberspace we could apply the
same kind of logic that we have to take the nation states first to be
responsible for all sorts of malicious cyber activity on the territory, and with this
nation state responsibility, we can go on setting some norms, how nation
states have to be investigating the cyber incidents, how they have to build up
the law enforcement capabilities, and how they have to progress in their
cyberspace monitoring and forensics and analysis capabilities. This is kind of a
law enforcement issue in the end, not so much military, actually, because the
cyber actors, most of them are in the civilian domain. Either they are
sometimes used by the countries, or they carry out some state sponsored
activities, but they are still, in majority, in the civilian domain right now.

Defence IQ: I see. It will be interesting to see whether the development of
the cyber forensics field will evolve in the same sort of way that we've seen
the conventional criminal forensics evolve, throughout the 20th century. I
imagine there’ll be a lot more emphasis on that, and we'll see some
interesting things come of it soon.

To move on, I'd like to ask, just going back, right to the start of the discussion,
where you mentioned the combined CERT initiative currently looking to be
developed this year, I believe. Can I ask how is that intended to impact the
current pre-existing CERT teams within the EU, or indeed any other cyber
command currently involved in this domain?

HTK: Yes. EU CERT is supposed to be guarding the EU’s own institutions. It’s
not the CERT for the whole of Europe, so every country still has to have its
national CERT, and these national CERTs in each European country actually
are coordinating with each other already. They are having exercises, and any
European network and information security agency is taking care of this pan
European exercise initiative with national EU CERTs or CERTs from the EU
countries.

So the CERTs for EU institutions themselves are just needed in order to protect
the information possessed by those [specific] EU institutions themselves. So
that's long overdue!

Defence IQ: We will keep an eye on that as it develops.

It's recommended that we develop offensive cyber capabilities in order to
fully round out our cyber defence, at least in the words of some of the experts
that we've spoken to recently. What are the policy or legal implications
inherent to this theoretical approach?

HTK: The offensive cyber capabilities are kind of buzzwords or catchwords,
and it’s probably also promoted by defence industry that we need really
those offensive capabilities. In fact, what we actually need maybe more is
awareness raising and prevention of cyber problems. You might be aware
that 80% of the breaches in organisations come from human negligence, not
from outside attackers.

Defence IQ: Right.

HTK: So there are much more serious issues with, let's say, organisational
cyber security than the attackers from outside. It’s just that those serious issues
don’t get headlines. Like somebody who had been negligent doesn’t make a
good headline. If somebody had attacked an organisation it makes a good
headline. So therefore I think it’s much more complex issue, and it would be
wrong to think that if we only had more offensive capabilities, the issues will
be solved. It's not like the conventional military issue. It's much more complex.
Therefore I don’t… I am not a believer…

Defence IQ: You're not a proponent?

HTK: … that offensive capabilities will solve all the issues. No, they don’t
solve the issue. They might help something, in general, maybe a strategic
picture, but as for the national level cyber security, you need a lot more
attention going to preventive side.

Defence IQ: Yes. Change from within, in other words.

HTK:   Yes.

Defence IQ: Okay. As we're looking towards India, obviously another non-EU
ally, now beginning to develop and enhance their cyber resilience
capabilities, how do you anticipate that this will affect Estonia or the EU, or
indeed the global cyber domain? Will there be, would you say, many new
challenges to face with this rapid increase of militarised investment?

HTK: Well as I said, you cannot militarise it. The domain cannot be militarised
because it's not meant to be a military domain. It's being militarised because
of the side effects of not having security built in, in the cyber domain. This is
the issue that we have in the cyber domain.

In aviation we have security built in, but in cyber we don’t, and let's say the
industry doesn’t help either much because the software, which is developed,
seems to be pretty weak, full of vulnerabilities, and so probably we will have
many checks going on in the future.

As for the countries outside Europe, and what they are doing, if they raised
their own resilience, and if they enhanced their own capabilities, especially
law enforcement capabilities, to take responsibility on what is going on, on
their cyber, and in their cyber space, on their territory, this is a great help for
all the world, because the cyber crime that comes from the countries, which
do not have advanced law enforcement capabilities and legislation is the
most serious threat – not the militarised cyberspace, but those, let's say on
organised crime civilian actors that use the territories, which cannot
govern themselves, in order to launch attacks towards European countries or
North America. So this is the major problem, not the nation states having
some military capabilities. And nation states supposedly are more rational,
and they don’t use these capabilities unless there is a political reason, but
cyber crime guys, they are around, and they use every opportunity to attack
banks and economic actors, in order to make money. So this is the real
problem there.

Defence IQ: Okay, well, in those efforts to foster partnerships and to continue
to maintain the real dialogue on the issues, we're very much looking forward
to seeing you at the cyber defence series, Heli. Thank you very much for your
input today.

HTK:   Thank you.

Defence IQ: Thank you.


Cyber Defence and Network Security 2012 takes place in London this coming
January.


                        More information and booking forms

                                  www.CDANS.org
                          Email: enquire@defenceiq.com
                             Tel: +44 (0) 207 368 9334

Más contenido relacionado

Similar a How Estonia is helping to shape cyber resilience

CTO Cyber Security Conference Key Note Address by UK Security Minister
CTO Cyber Security Conference Key Note Address by UK Security MinisterCTO Cyber Security Conference Key Note Address by UK Security Minister
CTO Cyber Security Conference Key Note Address by UK Security Ministersegughana
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationMark Johnson
 
CybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINTCybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINTAimee Shuck
 
Global Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityGlobal Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityDominic Karunesudas
 
Guideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomyGuideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomySettapong_CyberSecurity
 
Input on threat images against information society
Input on threat images against information societyInput on threat images against information society
Input on threat images against information societySomerco Research
 
Cyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaCyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaEvan Pathiratne
 
CYBER PEACE PROPOSALRunning head.docx
CYBER PEACE PROPOSALRunning head.docxCYBER PEACE PROPOSALRunning head.docx
CYBER PEACE PROPOSALRunning head.docxalanrgibson41217
 
National cyber security strategies
National cyber security strategiesNational cyber security strategies
National cyber security strategiesjcp88600
 
Week 10 Discussion Information Security and Digital Crime and .docx
 Week 10 Discussion Information Security and Digital Crime and .docx Week 10 Discussion Information Security and Digital Crime and .docx
Week 10 Discussion Information Security and Digital Crime and .docxaryan532920
 
Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...
Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...
Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...Metamorphosis
 

Similar a How Estonia is helping to shape cyber resilience (20)

CTO Cyber Security Conference Key Note Address by UK Security Minister
CTO Cyber Security Conference Key Note Address by UK Security MinisterCTO Cyber Security Conference Key Note Address by UK Security Minister
CTO Cyber Security Conference Key Note Address by UK Security Minister
 
Internet Safety
Internet SafetyInternet Safety
Internet Safety
 
The National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through CooperationThe National Cyber Security Strategy: Success Through Cooperation
The National Cyber Security Strategy: Success Through Cooperation
 
Cyber security issue part b
Cyber security issue  part b Cyber security issue  part b
Cyber security issue part b
 
CybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINTCybersecurityTFReport2016 PRINT
CybersecurityTFReport2016 PRINT
 
Welcome Address by H.E Tifatul Sembiring Minister for Communication and Infor...
Welcome Address by H.E Tifatul Sembiring Minister for Communication and Infor...Welcome Address by H.E Tifatul Sembiring Minister for Communication and Infor...
Welcome Address by H.E Tifatul Sembiring Minister for Communication and Infor...
 
Cyber
CyberCyber
Cyber
 
Security in a Mobile World
Security in a Mobile WorldSecurity in a Mobile World
Security in a Mobile World
 
Global Partnership Key to Cyber Security
Global Partnership Key to Cyber SecurityGlobal Partnership Key to Cyber Security
Global Partnership Key to Cyber Security
 
Cyber2
Cyber2Cyber2
Cyber2
 
Guideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital EconomyGuideline Thailand Cybersecure Strate Digital Economy
Guideline Thailand Cybersecure Strate Digital Economy
 
Input on threat images against information society
Input on threat images against information societyInput on threat images against information society
Input on threat images against information society
 
Module 7.pdf
Module 7.pdfModule 7.pdf
Module 7.pdf
 
Module 7 Cyber Laws and Forensic
Module 7 Cyber Laws and ForensicModule 7 Cyber Laws and Forensic
Module 7 Cyber Laws and Forensic
 
Cyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri LankaCyber security , an Analysis of State Security in Sri Lanka
Cyber security , an Analysis of State Security in Sri Lanka
 
CYBER PEACE PROPOSALRunning head.docx
CYBER PEACE PROPOSALRunning head.docxCYBER PEACE PROPOSALRunning head.docx
CYBER PEACE PROPOSALRunning head.docx
 
National cyber security strategies
National cyber security strategiesNational cyber security strategies
National cyber security strategies
 
Pt08 19 final1
Pt08 19 final1Pt08 19 final1
Pt08 19 final1
 
Week 10 Discussion Information Security and Digital Crime and .docx
 Week 10 Discussion Information Security and Digital Crime and .docx Week 10 Discussion Information Security and Digital Crime and .docx
Week 10 Discussion Information Security and Digital Crime and .docx
 
Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...
Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...
Information Security Initiative (ISI) by Mr. Ljubomir Trajkovski, Trajkovski ...
 

How Estonia is helping to shape cyber resilience

  • 1. How Estonia is helping to shape cyber resilience Ahead of Cyber Defence and Network Security 2012, we spoke with Heli Tiirmaa- Klaar, Senior Advisor to the Undersecretary at the Estonian MoD, about the pioneering work that Estonia has contributed to global cyber security measures. Heli provides insight into the progress being made in regards to developing cyber policy, an integrated CERT team, and the underlying issue of improving cyber forensics to ensure future accuracy when it comes to identifying the source of a network attack. Defence IQ: Heli, welcome to the session. HTK: Thank you. Hello. Defence IQ: We appreciate your time. It is, I would say, vital to have input from a representative from Estonia, given its recent experience and its work in the cyber domain. We'll get to that in just a moment, but first let's start with a slightly broader look at Europe, as a whole. Now, you're a Policy Maker, and traditionally the European Union has had no firm policy for dealing with cyber attacks. Can I ask, why is it taking so long for this to come about? HTK: Well, in order to answer the question, you probably have to listen to some lessons about how the European Union is built up. The European Union has many different policy areas that already have initiatives in the cyber security field, notably to fight cyber crime, and a new legislation there, which is now proposed. Then we will have some more initiatives from critical information infrastructure protection, and right now the European Union has the policy on critical information infrastructure protection, and also the network and information security field is covered by the European Union. There is an agency, ENISA (European Network and Information Security Agency), that takes care of the information security issues for member states and for the institutions. 
The new European CERT (Computer Emergency Response Team) will be formed soon, and so let's just say the European Union is a very large organisation, and it probably just takes time, in such a large organisation, to mobilise the attention and resources – but once it is mobilised, it will hopefully be very efficient. Defence IQ: Yes, and it’s obviously not an area that you would want to rush. I imagine there's no concrete timeline for that completion?
  • 2. “It's everywhere. HTK: Well, yes, and then there is the new And in order to get the European Internal Action Service, which is a very new institution still, and probably it just full picture of what is takes some time before all the players in the going on, international European Union find their own specific role in coordination and cyber field, and once they have found it, cooperation is the key.” they start to coordinate it and so we will have some results maybe in a few years’ time. Defence IQ: Well, we'll actually be speaking directly with that action service very soon, in this podcast series. Now, just moving on from there, without going into detail over the events in Estonia back in 2007 – as it's well-trodden ground – let's simply look at the aftermath, if we can. What were the lessons, Heli, taken from this incident, and how has Estonia since emerged as a pioneer in the realm of cyber defence? HTK: Well, the first lesson, probably, for all countries was that no country can really these days fight alone. So in order to be efficient you should have vast coordination networks – international coordination networks. International organisations should have their networks in other international organisations, and the information in cyber threats is not only in one domain. It’s not only in cyber crime. It's not only in military services. It’s not only in police. It's everywhere. And in order to get the full picture of what is going on, international coordination and cooperation is the key. So that’s one lesson. And the other lesson of course is that in one nation, the nation has to have a very viable cyber security system, with public/private partnership, with necessary policies and organisation, and with necessary interagency coordination. So all those elements have been strengthened, in Estonia, and this has been my direct responsibility in the last three years, to advance that system, and I'm happy that it’s been done. 
Defence IQ: So Estonia has shone a light on this need, and you're saying that progress has been made, but do you believe that it will take a similar large scale incident in those other nations, for international forces to move as swiftly with their own national cyber policies, or their cyber procurements, or indeed their cyber countermeasures? HTK: I think some nations already have been doing quite many useful efforts, and it’s just sometimes the issue of the size of the country, and also the different institutions in different larger countries have very clear mandates, and it’s sometimes hard to coordinate who is doing what, and it takes just time before they get their act together. But I think there is a learning curve probably for every nation in cyber… let's say cyber defence or a cyber security system… and every nation probably will reach that point of maturity at some point. Just in some smaller nations it’s easier to reach it early, and in larger nations, it take more effort and political attention and resources as well, because the targets are not only the governmental sites, or not only the
  • 3. military. It’s civilian national infrastructure; it's everybody, basically. So the more targets you have in a nation, the more work you need to do, and then it’s about the awareness process, it's about the interagency coordination, and how the political elite of the country is seeing the issue, and whether it pays attention to this issue or not, so it’s still very varying in Europe, I would say. Defence IQ: Yes, that's a good point, and it does raise that issue of the level of seriousness that cyber attacks can pose. On that note, do you think it's time to begin treating cyber attacks in the same way that we would perhaps treat conventional attacks on a nation’s soil? I understand that Estonia has been one of the most vocal on this subject, so aside to the official stance, what should we be considering when we look at this argument? HTK: Cyber attacks can be dangerous, but most of the cyber attacks are nuisance or disruption, and it depends very much on the nature of the cyber attacks, what we talk about and the consequences. If the consequences of cyber attacks are serious enough, it could trigger very serious political response, but no country in the world has predetermined the response so far, and no country in the world has said that cyber attacks can trigger armed attack response definitely. So I think this strategic ambiguity, how the attacks will be responded, should remain, in order to deter some of the terrorist groups and some of the non-state actors to go over certain borders. But the hope is that the rational actors, the nation states, the players in the international arena, actually know what they are doing if they employ the cyber tools, and for that we have international law that could be employed, in order to restrict nation states to launch very serious cyber attacks against other nation states. We have the rules of engagement in war, we have the law of armed conflict. 
So these laws have to apply also in case of cyber conflict, in order to restrict the unlawful launch of attacks in cyber space. Additionally we should build these norms for arrangements and mechanisms in the international arena, notably confidence-building measures, for instance, that would reduce risk and create transparency between the countries. We could also think of developing general norms of behaviour for nation states in cyberspace, to have a type of ‘soft law’, what is recommended and what is not recommended. Because of the real time attribution issue in cyberspace, it's hard to set a new cyber law. We have actually one very good cyber law existing, which is the ‘Council of Europe Convention on Cyber Crime.’ This is more a law enforcement focused document, but it sets the very clear principles on what a country itself has to do in order to fight with organised cyber crime, and how the penalties have to be applied, and then how international cooperation should be carried out in investigating cyber incidents. So all these instruments, actually, what we already have in international law, should be applied. Plus there should be additional confidence building measures in order to enhance the possibility of perception of states in crisis situation, because the risk is that some non-state actors would appear to be attacking another state, and could be masked [to appear as] as state actors – and for that reason you should have some arrangements between the states how we can reduce that kind of misperception threat in very serious cyber conflicts.

Defence IQ: You raised several excellent points there, but probably the one there at the end, which I imagine is even more of an issue than measuring the seriousness of a threat is in the identification of the source of that threat. How would we perhaps begin to make proper steps towards those arrangements, as you called them, in determining the source of an attack, whether it's state or non-state? Is there a way that we can physically do it? And would that be the lynchpin problem that's underlying this whole puzzle?

HTK: Yes, it’s possible to do it, but it’s not possible to do it in real time. This is very sure. It’s possible to track the traces of a cyber attack later on, after the incident. But in order to respond in real time, or in a short time, sometimes this short time response is also needed. So then the identity of the attacker could be hidden, and therefore, well, in order to diminish the risk of misattributing the attack, we should have those more political measures. But as for the attribution issue, I think that this is not a mystery, and it's overestimated, and we, in the area of counter-terrorism, have the principle that the country is responsible for investigating and cooperating, in order to track down terrorist activity on its territory. In cyberspace we could apply the same kind of logic that we have to take the nation states first to be responsible for all sorts of malicious cyber activity on the territory, and with this nation state responsibility, we can go on setting some norms, how nation states have to be investigating the cyber incidents, how they have to build up the law enforcement capabilities, and how they have to progress in their cyberspace monitoring and forensics and analysis capabilities.
This is kind of a law enforcement issue in the end, not so much military, actually, because the cyber actors, most of them are in the civilian domain. Either they are sometimes used by the countries, or they carry out some state sponsored activities, but they are still, in majority, in the civilian domain right now.

Defence IQ: I see. It will be interesting to see whether the development of the cyber forensics field will evolve in the same sort of way that we've seen the conventional criminal forensics evolve, throughout the 20th century. I imagine there’ll be a lot more emphasis on that, and we'll see some interesting things come of it soon. To move on, I'd like to ask, just going back, right to the start of the discussion, where you mentioned the combined CERT initiative currently looking to be developed this year, I believe. Can I ask how is that intended to impact the current pre-existing CERT teams within the EU, or indeed any other cyber command currently involved in this domain?

HTK: Yes. EU CERT is supposed to be guarding the EU’s own institutions. It’s not the CERT for the whole of Europe, so every country still has to have its national CERT, and these national CERTs in each European country actually are coordinating with each other already. They are having exercises, and any
European network and information security agency is taking care of this pan European exercise initiative with national EU CERTs or CERTs from the EU countries. So the CERTs for EU institutions themselves are just needed in order to protect the information possessed by those [specific] EU institutions themselves. So that's long overdue!

Defence IQ: We will keep an eye on that as it develops. It's recommended that we develop offensive cyber capabilities in order to fully round out our cyber defence, at least in the words of some of the experts that we've spoken to recently. What are the policy or legal implications inherent to this theoretical approach?

HTK: The offensive cyber capabilities are kind of buzzwords or catchwords, and it’s probably also promoted by defence industry that we need really those offensive capabilities. In fact, what we actually need maybe more is awareness raising and prevention of cyber problems. You might be aware that 80% of the breaches in organisations come from human negligence, not from outside attackers.

Defence IQ: Right.

HTK: So there are much more serious issues with, let's say, organisational cyber security than the attackers from outside. It’s just that those serious issues don’t get headlines. Like somebody who had been negligent doesn’t make a good headline. If somebody had attacked an organisation it makes a good headline. So therefore I think it’s much more complex issue, and it would be wrong to think that if we only had more offensive capabilities, the issues will be solved. It's not like the conventional military issue. It's much more complex. Therefore I don’t… I am not a believer…

Defence IQ: You're not a proponent?

HTK: … that offensive capabilities will solve all the issues. No, they don’t solve the issue. They might help something, in general, maybe a strategic picture, but as for the national level cyber security, you need a lot more attention going to preventive side.

Defence IQ: Yes.
Change from within, in other words.

HTK: Yes.

Defence IQ: Okay. As we're looking towards India, obviously another non-EU ally, now beginning to develop and enhance their cyber resilience capabilities, how do you anticipate that this will affect Estonia or the EU, or indeed the global cyber domain? Will there be, would you say, many new challenges to face with this rapid increase of militarised investment?

HTK: Well as I said, you cannot militarise it. The domain cannot be militarised because it's not meant to be a military domain. It's being militarised because of the side effects of not having security built in, in the cyber domain. This is the issue that we have in the cyber domain. In aviation we have security built in, but in cyber we don’t, and let's say the industry doesn’t help either much because the software, which is developed, seems to be pretty weak, full of vulnerabilities, and so probably we will have many checks going on in the future. As for the countries outside Europe, and what they are doing, if they raised their own resilience, and if they enhanced their own capabilities, especially law enforcement capabilities, to take responsibility on what is going on, on their cyber, and in their cyber space, on their territory, this is a great help for all the world, because the cyber crime that comes from the countries, which do not have advanced law enforcement capabilities and legislation is the most serious threat – not the militarised cyberspace, but those, let's say on organised crime civilian actors that use the territories, which cannot govern themselves, in order to launch attacks towards European countries or North America. So this is the major problem, not the nation states having some military capabilities. And nation states supposedly are more rational, and they don’t use these capabilities unless there is a political reason, but cyber crime guys, they are around, and they use every opportunity to attack banks and economic actors, in order to make money. So this is the real problem there.

Defence IQ: Okay, well, in those efforts to foster partnerships and to continue to maintain the real dialogue on the issues, we're very much looking forward to seeing you at the cyber defence series, Heli. Thank you very much for your input today.

HTK: Thank you.

Defence IQ: Thank you.

Cyber Defence and Network Security 2012 takes place in London this coming January.
More information and booking forms: www.CDANS.org
Email: enquire@defenceiq.com
Tel: +44 (0) 207 368 9334