Showing posts with label EU. Show all posts

Sunday, July 19, 2009

Cybersecurity: Senate bill would make international cooperation a priority

The US and EU are both moving in the direction of international cooperation. On the 30th of March 2009, the European Commission Directorate General Information Society and Media released a communication on Critical Information Infrastructure Protection. Below you will find an article about the new US legislation proposal, introduced on July 10.

Apart from the declarations, we need to define the building blocks of international cooperation. In particular:
a. Research funds that can be obtained by international consortia (all US and EU funds are restricted to US or EU members)
b. Cooperation legislation framework: a new legislation framework should be defined in order to allow exchange of data (data sets for researchers), information sharing (threats, vulnerabilities, incidents) and information exchanges between operators and government agencies from the same sectors
c. Establish clear points of contact and responsibilities: who do you contact in the US or EU in case of incidents/attacks
d. Exercises and simulations

(FederalComputerWeek) A new Senate bill would encourage the secretary of state to work with other governments to further cooperation on cybersecurity and would require the secretary to submit a report to Congress about those efforts.

The legislation, introduced by Sen. Kirsten Gillibrand (D-N.Y.) on July 10, states the secretary should work with other governments to:

  • Develop cooperative activities.
  • Encourage international cooperation for improving cybersecurity.
  • Develop safeguards for privacy, freedom of speech and commercial transactions to be included in agreements or other cybersecurity activities.

The bill would require the secretary to submit a detailed report to congressional committees about actions taken to meet these goals in 270 days of the legislation’s enactment.

“Relevant international cybersecurity agreements focus only on issues relating to cyber crime and common operating standards, and have not been signed by certain countries from which cyberattacks may be launched,” the bill states.

The Obama administration’s cyberspace policy review, released in May, also emphasized the need for international cooperation to secure cyberspace.

"International norms are critical to establishing a secure and thriving digital infrastructure," the policy review states. "The United States needs to develop a strategy designed to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force."

The review recommended that the government develop positions for an international cybersecurity policy framework and strengthen its international partnerships related to cybersecurity.



Wednesday, July 15, 2009

UK Cyber-security strategy launched

(BBC)

Britons face a growing online threat from criminals, terrorists and hostile states, according to the UK's first cyber security strategy.

Businesses, government and ordinary people are all at risk, it says.

The strategy has been published alongside an updated, wider National Security Strategy.

Its publication is a sign of the growing recognition within government of the need to bolster defences against a growing threat.

In line with a wider focus within the National Security Strategy on not just protecting the state but also citizens, the cyber-strategy encompasses protecting individuals from forms of fraud, identity theft and e-crime committed using technology as well as defending government secrets and businesses.

'Attack capability'

Launching the strategy, cyber security minister Lord West said: "We know that various state actors are very interested in cyber warfare. The terrorist aspect of this is the least (concern), but it is developing."

He warned that future targets could include key businesses, the national power grid, financial markets and Whitehall departments.

He said: "We know terrorists use the internet for radicalisation and things like that at the moment, but there is a fear they will move down that path (of cyber attacks).

"As their ability to use the web and the net grows, there will be more opportunity for these attacks."

He confirmed that the UK government has already faced cyber attacks from foreign states such as Russia and China.

But he denied that hackers had successfully broken into government systems and stolen secret information.

He also said he could not deny that the government had its own online attack capability, but he refused to say whether it had ever been used.

"It would be silly to say that we don't have any capability to do offensive work from Cheltenham, and I don't think I should say any more than that."

'Missed opportunity'

Among those the government has turned to for help on cyber crime are former illegal hackers, Lord West added.

He said the government listening post GCHQ at Cheltenham had not employed any "ultra, ultra criminals" but needed the expertise of former "naughty boys".

"You need youngsters who are deep into this stuff... If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys," he said.

Dame Pauline Neville-Jones, for the Conservatives, called the strategy a "missed opportunity".

"It is impossible to know how significant these announcements are because we do not know what funding will be made available to enhance our ability to tackle cyber threats. It is also not clear how these new cyber security structures fit into the existing national security machinery."

Her colleague in the Commons, Crispin Blunt, called it a "pale imitation" of an initiative launched by US President Barack Obama.

Lib Dem home affairs spokesman Tom Brake said: "This new cyber security strategy could lead to an extension of the Government's invasive counter-terrorism powers which already pose significant threats to our civil liberties.

"The cyber security strategy uses broad, undefined terms that risk creating panic among the public and a demand for further government powers. We must not retreat into a Cold War mentality."

'Forensics'

Officials said e-crime is estimated to cost the UK several billion pounds a year.

Two new bodies will be established in the coming months as part of the strategy.

A dedicated Office of Cyber Security in the Cabinet Office will co-ordinate policy across government and look at legal and ethical issues as well as relations with other countries.

The second body will be a new Cyber Security Operations Centre (CSOC) based at GCHQ.

This will bring people together from across government and from outside to get a better handle on cyber security issues and work out how to better protect the country, providing advice and information about the risks.

"CSOC's aim will be to identify in real time what type of cyber attacks are taking place, where they come from and what can be done to stop them", according to a Whitehall security official.

Experts say the "forensics" of detecting who is behind a cyber attack and attributing responsibility remains extremely difficult.

Officials said it would require input from those who had their own expertise in hackers. "We need youngsters," an official said.

The range of potentially hostile cyber activity - from other states seeking to carry out espionage through criminal gangs to terrorists - is daunting.

Critical information

At one end of the spectrum, military operations - such as Russia's conflict with Georgia last year - are now accompanied by attacks on computer systems.

The UK's critical national infrastructure is also more reliant on technology than it was even five years ago and terrorists who have used the internet for fundraising and propaganda are also believed to have the intent - if not yet the capability - to carry out their own cyber-attacks.

Officials declined to give a figure of how many attacks on government computer networks take place each day.

In a speech in 2007, the head of MI5, Jonathan Evans, explicitly mentioned Russia and China in the context of a warning that "a number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense. They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks."

Officials said they were not aware of any "key pieces of information" that had gone missing yet but said that British companies had lost critical information.

The new Cyber Security Operations Centre will work closely with the designated parts of the critical national infrastructure and wider industry and officials say that businesses are keen for the government to take a lead but also share as much information as possible.

US President Barack Obama has been carrying out a similar re-organisation for defending US computer networks and British officials said the two countries were co-ordinating closely not least because of the intimate relationship between GCHQ and its US equivalent.

British officials believe that their government systems may also have fewer vulnerabilities than their US counterparts partly because they moved online later and have fewer connections between the internal government system and the rest of cyberspace to monitor.

Officials in the US and UK are also thought to be working on forms of offensive cyber-warfare capability but officials are unwilling to go into any details of what this might involve.



Wednesday, March 11, 2009

Estonia attack: Russia admission...?

I spent a lot of time reading and studying what happened in Estonia with the famous attack. A few days after, I flew to Tallinn (what a beautiful city!!!) to meet with officials and people involved in defending the country from the cyberattack. Everyone had this question: was Russia behind the attack? Only a hypothesis, until now....

(From Betanews) A Russian official speaking on an infowar panel last week revealed that his assistant was responsible for the 2007 cyber-attacks that crippled the nation of Estonia. The only person surprised was Nargiz Asadova, the moderator of the discussion.

Sadly, the statement by Sergei Markov, an official from the pro-Kremlin Unified Russia party, has garnered only mild interest in the general press. (Almost no one I queried Tuesday even remembered the attacks, which knee-capped financial and government institutions as well as the nation's Internet traffic. It was started over the proposed relocation of a statue. Seriously.) Markov claimed that the assistant, whom he refused to name lest it imperil the man's visa applications, undertook the act as a patriotic gesture against perceived fascism (in, again, the relocation of a statue).



Tuesday, January 13, 2009

EU Information Sharing legislation proposal

The legislation proposal on Information Sharing (CIWIN - Critical Infrastructure Warning Information Network), intended to enable the sharing of information to better protect European critical infrastructures, will be discussed at the next Justice and Home Office council, Luxembourg, 4th and 5th of June 2009.

You can find the agenda of the meeting here: http://www.consilium.europa.eu/ueDocs/cms_Data/docs/pressdata/en/fc/105067.pdf

Tuesday, January 6, 2009

EU: New "Directive on the Identification and Designation of European Critical Infrastructure"

On the 23rd of December 2008, the European Union published in the "Official Journal" the new "Directive on the Identification and Designation of European Critical Infrastructure (ECI) and the assessment of the need to improve their protection" - COUNCIL DIRECTIVE 2008/114/EC.

The directive is available on Eur-Lex.




Tuesday, December 16, 2008

EU Information Sharing Legislation Proposal - CIWIN (Critical Infrastructure Warning Information Network)


The proposal for European legislation on Information Sharing is now available on the European Parliament web site.

The document can be accessed here

This legislation proposal is part of the European Program for Critical Infrastructure Protection (EPCIP) and its aim is to support the Critical Infrastructure Warning Information Network (CIWIN), a prototype developed by the European Commission in 2007. 



Thursday, July 17, 2008

The security of energy, water, telecommunications and other vital European infrastructures is set to be strengthened by a new international project no

The pan-European 'Design of an Interoperable European federated Simulation network for critical Infrastructures' (DIESIS) project will develop advanced computer modelling and simulations to find and test points of vulnerability in these infrastructures, and develop ways to address them.
Europe's critical infrastructures, such as transport systems, gas lines, electricity supplies and communications, are becoming increasingly interdependent.

This makes understanding the complex relationships between them important because a breakdown in one can spark severe disruptions across many others, potentially affecting millions of people.

These failures can also spread quickly across many different countries, as happened in November 2006 when 13 countries including France, Italy, Germany, Portugal and Morocco lost electricity supplies after a high-voltage power line in Germany was temporarily shut without proper preparations.
Similarly, in 2002 Cyclone Ilse caused 12 billion euros of damage after flooding disrupted electricity, water supplies and waste water systems across regions of Germany, Austria and the Czech Republic.
Unravelling the complex interactions and interdependencies of cross-European infrastructures demands highly developed simulation tools. While simulators currently exist for certain infrastructures, none are capable of simulating the interaction of multiple interdependent systems. This severely limits how effectively nations can prepare for and respond to threats to their infrastructures ranging from natural disasters and IT failures to human error and acts of terrorism.
DIESIS aims to tackle this by developing advanced computer models and simulators that can test the robustness of these interdependent infrastructures, identifying weak spots where a failure in one could begin a catastrophic domino effect.
Professor Erol Gelenbe of Imperial College London's Department of Electrical and Electronic Engineering, one of the leaders of DIESIS, explains:
"Systems have weak spots and when they go down the costs and impact on people's lives are huge. These are highly complicated systems in their own right, so understanding the many ways in which they interrelate requires extremely complex modelling. Our aim is to come up with a simulation facility for constant study that can find weaknesses in systems and address them."
The project will also tackle smaller failures, which may go largely unnoticed but are nevertheless costly. Professor Gelenbe adds:
"If the internet system in Westminster is down for an hour because it has been attacked by hackers it won't make the headlines but it's very expensive for government and business. Those kinds of attacks happen very frequently. This project will help to make our entire critical infrastructure much more secure."
DIESIS is funded by 1.5 million euros over two years by the European Union under the Seventh Framework Programme. It will carry out the initial work that will pave the way for the establishment of a European Infrastructures Simulation and Analysis Centre.
The project sees Imperial College London working with large European public sector research organisations, including the Fraunhofer-Institute for Intelligent Analysis and Information Systems, Germany, Consorzio Campano di Ricerca per l'Informatica e l'Automazione Industriale, Italy, Ente per le Nuove Tecnologie, l'Energia e l'Ambiente, Italy, and the Netherlands Organisation for Applied Scientific Research.
More information on DIESIS is available at http://www.diesis-eu.org/

Friday, June 27, 2008

EU: USB flash drives 'pose real security threat' ENISA

USB flash drives are being used to breach enterprise network security and install malicious code on corporate IT systems, a technology body has claimed. According to the European Network and Information Security Agency (ENISA), organisations allowing the unfettered use of such devices could be losing between 65,000 euros (£51,000) and 1.6 million euros (£1.3 million) for every security violation that is made. The agency, which shares best practices for minimising the risk of uncontrolled use of personal storage devices, also warned that as many as 90 per cent of the USB drives purchased by businesses last year were not encrypted or stored in secure locations. Andrea Pirotti, executive director of the ENISA, said: "The cost of a USB flash drive may be insignificant but the value of the data it might contain can be priceless. ENISA strongly encourages companies with highly regulated or sensitive data to better manage the use of 'plug-and-play' devices."

Tuesday, June 24, 2008

CIP Report - new International Issue

In this month's CIP Report, published by George Mason University School of Law, you will find an article I wrote on Protecting the Critical Infrastructure in Europe.
You can access the report on the GMU CIP website: http://cipp.gmu.edu
Or directly here

Saturday, June 14, 2008

EU states extend life of Internet security body | Technology | Reuters

"LUXEMBOURG (Reuters) - European Union telecoms ministers agreed on Thursday to extend the life of the bloc's Internet security watchdog by three years as threats to the Web increase.
The European Network and Information Security Agency (ENISA), a small body set up in 2004, was due to be closed down next year. But rising cyber-crime and attacks such as one suffered by EU member Estonia last year have triggered a rethink.
The bloc's 27 telecoms industry ministers, meeting in Luxembourg, agreed a three-year reprieve until 2012 to give time to decide how to take Greek-based ENISA forward.
The European Parliament is set to formally endorse the move next week.
ENISA's executive director, Andrea Pirotti, said network security was crucial for the European economy, which increasingly depends on a trouble-free Internet.
'The need for secure networks, systems and services will certainly not suddenly disappear in 2012,' Pirotti said in a statement.
'Network and information security touches business and the daily lives of citizens in Europe. It consequently needs constant reinforcement to keep up with the evolving threats landscape,' Pirotti said.
With an annual budget of 8 million euros and fewer than 50 staff, ENISA had no remit or resources to deal with cyber attacks like that experienced by Estonia last year, when the Baltic state accused Russia of causing government websites to crash."

Tuesday, June 10, 2008

ISN Publishing House: Energy Security of the European Union

This paper, published by the Centre for Strategic Studies (CSS) at ETH Zurich, describes how energy security has become an important policy area for the EU. However, forging and implementing a common energy policy has proven to be difficult. The author states that because the national energy mix and energy policies vary widely, the EU member-states have struggled to agree on common priorities and specific measures. The paper explains that while some progress has been made in the field of sustainability, the realization of a common energy market and of a common external energy policy to secure supplies remains particularly challenging.