International co-operation only way to protect critical infrastructure from cyber attack, warns OECD

Countries need to step up international co-operation to protect the critical national infrastructure against increasingly sophisticated cyber threats, the...

Countries need to step up international co-operation to protect the critical national infrastructure against increasingly sophisticated cyber threats, the Organisation for Economic Corporation and Development (OECD) has warned.

Nicholas Mansfield, an information security consultant with the OECD, who was worked on helping governments assess their readiness to defend against cyber attacks, said many threats were two big for single nations to deal with.

"What they need to do is co-operate across international boundaries on critical infrastructure protection," he said in an interview with Computer Weekly. "They need to share information about what is going on, and they need to share information on how they have dealt with attacks."

"All governments have the same concerns," he said. " The accession countries, like Russia, are saying, 'We are using Western equipment and we are worried about logic bombs in the hardware, and we are worried about cyber attacks from China.' Every country is grappling with cross border cyber threats."

But even the most developed countries have a long way to go to bolster their cyber defences, said Mansfield.

"The problem is that the socialisation of technology through the internet is growing faster than we can control it. It is not a sensible roll-out. Its like trying to catch a wild horse. You need to get someone to start doing the basics," he said.

One measure of how seriously countries take cyber defences is the level of seniority of ministers responsible for protecting each country's critical national infrastructure. In Russia, for example, president Vladimir Putin chairs the committee responsible for cyber defences. In South Korea, the prime minister is responsible. In the UK, responsibility for cyber defences lies with MI5.

In other countries, it can be the junior minister responsible for telecoms - an indication that cyber defence is low down on the political agenda.

Mansfield warned that there is an urgent need for governments to collaborate more closely with industry and business to combat cyber threats.

Studies by the OECD show that the willingness of governments to share information candidly with business varies greatly. The Netherlands and Japan have a good track record and Korea is excellent, said Mansfield. The UK tends to take the view that business should tell it everything, while government says nothing, he said.

"There are complex liability issues in some counties in some countries, such as the US. That is one reason there is not a lot of collaboration. The other is credibility. If you run infrastructure for government and it goes wrong, that can be a problem. In other countries you can't slip a piece of paper in the gap between government and industry," he said.

Mansfield was responsible for overseeing a major study for the OECD looking at the readiness of the US, Canada and Australia to protect their critical national infrastructure from cyber attacks, and for overseeing a series of follow up studies.

Among other issues, the work has highlighted the need for states to make international co-operation easier by publishing single points of contact for other states to contact in the event of a cross-border attack.

"If you are a foreign company providing electricity into a company and there is an infrastructure issue, you need to know where to go," he said. "We have urged governments to be very clear who does what when there are cross-border issues."

It is important, he said, to limit cross border collaboration to issues that are too big for one country to deal with.

"The subject area is too big. So we have to find a way to simplify it. We are not going to work on everything. At an international level we would say only issues that are beyond the capability of a single country."

The OECD study revealed that countries have very different views of which systems are critical. Japan, for example, regards the ticketing systems on the railways as critical - without it the Japanese transport system would grind to a halt.

The study, presented in Seoul, South Korea, has laid down high-level principles to help countries put in place a critical national infrastructure policy.

The recommendations give countries that have yet to adopt a strategy to protect their infrastructure a blueprint to work on, and have highlighted gaps in the approaches of other countries.

"When you analyse what governments are doing, they are doing things in one area or another to protect their infrastructure. Sometimes they arrive there themselves by accident. I have tried to make explicit a lot of what they are doing that is implicit," said Mansfield.

Whitepaper: The Open Group Architecture Framework and the US Department of Defense Architecture Framework >>

Read more on IT risk management