Key players, including public bodies, need to take a proactive approach and lead the way in adopting a responsible behaviour to tackle cyber security challenges, according to a report by The Kosciuszko Institute.
The report is based on recommendations by more than 150 experts and decision makers during the 4th European CyberSec Forum in Krakow in October 2018, which is organised by the Kosciuszko Institute, a non-governmental R&D non-profit organisation.
“Our distinguished speakers spoke with one voice – we need trust, we need tools to provide it and we need to be agile and less hesitant to act,” said Joanna Świątkowska, CyberSec programme director.
“The recommendations are aimed at decision-makers and cyber security stakeholders to take bold measures to ensure a safe cyber space,” she said.
1. Cyber security can and must be strengthened through public procurements
Countries should include security criteria in procurements for the basic IT infrastructure, and price should not be a decisive factor, according to experts who spoke at the conference.
They recommend that secure public procurements should carefully look at action plans, targets, specific procurements criteria, and specific certifications, to really help national procurement bodies tackle existing challenges.
It is also strongly recommended that public sector and public procurement bodies talk more to their IT security agencies and implement cyber security strategies through public procurements.
In particular, experts said the Three Seas countries should prepare specific investment plans and raise funds to implement projects in the digital pillar and that cyber security should be the cornerstone of every activity.
2. 5G development must be indispensably correlated with security activities
While developing 5G, the experts recommend that customer-oriented needs are never allowed to undermine the security aspects. Security and functionality need to be advancing in parallel, they said, underlining the security responsibilities of the producers of devices connected to the network.
The report said it is also necessary to increase the users’ awareness so that all users feel responsible for their behaviour when it comes to cyber hygiene.
“The user awareness is very important, but we have to remember, that the security of 5G will be in hands of those who own the infrastructure,” said Nikodem Bończa Tomaszewski, CEO of Exatel. “That’s why, in countries like Poland, the most important issue to resolve is how we are going to build this infrastructure.”
5G infrastructure operators and owners should build their business models on a public-private scheme that would increase trust and provide improved efficiency and security, the experts said.
Due to the 5G deployment infrastructure, the experts believe operators and owners will have the greatest impact on cyber security of the future. Therefore, the decision how and with whom to cooperate within the whole telecommunication value chain is absolutely crucial, they said.
3. States need to overcome the taboo, when it comes to the development of offensive capabilities
Regarding the usage of offensive tools for defensive purposes, more focus should be put on rules of engagement, political control, and legality, the experts said, noting that the nature of offensive cyber actions is unique and will require new areas of planning.
“It’s important to reiterate that, whatever states will do, must stay within the framework of international law,” said Marina Kaljurand, chair of the Global Commission on the Stability of Cyberspace, and former foreign affairs minister for Estonia.
“International law applies to cyber,” she said. “International law applies to offensive capabilities. No question, no doubt should be raised about that.”
Usage of offensive capabilities requires close analysis of potential consequences and collateral damages, the report said, as well as proportionality. Their deployment must be seen from the broad perspective of all cross-domain tools, according to the experts.
4. Securing the digital value chain should be embedded into the DNA of every activity in cyberspace
The concept of the security of the digital value chain is central to all activities in the area of cyber security, said Edna Conway, CSO, global value chain at Cisco Systems. “The value chain, certainly for the information and communications technology, is the end-to-end lifecycle of any solution, whether it’s software, or service, or hardware.”
The critical issue, the experts said, is to identify third parties upon which countries rely and to implement effective security requirements. While thinking about cyber security, the experts said countries need to look at the full spectrum of security, including physical, logical, operational, behavioural, information and technology security.
Private-public cooperation is the key, they said, highlighting the need to identify fundamental security requirements based on international solutions and to think globally rather than about regional or even country-specific solutions.
5. EU and NATO Member States should be more decisive in terms of cyber attribution
Attribution should be treated not only as a technical challenge, but also as a political one, the experts said, which requires more cross-domain approach.
“Attribution is something we’re doing increasingly,” said Ciaran Martin, CEO of the UK’s National Cyber Security Centre (NCSC). “It’s all about getting the evidence and finding ways to make it transparent, so it is possible to convince people who is behind certain cyber attacks.
“Attribution gives us information that we can give to our companies, our governmental organisations and the citizens. We can provide them with tools to protect themselves from future attacks,” he said.
Experts also recommended the development of the EU Cyber Diplomacy Toolbox, which is a framework for a joint EU diplomatic response to malicious cyber activities. One potential dimension for further action is to enhance community building, boost cooperation among entities that may contribute to attribution, including the private sector and non-EU states.
6. We need to change the approach towards cyber security from passive to active
Steps to increase the cyber security posture within organisations should be taken, no matter how small, the experts said. The report cites as an example, the UK National Cyber Security Centre’s Active Defence framework composed of a set of automated and free-to-implement measures which help organisations eliminate numerous cyber risks. Similar activities could be introduced around the world.
“Active Defence is about doing something – it’s about not being passive, not being inactive,” said NCSC chief Ciaran Martin. “It’s about fixing the technology, fixing the way data flows, stopping spoofing, about taking down bad websites, just to protect people automatically.”
7. Start looking at the labour market as a whole to safeguard the cyber security ecosystem
Secure development and maintenance are the launching pad for the vulnerability prevention and the safeguarding of the ecosystem, the experts said, identifying a need for more secure coders.
“The cyber security ecosystem consists of not just security researchers, but also bug fixers, and the folks who prevent the security incidents from happening and who write more secure code,” said Katie Moussouris, bug bounty pioneer and founder & CEO of Luta Security.
“So in order to ensure a global ecosystem, that is more secure, we need all players in this ecosystem, including security researchers to be welcome,” she said. “But not just to prevent security holes, but also find them and fix them, when they are missed in the initial process.”
8. Keep the future developments in mind when planning the methods of protecting your data
Entities must keep in mind that the encrypted data they store today might become readable in the foreseeable future due to the quantum developments, the experts said. There is no time like the present, they said, to begin to think about the various methods of protecting data against potential decrypting operations in the future.
The experts also encouraged Europe to speed up in building its own quantum machines, adding that as well as quantum hardware, there is a need to develop quantum software.
They also called for the creation and implementation of a European crypto policy that focuses on a lack of the proof of trust, updating older devices and older encryption methods in order to protect users, and setting standards for crypto agility within organisations
9. Highly reliable cloud solutions can significantly increase trust and security
“Trust is critical to everything that we're doing. We’re moving to the cloud computing age, when perhaps the idea of moving data to the third party servers might create questions about how these large data centres are protecting our data,” said Pablo Chavez, vice-president, global public policy and government relations at Google.
“We have the opportunity to demonstrate to our customers, that the data in the cloud is actually very secure, that it is under their control,” he said.
The experts note that while many companies cannot afford to hire employees with high cyber security expertise, cloud providers are capable of providing clients with secure solutions regarding data management.
The cloud often brings a better level of resilience, they said, citing an example of denial-of-service attacks that succeed poorly in cloud environments compared with an enterprise environment. The cloud also enables quicker patching conducted on the core infrastructure.
The report predicts that 2019 will be characterised by more complex and deceptive cyber security incidents and attacks.
“We will not win the competition with black hats unless we concentrate efforts of governments and companies on securing the world’s digital DNA,” said Izabela Albrycht, announcing the theme of the CyberSec Forum 2019 from 29-30 October.