Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror
Tim Legrand and Jeff Malone

Of Citadels And Sentinels: State Strategies For Contesting Cyber …repository.jeffmalone.org/files/personal/Research and... · 2012-12-16 · critical infrastructure • Since the


Page 1

Of Citadels And Sentinels: State Strategies For Contesting Cyber-terror

Tim Legrand and Jeff Malone

Page 2

4 key issues and challenges

1. A cyber architecture designed for efficiency, not security

2. Private ownership/operation of critical infrastructure

3. Evolving and ambiguous threats

4. Changing use of and reliance on the cyber realm

Page 3

1. A cyber architecture designed for efficiency, not security

• The internet and ‘cyber-structure’ have evolved anarchically:

– Development of the cyber realm occurred beyond the control of governments

– Digital architecture designed by private/social entities to increase efficiency, not security

Page 4

2. Private ownership/operation of critical infrastructure

• Since the 1980s, under the purview of New Public Management, critical national infrastructure has gradually moved into private operation and ownership:

– UK: ~80% of critical infrastructure owned/operated privately

– US: ~85% to 90% of critical infrastructure owned/operated privately

– Australia: ~80% of critical infrastructure owned/operated privately

Page 5

3. Evolving and ambiguous threats

• The architecture of the cyber realm makes threat origins difficult to discern:

– State-sponsored/state-endorsed cyber attacks increasing in frequency

– Issue-motivated groups growing in technical sophistication

– Spectre of cyberterrorism growing with calls for ‘cyber-Jihad’

Page 6

4. Changing use of and reliance on the cyber realm

• Gradual transfer of data and digital services into the cloud

– Allows for greater efficiency and scalability

– Sovereign ownership/control of data

• Increased uptake of and access to the internet in Australia and worldwide

• National Broadband Network (NBN) and the digital economy

Page 7

New Public Management

• Era of privatisation: 1980s

– Sell-off of critical infrastructure

– Coincided with the development of networked interoperability

– Onus of responsibility now placed in the corporate sphere

– Cyberspace constructed anarchically: no central direction (yet highly resilient and redundant), characterised by an increasing push towards efficiency in data access/interchange

Page 8

Critical Infrastructure Sector Matrix

Overlapping and interdependent critical infrastructure/essential services

• Communications (Data Communications, Fixed Voice Communications, Mail, Public Information, Wireless Communications),

• Emergency Services (Ambulance, Fire and Rescue, Coastguard, Police),

• Energy (Electricity, Natural Gas, Petroleum),

• Finance (Asset Management, Financial Facilities, Investment Banking, Markets, Retail Banking),

• Food (Produce, Import, Process, Distribute, Retail),

• Government and Public Services (Central, Regional, and Local Government; Parliaments and Legislatures; Justice; National Security),

• Public Safety (Chemical, Biological, Radiological, and Nuclear (CBRN) Terrorism; Crowds and Mass Events),

• Health (Health Care, Public Health),

• Transport (Air, Marine, Rail, Road),

• Water (Mains Water, Sewerage).

Page 9

The ambiguous, yet gathering, storm

• “All these different groups – criminals, terrorists, foreign intelligence services and militaries – are active today against the UK’s interests in cyberspace. But with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred” (UK Cyber Security Strategy, 2011)

Page 10

The cyber-terror threat

• “Cyberspace is already used by terrorists to spread propaganda, radicalise potential supporters, raise funds, communicate and plan. While terrorists can be expected to continue to favour high-profile physical attacks, the threat that they might also use cyberspace to facilitate or to mount attacks against the UK is growing. We judge that it will continue to do so, especially if terrorists believe that our national infrastructure may be vulnerable” (UK Cyber Security Strategy)

Page 11

Government strategy (UK)

• In the 2010 Strategic Defence and Security Review the Government put in place a £650 million, four-year National Cyber Security Programme (NCSP)

• Managed by the Office of Cyber Security and Information Assurance in the Cabinet Office

• UK Cyber Security Strategy (2011)

Page 12

Government strategy (Australia)

• E-Security National Agenda(s) promulgated in 2001 and 2008

• Cyber Security Strategy 2009

• Defence White Paper 2009

• Critical Infrastructure Resilience Strategy 2010

• Cyber White Paper 2012 (to be released)

Page 13

Issues in delivering cyber protection

“The digital architecture on which we now rely was built to be efficient and interoperable. When the internet first started to grow, security was less of a consideration” (UK Cyber Security Strategy)

• AMBIGUITY AND THE RISK-BASED APPROACH: “We will therefore apply a risk-based approach to prioritising our response”.

• LIMITED CAPACITY: “Government cannot act alone. It must recognise the limits of its competence in cyberspace. Much of the infrastructure we need to protect is owned and operated by the private sector”

• TRANSNATIONAL COLLABORATION: “Threats are cross-border. Not all the infrastructure on which we rely is UK-based. So the UK cannot make all the progress it needs to on its own. We will seek partnership with other countries that share our views, and reach out where we can to those who do not”

• CLOUD COMPUTING VECTOR: increased reliance on cloud computing; rollout of online public services based in the cloud next year.

Page 14

Public-private cyber security (UK)

• CPNI hosts Information Exchanges (general intelligence) and Warning, Advice and Reporting Points (WARPs) (specific)

– Also hosts the Combined Security Incident Response Team (CSIRTUK), which works with the private sector to identify and manage cyber-threats

• GCHQ advises the public sector via the Communications-Electronics Security Group (CESG), which runs GovCertUK (emergency response)

– Single Intelligence Account: 59% of the £650m NCSP, building cross-cutting capabilities, including Information Assurance; will ‘strengthen and upgrade the sovereign capability the UK needs to confront the high-end threat’

Page 15

Public-private cyber security (Australia)

• AGD (Attorney-General’s Department) hosts the TISN (Trusted Information Sharing Network) arrangements, enabling information sharing and the development of good-practice guidance (via sectoral groups, ITSEAG and the SCADA COI)

– Also hosts CERT Australia, which assists CI owners with response

• DSD (Defence Signals Directorate) advises the public sector via the CSOC (Cyber Security Operations Centre)

– Hosted by DSD, but integrates activities undertaken by other agencies (AFP, ASIO)

Page 16

Threat to the individual

• Direct threat to individuals: criminal groups (actual); cyber-based sabotage of physical architecture causing physical harm (potential)

• Indirect threat: disruption of key public services and/or utilities (actual/potential)

• Exploitation: botnets (actual)

• Response: educating individuals on staying safe online

Page 17

Threat to cyber-communities

• Direct/indirect threat: government CT/IP legislation might restrict cyber-community interaction and freedoms

• Exploitation: exploitation of cyber-communities to foment criminal behaviour (cf. Darknet)

• Response: transnational agreements?

Page 18

Threat to commercial (non-CI) sector

• Direct threat: industrial espionage/IP theft (actual), criminal groups (actual)

• Indirect threat: disruption to commercial systems/loss of customer confidence

• Exploitation of commercial sector?

• Response: development of TISN (Aus) & CSIRTUK, Cleanfeed (IP)

Page 19

Threat to commercial (CI) sector

• Direct: attacks on SCADA systems/disabling of critical elements

• Indirect: exploitation of CI in the commission of a physical attack/loss of government contracts (for non-compliance)

• Responses: sovereign responses, international agreements

Page 20

Threat to the state

• Direct: state-sponsored attacks/cyber espionage/cyber warfare

• Indirect: loss of dominion/state revenues associated with a diminished cyber-economy

• Exploitation of the state: ?

• Response: sovereign institutions/transnational agreements

Page 21

Policy dilemmas

• Reliance on a digital architecture, designed for efficiency, that is clearly not fit for purpose

• Simultaneously diffuse and aggregated cyber-threats

• Much critical infrastructure is overseas and thus beyond the traditional power of the state to intervene/influence

• Tensions between public and private imperatives in cyber security

• Inherent difficulty in establishing metrics – and collecting good data – to evaluate the effectiveness of policy