Discussion on Information Assurance topics, sharing approaches, best practices, new ideas, and events.
EU and cyber-security
June 9, 2009 at 1:29 pm #73699
This paper examines Cyber-Security and Politically, Socially and Religiously Motivated Cyber-Attacks, focusing on the European Union as an international organisation with a fragmented yet developing interest in cyber-security. The paper is presented in three parts.
Part 1 assesses the source and nature of cyber threats.
Society’s increasing dependence on Information and Communications Technology (ICT) infrastructure creates vulnerabilities and corresponding opportunities to be exploited by the unscrupulous, ranging from low-level, individual computer hacking to serious and organised crime, ideological and political extremism, and state-sponsored cyber attacks such as those perpetrated against Estonia in 2007. ICT also has an important enabling function in each of these cases. The Internet seems to fit the requirements of ideological and political extremists particularly well, and governments can only expect the ‘ungoverned space’ of the global ICT infrastructure to be ever more closely contested. At the level of states and governments, it is clear that in some quarters the Internet is becoming viewed as a battlefield where conflict can be won or lost. The threats can inter-connect when circumstances demand – terrorist groups, for example, can be sophisticated users of the Internet but can also make use of low-level criminal methods such as hacking in order to raise funds. The challenge to cybersecurity policy-makers is therefore not only broad, but complex and evolutionary.
Part 2 reviews current multilateral initiatives to address cyber-security, focusing on the work of the United Nations, the Organisation for Economic Co-operation and Development, the Organisation for Security and Co-operation in Europe, the Council of Europe, the North Atlantic Treaty Organisation, and the Group of Eight. In each case, the organisation in question has recognised the breadth and complexity of the cybersecurity challenge and that its response to the cyber-security challenge can be but one part of the whole. Although national governments are the most important actors in cyber-security, others have a contribution to make, including industry and the private commercial sector. Within each organisation there are various balances to be struck: between defensive/passive/protective measures, and a more activist or offensive stance; between security measures (of whatever sort) and civil liberties; and finally between securing the specific interests of a given organisation or government, and the more general requirement to create, for the benefit of all legitimate users, an international communications and technological environment which is as hostile as possible to the activities and ambitions of cyber-terrorists and extremists, cyber-criminals and hackers.
Part 3 examines the European Union’s responses to the cyber-security challenge. The EU is very closely engaged in cyber-security but cannot be said to have a comprehensive approach to the problem: the EU’s responses are diverse, lack coherence and could at times conflict. The picture emerges of a vast and ambitious undertaking in government and administration, touching upon most conceivable aspects of societal, commercial and private life, yet which appears unable to organise a comprehensive approach to cybersecurity challenges which, if taken together, could be said to threaten the EU comprehensively. A more coherent approach could be achieved in one of two ways: either by uniting the EU’s cyber-security efforts around one central strategy (and perhaps even within a new institutional framework); or by seeking a more efficient coordination of effort, while maintaining institutional and role specialisations. The latter approach is preferable; a co-ordinated approach reflects more closely the politics and structures of the EU and would be more responsive to the complex and evolving challenge of cyber-security. This approach – described as Comprehensiveness in Diversity – would require a more prominent role for the Common Foreign and Security Policy, the establishment within the Council Secretariat of a Cyber-Security Coordinator,
June 9, 2009 at 1:30 pm #73701
Is the EU Dropping the CyberSec Ball?
The threat posed by cyber attacks continues to evolve. As such, governments around the world are scrambling to address the threat. One such governmental body is the European Union (EU). Earlier this year a thirty-four page document detailing a study on CYBER SECURITY AND POLITICALLY, SOCIALLY AND RELIGIOUSLY MOTIVATED CYBER ATTACKS was quietly released. The document can be downloaded at. The document, released in February of this year, addresses three major areas.
Part 1 assesses the source and nature of cyber threats.
Part 2 reviews current multilateral initiatives to address cyber security.
Part 3 examines the European Union's responses to the cyber security challenge.
The study concludes with the two recommendations provided below:
1. There should be no attempt at a centralized, unified, cross-cutting approach to cyber security within the EU. Such an approach would conflict with the political character and bureaucratic structures of the EU, resulting in a loss of flexibility and a narrowing of the EU's response to the ever-widening challenge of cyber security.
2. The EU should adopt a policy described as Comprehensiveness in Diversity (or in similar language) with the following three aims:
a. Establish a clear role within the overall cyber security response for the EU's Common Foreign and Security Policy. Uniquely within the EU, the CFSP will be able to bridge the civil-military divide where cyber-security is concerned, and will connect the internal and external aspects of cyber security.
b. Establish the post of Cyber Security Co-ordinator with the Council Secretariat, acting in close liaison with EU institutions and member governments, and with relevant agencies such as ENISA, ESDP and EDA.
c. Prepare a Common Operating Vision for cyber security. Emphatically not a strategic document, the Common Operating Vision would seek to achieve operational consistency across the EU.
Cyber security is an ever-evolving problem that demands the flexibility discussed in the first recommendation. However, many of the EU states have still not formed a computer emergency readiness team (CERT). This begs the question: how will the Cyber Security Co-ordinator identified in recommendation 2b function when, in many cases, there is no one to coordinate with?
The European Union must be able to quickly and effectively take action if threatened by a cyber attack. Many of those I talked to did not think this study had enough content to even be considered a first step. While the EU is actively engaged in discussions about the growing threat of cyber security, like many other nations it does not have a comprehensive approach to the problem.
Will the EU rise to the challenge and address the growing threat of cyber attacks before it is too late? The answer is ... only time will tell, but it is not looking likely at this point.