Key players, including public bodies, need to take a proactive approach and lead the way in adopting responsible behaviour to tackle cybersecurity challenges, says the Kosciuszko Institute in the CYBERSEC 2018 recommendations. The publication shows the results of the two-day debates, engaging more than 150 world-renowned experts and decision-makers during the 4th European Cybersecurity Forum – CYBERSEC 2018 – one of the biggest European conferences providing a comprehensive overview of the strategic aspects of cybersecurity. The Forum was held under the theme “The Quest for Cyber Trust” and its discussions were divided into four thematic streams: State, Defence, Future, and Business.
- Our distinguished speakers spoke with one voice – we need trust, we need tools to provide it and we need to be agile and less hesitant to act – says Joanna Świątkowska, PhD, CYBERSEC Programme Director, and adds that the set of recommendations is aimed at decision-makers and cybersecurity stakeholders so that they take bold measures to ensure a safe cyberspace.
Countries should include security criteria in procurements for the basic IT infrastructure, and price should not be a decisive factor. Secure public procurements should carefully look at action plans, targets, specific procurement criteria, and specific certifications, to really help national procurement bodies tackle existing challenges. It is strongly recommended that the public sector and public procurement bodies talk more to their IT security agencies and implement cybersecurity strategies through public procurements.
There is an important piece of legislation – the EU public procurement directive – that is going to be reviewed. Taking an example from the chapter called “green public procurements” for instance, which sets out a requirement to procure in an “environmentally friendly way”, a chapter called “secure public procurements” should be included.
2. Three Seas countries should prepare specific investment plans and raise funds to implement projects in the digital pillar. Cybersecurity should be the cornerstone of every activity
Three Seas countries should jointly apply for and then make use of the financial resources available in the new EU Multiannual Financial Framework to implement projects in the digital pillar. The priority project in this area should be the 3 Seas Digital Highway initiated by the Kosciuszko Institute and think tanks from the CEE. Possible funding sources are the Connecting Europe Facility and the Digital Europe Programme as well as national resources and the Three Seas Fund. In the near future, efforts should be undertaken to prepare specific investment plans.
- If we want to execute the 3 Seas Digital Highway project, we would need each state to give incentive to their telecom companies to work, build interconnection and invest together. – says CEO of Exatel, Nikodem Bończa Tomaszewski during the CYBERSEC interview. - The Three Seas countries should think about investing in common fiber-optic infrastructure built along the highways. This infrastructure could be available in the wholesale model for everybody who would be interested. It would give a strong incentive for the whole economy – not only digital economy but also for the traditional industry to stimulate integration across the region. – claims Exatel’s CEO.
Cybersecurity as well as the “security by design” approach have to be the cornerstone of each and every activity and project in each of the Three Seas Initiative’s pillars: energy, transportation and digital. The “do-things-fast-and-fix-them-later” way of thinking has to be abandoned, especially since digital solutions are today the foundation of critical processes on which socio-economic security depends.
- The Three Seas Initiative, with the potential to create a strong backbone of digital connectivity is incredibly important. – underlines John Frank, Vice President, EU Government Affairs at Microsoft. - Without connectivity, local economies can’t grow, prosper, and take advantage of the incredible opportunities that are being made available through today’s technological advances. There has never been a better time to jump into technology.
3. 5G development must be indispensably correlated with security activities
While developing 5G it is recommended to keep in mind that customer-oriented needs cannot undermine the security aspects – security and functionality need to be advancing in parallel. Security responsibilities of the producers of devices connected to the network should be underlined. It is necessary to increase the users’ awareness. All users (private and public) should feel responsibility for their behaviour when it comes to cyber hygiene.
- The user awareness is very important, but we have to remember that the security of 5G will be in the hands of those who own the infrastructure. – said Nikodem Bończa Tomaszewski, CEO of Exatel during the CYBERSEC 2018 discussion panel. - That’s why, in countries like Poland, the most important issue to resolve is: how are we going to build this infrastructure?
5G infrastructure operators and owners should build their business models on a public-private scheme that would increase trust and provide improved efficiency and security. Due to the 5G deployment, infrastructure operators and owners will have the greatest impact on the cybersecurity of the future; therefore, the decision on how and with whom to cooperate within the whole telecommunication value chain is absolutely crucial.
4. States need to overcome the taboo when it comes to the development of offensive capabilities
Regarding the usage of offensive tools for defensive purposes, more focus should be put on rules of engagement, political control, and legality. The nature of offensive cyber actions is unique and will require new areas of planning. Cyber actions are usually one-time use. This causes NATO member states to be reluctant to disclose their capabilities and methods. They will focus on providing effects rather than tools. This creates new needs for mechanisms of cooperation, especially in the multinational context.
- It’s important to reiterate, that whatever States will do, will stay within the framework of international law. International law applies to cyber. International law applies to offensive capabilities. No question, no doubt should be raised about that – underlined Ambassador Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace and Former Estonian MFA during her keynote speech at CYBERSEC Forum 2018.
Usage of offensive capabilities requires close analysis of potential consequences and collateral damages, as well as proportionality. Their deployment must be seen from the broad perspective of all cross-domain tools.
5. Securing the digital value chain should be embedded into the DNA of every activity in cyberspace
The concept of the security of the digital value chain is central to all activities in the area of cybersecurity. As explained by Edna Conway, CSO, Global Value Chain at Cisco Systems, “the value chain, certainly for the information and communications technology, is the end-to-end lifecycle of any solution, whether it’s software, or service, or hardware.” In the interconnected world, we are entirely interdependent. The critical issue is to identify third parties upon which we rely and to implement effective security requirements. While thinking about cybersecurity, we need to look at the full spectrum: physical security, logical security, operational security, behavioural security, information security and security of technologies.
Private-public cooperation is the key. We need to identify fundamental security requirements based on international solutions. We should think globally – not about regional or even country-specific solutions.
6. EU and NATO Member States should be more decisive in terms of cyber attribution
Attribution should be treated not only as a technical challenge, but also as a political one, which requires a more cross-domain approach.
- Attribution is something we’re doing increasingly – says Ciaran Martin, CEO of the National Cyber Security Centre in the UK, in the CYBERSEC TV Interview. Martin explains that it’s all about getting the evidence and finding ways to make it transparent, so it is possible to convince people who’s behind certain cyberattacks. - Attribution gives us information that we can give to our companies, our governmental organisations and the citizens. We can provide them with tools to protect themselves from future attacks. – adds NCSC’s CEO.
Experts during CYBERSEC 2018 also recommended developing the EU Cyber Diplomacy Toolbox, which is a framework for a joint EU diplomatic response to malicious cyber activities. One potential dimension for further action is to enhance community building and boost cooperation among entities that may contribute to attribution, including the private sector and non-EU states.
7. We need to change the approach towards cybersecurity from passive to active
We should take steps, even small ones, which will improve the cybersecurity posture within organisations. The UK government created the “Active Defence” framework composed of a set of automated and free-to-implement measures which help a user to eliminate numerous cyber risks. Similar activities could be introduced around the world.
- Active Defence is about doing something, it’s about not being passive, not being inactive. – explains the NCSC’s chief Ciaran Martin. - It’s about fixing the technology, fixing the way data flows, stopping spoofing, about taking down bad websites, just to protect people automatically. – adds Martin.
8. Start looking at the labour market as a whole to safeguard the cybersecurity ecosystem
Secure development and maintenance are the launching pad for the vulnerability prevention and the safeguarding of the ecosystem. We need to have more secure coders and we need to start looking at the labour market as a whole.
- The cybersecurity ecosystem consists of not just security researchers, but also bug fixers, and the folks who prevent the security incidents from happening and who write more secure code. – says Katie Moussouris, Founder & CEO, Luta Security and a famous hacker and a pioneer of the bug bounty. - So in order to ensure a global ecosystem, that is more secure, we need all players in this ecosystem, including security researchers to be welcome. But not just to prevent security holes, but also find them and fix them, when they are missed in the initial process. – adds Moussouris.
Entities must keep in mind that the encrypted data they store today might become readable in the foreseeable future due to quantum developments. There is no time like the present to begin to think about the various methods of protecting data against potential decrypting operations in the future.
Europe must speed up in building its own quantum machines. Also, apart from quantum hardware, there is a need to develop quantum software. A European crypto policy should be created and implemented.
10. Highly reliable cloud solutions can significantly increase trust and security, while saving budget on cybersecurity specialists
Implementation of many modern technologies, like cloud computing, requires trust. Trust is built on transparency of technology and verification of security and privacy (using, among others, certifications or standards). The mechanisms of building confidence in digital technologies should be employed and promoted throughout the region.
- Trust is critical to everything that we're doing. We’re moving to the cloud computing age, when perhaps the idea of moving data to the third party servers might create questions about how these large data centres are protecting our data. – said Pablo Chavez, VP, Global Public Policy and Government Relations at Google Cloud during CYBERSEC 2018. – We have the opportunity to demonstrate to our customers, that the data in the cloud is actually very secure, that it is under their control.
Many companies cannot afford to hire employees with high cybersecurity expertise. Cloud providers are capable of providing clients with secure solutions regarding data management. The cloud often brings a better level of resilience. For instance: denial-of-service attacks succeed rather poorly in a cloud environment compared to an enterprise environment. It also enables quicker patching conducted on the core infrastructure.
A European cloud security certification scheme, which will be built on existing solutions and which will define common technical controls for cloud security at the European level, can significantly increase trust and transparency. Security can be sector-oriented and in the future we should move towards sectoral guidelines and requirements for cloud services.
- We predict that 2019 will be characterized by more complex and deceptive cybersecurity incidents and attacks. We will not win the competition with black hats unless we concentrate efforts of governments and companies on Securing the World’s Digital DNA – says Izabela Albrycht announcing a motto of the 5th anniversary edition of CYBERSEC Forum 2019 that takes place on 29-30 October 2019.