|Many politicians limit cyber security to fighting cybercrime|
|Giving the fight against cybercrime top priority in a national security plan is a good start (e.g., Belgium); however, the question must be raised: will extra police officers be able to work effectively without a national CSIRT coordinating information exchange between the police and the various other parties involved (e.g., critical infrastructure providers, financial payment networks and ISPs)?|
|Without a comprehensive and well thought out national cyber security strategy that includes, and is built on, a central node for coordination and information exchange, a European security strategy that works remains just that: a pipe dream.|
Most experts agree that national efforts alone cannot protect a country’s infrastructure against a serious attack. It is important to accept the fact that critical infrastructure may be owned and operated by private companies (e.g., telecommunication networks) or by governments (e.g., transportation infrastructure, including railway infrastructure and air traffic control). In some cases, part of the infrastructure may be owned by the government but operated by private firms on behalf of the government (e.g., managing a dam whose water is used for generating power).

Do you really have a national security plan that is workable? Of course, every country will answer this question with a yes. But put it to the test and ask yourself to name what is in the plan – see table below.
In a family setting we do write down the emergency numbers to call just in case our baby has put her hand into boiling water….
But things get fuzzy when we talk about cybersecurity and defense. Most nations do not have a well worked-out and comprehensive plan that has been thoroughly tested in a series of exercises (remember fire drills?).
For instance, the plan should spell out succinctly what infrastructure operators (especially their employees) should do when they discover an attack, a botnet, or realize with surprise that their computer(s) might have gotten infected by some malicious code.
|Do you have a plan that is tried and tested – Keep it Simple, Stupid (KISS)|
|Nation – When a cyber attack occurs, everyone in your organization (e.g., CSIRT, infrastructure providers, railway operator, etc.) should know what to do, where to go and who to contact at the national or organizational level. Make AND test your plan’s practicability.|
|Citizens – When a cyber emergency occurs, everyone in your household should know what to do, how to respond and who to contact. Make and test your plan.|
And no, do not be rash and claim your country has it under control before you reflect for a moment. To illustrate: when Canada established a Cyber Security Plan in April 2004, the Cyber Security Task Force got Can$5 Mio out of a total budget of just about Can$690 Mio. Just to put things in perspective, others got the following funding:
The above illustrates that, if we apply the saying “put your money where your mouth is”, cybersecurity was not a primary concern in 2004, nor in 2005 when an update was published online by the Federal Government of Canada (see above link).

Closer to home, last week Belgium’s Council of Ministers approved the national security plan for the next four years. Belgium’s Federal Computer Crime Unit has said for quite some time that the country is highly vulnerable to cybercrime. The plan foresees recruiting some 200 additional police experts per year, to be added to the 1,150 that are currently in place to fight cybercrime.
This means that by 2012 Belgium might have 2,000 cyber cops busy fighting cybercrime. Unfortunately, the country lacks a national Computer Security Incident Response Team (CSIRT) that coordinates these efforts and acts as the national and international point of contact to foster a more structured and faster exchange of information (e.g., about attacks and best practice).
De Bruycker and Gattiker (Feb. 6, 2008) published CyTRAP Labs Technical Report Series 2008-01, which addresses these issues. In particular, it outlines why a national point of contact (or information node – whatever name you prefer) is needed to coordinate the efforts and responsibilities of the various national stakeholders. It builds on the belief that protecting critical infrastructures such as telecommunication networks or the Internet is a shared responsibility that needs to involve various parties (e.g., infrastructure owners, private and public groups, regions, regulators, etc.) to succeed in better protecting our infrastructure assets:
de Bruycker, M. & Gattiker, U. E. (February 5, 2008). Successful cyber defense requires a coordinated national approach. CyTRAP Labs Technical Report Series #2008-01 (http://papers.WebUrb.dk). Zurich: CyTRAP Labs. [Online] Available: http://papers.weburb.dk/frame.php?loc=archive/00000149/ (last accessed: February 6, 2008).
The report makes it quite clear why tasking a government CSIRT with this important role is setting yourself up for failure (PS: serving government agencies and departments is not the same as being a node for information exchange or a national center of excellence). As well, a national CSIRT that is virtual, with its members working in various branches of the government (e.g., federal police department, academic network operator, govCERT, etc.), has not proven to work extremely well. In fact, it makes it far more difficult to do a good job. Hence, getting these experts seconded to work together in one building is an important first step on the road to success.
CyTRAP Labs’ take on this issue
When an emergency occurs, everyone in your household should know what to do, where to go and who to contact. And while you may not have a written plan, you have surely instructed your kids where to find the number to call in case of an emergency.
Unfortunately, when it comes to cybersecurity and infrastructure protection we tend to fail miserably. Just jog your memory:
The above happened in December 2006, and we had another little mishap at the end of January 2008, which we reported about here:
It shows that, whilst we should have learned our lesson from Taiwan’s disaster, we failed, as the January 2008 case near Alexandria, Egypt suggests. We are not prepared to make our networks resilient and redundant. Neither have we put coordination centers in place that have the resources and the explicit mandate to make things happen when it comes to improving a country’s national cyber defense.
How much longer can we afford to talk and plan about it instead of doing something practical? Until a real disaster strikes us first, bringing things to their knees for a week or so (e.g., neither the telephone works nor your debit or credit card at the gas station or grocery store)?