ERICE SEMINAR 2013
Permanent Monitoring Panel on Information Security
Plenary Round Table, August 21
“Cybersecurity at the Crossroads: Are We Losing the Battle?”
Ambassador Henning Wegener (Chairman)
The plenary session on information security which Professor Zichichi so generously concedes to our group every year has two particularities this time around.
In the first place, it does not consist of the customary sequence of 20’ power-point supported individual presentations. This time it takes the form of a panel with very brief initial statements by each participant. We hope to derive from that format a more lively and active interchange on a problem that is of so much concern to all of us.
The second novel feature is that you will listen to a new team. Over the last year we realized that so many of our erstwhile colleagues had to leave us for imperative personal or professional reasons that we were in danger of losing the critical mass for our work. Under these circumstances Professor Zichichi has kindly agreed that we amplify our resources by inviting new colleagues, - forming a new team, new in part, because some of the original members are of course still with us. In recruiting new talent, we had two purposes: the first one, to broaden our expertise in a rapidly evolving area of science; the second, to broaden our geographical spread. We are now geographically more representative, more global, as befits our topic. Cyber security is a global problem, and it is important to reflect this.
To give our new colleagues proper access to this audience, the PMP members who have been traditional speakers at this annual session have refrained from taking the floor, ceding the limelight to our new colleagues who at the same time can also be better known to you.
We have the great privilege that Secretary General Hamadoun Touré, so well known to you from past years, has agreed to be the moderator of this debate.
Secretary General HamadounTouré (Moderator)
Cybersecurity is a very sensitive topic. At the outset it is important to mention one critical fact: if one gives a strong warning on cybersecurity that does not mean that one is against the use of cyberspace. Its uses by far outweigh the menace to it of criminal acts. Our task is to improve the security situation to generate added value.
There is no better place for this than Erice with its record of 60 successful years of struggle to avoid the nuclear threat. That being said, cyber security is probably one of the greatest challenges of our time.
We have by the end of this year almost 7 bn people connected by mobile phones, and 2,7 bn connected by Internet. That is almost 70% of the world population. Yet we have a long way to go: my task at ITU is to see to it that all are connected, and enjoy security and safety. If we make sure that they all come aboard, the world will be a better place.
There are some companies like Ericsson predicting that by 2020 there will be 50 bn connected devices in the world, a situation that makes the security situation more complex and the challenge even greater. The scientific community has a great role in this, highlighting the problem and advocating security solutions. Erice has been successful in such work and is, indeed, very important as regards this planetary emergency, moving this agenda world-wide. The role of the scientific community cannot be overstated.
There are a number of topics we are going to cover in the time allotted to our session today. First, the new threat landscape and the exponential growth of digital devices and users, and the dangers that growth portends. Then the dangers of an increasingly mobile and interconnected world that also offers new opportunities for terrorism that arise in a mobile environment. Then the insufficiency of effective legal mechanisms to combat these threats, and the need for new norms of behavior. Big data! We will also talk about the vulnerability of the digital controls, the SCADA, in an emerging world of “smart” infrastructures and industries. We will talk about the alarming militarization of cyberspace, - and on this we will not fear to be very provocative. We will always remind ourselves of the title of our session: Cybersecurity at the crossroads: are we losing the battle? Or are we winning it?
One essential query is whether we can maintain the universality of the Internet, or whether balkanization threatens us. And what would be the consequences? Can we maintain the multi-stakeholder model? Our debate will then move to prevention, cyber resilience and cyber defense. Can we organize them in a global framework, is it feasible, how can we go about its creation?
I have touched on some of the key points we will discuss. I hope for a lively debate, and now call upon our speakers. We will talk about everything, also about what is in the latest news. I have asked our speakers not to present government or organizational views; they will speak for themselves. That will make them freer in talking about our topic.
I would now like to invite our first speaker, Professor Howard Schmidt, to talk about the threat landscape. Give us a snapshot of where we are today.
Professor Howard A. Schmidt
It is interesting if we look at the milestones of this Center, especially at the 50 years of preventing nuclear war and the evolution of nuclear technology and what is has done on the militarization road, that we see some stark parallels between the nuclear, and what happens in cyberspace and where we have gone. Many nations oftentimes look to vilify the technology and the science, but do not vilify the villain.
If again we look at milestones, there are in particular two areas I would like to frame my comments on. Ten years ago, the US adopted the National Strategy for Secure Cyber Space, in five parts. Clearly there was an education and training part, also one very much on protection of critical infrastructures, and then an international part which included intelligence and law enforcement.
Another 10 years ago to this month and perhaps even this day, we saw globally a virus, a worm, called MS Blaster. Some of you who have a computer science background may be familiar with it and others may have been directly affected by it. It was a piece of malware that exploited the vulnerability of Microsoft systems, but it was the first shot of a new dimension, pursuing multiple venues of infection, going beyond the traditional attack on one vulnerability using one vehicle of delivery like the I love you virus, sent via e-mail. This one was written for multiple vulnerabilities, and multiple deliveries: e-mail, network connections, certain protocols that would be executed, and if one vehicle was not successful, it would try another, and then perpetuate itself to other networks.
This attack on multiple venues of infection and delivery by various vectors became known precisely at the moment when there was a great blackout in the North East of the US. Much work on the cause and effect has been done, and it appeared that many of the monitoring systems on the grid had no direct effect on power generation. Many were in the process of rebooting, introducing new software at the time. The lesson has not got lost. I use the example as a basis for describing some of the things where we are today.
There is almost nobody who does not use IP-based technologies in all areas of his life, from research, communication, leisure, to work. Our dependency has increased significantly, but there always those who not only want to interrupt these processes, but use them against us. There are new generations of malware which make MS Blaster look relatively simple by comparison. Sophisticated malware is now written by criminal groups, hacktivists, researchers who do not have good control over what they are creating. Even more troubling: nation States are now embarking on writing their own malware. We have to protect our citizens and our systems. But there is now an open market with wholesale selling of vulnerabilities in ICT systems. We as researchers would have immediately shared this knowledge with our colleagues so as not to perpetuate structures by which we ourselves become victims.
But these types of malware are now not only sold on open markets, but also stockpiled by governments in arsenals for use in some future when they believe others do not have them.
Others have already spoken – or will underline - the exponential growth of digital systems, especially mobile devices. Let me add one other development. Many TV manufacturers now look at the IP-connected home, where all communication means, all gadgets, are now centrally located in an IP-based system, controlling many aspects of our life and creating corresponding vulnerabilities. There are the same things happening as when we developed software, and it also holds for SCADA of that time: we developed easily used, rich, robust systems, but security was not a factor in the development.
A final comment on Big Data. They are very helpful for many of our purposes, but their use, particularly when involving the Cloud, are not without significant risk. We in the science field, in the business world, and even in government, do not fully comprehend the risk brought forth by this huge conglomeration of data available anywhere and anytime.
Dr. Pavan Duggal
I have been asked to talk about the new dangers in the mobile world.
When we were all travelling from our respective places to Erice, something was happening in another part of the world. Trend Micro released its annual report on the second quarter of the year, and, low and behold, the title was “Mobile Threats Go Full Throttle”. It threw light on things which are probably the worst kind of nightmare we were expecting. The level of infections that have invaded the Android operating system of mobile phones is now mind-boggling. While in 2011 they found a mere 1000 cases of infection, the number in 2012 rose to 365.000. Trend Micro also reported the growth of high risk mobile apps. From 509.000 in the first quarter the figure jumped 30% to 718.000 in the second. We all use mobile apps on our phone and take them for granted. But little do we realize that we carry the devices, but also live, ticking time bombs in our pockets. Each and everyone can be used in a remarkable and imaginative manner so as not only to break cybersecurity, but also the whole mobile ecology. If you believe Gartner, 1,857 bn mobile phones are to be sold all over the world this year, 1bn are going to be smartphones, and the majority are going to be on Android. We are actually carriers of infections. These phones can be used so dramatically as to pierce the security of everything, all computers and networks. Gartner further says that by 2015 the tablet market will grow faster than the entire PC market. That is the reality of today! We are all mature people and we use our phones responsibly. But think of our youngsters who are the digital leaders, they go ahead and use these devices and do not think of the dire ramifications on the security and stability of the cyber systems per se and also the mobile security.
Early this year EMC published yet another report, on the current state of cybercrime 2013. They noted almost a 42% increase of high risk mobile malware, and tracked down a total download of Apple iOS from App Stores of 40 bn that have taken place from 2008 onwards,, of which 20 bn in 2012 alone. With these massive figures it becomes increasingly clear: we can disagree on our choice of mobile devices, but almost invariably people are addicted to devices that are communicating audio, video, images and text. No matter what the device, the name of the company, the configuration: they are connected to a network.
My own country, India ahs very effectively surpassed the PC generation, leap-frogging from the pre-PC age to the mobile generation. More and more Indians use mobile phones to do services on the Internet. Service providers become increasingly aware and fight for their part of the pie, offering 7 days of free Internet access for just one dollar! With that, there is increased concentration on mobile as the de facto mode for storage, communication, reliance, trustworthiness without realizing that we are perhaps committing the greatest mistake of our lives: we have a perception that this is very safe because the phone is in my pocket, I have not given it to anyone, Nothing is farther from reality, others can hack it or go to somebody else’s system. There is thus the need to come up with a broader vision of cybersecurity and to incorporate special elements pertaining to mobile security, as we are increasingly accessing not only normal computers but also critical information infrastructures by mobile devices.
A new legal discipline has evolved: mobile law. In my last book I have defined it and talk about all the legal and regulatory aspects. It is a new world we are waking up to, and clearly, there a huge numbers of new challenges with further ramifications on the protection and preservation of cybersecurity across the digital domain.
Dr. Stefan Lüders
I speak to make a plea for enhanced security of digital control systems.
Like everyone in my generation, embedded in all the conveniences of modern city life, my environment made me a Cyborg --- a human entangled with technology --- supported by, but also highly dependent on software and hardware: Most of our activities are facilitated and controlled by a sophisticated chain of automatism and controls. Take the example of the air conditioning system in this hall. A process control system (PCS) monitors the ambient room temperature through a distributed network of sensors. A central intelligent unit --- labelled Programmable Logic Controller (PLC) --- compares the measured temperature values with a set of thresholds and subsequently calculates the new setting of the attached actuators for heating or cooling. On top of this temperature control loop (monitor, calculate, set), a small display --- a very simple SCADA system (supervisory controls and data acquisition system) --- attached to the wall allows me to read the current room temperature and to manipulate its set-points. Many (different) sensors, PLCs, actuators and SCADA systems can be combined and inter-connected to build up a larger and more complex PCS.
In a similar way, all our commodities and amenities depend on many different, complex PCS: PCS for water and waste management, for electricity production and transmission, for public and private transport, for communication, for production of oil & gas but also cars, planes, food, pharmaceuticals, medical care. Today, many people live in symbiosis with those PCS which make their live cosy and comfortable, and industry depends on it. The variety of PCS has become a comprehensive, integrated “Critical Infrastructure” (CI) providing the fundamental basis for civilized survival.
So what would happen if a component or the whole of this Critical Infrastructure fails? Failure of the electricity system will halt public life: We rely on our Critical Infrastructure, we rely on PCS, and we rely on the technologies behind PCS. In the past, PCS, PLCs and SCADA systems and their hardware and software components were proprietary, custom-built, and stand-alone. Expertise was centralized with a few system engineers knowing their system by heart. That has changed in past decades. Pressure for consolidation and cost-effectiveness has pushed manufacturers and utility operators to open up. Today, modern PCS employ the same technological means used since years in computer centres, in offices and at home: Microsoft’s Windows operating systems run SCADA systems; web browsers function as user interfaces; laptops and tablets replace paper check lists; emails disseminate status information and alerts; IP protocols communicate among different (parts of a) PCS; the Internet runs remote access for support personnel and experts...
While benefitting from standard information technology (IT), today more than ever, computer centres, office systems and home computers are under permanent attack aiming at infiltrating control systems and gaining malicious benefits --- sabotage, espionage, overriding conflict objectives, or, less threatening, plain fun. PCS have become targets. The sophisticated “Stuxnet” attack by the U.S. and Israel against the control system of Iranian uranium enrichment facilities in 2010 is just one of the most publicized cases. New vulnerabilities affecting PCS are regularly published on certain web pages, and recipes for malicious attacks circulate widely on the Internet. The damage caused may be enormous.
Therefore, “Critical Infrastructure Protection” (CIP) becomes a must. But protecting PCS of computer centres and important infrastructures, patching them, running anti-virus on them, controlling access is much more difficult than the attack possibilities. PCS are built for use-cases. Malicious abuse is rarely considered during their design and implementation phase and subsequent operation. For example, rebooting a SCADA PC will temporarily impede monitoring capabilities; updating PLC firmware usually requires thorough re-testing and probably even re-certification. Both are non-trivial and costly tasks and cannot be done in-line with the monthly patch cycle of e.g. Microsoft…
A fraction (if not many) of today’s PCS are vulnerable to common cyber-attacks. Not without reason said the former advisor to the US president, Richard Clarke, “that the U.S. might be able to blow up a nuclear plant somewhere, or a terrorist training centre somewhere, but a number of countries could strike back with a cyber-attack and the entire [US] economic system could be crashed in retaliation … because we can’t defend it today”. We need to raise our cyber-defenses now. Without CIP protection, without protected SCADA, our modern symbiotic life is at risk.
Professor Solange Ghernaouti
I would like to share with you some reflections on the current unbridled militarization of cyberspace, a great concern of our time, and I will do this from several perspectives.
First, from a military perspective. Modern armed forces are increasingly dependent on information systems and telecommunication, in great part from the civilian infrastructures. Information systems have both created new opportunities and introduced new vulnerabilities. Ideally cyberspace and information technologies should never be reduced to the status of military tools that could be used as weapons, but with the Internet the frontiers between the military and civilian worlds are not clear; the same technologies and infrastructures are used. Modern weaponry is digitally controlled and employed, both worlds mix. But the limits to such military uses are ill defined, and the collateral effects insufficiently explored. Militarily motivated incidents, apart from their direct impact on targets, pose a potential economic threat but also endanger public safety and national security at large.
The Internet and modern information technologies enable attacks on information systems at a distance. Militarily speaking, it is possible to inflict losses on an enemy, destabilise him in the political, economic, scientific, cultural and social fields without needing to cross traditional geographical borders. The Internet allows the development of military strategies employing non-military traditional weapons. Certain states have understood this very well and are developing both offensive and defensive operational IT capabilities, cyber doctrines, and national cyber strategies, in an incipient cyber arms race with possibly dire consequences.
.
There is also the “new territory” perspective. Cyberspace is a new technological domain. This domain is now considered a fifth fundamental military space alongside the air, the land, the sea and space, a new territory to be conquered, but not regulated. Cyberspace may be a source of enrichment, a place for the expression of power. But through Internet technologies, including mobile, cyberspace has also become a tool for criminality and terrorism, including the hosting of conflicts.
There is also the perspective of anonymity and protective isolation. The Internet provides a layer of protective isolation that allows the origin of attacks and the identity of attackers to be masked, at least for a time. It allows psychological operations, data theft, espionage, or tampering with or shutting down systems. A state can thus carry out large-scale offensive operations without needing to admit to them.
The enemy is not necessarily a state, however. There exist mercenaries and there is a whole service infrastructure based around black markets where tools and expertise for carrying out malicious activities are available to criminals, terrorists and activists who have understood how to use or misuse the Internet to support their activities in an effective and efficient way. They do not care about legal considerations and thus in this context the current Laws of War – binding States - do not apply. Existing laws or treaties are not enough and we require a structural equivalent to the International Atomic Energy Agency to promote the safe, secure and peaceful public use of information and communication technologies. We need norms for peaceful behaviour in cyberspace.
Speaking from an international and global perspective, war in cyberspace differs from war in the traditional sense in many aspects, but an economic war, an information war, a war of, for and through information occurring in a period of generalised global crisis from which the Internet is not excluded can be the equivalent and must be discouraged. Our hyperconnected world has introduced a new level of complexity that brings with it systemic risks and complex crises, large scale military use of cyber space being the worst option.
We need to be innovative in our responses. Cyberspace has a great need for coordination and co-operation among all nations and a real challenge will be to propose efficient confidence-building measures or codes of conducts. We need solutions that will allow cyber risks to be restricted to an acceptable level and human rights to be respected in cyberspace. A key counterpart of reducing the digital divide will consist in ensuring that all users have access to information security. Peaceful use must be the norm.
Without a common understanding and a real will to make change happen, it will be impossible to fight against cybercrime, to reduce ICT misuses and to preserve fundamental human rights in a peaceful environment. The unbridled military use of the cyberspace must be curtailed.
MSc Alexander Klimburg
Let me start with a simple statement of faith: the emergence of the Internet is one of the most momentous events in human history. Man is the ultimate creator of cyberspace. He can also destroy this domain at will; and there is a real risk that this might occur. The Internet technology that underpins cyberspace was developed by individuals, not corporations, not governments. CERN took a leading early part with individual scientists. This is how the Internet was really built, part by part, by volunteers, by scientists, by the civil society, by creating protocol after protocol. Obviously what was created was not perfect; most importantly, it was too trusting. Due to cybercrime and cyber conflict governments have increasingly become involved in this area. The UN, in the First Committee, has since 2003 maintained a Group of Experts that recently published a document on norms of behavior in cyberspace. In the OSCE there is a group with which I worked for the Austrian Government that has recently defined a set of Confidence-Building Measures. towards reducing tensions, for instance by hot lines of communication to prevent accidental war breaking out. The problem is that some States are not so much concerned with State-to-State escalation or conflict but with internal security. They are deeply suspicious of Western and liberal democratic support for human rights and the right of free speech, and see there attempts to undermine their authority. They also claim that ICANN, a US-based non-profit organization which has a leading role in domain names, is purely under US control and serves US Government interests. These countries also, for control, wish to go to the root of the Internet and correspondingly question the very bases on which the Internet is built and its resources managed. This is the multi-stakeholder approach, implicitly defined since 2005 at WSIS and which maintains that the Internet be managed to equal parts by Governments, the private sector and civil society. The balance is shifting rapidly and there seems to be an effort to interpret equality in the sense that Governments are to be “advised” by the private sector and civil society. That would shift the entire balance, and could easily happen, possibly in 2015, and the Internet would then not be the way it is. We had a recent meeting in Dubai where many countries indicated that they want a new discussion on Internet governance. Liberal democracies would be confronted with a hostile majority of votes, due to their failure to articulate the reasons why the current governance should be maintained. In 2015 there will be a redefinition of the multi-stakeholder approach which would basically mean that the Internet will, not stay the way it is. That would in my view be a disaster for three reasons.
ICANN would have no more legitimacy anymore, could not do the things it has to do, would be an illegal and unsupported institution. If the liberal democracies reject that attack, countries such as Russia and Iran – China would even go further down this path – ,as they have repeatedly stated, will create their own Internet and disconnect from the world-wide web.
There would be real difficulties for technical reasons, but there would also be a moral problem. We must keep in mind that there are people behind the digital Iron Curtain who could not be connected to the rest of the world.
Second there would a political disaster. If liberal democracies reject the majority view as they intend to do, they would undermine the entire basis of international governance as it exists, a catastrophe of global proportions. It can happen as for liberal democracies this is linked to free speech and freedom of association, and backing down would effectively be compromising their positions.
Thirdly it would be a disaster on the scientific level. Professor Zichichi in his opening statement told us to be aware of political recommendations to science. Governments are simply not able to develop the protocols that are the Internet, only qualified engineers can do it. The Internet Engineering Task Force is an anarchic, amorphous group that does not even officially exist and never even votes. They set their own rules and presume that they can set up their own Internet. Who would use it? Criminal elements, activists in their own interest. What can science to do prevent this? Science, civil society must engage, must accept the challenge. The solution requires a lot of activity and financial resources.
Secretary General Hamadoun Touré
Let me just mention a simple fact. We did hold the ITU Conference last December in Dubai; I was the main organizer. It was not a conference on Internet governance, but the result was that we can now talk about Internet Governance in a better atmosphere.
Ambassador Iklódy
Are we losing the battle? In fact there is more than one battle that we need to be fighting. One is waged between cyber attackers and defenders. Here, the picture is not reassuring, as the attacker always has the advantage over the defender. Another difficult battle is fought between freedom and security. Finding the right balance between privacy and anonymity on the one hand and ensuring traceability, on the other is a growing challenge that needs to be continually reassessed. But the need to become more security-conscious should never lead countries to use cyber security threats as a pretext to curtail the freedom of access to the internet.
It is clear: with growing dependence on cyber assets comes greater vulnerability. The task ahead is to ensure that we maintain the freedom that cyberspace offers but navigate in this new, quickly expanding domain in a more security-conscious fashion. There is no return: solutions are to be found within digital technology.
So, are we losing the battle? No, we are not - and, clearly, we cannot afford losing it. Instead, the real question we should pose to ourselves is: what could one do to make cyberspace more secure and how could science help us achieve this? Let me offer a few thoughts:
We should probably start with the basics and, as a first step, help raise awareness in the wider public of the fundamentals of cyber security. There is broad agreement among experts that at least 90-95% of cyber incidents could be prevented by applying better cyber "hygiene", e.g. by regularly updating our software, using firewalls, not clicking on suspicious attachments, etc. In other words more education is needed: at schools, at work, and wherever computers are being used.
It is equally important to train national cyber security experts from the strategic to the technical level. NATO has already embarked on that road. It designs specialized courses, many of which are open to partner countries. In an increasingly interconnected digital world our chances of proper incident response increase significantly if national experts understand one another.
Deterrence, unlike in the traditional domains, may no longer keep adversaries, particularly non-state actors securely away. Therefore, any successful cyber defense strategy must rely heavily on prevention and resilience.
An early detection of hostile intent and/or malicious activity requires, inter alia, greater emphasis on enhanced intelligence cooperation within and between states. Disclosing vulnerabilities is, however, extremely sensitive even within a country; a lot more so internationally. Science, together with industry, can help develop technology that detects malicious activity without compromising vital national or business interests.
But prevention may fail. Our ability then to withstand an attack is determined largely by how resilient our digital networks are. The development of common security and interoperability standards, drawing on existing best practices, will likely become a major driver of our activities in the years ahead. International standards can help encourage countries to invest in reducing their vulnerabilities and can also promote trust between countries. It is paramount that standards development is pursued as a truly collaborative effort beyond traditional stove-piped approaches.
One of the biggest challenges we face today stems from the fact that from the perspective of cyber awareness and capabilities the landscape is extremely varied: some countries are a lot more advanced and are investing heavily, while others are clearly lagging behind. The truth of the matter is that the gap that separates the frontrunners from the others is actually growing. There are several problems but also opportunities arising from it. Let me just mention two of them.
All should acknowledge that in our increasingly interconnected world no one, however powerful, can build fences that are high enough to securely separate countries from one another. Consequently, promoting higher levels of cyber security for all is a common interest.
And second, today one third of the world's population is online. In ten to fifteen years that number will grow to two thirds, with a real boom in the developing world. The quick expansion there offers the opportunity for the developed world to help build those networks in a more security-conscious way, so that the mistakes that we had committed when security did not matter so much are not repeated.
Professor Mona Al-Achkar Jabbour
I will speak on the comprehensive networks of cooperation needed to achieve cyber security.
In our interconnected world, different societies, governments and businesses continue to place sensitive data and the control of critical infrastructures on the Internet. Rogue individuals, States, organized crime, and terrorists are using information and telecommunications technology to attack systems and to gain access to infrastructure control and sensitive information. These intrusions, in an ever-changing mesh of opportunities and challenges in the cyber environment, cause serious threats to emerge, raising mistrust and conflict potential and the risk of actual and future conflicts and even wars, between States..
With these increasing cyber threats, ranging from cyber crime to cyber espionage to large-scale cyber attacks, governments all around the world are considering cyber security as directly related to their national safety. They believe that the consequences of cyber attacks may endanger national welfare, stability, and security. Many of them have thus placed cyber security on their political and military agenda as a top priority, and look to diplomatic meetings to discuss strategies to protect their own space. Some have already started developing, not only defensive strategies and tools, but also cyber weapons, and offensive sophisticated malware, while several among them are suspected of using cyber weapons and making offensive interventions across cyberspace.
The danger is real, and becomes imminent in a global economy driven by technology where cyber crime has become a booming industry.
Accordingly, cyber security is indeed a planetary emergency, since some threats may produce major disturbances by attacks on critical infrastructure of the society, and since escalation is a possibility when one event leads to another, which may ignite wars and lead to catastrophic results.
In cyber space hostile action is easy, and does not respect jurisdictional confines, which suggests that the traditional concept of national or regional territories, authorities and competences hinder an efficient combat and deterrence of ICTs misuse.
Cyber threats represent a transnational global criminal phenomenon which cannot be dealt with according to the traditional distinction between jurisdictions defined by State sovereignty and borders. An attack launched, from one country against another may affect many others. A single jurisdictional approach is not enough, a coherent and global approach is needed. Hence, cyber deterrence cannot be undertaken by one government alone, in the absence of cooperation. Cooperation is a must.
Hackers and criminals continuously exchange vulnerability information, detailed exploits, and attacker toolkits. They benefit from the borderless nature of the cyberspace, the anonymity it provides, the complex structure of the telecommunications infrastructure, and the lack of international cooperation at the legal and procedurals levels to track and punish them.
Traditional law enforcement methods cannot keep pace with the technical development that moves far too quickly. Actual technical skills, as well as, tracking and tracing capabilities in most countries, are still primitive, compared with the sophisticated and advanced capabilities of the attackers, which makes attacks extremely difficult to detect and to trace using national human and technical resources.
To avoid falling behind criminals and overcome jurisdictional limits, governments have the obligation to cooperate nationally, regionally and internationally, by:
- Establishing national strategies and policies that support a robust plan of action, to ensure protection, legislation, capabilities and close cooperation among all stakeholders within civil society and the public sector.
- Considering cooperation that goes beyond high-level agreements in principle and traditional ways of cooperation in cross-border crimes. One needs to share information and resources on existing vulnerabilities, incident data, tracking techniques, best practices, hacking trends, investigations methodologies on large scale attacks, and malicious activities.
- Organizing exercises and simulations.
- Avoiding emergence of safe havens through multilateral international and regional conventions, and through homogenization of legislations and regulations dealing with cyber crime, and cross-border cooperation.
- Establishing a regional consensus around common problems of cultural and national sensitivities, that may be particular to a region, like the issues related to illegal content, the IP, and sensitive subjects like religion in Islamic societies.
- Encouraging research and education toward a highly wired security engineering of the Internet, profiling, and criminal investigations.
- Harnessing criminal activities data, in ways that make intelligence development and investigation better streamlined and more cost effective.
Ambassador Henning Wegener
Let me offer a very few concluding remarks. I am grateful to the Secretary General for having moderated the session and to the colleagues for their participation. We had allotted the various aspects of our theme in advance, and I am glad that from the collective effort also a collective message has emerged: that we are entering, or rather are in the midst of, a digital universe permeating all segments of individual and societal life: the second digital revolution .The Secretary General has cited some of the key figures, the billions of digital participants, and the billions of extant and future digital devices – he spoke of 50 bn – all of them – in principle - vulnerable, from computers to mobile sets, tablets, embedded devices, RFIDs and sensors of all kinds. We must realize that every microprocessor chip is - in principle! - subject to cyber attack, and that the great majority of them remain unprotected. And they are not only interconnected, but the connection links are, as Professor Lehmann has pointed out, often automatic, and often irreversible. In the new smart factories of our time which are already revolutionizing production, digital devices do all the necessary by themselves, - unless cyber attack intervenes, in which case they will cease to do so, or do other undesirable things. In Professor Lindzen’s comment I perceived some nostalgia for the pre-digital age, longing for “unhooking”, even at the price of foregoing the benefits of these new technologies. The trouble is we cannot; we are caught, and have to face a fascinating, but very complex and perilous future. We all know what is coming, or is already with us: the Internet of Things with powerful computers shrunk to sugar-cube size, computers (smart phones included) integrated in our wrist watches, sewn in our cloth, mounted in our eye glass frames, often doing things automatically because so programmed.
I trust that another collateral message has also come through: that the ubiquitous presence and connectivity, and the exponential growth of interlocked digital devices also generate an exponential expansion of dangers in an interlocked digital world. Dr. Duggal has done well to emphasize that cyber conflict, borderless because of unforeseeable and often uncontrollable cascade effects, is one of the great hazards of our time, that the distinction between cyberwar, cyber terrorism and major cybercrime becomes blurred, and that cyber conflict threatens overriding network structures. Solange Ghernaouti has told us that the militarization of cyberspace proceeds apace, without anybody telling the gleeful cyber arms racers where to stop. The challenges of cyber security are enormous. Are we losing the battle? Have we already lost it?