Cyber Defense Is All About Political Decisions

One of the things democracies are least prepared to handle about a cyberattack is how quickly the response to it turns in to a a political controversey.

Defense officials responding to an attack quickly encounter bureaucratic roadblocks and geopolitical concerns they may be unprepared to navigate.
 
That was one of the main takeaways from a first-of-its-kind tabletop cyber exercise Estonia hosted in October.

CYBRID 2017 put European Union defense ministers in the hot seat as a fictional scenario “moved from a minor cyber incident up to a real blockade of communications systems that stopped a naval operation on the Mediterranean,” Estonian Defense Minister Jüri Luik said.

“At first, you were not able to recognise whether it was a cyberattack against just the personal computers of the people working there, or was it, for instance…a ransomware attack. And then it became more and more confusing,” Luik told reporters in Washington this week.

“There were more hacks, systems were down, computers stopped working, communications stopped working.”

“In the end, we ran into a situation where the whole military communications system was down, and the EU headquarters was not able to contact the ships on the Mediterranean, and there was no clear information about what had even happened to these ships. And from point to point to point, the ministers had to make a decision” about how to respond, he said.

The world hasn’t seen a “9/11-level” cyber incident yet, said Luik, whose country was on the receiving end of one of the most serious to date: A Russian attack in 2007 that shut down the country’s banks, media outlets and government websites. The events played out in CYBRID 2017 didn’t rise to that level either, but one of the things the exercise exposed was just how difficult it is to evaluate how bad things are.

“The biggest issue is that we have no baselines for such attacks,” Luik said. “Our capability to judge what has happened is very complicated, because we even don’t know what these terms mean — is it high-risk, is it low-risk? How do you assess the risk?”

That complicates a nation’s response. Something that can appear small, a seemingly random computer malfunction in an EU military office, can quickly “transpire into a strategic political issue,” said Kristjan Prikk, Estonia’s undersecretary for defense policy.
 
And when that happens, defense ministers have to “be willing to look into that, not on a technical level, but to understand what’s at stake and…tackle those at a strategic political level.”

The exercise revealed various roadblocks to effective response, including the reluctance to share information across political boundaries. Luik said there’s a natural hesitation to disclose vulnerabilities and talk openly about an attack, even among allies.

“The exercise showed us how demanding it is to communicate in order to pass the right information to the public in case of severe cyberattacks, especially on critical infrastructure,” German Defense Minister Ursula von der Leyen said after the exercise. It highlighted “how important the coordination of reactions on cyberattacks is. Coordination not only among EU member states but also amongst EU Institutions and also NATO.”

Once the decision has been made to involve other parties, whether that’s calling in treaty commitments for collective crisis management and security, or just informing critical infrastructure providers to be on alert, there’s still the question of how, exactly, to go about doing so.

So during CYBRID, Luik said, “the ministers had to answer the question, starting from, there is a drone above the EU international installation. Who has the right to shoot it down? Is it the host country or is it the international body? And ending with, the situation is so complicated we have to ask NATO for assistance: How would we do it?”

 “Let’s say you get attacked, a government facility gets attacked,” Luik said. “The immediate assumption would be that we should inform all the power stations, factories, etc., that this kind of attack took place.

“But … everything is classified. How do you share that information? And with whom? Whom do you call? The owners? The heads of the cyber defense units of those organisations?”

DefenseOne

You Might Also Read:

EU Nations Expand Their Cyber Defences:

US Is Not Drawing 'Red Lines' in Cyberspace:

 

« Maritime Cybersecurity: No Substitute for Testing
Thomson Reuters Create A Knowledge Meta-Graph »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Huawei

Huawei

Huawei is a leading global ICT solutions provider. with end-to-end capabilities across the carrier networks, enterprise, consumer, and cloud computing fields.

Cloudera

Cloudera

Cloudera provide the world’s fastest, easiest, and most secure data platform built on Hadoop.

Norton Rose Fulbright

Norton Rose Fulbright

Norton Rose Fulbright is a global business law firm. Practice areas include Data protection, Privacy and Cybersecurity.

Checksum Consultancy

Checksum Consultancy

Checksum Consultancy specializes in Information security, Risk management, and IT governance.

CyberSAFE Malaysia

CyberSAFE Malaysia

CyberSAFE Malaysia is an initiative to educate and enhance the awareness of the general public on the technological and social issues and risks facing internet users.

Bugraptors

Bugraptors

BugRaptors is a certified software testing company with extensive experience as a third-party testing vendor, effectively proven as a leader in software testing & QA Services.

Reed

Reed

reed.co.uk is a leading job site in the UK, providing a full online service for anyone looking for a new job.

Palantir

Palantir

Palantir software empowers entire organizations to answer complex questions quickly by bringing the right data to the people who need it.

LogicalTrust

LogicalTrust

LogicalTrust security testing specialists find the weakest points in your company and show you how to fix them step-by-step, as well as how to improve your security.

link22

link22

link22 offers a high level of expertise within IT security and system solutions. We help public and private actors with highly secure IT-solutions.

Open Web Application Security Project (OWASP)

Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.

Unit 42

Unit 42

Unit 42 brings together world-renowned threat researchers, incident responders and security consultants to create an intelligence-driven, response-ready organization.

Zenzero

Zenzero

Zenzero simplifies technology adoption and supports our customers through managed and outsourced IT support.

CODA Intelligence

CODA Intelligence

CODA's AI-powered attack surface management platform helps you sort out the important remediations needed in order to avoid exploits on your systems.

ThoughtSol

ThoughtSol

Thoughtsol help brands grow through Digital Transformation enabling them to leverage the power of IT for an all-embracing impact on their businesses.

GetReal Security

GetReal Security

GetReal Security is the world’s leading authority on malicious digital content and deepfake protection.