Cyber Defense Is All About Political Decisions

One of the things democracies are least prepared to handle about a cyberattack is how quickly the response to it turns in to a a political controversey.

Defense officials responding to an attack quickly encounter bureaucratic roadblocks and geopolitical concerns they may be unprepared to navigate.
 
That was one of the main takeaways from a first-of-its-kind tabletop cyber exercise Estonia hosted in October.

CYBRID 2017 put European Union defense ministers in the hot seat as a fictional scenario “moved from a minor cyber incident up to a real blockade of communications systems that stopped a naval operation on the Mediterranean,” Estonian Defense Minister Jüri Luik said.

“At first, you were not able to recognise whether it was a cyberattack against just the personal computers of the people working there, or was it, for instance…a ransomware attack. And then it became more and more confusing,” Luik told reporters in Washington this week.

“There were more hacks, systems were down, computers stopped working, communications stopped working.”

“In the end, we ran into a situation where the whole military communications system was down, and the EU headquarters was not able to contact the ships on the Mediterranean, and there was no clear information about what had even happened to these ships. And from point to point to point, the ministers had to make a decision” about how to respond, he said.

The world hasn’t seen a “9/11-level” cyber incident yet, said Luik, whose country was on the receiving end of one of the most serious to date: A Russian attack in 2007 that shut down the country’s banks, media outlets and government websites. The events played out in CYBRID 2017 didn’t rise to that level either, but one of the things the exercise exposed was just how difficult it is to evaluate how bad things are.

“The biggest issue is that we have no baselines for such attacks,” Luik said. “Our capability to judge what has happened is very complicated, because we even don’t know what these terms mean — is it high-risk, is it low-risk? How do you assess the risk?”

That complicates a nation’s response. Something that can appear small, a seemingly random computer malfunction in an EU military office, can quickly “transpire into a strategic political issue,” said Kristjan Prikk, Estonia’s undersecretary for defense policy.
 
And when that happens, defense ministers have to “be willing to look into that, not on a technical level, but to understand what’s at stake and…tackle those at a strategic political level.”

The exercise revealed various roadblocks to effective response, including the reluctance to share information across political boundaries. Luik said there’s a natural hesitation to disclose vulnerabilities and talk openly about an attack, even among allies.

“The exercise showed us how demanding it is to communicate in order to pass the right information to the public in case of severe cyberattacks, especially on critical infrastructure,” German Defense Minister Ursula von der Leyen said after the exercise. It highlighted “how important the coordination of reactions on cyberattacks is. Coordination not only among EU member states but also amongst EU Institutions and also NATO.”

Once the decision has been made to involve other parties, whether that’s calling in treaty commitments for collective crisis management and security, or just informing critical infrastructure providers to be on alert, there’s still the question of how, exactly, to go about doing so.

So during CYBRID, Luik said, “the ministers had to answer the question, starting from, there is a drone above the EU international installation. Who has the right to shoot it down? Is it the host country or is it the international body? And ending with, the situation is so complicated we have to ask NATO for assistance: How would we do it?”

 “Let’s say you get attacked, a government facility gets attacked,” Luik said. “The immediate assumption would be that we should inform all the power stations, factories, etc., that this kind of attack took place.

“But … everything is classified. How do you share that information? And with whom? Whom do you call? The owners? The heads of the cyber defense units of those organisations?”

DefenseOne

You Might Also Read:

EU Nations Expand Their Cyber Defences:

US Is Not Drawing 'Red Lines' in Cyberspace:

 

« Maritime Cybersecurity: No Substitute for Testing
Thomson Reuters Create A Knowledge Meta-Graph »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyren

Cyren

Cyren is a cloud-based, Internet security technology company providing threat detection and security analytics.

EfficientIP

EfficientIP

EfficientIP helps organizations drive business efficiency through agile, secure and reliable network infrastructures.

baramundi software

baramundi software

baramundi software AG provides companies and organizations with efficient, secure, and cross-platform management of workstation environments.

Yubico

Yubico

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.

Fenror7

Fenror7

Fenror7 lowers the TTD (Time To Detection) of hackers, malwares and APTs in enterprises and organizations from 300 days on average to 24 hrs or less.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

TechArch

TechArch

TechArch helps customers to optimize their investments in cybersecurity by providing them independent and vendor-neutral consultation and guidance.

Newtech Recycyling

Newtech Recycyling

Newtech Recycyling specializes in the removal and disposal of IT infrastructure which has reached the end of its life cycle.

National CyberWatch Center

National CyberWatch Center

National CyberWatch Center is a cybersecurity consortium working to advance cybersecurity education and strengthen the national workforce.

ISA Security Compliance Institute (ISCI)

ISA Security Compliance Institute (ISCI)

ISCI, a not-for-profit automation controls industry consortium, manages the ISASecure™ conformance certification program for industrial automation and control systems.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Intechtel

Intechtel

Intechtel is a cyber security company, in addition to providing other internet, technology and telephone services.

TAV Technologies

TAV Technologies

TAV Technologies is a provider of technology services to the aviation industry in areas including airport infrastructure systems, digital transformation and cybersecurity.

META-Cyber

META-Cyber

META-cyber was founded by engineers with experience in process and control-protection to provide cyber security for industrial infrastructure.

Cyber Tzar

Cyber Tzar

Cyber Tzar is a new approach at dealing with an old problem; assessing and managing risks to your IT estate.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.