The Cyberspace and National Security Report lays out the UK’s cyber security strategy; yet practical steps to enhance security are difficult to take. The increasing complexity and interconnectedness of networked services means that more openness and collaboration is required on the part of potential targets. Training, monitoring, co-ordination and research are all part of the necessary response to cyber security threats. The advantages of sharing information must be properly reconsidered to create an optimal response to threats. The new governmental Office of Cyber Security and the Cyber Security Operations Centre will take a lead in encouraging shared security measures.
A 'digital revolution' has irrevocably changed our global society. Through a massive explosion in online activity and social networking the world’s online population is now 1.5 billion and growing rapidly. More than 2 billion people have a mobile phone. Every day, this global community sends 210 billion emails and over 8 billion text messages. There are now close to 200 million websites, 133 million blogs, and the three most popular photo-sharing sites host a total of 20 billion photographs.
Cyberspace has become so deeply embedded in every aspect of our lives that we cannot untangle the ‘virtual’ from the ‘real’. Far from happening overnight, this transformation has taken a generation, and yet we are only now beginning to understand the nature and scale of risks that this increasing dependency brings. Cyber security has suddenly become a national security issue. The level of concern is evident in the publication of President Obama’s sixty-day review of cyber security, the UK’s own National Cyber Security Strategy, and is also reflected in the ‘Cyberspace and the National Security of the United Kingdom’ report, based on research undertaken by Chatham House in conjunction with Detica.
However, despite this growing collection of national strategies, the reality is that practical measures to implement cyber security are immensely difficult. The operations of most public and private sector organisations have become so cyber-dependent that wholesale changes to structures and processes, not only to meet the demands of cyber security but also to help build the bigger intelligence picture, present a major challenge.
What do we Mean by Cyber Security?
We use the term ‘cyberspace’ to mean the content of, and actions conducted through, the digital networks that combine to form our enormously complex, globally networked society. This includes, but is not limited to, the Internet, mobile phones, corporate computer networks and wireless networks.
In principle, ‘cyber security’ means the securing of cyberspace against a range of threats; however we also use the term cyber security to help articulate the vision of a Digital Britain and encompass security-related topics as diverse as information assurance, detection and prosecution of e-crime, and Internet governance.
We can group the malicious objectives of threat actors, including criminals, terrorists and nation states, into three categories (see Figure 1):
Stealing sensitive information held within cyber space
Subverting information communication technology (ICT) systems so that they carry out activities counter to the intentions of their rightful controllers
Preventing ICT systems from carrying out the tasks intended by their rightful controllers (often called denial of service).
Actors seeking to achieve any of these objectives will deliberately conceal their activities in the run up to an attack. Ironically, the victims, whether they are governments, companies or individuals, also tend to be secretive about attacks because of concerns about their standing and reputation. However, the increasing complexity of the threat and the globally interconnected nature of our activities now demand more robust organisational approaches. More open and effective collaboration is also required if attacks are to be detected and appropriate responses mounted.
An Operational Model for Cyber Security
The emerging cyber security strategies emphasise the need for greater organisation and co-operation in building up a better picture of the threat and delivering appropriate responses. Re-orienting business operations to better achieve cyber security thus depends on having a straightforward and appropriate operational model and a ‘concept of operations’ that covers cyber security planning and operations.
The left hand side of the model in Figure 2 depicts the global interconnectedness of cyber space, providing both a source for external threats and a means of amplifying the impact of threats from insiders, such as disaffected employees, or simple human error. The right hand side of the model shows information risk management, which guides planning and operations primarily through the development and application of appropriate information assurance policies and standards. The central axis of the model shows a number of layers:
Business systems and processes – and associated behaviour, responsibility and training – which must be consistent with the need to safeguard personal, organisational and national well-being in cyber space
ICT infrastructure, which needs to be designed both to enable business benefit and to enhance cyber security. This includes not just organisational behaviour but also development, standards and co-operation across the global ICT market
Threat monitoring, analysis and response, which reinforces ICT infrastructure in a way that maintains benefits to stakeholders but also manages vulnerabilities that can be exploited by opponents
Threat co-ordination, which provides situational awareness and a broad intelligence picture, as well as helping alignment with associated mission-based activities outside the cyber domain.
Finally, in the upper right hand corner of the model, technical research identifies new vulnerabilities and the techniques required to respond to them.
Overcoming Information-Sharing Challenges
Media coverage of cyber security issues has given significant exposure to the concerns of individuals about the detrimental effect that more extensive surveillance and monitoring may have on their privacy. While these concerns are real and need to be addressed, the information-sharing challenge inherent in this organisational model runs equally in the opposite direction: organisations that need to share information and build a better intelligence picture need to do so while maintaining secrecy around sensitive aspects of their business, for instance concerning the threat environment, detection techniques, covert response methods, or around other sensitive personal, commercial or classified material.
As ever with the sharing of sensitive information, organisations must take a risk-based judgement to balance the risk of disclosure against the benefits of sharing. However, information-sharing could be widened significantly by measures including:
Widespread deployment of sensitive signatures in such a way that operators may be told ‘something’ has been detected but without needing to know how
Communicating only a recommended response across secrecy boundaries, rather than also detailing the reasons.
The latter approach is widely adopted in the commercial sector: system operators are often supplied with patches by software vendors before the specific vulnerability has been disclosed. The commercial sector in particular has learnt that maintaining trust across the secrecy divide is critical to persuading those ‘outside’ to adopt the proposed measures without supporting evidence.
Crucial to this trust is sharing an understanding of the implications of recommended actions on the business infrastructure and operations of the customer. This implies an intimate engagement between those on the ‘inside’ responsible for cyber security and those on the ‘outside’ responsible for the normal operations of ICT infrastructure as well as other business systems and processes.
Government Influence over Cyberspace
There is a critical difference between the security of cyberspace and the security of other domains such as land, sea and air: in cyberspace, the domain itself is constantly changing through continuous and fast-paced innovation. Over the past few decades, this ICT explosion has delivered untold benefits in functionality and performance, but the resulting infrastructure is one in which security is typically only a secondary, and usually retrofitted, concern.
As we have seen, cyber security is now high on the agenda of governments worldwide. Their concerns are shared by public and private sector organisations, where significant progress has been made in the past few years in the development of new models that start to build security into the applications and infrastructure at a fundamental level rather than as a retrofit. However there is growing evidence that the market will not deliver greater security in cyberspace unaided or without intervention.
Where markets cannot find a solution on their own, there is a clear role for government. However, effective engagement would mean recognising the same challenges that face any other traditional mechanisms for market intervention. For instance, as with the global financial markets, regulation may be ineffective in global cyberspace if deployed at a national rather than an international level, and may also risk stifling innovation. In an era of economic downturn, subsidy may also be hard to justify and ineffective at a national level.
Advancing the UK Cyber Security Strategy
On 29 June 2009, the UK government launched the National Cyber Security Strategy, which introduced two new cyber security organisations: the Office of Cyber Security (OCS), in the Cabinet Office, and the Cyber Security Operations Centre (CSOC), a multi-agency body hosted by GCHQ.
The CSOC’s expected role presents a good fit to the top layer of the operational model presented in Figure 2, and they must remain alert to the challenges around suitable threat responses and information-sharing necessary to build a comprehensive intelligence picture. Across the operational model, there is a constant theme of co-ordination amongst disparate stakeholders: co-ordination could be improved where the OCS can provide strategic leadership and both cross-government and public-private sector coherence – for instance, by rationalising the many parties currently involved in delivering cyber security.
There is no way of completely eliminating all the risks associated with cyberspace. But a new operational model, combined with innovative technological solutions, can reduce these risks significantly without damage to the economic and social benefits of cyberspace. The UK has an opportunity to play a significant role in delivering a better and more secure networked sphere for tomorrow’s citizens and businesses. As well as helping to deliver the vision of a Digital Britain, this will put the UK in a strong position to create a world-class capability in cyber security that can be exported to a global market.
Head of Security Strategy