CYBERSEC 2016 in Krakow, Poland, featured four discussion threads, one of which was the state stream, which focused on a number of issues including the implementation of the EU's NIS Directive.
The NIS Directive was passed into law in July and requires the suppliers of essential services to meet new minimum standards for cyber-security. It also mandates that individual states adopt certain cyber-security measures and share information with other countries.
However, the Directive is not as strict or specific in its requirements as some countries would have wanted. Compounding this lack of detail, according to its critics, is the fact that implementation of the directive is up to the individual states, leading to inconsistencies in combatting a threat that crisscrosses national boundaries.
The first day of CYBERSEC was given over to breakout sessions, which aimed to address the challenges of cyber-security at the state level. On day two, the moderators of these sessions presented their findings to the full conference and this was followed by a panel discussion featuring notable figures from government, academia and the cyber-security industry.
I was delighted to be asked to chair the panel discussion on the state stream, and especially pleased to have a distinguished panel of speakers:
Baroness Pauline Neville-Jones – Member of the House of Lords and former member of the national security council, UK
Gen. Włodzimierz Nowak – Cybersecurity Plenipotentiary to the Minister for Digital Affairs and Director of the Cybersecurity Department, Poland
Zoltan Rajnai – Cyber Coordinator for Hungary and National Representative to ENISA
Tomasz Zdzikot – Under Secretary of State at the Ministry of the Interior and Administration, Poland
Melissa Hathaway – Senior Advisor, Project on Technology, Security and Conflict in the Cyber Age at Harvard University and author of the Cyber Readiness Index 2.0
Paul J. Dwyer – Partner, Security Intelligence and Operations Competency Leader at IBM
[Photo: Paul Dwyer, IBM and Tom Reeve, SCMagazineUK.com]
Baroness Neville-Jones told the audience that to her the significance of the NIS directive was limited. “What it does is announce that the EU is going to take cyber-security seriously and the single best thing it does is set up cooperation because that's a method for getting laggard states up the ladder,” she said.
However, there is disagreement on a number of points, for instance, the question of how far the private sector should be involved. Each industry sector faces its own cyber-security challenges. “I think there will need to be sectoral working groups,” she said. “I don't see how we can get a level of security across the EU without very considerable discussion among the telecoms companies and the energy companies.”
Will Brexit harm the UK when it comes to cyber-security? “I would hope and expect that the disruption by Brexit will be minimised by both parties [the UK and the EU]. I certainly can't see why that can't be the case in cyber where we continue to be an active part in the formulation in policy. We will need to set up a mechanism for consultation but I'm sure that reasonable people will ensure that happens,” she said.
Gen Nowak is lending his expertise to the development of Poland's new cyber-security strategy and cyber-security legislation, too, which is expected to become law in the latter half of next year.
“Our work is quite complicated. We have consulted widely with all the stakeholders in Poland. We started to discuss with energy and transport sectors because such actors must be supported by the central government. Why? Because some parts of this are associated with costs and we must take that into consideration, that these companies will have to pay money for these regulations,” he said.
However, he said it was vital to complete this work to ensure that all actors within the regulated industries were strengthened to minimise the number of weak links in the chain.
Prof Rajnai from Hungary described the Visegrad Four, a group of countries comprising Poland, the Czech Republic, Slovakia and Hungary. Together with the “plus two countries” – Bulgaria and Romania – they have been working on regional cooperation initiatives to address their shared cyber-threats.
“In my opinion it is important for us to work together in the Visegrad Group because we face similar challenges,” he said. “The common interest is very important. The Visegrad Group plus Romania and Bulgaria can cooperate in exercises in cyber-security and use common networks.”
Under Secretary Zdzikot said that cooperation is always hard and never easy, never more so than when discussing cyber-security in the CEE region, and that he believes the NIS Directive will play an important role in generating cooperation in the region.
“The simple way is to do everything by yourself. The NIS Directive enforces cooperation, forcing cooperation on many levels and in many areas, in the private sector, of course, but it enforces it even in the public area which is not always obvious in this particular moment,” he said.
I asked him to explain why a regional group was required within the EU when the problems of cyber-security are transnational and respect neither borders nor distance.
[Photo, left to right: Gen Nowak, Baroness Neville-Jones, Melissa Hathaway]
“One of the issues that came up is whether there is too much cooperation, too many groups, too many ways of cooperation,” he said, “but I don't agree – there is never too much cooperation… We have a pretty good formula because the V4 is growing and it is something that has far to go.”
Melissa Hathaway was one of the keynote speakers from day one of the conference. She has served in the administrations of two US presidents – President George W. Bush and President Obama – and has devised the Cyber Readiness Index, an analysis against seven criteria of the preparations that various countries are making for cyber-attacks.
She said the NIS Directive is directing governments to get organised and “develop a strategy and the capacity to deal with an incident and to be able to respond if there is a crisis that reaches across government borders”.
The directive is also singling out critical service providers and directing them to take steps to secure themselves.
The importance of these two steps is that countries in Europe are at different levels of maturity in their preparations for cyber conflict.
However, she cautioned the EU against adopting a compliance-based model for security. While it can help bring countries and critical services up to a minimum standard, incentives are needed to encourage organisations to go beyond that and also to speed up the rate at which they adopt the necessary measures.
She rejected the suggestion that even with these measures, the US would not want to work with all European countries on an equal basis and pointed to two programmes in the US that are helping to facilitate international information sharing: TAXII and STIX.
“But there is much more that needs to be done, in the US, UK, France and Germany and elsewhere, we all have a responsibility to share more information. We are not all sharing as much as we could, we all probably have more information about what is happening on the Eastern front that could be shared and I don't think that we perceive an overall existential threat to our security environment yet but when we do, maybe we will actually truly be in an alliance, sharing more information because we are all in it for the same thing,” she said.
Paul Dwyer from IBM agreed with the other speakers' points about the need for incentives. “We need to be ends focused rather than means focused,” he said, “because if we get caught up in the means we will end up exactly where the Baroness was saying and what General Nowak was referring to, where we will get overly focused on compliance.”
He said that cyber-security should not be viewed by organisations as a cost but rather as an opportunity to gather insightful information about how the business functions on a day-to-day basis.
Another challenge that countries face on a tactical basis is that often inter-state cooperation is based on informal relationships which could be dysfunctional in a crisis. “And if you are trying to coordinate on taking down a bad series of servers that are coordinating attacks, that takes a coordinated response across a lot of different organisations and one of the challenges we have today is that we are too reliant on interpersonal relationships rather than having the right formal relationships in place to require people to work together, because if you can't get that cooperation properly lined up, one or two countries or one or two law enforcement agencies not participating can undermine the efforts of all the other groups,” he said.