
Cyber Security Conference - Msps cybersecurity whitepaper

Date post: 24-Jun-2015
Upload: microsoft

Cybersecurity MORE THAN A GOOD HEADLINE

Protect more


2 CYBERSECURITY: MORE THAN A GOOD HEADLINE | OCTOBER 2011

Contents

Introduction

What is ‘Cybersecurity’?

Thought model

Social, Economic, Political, and IT Alignment

Strategies and Policies

ICT Infrastructure

National Projects and Solutions

Engagement

Conclusion

Introduction

Hardly a week goes by without news of cyber-related attacks on both governments and private companies. As a result, most governments today are looking to establish some form of Cybersecurity strategy. However, talking to different stakeholders reveals that the definition of Cybersecurity (or Cyberdefense) varies broadly and so do the approaches from policy, process, people, and technology perspectives. This is understandable since the Cybersecurity Agenda (or program) must be embedded in a country’s existing legal framework, find cultural and social acceptance, and be technically and economically feasible.

Many governments take an approach driven by the most recent incidents or news that captured public attention; that is, they are looking for ways to implement short-term, publicly visible actions that are often executed by a single government agency, such as National Defense. This leads to different definitions of Cybersecurity and different approaches to addressing it—all of which raises complexity within governments and creates additional challenges regarding international cooperation. Moreover, when governments change, the initiative is often realigned, or worse, restarted without taking experience into consideration. It may be moved from the civil side of the organization to the military/defense side or vice-versa. This situation satisfies neither the government nor the private sector—which plays a critical role in any Cybersecurity initiative—and harms the prospects for a clear and focused approach.

On the other hand, examples exist wherein governments successfully focus on the long-term success of a Cybersecurity strategy based on a sound risk-management policy at a national level.


So what is the critical success factor that governments taking a long-term approach have in common? Often they work toward a commonly defined cyber framework that is accepted across all government agencies.

Successful governments also see Cybersecurity as an enabler of a well-run Cybersecurity program—this being characterized by a close collaboration between the private and the public sectors as well as within the governmental organizations. Such an approach can enable new scenarios, attract investors, and provide the basis for economic growth. An efficient Cybersecurity Agenda can act as an accelerator on existing or planned IT investments or even industry investments and help to achieve faster returns.

This paper offers food for thought regarding a model that could be used to structure Cybersecurity initiatives and build a maturity model to ensure a long-term, sustainable approach to a government’s Cybersecurity Agenda.

What is ‘Cybersecurity’?

There are plenty of definitions in the market trying to build the context for such initiatives—and none of them are right or wrong. However, it is important to understand what the concept of Cybersecurity means in this paper.

Often it is seen in the realm of classic security:

Ensure the confidentiality, integrity, and availability of critical government data and systems.

This paper adopts a broader definition and includes the providers of the critical national infrastructure as well. The 2009 Cyber Security Strategy of the United Kingdom [1] provides a very good description of Cybersecurity:

Citizens, business, and government can enjoy the full benefits of a safe, secure, and resilient cyber space: working together, at home and overseas, to understand and address the risks, to reduce the benefits to criminals and terrorists, and to seize opportunities in cyber space to enhance the UK’s overall security and resilience.

This expansive vision includes areas such as Cybercrime as well.

[1] http://www.cybersecuritymarket.com/wp-content/uploads/2009/06/css0906.pdf


Thought model

The model shown here offers a structure for considering a Cybersecurity initiative within a government. It consists of five areas:

Alignment: The social and legal environment into which the agenda is embedded. The Cybersecurity principles must be closely aligned with these fundamentals.

Strategies/Policies: Based on the governance environment, there should be strategies and policies guiding the Cybersecurity agenda.

ICT Infrastructure: Protecting the critical national infrastructure (both government owned and non-government owned) must be a key priority of every Cybersecurity agenda.

National Projects and Solutions: On the foundation laid in the Alignment, Strategies/Policies, and ICT Infrastructure levels, tangible solutions can be securely delivered and operated.

Engagement: In addition to the more technical and process focus in infrastructure and solutions, engagement targets the people and the various stakeholders. So this area is mainly about collaboration and awareness.

Graphically it could be represented like this:

The following sections briefly touch on these different areas.


Social, Economic, Political, and IT Alignment

Any government activity must be based upon and fit the country’s current social, legal, and political environment. The legal system plays a key role when it comes to leveraging Cybersecurity to help to grow the economy. To become a trusted partner of both investors and other governments, a country needs the capability to fight Cybercrime and pursue criminals—not only within the country but on an international level. This also implies a commonly accepted understanding of what Cybercrime entails as well as multi-national assistance treaties.

Social norms and cultural trends must be included when building the behavioral norms. A typical example is the balance between privacy and security; what is the socially accepted level of individual privacy that will still allow law enforcement and intelligence to fight crime and terrorism? What is the limit beyond which a society is no longer willing to accept invasion into its privacy? There is no globally agreed-upon standard of what is right or wrong, but a standard does exist within each social context.

Finally, the decisions a government makes must make economic sense and help create a level economic playing field regarding national and international competition. The private sector cost to help drive Cybersecurity in a national context should not inhibit a company’s financial well-being; otherwise international competitiveness could be negatively affected, which might lead to lengthy policy debates and resistance from the private sector in the implementation of a coherent Cybersecurity Agenda.

Therefore, a well-targeted Cybersecurity Agenda must lay the foundation for a country’s economic growth.

The Cybersecurity principles of a country should reflect and embrace these influencing factors.


Strategies and Policies

Within the governance environment, a government must decide on its risk-based strategy and policy structures.

Supply Chain Security

Understanding and analyzing the supply chain is an important step. After all, essential services, processes, and functions are not monolithic entities but rather a composition of integrated sub-components, services, processes, and functions. Each of these subcomponents, in turn, is comprised of a supply chain. Understanding these complex and interdependent chains not only assists in the analysis of threats, vulnerability, and consequences, but also helps identify stakeholders and key providers that might otherwise be overlooked.

The current government approach to securing the supply chain is to certify products rather than the processes used to build the components that go into the products. But the security of products must be built in from the beginning and a vendor must ensure that its supply chain meets a certain minimum security standard. This is true for any kind of development model—on-premises as well as in the cloud. It is critical for vendors to follow stringent and repeatable processes to manage the risks in engineering and development. Further, these processes should be transparent, up to a given point, for customers. For certain applications self-attestation may be good enough—product certification alone might not help to achieve the necessary goals. However, it is likely that, where sensitive data is stored, a formal certification will be required.

Government Training

Addressing Cybersecurity topics and fighting Cybercrime requires governments to acquire a new skill set. The training of government employees within their areas of responsibility must be part of a joint effort between government and the private sector. The relevant technical and threat knowledge is often within the private sector; on the other hand, people in the private sector may require training similar to government employees. Collaboration that helps grow the network in both sectors is worth considering.

However, training entails a certain risk; people could become highly skilled in Cybersecurity but then fail to gain appropriate employment. Their potential for securing a good job in government or industry and the danger of them applying their skills for criminal activities should be carefully managed when selecting candidates for training.


In any case, a training strategy must address the constant need to keep training material and know-how current and aligned to the latest developments in technology and crime. Within the same context falls the need to recruit talented people, train them, and retain them. Often, governments tend to build their capacity, and then lose trained individuals to the private sector because they are unclear on how to grow these highly specialized people within their organization.

Internal Government Collaboration

Many initiatives start with an effort to improve collaboration between the private and public sectors. However, collaboration within the government and among its different agencies can be as large a problem as collaboration with other organizations—if not larger. Therefore, governments must define a clear strategy and clear policies to address and improve this situation; these should be supported and implemented from the top level of any governmental organization. Good practices in this area include streamlining the various Cybersecurity efforts in one government agency with sufficient funding and oversight. To be clear here, the bureaucratic problems far outweigh the technical. Existing organizations with existing authorities must make adjustments that are complex and hardly understood by politicians or societies.

Innovation

Cybersecurity is often seen as a measure to defend the country from Cyberattacks. However, if a government is able to drive a sound and targeted Cybersecurity Agenda, this can and will lay the foundation for growth of the country’s businesses and, therefore, economic growth. A comprehensive Cybersecurity agenda should include a perspective on economic growth and how to leverage the investments to accelerate this.


ICT Infrastructure

Government Infrastructure

Building a trusted and well-managed infrastructure is probably the best known and yet most-neglected discipline in the entire model. Securing an infrastructure has long been a challenge facing the IT industry. However, few infrastructure operators run their systems based on mature risk models—which are based not only on a gut feeling but on sound statistical models.

Most Cyberattacks target well-known vulnerabilities on older and unpatched operating systems and browser versions or systems that rely on weak administrator passwords rather than using advanced techniques. Basic security precautions are missing; these systems are typical “low-hanging fruit” for government implementation—and adversary exploitation. It is surprising that many successful attacks are not really sophisticated but rather straightforward, exploiting well-known, unpatched vulnerabilities.

Critical National Infrastructure

Protecting the critical national infrastructure is a key government goal—both in the physical and the cyber worlds. In IT, this should be done in close collaboration with the operators of the critical infrastructure as well as with key technology providers. These protection measures must be based on a nation-wide risk-management process.

Experience shows that the private sector and the government often hold differing views on risks. Private sector companies normally concern themselves with risks around their business operations; governments consider risks to the well-being of the country (even though governments must manage risks in their own infrastructure as well). These are fundamentally different angles and often private sector companies have a challenge making the transition. Therefore, governments and the operators of critical national infrastructure (including key technology vendors and service operators) must collaborate to establish a national risk management program; this will help them gain a joint understanding of the risks faced by the economy and the nation state and drive risk-mitigating activities. This collaboration is necessary because the critical infrastructure providers likely have a deep understanding of their operational risks since they run the infrastructure on a daily basis.


Identity

In today’s connected world, an individual might have different electronic identities with varying levels of trust (e.g., self-subscription and anonymous email accounts vs. verified, trustworthy identities for business-related transactions). Any measures taken in the interest of security must be based on a trustworthy identity. There are multiple and varied aspects to addressing the identity challenge for government employees, citizens, and the supply chain:

There must be trusted identity providers in an ecosystem; this might be the government, the postal services, the banks, or an Internet service provider, depending on the culture of any given country. If the government tends to change frequently, there might be limited trust, and a provider outside of government could be the better choice. There will likely be more than one provider depending on the trust level and the usage of an identity.

Identities should be able to federate. The term identity federation refers to a concept whereby identities can be shared across multiple platforms and organizations. Identities must be interoperable based on claims and standards; it is critical to follow industry standards when implementing an identity management system. Governments must be able to work with citizens, suppliers, and other governments (often other government ministries within the same country) in a trusted way—and this should enable ad hoc collaboration. No lengthy process and/or technology should be required to make this happen.

Often there must be a fine balance between authentication and privacy. Do citizens really want to use the same identity everywhere, which would make it much easier to correlate different activities? The ability to use attribute claims (e.g., someone is an employee of the government organization X) without revealing the true identity should be built into any identity strategy of a government.

Finally, trusted identities must be based on a process that can deliver enough certainty to the electronic identity; an in-person proving process, or something equally as stringent, is key.


National Projects and Solutions

With these measures in place, national projects and solutions can be operated within a trusted and trustworthy environment. Because the solutions now provide real value for the whole agenda/initiative, these will leverage the investments made in Cybersecurity. This is true for solutions and projects in the government space, such as public safety, defense, education, and health, and within basic government applications as well.

However, this approach is not limited to the government as such. It can and should be extended to the private sector companies, as well as the sectors themselves—finance, utilities, telecommunications, and others—which are part of the critical infrastructure.

Engagement

In addition to all of the technology and processes, there should be intense engagement both internationally and with different communities within a country.

International Collaboration

A government must decide on a strategy for international collaboration on different levels, such as within the various ministries—defense, intelligence, law enforcement, and so forth. This might drive new approaches for collaboration since time is critical in Cyberspace. Additionally, there must be a strategy on how to work with different international organizations, such as the UN, Interpol, and others, and which international frameworks to drive or to adopt (where they already exist).

Security Community

Many countries have a more or less active community of security researchers. Engaging in smart collaboration with these researchers, based on mutual trust rather than legislation and regulation, might help governments understand current and future threats and would help align the defensive strategy for the public as well as the private sector—as long as the security researchers are working within locally and internationally acceptable boundaries.

People Awareness and Education

Whatever measures are taken within a government and the private sector, the end user will always play a key role in any Cybersecurity initiative. This is true for the average citizen, for the government employee, and for the operators of the critical infrastructure as well as suppliers.


However, security considerations often stand between the end user and the most efficient way of doing business or achieving a goal. Security personnel sometimes forget that the cost/benefit equation of security for an end user tends to reach an improper balance: the relatively high cost (of not being able to do something) and low value. Many of the security measures implemented are for the protection of the ecosystem much more than the protection of an individual user. Implementing a Cybersecurity Agenda should be done from the viewpoint of the end user as well. What is the benefit? If there is none, there must be a regulatory consequence (e.g., a PC is taken off the network and put in quarantine until brought into compliance) or some other means of increasing an end user’s value in return for being compliant and behaving in a secure way.

Situational Awareness

Situational awareness can be defined as “what you need to know not to be surprised.” (Source: Jeannot, Kelly, & Thompson, 2003) Situational awareness probably cannot be done by the government itself since so much of the information, data, and intelligence is hosted in the private sector.

The government can act as a broker, turning information into intelligence and acting as a central point of trust in a network, but often the private sector—be it the critical infrastructure or the vendors—has detailed knowledge about what is happening on the Internet. Therefore, the government plays a vital role bringing all of the information together, and then redistributing the intelligence to the critical infrastructure. These channels must be established early on and may even enable a government to take a more proactive role in defending the network.

However, all of this intelligence is only useful insofar as the infrastructure can actively protect itself once a threat is detected.

Incident Response

The incidents that most concern governments are those attacking the critical infrastructure—and, by extension, attacking the well-being of society. Therefore, it is important to engage with the operators of the critical infrastructure, as stated in the fundamentals on critical infrastructure protection. There should be a constant engagement between governments and the critical infrastructure stakeholders to foster mutual trust since this is the basis for any efficient situational awareness and incident response. This also holds true for engaging with any type of security community such as security researchers.


Conclusion

Cybersecurity is included in many governments’ agendas and is on the minds of numerous politicians and bureaucrats. To run a successful Cybersecurity Agenda or program, a well-structured framework is critical—even if only certain parts of it will be addressed in the near term; it should provide for oversight to ensure the right priorities are established. This model can help any given country take the right approach to creating a Cybersecurity Agenda since the approach itself must be adapted to the relevant social, cultural, and economic priorities.

Further, governments should never run such an initiative themselves. Close collaboration with the private sector and the international community—as well as within the government itself—is absolutely necessary to achieve success in the cyberworld.

© 2011 Microsoft Corporation. All rights reserved.

