Recently an old colleague, Dr Andrew Rogoyski, came to lecture to our MSc students on how government deals with cyber security. Dr Rogoyski has studied the interactions between government and industry and his talk led to a key question for which there was a surprising range of views. The question? When and how should government get involved in cyber security?
The UK has the most Internet-centric economy in the G20 group of industrialised nations, according to research by the Boston Consulting Group released in March 2012. It estimates that the UK's internet economy was worth £121bn in 2010, more than £2,000 per person. Couple this with the knowledge that approximately 20 threats per second are discovered on the Internet, and it’s not surprising that the UK government lists cyber security as a “Tier 1 Threat”, alongside terrorism. However, recognising the threat is slightly different from actually doing something about it.
Governments now recognise that there is a strong economic advantage in having a secure digital infrastructure. In order to attract businesses to your economy, increasingly you need to demonstrate that your country is a safe place to conduct Internet-based business. Booz Allen reports on this aspect of a country with its cyber hub index.
Interestingly, the UK and the US are seen as the safest places for Internet-based business. This has resulted in several large corporations quietly reversing the recent trend to relocate business to the developing world to reduce costs. Ensuring security has become as important a business driver for governments as cost, if not more important. When a country loses its AAA credit score from a ratings agency, it makes headlines. I predict it will not be long before similar importance is attached to measures such as the Booz Allen cyber hub index.
But in order to ensure a safe environment, where does government responsibility end and business responsibility begin? In November 2011, the UK government hosted the first intra-governmental conference on the cyber threat, at which time they issued a revised cyber-security strategy. As well as discussing the usual topics of the threat from cybercrime, espionage and warfare, the conference saw the debate begin at governmental level as to where responsibility lies for protecting key assets on the Internet. When the national interest is threatened, responsibility for protection lies primarily with the state, but many governments are powerless in the case of the cyber threat, for a variety of reasons.
A significant difficulty in protecting critical national assets is that the Internet is primarily run by private companies or non-governmental organisations. That's true even in the case of critical national infrastructure such as utilities, which are vulnerable to attack via the Internet. Most of the infrastructure and services that underpin national digital infrastructures are run by private companies such as HP, Fujitsu, IBM, Verizon, BT and others. Even the key technologies that sit on top of the infrastructure are developed by private companies ranging from Google, to Microsoft, to Apple, plus a raft of much smaller start-ups, some of which you will never have heard of. The level of investment made by these companies dwarfs that made by governments.
For example, the UK’s National Cyber Security Programme is making available a total of GBP650 million (USD1.01 billion) over four years. This money is intended to be part of a programme whereby government works with businesses, as well as protecting governmental assets. But this money is lost when you think, for example, of cyber security company Symantec spending USD862 million in 2011 alone on research and development. Similarly, Microsoft spent USD8.7 billion in 2010 and Google USD3.7 billion. This disparity with individual government spend, together with the fact that governments are used to procuring systems over many years rather than at the speed at which Internet technologies change, means that governments find it very difficult to engage with private businesses.
So what have governments done in response to this situation? Well, they have acted in remarkably different ways.
For example, you might imagine the all-out attack on Estonia in 2007 would have led to an aggressive response. Instead it led to the formation of the Co-operative Cyber Defence Centre of Excellence (CCD COE). The purpose of CCD COE is to understand the cyber threat as it develops and thence to prevent those attacks. This is an approach which has received the full backing of NATO. Meanwhile, the EU has created the European Network and Information Security Agency (ENISA) to act as a hub for the exchange of information, best practices and knowledge in the field of information security.
Other governments have adopted a more militaristic approach. In May 2010, the United States Cyber Command, part of the US Strategic Command, became operational. Cyber Command is not just there for the operations and defence of specified Department of Defense information networks but also to carry out “full spectrum military cyberspace operations”. Similarly, Israeli Prime Minister Binyamin Netanyahu announced in May 2011 that the country would set up a cyber-defence task force to defend Israel’s vital infrastructure from cyber-attacks.
Regardless of style of approach, one common theme has emerged: the key to effective defence against the rapidly evolving threat is shared intelligence. The studies conducted by Dr Rogoyski showed that what business wants most from government is Information Sharing and Awareness Raising. And intelligence is one thing that governments do have.
Governments are now looking for ways of sharing sensitive information with those who are directly affected by it, information that they might otherwise be unhappy to share because it might reveal its source. In the US in 2011, the Department of Defense launched a new pilot programme, the Defense Industrial Base Cyber-Pilot, in which it shares classified threat intelligence with around 20 defence contractors or their commercial internet service providers. Although the initial scope of the Defense Industrial Base Cyber-Pilot was to help protect government networks, it doesn’t take a great leap of imagination to see how this can become a two-way process, especially in areas such as power, transportation and energy. The success of this scheme resulted in it being extended in September 2011 to include more private organisations. It has, however, highlighted in the public consciousness that the military are involved in protecting the Internet, and the debate continues as to whether it should be the Department of Homeland Security or the DoD that has such a responsibility. Either way, the positive aspect is that it is happening.
In the UK, the private sector is not necessarily waiting for government direction. For example, a financial services virtual task force has been formed by several large banks. This task force co-operates with the Metropolitan Police and exchanges information on threats and attacks as rapidly as possible. This has proved to be a very effective approach and has led to a number of successful prosecutions. Another information exchange is being set up by Intellect and ADS, UK hi-tech trade associations.
The emergence in 2011 of the infamous Stuxnet virus has highlighted how vulnerable critical national infrastructure is, and this has given a jolt to all those thinking about Internet security from a governmental perspective. Even if it were just a commercial issue, cyber security (and certainly the perception of it) can dramatically affect a nation’s fortune in the modern world. The fact that someone can potentially turn off the water and lights and stop the trains makes people think quite differently about what is a “stable” country, and will certainly influence anyone trying to decide whether to base their business in a country.
However, it is clear that unlike many historical threats to national wellbeing, this threat can only be checked by the closest collaboration possible between government and business. Business must be focussed on ensuring that this happens, and government must be more willing to share what it knows than it has been previously.
With news only this week that the Duqu virus (evil son of Stuxnet) has been found in the wild in a new variant, we can see that the threats are becoming more advanced and more persistent, and perhaps most worrying of all, more targeted. Governments and business have a relatively small window in time to put in place the necessary mechanisms to share information such that it can be acted upon quickly enough to prevent damage. Those countries that don’t do this will rapidly realise that whilst in the past people “voted with their feet”, these days people “vote with their mouse”, and it takes a lot less time to lose trust in the Internet age than ever it did before.