Ebook: Modelling Cyber Security: Approaches, Methodology, Strategies
Cyberterrorism and cybercrime are on the rise. One new webpage was infected every 4.5 seconds by malicious email attachments in 2008, five times more than the previous year. The normal computer user also has to fight against new ‘scareware’ or fake antivirus software websites (five new ones identified every day) and the ubiquitous spam. It seems clear that the more technology advances, the greater the increase in the number of threats. According to expert reports there were more than 237 million attacks on information security all over the world in the first half of 2005 alone. States cannot control cyber crime at the individual level and international cooperation is highly needed. Securing cyberspace is, however, extremely difficult, as it requires facing strategic challenges and cooperation between the public, private, military and civilian sectors of our society. It is therefore necessary to fully understand the characteristics, principles and challenges that underlie the development of secure information systems. This book is one of the first comprehensive attempts to address all the issues mentioned above and highlights the urgent need for a multidisciplinary approach to cope with cyber threats. It presents all the factors that need to be taken into consideration, rethinks current strategies and identifies urgent measures to be taken in order to minimize the strategic and economic impact of cyber attacks. This volume is divided into three parts: the first one revises various conceptual approaches to security, explaining concepts such as cryptography and how it is applied. The second part focuses on terrorist attacks and attacks on critical infrastructures, and the third part reviews European measures and legal issues. The final chapter also includes experts’ recommendations and proposals for a more secure cyberspace in the future.
Modelling Cyber Security: Approaches, Methodology, Strategies could be of great interest to engineers working on IT security and to everybody (from government departments to small companies and regular Internet users) concerned with the overall impact of security on the Net.
Securing cyberspace, however it is defined, is an extremely difficult strategic challenge that requires cooperation between the public and private sectors, military and civilian, of our societies. Cyberterrorism and cybercrime are on the rise. Almost all observers, with rare exception, share this view. The most important activities in the world today rely upon computers. It is therefore necessary to fully understand the characteristics, principles and challenges that underlie the development of secure information systems. Security should be considered within the entire context of information systems development and not in isolation. However, as Dr. Mouratidis has said (1), the information systems engineering and security engineering research communities traditionally work independently. “As a result of this situation, security is usually considered after the analysis, design and implementation of the system has been completed. Security mechanisms are enforced into the system without considering the overall design and this usually results in problematic systems and security vulnerabilities”. One should not forget that the security of a system is only as strong as its weakest part.
The Internet, which is now used as a weapon in the hands of terrorists and criminals, was not designed or created to withstand an environment under attack. Its protocols derive from the protocols of Arpanet, which was used by only a few scientists and researchers in a spirit of intellectual and scientific cooperation. Its evolution contributed to exceptional progress in many fields, social and technical, of human activity.
At the same time, however, its impressive interconnectedness is now the major cause of its vulnerability. Other causes of vulnerability are software flaws, users' behaviour, an inadequate number of cyber security specialists, the insufficient amount of money allocated to activate countermeasures, and the lack – in my opinion – of a comprehensive and multidisciplinary approach to cope with the cyber threats.
There is broad consensus that new methods for designing and engineering more secure systems are urgently needed. This implies more public intervention to fund research, as private companies usually neglect this type of investment. Another action to be taken is the internationalisation of efforts. Only international cooperation is likely to reduce, if not eliminate, the consequences of malicious attacks.
According to a Symantec report, the year 2008 was dominated by new web infections (one new infected webpage discovered every 4.5 seconds), by malicious email attachments (five times as many as the year before), by new ‘scareware’, i.e. fake antivirus software websites (five identified every day) which deceive users – myself included – and by spam (97% of business email) (2). In other words, the more technology advances, the greater the increase in the number of threats.
Another source, CERT/CC – the Computer Emergency Response Team Coordination Center – has identified thousands of computer vulnerabilities, the number of which increases exponentially year after year. According to a publication of IBM, in the first half of 2005 there were more than 237 million attacks on information security all over the world. States cannot control cyber crime at the individual state level and therefore international cooperation is highly needed.
Some believe that privateering can be a solution to cyberspace threats, though this is not without complications (3). The situation is similar to the time when weak states had to rely on privateers, namely pirates with government sanction (Letter of Marque). In fact, most states today are unable to cope with the exponential rise of cyber threats and the excessive costs of countermeasures.
The main characteristics, or properties, of security are: confidentiality, authentication, integrity, access control, non-repudiation, and availability. Normally, at least thus far, security is mainly considered a technical challenge, but other aspects should be considered. The human and social factors, for instance, may also have a significant impact on security. After all, security is a game of action and reaction.
Technology has altered and corroded the State's authority and strengthened non-state actors, in particular transnational crime and terrorist organisations. Cybercriminals and cyberterrorists have already “crossed over into the spectrum of information warfare”. As a consequence, states cannot control cybercrime at the individual state level. The Internet offers an ideal opportunity for cybercriminals to make money, organise attacks, and infect our democratic institutions and our economies, while remaining in perfect anonymity. It is therefore imperative to elaborate measures, both national and international, against high-tech criminal behaviour. Because our traditional laws are devised to protect physical property and physical ‘goods’, and not the virtual assets of the world of computers, our juridical systems need to be revised as well.
The internet allowed Islamic terrorism not only to become a global phenomenon but also to create a virtual community corresponding to the Umma of Salafism. In other words, as everybody can see, cyber-threats are likely to be a major problem in the years to come.
Of the ten information warfare trends discussed by K. J. Knapp and W. R. Boulton (4), I would like to mention only five: the various dangerous forms of cyber weapons, such as ‘e-bombs’; the fact that the private sector and non-critical infrastructures are the primary target, and that, should critical and/or military targets be hit, avoiding heavy retaliation ought to be a consideration as well; that cyber technology is increasingly used to influence public perception; that cyber technology is increasingly used in corporate espionage; and that cyber technology is increasingly used against individuals and small businesses.
Our NATO Advanced Research Workshop Operational Network Intelligence: Today and Tomorrow, held at the Italian Navy Arsenal in Venice in February 2009, tried to take all of these problems into account and to rethink present strategies and identify urgent measures to be taken in order to minimise the strategic and economic impacts of cyber attacks.
The book is divided into three parts. The first section addresses various conceptual approaches to security, and the issues connected to the conceptualisation of security itself; several actual methods employed for security purposes, beginning with the concept of cryptography and how it is applied; and the description of other security methods/systems. The section concludes with two articles that illustrate concrete examples of actual security approaches.
In the introductory article, Niv Ahituv explains why an open information society (OIS) is inevitable and how shared information may lead business to evolve toward one of two possible extremes: global monopolies or a much more creative and sophisticated form of management. OIS may also generate a magnified version of “1984”, or a better and improved process of recruitment and human communications.
The essay by Ari Vidali explores some of the root causes of the usability problem and how proper security practices are consistently being ignored or circumvented by the users. After all, the security of any information system is only as strong as its weakest link, i.e. human beings. The question is whether it is possible to reconcile maximum security, which requires a ‘closed system’, and maximum utility, which requires ‘openness’. Some very concrete proposals are put forward.
Haris Mouratidis describes a methodology that takes both the technical and social aspects of security into consideration, arguing that a security focus should be introduced throughout the development lifecycle. He believes that Secure Software Engineering (SSE) “is concerned with the unification of any area of research that can contribute to the development of knowledge (theoretical and practical), principles, practices as well as the establishment of a research agenda regarding secure software systems development”. In other words, SSE should become a real discipline.
Serena Lisi, a former student of mine, deals with an interesting problem: how to reconcile two different approaches to the theory of codes, the technological and the cultural and allegorical ones.
She is of the opinion that the two approaches are progressively merging together to create a new integrated and fuzzy approach along the line of thought of Burt Kosko, the well-known scholar author of Fuzzy Thinking: The new Science of Fuzzy Logic.
On the same subject, but from a mathematical and a revolutionary point of view, Gerardo Iovane demonstrates, with fascinating and sophisticated reasoning, that the sequence of prime numbers is deterministic, and not stochastic, as everybody has believed for several centuries. But the genetics of primality shows us a potential and intrinsic weakness of current security systems, since numerical security keys are based on prime numbers. The reaction to this threat – Iovane says – must be synergic. The conclusion is alarming: since we will probably have more accurate and rapid algorithms to generate numeric keys to crack code and data encryptions in the near future, it is high time to find new strategies, both technological and social. Otherwise, “the progress of knowledge could itself become a Trojan horse and defeat us”.
Dario Sgobbi, of the Italian Navy, contributes two essays to this book. His coauthors are Guglielmo Morgari (for the first paper) and Marco Paggio (for the second). The first contribution, which requires a sound knowledge of mathematical concepts, deals with asymmetric (public-key) algorithms. A possible classification of the various cryptographic techniques is presented, with particular emphasis on the RSA (an acronym from the names of R. Rivest, A. Shamir and L. Adleman) and Diffie-Hellman systems. It is worth mentioning here that Shor's algorithm (a quantum algorithm for integer factorisation) is important because it can – at least in theory – be used to ‘break’ public-key cryptography. In addition, elements of complexity theory are discussed, since evaluating the complexity of an attack shows whether that attack is concretely feasible.
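To make concrete why the complexity of factoring and of the discrete logarithm is what the paragraph above is about, here is an added illustration that is not part of the book or of the Sgobbi/Morgari paper: textbook RSA and Diffie-Hellman with deliberately tiny, constructed parameters (the classic p = 61, q = 53 and p = 23, g = 5 teaching values), beside the brute-force attacks that each system relies on being infeasible. With such small numbers trial division and exhaustive discrete-log search recover the private key instantly; at real key sizes they do not, and Shor's algorithm matters precisely because it would change that for factoring.

```python
# Added example, not from the book. Textbook RSA and Diffie-Hellman on toy
# parameters, plus the generic attacks whose cost is the security argument:
# factoring the RSA modulus n and solving the discrete log mod p.
# Requires Python 3.8+ for pow(x, -1, m).
from math import gcd, isqrt


def rsa_keygen(p, q, e=17):
    """Textbook RSA key pair from two primes (no padding, teaching only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)            # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def trial_factor(n):
    """Brute-force factoring. Cost grows with sqrt(n), i.e. exponentially in
    the bit length; this is the step Shor's algorithm makes polynomial."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    return None


def rsa_recover_private(pub):
    """Given only the public key, derive d once n has been factored."""
    n, e = pub
    p, q = trial_factor(n)
    phi = (p - 1) * (q - 1)
    return (n, pow(e, -1, phi))


def dh_exchange(p, g, a, b):
    """Diffie-Hellman: both sides compute the same secret from g^a, g^b."""
    A = pow(g, a, p)               # Alice sends A
    B = pow(g, b, p)               # Bob sends B
    return pow(B, a, p), pow(A, b, p), A, B


def discrete_log(p, g, h):
    """Exhaustive search for x with g^x == h (mod p); infeasible for large p."""
    x = 1
    for k in range(p - 1):
        if x == h:
            return k
        x = x * g % p
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)          # constructed toy primes
    c = rsa_encrypt(pub, 65)
    print("RSA ciphertext", c, "decrypts to", rsa_decrypt(priv, c))
    print("private key recovered from public key:", rsa_recover_private(pub) == priv)
    s_a, s_b, A, B = dh_exchange(23, 5, 6, 15)
    print("DH shared secret", s_a, "matches", s_a == s_b)
    print("exponent a recovered from A:", discrete_log(23, 5, A))
```

At the sizes used in practice the two search loops are the whole point: the modulus is chosen so that `trial_factor` and `discrete_log` cannot finish, and a defender sizing keys is betting on that cost, which is exactly the complexity-theoretic evaluation the chapter describes.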
The second paper deals with the security process, and analyses some classifications and properties of two technologies, which enhance the process itself: the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS).
In his essay, Paolo Campobasso warns that information warfare has moved beyond the military dimension and has begun to threaten the commercial world as well. In particular, the banking and services industries have at the same time become targets and “innocent” technical supporters of cyber terrorism. Therefore, there is great need for international response through close cooperation with the military and law enforcement agencies on all levels.
The paper by Esti Peshin presents an approach to protect Critical National Infrastructures via unidirectional connectivity, namely connecting them with less secure networks via real time physical unidirectional gateways (using a single fibre optic cable). This system eliminates the risks due to the standard incomplete IT security measures.
A case of critical infrastructure protection concerns the electricity distribution network. It is the case discussed by Pascal Sitbon in his paper, which deals with the security approach taken by the ERDF of Electricité de France for its pilot project of 300,000 smart metering points in view of the general deployment of the system in the country. It is worth mentioning that the world's largest smart meter deployment (to over 27 million customers) was undertaken in Italy by ENEL between 2000 and 2005. Obviously, due to the widespread distribution of this electronic device, there is an elevated possibility of cyber attacks, similar to the one made against the AMM (Automated Meter Management) of ENEL. The conclusion by the author is that all metering actors should be involved in a global security approach as early as possible.
The second section concentrates on terrorist attacks and attacks on critical infrastructures and concludes with various police and military force operations and approaches.
Anat Hochberg-Marom presents a marketing strategy to counter the global terror of Al-Qaeda's leaders. On the basis of her quantitative-statistical content analysis of the statements of Al-Qaeda's leaders, she finds that they adopt a ‘nihilistic-destructive’ approach and aim to destroy the Dar al Harb. The Jihad is considered the highest religious value (rated 41%), whereas the Ummah is rated only 25%. As radical movements behave as rational actors, it is possible to use rational models and theories to study their strategies and reduce their nefarious influence. A counter-marketing warfare is highly needed.
Another paradigm for countering Jihadism is offered by Antonio Guido Monno, more or less on the line described by Hochberg-Marom. His approach, however, far from being quantitative and statistical, reflects a sound historical knowledge of the Islamic culture, and advocates a strategy of defence against Islamic ‘fundamentalism’ that implies the use of scholars and experts of the Islamic world directly in the field of cyber-counterintelligence. Although cultures are not transmitted easily, it is possible to counter the “jihadist” interpretations of the Quran, which are not consistent with the tenets of classical Islamic theology.
Claudio Cioffi-Revilla uses deterrence theory to examine whether deterrence is feasible in cyber space (“Cyberia”). After discussing the conditions that make deterrence reliable, and introducing some key innovations made possible by computational social science (such as genetic algorithms), the author concludes that “the value of a deterrence strategy for ensuring cyber security seems to decline with the decrease of the formal organisational level of the potential attacker”. In other words, deterrence seems viable if the potential attacker is a State. In other cases, if the threatening actor is an individual or a clandestine organisation, the best strategy seems to be a preventive one.
The paper by Maurizio Agazzi defines our time as the collective intelligence era, in which an enormous quantity of information is shared through Internet platforms. Starting from this idea, the author focuses his research on the illegal underground economy and the malicious use of web forums by cyber-criminals. Phishing generator toolkits, password recovery tools, encryption and compression utilities, mobile viruses, credit card information, identity theft information, and so forth, are some of the goods and services which are traded from servers located in countries which do not combat cyber-crime activities. In particular, malicious botnet applications are some of the greatest threats, as exemplified by the case in Estonia. A prospective real-time system based on the artificial neural network model could perhaps be effective in identifying attacks right from the initial stages, on the condition that supranational coordination be possible.
Y. Elovici and A. Shabtai deal with the protection of critical information infrastructures (CIIs) from malware. These attacks may be conducted in the initial stages of conventional wars to achieve a strategic advantage in command and communication capabilities. The authors describe three alternative approaches to securing the networks: detection of malware by the network service providers (NSPs) to prevent innocent users from being exploited and used as launch pads for attacks on CIIs; protection of the CII overlay network; and detection of hidden botnets.
The centralisation of the protection of the CIIs is the strategy used in Italy, Domenico Vulpiani and Sergio Staro say in their paper. In fact, it is the Postal and Communications Police Service (a specialised Agency of the Italian State Police) which has the exclusive competence of protecting the critical information infrastructures of the country. For this purpose, a National Cyber Crime Centre for the protection of CIIs was instituted in 2005.
Moreover, this body is also entrusted with the prevention of and response to the various forms of cyber crime, such as common crimes, organised crime and terrorism.
The role of the Carabinieri Corps in the fight against cyber terrorism is described by Giovanni Cataldo. Specialised units of the Corps are trained to use the latest telecommunications interception technology. Obviously, no police force or intelligence agency is exclusively in charge of monitoring Internet sites. An Anti-terrorism Strategic Analysis Committee, whose members are officials from the security and intelligence forces, meets every week to decide synergic counter-measures.
The transition from cyber crime and cyber terrorism to something similar to a cyber war is examined by Ferdinando Sanfelice di Monteforte, who, starting from the NATO Declaration on Alliance Security of April 2009 that defines cyber attacks as “new, increasingly global threats”, refers to the recent attacks on Estonia and Georgia that were supposedly delivered by a State actor. The train of thought is complementary to the one suggested by Cioffi-Revilla, but whereas that author defines the technical rules of a possible retaliation, the Admiral examines the political conditions and effects of the same.
We come, at this point, to the last section of the ARW, which focuses on the European measures and several related legal issues.
The first paper in this section deals with the role of Europe in matching today's asymmetric threats. In the first part, Giancarlo Grasso underlines how the philosophy of the European Union is aimed at reconciling two apparently opposite concepts, security and privacy. The protection of human rights is one of the fundamental values at the basis of the EU's material constitution. In the second part, the author emphasises the necessity to pass from interoperability to network centric systems in the struggle against terrorism. Here, and in some other cases, the paper has a normative approach, though it also underlines some EU achievements (e.g., EDA, FRONTEX, ESRIF, etc.).
The second essay of the section is authored by Alessandro Gazzini and Andrea Rigoni. It adds new valuable information with regard to the steps taken by the EU to ensure information sharing among its Member States. Examples, such as ENISA (European Network and Information Security Agency), NEISAS (National and European Information Sharing and Alerting System), CIWIN (Critical Infrastructure Warning Information Network) and so forth, are considered by the authors, who also describe the many benefits of information sharing both for the Member States and private stakeholders. In short, information sharing (IS) is mentioned by the EU as “one of the key elements of a successful critical information infrastructure protection strategy”. Clearly, bi-directional trust is the pre-condition for IS to work successfully.
The last two contributions have a legal approach. The paper by Eneken Tikk deals with the antinomy between privacy and security and how it is managed in the EU context. Another point discussed concerns the difficulty of transmitting the personal data of EU citizens to NATO or non-EU States due to the stringent European legislation in the field. Another problem to be solved concerns the necessity of demonstrating the relevance that a given cyber incident has for NATO in order to activate the proper measures of the Alliance. Despite some difficulties, more cooperation between the EU and NATO is highly needed. Hence, the paper is in some way complementary to the two previous ones.
Last, and hopefully not the least, the essay by Ivo Paparela creatively expresses, in a non-traditional form, his question as to whether the legislation in the NATO countries, and in particular in Eastern European countries, is adequate and capable of supporting law enforcement agencies in their fight against cyber criminals. The conclusions, after having conducted research on some legislation on cyber activities, are – according to the author – pessimistic, though provisional. The reasoning seems to be correct, but he who writes these lines wants to emphasise that the responsibility for some statements in this essay is solely that of the author.
Some final proposals were elaborated in our Workshop. Each participant was asked to propose two or three concrete solutions in the area they personally felt was of critical importance.
What follows is a compendium of their proposals and ideas. Many conference participants presented more than one proposal, often in more than one area of cyber security. Therefore, the proposals have been arranged by argument in order to facilitate comprehension and identify common themes. Their compilation and organisation was carried out by Margot J. Wylie, BSc. at the University of Florence, one of our most brilliant students, to whom I want to express here all my gratitude and appreciation.
The proposals may be divided into general work areas, such as: research, the legislative and regulatory measures, co-operation, strategies, technical and economic measures. All recognised that to face the multifaceted problem of cyber security it was necessary to work on different layers, not only in their field of research and development, but also in all areas that are touched by questions of cyber security.
As far as research is concerned, several proposals regarded specific suggestions of methodology and approach. Essentially, a multidisciplinary approach was suggested in reference to the study of cyber security and crime. One suggestion specifically advocated the combination of methodologies, such as mathematical programming, object-oriented and agent-based modelling, and fuzzy logic with risk management tools, such as fault tree analysis, failure modes and effect analysis (FMEA), etc. to identify, monitor or predict possible disruption factors related to operational or social networks. Another was based on implementing marketing and management tools and concepts to better understand and analyse the global terror phenomenon and terrorist organisations and their use of the Internet.
Other proposals regarded the creation of multidisciplinary research centres and projects with experts coming from all sectors. From the presentation and discussions held during the conference, it became very clear that there is great need for collaboration between various areas and sectors of society when facing questions of cyber security. Several suggestions highlighted the need for the creation of an international network of cyber security centres of excellence. Others recommended that NATO hold a leading and important role in stimulating joint research projects and centres and that private, academic, law enforcement agencies, and military resources should be involved in such projects with the objective of developing active information defence and protection measures.
Other suggestions emphasised the need to create a merger between private and public institutions, and form serious, lasting forms of co-operation with research centres and universities.
Some research proposals focused on the specific objective of gathering information on cyber events. The aim of these proposals revolved primarily around obtaining the data necessary for gaining a clear understanding and picture of the global incidence of cyber crimes and threats, especially in regard to the protection of critical infrastructures. Although, as some participants observed, there are already existing initiatives that collect, aggregate and analyse cyber threats as part of an early warning system (see www.itu.int/cybersecurity), there are many possibilities to extend or expand the reach and the scope of such initiatives. In fact, it was suggested that an international observatory or observatories be created within the NATO or EU framework that would be able to systematically record cyber events. Should more than one observatory or centre be constituted, NATO would be able to compile all reports of threat analysis from the various centres, thus making the comparison of the threats and threat levels between member States possible. Several other proposals were of a specifically more academic or cultural nature. While it is evident that technical and legal measures are of paramount importance, not to mention co-operation and preparing viable and practical approaches in response to eventual real threats, the cultural aspect was certainly not ignored. Several proposals took a preventative approach, underlining the necessity of understanding the mechanisms and reasons for which people are drawn to visit extreme or radical websites and the motivations behind why they ultimately join extremist or radical groups, hence becoming threats in both our physical and virtual space. The creation of a research institute, possibly even of a virtual nature, composed of three to four interconnected centres was suggested.
The purpose of such an institute would be to monitor websites in order to understand what people are looking for or doing with a particular site itself. The scientists and academics involved ought to be comprised of specialists not only Western in origin, but also those from the regions from which extremist or radical cyber activity originates. From the information gathered and the conclusions made by the centres, preventative solutions aimed at facing threats even before they became serious would be possible. Proactive cultural activities and measures could then be realistically realised to stop or reduce the dissemination and propagation of radicalism.
It was also suggested that the centres of the research institute divide among them the topics relevant to cyberspace and send monthly reports to NATO and the interested states and governments.
On a general note, it was suggested that a culture of security ought to be fostered at the university level and that security considerations ought to be inserted in any project right from the beginning.
Other proposals were of an overlapping nature that seemed to interconnect the concepts of legislation, cooperation and the division of competence, wherein legislation not only addresses both the general and specific areas of cyber-security, but it is also delegated to various levels of government. Various forms of cooperation are proposed, as are assorted combinations of actors to be involved in such cooperation.
The need for the implementation of a certification process of IT/SW products was addressed by several participants in the conference. It was suggested that legislation be created to ensure best practice. It was also suggested that incentives be created to stimulate all solution providers to take security requirements into account and to follow best practice. Creating forms of sponsorship to ensure security measures from the beginning in solution development was suggested as well.
In discussing the content and management of websites, it was recognised that a legal problem exists when defining radical and extremist expressions on the Internet. How does a State or group of States, such as the EU or NATO, define these terms and give them parameters? How does one decide what is considered to be ‘unacceptable’? Several solutions were proposed regarding this issue. It was suggested that the EU legislation on incitement to hate and violence be integrated into the national legislation of each Member State. When dealing specifically with the removal of websites, Member States ought to agree on a notice and take down procedure. In cases where laws already exist, they must be implemented and they need to be effective. A possible solution to issues regarding legislative gaps, i.e. when no legal justification exists to remove or shut a website down, was to invite moderators of radical or extremist websites to discuss content and ask them to filter their information.
Making an inventory of all legislation and other legally binding acts regarding cyberspace and more specifically cyber-criminality that currently exist within the EU and NATO countries could possibly be a starting point for any initiative in the legislative field. It presents not only the possibility of determining what measures do and do not exist, but it offers the possibility of comparing the existing measures and their effectiveness as well.
It was also suggested that candidate countries (for instance, Albania and Croatia) be subject to a special audit in order to determine the level at which their internal legislation corresponds or not to the EU acquis on cyberspace and cyber criminality. This point was made with the reservation that excessive legislative standardisation and homogenisation be avoided.
The need to legislate and create regulatory institutions in the field of cyber security was discussed at length: it was recognised at the same time that an important division of competence must not be disregarded. In fact, it was pointed out that two fields of competence exist, as do two institutions. While NATO is, and ought to continue to be, responsible for operational and technical issues, the EU Commission is the body that is responsible for the regulatory aspects of cyber security. It ought to create regulatory institutions and set up security standards, modify laws and create them, where needed. The EU ought to work on the financial and legal aspects connected to the creation of these structures and inform the citizens of all matters connected to such activity.
What is essential, however, in perpetuating and sustaining cohesive and coordinated action is the close co-operation between NATO and the EU. The proposal, therefore, suggested that an apposite roundtable be created around which EU Commission and NATO representatives are equally represented and whose objective would be to ensure that the two institutions work more closely together and to guarantee a cohesive and rational development of the respective competencies.
Regarding information sharing, one proposal specifically addressed the need to develop policies and legislation at the EU level in order to ‘neutralise’ competitive behaviours on security information exchange platforms and forums, without which the exchange of information would most likely fail or lack content.
Co-operation was a dominant theme throughout the conference: it was understood that in order to fight cyber terrorism and crime, there must be co-operation. Suggestions ranged from proposals to involve each country's respective politicians and policy-makers when speaking of the security sector (to be managed within the EU context), to creating forms of co-operation to bring military and police forces together (within the NATO environment). On a broad scale, the EU and NATO organisations would need to remain in close contact. Other proposals emphasised the need to enhance co-operation not only between the respective governments, armed services and universities, but within these sectors as well. In all of these proposals, however, it was underlined that individual roles must remain delineated and separate, wherein the military must maintain its sphere of competence, the government must maintain its role and so forth.
To promote clarity and facilitate co-operation, it was proposed that an organisation or organisations on the civilian level comparable to those existing within the government or military be established.
A further proposal focused on security issues arising in the so-called ‘last mile’, in other words, security issues related to end user use. In fact, while large companies have the money to invest in the R&D of security systems to protect their business, small to medium sized companies or peripheral offices without the money to invest in security often remain, if not unprotected, highly exposed and vulnerable to attack.
Another weak point in end user use for small to mid-sized companies is the constant contact with local IT maintenance companies that work unsupervised in the vast majority of cases. The suggestion was to give this last mile more attention and, under the supervision of NATO, invest in creating a common policy. A workshop could be formed on the creation of inexpensive and certified common tools for the companies and entities exposed or at risk. It is important to note that, due to market mechanisms connected to the rules of competition, without the organisation and guidance of a public entity or the establishment of a public framework, such as could be done with the EU or NATO, economic agents will not come together to resolve these security issues.
The concept of information sharing was a common theme in the proposals that were made by the conference participants. While it was recognised that various experiences in security issues ought to be shared and divulged via solutions such as an interoperability platform based on web 2.0 or through the creation of Wiki on topics such as vulnerabilities, cyber incidents, and technical solutions, it was recognised that security concerns had to be respected when developing these systems or platforms. It was suggested that there be various phases of information sharing, beginning with less confidential material. A proposal was made to create a protected network specifically intended to link key players together and permit the safe transmission of classified information within the context of multi-level co-operation.
Internet surveillance was an important theme, addressed by several conference members. Surveillance, however, was tightly coupled with the concept of increasing public awareness of cyber security and giving the public a space to communicate with the authorities on questions of cyber security. One suggestion to increase public awareness was to establish an international security awareness day that would involve all levels, including small to medium enterprises.
As for cyber security itself, it was generally perceived that our ‘virtual’ boundaries are not as well protected as our physical boundaries and, therefore, it was suggested that measures be implemented to carefully monitor traffic over national, EU and NATO network exchange nodes.
In that cyber space ought to be considered a public space, proposals were also made to actively monitor the internet, just as the streets are (a pilot study in the Netherlands has already had some success). The surveillance proposal focused on involving end users in publicly policing our virtual community through the creation of a reporting centre responsible for monitoring suspicious activity on the Internet. All information gathered could then be passed on to NATO from the various reporting centres, where the information collected from each Member State could be systematically compared.
One proposal focused on the need to develop theoretical and practical models on radicalisation using actual law enforcement case files (as was mentioned by a conference participant, a separate ARW is dealing with just this topic). The model could then be used to improve the analysis capabilities by creating analytical tools which could be distributed to Member States by NATO.
NATO itself could be the forum within which various experience and the effectiveness of each Member State's tools are exchanged.
When speaking of actual strategies and practical approaches to address cyber security issues, cyber attacks or threats of any sort, it was recognised by many conference participants that role models and strategies have to be created, and that EU and NATO countries must be prepared to face future threats from ‘virtual’ space. Diverse solutions on how to prepare and be prepared on a practical level were proposed. The need to maintain an awareness of what is being done in the rest of the world or in the multitude of sectors that are daily faced with questions of security was pointed out by one conference member. One proposal advocated the establishment of a response convention that could be activated in the eventuality that a given country were attacked, a convention that would put response plans in place and that would stimulate the exchange of information on a tactical level. Another proposal urged the creation of exercises and drills to increase response capability by preparing response teams and operators for extreme situations.
It was also pointed out that many of the proposals and actual policies focus on the response to attacks and take a defensive approach. It was suggested that a think tank be instituted to develop offensive measures and, as a first step, learn the processes of deradicalisation.
Of the proposals made, many were technical in nature. In this broad category, it was possible to identify such themes as: the development of IT security systems and solutions, the use of hackers in systems tests, and, from a more economic perspective, the reduction in costs and time employed in the development sector.
In the proposals that dealt with systems and solutions development, it was generally recognised that today's networking is still based on protocols that are fundamentally not secure (IPsec and IPv6 being the evolution of TCP/IP), and therefore, a new and secure network protocol that incorporates security measures right from the initial development stage is in order. At the same time, it was pointed out that the file systems normally used to store and manage information, even in classified environments, do not guarantee the security of the information itself. It was proposed that a secure system be developed wherein security is considered throughout the development stages.
It was agreed that encryption methods ought to play an important role in securing not only the storage and management of information, but also its transmission over the network. The development of electronic labelling technologies was also suggested for the secure transmission of information over the networks.
One proposal specifically referred to finding new methods to increase the level of security of end users. While it is known that many advances have been made in biological parameters, not only was it suggested that the area of human emotions be explored, it was also suggested that the use of images ought to be researched to see how these might be applied and used in increasing the level of security in end user access.
It was also recognised that there ought to be set security standards and certification processes. In the meantime, however, there ought to be an immediate, if temporary, solution in assuring that our systems and network solutions are safe. One of the recurrent themes in the proposal session was that the security level of all systems and network solutions must be tested. The dominant idea was to involve or use hackers to test whether information systems are secure or not, be that via red teaming or launching a challenge to hackers to try and penetrate the test networks of a distributed and open source model. A variation of this theme was to create technical groups whose scope is to systematically attack systems in order to reveal any weak points that may exist.
Last but not least, practical aspects of an economic nature were addressed in several proposals regarding the fields of research and development. While it was clear that investments needed to be made in IT technology and research and that security measures and requirements ought to be incorporated right from the outset, it was also pointed out that both the costs and time invested in the research and development of actual IT security solutions and in the evaluation of such solutions had to be reduced.
At the end of this brief presentation of the main results of this Workshop, I feel it my duty to give my thanks to a group of colleagues and friends. First of all, I want to express my gratitude to Dr. Shai Blitzblau, University of Tel Aviv and co-director of the ARW, whose scientific and impressive technical know-how was indispensable for the success of the conference. His ideas and long experience animated the workshop. It only grieves me that, due to his overwhelming activities, he could not produce an essay for this book in due time. Thanks also go to my friend Paolo Lezzi, who, from his office of Maglan Group in Milan, helped in the difficult task of organising the event.
I owe heartfelt gratitude to Margot J. Wylie, already mentioned, for her intelligent, painstaking and enthusiastic work of synthesising the discussions held during the sessions. Without her contribution this presentation would have been much more difficult. Moreover, she is also to be credited for revising all the papers from a linguistic and publishing point of view.
My debt of gratitude also goes to my young colleague Ilaria Maltagliati, who assisted me in the long months of preparation of the meeting with intelligence, spirit of initiative, and enthusiasm. The same should be said of Serena Lisi, one of the authors in this book, whose artistic temperament and vivacious eclecticism contributed to the publicity campaign and formalities of the initiative. Both of them are working in the University Centre of Strategic and International Studies (CSSI).
Some other friends deserve to be mentioned here: Renate Cuda Sommerfeld, Jacqueline Marchal, Anna Maria Petruccelli, Reut Rahav, Pietro Stopponi, whose suggestions and clerical assistance during the meeting contributed to the success of the ARW.
Obviously, my thanks go to the key speakers who animated the discussions of the (about) eighty participants coming from fifteen countries of the world, and, in particular, to those of them – the major part – who put down in writing their ideas, and made this book possible.
Last, but not least, my deep gratitude goes to the Defence General Staff, and in particular to the Italian Navy which accepted to accommodate the ARW in its ancient and historical dockyard in Venice, and which offered an invaluable logistical support.
My gratitude also to the sponsors – Unicredit, Waterfall Solutions, Ispri/Cerpre, Agricola snc. – which contributed to make the costs of such an expensive city as Venice affordable.
All sectors of the society were represented at a very high level around the table: from the university, industry, banks, the military, police forces, computer scientists, lawyers, mathematicians, technicians, and so forth. Against the same threats they felt themselves a community: the only way to face terrorism and crime. Thanks to all of them.
Umberto Gori, Co-director of the NATO ARW, University of Florence, August, 2009
It is argued that computer networks proliferate to such an extent that individuals and organisations, for the most part, might as well give up in their efforts to protect most of their databases. Moreover, most of the information required for management decision-making processes is open and readily available on the web. As for individuals, it is not certain whether privacy is what they are looking for. The virtual community networks and the global social networks (e.g., Facebook, Linkedin, Youtube, and blogging) provide counter-privacy-seeking examples. Electronic information and on-line data analysis are accessible to everybody, be it an individual, a firm or a government. This eventuality heralds the dawn of a new era for society – the open information society (OIS).
This article focuses on organisations rather than on individuals. It explains why an open information society is inevitable and how this stage of societal development has almost been reached. In particular, the implications for organisation management are discussed.
The assertion presented is that shared information may lead businesses to evolve toward one of two possible extremes: global monopolies or a much more creative and sophisticated form of management.
As far as relationships between individuals and organisations are concerned, the OIS may generate either a new form of feudalism, in which the organisation fully controls its employees (“1984” augmented with information technology), or better and improved processes of recruitment and human communications.
With regard to the protection and the search for information, it is better to focus on tightening security for a very limited segment of the organisational information thus freeing up resources that may then be directed toward “legal” searches in open information depositories.
Maximum security requires, by definition, a “closed system” whereas maximum utility requires “openness.” Is it possible to reconcile these two extremes? Can a highly secure system actually be easy to use?
With the exponential adoption of technology, highly interconnected computer & telecommunications systems have become an indispensable component of modern societies. Our reliance on information technology has penetrated almost every facet of daily life. Our critical services, financial systems, transportation and commerce rely upon the confidentiality, integrity and availability of these systems. Notwithstanding some promising advances, networked systems remain highly vulnerable to attack and exploitation by hackers, cyber criminals and terrorists despite the significant efforts and investments that have been put forth to detect, deter and mitigate these threats.
Most experts agree that the security of any information system is only as strong as its weakest link: the human beings who create and use them. This paper explores some of the root causes of the usability problem and how proper security practices are consistently being ignored or circumvented by the very users and organizations they were designed to protect.
We propose that this reality must be understood and addressed in order for systems engineers to architect effective, easy-to-use security solutions that enhance rather than limit system utility. In our paper, we propose that the security systems of the future must be highly convenient, largely transparent to end users, fully integrated across security domains, threat aware, and able to modify security policies “on the fly” in response to changing threat environments.
In a culture driven by convenience, one-stop-shopping and near universal access to information, system users will continue to find ways to circumvent even basic security protocols if they are too onerous and burdensome. While highly complex, inter-connected systems will always have flaws that can be exploited, the vast majority of attacks on cyber-infrastructure are made possible because of human nature.
Technology has become an indispensable tool for modern societies. Has our reliance upon technology become a two-edged sword? We argue that as hackers, cyber criminals, and terrorists become more technically sophisticated, the very technology that contributed to the rise of the western world is being exploited as one of our greatest weaknesses by those with nefarious intent. Our paper concludes that to stem the tide, the security community must address some of these root causes of cyber insecurity.
In this paper we argue that, in order to develop the next generation of secure software systems, a security focus must be introduced throughout the development lifecycle. We also argue that security is not just a technical issue, and we explain how considering security issues from the earliest stages of the development process leads to the development of more secure software systems. After looking at the limitations and barriers of existing research and industrial approaches, with respect to the engineering of secure software systems, we briefly describe a methodology, which considers both the social and the technical aspects of security and supports the objective of considering security from the early stages of the software systems development. Moreover, we also argue that, in order to provide a security focus throughout the development lifecycle, we need to look at the issue collectively, rather than individually, by establishing a discipline that will form the basis of an in depth understanding of the security issues involved in the development of software systems; provide the appropriate knowledge and best practice to assist software and security engineers in developing secure software systems; and also educate system users on security related issues.
Cryptography may be considered a science in fieri; it is constantly evolving and being updated, in order to adapt to today's fast-changing scenarios. This paper underlines the coexistence of two different approaches to the theory of codes and protection of confidential information; the first and largely diffused approach emphasises technology (i.e. a scientific approach) and the second emphasises human perception (i.e. a cultural, allegorical, non-conventional approach). The two different approaches are gradually merging together to create a new integrated and fuzzy approach, which resembles those theories of systems and political science developed by Bart Kosko from the late 1990s to the present. In order to accept the aforementioned fuzzy approach, we need to accept a specific definition of the word cryptography, here intended as the theory and technique used to create secret codes, either in written form (encryption) or in visual form/jargon (steganography).
In this paper we will consider Evolutionary Information Theory, and pay specific attention to the application of prime numbers to cyber security and cryptography. Indeed, we will demonstrate that the sequence of prime numbers is deterministic, and not stochastic, as we have believed for several centuries. This implies that much attention must be directed toward the new scenario that has been formed of cryptosystems, encryption and ciphering in order to prevent cyber attacks and protect Critical Network Infrastructures.
While the classic symmetric encryption systems require a single key for both encryption and decryption, public-key systems are based on the existence of two distinct keys, one private and one public: the private key is never transmitted over any channel, and is therefore known only by its owner, while the public key is made publicly known. Public-key systems are thus extremely useful in open network scenarios, where not all users are known in advance, or where it is simply impractical to establish a secure channel with each of them over which to exchange symmetric keys for the ensuing communications protection. Asymmetric systems are very interesting from a mathematical point of view, since they are based on one-way trapdoor functions, which are invertible functions that are “easy” to compute in one direction and “difficult” to compute in the opposite direction, with the additional condition of being “easy” to compute in that direction if additional information (the trap) is available.
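The trapdoor property described in this abstract can be made concrete with a toy RSA-style function. The following is an added example, not code from the book or from the chapter's author; the primes 61 and 53, the exponent 17 and the message 65 are constructed values chosen only so that every step can be followed by hand. With such a tiny modulus the "hard" direction is trivially brute-forced and the trapdoor can be rebuilt by factoring n, which is exactly the point: the security of a real deployment rests on choosing n large enough that both of those routes become infeasible while the trapdoor holder's computation stays cheap.

```python
# Added example (not from the book): a toy RSA-style trapdoor one-way
# function showing "easy one way, hard the other, easy again with the trap".
# All primes and the message are constructed and far too small for real use.
from math import gcd, isqrt


def generate_keypair(p, q, e=17):
    """Return ((n, e), (n, d)). n and e are published; d is the trapdoor."""
    n = p * q
    phi = (p - 1) * (q - 1)          # computable only if p and q are known
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def forward(m, public_key):
    """Easy direction: modular exponentiation with the public exponent."""
    n, e = public_key
    return pow(m, e, n)


def invert_with_trapdoor(c, private_key):
    """Easy again when the trapdoor exponent d is known."""
    n, d = private_key
    return pow(c, d, n)


def invert_without_trapdoor(c, public_key):
    """Generic inversion is a search over the whole message space; cost grows with n."""
    n, e = public_key
    for m in range(n):
        if pow(m, e, n) == c:
            return m
    return None


def recover_trapdoor_by_factoring(public_key):
    """Rebuild d from (n, e) by trial division; feasible only because n is tiny."""
    n, e = public_key
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            p, q = candidate, n // candidate
            return pow(e, -1, (p - 1) * (q - 1))
    return None


def demo():
    # Constructed toy primes; a real key would use primes of hundreds of digits.
    public_key, private_key = generate_keypair(61, 53)
    m = 65
    c = forward(m, public_key)
    return {
        "ciphertext": c,
        "via_trapdoor": invert_with_trapdoor(c, private_key),
        "via_search": invert_without_trapdoor(c, public_key),
        "d_recovered": recover_trapdoor_by_factoring(public_key),
        "d_actual": private_key[1],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows all three inversions agreeing on the original message; only the cost differs, and that cost gap is what the choice of key size controls.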
Both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are technologies that will help to enhance the security environment of private sector companies and government agencies. These technologies provide visibility and also offer many other benefits related to the network monitoring activity. The IDS and IPS provide real-time monitoring of network activity, while also allowing the relevant information to be stored in order to perform data analysis and/or reporting at a later date. In the decision-making process, visibility has an important role since it allows a security policy, based on quantifiable real-world data, to be envisaged. The Intrusion Detection technologies, and, specifically, the host-based and network-based technologies, are divided into two categories depending on which technique is used to detect security events. The first is the Anomaly-Based technology, which is based upon behaviour, and the second is the Signature-Based technology, which is based upon knowledge. IPS and IDS technologies are only two of the many resources that can be deployed to increase visibility and control in a complex and critical network infrastructure. With these two technologies, the network will have a perimeter and core defence that can combat zero-day attacks and counter existing threats, as well as being able to render activity in the internal network visible and be capable of providing forensic analyses.
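The knowledge-based versus behaviour-based distinction in this abstract is easiest to see by running both detector types over the same traffic. The following is an added example, not code from the book or from any IDS product: a minimal signature detector (two textbook web-request patterns) and a minimal anomaly detector (per-source request rate compared against a baseline learned from known-good traffic) applied to constructed web-server log lines. The log format, the IP addresses and the threshold of mean plus three standard deviations are all assumptions for the sake of the example. The signature detector flags a request it has a rule for even at a normal rate, while the anomaly detector flags a source whose request burst matches no rule at all, which is the zero-day case the abstract refers to.

```python
# Added example (not from the book): signature-based versus anomaly-based
# detection over constructed log lines.  Log format, addresses and threshold
# are assumptions; nothing here is taken from a real IDS.
import re
from collections import Counter
from statistics import mean, pstdev

# Knowledge-based rules: patterns known in advance.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'[\s+]*or[\s+]*'?1'?[\s+]*=[\s+]*'?1", re.IGNORECASE),
}

# Constructed log format: "<unix seconds> <source ip> "<METHOD> <path>""
LOG_LINE = re.compile(r'^(?P<ts>\d+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)"$')


def parse(lines):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append({"ts": int(m["ts"]), "src": m["src"], "path": m["path"]})
    return events


def signature_alerts(events):
    """Knowledge-based: alert whenever a request matches a known pattern."""
    return [(ev["src"], name) for ev in events
            for name, pat in SIGNATURES.items() if pat.search(ev["path"])]


def learn_baseline(events, window=60):
    """Behaviour-based: requests per source per window during known-good traffic."""
    counts = Counter((ev["src"], ev["ts"] // window) for ev in events)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomaly_alerts(events, baseline, window=60, k=3.0):
    """Alert on any source whose per-window rate exceeds mean + k*sigma."""
    mu, sigma = baseline
    threshold = mu + k * max(sigma, 1.0)      # floor on sigma avoids a zero-width band
    counts = Counter((ev["src"], ev["ts"] // window) for ev in events)
    return sorted({src for (src, _), c in counts.items() if c > threshold})


def make_training_log():
    """Constructed known-good traffic: three sources, 2-4 requests per minute."""
    lines = []
    for w in range(5):
        for i, src in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
            for j in range(2 + (w + i) % 3):
                lines.append(f'{w * 60 + j * 10} {src} "GET /index.html"')
    return lines


# Constructed test window: one known pattern at a normal rate, one traversal
# attempt, and a burst from a new source that matches no signature.
TEST_LOG = [
    '600 10.0.0.1 "GET /index.html"',
    "605 10.0.0.1 \"GET /login.php?user=admin'+OR+'1'='1\"",
    '610 10.0.0.2 "GET /about.html"',
    '615 10.0.0.2 "GET /static/../../etc/passwd"',
] + [f'{600 + i} 10.0.0.9 "GET /search?q={i}"' for i in range(40)]


def run_demo():
    baseline = learn_baseline(parse(make_training_log()))
    events = parse(TEST_LOG)
    return signature_alerts(events), anomaly_alerts(events, baseline)


if __name__ == "__main__":
    sigs, anomalies = run_demo()
    print("signature alerts:", sigs)
    print("anomaly alerts:  ", anomalies)
```

Each detector misses what the other catches: the burst source never trips a signature, and the two rule matches sit well inside the normal rate band, which is why the abstract treats the two techniques as complementary rather than alternatives.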
Considering that one of the most dynamic and attractive segments of the commercial world is the financial sector, it naturally becomes a favourite target for information warfare, due to the direct impact an attack on this sector could have on economic stability. The infrastructures that support our use of information may either be used to carry out violence or be the target of violent acts; industries such as broadcasting, banks, stock markets and telecommunication companies are dependent on technologies, and a disruption of their systems can potentially cause serious harm to basic societal interests. All corporate leaders must be aware of the diversity of potential attacks and should plan and implement measures to defend their organisations. In order to assure secure information exchange between business partners, it is mandatory that all involved parties secure their business environments by implementing the appropriate security measures. There is a need for an international response wherein authorities and organisations alike use military expertise as consultancy or knowledge transfer in order to establish appropriate frameworks.
Critical Networks monitor and control the most valuable assets of national and homeland security and usually refer to operational, real-time networks. Ecosystems involving Critical Networks, on the other hand, often include inter-connections with external, Less Secure Networks.
There is a constantly increasing demand to connect Critical Networks to Less Secure Networks or ecosystems in order to enable more business processes and improve business continuity and day to day operations.
This paper describes three models of ecosystems that involve Critical Networks and Less Secure Networks, in which the role of the Critical Network differs within each of the proposed ecosystems:
1. Production/DCS (Data Control System) Network – An Industrial (Critical) Network (for example, an oil refinery) which is monitored by a Business Network within the organisation.
2. Remote Infrastructure Management – Assets (for example, data centres) within a Critical Network that are monitored by a third party support centre (for example, equipment vendors).
3. Lawful Interception – A Critical Network that monitors assets within External Networks (for example, Service Providers, Telecomm Operators).
This paper analyses the IT Security threats inherent to the above ecosystem models. It describes the pros and cons of the existing IT Security approaches for mitigating these threats, and presents a novel pragmatic approach that can completely eliminate these risks, while maintaining the business processes that require inter-connectivity.
In this article, we discuss the cyber security approach taken by ERDF (Electricité Réseau Distribution France) as a preliminary step in its smart meters deployment project. First, we focus on the emerging risks introduced by the new technologies and their usages. Then, we explain how and why we have to define high-level security objectives independently of the technical solutions, and conclude by emphasising the committed involvement needed from the whole metering community and supply-chain in order to achieve these objectives.
This study presents a new and unique perspective – the marketing perspective – to analyse and increase our understanding of the global terror phenomenon. Based on a quantitative-statistical content analysis of the statements of Al-Qaeda's leaders, I examined how a global terror organisation, such as Al-Qaeda, markets itself using the international media and the Internet between the years 2000-2008.
The findings reinforce the idea that Al-Qaeda's leaders consciously adopt a nihilistic-destructive approach and aim to destroy the “other” world, which, from their point of view, is not a “pure” and “authentic” Islam. They encourage the willingness to kill and to die in the name of God and emphasise that the Jihad activists are their primary agents for cultivating and distributing the “martyrdom culture”. Furthermore, Al-Qaeda and its partners utilise the Internet not only to intensify their power and radicalise the strength of the Jihadi image, but also to empower their worldwide strategic threat. By knowing “our enemy” and its uncompromising ideology and strategy, we can actively help to confront Al-Qaeda today, with counter-marketing-warfare, and undermine its discourse.
The complex relationship that exists between Islam and the Western world makes it necessary to enlist an increasing number of people who are capable of understanding these two cultures and of mediating between them. The Islamic world, in all its variety and diversity, becomes even more complex when it enters the West through immigration, where immigrants no longer have a purely superficial physical contact with the Western world, as was the case throughout the whole of the colonial period, but live within it. It is often the case that the products of both societies do not integrate, but tend to dis-integrate, not knowing to which world they belong. People using religious symbolism to pursue political ideas, opting for terrorism as their means of struggle, are able to exploit this sense of searching for an identity. This type of exploitation avails itself of the multiplier effect of the virtual world to bolster support; but without an adequate counterweight, this can cause damage which, while not irreparable, can impair our complex societies. This paper takes a fresh approach to counter this phenomenon which could prove to be extremely effective when contrasting this quest to enlist support.
Deterrence is an ancient strategy (as early as the 4th millennium BCE) based on defence and retaliation to prevent undesirable behaviour from a potential attacker. Specifically, deterrence—both classical and cyber-related—is based on a potential attacker perceiving an unacceptable cost and consequently refraining from attack. Similarly to nuclear deterrence, cyber-deterrence may be an effective strategy against foreign governmental attackers, who might refrain from attacking for fear of retaliation. However, cyber-deterrence may not be as effective against individual terrorist hackers or clandestine organisations that have a high propensity towards risks or simply believe they can attack with impunity. This paper outlines some solutions to the fundamental challenge of modelling deterrence in Cyberia and discusses theoretical and policy implications based on computational social science.
Human beings are experiencing new paradigms, such as collective intelligence, that contribute to levels of knowledge enhancement and information sharing unimaginable prior to the existence of the Internet. Nevertheless, these new paradigms are equally interesting for cyber-terrorist groups and for organised crime. This work analyses this new paradigm, which avant-garde cyber networks, drawing their vitality from the web's complexity, also use to express their developing dimension. This work focuses on the characterising aspect of advanced cyber criminal networks: the fast and broad movements along temporary trajectories. Mutation is an implicit aspect of their development, given that the Internet itself is constantly changing, together with interconnections that are enriched by collective experience.
Protecting Critical Information Infrastructures (CIIs) from attacks originating from the Internet is a great standing challenge. This article describes the challenges in protecting CIIs from malware and suggests three approaches. The first approach suggests purifying malicious traffic on public NSP/ISP networks in order to minimise the risk that innocent users, unbeknownst to them, will be exploited and used by the perpetrators as launch pads for attacks on CIIs. The second approach focuses on overlay networks established between CIs, where communication between CIs is mapped to underlying physical networks and the most critical routers are pinpointed, thereby enabling the cost-effective deployment of malware filtering devices. Finally, the third approach focuses on detecting hidden botnets, which often serve as a launch pad for Distributed Denial of Service (DDoS) attacks on CIIs.
The Postal and Communications Police Service is the central agency of the Italian National Police that has been entrusted with the prevention of and response to the various and multiple forms of cyber crime; approximately 2000 officers are located throughout the Italian territory. The protection of national critical information infrastructures (hereafter C.I.I.) that support and operate the vital points of the community has recently been added to its competences. The possibility that the security of a country may be compromised by cyber attacks of a terrorist or criminal nature on C.I.I. represents a real threat that is presently felt at both the national and international level. In Italy, in particular, a twofold solution had to be reached: firstly, the prevention of and response to any type of cyber crime against C.I.I. computer systems and networks; secondly, the exclusive assignment of this task to a specialized agency. In fact, art. 7 bis of Law 155 of 31.07.2005 states that the exclusive competence for protecting the critical information infrastructures of national relevance is devolved upon the Postal and Communications Police Service. Following the enactment of the Minister of the Interior's Decree on 09.01.2008, a National Cyber Crime Centre for the Protection of Critical Information Infrastructures (Italian acronym, CNAIPIC) was instituted within the Postal and Communications Police Service. This Centre is equipped with high technology resources and staffed with highly skilled personnel, and will be the sole office in charge of the prevention of and response to cybercrimes (common crimes, organized crime and terrorism) targeting national critical information infrastructures that have institutional functions or provide operating or controlling services strategic to the security and prosperity of the country.
The theme of the discussion is very topical due to the fundamental role that cybernetics and data transmission play in our everyday life. Often, each technological innovation brings, along with its benefits, risks for society at large. The Carabinieri are working in today's global scenario, certain that the only effective way to fight terrorism is through the concerted, coordinated and cooperative efforts of all possible resources in the areas of intelligence and investigations, where the control of the territory, both real and virtual, plays a pivotal role.
Just as with the air and maritime domains – namely those geostrategic spaces where police authorities are unable to carry out law enforcement activities independently without military assistance – cyberspace could also become the object of military attention, since, like the other two, it is an environment where adversarial activities can be carried out by state or state-sponsored actors within the framework of international controversies among states. Because the military was the first public sector to take serious steps toward ensuring adequate levels of security on its IT systems, and therefore holds an advantage in this field, military participation in questions of cyber security at the national and international levels could potentially be beneficial for all state agencies concerned with security issues of this nature.