The primary objective of the NATO Advanced Research Workshop (ARW) titled “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework” was to gather specialists who are well versed with the technical problems, case studies, legal and policy development issues related to securing critical cyber infrastructures and enhancing resilience. All aspects of research involving hardening systems, attack prevention, response and recovery, and maximizing resources was included in the ARW. Cyberspace touches nearly every part of our daily lives. It's the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power almost all nations. It is critical that we secure our cyberspace to ensure that we can continue to grow the economy and protect our way of life. Due to the significance and overarching impact of securing cyber infrastructures, a diverse range of scientific and technological disciplines must be tactically integrated to achieve effective solutions to various scientific, commercial, and operational requirements.
Cyber warfare has become a major concern for international governments, military and civil agencies. Uniform enforcement within organizationally or territorially-defined jurisdictions is nearly impossible given the global architecture of networks and significant number of system administrators, as addressed in the drafting of the 2001 Council of Europe Convention on Cybercrime. A recent wave of cyber-attacks against NATO member Estonia in 2007 and Georgia in 2008 highlighted the crippling impact cyber warfare can have against a nation's critical national infrastructure. The difficulties in responding to these events for a nation state are exacerbated by ownership, operation, and associated national legal systems. Cyber critical infrastructure and its telecommunication networks are owned by the private sector. Gaining situational awareness to an emerging attack is difficult, as organizations must independently determine when to engage law enforcement or governmental agencies. The construction of these systems is dictated by competitive advantage and profit motive, not national security. All of these factors require a public-private partnership in a coordinated national policy framework.
The devastating attacks in Estonia were distributed denial of service events, primarily focused on the financial system. The trend over the last decade to network previously isolated industrial control and monitoring systems has placed national assets, including critical infrastructure, at a much higher risk. Industrial control and monitoring systems are a subset of computer systems that are subject to cyber exploitation. Furthermore, organizations increasingly share information between business systems and local and geographically remote control systems. Security breaches can cause the loss of trade secrets and/or interrupt information flow, resulting in the loss or destruction of services or products. Even more devastating consequences include potential loss of life, damage to the environment, violations of regulatory statutes, and compromises to operational safety. Effective responses to these events requires a logical escalation method through information sharing based on a decision-making model. Threats to these systems can come in many forms such as terrorist, clandestine organizations, and even trusted insiders who misuse authority. Actions in the cyber eco-system outpace the ability of human decision making. Motives and attribution in cyber-attacks are difficult to ascertain. An understanding of the impacts for diverse stakeholders is required and must be fed into the situational awareness of the cyber event which warrants engaging national security apparatus for significant events.
Cyber infrastructures are typically secured by defending the perimeter of the information system. The grand challenges of information security thus cannot be addressed by advanced science or technology alone, but needs to be layered with a national policy context and with engagement of law enforcement, judicial, legislative, and national security agencies. Design of future technologies must enhance both system security and resiliency, and allow swift restoration to full operational capacity to minimize disruption of services. This will require an organized cyber policy framework that defines situational awareness, escalation, and national or super-national decision making for continuity of critical infrastructure and government.
This workshop aimed to develop a governing policy framework to enhance the cyber security of a nation state's critical infrastructure through a process of defining the problem, followed by engaging the participants in interactive “exercises” to illustrate the issues as listed below that provided understanding of the framework.
• Establish a national cyber risk governance model that defines risks and levels of risk tolerance under varying circumstances, assigns responsibility among various stakeholders for defining and managing assigned risks, sets risk management goals and metrics, and determines the conditions for evaluating and refining the model as circumstances warrant;
• Identify and allocate resources necessary to meet risk management goals; and
• Be codified in appropriate policy-setting mechanisms, chosen from those that are constitutionally available, including national or regional legislation, executive order, and non-binding coordinating framework.
The workshop aimed to address views of the conflicting elements of a cyber policy and to initiate a dialogue across key stakeholders in the following areas, such as identifying who is responsible for actions needed to protect government, critical infrastructure, and the civilian population from the effects of a cyber-attack; engaging members of the legislature and judicial systems in developing cyber policy; and understanding what is possible and who is responsible for protecting networks and infrastructure. Furthermore the technical operators must anticipate what the next attack type may be, its severity, and what additional resources might be necessary to help defend, in addition to enhancing prevention of cyber-attacks against the government, military, critical infrastructure and the nation's civilians.
In all, approximately 15 countries participated to experience rich technical contents at a venue with significant historical importance. The ARW site - Hotel Inex Gorica by Ohrid Lake offered an air-conditioned auditorium, sound system, internet connection, adjustable terrace seats, and space suitable for conferences, workshops and congresses. The facility supported formal and informal settings for structured and spontaneous learning and sharing of ideas. Lake Ohrid - the largest and most beautiful of Macedonia's three tectonic lakes, provided a serene mountain setting. With its unique flora and fauna characteristic of the tertiary period, Ohrid is one of Europe's great biological preserves. Most of the lake's plant and animal species are endemic and unique to Ohrid. In 1980, UNESCO proclaimed Lake Ohrid a location of world natural and cultural heritage.
The meeting lasted 3 days. The agenda was packed with sessions. The meals were arranged either in the city or at a walking distance from the hotel. This provided a much needed break from the conference room environment and most everyone stayed engaged despite the inevitable post-lunch slowdown. The unique balance of technical and social interactions materialized in alliances among participants, which have been evidenced by continued correspondence in the months following the ARW. The co-directors interpret the ongoing interaction and positive feedback from participants as an affirmation of a successful ARW. Such a constructive ARW is the outcome of efforts by participants, speakers, and co-directors in addition to a host of caring individuals who supported their work.
Much appreciation is extended to the management of staff at the Hotel Inex Gorica for their gracious hospitality to all participants. Logistics help from Dr. Anka Trajkovska and timely publication of abstract help from Dr. Anita Grozdanov is much appreciated. We offer our gratitude to Dr. Deniz Beten, the director of the NATO Emerging Security Challenges Division and Ms. Alison Trapp for their resolute encouragement and support of the ARW. The co-directors are confident that ARW participants will continue research collaborations that began in Ohrid, Republic of Macedonia to enhance safety and security for all mankind in Support of NATO mission. The ARW was supported by NATO – Emerging Security Challenges division of Science for Peace and Security program.
Eric Braman, Ashok Vaseashta, Anka Trajkovska, Anita Grozdanov, Ernest Drew, Petar Dimovski, Vilma Petkovska, Aleksander Risteski and Philip Susmann
Ashok Vaseashta, Philip Susmann, and Eric Braman