
Ebook: Cyber Defense – Policies, Operations and Capacity Building

Besides becoming more complex, destructive, and coercive, military cyber threats are now ubiquitous, and it is difficult to imagine a future conflict that would not have a cyber dimension.
This book presents the proceedings of CYDEF2018, a collaborative workshop between NATO and Japan, held in Tokyo, Japan, from 3 – 6 April 2018 under the umbrella of the NATO Science for Peace and Security Programme. It is divided into 3 sections: policy and diplomacy; operations and technology; and training and education, and covers subjects ranging from dealing with an evolving cyber threat picture to maintaining a skilled cyber workforce.
The book serves as a unique reference for some of the most pressing challenges related to the implementation of effective cyber defense policy at a technical and operational level, and will be of interest to all those working in the field of cybersecurity.
Military cyber threats are becoming more frequent, complex, destructive, and coercive. Nowhere is the ‘Fog of War’ thicker than it is in cyberspace. Indeed, it is difficult to imagine any conflict in the future that would not include a cyber dimension.
Exactly how to achieve better cyber defense varies from organization to organization and government to government. What is clear is that cyber defense should be addressed as we would any other critical risk – through identification, analysis, and resolution, whether by avoidance, acceptance, transfer, or mitigation. What makes cyber risk different from other risks, though, is the pervasiveness of its scope. It touches all aspects of an organization or a society, and, moreover, necessarily involves diverse, external actors.
Take a well-understood and well-managed risk: the risk of fire. We have extensive building codes, based on empirical data that define standards on everything from building materials, fire systems, entrances and exits. The response time—and response actions—for a fire department are similarly well-known and defined.
This is different for cyber. Static standards for security, as are possible with fire, do not work for cyber defense—technology is constantly changing. What each employee should do in the event of an incident is also harder to define. And, companies are very much reliant on external vendors (e.g., to patch their technology), and vendors have their own varied, internal risk management processes. Software vendors will not, cannot, and likely should not standardize the way that a fire department does.
This means that all of us need to take responsibility for increasing our defenses while realizing that we cannot control all aspects of our security—we will not be able to be perfect all the time. As our world becomes ever more cyber-enabled, we will necessarily continue to have risks and failures. Indeed, we need to think about cyber defense in terms of resilience. That is, being able to prepare for and adapt to changing threat conditions while withstanding and rapidly recovering from attacks to infrastructure availability. In other words, we must continuously get better at both defense and recovery—even while preparing to operate in a degraded environment.
Partnerships are crucial in this regard. This NATO Science for Peace Programme publication is a testament to the way NATO engages with partner nations and academia. I hope it also serves as a unique reference when it comes to some of the most pressing challenges related to implementing effective cyber defenses on the policy, technical and operational level.
Christian LIFLÄNDER
Head, Cyber Defense Section, Emerging Security Challenges Division, NATO Headquarters
Brussels, June 2019
Cyber defense of nations has been a concern for modern developed countries. However, concepts and concrete models for the practice of cyber defense have not yet been established. In this article, a framework model for cyber defense is proposed. Also, issues for Japan to build national cyber defense capabilities are examined.
By 2017 the cyber posture of the European Union had achieved an early stage of maturity. Some essential steps had been taken to allow its member states to benefit from a shared approach to national capacity development to support EU’s missions and operations. The Network and Information Security Directive had established an EU-wide standard for member states to follow and transpose in their legislation. However, in June 2017 the world learned of NotPetya – a malware attack, unprecedented both in terms of its global reach as well as destructiveness. Coming shortly after another malware attack, WannaCry, the effects of the two attacks served as a wake-up call for Europe, drastically changing the cyber threat picture and making it evident that the EU had only limited options for joint action against malicious cyber activities that could target the EU countries. The incoming Estonian Presidency of the Council of the EU, together with the European Commission, launched several new initiatives to overcome some of those gaps. This paper discusses the development of the EU’s cyber posture to date (Disclaimer: the contents of this paper were presented at the Cydef conference in Tokyo on April 4, 2018. As a result, it might not include reflections on any of the more recent developments between 2018–2019 in the EU that could be relevant to the topic of the paper at the time of publishing.) and analyses one of the areas where a joint response was agreed in 2017 – cyber diplomacy.
This paper aims to clarify the latest trends in Japan’s cybersecurity policies. Specifically, the paper first outlines the institutional development of the Japanese government, including the Basic Act on Cybersecurity and the formulation of the Cybersecurity Strategy based on the institutions. Then the paper focuses on IoT systems that are rapidly spreading and describes the contents of the Comprehensive Package of IoT Security Measures by the Ministry of Internal Affairs and Communications (MIC) and the trends of measures based on this.
Cyberspace is regarded as an important area of protection for national security, so much so that many countries have now formulated strategies and policies on cybersecurity. This article focuses on the concept of “resilience,” a keyword emphasized in recent years as part of such strategies and policies. The article examines and analyzes its background and positioning from the standpoint of the theory of deterrence in international politics. The purpose of this paper is to demonstrate that the concept of resilience in cybersecurity has been adopted from discussions in other fields and is used from the national security viewpoint to deter aggressors.
This work presents an old and a new approach for Cybersecurity. The old one, the Defense-in-Depth approach, was developed in 2002 by the U.S. DoD, and promulgated by the National Security Agency. This old approach is still effective in the present circumstances using the Hybrid Architectures for the On-Premises and Cloud Computing. Another approach, Data-Centric or Data-driven, was radically expanding under the edge technologies such as Big Data Analytics or Machine Learning. The Defense in Depth approach is the basic and valuable concept for the Cyber Defense. But some Information Technology staff were misleading and degrading this concept into the technology-specific aspects, such as “Multi-layered defense”. In the original concept, this approach includes People, Technology and Operation aspects. Then, we are working in the Cloud Computing Environments, so system or platform-centric approaches have lost their realities, and we must seek the new data-centricity in the Defense in Depth approach.
Offense in cyber is a field shrouded with myths and misunderstandings. Yet getting a better grasp of this world is crucial to identifying functional policies and better technologies.
Threats posed by cyber attacks have been increasing year by year, and such security risks, for most entities whether corporate, government or individuals, cannot be dismissed. There is ongoing effort on human resources development for cyber security measures by the governments and academia; however, it would be far too optimistic to assume that the current human resources are sufficient to deal with ever-evolving cyber attack techniques. As such, security operations that are feasible with limited manpower are desired. This paper will introduce research for efficient and effective security operations based on new technologies.
This paper starts by discussing and analyzing an attack found in the wild in a public dataset against Japanese Twitter accounts. We found that the traffic from a known Russian Information Operation was also congruent with a likely CNE effort focused on Japanese targets. It then goes on to discuss strategic countermeasures to this kind of effort for future development.
The progress of the internet has created a cyber evolution. The fourth industrial revolution, or Industry 4.0, is the first sign of the evolution. Japan, declared to be the world’s most advanced IT nation, strives to cope with the progressed internet in Japan. To this end, Japan has started to pursue the super smart society (Society 5.0). This paper expands on Japan’s story and the importance of cyber security methods. This paper concludes that the white listing method is hopeful.
The recommendations described are intended for the effective and holistic approach with the “body of knowledge” and its taxonomy, since usually the cybercrime unit will be exhausted by chasing the new technologies and new techniques introduced very quickly and frequently by cybercriminals.
This paper starts by discussing the changing character of war and emerging technologies, and then identifies the key skills needed to meet contemporary defense challenges from a defense leadership perspective. It puts forward strategic considerations around talent management, and the ecosystem of innovation, and concludes with proposed pedagogies that are best suited for this context.
Cyberspace is often described as the fifth domain of military operations, as equally critical to national and international defense as the domains of land, sea, air, and space. The success of military missions increasingly depends on the availability of cyberspace and freedom of action in it. Robust and resilient cyber defense capabilities are now required to support military structures, missions, and operations. Because of severe budget constraints and scarce resources, leaders see NATO’s Smart Defence and the European Union’s pooling and sharing efforts as pragmatic and coherent ways to generate the cyber defense capabilities. NATO member nations and EU member states need to face future challenges. As this work moves forward, cyber remains a dual-use sector that offers many opportunities to develop synergies covering several aspects of cyber defense and security, from competence profiles to research and development.
Cyber professionals are in high demand, and companies are struggling to find and retain skilled cyber security employees. This document will present some of the challenges of maintaining a skilled cyber workforce and try to share some possible solutions. It is divided into two parts: how to “attract” and how to “retain” the right people in order to maintain a skilled cyber workforce.