
Ebook: Cyber Security and Resiliency Policy Framework

Cyberspace is a ubiquitous realm interconnecting every aspect of modern society, enabled by broadband networks and wireless signals around us, existing within local area networks in our schools, hospitals and businesses, and within the massive grids that power most countries. Securing cyberspace to ensure the continuation of growing economies and to protect a nation’s way of life is a major concern for governments around the globe.
This book contains papers presented at the NATO Advanced Research Workshop (ARW) entitled Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework, held in Ohrid, the Former Yugoslav Republic of Macedonia (FYROM), in June 2013. The workshop aimed to develop a governing policy framework for nation states to enhance the cyber security of critical infrastructure. The 12 papers included herein cover a wide range of topics from web security and end-user training, to effective implementation of national cyber security policies and defensive countermeasures. The book will be of interest to cyber security professionals, practitioners, policy-makers, and to all those for whom cyber security is a critical and an important aspect of their work.
The primary objective of the NATO Advanced Research Workshop (ARW) titled “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework” was to gather specialists who are well versed in the technical problems, case studies, and legal and policy development issues related to securing critical cyber infrastructures and enhancing resilience. All aspects of research involving hardening systems, attack prevention, response and recovery, and maximizing resources were included in the ARW. Cyberspace touches nearly every part of our daily lives. It is the broadband networks beneath us and the wireless signals around us, the local networks in our schools, hospitals and businesses, and the massive grids that power almost all nations. It is critical that we secure our cyberspace to ensure that we can continue to grow the economy and protect our way of life. Due to the significance and overarching impact of securing cyber infrastructures, a diverse range of scientific and technological disciplines must be tactically integrated to achieve effective solutions to various scientific, commercial, and operational requirements.
Cyber warfare has become a major concern for international governments and for military and civil agencies. Uniform enforcement within organizationally or territorially defined jurisdictions is nearly impossible given the global architecture of networks and the significant number of system administrators, as addressed in the drafting of the 2001 Council of Europe Convention on Cybercrime. The wave of cyber-attacks against NATO member Estonia in 2007 and against Georgia in 2008 highlighted the crippling impact cyber warfare can have on a nation's critical national infrastructure. A nation state's difficulties in responding to these events are exacerbated by questions of ownership, operation, and the associated national legal systems. Cyber critical infrastructure and its telecommunication networks are owned by the private sector. Gaining situational awareness of an emerging attack is difficult, as organizations must independently determine when to engage law enforcement or governmental agencies. The construction of these systems is dictated by competitive advantage and profit motive, not national security. All of these factors require a public-private partnership within a coordinated national policy framework.
The devastating attacks in Estonia were distributed denial of service events, primarily focused on the financial system. The trend over the last decade to network previously isolated industrial control and monitoring systems has placed national assets, including critical infrastructure, at a much higher risk. Industrial control and monitoring systems are a subset of computer systems that are subject to cyber exploitation. Furthermore, organizations increasingly share information between business systems and local and geographically remote control systems. Security breaches can cause the loss of trade secrets and/or interrupt information flow, resulting in the loss or destruction of services or products. Even more devastating consequences include potential loss of life, damage to the environment, violations of regulatory statutes, and compromises to operational safety. Effective responses to these events require a logical escalation method through information sharing based on a decision-making model. Threats to these systems can come in many forms, such as terrorists, clandestine organizations, and even trusted insiders who misuse their authority. Actions in the cyber ecosystem outpace the ability of human decision making. Motives and attribution in cyber-attacks are difficult to ascertain. An understanding of the impacts on diverse stakeholders is required and must be fed into the situational awareness of the cyber event, which warrants engaging the national security apparatus for significant events.
Cyber infrastructures are typically secured by defending the perimeter of the information system. The grand challenges of information security thus cannot be addressed by advanced science or technology alone; they need to be layered with a national policy context and with engagement of law enforcement, judicial, legislative, and national security agencies. The design of future technologies must enhance both system security and resiliency, and allow swift restoration to full operational capacity to minimize disruption of services. This will require an organized cyber policy framework that defines situational awareness, escalation, and national or supra-national decision making for continuity of critical infrastructure and government.
This workshop aimed to develop a governing policy framework to enhance the cyber security of a nation state's critical infrastructure through a process of defining the problem, followed by engaging the participants in interactive “exercises” that illustrated the issues listed below and provided an understanding of the framework, which should:
• Establish a national cyber risk governance model that defines risks and levels of risk tolerance under varying circumstances, assigns responsibility among various stakeholders for defining and managing assigned risks, sets risk management goals and metrics, and determines the conditions for evaluating and refining the model as circumstances warrant;
• Identify and allocate resources necessary to meet risk management goals; and
• Be codified in appropriate policy-setting mechanisms, chosen from those that are constitutionally available, including national or regional legislation, executive order, and non-binding coordinating framework.
The workshop aimed to address views of the conflicting elements of a cyber policy and to initiate a dialogue across key stakeholders in the following areas: identifying who is responsible for the actions needed to protect government, critical infrastructure, and the civilian population from the effects of a cyber-attack; engaging members of the legislature and judicial systems in developing cyber policy; and understanding what is possible and who is responsible for protecting networks and infrastructure. Furthermore, technical operators must anticipate what the next attack type may be, its severity, and what additional resources might be necessary to help defend, in addition to enhancing prevention of cyber-attacks against the government, military, critical infrastructure and the nation's civilians.
In all, approximately 15 countries participated, experiencing rich technical content at a venue of significant historical importance. The ARW site, Hotel Inex Gorica by Lake Ohrid, offered an air-conditioned auditorium, sound system, internet connection, adjustable terrace seats, and space suitable for conferences, workshops and congresses. The facility supported formal and informal settings for structured and spontaneous learning and sharing of ideas. Lake Ohrid, the largest and most beautiful of Macedonia's three tectonic lakes, provided a serene mountain setting. With its unique flora and fauna characteristic of the Tertiary period, Ohrid is one of Europe's great biological preserves. Most of the lake's plant and animal species are endemic and unique to Ohrid. In 1980, UNESCO proclaimed Lake Ohrid a site of world natural and cultural heritage.
The meeting lasted three days. The agenda was packed with sessions. The meals were arranged either in the city or within walking distance of the hotel. This provided a much needed break from the conference room environment, and almost everyone stayed engaged despite the inevitable post-lunch slowdown. The unique balance of technical and social interactions materialized in alliances among participants, as evidenced by continued correspondence in the months following the ARW. The co-directors interpret the ongoing interaction and positive feedback from participants as an affirmation of a successful ARW. Such a constructive ARW is the outcome of efforts by participants, speakers, and co-directors, in addition to a host of caring individuals who supported their work.
Much appreciation is extended to the management and staff at the Hotel Inex Gorica for their gracious hospitality to all participants. The logistics help from Dr. Anka Trajkovska and the timely help with publication of the abstracts from Dr. Anita Grozdanov are much appreciated. We offer our gratitude to Dr. Deniz Beten, the director of the NATO Emerging Security Challenges Division, and Ms. Alison Trapp for their resolute encouragement and support of the ARW. The co-directors are confident that ARW participants will continue the research collaborations that began in Ohrid, Republic of Macedonia, to enhance safety and security for all mankind in support of the NATO mission. The ARW was supported by the NATO Emerging Security Challenges Division, Science for Peace and Security Programme.
Organizational Support
Eric Braman, Ashok Vaseashta, Anka Trajkovska, Anita Grozdanov, Ernest Drew, Petar Dimovski, Vilma Petkovska, Aleksander Risteski and Philip Susmann
Editorial Team
Ashok Vaseashta, Philip Susmann, and Eric Braman
Securing digital assets is an extremely difficult and strategic challenge worldwide that requires technology, cooperation between the public and private sector, military and civilian education and training, and a legal and policy framework. Unfortunately, cyber-crime and cyber-terrorism are on the rise, and the perpetrators operate from shadows without boundaries. The technology that is developed to enhance our capabilities has the capacity to inflict harm by way of misusing information, pilfering financial assets, and jeopardizing the safety, security and integrity of our critical infrastructure. The nature of the technology and our growing reliance on its reliability and security opens vulnerability on a personal to national scale. A cyber-attack by small groups or individuals capable of large consequence is now a reality. Nation states and significant sub-national actors are developing skills to promote political motives in cyberspace, with cyber crime as the noise that obfuscates the methods and tactics of cyberwar. Cyber-wars are always ongoing; however, events such as a “Cyber-9/11” or a “Cyber Pearl Harbor”, though possible, cannot be predicted. Cyber-war has escalated in a pervasive manner, with advanced persistent threats infiltrating our national security and defense industrial base systems. Urgency exists worldwide to define a national cyber policy to enhance resiliency in the cyber domain. This requires examining consequence and probability while exploring methods for escalating the response. Defining what indicators and warnings will engage a national response to a cyber event is a representation of national capability and priorities. At what point do nations collaborate with national partners to respond as a region? Each national policy will mirror the will of the society and government adopting those tenets, but some basic parameters help to guide the development of the policy.
The policy must be tested and processes developed and exercised to ensure resiliency. A critical element of national policy and regional collaboration must be the development of national and regional cyber exercises and war-games that hone response and refine capability. Finally, cooperation across multiple nations requires the development of trust initially to create the legal framework for sharing information and resources.
The millennium project was created through intensive development of ICT systems in support of E-Government applications, which enable administrative authorities in several countries and municipalities that have considered E-Government a helpful tool for better informing the public, changing the quality of their core business services to citizens, and improving constituent satisfaction. E-Government was usually initiated by different authorities and refers to government use of technology, particularly web-based Internet applications, to enhance the access to and delivery of government information and services to citizens, business partners, employees, other agencies and government entities. We noticed that in several stages of the development of E-Government there were security vulnerabilities in government services, as sensitive information remained accessible to different subjects, citizens, and institutions of government. In this article, we will highlight how to improve the security of E-Government services and overcome the problem of potential malicious or improper usage. The Ministry of Information Society of the Government of Montenegro initiated an ambitious e-Government project based on a Multipurpose E-Government Web Portal with an e-Service generator, payment gateway and delivery service included, serving as “a one stop government” for all end-users (citizens, business, and government agencies).
We live in a well-connected and technology dependent world. People, institutions and companies have an increasing need for communication in everyday life. Global and seamless connectivity today is enabled by a complex telecommunications infrastructure consisting of a large variety of different technologies, which are in a continuous process of development and innovation. But global connectivity and easy access to modern technology also enable malicious users and their activities. These activities might be of a different nature, ranging from passive monitoring to destructive attacks disabling the normal operation of ICT (information and communication technology) infrastructure. Therefore, security issues of the telecommunication infrastructure must be thoroughly addressed by all relevant stakeholders. Although each technology includes certain security mechanisms, it is necessary to create a well-designed security concept for the infrastructure as a whole, taking into consideration not only the technical issues but also the policy framework and legal aspects. The concept must be subject to constant revision in order to stay up to date with current threats. Therefore, the network infrastructure must always be monitored and analyzed in order to create efficient measures against the security threats. The telecommunication infrastructure in the Republic of Macedonia is owned and operated by state institutions, telecom operators and providers, other companies, universities, etc. All of them face a number of malicious activities and attacks exploiting vulnerabilities of the systems, which are well monitored and statistically analyzed. Also, all of them have defined a more or less effective security concept including proactive and reactive measures. However, a common practice of cooperation and exchange of information and experience among these subjects is missing.
A national strategy and policy framework that would benefit all stakeholders, resulting in more effective and less expensive solutions as a response to cyber-attacks, are also missing.
The history of smart phones and tablet computers is relatively short from a historical point of view, yet these devices are widely used for personal and business tasks daily. We present the advances of these devices in comparison to laptop and other computers with an awareness of their abilities to safeguard data. They are used as devices that hold sensitive information, and they are intended for use with different types of wireless and mobile communication lines. This kind of communication increases the risks of data transfer. Their characteristics (dimensions, processing power, networking etc.), working environment, and the stored information and its value make them suitable targets for theft and abuse. This paper addresses the problem of the countermeasures needed to make smart phones and tablets more secure. Although the first commercially available tablet computer was presented only three years ago, sales increase significantly each year. According to the analysis of the web site statista.com, in the last quarter of 2012 76% more tablet computers were purchased than in the same quarter of 2011. According to the research expectations, this trend should continue in the next few years, and in 2016 we can expect around 283 million tablet computers to be purchased, which will exceed purchases of laptop computers.
This article is devoted to the problems of dedicated end-user training based on the latest methods and practice of endpoint security. The aims and objectives of endpoint security training are revealed. The basic ideas of security and privacy when using social networking services in the training are considered. It is concluded that endpoint security will continue to hold the attention of almost all enterprises, but the most important in this list will be the education sector.
Cyberspace has become the dominant place for social, economic and political activities in the region of South East Europe (SEE). However, as in the rest of the world, the growing dependence on cyberspace in SEE in general, and in Macedonia in particular, has not been matched by a parallel focus on security. This article explains why the Macedonian government needs to consider concrete strategic guidance for cyber security. The main argument of the article is that a future cyber security strategy must have a comprehensive approach addressing cyber crime; cyber defense; intelligence and counterintelligence; critical information infrastructure protection and crisis management; and cyber diplomacy and cyber governance. Given that most of the SEE countries share the same history and political, social and security dynamics, with small adjustments the findings and recommendations could be applicable to the rest of the SEE countries.
Communication networks and information systems in Bosnia and Herzegovina have experienced phenomenal growth throughout the last decades and have become fully present in everyday life, since the majority of records and processes have been computerized and automated. Due to low cyber security awareness, together with the complex security management organization on the territory of Bosnia and Herzegovina (the country's specific organization and multiple police agencies) and a slight technological lag in comparison to advanced European countries, this country is more susceptible to risks and threats in the cyber security domain. Therefore, in order to avoid serious repercussions for individuals, business and society in the case of cyber attacks, the Ministry of Security of Bosnia and Herzegovina has initiated the establishment of the Computer Emergency Response Team in Bosnia and Herzegovina (BIH CERT). This paper aims to provide an overview of the activities of the Ministry of Security of Bosnia and Herzegovina in the area of cyber security, focusing on the establishment of the BIH CERT body. The BIH CERT has been envisioned as a preventive body which gives recommendations for the application and improvement of security measures for the protection of the information systems of Bosnia and Herzegovina's governmental institutions. In addition, this body will represent Bosnia and Herzegovina's central point for cooperation with international CERTs and thereby contribute to the security of the overall cyberspace, since cyber attackers know no borders.
The mission of BIH CERT will be to increase the reliability of the critical infrastructure through constant dedication, work on prevention and minimization of the possibilities for the occurrence of a security emergency, together with the provision of assistance to the administrators of the critical infrastructure in applying proactive measures for reducing the risk of a security emergency, as well as assistance in preventing the consequences of a security emergency. The process of the institutional formation of BIH CERT has not yet started due to opposing political stances and interests.
Advanced and sophisticated cyber-attacks pose a serious risk to economic and national security. The solutions for cyber security problems necessitate initiatives from all legal, institutional, scientific and technical domains, and the cooperation of governments, universities, industry and civil societies. The global nature of the problem also puts a special emphasis on international cooperation. Therefore, countries need to develop strategies on both national and international scales in a holistic approach. Today, most strategies developed by countries share a holistic, integrated, comprehensive approach supported by strong leadership, enhanced governmental co-ordination at policy and operational levels, reinforced public-private co-operation, and improved international co-operation. Cyber security strategies generally include action plans. Since Turkey has a critical and important geopolitical position due to its location in the Middle East, cyber security has an inherent importance to our country. Studies in this scope resulted in the June 2013 National Cyber Security Strategy document and the 2013-2014 Action Plan. In this strategy document, cyber security risks and measures, 7 major topics, 29 key actions and 30 governmental organizations responsible for these actions are identified. In the 2013-2014 Action Plan, 29 actions in the scope of the major topics, sub-actions and the organizations responsible for these actions are identified. According to these documents, cyber security activities in Turkey include the government, the Turkish Armed Forces, universities, industry and non-governmental organizations (NGOs). Studies for legal regulations are also in progress. There have been various laws, draft laws, and regulations in cyber security. Cyber security activities require national cooperation of governmental organizations, universities, industry and non-governmental organizations.
In this paper, we will first briefly present the general headlines and commonalities of the national strategies of various countries. Then we will chronologically summarize the cyber security studies in Turkey, and focus on the National Cyber Security Strategy and Action Plan, stakeholders and their studies, legal regulations, awareness and educational studies, and national and international collaborations. Lastly, we will give a brief evaluation of cyber security studies in Turkey.
This chapter addresses cyber security issues related to smart homes. With the introduction of smart devices and systems in our homes, the risks and threats linked to them, and consequently to the smart home inhabitants, are growing. The digital world has gradually developed standards, protocols, interfaces, operating systems, programming models and architectures, making both computing and networking a type of plug-and-play environment. The smart house and its services, as we know them at present, form a highly heterogeneous environment, which presents a significant challenge for future users and manufacturers. Healthcare services carry unknown dangers to human life and present real vulnerabilities in interconnected medical devices. The chapter discusses details of cyber security risks, and the available technologies and methodologies to minimize and mitigate threat vectors.
This paper presents an analysis of the efforts to develop new application software under fire by innovators of the Israeli start-up nation. The applications were developed voluntarily by Israeli civilians living in Tel Aviv during Operation Pillar of Defense in November 2012. At the time when the IDF (Israel Defense Forces) was engaged in a military attack on Gaza, codenamed “Pillar of Defense”, the armed Palestinian militant groups Hamas and Palestinian Islamic Jihad were firing Grad and Kassam rockets at civilians on the State of Israel's home front. The new applications were designed to mark and map the locations of public shelters during emergencies in Israeli cities and towns for the benefit of civilians who regularly use smartphones and applications. These applications were the brainchildren of Israeli home front civilians who wanted to help themselves as well as others who could find themselves trapped under rocket fire in the “City of Tel Aviv” for the first time in their lives (apart from Iraqi missiles in the winter of 1991 during the “Gulf War”). This article originated in and was written as a result of the personal experiences of this writer on the home front of the State of Israel in the physical and digital expanses (social media, Web 2.0) during “Operation Pillar of Defense” in November 2012.
Most strategies and policies for cyber security are in essence reactive, since they devise (counter) measures for known problems or quantitative forecasts of known problems. A long term strategy should predict new problems qualitatively. The problem with cyber security stems from the fact that cyberspace will invade physical space almost completely, including human bodies. The speed of changes in the way people live and work, as well as the emergence of new, related security problems, is accelerating, while legislative and technical countermeasures merely react to detected problems. Moreover, the critical mass of humans which should recognize risks, dangers and attacks in cyberspace does not, and does not have the required knowledge and skills. In addition, individuals in the general population are at risk of cyber security incidents due to their ignorance or to the mere statistical probability that they will make a mistake, given the huge number of human-machine interactions in a unit of time and human nature being unsuitable for multiple, simultaneous routine tasks. While short term strategies have to rely on the development and deployment of technical means for supervision and protection of systems, on (re)defining the legal framework, and on creating and nurturing the (new) body of cyber law enforcement, a long term strategy is also needed. It has to focus on accelerated and prompt education and increased awareness in all age groups, literally from kindergarten to retirement. This education has to be mandatory in all school systems and within the working environment in the framework of occupational safety. It has to be a major component of everyone's continuous, lifelong education. In order to support this strategy, national centers for increased awareness and broad education should be established, strongly linked with academia, both because of academia's deep insight into cyber security development and because of its involvement in the development of educational methods and tools.
The long term strategy has to evolve a new culture of self-preservation as well as community (self) care and preservation, providing visible and omnipresent emergency response focal points. This long term strategy needs to be devised urgently and put into operation in parallel with short term strategies.
As Ground Water (GW) is a natural resource of vital importance, its protection against all types of threats is an absolute necessity. GW as a natural resource can be effectively protected and managed using GW monitoring systems, provided that, when developing such a system for a specific area of implementation, certain conditions are met and parameters are taken into account, including GW recharge conditions, hydrogeological regime, land uses and GW vulnerability to surface pollution (as GW is often hydraulically connected to the surface and to surface water). To assess those parameters, reliable and accurate data are needed. The acquisition of such data, given its economic cost and the time needed, poses obstacles that are sometimes difficult to overcome. At this point, contemporary technologies such as Geographic Information Systems (GIS) and Remote Sensing (RS) can provide solutions. In the present paper, a combination of case studies is presented, including the identification and delineation of GW recharge areas using RS, GW vulnerability assessment using GIS, and the development of a Web based GW monitoring system that can also be used as an early warning system for GW protection. The methodologies proposed have been tested in various areas of Northern Greece, providing reliable results at minimal cost. Their combined application can provide the tools to constantly monitor GW quality, to detect GW pollution at a very early stage, to select and apply remediation measures and to continuously rate them, to detect pollution sources, to support decision making regarding land uses, to help raise public awareness and, overall, to ensure GW protection and sustainability.