BF-FieldManual-FEB13 -3.pdf - Bertelsmann Foundation

MEMO ONCYBER SECURITYThe State of PlayThe US and Europe have seen a dramaticincrease in cyber incidents in the pasttwo years. An analysis of such eventssince 2006 shows that of 97 known majorincidents, 44 were aimed at US-basedtargets and 28 at European targets,including the highly publicized attacksin Estonia in 2007 and Georgia in 2008. 1Even excluding unreported incidents, thedanger these subversive activities pose tothe most essential arteries of economicactivity in the US and Europe is clear. TheUS intelligence community believes cyberespionage represents a larger threat thantraditional espionage. 2 And these threatsare increasing.Two trends are changing the threatlandscape. First, with greater relianceon smartphones and other handhelddevices, networks are increasingly goingmobile. Storage and access points aregrowing via new network resources suchas cloud computing. Second, service andcontrol functions, including commercialpayments ranging from large moneytransfers to small retail purchases withswipe cards, are migrating online. Thesecommercial transactions are not solelymonetary; they are also tied to transfersof highly sensitive personal identitydata. In both cases, cultural shifts aredriving individual online connectivityand eroding barriers of state-basedjurisdiction, increasing vulnerabilities fornefarious actors to exploit.When the Internet was created, theinitial concern was openness, notsecurity. Its guiding philosophy has longbeen one of open access developed bya “self-regulated, non-governmentalcommunity”. 3 As a result of this openness,two factors color the cyber securityapproach of early-adoptive digitalsocieties such as the US and Europe:The central tension of cyber security policy is theinherent tradeoff between regulating a secure andsafe cyber space while creating an online environmentthat fosters optimal economic and political outcomesfor citizens across the globe.1) offensive capabilities dominatedefensive capabilities; and 2) the primarydeterminant of vulnerability is the degreeof technological integration. For thesereasons, a Maginot Line against cyberincidents will not work. 4Cyber security policy cuts across atangle of interlocking policy areas,from defense to homeland security,from criminal justice to commercialpolicy and civil liberties. Protection ofmilitary assets, cyber cover in combatoperations and offensive militarycapabilities are the areas to which theUS government and EU member stateshave devoted the greatest resources.Protecting areas of the private sectorthat are fully dependent on the Internet,hardening the defense and resilience ofcritical infrastructure, and combatingcyber crime and e-espionage, all directlylinked to economic security and lawenforcement, is also important. At thesame time, maintaining a free and openglobal Internet that is a conduit for civildiscourse and organization has becomea central tenet of democracy. The centraltension of cyber security policy is theinherent trade-off between regulatinga secure and safe cyber space whilecreating an online environment thatfosters optimal economic and politicaloutcomes for citizens across the globe.The Government Accountability Office(GAO) has sounded the alarm aboutUS cyber policy’s failure to keep pacewith the threats. 5 The lack of neededskills across government agencies anddepartments is magnified by the needto create a coherent international policyon cyber security. The inability of the112th Congress to pass comprehensivecyber security legislation means that theadministration will have to set policyon these issues within the limits ofcurrent law, domestic and international.Exploration of collective cyber defensewith Europe will require mergingdisparate security concepts into anoverarching cyber policy encompassingtrade, offensive capabilities, resilience,data protection and the creation ofinternational norms. 6US and European threat assessmentsare similar, and Europe represents anatural cyber security partner for theUS, bilaterally and internationally.Indeed, there is a robust trans-Atlanticlinkage for much of the financial sectoras well as for many Internet services andsocial networks that are repositories forhighly sensitive personal information.US military bases in Europe are alsoreliant on the continent’s infrastructure.But the dense net of interconnectivityfacilitated by the size and opennessof European states, the formationof their single market and their earlyadoption of Internet technology all makeEurope a uniquely challenging cybersecurity landscape.Some analysts have advocated for aclear division of labor on Europeancyber security policy between a pooled4 4Cyber Security