Challenges in Cybersecurity Risks, Strategies, and ... - Unidir
newly founded German Cyber Security Council – a cooperation between government bodies and
industry – which include the coordination of cybersecurity policy stances, the identification and
correction of structural trouble spots, discussion of cybersecurity issues, new technologies,
transparency, collaboration, and recommendations to the Cyber Response Center. According to
the speaker, concrete steps on the agenda entail enhancing and extending cooperation on critical
infrastructure protection, creating more PC security by increasing provider responsibility,
intensifying cooperation, both nationally and abroad, and establishing norms of state behavior in
cyberspace in international forums (G8 and UN).
TRACK 1.2<br />
CYBERSECURITY DILEMMAS
The second Track on the first day dealt with systemic challenges in the domain of cybersecurity
and how best to meet them.
The first expert argued that the professionalization of attackers has made cybersecurity the key
challenge of the 21st century. In order to control these risks and international threats, it was
argued that governments, industry, and citizens will have to cooperate in a joint effort, while
roles and responsibilities need to be divided. The existing European, international and national
frameworks regarding cooperation could be linked, while international efforts, a speaker
proposed, should be in line with national competencies, and further cybersecurity dilemmas,
such as “individual privacy” versus “national security” should also be kept in mind. The need to
understand the motives of attackers with strategic goals in order for cybersecurity to work was
discussed. Other participants in this panel then pointed to some of the difficulties involved in
this approach. The most pressing of all the regulatory questions in the cybersphere is the issue
of attribution. One expert argued that attributing crimes to sophisticated attackers – the ones it is
most important to combat – is not possible at present. There are systemic reasons for this, and
no progress will be able to mitigate them. Another expert pointed out that systems are often said
to fail because people who could protect them have no incentive to do so. This highlighted
many of the economic problems associated with cybersecurity, which is a further true dilemma.
There are no incentives for the industry to come up with robust cybersecurity, and what
incentives there are often lead to poor cybersecurity solutions.
According to another panelist, information security could also be improved via policy means.
It was argued that policy makers should have a role in ensuring a consistent collection of
relevant incident data. It was stressed that information disclosure could help to get a grip on the
true extent of threats, while a “collaborative malware remediation program […] deal with
externalities of insecurity”. The same panelist also outlined the German approach to
cybersecurity policy and stated that anything that can be done at national level should be done at
national level.
TRACK 1.3<br />
INTRODUCING TRANSPARENCY AND CONFIDENCE-BUILDING *
Session 1.3 dealt with the topic of identifying CBMs in cyberspace, outlining the current state of
development, and how to move forward.
* A greater emphasis is being placed on the content of this session, as it was part of the UNIDIR-IFSH project.