NRI Collaborative Session: European national perspectives on securing critical information infrastructure

18 December 2017 - A Workshop on Other in Geneva, Switzerland

Agenda

 Co-proposers/co-organizers:

  • Albania IGF
  • Dutch IGF 
  • Dutch Youth IGF
  • Estonia IGF
  • Georgia IGF
  • German IGF
  • Norway IGF
  • SEEDIG 
  • Switzerland IGF
  • UK-IGF
  • Ukrainian IGF
  • EuroDIG, the regional forum, will be the facilitator of this session, bringing together independent NRIs from the region to discuss and exchange. We consider the preparatory process an integral part of the discussion during the session.

Session title  
European national perspectives on securing critical information infrastructure (The choice of cybersecurity as the topic for discussion is the result of a consultation process, as agreed during the NRI Assembly that took place at EuroDIG in Tallinn in June 2017.)

Session format and timing

The session will be 90 minutes long in total. It will be a co-moderated discussion among national security experts and the audience. Speakers will be invited to provide their perspective on the national approach and co-moderators will constantly engage with the audience (onsite and online); not only via an open mic but also by using interactive tools. The session will be concluded by the key messages of the discussion, to be delivered by rapporteurs.

Content of the session
Cybersecurity in all of its facets has consistently topped the agendas of the NRIs in Europe for the past two years. This was the outcome of a review of hot topics among NRIs in Europe. (See the compilation of hot topics discussed in Europe).

During the session, the co-organizers will provide an overview of national subtopics as they have been discussed within Europe, find out where the commonalities and the differences lie, and suggest ways to bridge divergences in approaches.

We will discuss the following questions:  

  1. What are the critical assets to be secured at the national level, and what are the methodologies to protect them?
  2. What are the local challenges?
  3. How to build trust between all stakeholders?
  4. How can/do the National Internet Governance Initiatives facilitate and support collaborative, multistakeholder solutions to address these local challenges?


Speakers

  • Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia
  • Nata Goderdzishvili, Ministry of Justice of Georgia, Data Exchange Agency, senior consultant in e-government and cyber security, Georgia IGF
  • Nina Leemhuis Jansen, Dutch Ministry of Justice
  • Vanessa Berning, Wilma Westenberg (Netherlands Youth IGF)
  • Isabel Skierka, Digital Society Institute at ESMT Berlin and Co-Chair IGF Germany [remote]
  • David Rüfenacht, MELANI, Reporting and Analysis Centre for Information Assurance, Switzerland
  • Ørnulf Storm, Norwegian Communications Authority
  • Su Sonia Herring, Civil Society, SEEDIG Executive Committee, Turkey
  • Nick Wenban-Smith, UK IGF


Relevance of the issue
It has become conventional wisdom that cybersecurity is a global problem that requires a global response. In reality, however, there are differences in approaches to the protection of critical infrastructure at the local and regional levels, especially with regard to the role of the government, the need for regulatory intervention, and the definition and scope of what constitutes critical infrastructure, to name but a few.

The compilation of hot topics clearly shows the diversity of cybersecurity-related issues discussed within one region. Europe is not unified in terms of the issues, resources and possible solutions, and we can find different UN regional groups, WEOG and non-WEOG (developing economies), in this region. However, with more than 20 active and independent European Internet Governance Initiatives, we would like to showcase the existing substantive diversity in how the issue of cybersecurity is approached within the European region. Each NRI is of a multistakeholder nature, and this will be reflected in the Org Team as well as in the session.

>>Find more information about different national perspectives further below under "Additional Background"

Onsite moderator(s)

Tatiana Tropina, EuroDIG cybersecurity Subject Matter Expert (SME)
Vladimir Radunovic, DiploFoundation

Online moderator
Michael Oghia, YOUthDIG cybersecurity Focal Point

Rapporteur
Nick Wenban-Smith, UK IGF 

Link with the Sustainable Development Goals: (8), 9, 11


Connecting with intersessional groups:
Best Practice Forum Cybersecurity. Our aim is to add a national perspective to the expert discussion in the BPF and not to repeat or duplicate other sessions.

Reference document link


ADDITIONAL BACKGROUND  
Thematic input from the Netherlands:
We have a lot of discussion in the Netherlands. After years of 'ignoring' the serious threats, cyber security is top of mind now, but there is a risk of too much of a top-down approach and control. When cyber threats such as IoT botnets become manifest, the common reflex is to start initiatives to deal with the situation at hand. But as it turns out, a generic, bottom-up approach towards threat mitigation is much more effective.

Thematic input from Georgia:
We are one of the few countries where cyber security exceeds ICT development. While in the beginning eGovernment and the information society were key enablers for strengthening state efforts in the cyber domain, nowadays cyber security attracts high political and societal attention. Being in 8th place in the ITU Global Cyber Security Index implies that Georgia is recognized in the world as one of the most advanced countries in terms of cybersecurity. No less important, Georgia occupies 2nd place in the National Cyber Security Index in 2017.

Thematic input from Germany: Cybersecurity has become a highly political issue in Germany. The public debate about defensive and offensive cybersecurity capabilities highlights tensions between different dimensions of cybersecurity: the security of information technology, critical infrastructure, and individual users on the one hand, and national security on the other. Two events have fuelled the rise of cybersecurity to the top of the political agenda and to the center of public debate in Germany: the Snowden revelations in 2013 and the cyber attack against the German parliament (Bundestag) in 2015. Today, the government’s expansion of offensive hacking capabilities is cause for growing public debate about the government’s role in cybersecurity.

Thematic input from Norway
 
National and sectorial response centers
The Norwegian Computer Emergency Response Team (NorCERT) in the National Security Authority has the ability to prevent, detect and analyze data related to serious incidents on the Internet. NorCERT works closely with other countries and similar services in international organizations. To improve society’s ability to detect, alert and handle serious ICT incidents, in addition to NorCERT’s overall role, multiple sectoral response teams have recently been established in Norway. This is in conjunction with the strategies aligned in the Cyber Security Strategy for Norway (2012)[1]. The sector response teams have detailed knowledge about their sector and sector-specific challenges in particular, and an extensive coordination with NorCERT and other sector response teams.
 
From the Cyber Security Strategy for Norway section 4.4:
Safeguard Society’s Ability to Detect, Alert and Handle Serious ICT Incidents
• There must be ICT alert teams with the basic capacity to coordinate and manage ICT incidents for all sectors (such as a sectoral CSIRT), and for the most important organisations that support critical societal functions. These alert teams should be structured such that they take into consideration the use, architecture and governance of ICT infrastructure in the sector.
 
The Norwegian Communications Authority (Nkom) has recently established a sectorial CSIRT for the telecom sector. NkomCERT[2] cooperates with telecom operators and their security organizations. Presence is within normal working hours, but the team is able to mobilize 24/7.
 
The main tasks are:

  • To hold expertise concerning the vulnerability and threat picture in general, and sector-specific challenges in particular
  • To maintain professional networks with other authorities and relevant niche operators
  • To provide assistance in the event of serious incidents, such as information sharing, advice and coordination
  • In the event of serious incidents, to provide a situation picture that gives Nkom's management a good basis for taking correct decisions
 
At the Norwegian IGF meeting (Nasjonalt Internettforum) in 2017 there was not much focus directly related to cyber security and sectorial CSIRT capabilities. However, in 2016 there was much focus on cybercrime issues and cooperation between law enforcement and the private sector. Nkom plans to focus more on cyber security issues and sectorial CSIRT capabilities in 2018. National and regional IGF activities can play an important facilitating role in bringing the public and private sectors together to establish better dialog and cooperation.


[1] https://www.regjeringen.no/en/dokumenter/cyber-security-strategy-for-norway/id710469/
[2] https://eng.nkom.no/technical/security-and-preparedness/csirt/nkom-csirt
 

Thematic input from Albania: Albania ranks among the countries where the development of telecommunications, internet access and computerization of society is progressing very quickly. Increasing the use of communication is an added value in the country's economic and social development, but at the same time it exposes it to the dangers of cybernetic nature with state and non-state actors.
In recent years the Albanian Government has taken several very important steps related to cybersecurity by:

  • Approving the National Security Strategy 2014-2020: establishing and respecting the highest standards for securing and safeguarding information in all forms of its existence, focusing on special efforts to protect against cyber-attacks, specifically in the most vulnerable sectors and governmental institutions.
  • Approving the Digital Agenda for Europe 2020 (enhancing ICT confidence by strengthening security policy for networks and information), in line with the Cyber Security Strategy of the European Union: Open, Safe and Protected Cyber Space.
  • Approving the first Cybersecurity Law 2/2017: the purpose of this law is to achieve a high level of cyber security by defining security measures, rights, obligations, and mutual co-operation between entities operating in the cyber security field.
  • Defining what the Critical Information Infrastructure at the national level is, and what the methodologies to protect it are.
  • Establishing government structures and institutions dealing with security and cybercrime.
 
Albania IGF will launch the 1st National Internet Governance Initiative early in 2018. In our agenda, one of the most important sessions is Cybersecurity: National Strategy, Law, Priorities, Awareness, Risks, as Albania is a developing economy where internet connectivity and telecommunication infrastructure are improving and increasing. Cybersecurity as a core construct was traditionally related to national security problems and cyber-attacks. The emergence of the need to have a multistakeholder approach to cybersecurity determines the elaboration and implementation of the national cybersecurity strategy. The aim is to gather different stakeholders impacted by the national cybersecurity strategy and safe internet issues. We will not only focus on policy making issues, institutional implications, law and rule of law; the main purpose is to have a systemic approach to cybersecurity and how it impacts individuals on a daily personal and professional basis.
 
UK:

Report from the UK IGF 2017:
http://ukigf.org.uk/wp-content/uploads/2017/11/UKIGF-2017-Report.pdf

SEEDIG
One of the six sessions of SEEDIG 2017 annual meeting focused on cybersecurity challenges and opportunities in the region. The most prominent answers to the onsite survey asking, “What are cybersecurity priorities and what should they be?” were:

  • Ignorance
  • Identity theft
  • Privacy
  • Facebook
  • Credit card frauds
  • Governments

Other questions discussed included: Is cybersecurity on national agendas? Are there implementable action plans and multistakeholder processes? What is the level of regional cooperation (and why is it low)?

Key messages from the session, where Albania, Armenia, Bosnia and Herzegovina, Bulgaria, Croatia, Georgia, Kosovo, Montenegro, Republic of Moldova, Romania, Serbia, Slovenia, the former Yugoslav Republic of Macedonia, Turkey, and Ukraine were represented, are:

  • Cybersecurity is a complex area. It relates firstly to the vulnerabilities of an operating system; but even if vulnerabilities are known, not many users pay attention to them or to the need to update their systems. Users are, usually, the weakest link. And ‘ignorance seems to be our new best friend!’.
  • The software industry should be more responsible when it comes to embedding security features into their products. But the human factor is equally important.
  • The most important words that we should keep in mind when it comes to cybersecurity are education, awareness, and a good security strategy.
  • Cybersecurity laws and strategies are adopted completely differently from one country to another, unfortunately. One solution to this challenge might rest in engaging different stakeholders in high level discussions, asking them to synchronize their policies.

Additional Reference Document Link (Optional)
NATO Cooperative Cyber Defence Centre of Excellence - “Defending the Core: Proceedings of the 9th International Conference on Cyber Conflict”, 2017 - https://ccdcoe.org/sites/default/files/multimedia/pdf/CyCon_2017_book.pdf
George C. Marshall European Center of Security Studies - Publications - http://www.marshallcenter.org/mcpublicweb/en/nav-publications-overview-en.html
Global Commission on the Stability of Cyberspace (GCSC) - https://cyberstability.org/