The fifth dimension: cyber defence2 September 2013
Cyberattacks on targets of national importance, including government and defence departments, are becoming more sophisticated and more frequent. In response, Europe is in the process of ramping up its efforts to counter such threats through a combination of research and awareness initiatives. Ross Davies meets Michael Sieber and Wolfgang Roehrig of the European Defence Agency to find out more.
Never has cybersecurity been under such scrutiny. The recent scandal surrounding the extent of internet and phone surveillance purportedly carried out by US intelligence bodies, as leaked by National Security Agency technical contractor Edward Snowden, has sparked fresh fears over internet safety and privacy.
The fallout has been defined by heightened paranoia on a macro scale. As a result of ceaseless speculation, cyber-insurance sales have spiked, while it was reported in July 2013 that the Kremlin had ordered a shipment of typewriters in a bid to prevent Russian electronic data leaks.
Governments and their institutions remain among the most prominent targets for advanced persistent threat malware. For this reason, cyberspace is often identified as the 'fifth dimension' of modern warfare - as pertinent to military operations as land, sea, air and space.
Able to cross borders undetected through computer networks, the single most difficult aspect in stymieing cyberattacks is their innate inconspicuousness; unlike, say, a conventional missile, identifying the source of a breach can be a complicated task.
Cyberattacks on an unprecedented scale
In Europe, cyberdefence remains high on the agenda, identified as one of the ten priorities in the European Defence Agency (EDA)'s capability development plan (CDP). The programme has been initiated to collaborate with EU member states in developing the most suitable capabilities to drive down threats.
Michael Sieber, assistant director for research and technology at the EDA, has spoken at a number of cyberdefence conferences and workshops coordinated by the European Commission. He is under no illusion that the task ahead will be trouble free. Such is the sheer magnitude of today's malware - coupled with increasing levels of sophistication among hackers - that cybersecurity experts are under pressure to pre-empt breaches like never before.
"We have tried to establish a common security and defence policy, identifying the main values that need to be protected - the availability and integrity of information," he says. "The main risks we have identified relate to the engagement of technical systems of all kinds. This means less obvious components or elements of dealing with IT, going right down to the computer chip."
Sieber's colleague Wolfgang Roehrig, EDA's project officer for cyberdefence, also believes that today's cyberattacks
are occurring on an unprecedented scale.
"What we have seen from the technology side within the last three years is that the quality and quantity of malware have definitely increased," he notes. "And you have to remember that these attacks can cause real damage in the physical world. As we have seen recently, there have been more advanced and persistent threats in the realm of cyber-espionage."
The weakest link
One of the main quandaries facing the Commission's development of higher threat resilience is the aforementioned insidiousness of malware; once it has infiltrated a system, it has the potential to remain undetected over months, possibly years.
In response, the EDA, armed with the role of facilitating cooperation among member states, operates under
a well-worn capability framework appropriated from NATO: DOTMLPFI (doctrine, organisation, training, materiel, leadership and education, personnel, facilities and interoperability).
"We have adopted DOTMLPFI as a means of following a much wider approach, covering all lines of development," explains Roehrig. "Technology comes under the 'materiel' part, but many of the facets take into account the human being, who is often the weakest link and first line of defence when it comes to being susceptible to different attack vectors."
Put simply, while technology will surely be indispensable, it cannot come at the expense of human training, education and vigilance. The EDA is currently conducting a cyberdefence-training need-analysis programme; built on existing training capacities across member states and EU institutions, it is carried out in close cooperation with the NATO-affiliated Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia.
"Training is paramount - both for normal users and cyberdefence specialists," says Roehrig. "Recently, many institutions looking to protect themselves have invested a lot of money in software, but are ignoring their people. This often leads to a very poor cybersecurity culture. Our work with CCD COE has seen us expand beyond EU institutions in order to improve this."
Cyberdefence readiness and cloud security
In a recent one-year stocktaking study, released by the EDA in May 2013, the interrelation between players such as the EDA, CCD COE and theEuropean Space Agency (ESA) was also identified as a crucial means of bolstering defence capabilities.
Benchmarking the degree of "cyberdefence readiness" of participating member states and EU organisations, it recommended that member states "cooperate in the area of cyberdefence capabilities as well as in the research and technology domain".
An integral part of this effort is spearheaded by the European Framework Cooperation (EFC). It is run by the EDA, through which the Commission, EDA and ESA coordinate their research efforts in a bid to reinforce a multidisciplinary approach, as Sieber explains.
"The EFC was established in 2009, addressing research into specific technologies for detection, reaction and protection, not to mention training, around safety and security," he says. "Another goal is clearly to avoid duplication of these efforts - taxpayers' money should be allocated as efficiently and effectively as possible."
More of a moot point has been the emergence of cloud computing. Already prevalent in the public domain - predominantly due to cost benefits - questions abound over the feasibility of moving sensitive data into emerging infrastructures, particularly within a military setting, by which front-line personnel can remotely access and exchange information. Is such a crossover possible without compromising security?
"Actually, cloud technology hasn't changed anything about security regulations with regards to classified data and information," states Roehrig. "But, for sure, moving things to the public cloud for military units is a no-go at the moment. Any kind of remote access opens up new risks of attack vectors."
"From a technology viewpoint, on the one hand, we do see the advantages of the cloud philosophy coming across from the civilian side," adds Sieber. "There is the potential to use it as an enabler in the military and defence domain to fulfil missions. In terms of security mechanisms, however, we might need to wait for other providers."
What lies ahead
As inferred by Sieber, there is still much work to be done. The EDA's study stated that some schemes were still found wanting, concluding that: there is an innately complex operational set-up between the various directorates; the use of military-specific standards and tools is still poorly understood; cybersecurity good practice needs to be nurtured; and incident response capabilities could be deepened.
Sieber would also like EU member states to pull together and leverage their cryptography efforts. Despite the continent often being cited as a bellwether in crypto research, it still lacks an expansive, concrete policy, which he believes could be a vital part of the online security puzzle.
"There's an awful lot of excellent academic knowledge in Europe around cryptography," he says, "but we are not doing enough with it. For instance, it needs to be matured and commercialised for use in the military domain. It also needs to be adapted to the mobile field. There's still some technology homework to be done."
As the National Security Agency imbroglio unfurls, the EDA will continue to facilitate such progress. Starting in 2014, it will assist the Commission in running its Horizon 2020 framework programme, which will further amalgamate existing EU research and innovation funding provided through the Framework Programme for Research and Technological Development, the Competitiveness and Innovation Framework Programme and the European Institute of Innovation and Technology.
The extent to which cyberspace is being used to steal, supply and wage war will always be a font of conjecture. But the recent moves overseen by the Commission could prove to be indispensable in retaining the boundaries of trust that cybercrime and espionage threaten to break down, and which are essential to the continent's long-term future.