IGF 2021 Day 0 Event #103 "Cybersecurity and Crisis Management – combining cyber and kinetic threats. Best practices"

Time
Monday, 6th December, 2021 (15:00 UTC) - Monday, 6th December, 2021 (16:15 UTC)
Room
Conference Room 4

NASK National Research Institute, Poland
 

Speakers

Mr. Juhan Lepassaar, Executive Director of ENISA (European Union Agency for Cybersecurity)

Mr. Jakub Boratynski, Head of Cybersecurity and Digital Privacy Policy Unit, European Commission Directorate-General for Communications Networks, Content and Technology

Mr. Dong Geun Lee, Director of Incident Response Division, KrCERT/CC, KISA South Korea

Ms. Amy Mahn, International Policy Specialist, National Institute of Standards and Technology, USA

Mr. Witold Skomra, Advisor to the Government Centre for Security, Poland

Onsite Moderator
Maciej Siciarek, Head of Innovation & Development of Cybersecurity Dept., NASK
Online Moderator

Katarzyna Sokol, Senior Expert, Strategic Development of Cybersecurity, NASK

Rapporteur

Piotr Slowinski / Katarzyna Sokol

Format

panel discussion

Description

Due to the increasing interdependency of trade sectors and ICT systems, it is inevitable that the connections between cybersecurity and crisis management will have to be tightened even more and that new challenges for the digital security of the world economy will have to be faced. The EU has been working on legislative processes that combine critical infrastructure and cybersecurity. Since Dec. 8, 2008 the Directive on Critical Infrastructure has been in force. Every Member State passes essential information regarding identified threats and risks to the security liaison officers of each European critical infrastructure. Adopted on 6th of July 2016, the NIS Directive (security of network and information systems) is the first piece of cybersecurity legislation passed by the EU, and it initiated the process of building and enhancing the European cybersecurity ecosystem. On June 13th, 2017 the European Commission prepared a Blueprint, a European coordinated plan to respond to incidents and crises related to cybersecurity, which includes guidelines and recommendations and introduces other mechanisms of prompt/rapid response in crisis situations. The EU Commission is currently proceeding with the NIS 2 Directive. One of the important points is regulating and clarifying systemic and structural changes to ensure the security of information networks for cybersecurity crisis management. The Polish government is in the process of revising and amending the National Cybersecurity System, which also addresses the issues mentioned above. Crisis management connected to cybersecurity is a global challenge which concerns every country, but we all know that there are different ways and solutions applied by countries outside of the EU. Our panel is an opportunity to exchange experiences and present various approaches. We should all find the most efficient tools and solutions to ensure the security of networks and ICT systems.
The elements and measures are constant, even universal: risk analysis, incident handling, the right approach to business continuity, and crisis management.

According to the scenario, after opening remarks and the introduction of the speakers, there will be a round of questions to representatives from various countries and entities. Online participants in the audience will have a chance to write questions or remarks in the chat, which is available throughout the session. Depending on the number of comments, they will be addressed either during the session or at the end of the session.

Key Takeaways

Due to the increasing interdependency of trade sectors and ICT systems, it is inevitable that the connections between cybersecurity and crisis management will have to be tightened and that new challenges for the digital security of the world economy will have to be faced. One of the important points is regulating and clarifying systemic and structural changes to ensure the security of information networks for cybersecurity crisis management.

Call to Action

To consider closer cooperation with like-minded countries which are not part of the EU but share common values and a common approach to cybersecurity and crisis management.

Session Report

Cybersecurity and crisis management: Combining cyber and kinetic threats: Best practices 

Cybersecurity and cyber crisis management are a global challenge, with differing problems and differing approaches to remediating their negative impact on the security landscape. Regardless of geographic location, certain difficulties remain common, and best practices can be either directly applied or adapted to various legal or crisis management systems.

The first panelist, Ms. Amy Mahn from the U.S. National Institute of Standards and Technology (NIST), presented the U.S. approach to standardisation and the role of NIST in security and crisis management. She outlined how her institution supports advancing measurement science and technology standards in close collaboration with government, the private sector and international partners. The security of the U.S. systems protected within the crisis management network is to some extent dependent on the implementation of information processing standards by the government, e.g. the FISMA Act (Federal Information Security Management Act). The effectiveness of the system is also based on collaboration between federal institutions, e.g. U.S. NIST and the U.S. Department of Homeland Security, which among other activities organise regular stakeholder meetings on the implementation of NIST standards. The most important feature of the crisis management system is a flexible approach, regardless of the sector (e.g. health, energy, nuclear energy etc.), both in preparing for an incident and in responding to it. The priorities in protecting critical infrastructure and building its resilience should be standardisation efforts, implementing common best practices to prevent incidents, and updating procedures with feedback from major crises, e.g. the supply chain crisis or large scale cyber attacks such as ransomware attacks.

The second panelist, Mr Dong Geun Lee, outlined the role of the Incident Response Division of KrCERT/CC within the South Korean cyber incident and cyber threat response system. In this regard it is responsible for sharing information, facilitating cooperation and responding to major cyber incidents, among other responsibilities. Its activities are divided into four major pillars. Firstly, there is the establishment of a cooperative system, the K-cybersecurity alliance, with an information sharing system (CTAS), which is especially important for SMEs that lack threat analysis capabilities or resources. Secondly, in the event of an incident, experts are dispatched to the site in a supportive role for investigation, analysis, recovery and prevention tasks. Thirdly, for the purpose of strengthening and building the cyber resilience of the supply chain, major companies will promote the spread of diagnostic tools and the communication of threats to users. Lastly, equally important and vital for ensuring safety is conducting cybersecurity exercises and training on cyber response in the private sector, along with pentesting.

The next panellist, the Executive Director of ENISA (European Union Agency for Cybersecurity), Mr Juhan Lepassaar, mentioned the EU efforts to increase the cybersecurity of critical sectors and to coordinate incident response activities within Europe by creating the CSIRTs Network, the network of national CERTs, making it one of the pillars of cybersecurity in the EU. This European crisis response mechanism has evolved throughout the years, and now CCERT has a cyber crises liaison officers network exchanging information at both the technical and the operational level. Expanding and solidifying ENISA's mandate through the Cybersecurity Act also influenced the cybersecurity ecosystem of the EU. Currently the most important areas of interest in cybersecurity and cyber crisis management are gradually building capacities, organising exercises, enforcing procedures, building joint situation awareness, coordinating cross-border incidents, exchanging information, and monitoring networks and systems. Especially when it comes to increasing joint situation awareness, it is important to implement a framework concentrated on a synergetic and coordinated approach to managing large scale incidents. It is also important to build more synergy between member states and the EU institutions to effectively facilitate coordination and collaboration, e.g. through the Joint Cyber Unit (JCU). International cooperation can be based on common interests, similar values and longstanding economic relations.

Mr Witold Skomra, Advisor to the Government Centre for Security in Poland, described the role of his team as a link between the work of the government and business companies, especially in the field of critical infrastructure. As one of the key features of ensuring the security and integrity of the crisis management system, the panellist mentioned six interconnected dimensions of security which influence each other. The priorities have changed throughout the last ten years – in the past, physical security was regarded as the most important. In the case of protecting critical infrastructure, the rule of six dimensions of security still applies. Additionally, there are plans to enforce a critical infrastructure resilience bill in Poland to strengthen the ability to counter large scale crises. A problem can also be observed with regulations prohibiting or limiting government financial support for private companies.

Presenting the EU view, Mr Jakub Boratyński, Head of Cybersecurity and Digital Privacy Policy Unit, European Commission Directorate-General for Communications Networks, Content and Technology, started by outlining the most important issues faced by different stakeholders – the scale of the challenges, the responsibilities of every single person, and the differences between member states' capacities. Mr Boratyński emphasised that specific cases of cyber crises or incidents also had a kinetic impact, e.g. the Colonial Pipeline attack in May 2021. In order to effectively address these types of threats, it is vital to consider all levels of cyber crisis management, including but not limited to the policy, technical and operational levels. He also underlined the need for a multidimensional and multisectoral approach to strengthening cybersecurity, which is being implemented in the EU e.g. by the Joint Cyber Unit initiative, the NIS 2 directive and other EU cybersecurity legislation. As ultimately a significant part of the EU economy will depend on the ability to ensure cyber security and resilience, it is an area of shared responsibility, also in the field of building capabilities or raising situation awareness.

During the Q&A session, a member of the audience from the Georgian Information Security Association asked about opportunities for countries from outside the EU to cooperate and share knowledge or expertise (also from the technical field) with the EU member states or EU institutions such as ENISA. He conveyed that, in his experience, in the case of Georgia the direct reason given for why it is not possible to establish or deepen cooperation between the EU institutions and Georgia in the areas of cybersecurity is the lack of EU Member State status. Mr Lepassaar emphasised that in the case of his institution, and due to ENISA's mandate as an internal agency, everything it conducts or undertakes needs to add value internally for the EU, that is, for the EU member states and institutions. In this regard ENISA is not the one driving this international cooperation, but rather the External Action Service; however, there is naturally a need to raise awareness and to share information about both threats and methods to counter them.

SUMMARY: 

The panellists presented various points of view regarding cybersecurity crisis management, especially in the face of emerging serious threats combining both cyber and kinetic components. Their different backgrounds and current areas of interest helped to share ideas from various fields – from standardisation of procedures and good practices, multi-stakeholder collaboration to respond to and recover from cyber crises, prevention of crises and risks, and information sharing procedures, to education and exercise activities.

During the discussion, different approaches to managing cyber crises or preparing for them emerged. Problems with securing critical infrastructure were outlined, e.g. problems with standardisation of procedures in the multistakeholder security environment, or the lack of specialized incident response teams in smaller SMEs, especially in the case of a large cyber crisis affecting entities from different sectors.

The participants emphasized the need to extend collaboration between different stakeholder groups, including international partners, in the form of information sharing, building capabilities for cyber crisis management, and ensuring the critical infrastructure sector's safety and resilience, as well as the need to conduct common exercises in joint crisis management.