The Bled Strategic Forum panel Cyber Security System: Achieving Resilience looked at the growing threat of advanced cyber-attacks on critical infrastructure and industrial systems as well as individuals. It featured eight esteemed experts from academia, government, the military and the private sector who highlighted the complexity of the challenges ahead and the need for across-the-board cooperation.
Mr Guy De Launey of BBC News, who moderated the panel, started a round featuring the participant’s main thoughts on cybersecurity by pointing out how cybersecurity seems counter-intuitive to people after they have been trained, socialised to trust cyberspace “maybe a little too much”. This of course is problematic given the task at hand.
Mr Mitja Jermol, head of the Center for Knowledge Transport at Jožef Stefan Institute, also pointed to the importance of personal behaviour, while stressing collective action will also be necessary.
Mr Uzi Moscovici, a retired major general who is the vice president of the missile division at Israel Aerospace Industries, called for the orchestration “of the actions, not intentions” of all the relevant sectors in a national ecosystem with the goal of achieving cybersecurity.
Mr Tanel Sepp, deputy director of cyber policy and the IT Department of the Estonian Ministry of Defence, highlighted the lip service this “sexy topic” is being paid to by politicians, who often do not really understand the real implications, while this fails to get to followed up with any action. “Usually they say: yes cyber is important, let’s take another topic.”
Major General Dobran Božič, director of the Office of the Slovenian Government for the Protection of Classified Information, argued the debate on cybersecurity is only picking up because the entire economy is now embedded in cyberspace. “When we talk about investments, the big companies and institutions refuse to come to countries without cybersecurity,” he added, while also raising the major implications of hacking or dividing society.
Antonio Missiroli, Assistant Secretary General of Emerging Security Challenges at NATO, pointed out that cybersecurity is a team sport, but one “where the dividing line between defence and offence is being blurred…where defence and offence are only one shot away from one another”.
US army Colonel Jerry Chappee, Deputy Director of the Joint Cyber Center at European Command, noted that it is not only a team sport, but also a challenge that will require a change of culture. “We need to improve our cyber hygiene,” he said, stressing there are numerous teams that trying to breach the defences on a daily basis, which is why people also need to be aware what they are validating when they are for instance installing applications on popular app platforms.
Mr Kai Hermsen , global coordinator for the charter of trust at Siemens AG, said cyber security is a bit like climate change, as “it transcends countries, industries…is a matter of society in the end”. By doing nothing, one is already vulnerable and has lost this game, he said, noting that even an active approach cannot provide 100% security. If we get cybersecurity right, there are a number of opportunities that open up in the future that will be digital any way, he noted.
Mr Gregor Pipan, CEO of XLAB, feels people’s first thoughts as regards cyber are “the military, how to penetrate targets, obtain classified information”. However in reality “the most vulnerable person is the everyday Joe with credit card numbers etc.”, meaning everybody, not only critical infrastructure, is being targeted. Touching on new companies, he noted that most do not really start paying attention to security until after they have created some assets that need to be protected – it is usually too late at that point.
The discussion went on the explore the strategic aspects and issues, one of them being that 90% of cyberspace is owned by private companies, which makes government control in what is also a national security issue very difficult. “We first need to define who is who in the zoo,” Mr Božič said, arguing the structure of communication, cooperation among the key players needs to be clear and that some basic rules pertaining to cyber will be necessary.
Another major issue is the scarcity of skilled workforce – needed in both the private and public sector – with Forbes estimating a skills gap in cyber security to the tune of 3.5m vacancies by 2021. In Estonia they have embraced the fact that the private sector will poach the experts in the public sector. “By not fighting a fact, by training them and letting them go, we can at least stimulate their willingness to come back when they want or provide their expertise on a voluntary basis,” Mr. Sepp said. Mr Moscovici proposed education schemes that would be funded by both the public and private sectors and bind the experts trained to work for both for a specific number of years.
The lack of clear international rules, for instance a diving line between espionage and sabotage was highlighted in the section of the discussion on the cross-border dimension of the issue, which has mostly been targeted with local regulations. The attribution problem, meaning the difficulty to really prove the source of the attack, was also highlighted in this context, while there is also the liability issue in the age of AI. “Who will be held responsible if your smart home fridge suddenly starts mining cryptocurrencies – and you don’t really mind or care because your butter is still cold,” Mr Hermsen of Siemens illustrated. Rules and maybe even basic ideas on which our society is built might have to be rethought fundamentally, he added.
AI can on the other hand play a role in addressing the scale and complexity of the problem, which again requires cooperation in terms of sharing as much data as possible, Mr Jermol pointed out. This was echoed by NATO’s Mr Missiroli, he however warned that “whenever AI has been applied in a more active, offensive format, it tends to display escalatory behaviour”, thus a degree of control has to be retained.
The privacy or freedom vs. security dilemma, also from the perspective of what kind of behaviour should be tolerated, was raised as well, with the first point being the need to raise digital literacy. Mr Božič noted that people have no issues with sharing everything with corporations while they are very wary of government, even if the objective is to protect them. Mr. Sepp said the real issue is data integrity and that governments need to earn the trust related to this. Trust is also crucial for Mr. Hermsen who argued that “if you get security right, you will have more freedom in the end”.
