Cyber threats for the European Union: Not if, but when
By John Cosgrove and Adam Bulava
Mission: Enhance E.U. cyber security
Earlier this summer, a group of European ministers, senior officials from the North Atlantic Treaty Organization (NATO) and other influential European leaders assembled in Brussels for a cyber exercise demonstration. The demonstration was requested by the European Security Round Table (ESRT) as part of that organization’s conference called Shared Threats -- Shared Solutions: Toward a European Cyber Policy.
Reflecting shared concerns over ever-evolving cyber threats, the U.S. and European Union (E.U.) are on a joint mission to enhance their international cyber security activity and cooperation. At the heart of this effort is a common understanding among policy makers on both sides of the Atlantic that cyber security threats have no expiration date. That is, it’s not a question of “if an attack will happen,” but rather “when an attack will happen.”
In this article, we’ll offer a look inside how international cyber exercises help illuminate and address international, governmental and private-sector cyber preparedness and response issues. At the conference, cyber security experts were able to deliver a snapshot that captured a look into how exercises like these enhance cooperation and planning both within and outside the E.U.
As the premier member-based security policy organization in the E.U., the ESRT provides the Union, NATO and other organizations with a neutral forum in which to discuss the future of European security and defense policy. The June conference provided an opportunity to explore existing E.U. cyber security policies and initiatives, as well as what is needed for the future. At the outset, ESRT leaders hoped to provide attendees with a cyber exercise demonstration that would drive thinking about critical cyber security issues and spark discussion about how they currently are being addressed within their home countries, as well as in coordination with the E.U. and other outside entities.
The exercise demonstration presented a multimedia walkthrough of three distinct attacks against different European critical infrastructure sectors, with simultaneous impact on several E.U. member states. The demonstration was facilitated by cyber security expert Jon Noetzel of Fairfax, Va.-based SRA International.
Greater than the sum of its parts
Prior to the actual demonstration, Noetzel explained the nature and purpose of the various exercise types. The U.S. predominantly adheres to the Homeland Security Exercise and Evaluation Program (HSEEP) methodology for civilian public-sector exercises. And, while many methodologies exist, they share similarities with core elements of HSEEP, which divides exercises into two broad categories: discussion-based exercise (DBE) or operations-based exercise (OBE).
DBE formats include seminars, workshops and table-top exercises. Typically, international exercises that involve senior government officials use this format and provide the opportunity to address and explore joint policy issues, such as memorandums of agreement, mutual assistance pacts and other inter-governmental coordination issues.
OBE formats, on the other hand, include drills, functional and full-scale exercises, and provide a forum for operational personnel to assess their capabilities against targeted goals. Two notable examples of this format are the U.S. Cyber Storm and E.U. Cyber Europe series, though it is important to note that the E.U. does not share this exact HSEEP terminology.
And straddling these two categories is a format known as games, which can be discussion- or operations-centered.
Given the number of high-level participants in attendance at the ESRT conference, SRA chose to demonstrate a DBE.
At their core, cyber exercises give participants the ability to make mistakes in a simulated environment without real-world consequences. Moreover, they bring together diverse sets of stakeholders, all with the objective of validating plans and capabilities and discovering specific operational and policy gaps, by examining individual process components as well as holistic performance in the aggregate.
Around the world, cyber exercises have advanced the resolution of key international issues and eliminated many historic barriers between nations that previously prevented joint coordination and cooperation in cyber security. Given the potential consequences of a mishandled response to an international cyber attack, these opportunities deliver very high returns on investment.
During the cyber exercise demonstration, Noetzel noted that the European Network and Information Security Agency (ENISA) has recommended increasing the number of cyber exercises in the E.U. as part of a continual pan-European exercise cycle.
Establishing clear goals, objectives and milestones is the bedrock of a successful exercise. Goals and objectives not only influence who participates but also drive the development of the exercise scenario and a litany of other planning details. The complexity of this task increases, however, as more countries participate. While exercise planning methodologies vary from country to country, simple international exercises have been successfully planned and executed within a three- to six-month timeframe, while more complex exercises may require as much as two years of planning.
Developing objectives in any exercise can be difficult, particularly for international exercises, which by necessity require the communication of official positions. This can obscure underlying issues that need attention. So, regardless of what is written on paper, it is vital that exercise planners have a clear understanding of objectives and expectations well in advance. This greatly improves the exercise planning and development process.
Since the ESRT exercise was a demonstration rather than a full exercise, there was no robust, participant-based planning committee to determine the exercise’s objectives. To fill this void, the team from SRA researched European cyber security issues and past exercises extensively. This research included informative European cyber exercise after-action reports and key European Commission reports.
Specific report findings included the importance of:
• Building a roadmap for pan-E.U. exercises that includes a definition of standard procedures and structures for large-scale events and more bi- and multi-lateral cyber security exercises;
• Increasing collaboration between member states;
• Addressing the importance of the private sector in ensuring cyber security; and,
• Organizing member states internally by developing and testing national contingency plans through exercises.
The ESRT exercise presented a host of issues for policy makers’ consideration. These issues and associated questions were derived from a wide range of publicly available government and industry studies. The exercise presented the following topics, which addressed both internal and external cyber security and cyber preparedness issues:
- Internal Issues -- Internal issues are those that remain confined to the authority of a specific country or individual entity. Even in effectively run governments, establishing or revising cyber security policy remains a complex process that requires diligence and careful resolution.
- Leadership and incident management -- Governments must have a cyber incident management plan. Such a plan identifies the lead department or agency, incident management structure, roles and responsibilities, and legal or other authorities critical to any cyber response effort. Key impediments inherent within inter-governmental planning and coordination include internal competitions for resources and reputation, statutory prohibitions or limitations, disparate organizational cultures, and political favoritism.
- Defense, intelligence and law enforcement coordination -- The need for government to regularly share information and intelligence both internally and externally is critical. Progress that may have occurred in this area for traditional threats cannot be assumed to carry over into the cyber domain. Though similar concerns about compromising sources, collection methods and clearance reciprocity may apply, these issues have proven extremely difficult to resolve within the cyber domain given the perceived sensitivity of such information.
- Continuity of operations planning -- With the rise of crippling cyber attacks against governments and private organizations, the need for comprehensive continuity of operations planning at all levels is greater than ever before. Such planning necessitates a targeted evaluation of all cyber-based infrastructure and mission-essential functions of an agency or organization.
- Public-private partnerships -- Coordination between the government and the private sector, particularly on cyber security, raises a host of legitimate concerns that must be addressed. Given that the private sector owns a sizeable portion of critical information infrastructure and services, cyber attacks against such assets can devastate national economies and the social welfare of citizens.
- International coordination -- Cyber events do not confine themselves within national borders and therefore require cross-border or broad international coordination with other nations. The focus of many international cyber exercises is issues related to bi- and multilateral coordination, intelligence and information sharing, and joint investigation and response operations.
A well-crafted scenario is arguably the most important and unique element of any exercise, cyber-focused or otherwise, because it influences the direction, pace and overall dynamics of the exercise discussion. A thorough and productive scenario is one that leads exercise players toward the achievement of specific strategic and operational objectives, while surfacing critical issues for consideration, action and reflection. Because of these requirements, crafting a scenario is often the most time consuming and meticulous step in developing an exercise.
To build the ESRT scenario, the expert team first had to develop a keen understanding of who would be part of the exercise, as well as the key issues they would have to address in order to fully capture the responsibilities and operational considerations of the exercise participants. At its best, an exercise well-constructed and executed would perhaps inspire the participants to return to their home agencies and organizations with new ideas for improving their cyber security posture.
With this in mind, the team made the following key determinations regarding the exercise scenario. It should:
- Involve multiple European critical infrastructure sectors;
- Elicit response actions from key stakeholders across law enforcement, private sector, government and national/international information security communities;
- Target multiple E.U. member states across diverse geographic locations;
- Involve distinct and overlapping cyber attack vectors that escalate issues from an organizational-level perspective to an E.U.-level perspective;
- Strive for originality in design and execution;
- Touch upon critical issues described in past E.U. cyber exercise reports and after-action analyses.
The team divided the exercise into three main “moves,” each detailing separate cyber events that evolved simultaneously within the move, as well as chronologically across all three moves.
At the conclusion of each move, ESRT audience members were presented with a series of critical questions about the evolving scenario and about how the organizations for which they are responsible would, and should, react. In general terms, the ESRT scenario moves included a trans-national financial sector target, a multi-national government sector target and a key commercial/transportation sector target -- all of which involved and affected member state governments, computer emergency response teams (CERTs), law enforcement, financial sector leaders, NATO authorities, media entities and E.U. citizens. Lastly, discussion areas included bi- and multilateral information and intelligence sharing; public-private sector threat communications; organizational cyber policies and response procedures; the government’s role during a private sector attack; international assistance; strategic national communication; forensics coordination; and numerous other key aspects of a robust, full-spectrum response planning capability.
With the increasing number of vulnerabilities, and the ease of access to cyber attack software and equipment, the incidence of cyber attacks will continue to grow globally.
Faced with the inevitability of cyber incidents, exercises such as the one described in this article provide an accessible, flexible and cost-efficient tool that every policymaker and organizational leader should have in their cyber security planning toolkit. These exercises offer the ability to learn lessons in a practice environment, before they are learned during, or after, an attack occurs. Exercises offer the opportunity for organizations to discover what they may not know or have considered, before the would-be hackers bring these unknowns to their attention in a very costly, potentially debilitating, way.
John Cosgrove and Adam Bulava are both cyber analysts with SRA International, Inc. They can be reached at: