As a lobbyist at the European Parliament, where I follow the ITRE committee, I send draft proposals.
Abstract: More and more countries have taken the leap from being industrial societies to being information
societies. Societies are becoming increasingly dependent upon information technology, and thereby it
is important to reduce vulnerabilities in the information infrastructure and combat threats against such
an information society.
Input on threat images against information society
CEO of Somerco Research Ltd Jan Softa. Date: 2013-04-02.
Background
Helping geniuses! Our slogan sums up who Somerco aims to help. Somerco is a
company that aims to help researchers and innovators so that these geniuses can
create prosperity and jobs in society. We are foremost a technology company, but are
open to contributing input on issues concerning the protection of information
society. Much has been done; more needs to be discussed, developed and adopted.
Introduction
The information age has created incredible possibilities concerning how societies
disseminate, collect, and use information. The communication between people and the
access to information has appreciably been facilitated through information technology
(IT). However, technical development seldom means only advantages; it also means
challenges. During the last decades, the development of IT products and systems has
been very rapid, and the use of IT has increased considerably. A common observation
is that it has made societies more vulnerable. Moreover, IT-related threats are often
invisible. An actor can operate from anywhere in the world, making it difficult to
identify a threat and its aim. Moreover, the number of persons with sufficient
computer knowledge of how to disseminate computer viruses and with the capacity to
carry out attacks against the IT infrastructure is increasing. With this paper I want to
contribute on how best to protect information society. I want to start by raising a
question: Is it increasing the money we spend on combating or learning more about
cyber attacks that gives the greatest value for money, or are there more urgent areas to
attend to?
A wide perception on threats
Lack of proper attention from decision-makers to various kinds of threats could lead
to insufficient risk management of threats against vital functions in an IT society. The
analysis of threats against an IT-dependent society includes digital threats. The other
threat images that need attention are the so-called physical actor threats, construction
flaws and threats originating from natural disasters, dependencies and
interdependencies.
Examples of digital threats are cyber-attacks against web sites and servers, on-line
databases and IP addresses. These attacks can be executed by actors such as young
hackers that are driven by curiosity, but also more threatening actors such as
criminals, spies, terrorists and by other states. The motives can be to steal, manipulate
or destroy data in order to affect political decision-making processes, or to get access
to information in corporations and authorities. Physical threats have an external
intentional or unintentional effect on the function of IT. Intentional threats include
deliberate acts of sabotage to IT infrastructure, with the use of explosives or tools,
such as a sledgehammer. Unintentional threats can be caused by poor security
routines, which might lead to further incidents. Negligence and other human factors
can also be a risk factor.
Figure 1. Threat images against information society
Construction flaws arise when IT systems have an insufficient security level or a
functional flaw. One example is when bugs in software become threats against
societies. Natural disasters that can threaten the IT infrastructure include lightning,
storms, earthquakes, volcanic eruptions and avalanches since these can cause
interruptions in the power supply and the telecommunication networks, which are
necessary for the proper functioning of the Internet, e-mail, etcetera.
When it concerns dependency, I focus on a key dependency for the functioning of
information society – namely access to computer chips in times of crisis. In times of
crisis our access to computer chips is critical. When it concerns interdependencies for
an information society, they are related to infrastructural interdependencies. Threats
against and vulnerabilities in information society have taken a salient role in the
political security agenda in many states and the EU. One reason is that the IT
infrastructure has a vital function in a modern society since other infrastructures, such
as the power networks and telecommunications, have become increasingly dependent
upon IT in order to function.
Figure 2. Infrastructural interdependencies
[Figure 1 labels: Digital, Physical, Construction flaw, Natural disasters, Dependencies, Interdependencies]
[Figure 2 labels: Transport, Oil, IT, El, Telecom, Water]
Discussion
Regardless of the reason for the disruptions in IT systems, the information society
will not function if it is not prepared for these threats. Lack of proper attention
from decision-makers to these various kinds of threats could lead to insufficient risk
management of threats against vital functions in an IT society. Due to this I would
like to continue with the question raised at the start. Is it increasing the money
we spend on combating or learning more about cyber attacks that gives the greatest value for
money, or are there more urgent areas to attend to?
In this paper I focus on a few issues that could be discussed with the question in mind.
I start by discussing the role of national and international governmental agencies,
move on to comment on private-public partnership (PPP), and end by discussing Europe’s
dependency on access to computer chips.
To start, I want to acknowledge the important role the European Government CERTs
(EGC) group, which performs operational tasks, has played, and also the national
CERTs. To set up a well-functioning national/governmental CERT is a first step.
Only some Member States have to date adopted national cyber security strategies.
However, I do not think it is enough to rely only on CERTs since they to date only
focus on computer incidents – digital threats. A wide perception of threats against
information society includes, besides digital threats, physical threats, construction
flaws, natural disasters, dependencies and interdependencies. In my opinion, a
cyber security strategy is an important step, but a more holistic approach should be
adopted and thereby the countries' national strategies should be further developed and
include more aspects of vulnerabilities. With a more inclusive perception of threats
against information society, the responsibilities of governmental agencies should also
evolve or new ones be put in place. Should the CERTs be a part of an agency that
works with a wider threat palette? Or should the CERTs evolve and adopt greater
responsibilities to face these threats? Herein lies an interesting issue: what is the
best organisational solution on a national level and EU level? Future steps could be to
increase the CERTs' mandate to include preventive work and also combating all
threats described – digital, physical, construction flaws, natural disasters,
dependencies and interdependencies. Or should the future role of ENISA evolve and
take on this responsibility, and what relation should the EC member states have to
them?
Private-Public Partnership is important to have in place on a national and international
level since a lot of society’s critical infrastructures that are dependent on the
functioning of IT are run by private companies. The European Public-Private
Partnership for Resilience (EP3R) is a platform which facilitates the exchange of best
practices among the Member States and ICT companies. The EP3R has no formal
standing and cannot require the private sector to report incidents to the national
authorities. A framework for trusted information sharing and for communicating
information on NIS threats, risks and incidents is absent within the EP3R. Is this an
initiative that should be given greater importance by implementing legislation
demanding incident reporting? Will it be necessary to allocate more financial
resources to them? A particularly interesting question is whether they should be managed by
ENISA and the private sector, or will it be necessary to have another organisational
structure in place with a more holistic approach?
In times of crisis, when does our access to computer chips become critical? I would
argue that in a short-term crisis it is possible for those companies and agencies that are
considered critical for the functioning of society to stockpile what is on their home
market. In a long-term crisis the chip producers will change the location of their facilities
or ask someone else in another country to build up their capacity to meet the demand on
the market. It is in a mid-term crisis in countries/areas where
computer chips are manufactured that the vulnerabilities are highest. In a crisis when
shortages of computer chips do occur, which countries get access to the produced
computer chips first? Who ranks second and so on? I would argue the countries that
rank first are the countries that produce the computer chips, and the two largest
chipmakers, Intel and AMD, are US companies. Second would be those countries that
pay the most. Most likely several European countries would and could pay more.
However, are we prepared to be ranked second in such a key area for the functioning of
information society?
To have companies in the European Union that produce computer chips is one way to
decrease our dependency on having access to this key component. I know that Russia
has thought in these terms and thereby has production facilities in their country.
Moreover, if a European company were to emerge that is interested in producing
computer chips, would it be able to compete in this rapid development, with price,
etc