How can we protect our “critical infrastructures” from fatal cyber-attacks?

infrastructureLast week, our sister think tank the Security and Defence Agenda (SDA) held an event on “Critical Infrastructure Protection in the cyber age“. Critical infrastructures include all necessary facilities a country needs to take care of its citizens, ranging from government websites and banking services, to air traffic control and the supply of energy.

As critical infrastructures become increasingly reliant on connectivity to the internet, they are at risk of becoming targets for malicious attacks, often state sponsored. As Jason Healey, Director of the Cyber Statecraft Initiative at the Atlantic Council recently stated:

HealeyWhat concerns us is “the internet of things” –connecting things made of steel and concrete to the internet. Because once those are connected to the internet, then a cyber-attack will not only destroy ones and zeroes, but things of steel and concrete, and when they break, people will die.

During the SDA’s event, we asked several questions to two CIP (Critical Infrastructure Protection) experts: Michael Daniel, Special Assistant to the US President and Cybersecurity Coordinator, and Sigrid Johannisse, Advisor on cyber security in the Cabinet of Neelie Kroes, European Commissioner for the Digital Agenda.

First, we asked Michael Daniel how big the threat of cyber-attacks on critical infrastructures currently is:

So the threat is real and although for the moment it is difficult for hackers or malicious actors to inflict their intended damage at the time and place of their choosing, Michael Daniel expects that this will become easier over time. We put the same question to Sigrid Johannisse, but with a specific focus on critical infrastructures in the EU:

The Network and Innovation Security (NIS) Directive requires EU member states to put in place cyber defence capabilities. In March the European Parliament voted in favour of the Directive, meaning that it will now have to be implemented at member state level. Secondly, we asked both experts where they think the threat of cyber-attacks mainly comes from: individual hackers or state-sponsored attackers? And which governments form the biggest threat?

What do YOU think? Are countries investing enough in developing their cyber defence capabilities? Will attacks on critical infrastructures replace conventional warfare in the future? And how can countries work together in protecting their critical infrastructures? Leave your thoughts and comments in the form below, and we will take them to policy-makers for their reaction!

IMAGE CREDITS: CC / Flickr – Ryan Lackey


24 comments Post a commentcomment

  2. avatar
    Tarquin Farquhar

    Don’t link-up national energy grids – keep them ALL separate.
    Spy on everyone, everything and everybody.

  4. avatar
    Eugene Tishchenko

    The majority of respondents are expecting information securityrelated M&A to increase over the next 12 months. They attribute the anticipated rise to the extensive use of cloud computing, data storage, and virtualization technology.

  5. avatar
    Evgenii Tishchenko

    If we examine the last WEF report, then in line with earlier results, the majority of respondents (53%) expect IT services and technology companies to be the most active acquirers within the information security space. These firms are improving and making their existing line of products and services more sophisticated to cater to the specific needs of each client.

  6. avatar
    Rui Manuel Simões oliveira

    In my opinion we should be more concerned about this cyber attacks because its our safety that’s on danger. First of all, every state members must have an european plan that put in top of internet priorities the safety of the european citizens by working in a development map based in the proximity with tecnologic companies in order to provide ‘strong’ anti viruses capable to prevently detect with more time the cyber attacks. Then, there should be more relevant information as panflets, marketing on tv, distribution of information in the streets. And finally , more workshops to transform mentalities and prepare better the european citizens in order to deal with the cyber attacks, because safety start on us!

  8. avatar
    Jaume Roqueta

    the best way of preventig civer attacks is respect people… dont try to steal theyr money and rights…

  9. avatar
    Mihai Suciu

    Gandeste-te la persoana iubita. 2. Repeta numele ei in gand de 3 ori. 4. Spune te iubesc. 5. Pune asta in alte 20 comentarii oriunde pe facebook. 6. Daca ai facut tot ce scrie mai sus maine o sa iti spuna te iubesc! Nici eu nu am crezut dar a mers

  10. avatar
    Kevin

    Always have humans involved in the chain of command

  11. avatar
    Nico Segers

    The investments are one thing, setting pan-European concrete targets / benchmarks based on the severity on inter-sectoral and intra-secoral infrastructure vulnerabilities is the logical next step, and member states working quickly towards testing their cyber defence mechanisms. Nurturing the network of national Cyber security authorities and their linkeages to the member states’ (Criminal) Justice branches requires sufficient EU budgetary backing.

    However, a serious impediment remains member states’ reluctance to cooperate more thorougly, which is iterated by experts like prof. Bart Preneel (Belgian Cybercrime Center of Excellence for Training, Education and Research (BCCENTRE)) in May. In March, the Obama administration endorsed a thorough “whole-of-government” approach to incident responce in the cyber domain and proposing a federal ‘co-op’ campus for key civilian agencies to pool their staff and programs on cyber security incident response.

    Fact remains that ENISA is more an advisor and overseer rather than operational regulator or agency with top-down inspection powers. The transboundary nature of cyber intrustions means that individual enforcement of national agencies’ technical and investigatory strenghts are an inadequate equation. I find it questionable that cyber resilience across Europe is tenable without a “europeanization” of cyber training. If not, then collective cyber governance will fail and malicious hackers and criminals will exploit our failure to work together on joint weakness points. Not to mention the meagre budget ENISA currently has at its disposal… Funding calls for Digital Security research (including topics on ICT in infrastructure protection) have increased, but for 49 million € (http://ec.europa.eu/research/participants/portal/desktop/en/opportunities/h2020/topics/1052-ds-03-2015.html) that still seems quite under par compared to the budgets talked about in the U.S. (also consider that EU populace counts 182 million inhabitants more than U.S.!). Hence I hope that within two-three years an array of strong, innovative partners will consolidate key cyber security inspection skills and develop digital platforms and programs that the member states direly need and have to refurbish in intense cycles following figures and degree of ‘successes’ of cyber intrustions.

    SCADA systems are largely privately operated, so frequent mandatory state ICT / infrastructure security audits – perhaps even using confidential “ethical hacking” and consolidation of state-of-the-art security / anti-intrustion diagnostic tools (by a authority created within ENISA for the national CERTs ?) to measure flaws, are to be put in place. A serious fall-out will do more economic damage than continued monitoring and auditing — which we need as cyber security ‘insurance. While surely the industry will try to keep intrusive and random cyber authority diagnostic auditis at bay, the path of autoregulation simply does not guarantee that they can pull off the job on their own, without independent supervision.

    02/29/2016 Heli Tiirmaa-Klaar, Cyber Security Policy Advisor for the European External Action Service (EEAS), has responded to this comment.

    10/30/2018 Edvinas Kerza, Lithuanian Vice-Minister of National Defence, has responded to this comment.

    10/30/2018 Kate Charlet, Program Director of Technology and International Affairs at the Carnegie Endowment for International Peace, has responded to this comment.

  12. avatar
    Jaume Roqueta

    first not supporting terrorist actions like bombing gaza, prosecution of civilians in strikes, and not playing the game of war between USA and RUSIA!… this would prevent the most common motives to produce a civer-attack… but the simples way is to desconect from internet any critical infraestructure… it is crazy that you have not think on that?… anything in internet is not critical… critical infrastructures are nuclear plants, airports, trains etc etc.. so please, disconect the servers from internet.. thats all!.

  20. avatar
    Nadir Silva

    the internet is the only relatively decentralised mean of communication there is, stop tampering with it. keep law out of it. keep politicians away from it. Do not fool yourselves, the people who are afraid of cyber attacks are not innocent.

  22. avatar
    Dobromir Panchev

    Disconnect the critical infrastructures from the Internet :-)

  23. avatar
    Dominique

    Stop ICT outsourcing and human brain dumping
    Stop voice over IP and control you TC rooms.
    Stop all in one GIGA contracts and get back to people you know the name.

  24. avatar
    Dominique

    Danger is most of the time inside …
    So far so high you build your fire wall… Think crypto and think to track out your stuff in case of someone succeed. If you are inside the cavern who care, who get the know how? I
    it’s strange that the know how is away with the guy you change every 4 years. The guy who fix the rules or who explain to you how you have to fix the rules, in fact the guy who knows and who you ask to do, he knows also that you will fired him a little bit later ….So maybe if you are polite he will give you the keys back … More humanity in the techno fields will make a better world for both parts …
    Sorry It’s late I juist wake me up and I thought I had a good dream …

Your email will not be published

Leave a Reply

Your email address will not be published.

Notify me of new comments. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Similar debates

By continuing to use this website, you consent to the use of cookies on your device as described in our Privacy Policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them.

I AGREE PRIVACY POLICY