Recently, I was invited to speak on a panel in Tbilisi, Georgia at a NATO-Georgia Conference on Emerging Security Challenges put on by the NATO Energy Security Section, Emerging Security Challenges Division. The topic was Energy Security, including Cyber Threats to Infrastructure (Moderated by Mr. Michael Rühle, Head, Energy Security Section, Emerging Security Challenges Division, NATO).
You can find a copy of my presentation here: http://sintixerr.files.wordpress.com/2011/07/natotbilisiswhitsitt.pptx
When writing – and delivering the presentation – I found it difficult to support both the scope of the panel as described – Energy Specific SCADA threats/vulnerabilities – while at the same time meeting the audience’s need for a higher level view of the problem. I definitely need to work more on bridging the gap between the technical realities of what we do and the knowledge/perspective of policy makers…but that was always going to be hard…if it was easy, it would happen more often. :)
As for the rest of the conference, there were a number of presentations given, but I was most impressed by Alexander Klimburg’s take. He spoke about the intersection between attribution difficulties in cyber space and recent talk about kinetic response to attacks by nation states. Policy discussions seem to be moving, according to Alexander, in a direction which results in rapid, somewhat automated, escalation of hostilities between nations in the event of a cyber attack which seems to have come from another nation. With the confidence in attribution being as low as it is – and with such a high probability of non-state actors being involved – this type of escalation becomes probablematic and ill-advised. Alexander’s talk proposed creating confidence building measures between states and non-state cyber attack actors, building in enough of a policy buffer to allow thoughtful responses to attacks, and having the media “name and shame” attackers where confidence isn’t 100% as a deterrent.
I don’t completely agree with all of the details, but philosophically, I think he was on point.
What I also found interesting about the conference was that the same conclusions were drawn at the end of this conference that are drawn at the end of every other cyber conference:
- More information sharing is needed
- Public/Private Partnerships are important and difficult
- Cyber is a real threat
- Large organizations can help solve some, but not all problems in cyber security
- There needs to be clearer definition of roles and responsibilities
Someone in the audience rightly asked: “Yes, that all is obvious, but how do we do it?”
That’s a perfect question, and one I ask constantly. I’ll say again: You can’t just say “cyber security is a problem” and expect to implement a plan to solve it; you can only speculate as to what types of efforts might be involved. The problem needs to be defined in a much more structured, specific manner than we have so far (in my mind, using threat models which link risks to strategic business objectives from cyber systems to tactical risks to those cyber systems…at some point I’ll post a model for that here).
That all said, the trip was fantastic:
My NATO and Georgian hosts were gracious, professional, and intelligent. The locals were a lo of fun – I spent one evening with three random Tbilisians (one cute bartender, a guy who claimed to be a male model and was explaining the story of the city’s founding in broken english and by waving his arms up and down like a giant bird, and a US expat helping to start a lab). The country was beautiful; I particularly loved some of the crypts on the floor of a church in Mtskheta (the script was beautiful…I suggest checking out Georgian writing).
Thanks to Julijus for inviting me to speak. I was very grateful for the opportunity.
(Edit: This is a pretty rough draft of this blog post. It may change significantly and I want to add many more thoughts, but I wanted to get it out before it became OBE.)