Slashdot Mirror
Europe's Cybersecurity Policy Under Attack
wiredmikey (1824622) writes "As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments. Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are.""
welcome to 1996, can we cyber?
Actually 29 different cells can be a good protection.
As long as they move from the "teenage sex" to acctaully doing it!
And they actually fix things at their home countries, and get their cooperation skills so they can do coordinate work between the different cells.
Even if 26percent has some form of plans, i bet there is not more then 1percent that look on IT security as business critical..
Even though a 1-3hour stop in corporate LAN's or WAN connectivity usually grinds 95percent to complete halt!
Nowdays there is even talks about getting more and more "cloud" software for goverment....
How nice that will be when they should be able to work in natural disasters and problems with civilian society similar to Ukraine and Georgia...
Are any of these systems Multi-Level Secure? This stuff was figured out in the 1970s, we're still 10 years away from collectively realizing we needed it yesterday.
Such as the day of the week, what is being server at Tom's Pub, what the movie schedule is. But, they are definitely not going to share their mother's chicken pie recipe!
Freud might say that Intelligent Design is religion's ID.
unless, of course, the earth has been engulfed in nano machines and turned into grey goo...
Usually I sell that, but ... let's say I do it for my country.
0. Drop the "cyber". It makes you sound like a 16 year old wannabe kiddy. The 90s called, they wanted their buzzword back.
1. Get your act together and get the EU to formulate a security plan. It's amazing how that bureaucratic piece of bulldung can get a guideline about every kind of crap but not about security. Ok, I know, politicians don't know jack about it. Didn't stop them in any other area, did it? Get a few experts (please, for a change, get experts rather than some corporate lobbyists) and get the shit on track.
2. While you're at it, get a technology incident rapid response team together. Staff and fund them well. And, again, don't listen to some lobbyist shysters telling you that they should be used to protect some corporate assets. They can do that themselves. Their job is to keep YOUR COUNTRIES safe. Yes, that includes keeping them safe from said corporations! Their job is to make sure that your infrastructure, from power to gas to water, everything that depends on the internet today (which is a security nightmare by itself by the way, but there's little you can do about it now anymore) is secure. That shit is important! Think what's going to go down in your average town if they're just 3 days without water, gas and power. Trust me, you'll hope that you only get to deal with riots.
3. As soon as you get the plan from 1 down, make sure that your key infrastructure corporations (gas, power, water, logistics) implement it. Make CEOs and CSOs personally (!) responsible to get their shit together. Audit the living daylights out of them. If they fail, jail the responsible C-Levels.
It's neither hard nor really that expensive. But it's necessary. We're HEAVILY dependent on some of that crap today but we treat it like it's some kind of minor inconvenience if it should fail. Part of me really hopes that it will at some point, part of me feels sorry for the thousands that would have to pay for it with their life.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
> While you're at it, get a technology incident rapid response team together. Staff and fund them well. And, again, don't listen to some lobbyist shysters telling you that they should be used to protect some corporate assets. They can do that themselves. Their job is to keep YOUR COUNTRIES safe. Yes, that includes keeping them safe from said corporations! Their job is to make sure that your infrastructure, from power to gas to water, everything
You've largely described the role of the National Emergency Response and Rescue Training Center in the US. Their focus in recent years has been IT security for infrastructure. When the experts there aren't actively responding to an emergency, they are providing training, often to state and city officials. For example, New Orleans mayor Ray Nagin and his staff could have been much better prepared if they had taken a few days of TEEX training.
NEERTC also provides some pretty good online cybersecurity classes for free. The material is great, the presentation could be improved. The idea is that a few experts can't protect everything, but they can certainly help educate the people who are responsible for critical systems in how to keep the systems safe.
It wwould be sad (and stupid) if the funding for NERRTC (a few million dollars) were redirected to some senator's pork project, so I hope the public continues to support their mission.
Full disclosure - I am tangentially associated with NERRTC. I don't work for NERRTC, but I work with them.
As a participant in CE14's exercises last week, what I got the feeling of was something far less political, and vaguely reminiscent of the CTF exercises that I used to do back in school. My (corporate) team was in the top 10 of the published scores (adding all points for published teams, though teams had the option to hide their scores!)
I noted that either the actual turnout for the technical exercises was PITIFULLY low, with only about 10% of the registered teams even posting a single completed challenge, or almost all the teams chose to keep their scores private. In my own country the police forces, military, as well as intelligence branches of government participated, but not a single reported score came from any of them. The exercises were well designed, but technical requirements were not communicated at all before hand to players, so my team at least had to spend a full day of the two day exercise setting up systems to use for it!
Personally, I thought as a practice round for incident response, the exercise was great, BUT as a competition it was terrible. I found myself really wishing for the good old attack/defense combination (this was PURE incident response, no defense even!)
There may be some policy related to all of this, but I haven't seen any sign of it myself. I avoid politics and stick to my software usually.
Actual security for none. Someone please invade this shithole.
What the hell is Multi-Level Secure?
All rites reversed 2010
CYBER CYBER CYBER. 15 years ago it meant something totally different than the politicians are talking about.
I was promised a flying car. Where is my flying car?
like teenage sex: everyone says they are doing it but not that many actually are.
So, the ones actually doing security are doing it very much? Based on US television shows I hereby conclude that the US must be one of the most secure places in this world.
Multi-Level Security was worked out in the late 1960s in order to allow computing both Secret and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had Mutli-Level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.
The closest you're likely to approach is if you enable the MAC option in FreeBSD, which is experimental.
The Genode project aims to provide a capability based security system which can run Linux Apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as App-Armour tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.
I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and this needs a more rigorous, carefully engineered solution, instead of the layers of patch we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that timespan significantly.
"Cyber" and "teen sex" are the two things you NEVER want to see in the same sentence!!!