Si Vis Pacem…
A recent article published in the Frankfurter Allgemeine Zeitung (FAZ – soft paywall) about Germany’s “Operationsplan Deutschland” (English version of the informational brochure here), or OPLAN DEU, has drawn media attention to escalating tensions between the EU and aligned countries, and Russia, accelerated since Russia’s 2022 invasion of Ukraine. The operational plan is a national defense contingency plan created “in response to the aggravated security situation in Europe“.
Arguably, this type of plan is necessary regardless of Russia’s aggressive posture. European defense spending and preparedness have lagged since the end of the Cold War; although German spending has grown in absolute terms over the past decade, it has declined significantly as a percentage of GDP (Macrotrends.net).
Russian hostile acts against or in countries it perceives as adversaries include the 2018 assassination attempt on British soil against a former Russian spy, a threat by former Russian president and prime minister, and current deputy chairman of Security Council of Russia Dimitri Medvedev about sabotage of undersea communications cables, a foiled plot to assassinate the Rheinmetall CEO, interference in the 2016, 2020 (pdf), and 2024 US presidential elections, a likely 2024 arson attack on a German munitions-related firm, numerous disinformation campaigns (some examples from the Germany interior ministry), alleged sabotage of several European television satellites, to name a few examples.
The FAZ article was predictably represented on Kremlin-controlled website Russia Today as “German army warning companies of war with Russia” – interestingly, the “Ukrainian Military Center” Public Organization (Militarnyi) published an article titled with a very similar tone. Both make the German government recommendations sound more pressing (which in my opinion they should be) than an absolutely necessary and advisable, even routine part of ensuring critical industry and infrastructure is prepared for eventualities. At the same time, both Sweden and Finland, two countries accustomed to dealing with threats from their neighbor, have issued war preparedness pamphlets to their citizens as part of a more immediate crisis readiness plan.
Don’t Forget the “Cyber” Aspect
So, where does “cybersecurity”, as in a big part of CyAN’s very raison d’être, fit into this?
Many of the sample articles and information pieces I linked to above refer to Russian “hybrid warfare”. In the information space, this includes Russian government tolerance and even support for malicious cyber actors, including run-of-the-mill criminal APT groups. The Natto Thoughts team have covered this topic well in multiple articles. It entails digital sabotage, denial of service operations, espionage, and other active measures (e.g. the Sandworm/APT44 group prominent for its 2022-23 attacks on Ukrainian power infrastructure, but operating since 2008).
Russia has engaged in extensive social media disinformation campaigns, election interference, online defamation and threats against disinformation researchers, and other acts designed to damage the digital economy and confidence in democratic processes and institutions. CyAN is dedicated to supporting information security, and online trust and safety. As such, any systemic threat to these aspects of liberal democratic society is of interest to CyAN. Q.E.D.
Since the early 2000s, we’ve seen a gradual increase in the level of awareness and preparedness, from citizens, government, and companies, in the cyber-defense arena. The creation of the ISAC model in the US, with coordination bodies such as the US National Council of ISACs and Empowering EU ISACs initiatives, has improved intra- and inter-industry coordination and information sharing. Various national cybersecurity centres, public-private initiatives such as the UK NCSC’s Industry 100 Programme and US NCCIC (pdf) bring together commercial-sector and government specialists, including for more transparent and seamless sharing of classified information.
Exercises involving both public and private domains, such as the NATO-and-friends annual Locked Shields simulation run by the CCDCOE in Estonia, help identify gaps and enhance cooperation. Actionable guidance to industry, such as ENISA’s excellent ISAC in a Box toolkit, public institution-led critical sector cooperation bodies such as the European Central bank’s CIISI group for key financial market infrastructure actors, and various national crisis coordination bodies such as Germany’s UP-KRITIS group organized by the German cybersecurity agency BSI also stimulate and enable active cooperation and preparation at a national level. TIBER (Threat Intelligence Based Ethical Red Teaming) forces key financial sector firms to toughen up their defense.
What’s Next?
There’s much more to do, though. I wrote an article about the need for improved and more active public-private cooperation in the area of national cyber defense for CyCon 2022 (my talk is here – starts around 50:00 if you have a few minutes to admire my choice of conference wardrobe). While it’s clear that any activity tasked with something as important as national and regional cyber-defense must be cautious about factors such as whom it admits and trusts, sharing of classified information, cost and resources, and respect for legal restrictions, we could do a lot more as a society (not just a collection of individual countries) to prepare for, and respond to, state actors who seek to destabilize and undermine us.
In my view, the “to-dos” fall primarily into three main heavily overlapping categories:
Awareness and Education
Western governments can and should do a much better job explaining to both citizens and companies what cyber-threats they face – not only to their daily lives, but also to the functioning of their economy and democratic institutions. There are already many great resources; Europe would benefit from standardized information and education channels and content.
Who are the actors? What motivates them? What kinds of threats can they face? Finland’s media literacy school curriculum is a great example of how to prepare young people to critically approach (dis-/mis-)information they will face online. Making information about risks, threats, and good practices more easily available to citizens through active outreach would be a good start.
Education and mentorship of new information security professionals is another issue. While the shortage of skilled security experts is an ongoing trope, and stress/burnout of staff from technicians to CISOs has been rising to frightening degrees (a big shoutout to CyAN’s “sister” organization dedicated to improving mental health in the cybersecurity industry, CyberMindz), much of the activity aimed at addressing these challenges seems to consist of cranking out more cybersecurity graduates. Meanwhile, recruiting remains a complex process, many new career entrants lack access to the kind of multidisciplinary experience-gathering opportunities and mentorship that are vital for building true experience, and company traineeship programs are often disconnected and inconsistent.
Helping to solve this is a role tailor-made for national and EU public sector agencies. A major part of government’s role should be to provide opportunity- and prosperity-building initiatives that on their own would not be profitable for industry to run. This could include, for example, giving tax incentives for hiring and paying new graduates as part of training programs, bringing academia and industry together at new talent events, encouraging and sponsoring industry mentorship initiatives, even providing guidelines for just how to better encourage the development and retention of talent.
Better communication of expectations, for example of senior corporate leadership, also presents great opportunities. European cybersecurity-related regulation such as the NIS2 Directive and Digital Operational Resilience Act are generally pretty well written, but create significant overhead for a lot of firms; based on the same principles of accessibility and clarity that make the ISACs in a Box toolkit so powerful and useful, agencies like ENISA can do more to not only issue actionable, practical mini-guidance, but to proactively provide easily navigable collections of these, especially to small and midsize firms, as well as local and regional governments.
There are many small business resources that provide cybersecurity hygiene and risk management best practices. These are frequently inconsistent, badly updated, and hard to find. Providing a simple “meta view” for smaller and less mature firms, alongside easy-to-follow checklists under an “80-20” approach (fix 80% of problems with 20% of the effort, figure out how to make things perfect once you’ve done that) would go a long way towards making security practices more accessible.
Channel / Process Identification, Use, and Creation
In short: all the above, and more. ISACs, critical infrastructure get-togethers, newsletters for senior leadership, exercises and testing, and good practices communiqués are all important. We need more of these. Similarly, there are not enough inter-industry forums for sharing cyber-threat intelligence or good practices at an operational, hands-on level. Conferences and lectures only go so far; people learn better from interaction than passive consumption of information, hands down.
A concrete, highly anecdotal example that is relevant for private citizens: my small Catalan village neighborhood has its own WhatsApp group, in addition to the overall town group – a large percentage of residents subscribe, and sometimes contribute, to these. It’s a resource they understand and trust. At the same time, very few of my neighbors realize just how much disinformation they face on Facebook and other Internet forums, especially around election time, or what kinds of cybercrime they are at risk of. Rather than creating informational websites (to directly quote a friend currently working for a major national cybersecurity center, “oh god, not another portal”), why not seek to identify and contribute to these? Issue simple flyers to local governments to share with their citizens through proven, reliable means.
In my opinion, the single biggest gap in European public-private cybersecurity capabilities is the unconditional provision of forums and channels to private sector organizations seeking cooperation and guidance. Especially at EU level, coordination and communication tend to be extremely focused on member-state verticals such as national CERTs and cybersecurity agencies. ISACs are a superb way of democratizing and streamlining alerts and information for companies, local governments, NGOs, and educational organizations.
Such coordination initiatives need money for expenses like analysts, coordinators, events, and communications resources. Funding can only come through a) government contributions, b) membership dues, c) sponsorships, and d) donations. B) and c) bear major logistical challenges, d) is undependable, leaving a) – as anyone who has ever applied to an EU Horizon grant can attest, this is a very challenging undertaking. Governments prefer to invest in shiny new things rather than funding boring, existing initiatives that work. Why is that? Even just creating and running mailing lists, get-togethers for intelligence analysts and specialists,
Preparation
Again, more please. No plan survives first contact with the enemy. Practice makes perfect. Insert additional clichés and mix to taste.
TIBER should be expanded to more of the many critical industry verticals defined in NIS2 – and made lightweight and more accessible for smaller firms, if possible. Locked Shields is a massive, complex undertaking – but cyber-range and table-top (TTX) exercises are nothing new, and could be offered in much less cost- and time-intensive “mini-versions”.
For private citizens, this becomes a bit trickier; for example, one could offer fairly harmless individual versions of the common corporate fake phishing email to citizens, or create simple, fun quizzes to disseminate via known channels, see above.
In short, make testing simple, affordable, and accessible, be ruthless about exposing gaps, and make remediating shortfalls as painless as possible.
Conclusion
We should not have to deal with this. Cybercrime and -abuse are a serious issue even without atavistic state actors entering the picture.
Some initiatives already exist to help build society- and industry-wide cybersecurity maturity and resilience. These should be lauded and expanded. The same applies to sectors, such as the financial industry as well as oil & natural gas, which have a comparatively high degree of security capability – the mistakes and innovations these verticals have undergone can help other, less cybersecurity-evolved industries, reach a higher degree of readiness and robustness more rapidly.
At the same time, there are a lot of simple, low-cost opportunities for dramatically enhancing our ability to cope with malicious information campaigns that are part of essentially hybrid warfare. Much of this is nothing more than identifying and expanding existing resources, sharing information, and coordinating between activities to ensure that private citizens, businesses, as well as democratic institutions and free markets across the liberal world are less vulnerable to hostile cyber-acts.
Also, I want a pony.