APMG's Head of Cyber presented on 'protecting the world's critical infrastructure' at the recent Federal Police CiberSeguridad Conference in Mexico.
Last week at the 3rd annual Federal Police CiberSeguridad conference in Mexico, I had the privilege to present on "Protection of critical infrastructure around the world" at the request of the UK Foreign and Commonwealth Office. Mexico released their new national cybersecurity strategy on the 13th November.
- our UK National Digital Strategy; driving our needs to Defend, Deter and Develop in cyber security in the approach we apply, including to Critical National Infrastructure.
- the role the EU Network and Information Security Directive (NIS) is now playing in shaping the services we need, including testing.
- our UK Cyber Capacity building programme, operating worldwide, including with the Global Forum on Cyber Expertise (GFCE).
- our own APMG experience in the UK FCO Capacity Building programme which now includes more than half a dozen countries across Africa, the Americas and Asia.
The culmination of the event was in joining a panel session with TRENDMicro, Cisco and Huawei which is what has led me to write this article, mostly on the long flight home...
I gave two answers. You may like to consider what yours would have been?
Firstly, the obvious one from a CDCAT® (or NIST Cyber Security Framework) perspective: we know how best to Protect and Detect (including using behavioural analytics and AI). However, for an effective strategy, we need to implement automated Response and not forget training the people involved, as both are essential to effective responses.
An email phishing example I know of took several days to isolate all the end points from the downloaded malware. Several days is an eternity in cyber time. We need to continuously optimise all forms of cyber defensive activities in Protecting, Defending or Responding.
For the second I reflected on an analogy: What have nuclear arms treaties got to do with cyber security?
They are both about assurance, of course. In our vendors of high technology we place our trust: TRENDMicro, Cisco and Huawei, and many others. The complexity of what their tools seek to achieve in actions is beyond what we as mere humans can replicate. Every day, every hour, every minute, every second and yes, every sub-second at the clock speed that marches the internet and computing forward.
In them we trust to defend our futures, to keep safe our digital dreams, our national strategy, the growth of jobs and prosperity we want now and for our children and children's children. Grand visions perhaps, but this is what is in the UK Digital Strategy: revenue of £118 billion in 2015 and £200 billion by 2025, £50 billion in exports, jobs growth at 2.8 times any other industry.
As debated with the wonderful people I met in Mexico, humankind is getting the bounty of such growth, not just the UK but internationally, as the services of the internet are truly global. Our capacity building strategy is international; as our strategy states, "We will help our partners develop their own cyber security – as we share a single cyberspace, we collectively become stronger when each country improves its own defences." So what of the Critical National Infrastructure strategy and technology of assurance question?
Well, that’s the point: the strategy must be to provide independent and continuous verification and validation of cyber security performance. As vendors on this panel session admitted, they don’t get it right 100% of the time; they are also continually learning, improving and optimising. Not surprising when the NSS Labs next generation firewall group test report states that they have tested for 157 evasion techniques to date. A level of complexity that is staggering. But then how do we know at any instant in time whether our vendors are on track or are underperforming?
You see, it is possible to provide independent continuous testing from 3rd parties using live threat feeds against vendor systems - something of benefit to the client and the vendor. This kind of test harness, off-line from our systems, should become the norm if we really want to understand our performance and continually improve and optimise our defences. For a hyperconnected world and critical national infrastructure, anything less will not be good enough.
And for Mexico, good luck with taking forward your National Cyber Security Strategy, your own path towards Society and Rights; Economy and Innovation; Public Institutions; Public Security and National Security. You have a very exciting time ahead. I look forward to coming back!
CDCAT® is a registered trade mark of Dstl. All rights reserved.