We need to overcome trust issues in cyber security

It is no wonder that with such attributes as the ease of launching an attack, the ability to hit multiple sectors or countries at once and the difficulty to identify the perpetrators, cyber threats thrive in today’s hybrid environment.

The ever-increasing digitalisation of everyday activities makes the cyber domain both a safe haven for malicious actors and a headache for governments and companies that are trying to protect themselves against the increasing threats and attacks. In the case of Lithuania, for example, the Lithuanian National Cyber Security Status Report 2017, conducted by the National Cyber Security Centre (the NCSC) under the Ministry of National Defence (the MoND) of the Republic of Lithuania, reveals that when it comes to cyber attacks, the most targeted sectors in the country are energy, public security and foreign affairs. One can easily see how vulnerabilities in these sectors could lead to consequences that are severely damaging, such as disturbance of energy supply, compromised police work and the loss of classified information.

An equally disastrous ripple effect is caused if social engineering tools are employed in operations ranging from financial extortion to stealing official government data. Or, in a true hybrid fashion, attacks may combine both cyber and information elements. Earlier this year, a Lithuanian news website was hacked to post fake messages about Lithuania’s defence minister, simultaneously sending e-mails with infected links to numerous recipients. The hacker’s IP address was traced to Russia.

Against this backdrop of cross-sectoral and cross-border effects of cyber threats, the most logical response is an integrated public-private cyber security system at the national level, complemented by a high degree of international cooperation. While it might not be easy to achieve, it is surely not impossible.

Lithuania’s cyber security system, which has already undergone its growing pains, could be taken as a positive example. In 2015, the Law on Cyber Security was passed, distributing various responsibilities among national institutions. Soon enough, it became apparent that there were still obvious functional overlaps and inefficient distribution of resources. At the same time, governmental and business entities found it difficult to address the right institution in case of an emergency. This led to the decision to consolidate all cyber responsibilities under the the MoND and the NCSC, thus creating a single authority on cyber security for both public and private entities.

A crucial element in implementing these reforms was the issue of trust-building. It started within the National Defence System with the aim of creating synergy between the MoND and the Armed Forces, so that both institutions would see themselves as integral parts in dealing with cyber issues. The next step was to engage other public and private actors, encouraging them to open up their networks, share information and internalise the responsibility to fulfil organisational and technical cyber requirements. A number of practices have been set up to contribute to trust-building: annual public report on cyber security to raise the general awareness and understanding of cyber threats; regular state-wide cyber exercises and other educational activities for developing practical skills and working relations among various entities; cooperation with the media, and so on.

The issue of trust becomes even more prominent at the international level. While governments can introduce various forms of penalties for failing to comply with cyber regulations nationally, most international organisations lack this type of authority. Therefore, one cannot highlight enough the unique role that the European Union plays in this area. Through its legislative powers, the EU can set unified standards not only for public, but also for private entities, as shown by the recently adopted legal acts the General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (the NIS Directive). Of course, it often falls to the EU member states to implement the law and for public and private companies to adhere to its provisions. This circles back to the individual states and the efforts they put into building robust national cyber security systems.

An even bigger qualitative leap is being made in the EU within the PESCO framework with the project “Cyber Rapid Response Teams (CRRTs) and Mutual Assistance in Cyber Security”. The initiative, proposed and led by Lithuania, foresees that member states do not only share information and expertise, but also pool human resources to handle and deal with cyber threats. The CRRTs will assist the participating nations in case of cyber attacks and could even be deployed in support of the EU institutions or operational activities.

From the inter-institutional perspective, cyber is proving to be the area where the EU can create value-added without duplicating NATO’s efforts. Therefore, it is necessary to further facilitate information exchange and improve communication channels between the two organisations. At the same time, it is important to expand the network of like-minded countries and share best practices with NATO and EU partners. Lithuania has been successfully doing this with Ukraine and Georgia.

As cyber threats become more complex, individual states and international communities cannot afford the luxury of lagging behind in terms of strategies, methods and tools. In Lithuania’s experience, a single ownership of cyber security authority, together with consistent communication, helps to develop trust and bring different actors and stakeholders together.

Yet, national efforts are not enough. The transnational nature of cyber threats can only be adequately addressed if there is readiness to engage in a conversation and action. The EU has the instruments to spur a more vigorous move in this direction where states are willing to share their knowledge and capabilities for the sake of common security and tangible results. However, the key takeaway is that practice makes perfect: fostering trust must be regarded as a continuous investment, especially when progressing from national solutions to ambitious international initiatives.