At the 23rd annual Economic Forum in Krynica, Poland, on September 5, ICDS organized a panel discussion entitled Cyber Security Policy: Defending Critical Network Infrastructure and Protecting Rights. Moderated by ICDS director Ambassador Matthew Bryza, the panel featured Cyber Security Policy Advisor of the European External Action Service Heli Tiirmaa-Klaar, Brigadier General Krzysztof Bondaryk, advisor to the Polish minister of national defence, and Nataša Pirc Musar, Information Commissioner of Slovenia and President of the Europol Joint Supervisory Body.
23.10.2013
The panel addressed the question of how governments can actively promote the security of critical infrastructure while continuing to serve as a neutral guarantor of fundamental rights.
Security versus privacy; defensive versus offensive cyber capabilities
In his introduction, Bryza noted that since everyday life has taken on a cyber dimension, it is becoming increasingly difficult to separate cyber security from other types of security. At the same time, he observed, we can see dichotomies emerging. One is between the responsibility of governments to protect their citizens and the freedoms and rights of the public. Another is the split between defensive and offensive cyber capabilities; the former is less controversial, while the latter causes many significant discomfort.
Bryza also referred to the different public attitudes towards government surveillance in the US and in Europe. Since 9/11, Americans have been more concerned about their security, and hence expect the US government to conduct extensive electronic surveillance to protect them from terrorists and criminals. Immediately after the PRISM scandal broke, 56% of Americans still expressed support for the surveillance programmes of the National Security Agency (NSA), even though that figure has subsequently dropped to 44%. In contrast, in some European countries there is rather less trust in governments.
For his part, Bondaryk emphasised that cyber security starts with good “cyber hygiene”: all users should take steps to protect their privacy and identities. Unfortunately, many internet users do not understand that they sell their preferences on the commercial market. Bondaryk pointed to a certain ambivalence within Polish society: on the one hand Poles demand that the government ensure their security, while at the same time refusing to accept obligations imposed by the state in return.
Governments should use proportional measures to obtain personal data
In her remarks, Pirc Musar argued for the application of the proportionality principle to the activity of law enforcement and security agencies in data collection. The inherent “greediness” of law enforcement and intelligence agencies in collecting all available information—including information for which they have no need—contradicts the proportionality principle. Pirc Musar said that information collecting efforts must have a legitimate aim and governments should use only suitable, necessary, and reasonable measures to attain it.
Pirc Musar echoed Bryza in noting the difference between the US and Europe in approaches to surveillance and data protection. In the US, she explained, data protection is regarded as a right of citizens and consumers, while in Europe it is seen as a human right set forth in national constitutions. Moreover, she argued, surveillance practices diverge: in the US personal data is held by the NSA, but in Europe it is kept by telecom service providers, with police and security agencies able to request access to details only if permission has been granted by a court. She contended that in the US nobody checks what the NSA is doing with the data.
Estonia’s example has become a model for how to build resilience in the public-private domain
Heli Tiirmaa-Klaar began her presentation by noting that in Estonia, there is not much debate about the protection of personal data because all transactions in cyberspace in the country are based on its secure electronic identity card system.
She maintained that security and freedom are compatible. Security is a prerequisite for freedom, she explained; we do need a minimum amount of security to protect our freedom. In cyberspace security has always been an afterthought, because the idea of cyberspace was based on resilience, that is, the continuity of business operations. In cyberspace, security is not built into the technology, as it is for example in aviation. When we take an airplane, we have a justified expectation that we will not crash. This is not the case in cyberspace.
At a time when the Internet has become critical infrastructure for all of us, she argued, we are missing the same set of safety procedures that we have for other such infrastructure. In drawing lessons from the cyber attacks against Estonia in 2007, Tiirmaa-Klaar underlined two important conclusions. First, since cyber attacks will definitely be part of any future conflict, governments need to protect critical infrastructure from cyber attacks. As a small state with scarce resources, Estonia decided to focus on protecting critical infrastructure and on creating and enhancing public-private partnerships. Today Estonia’s example has become a model internationally for how to build resilience in the public-private domain. The second lesson highlighted from 2007 was that international cooperation is key to mitigating the damage caused by cyber attacks. Today most international organizations are active in fostering cyber security, something that was not the case in 2007.
As for how governments should protect this infrastructure, Tiirmaa-Klaar suggested that each country should choose its own model. On a national level, all countries should strive for resilience of their critical information infrastructure. On an international level, states should agree on standards of acceptable conduct in cyberspace; technical authorities should exchange information on cyber incidents; national regulators should compare notes; diplomats should make the cyber dimension part of their mainstream daily business; and international organizations should provide platforms for better cooperation.
Confidence and Security Building Measures in cyberspace
Turning to the topic of international law, Tiirmaa-Klaar claimed that an international cyber warfare law would not work because cyber tools are intrinsically dual-use in nature; we cannot control who uses them or for what purposes. In her words: “how do we control guys in pyjamas who are doing something bad with laptops in attics?” A cyber security treaty is not the right answer, as it would lend legitimacy to the actions of governments that seek to control their citizens. Instead, we should build trust and confidence between states, as well as create norms and regulations for states to act responsibly in cyberspace. Tiirmaa-Klaar acknowledged that attribution remains a big problem, but argued that confidence-building measures between countries—such as joint cyber security events, exercises, exchange of information, cyber diplomacy, etc.—can have effective results.
In response to an audience question as to whether cyber attacks fall under Article 5 of the North Atlantic Treaty, she suggested that since such attacks have a political motivation, NATO will decide its course of action according to the political context. This position is stated in the NATO cyber defence policy (2011), according to which “any collective defence response by NATO will be subject to political decisions of the North Atlantic Council. NATO does not pre-judge any response and therefore maintains flexibility in deciding a course of action that may or may not be taken.”
This program brief was drafted by ICDS research fellow Piret Pernik.