No longer a subject on periphery of the average policymaker’s understanding, SDA Director Giles Merritt remarked that that past year has seen an explosion of “real and concrete political, diplomatic and industrial policy making, international discussion and action.”
As the recommendations of the recently published Executive Summary to the 2012 Security Jam have made clear, actionable strategies in the area of cyber-security are no longer purely theoretical. The challenge instead is to make these actions as effective as possible betwee international actors and across sectors.
As Assistant Director of Operations and Europol, and the appointed head of the newly created European Cyber-Crime Centre, Troels Oerting approached these issues from a criminal prosecution perspective. “We would like to generate synergy between existing capabilities - it is not entirely a well-oiled machine when it comes to coordination, we will need to improve”, he explained. Adding that the costs of cutting edge cyber-forensics tools were astronomical, the Director advocated that Europe should focus on avoiding wasting resources. “Overlap is understandable, but duplication is idiotic”, he said.
Chris Painter, Coordinator for Cyber Issues in the Office of the US Secretary of State, expressed optimism about the plethora of international efforts to coordinate cyber-security – from the Budapest cyber-crime convention to the 2011 London cyber-security treaty debate. Transparency and confidence building is the key”, he added. “It has been taken up by the OSCE as a long term project - it’s important to develop these confidence building measures, to support a stable cyber environment.” He also emphasised the power and value of international norms such as protection for non-combatants and humanitarian principals in approaching the cyber-domain. “Those norms still apply.”
Antoaneta Angelova-Krasteva, Head of Unit for Internet and Cyber-security at DG INFSO emphasised the need to bring the various competencies and capabilities of the EU member states up to speed. “The level of preparedness is variable between member states”, she said. “We have to be more strategic in our planning, and more responsible about how we tackle future threats and challenges.” She went on to the outline the legislative proposals the European Commission intends to launch later this year to enhance information sharing across the EU.
From the industrial perspective, Jeffrey Snyder, Vice President of Cyber Programs at Raytheon, emphasised the need to coordinate new technology development. “We always look for opportunities to partner, looking to how can we minimise re-invention, avoid duplicate investment, and develop some common capabilities to circumvent this real threat” across the Atlantic, he said. The industrial expert also proposed that the EU should examine the US inter-state Information Sharing and Analysis Centres (ISAC) - anonymous networks for cyber-security information sharing that avoid potentially damaging industrial disclosures. “Could this be analogous to what you need to do in the EU?”
Heli Tiirmaa-Klaar, Cyber-Security Policy Advisor and the European External Action Service, emphasised that all of these sectors have to be factored into a coherent, multi-level policy. “What makes our job hard is to find proportionate responses according to the different levels and severity of the threat we are faced with”, she said. Expressing doubt that a global “cyber arms treaty” will ever come into being, the former NATO policymaker focused instead on international capacity building. “Sooner or later we have to deal with this - how to raise the global minimum level of capability?” For Tiirmaa-Klaar, the key could lie in exporting current inter-EU Computer Emergency Response Team (CERT) frameworks abroad. “Once we succeed within the EU model, we should think of a global one”, she stated.