Digitization made us vulnerable. We will not resolve digital vulnerabilities neither Today nor Tomorrow. Therefore, we need to make sure that we are resilient.
A NEW NATIONAL STRATEGY
Vulnerabilities related to digitization create a shift in traditional governmental roles and responsibilities. Digitization entails, for example, a paradigmatic shift between ‘military vs. police’ and ‘national security vs. crime’. In addition, there is movement in the confines between authorities and private entities. A shift in the relationship between ‘state vs. private’, and ‘military vs. non-military’.
Digitization challenges a series of traditional key paradigms, suggesting that digitization should be managed from a more holistic perspective.
The contemporary hybrid environment is described by the merger of battle space, humanitarian space and cyberspace, the latter being a decisive novelty that greatly enhance the spectrum of influence and potential outcomes of employing hybrid tactics.
Future successful security policy planning requires an innovative multifaceted response that reflects this multidimensional confluence of diverse political and strategic directions across a cast of public-private actors.
The current situation appears to present a window of opportunity to condense the complexities of formulating holistic cross-sector policies into a manageable guiding principle for responsive national security policies.
Resilience against hybrid threats entails an expansion of conventional military defence planning principles to include non-military spheres into comprehensive security policy planning. Most NATO and EU countries have yet to confirm specific national policies aimed to increase their resilience, both in regard to civilian crisis management, disaster or emergency preparedness, and in relation to cyber-defence, countering information operations, and protecting critical infrastructures.
While we are waiting for Godot – the Danish Government’s new cybersecurity strategy – we live in the hope that the long-awaited government announcement answers some key challenges in digitizing society.
The digital domain dissolves the traditional divide between organizational and professional boundaries. It is a new political reality, where we must learn to navigate in new networks of cooperation.
Providing robustness to counter vulnerabilities in the
digital domain is first and foremost a cross-sectorial task. It requires
cross-sectorial efforts to defend the nation’s digital infrastructure. It
requires cooperation between defence, police and civil society.
Digitization calls for political understanding of convergence in relations across a security policy field of defence, crime and market economics.
In a criminological narrative, this convergence between defence, police and civil society is called ‘The Security-Crime-Risk Continuum’: a theoretical conceptual construction based on the claim that the robustness of any digital community must be provided through cross-sectorial interaction between military intervention, law enforcement, and corporate risk management. The concept inspires a holistic strategic approach that is prerequisite for providing accountability, robustness and security against the many vulnerabilities introduced by digitalization of core societal functions.
A robust response to digital vulnerabilities therefore takes an offset in cross-sectorial cohesion. The cross-sectorial distribution of responsibilities in national security policy appears to be a precondition for successful implementation of resilience in the coming Danish national strategy for cybersecurity.
Fragmentation of roles, responsibilities and resource allocation seems to hamper cross-sectorial cooperation. To a large extent fragmentation has been the culprit, delaying implementation of the intentions in the Danish national cybersecurity strategy from 2014.
Stove-piping, entrenchment, and bunker mentalities have dominated the sector-specific approach to governance in cybersecurity. This dilemma also applies to both cross-governmental cooperation across public authorities, and cooperation in public-private partnerships.
Achieving results in collaborative efforts across various divides comes with a pricetag in terms of both time and money. Digitization of vital societal core functions is introduced at breakneck speed. Sufficient resources were not allocated for thinking robustness and security into the process, resulting in lack of overview and coordination at both cross-sectorial and sector-specific levels.
It makes us very vulnerable right now.
Providing robustness to critical vulnerabilities in digital infrastructures is a task best resolved at the sharp end in the individual sectors, but must be managed centrally. The Government’s new strategy should provide a central direction in this process.
The new cybersecurity strategy must designate a central authority that can create a cross-sectorial overview that guides and maintains oversight of the process involving governmental stakeholders and private actors within the individual sectors. Centralization aims to clarify the strategic objectives of digital robustness and to ensure that requirements are observed and validated. At the same time, a central function must be built, which will serve as a single entry point for reporting cyber related incidents.
This is particularly relevant providing robustness and security in critical societal functions.
PROTECTION OF CRITICAL INFRASTRUCTURES
Critical infrastructures are all things that bring cohesion and solidity to our society. Everything that used to bring it all together was formerly state property and state responsibility. That’s not the case anymore. Ownership of critical societal functions is largely delegated to both national and international private companies. The change in ownership affects some of the key security policy paradigms, such as ‘national vs. international’ and ‘internal vs. external security’.
In the current Danish risk landscape the challenge is that some sectors are more vulnerable than others. However, some sectors have not yet identified the most serious vulnerabilities. We generally need to identify the features that are critical to the robustness of society, and we need to assign and delegate responsibilities and resources to authorities and private providers of critical societal functions. The process must necessarily take place at the sector-specific level – where the appropriate competencies are available. We must implement a process based on the principle of sectorial accountability.
Compliance is the key concept for providing robustness in critical infrastructures – in both sector-specific and cross-sectorial terms. Unlike a number of other countries, Denmark does not currently have a formalized central definition of the concept of critical infrastructures. This designation is assigned to an individual interpretation of the term in the individual sectors.
The Danish 2014 cybersecurity strategy favours key dynamic sector-specific solutions. However, the starting point for the dynamic approach is rather confronted by the fact that we have not adequately allocated resources for the task.
Due to lack of resources, the provision of robustness and security in digitised critical infrastructures has been prioritized in competition with other tasks of the sectorial authorities. The process has gone stale, awaiting the arrival of new impetus that hopefully comes with a new strategy during 2018.
Digital vulnerabilities in critical infrastructures must be considered globally. Denmark is among the most digitized communities in the world.
But we are not among the best in measure of robustness against digital vulnerabilities. According to the UN/ITU Global Cybersecurity Index from 2017, Denmark is down to a 34th place internationally. Precisely because of the prominent position in the implementation of comprehensive digitalization of society, we are also more vulnerable than most.
Within the five pillars of the ITU Global Index, which measures the quality of security and robustness in the state’s handling of digital vulnerabilities, Denmark fails the test. To reverse the downfall the Government’s new strategy must address specific challenges in the absence of sectorial legislation, outstanding national strategy development, inadequate cross-sectorial cohesion, dysfunctional public-private cooperation and diffusion in capacity building. A global comparison shows that Denmark is lagging behind.
In the cyber arena, the Danish National Security Policy Agenda is driven by regulations and directives coming from NATO or EU. Providing robustness to digital vulnerabilities has been the subject of great awareness internationally for a number of years. Denmark has obligations in relation to international cooperation in the digital domain. Defence and security policy initiatives from international cooperation must be embodied in Danish law to achieve compliance.
This top-down process meets resistance when national interests come into play. The latest controversy surrounding the introduction of EU’s GDPR into the Danish national legislation on privacy protection provides a relevant casestudy.
A status quo of Danish digital robustness will undoubtedly show that some sectors are well prepared. Other sectors have basic processes and certifications in place, which may require updating. But the majority of Danish companies will be found to be completely in the dark. This is still true in meeting the requirements provided in the EU Privacy Guidelines, GDPR, and introducing corporate compliance in accordance with the renewed national data protection law; however, the EU NIS-Directive lurks in the shadows. The NIS-Directive has a decisive influence on how to introduce robustness and security into critical infrastructures in the future.
GDPR & NIS-DIRECTIVE
In 2016 Denmark acceded to the NIS Directive, which, like legislation for personal data protection, will come into force from May 2018. When we focus on the protection of critical infrastructures, the NIS-Directive becomes the pivotal focal point for the impending strategy.
The Net- and Information Systems Security Directive (NIS) is the EU tool for promoting digital robustness in all EU Member States, thus promoting cyber security across the EU as a whole. Due to a high degree of interdependence across borders, digital vulnerabilities will migrate, justifying the top-down approach.
The Directive obliges member states to identify operators of vital societal functions and to ensure that they comply with a number of requirements. The Directive focuses on digital vulnerabilities. It is anticipated that the intent of the NIS-Directive will be implemented in the forthcoming Danish national cybersecurity strategy. Based on the sectorial principle, the respective responsible ministries must set requirements and criteria for operators with roles and responsibilities in the protection of critical infrastructures, and monitor that operators comply with sector-specific network and information security requirements.
CENTRAL MANAGEMENT – DECENTRALISED IMPLEMENTATION
In this sector-specific process to ensure NIS-Directive compliance, there will be great need for centralized management. This is the primary key to affirm requirements and criteria for critical infrastructures. Secondly, resources should be allocated centrally for implementation of the national strategy and the introduction of compliance in accordance with the intentions of the NIS-Directive in the individual sectors.
Without resources, the implementation of a Danish cybersecurity strategy will be delayed, possibly repeating continued breaches of vulnerabilities in critical infrastructures that result in major tangible and intangible losses to both public and private entities.
Part of the requirements for authorities and operators is the introduction of management processes according to ISO 27001. This will give operators and authorities in each sector a high level of insight into their own preparedness. Thus the individual sectors have the best knowledge and skills to create opportunities for increasing robustness against digital vulnerabilities. The ISO standard will be a common starting point for sector-specific efforts. However, ISO 27001 does not necessarily provide a cross-sectorial coherence. Therefore, a centralized body is needed to create cross-sectorial overview, transparency, oversight and facilitate a coordinated process.
Overview, coordination, accountability and resource allocation appear to be key challenges in implementing new strategies for sector-specific digital robustness. Therefore, the different sectors may risk fragmentation and redirected prioritization of the task when the new national strategy is to be implemented. The new national strategy must address these challenges in the individual sectors.
The same challenges arise in inter-ministerial and inter-agency cooperation. The essential requirements for a successful cross-departmental implementation of the forthcoming national cybersecurity strategy requires the establishment of a central authority that creates overview and coordination and a centralized designation of critical infrastructures, in support of decentralized implementation. And finally a central distribution of costs for implementing the strategy.
The national cybersecurity strategy will hopefully provide an overall security policy approach to security for everyone in the digital domain. It should determine a new security policy paradigm. Here, ‘robustness vs. vulnerabilities’ is a decisive bid for a new overall agile paradigm. In a global and pan-European perspective, resilience is the term that most easily leads to a discussion of a national implementation of NATO and EU targets for a ‘robust and secure society.’
RESILIENCE AS A STRATEGIC PARADIGM
Despite of the widespread use of the concept, there is no common definition of resilience across different disciplines, such as psychology, ecology, sociology, political sciences, military studies, criminology, law, economics, technology or systems theory. In various contexts the concept is loosely translated into robustness, resistance, sustainability, changeability, defence or restitution. In the absence of a precise interdisciplinary definition, resilience assumes a label as ‘Buzzword’.
Nevertheless, both NATO, EU and national strategies in a number of countries use the concept in their response to the challenges in the digital domain. Resilience – or robustness, in our interpretation of the term – contains the hypothesis that our world has become complex. The number of vulnerabilities is extensive. It has in itself an escalating effect to talk about many serious cyber events from a threat terminology. It has become impossible to protect ourselves from all of the risks found in the digital domain – let alone prevent them from happening.
We must understand cyberspace as a risky digital domain, where it is crucial to increase focus on own vulnerabilities, mutual interdependence and resilience. Instead of talking about strategies for deterrence, we must work with risk management.
In this context, robustness is an antonym to vulnerability.
Robustness holds a promise that whatever happens, we have an idea of how to recover and proceed.