Presentation made at Cyber Defence 2010 (National Security in a Borderless World), in Tallinn, Estonia on 17th May 2010, covering "Why the Private Sector is Key to Cyber Defence".

1. Why the Private Sector is Key to
Cyber Defence
Gareth Niblett, Chairman, BCS ISSG
18th May 2010

2. About your Speaker
Overview
Chairman of the BCS ISSG, a security specialist group Recent Collaborative Efforts:
with over 3,500 members from BCS, the Chartered BCS Security Community of Expertise
Institute for IT, where he is involved in a number of British Business Federation Authority
initiatives focused on improving security and safety. (BBFA)
Currently working as a managing consultant providing Centre for the Protection of National
business advisory services and solutions focussed on Infrastructure (CPNI) sponsored UK
security, privacy and compliance, especially in relation Network Security Information
to communications and online services. Exchange (NSIE)
Electronic Communications Resilience
Previously Chief Information Security Officer (CISO) of & Response Group (EC-RRG)
a national communications and IT services company
EURIM e-Crime Working Group
where he had group wide responsibility for all aspects
of information security, participating in government and Internet Watch Foundation (IWF)
Funding Council
industry forums focussed on infrastructure protection,
emergency services, resilience and response, internet Network Interconnection Consultative
safety, next generation network assurance and secure Committee (NICC) Security Group
network interoperability. 999/112 Liaison Committee
Presentation to Cyber Defence 2010 2

3. 01
Critical National Infrastructure (CNI)
What is critical and why

4. What is Critical National Infrastructure?
Critical National Infrastructure (CNI) is the Overview of CNI Sectors
collective term for those services that are
Communications
essential to the economic, social and
Critical National Infrastructure
political wellbeing of a country. Emergency Services
CNI can be categorised into 10 sectors: Energy
communications, emergency services, Finance
energy, finance, food, government and
Food
public services, health, public safety,
transport and water. Gov. & Public Services
Health
 Not everything is critical
Public Safety
 Each sector is different Transport
 Many sectors privately held Water
Presentation to Cyber Defence 2010 4

5. Why are these Sector Critical?
Without Communications, your telephones (fixed and mobile) and
Internet access stops working properly; you become unable to call, fax,
text, e-mail, browse or otherwise transfer information.
Without Energy, your home goes dark, you can’t get online, although
your telephone may work (while the telcos’ batteries / generator hold out),
you can’t get fuel for your vehicle or home, business start shutting down.
Without Finance, your bank account and card stops working, so you
can’t withdraw cash, buy groceries, pay for fuel / travel, or pay bills.
Finance relies on Communications for transfers, online & phone banking.
And so on…
Critical National Infrastructure is a complex web of vital interdependent
services, which are all dependent on technology, creating new risks.
Presentation to Cyber Defence 2010 5

6. 02
Why the Private Sector is Critical
Or, why governments can’t just do it themselves

7. Why rely on the Private Sector?
Governments no longer own and control significant portions of their
country’s critical national infrastructure. This varies by country but is a
growing trend, due to consolidation and globalisation. Also, critical
infrastructure now crosses borders and may be under foreign control.
Companies once government owned may have been privatised and are
now outside of direct government control; or companies that may never
have been under government control in the past, being independent
commercial venture, have become critical to a nation’s infrastructure.
As with every rule there are exceptions and complications. Even with
partial government control of a business, such as when there has been a
financial bailout or the sector is strictly regulated, governments may still
struggle to deal with CNI issues without clear rules and co-operation.
Presentation to Cyber Defence 2010 7

8. Private Sector is Key to Cyber Defence
If online government & banking services start collapsing under a deluge
of sustained access attempts coming from thousands of worldwide
sources, it would take international co-ordinated effort, between finance,
government and communications to identify and mitigate the threat.
If a leading global search engine and dozens of other leading businesses
are extensively compromised, possibly by a foreign intelligence service,
exposing sensitive company and customer information, including trade
secrets and source code, surely governments might be interested.
If a national power grid uses legacy SCADA systems, now connected
internally via IP, that may be susceptible to exploitation via the Internet by
foreign nationals then this exposure is of interest not only to government
but to all the other sectors of critical national infrastructure.
And so on…
Presentation to Cyber Defence 2010 8

9. 03
Information Sharing
Government, industry and cross-sector collaboration

10. Why is Information Sharing Important?
Sharing information about the risks facing critical national infrastructure is
beneficial to both government and industry. If each parties can privately
learn from the experiences, mistakes, and successes of each other, then
they can all improve their level of assurance.
No government, sector or company can operate in isolation in the
modern, interconnected and dependent world. Without information
sharing, it may not be possible to find out about risks whose impacts may
affect you; therefore you are unable to adequately protect or prepare.
Companies will be reticent in sharing commercially sensitive information
without a similar reciprocal arrangement. If government does not engage
in a positive two-way dialogue with the private sectors that form part of
CNI then they are likely to be unaware of all the risks facing the country.
Presentation to Cyber Defence 2010 10

11. How does Information Sharing occur?
Public Education – publication of information security standards, user
awareness, education campaigns, threat assessments (warning levels)
Private Advice – restricted information on physical, personnel and
electronic threats and vulnerabilities along with mitigation approaches
Information Exchanges – trusted government & sector representatives
sharing sensitive info on threats, vulnerabilities, incidents and intelligence
Standards Development – collaborative working to define standards for
information assurance, e.g. in Next Generation Networks (NGNs)
Policy Development – arrangements to help ensure security, such as
staff vetting and procurement rules for critical components and services
Planning Exercises – joint government / industry crisis workshop
looking at complex scenarios, e.g. loss of power and / or communications
Presentation to Cyber Defence 2010 11

12. 04
Private Sector Support
How assistance is given to cyber defence & investigations

13. What Support does Private Sector give?
Example: in many countries the communications sector has been
privatised and opened up to competition, but it regulated and is generally
co-operative to lawful requests and supporting CNI. It is often best placed
to support efforts in cyber defence through a variety of routes, such as:
Lawful Interception – targeting content of voice & data communications
Data Retention & Disclosure – communications related data records
Filtering Illegal Content – blocking or removing child sexual abuse
images, terrorism material, defamatory or inciting statements etc.
Filtering Unwanted Content – spam, phishing, malware, DDoS etc.
Online Investigations – hacking, botnets, copyright infringement etc.
Infrastructure Protection – building and operating to secure standards
Resilience & Response – robust networks but responsive to incidents
Presentation to Cyber Defence 2010 13

14. 05
Lessons Learned
What events have taught us about improving collaboration

15. How can we Improve Things?
Countries need to recognise that government does not own all of CNI
and that they cannot provide adequate cyber defence in isolation.
More effort required to establish effective Public-Private Partnerships,
both nationally and internationally – with a focus on consistency.
Information sharing must be two-way and include information that is
not, and should not be, in the public domain to be of significant benefit.
Joint exercises simulating response to realistic scenarios with a large
scale impact on CNI – business continuity plan testing at a national scale.
Planning will not highlight all the things that will occur in a real event, be it
a physical terrorist attack, or an online cyber attack – a flexible and agile
defence is needed. This can only be achieved through collaboration
between governments and the private sector that forms much of CNI.
Presentation to Cyber Defence 2010 15

16. And Finally…
Questions welcome, either now or later.
More of me:
Blog: http://www.infosecmaven.org/
Twitter: http://twitter.com/INFOSEC_Maven
LinkedIn: http://uk.linkedin.com/in/garethniblett
If you want direct contact details, please ask…
Presentation to Cyber Defence 2010 16