One click to attack critical infrastructure. What can we do?

9 Dec 2021 08:30h - 10:00h

Event report

The discussion, moderated by Ms Anastasia Kazakova (Kaspersky), had two parts. The first part addressed what states define as critical infrastructure (CI) and the policy frameworks in place to protect it, while the second engaged the technical community in exploring the creation of a ‘UN cyber emergency phone book’.

First, speakers shared definitions of CI in their respective countries. Ms Regine Grienberger (Federal Foreign Office, Germany) explained the German national approach and how it is embedded in the EU framework. ‘We have something that we call a whole of government and a whole of society approach to critical infrastructure protection. Essential elements of these are that we observe close public-private cooperation with intense information sharing, we try to continuously improve the cybersecurity level’. Grienberger also sketched the broader landscape of German cybersecurity laws and strategies at federal and local levels, and presented a progress report on negotiating the NIS directive.

Mr Daniel Klingele (Federal Departments of Foreign Affairs, Switzerland) said Switzerland also has a strategy to protect CI. It defines CI as systems and facilities essential for the functioning of the economy, that is, for the well-being of the population. That can include energy, supplies, passenger and freight transport, and medical care. ‘As we have seen during the pandemic, medical care has really come up high on the agenda because of many attacks on the health sector’. In Switzerland, protection of CI is a cross-cutting task that interfaces with various policy areas and tasks like energy policy, security policy, and protection against natural hazards.

In Singapore, eleven critical infrastructure sectors are functioning, said Mr Yock Hau Dan (Cyber Security Agency, Singapore). These sectors provide services essential to the citizens of Singapore related to national security, defence, foreign relations, the economy, public safety and public order. The Cyber Security Agency works closely with the various sector regulators to determine criteria for levels of disruption for each CI sector and then designates critical objects and entities that should receive better protection from cyberattacks.

Finally, Ms Johanna Weaver (Tech Policy Design Centre, Australian National University) shared recent legislative developments for CI protection in Australia. The new laws have several provisions: extension of the definition of CI from 4 to 11 sectors, including parts of the DNS system; creation of a register of CI objects, with stronger incident reporting and ownership requirements; and extension of the powers of the government to take control over infrastructure in case of a serious cyber attack.

Kazakova also asked how domestic frameworks of CI protection coexist with the UN framework for cyberstability.

Grienberger pointed out that UN cyber norms are very generic. Klingele said that a broad exchange between CI providers and the government is vital. A network of relevant stakeholders must be established early on and continuously strengthened. Hau Dan agreed that no single country or stakeholder will be able to assume full responsibility for ensuring the cybersecurity of its CI. Weaver emphasised once again the important milestone of the adoption of the GGE and OEWG reports by all UN member states, especially the norm relating to intentional damage of national CI. ‘There are not enough countries in the world making public commitments that they are not going to intentionally damage the critical infrastructure of other states. We know there are many countries out there who have and are developing cyber defence capabilities, including Australia. Australia, however, is one of the few countries that publicly commits that we’re not going to use these to damage the infrastructure of other states. We need more transparency.’

Speakers also expressed views on the interplay between national cybersecurity frameworks and the actual actions of CI providers, which primarily belong to the private sector. According to Grienberger, the responsibility of governments is basically to provide for the framework, to set up national rules, and to instigate international cooperation with regard to malicious state activity. ‘That is also a diplomatic responsibility, but with regard to cyber criminals, it’s also the responsibility to cooperate with law enforcement and other governments in the jurisdictions. Private owners of critical infrastructure are responsible for secure operations’.

During the second part of the workshop, members of the technical community discussed ways that states with lesser cyber capabilities can address cyber incidents. They also addressed issues of CERT neutrality and ways in which technical collaboration between the private sector, cybersecurity research firms and CERTs could be arranged when helping with multi-jurisdictional attacks.

Mr Serge Droz (Forum for Incident Response and Security Teams) noted that most CERTs will sooner or later run into limits regarding handling of incidents. They do not have access to infrastructure operated by the private sector. Droz also stressed that a CERT should only do what it is designed to do: ‘The one role they’re designed to do is responding to incidents. They should not be party to any other activity such as attribution, for example, or offensive capabilities. If you start to deal with someone that does attribution, then other states may not collaborate. You do not know if this plays back’.

Ms Carmen Corbin (Head of Counter Cybercrime Programming (West and Central Africa) at UNODC) spoke about regional work on capacity development events, which bring together cybersecurity experts and various CERT members to provide space for networking and trust building.

Mr Pierre Delcher (GReAT at Kaspersky) provided insights on cyber attacks and how they affect the scale of incident response. ‘Cyber attack incidents are global by nature, but response almost never is. The results of the current rate of cyber attacks and cybersecurity incidents speak for themselves’. 

By Ilona Stadnik