Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Europe's Cybersecurity Policy Under Attack

timothy posted about 9 months ago | from the teenagers-are-pretty-darn-creative dept.

Security 22

wiredmikey (1824622) writes "As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments. Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are.""

Sorry! There are no comments related to the filter you selected.

By the (-1)

Anonymous Coward | about 9 months ago | (#46915399)


cybersecurity! (0)

Anonymous Coward | about 9 months ago | (#46915433)

welcome to 1996, can we cyber?

What a nice dream.... (0)

Anonymous Coward | about 9 months ago | (#46915437)

Actually 29 different cells can be a good protection.
As long as they move from the "teenage sex" to acctaully doing it!
And they actually fix things at their home countries, and get their cooperation skills so they can do coordinate work between the different cells.

Even if 26percent has some form of plans, i bet there is not more then 1percent that look on IT security as business critical..

Even though a 1-3hour stop in corporate LAN's or WAN connectivity usually grinds 95percent to complete halt!

Nowdays there is even talks about getting more and more "cloud" software for goverment....
How nice that will be when they should be able to work in natural disasters and problems with civilian society similar to Ukraine and Georgia...

Re:What a nice dream.... (1)

Opportunist (166417) | about 9 months ago | (#46915597)

Actually, with SOX and similar stuff looming over the C-Levels' heads today, quite a few CEOs started to look at ITSEC as more as some kind of lip service, fig-leaf kind of thing that you kinda-sorta do so some activists stfu.

For some odd reason, I can't help but think that those 26% are pretty much those EU companies that are listed on the NYSE and hence subject to SOX...

Re:What a nice dream.... (3, Insightful)

Old Fatty Baldman (3630557) | about 9 months ago | (#46916387)

From what I've seen, government-mandated security auditing results in two things: 1) 10%-20% of your IT staff is always offline while they try to figure out why they can't log in today. (What was the 20 character password I used for that one account in the Prague datacenter?) 2) The auditing misses all of the gaping holes in the home-brewed software running in the datacenter.

Re:What a nice dream.... (1)

AmiMoJo (196126) | about 9 months ago | (#46917591)

They appeared to have missed the elephant in the room. GCHQ is the biggest cyber-security threat to the EU.

Multi-Level Security? (2)

ka9dgx (72702) | about 9 months ago | (#46915483)

Are any of these systems Multi-Level Secure? This stuff was figured out in the 1970s, we're still 10 years away from collectively realizing we needed it yesterday.

Re:Multi-Level Security? (1)

Ceriel Nosforit (682174) | about 9 months ago | (#46916499)

What the hell is Multi-Level Secure?

Re:Multi-Level Security? (3, Interesting)

ka9dgx (72702) | about 9 months ago | (#46916867)

Multi-Level Security was worked out in the late 1960s in order to allow computing both Secret and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula [wikipedia.org] model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had Mutli-Level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.

The closest you're likely to approach is if you enable the MAC option [freebsd.org] in FreeBSD, which is experimental.

The Genode project [genode.org] aims to provide a capability based security system which can run Linux Apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as App-Armour tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.

I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and this needs a more rigorous, carefully engineered solution, instead of the layers of patch we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that timespan significantly.

They will share all kinds of information (1)

innerweb (721995) | about 9 months ago | (#46915489)

Such as the day of the week, what is being server at Tom's Pub, what the movie schedule is. But, they are definitely not going to share their mother's chicken pie recipe!

If your phone gets stolen - do this: (-1)

Anonymous Coward | about 9 months ago | (#46915491)

If you are using your phone on the street and someone run by and grabs it - follow them. Find out where they live and what they own. Then fuck it up. Don't get caught and do not confront them.

If you find them later, go there. Do not be seen. Find out if they have a car or anything and fuck it up. Do not get caught.

If you see them and they are bigger than you - wait until you can hit them from behind with a heavy bar, tire iron, or large flashlight. Make sure it is them. Do not say anything. Just hit them hard until they go down. Run away. Do not be seen.

Your phone is gone. But you can fuck them up one way or another. Just be careful - it is not the movies. You with get hurt badly.

slashdotted (0)

Anonymous Coward | about 9 months ago | (#46915559)

unless, of course, the earth has been engulfed in nano machines and turned into grey goo...

Here's a little suggestion (2)

Opportunist (166417) | about 9 months ago | (#46915577)

Usually I sell that, but ... let's say I do it for my country.

0. Drop the "cyber". It makes you sound like a 16 year old wannabe kiddy. The 90s called, they wanted their buzzword back.

1. Get your act together and get the EU to formulate a security plan. It's amazing how that bureaucratic piece of bulldung can get a guideline about every kind of crap but not about security. Ok, I know, politicians don't know jack about it. Didn't stop them in any other area, did it? Get a few experts (please, for a change, get experts rather than some corporate lobbyists) and get the shit on track.

2. While you're at it, get a technology incident rapid response team together. Staff and fund them well. And, again, don't listen to some lobbyist shysters telling you that they should be used to protect some corporate assets. They can do that themselves. Their job is to keep YOUR COUNTRIES safe. Yes, that includes keeping them safe from said corporations! Their job is to make sure that your infrastructure, from power to gas to water, everything that depends on the internet today (which is a security nightmare by itself by the way, but there's little you can do about it now anymore) is secure. That shit is important! Think what's going to go down in your average town if they're just 3 days without water, gas and power. Trust me, you'll hope that you only get to deal with riots.

3. As soon as you get the plan from 1 down, make sure that your key infrastructure corporations (gas, power, water, logistics) implement it. Make CEOs and CSOs personally (!) responsible to get their shit together. Audit the living daylights out of them. If they fail, jail the responsible C-Levels.

It's neither hard nor really that expensive. But it's necessary. We're HEAVILY dependent on some of that crap today but we treat it like it's some kind of minor inconvenience if it should fail. Part of me really hopes that it will at some point, part of me feels sorry for the thousands that would have to pay for it with their life.

Re:Here's a little suggestion (1)

aliquis (678370) | about 9 months ago | (#46915837)

0. Yeah, use Security 2.0 instead.

1. They will never understand what you are saying. Also some of course don't want a super state.

(Water kinda is all our 2. We drink it, we make power of it and we heat our homes using electricity. (+nuclear.))

About 2 months ago we had to cook our water because the toilet at the top of the water tour had leaked sewage into the water reservoir ... (Örebro, Sweden.)

Re:Here's a little suggestion (1)

aliquis (678370) | about 9 months ago | (#46915873)

Tour? Tower =P. I should be sleeping.

Re:Here's a little suggestion (1)

Opportunist (166417) | about 9 months ago | (#46917915)

1. Again, they needn't understand it any more than they need to understand the other crap they decide about. When you look at some of their "guidelines" you can still see the "copyright $company" faintly in the background... if not in the word document meta data itself...

Also, it won't be a European "technology police". More akin to European technology firefighters. Don't worry, we're not talking about a super state, we're talking about keeping your country safe from disaster.

Your #2 is NERRTC in the US, and funding is in que (1)

raymorris (2726007) | about 9 months ago | (#46915847)

> While you're at it, get a technology incident rapid response team together. Staff and fund them well. And, again, don't listen to some lobbyist shysters telling you that they should be used to protect some corporate assets. They can do that themselves. Their job is to keep YOUR COUNTRIES safe. Yes, that includes keeping them safe from said corporations! Their job is to make sure that your infrastructure, from power to gas to water, everything

You've largely described the role of the National Emergency Response and Rescue Training Center in the US. Their focus in recent years has been IT security for infrastructure. When the experts there aren't actively responding to an emergency, they are providing training, often to state and city officials. For example, New Orleans mayor Ray Nagin and his staff could have been much better prepared if they had taken a few days of TEEX training.

NEERTC also provides some pretty good online cybersecurity classes for free. The material is great, the presentation could be improved. The idea is that a few experts can't protect everything, but they can certainly help educate the people who are responsible for critical systems in how to keep the systems safe.

It wwould be sad (and stupid) if the funding for NERRTC (a few million dollars) were redirected to some senator's pork project, so I hope the public continues to support their mission.

Full disclosure - I am tangentially associated with NERRTC. I don't work for NERRTC, but I work with them.

CE14 participant (2, Interesting)

Anonymous Coward | about 9 months ago | (#46915927)

As a participant in CE14's exercises last week, what I got the feeling of was something far less political, and vaguely reminiscent of the CTF exercises that I used to do back in school. My (corporate) team was in the top 10 of the published scores (adding all points for published teams, though teams had the option to hide their scores!)

I noted that either the actual turnout for the technical exercises was PITIFULLY low, with only about 10% of the registered teams even posting a single completed challenge, or almost all the teams chose to keep their scores private. In my own country the police forces, military, as well as intelligence branches of government participated, but not a single reported score came from any of them. The exercises were well designed, but technical requirements were not communicated at all before hand to players, so my team at least had to spend a full day of the two day exercise setting up systems to use for it!

Personally, I thought as a practice round for incident response, the exercise was great, BUT as a competition it was terrible. I found myself really wishing for the good old attack/defense combination (this was PURE incident response, no defense even!)

There may be some policy related to all of this, but I haven't seen any sign of it myself. I avoid politics and stick to my software usually.

Gender security for all! (1)

Intrepid imaginaut (1970940) | about 9 months ago | (#46916307)

Actual security for none. Someone please invade this shithole.


dutchwhizzman (817898) | about 9 months ago | (#46916651)

CYBER CYBER CYBER. 15 years ago it meant something totally different than the politicians are talking about.

Teen sex metaphore (0)

Anonymous Coward | about 9 months ago | (#46916679)

like teenage sex: everyone says they are doing it but not that many actually are.

So, the ones actually doing security are doing it very much? Based on US television shows I hereby conclude that the US must be one of the most secure places in this world.

Two things you NEVER want in the same sentence (0)

Anonymous Coward | about 9 months ago | (#46922081)

"Cyber" and "teen sex" are the two things you NEVER want to see in the same sentence!!!

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?