Europe's Cybersecurity Policy Under Attack 22
wiredmikey (1824622) writes "As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments. Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are.""
Re: (Score:2)
Actually, with SOX and similar stuff looming over the C-Levels' heads today, quite a few CEOs started to look at ITSEC as more as some kind of lip service, fig-leaf kind of thing that you kinda-sorta do so some activists stfu.
For some odd reason, I can't help but think that those 26% are pretty much those EU companies that are listed on the NYSE and hence subject to SOX...
Re: (Score:3, Insightful)
Re: (Score:2)
They appeared to have missed the elephant in the room. GCHQ is the biggest cyber-security threat to the EU.
Multi-Level Security? (Score:3)
Are any of these systems Multi-Level Secure? This stuff was figured out in the 1970s, we're still 10 years away from collectively realizing we needed it yesterday.
Re: (Score:2)
What the hell is Multi-Level Secure?
Re:Multi-Level Security? (Score:4, Interesting)
Multi-Level Security was worked out in the late 1960s in order to allow computing both Secret and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula [wikipedia.org] model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had Mutli-Level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.
The closest you're likely to approach is if you enable the MAC option [freebsd.org] in FreeBSD, which is experimental.
The Genode project [genode.org] aims to provide a capability based security system which can run Linux Apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as App-Armour tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.
I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and this needs a more rigorous, carefully engineered solution, instead of the layers of patch we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that timespan significantly.
They will share all kinds of information (Score:2)
Here's a little suggestion (Score:3)
Usually I sell that, but ... let's say I do it for my country.
0. Drop the "cyber". It makes you sound like a 16 year old wannabe kiddy. The 90s called, they wanted their buzzword back.
1. Get your act together and get the EU to formulate a security plan. It's amazing how that bureaucratic piece of bulldung can get a guideline about every kind of crap but not about security. Ok, I know, politicians don't know jack about it. Didn't stop them in any other area, did it? Get a few experts (please, for a change, get experts rather than some corporate lobbyists) and get the shit on track.
2. While you're at it, get a technology incident rapid response team together. Staff and fund them well. And, again, don't listen to some lobbyist shysters telling you that they should be used to protect some corporate assets. They can do that themselves. Their job is to keep YOUR COUNTRIES safe. Yes, that includes keeping them safe from said corporations! Their job is to make sure that your infrastructure, from power to gas to water, everything that depends on the internet today (which is a security nightmare by itself by the way, but there's little you can do about it now anymore) is secure. That shit is important! Think what's going to go down in your average town if they're just 3 days without water, gas and power. Trust me, you'll hope that you only get to deal with riots.
3. As soon as you get the plan from 1 down, make sure that your key infrastructure corporations (gas, power, water, logistics) implement it. Make CEOs and CSOs personally (!) responsible to get their shit together. Audit the living daylights out of them. If they fail, jail the responsible C-Levels.
It's neither hard nor really that expensive. But it's necessary. We're HEAVILY dependent on some of that crap today but we treat it like it's some kind of minor inconvenience if it should fail. Part of me really hopes that it will at some point, part of me feels sorry for the thousands that would have to pay for it with their life.
Re: (Score:1)
0. Yeah, use Security 2.0 instead.
1. They will never understand what you are saying. Also some of course don't want a super state.
(Water kinda is all our 2. We drink it, we make power of it and we heat our homes using electricity. (+nuclear.))
About 2 months ago we had to cook our water because the toilet at the top of the water tour had leaked sewage into the water reservoir ... (Örebro, Sweden.)
Re: (Score:1)
Tour? Tower =P. I should be sleeping.
Re: (Score:2)
1. Again, they needn't understand it any more than they need to understand the other crap they decide about. When you look at some of their "guidelines" you can still see the "copyright $company" faintly in the background... if not in the word document meta data itself...
Also, it won't be a European "technology police". More akin to European technology firefighters. Don't worry, we're not talking about a super state, we're talking about keeping your country safe from disaster.
Your #2 is NERRTC in the US, and funding is in que (Score:2)
> While you're at it, get a technology incident rapid response team together. Staff and fund them well. And, again, don't listen to some lobbyist shysters telling you that they should be used to protect some corporate assets. They can do that themselves. Their job is to keep YOUR COUNTRIES safe. Yes, that includes keeping them safe from said corporations! Their job is to make sure that your infrastructure, from power to gas to water, everything
You've largely described the role of the National Emergency R
CE14 participant (Score:2, Interesting)
As a participant in CE14's exercises last week, what I got the feeling of was something far less political, and vaguely reminiscent of the CTF exercises that I used to do back in school. My (corporate) team was in the top 10 of the published scores (adding all points for published teams, though teams had the option to hide their scores!)
I noted that either the actual turnout for the technical exercises was PITIFULLY low, with only about 10% of the registered teams even posting a single completed challenge,
Gender security for all! (Score:2)
Actual security for none. Someone please invade this shithole.
CYBER (Score:2)