Crime and Conflict in Cyberspace

---

Conflict, Crime and Complexity in Cyberspace

Dave Clemente Research Associate Chatham House Chartered Institute for Securities & Investment January 2013

Managing complexity • Greater efficiency often implies greater dependence • Poor understanding of the implications of societal dependence on cyberspace • Who owns the risks when everything is connected to everything else (i.e. who pays)? • How is critical infrastructure (and information) identified and prioritised in a hyper-connected world?

2

Managing complexity • Increase in: – Sophisticated and patient criminal activity (funding R&D from revenue stream) – Compound attacks / derivative attacks • Dramatic expansion of connected users and devices – 2015: Twice as many connected devices as people – 2020: 50 billion ‘things’ on the internet • New users = less Western-centric internet

3

4

5

The human element • The human is the least scalable component of cyber security – Is cyber security talent valued in your organisation?

• When does cyber security receive attention from senior management? • Exquisite technical solutions are wasted if users are not incentivised to use them properly • The human in the loop - failsafe or liability? 6

7

UK Cyber Security Strategy – Nov 2011 Protecting and promoting the UK in a digital world 1. Tackle cyber crime and be one of the most secure places in the world to do business in cyberspace 2. Be more resilient to cyber attacks and better able to protect our interests in cyberspace 3. Have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies 4. Have the cross-cutting knowledge, skills and capability we need to underpin all our cyber security objectives 8

Areas of friction •

Divergence of public/private sector interests – Particularly with critical infrastructure (and information)

•

Reliance on private sector to mitigate most cyber risks

•

When is the risk gap big enough to require government intervention?

•

Defensive measures - partnership or alliance?

9

Priorities • Get the basics right – Poor cyber security subsidises the competition

10

Priorities • Get the basics right – Poor cyber security subsidises the competition

• Info-sharing forums – U.S. FS-ISAC, UK CISP

11

Priorities • Get the basics right – Poor cyber security subsidises the competition

• Info-sharing forums – U.S. FS-ISAC, UK CISP

• Nurture talent – Cyber Security Challenge UK

12

Priorities • Get the basics right – Poor cyber security subsidises the competition

• Info-sharing forums – U.S. FS-ISAC, UK CISP

• Nurture talent – Cyber Security Challenge UK

• Develop risk dispersal mechanisms – Cyber risk insurance?

13

Priorities • Get the basics right – Poor cyber security subsidises the competition

• Info-sharing forums – U.S. FS-ISAC, UK CISP

• Nurture talent – Cyber Security Challenge UK

• Develop risk dispersal mechanisms – Cyber risk insurance?

• Rigorously prioritise – What is critical?

14

Priorities • Get the basics right – Poor cyber security subsidises the competition

• Info-sharing forums – U.S. FS-ISAC, UK CISP

• Nurture talent – Cyber Security Challenge UK

• Develop risk dispersal mechanisms – Cyber risk insurance?

• Rigorously prioritise – What is critical?

• Regularly assess resilience and redundancy

15

16

‘Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them’ – Laurence J. Peter

17