This Series presents the results of scientific meetings supported under the NATO Programme:
Science for Peace and Security (SPS).
The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence
Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and
Mediterranean Dialogue Country Priorities. The types of meeting supported are generally
“Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series
collects together the results of these meetings. The meetings are co-organized by scientists from
NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries.
The observations and recommendations made at the meetings, as well as the contents of the
volumes in the Series, reflect those of participants and contributors only; they should not
necessarily be regarded as reflecting NATO views or policy.
Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest
developments in a subject to an advanced-level audience.
Advanced Research Workshops (ARW) are expert meetings where an intense but informal
exchange of views at the frontiers of a subject aims at identifying directions for future action.
Following a transformation of the programme in 2006 the Series has been re-named and re-
organised. Recent volumes on topics not related to security, which result from meetings
supported under the programme earlier, may be found in the NATO Science Series.
The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media,
Dordrecht, in conjunction with the NATO Public Diplomacy Division.
Sub-Series
http://www.nato.int/science
http://www.springer.com
http://www.iospress.nl
Edited by
Umberto Gori
University of Florence, Italy
Department of Political Science and Sociology
CSSI (Centre for Strategic and International Studies)
ISPRI (Institute of Forecasting Studies and International Research)
All rights reserved. No part of this book may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, without prior written permission from the publisher.
ISBN 978-1-60750-074-2
Library of Congress Control Number: 2009940564
Publisher
IOS Press BV
Nieuwe Hemweg 6B
1013 BG Amsterdam
Netherlands
fax: +31 20 687 0019
e-mail: order@iospress.nl
LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.
Editor’s note: The views in each independent article of this publication are those of the
respective author and the editor is in no way responsible for the individual authors’
opinions and statements. This publication is a product of the NATO ARW “Opera-
tional Network Intelligence: Today and Tomorrow”, but does not necessarily reflect the
views of NATO.
Modelling Cyber Security: Approaches, Methodology, Strategies vii
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
Introduction
Umberto Gori
University of Florence
Co-director of the NATO ARW
In 2005 there were more than 237 million attacks on information security worldwide. No state can control cyber crime on its own, so international cooperation is urgently needed.
Some believe that privateering could be a solution to cyberspace threats, though this is not without complications (3). The situation resembles the time when weak states had to rely on privateers, that is, pirates operating under government sanction (a Letter of Marque). In fact, most states today lack the means to cope with the exponential rise of cyber threats and the excessive cost of countermeasures.
The main characteristics, or properties, of security are confidentiality, authentication, integrity, access control, non-repudiation and availability. Security has so far been treated mainly as a technical challenge, but other aspects must be considered: human and social factors, for instance, may have a significant impact on it. After all, security is a game of action and reaction.
Technology has altered and eroded the State's authority and strengthened non-state actors, in particular transnational criminal and terrorist organisations. Cybercriminals and cyberterrorists have already "crossed over into the spectrum of information warfare". As a consequence, states cannot control cybercrime at the individual state level.
The Internet offers cybercriminals an ideal opportunity to make money, organise attacks and infect our democratic institutions and our economies, while remaining perfectly anonymous. It is therefore imperative to devise measures, both national and international, against high-tech criminal behaviour. Because our traditional laws were devised to protect physical property and physical 'goods', not the virtual assets of the world of computers, our legal systems need to be revised as well.
The internet allowed Islamic terrorism not only to become a global phenomenon
but also to create a virtual community corresponding to the Umma of Salafism. In other
words, as everybody can see, cyber-threats are likely to be a major problem in the years
to come.
Of the ten information warfare trends discussed by K. J. Knapp and W. R. Boulton (4), I would like to mention only five: the various dangerous forms of cyber weapons, such as 'e-bombs'; the fact that the private sector and non-critical infrastructures are the primary target, and that, should critical and/or military targets be hit, the risk of heavy retaliation has to be weighed as well; the growing use of cyber technology to influence public perception; its growing use in corporate espionage; and its growing use against individuals and small businesses.
Our NATO Advanced Research Workshop Operational Network Intelligence: To-
day and Tomorrow, held at the Italian Navy Arsenal in Venice in February 2009, tried
to take all of these problems into account and to rethink present strategies and identify
urgent measures to be taken in order to minimise the strategic and economic impacts of
cyber attacks.
The book is divided into three parts. The first section addresses various conceptual
approaches to security, and the issues connected to the conceptualisation of such; sev-
eral actual methods employed for security purposes, beginning with the concept of
cryptography and how it is applied; and the description of other security meth-
ods/systems. The section concludes with two articles that illustrate concrete examples
of actual security approaches.
In the introductory article, Niv Ahituv explains why an open information society (OIS) is inevitable and how shared information may lead business to evolve toward one of two possible extremes: global monopolies or a much more creative and sophisticated form of management. OIS may also generate a magnified version of "1984", or a better and improved process of recruitment and human communications.
The essay by Ari Vidali explores some of the root causes of the usability problem
and how proper security practices are consistently being ignored or circumvented by
the users. After all, the security of any information system is only as strong as its
weakest link, i.e. human beings. The question is whether it is possible to reconcile
maximum security, which requires a ‘closed system’, and maximum utility, which re-
quires ‘openness’. Some very concrete proposals are put forward.
Haris Mouratidis describes a methodology that takes both the technical and social
aspects of security into consideration, arguing that a security focus should be intro-
duced throughout the development lifecycle. He believes that Secure Software Engi-
neering (SSE) “is concerned with the unification of any area of research that can con-
tribute to the development of knowledge (theoretical and practical), principles, prac-
tices as well as the establishment of a research agenda regarding secure software sys-
tems development”. In other words, SSE should become a real discipline.
Serena Lisi, a former student of mine, deals with an interesting problem: how to reconcile two different approaches to the theory of codes, the technological one and the cultural and allegorical one.
She is of the opinion that the two approaches are progressively merging to create a new, integrated and fuzzy approach along the line of thought of Bart Kosko, the well-known author of Fuzzy Thinking: The New Science of Fuzzy Logic.
On the same subject, but from a mathematical and revolutionary point of view, Gerardo Iovane argues, with fascinating and sophisticated reasoning, that the sequence of prime numbers is deterministic rather than stochastic, contrary to what has been believed for several centuries. The "genetics of primality", he contends, exposes a potential and intrinsic weakness of current security systems, since the keys of widely used public-key systems are built from large prime numbers. The reaction to this threat, Iovane says, must be synergic. The conclusion is alarming: since in the near future we will probably have faster and more accurate algorithms for recovering the keys that protect encrypted code and data, it is high time to find new strategies, both technological and social. Otherwise, "the progress of knowledge could itself become a Trojan horse and defeat us".
Dario Sgobbi, of the Italian Navy, contributes two essays to this book. His co-authors are Guglielmo Morgari (for the first paper) and Marco Paggio (for the second).
The first contribution, which requires a sound knowledge of mathematical concepts, deals with asymmetric (public-key) algorithms. A possible classification of the various cryptographic techniques is presented, with particular emphasis on the RSA (an acronym from the names of R. Rivest, A. Shamir and L. Adleman) and Diffie-Hellman systems. It is worth mentioning here that Shor's algorithm, a quantum algorithm that solves integer factorisation and the discrete logarithm problem in polynomial time, matters because it can, at least in theory, be used to break both systems: RSA rests on the difficulty of factoring, Diffie-Hellman on that of the discrete logarithm. The caveat is that it requires a sufficiently large, error-corrected quantum computer, which does not yet exist. In addition, elements of complexity theory are discussed, since estimating the complexity of an attack is what shows whether the attack is concretely feasible.
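Both the Iovane summary (keys built from primes, faster algorithms to recover them) and the Sgobbi and Morgari summary (RSA, Diffie-Hellman, Shor, attack complexity) turn on a single fact: whoever can factor the RSA modulus, or compute a discrete logarithm in the Diffie-Hellman group, has recovered the private key. The following Python example is added here to make that concrete; it is not code from any paper in this volume. It uses constructed textbook-size parameters (n = 61 × 53, p = 23, g = 5) and function names of our own choosing, and brute-force factoring and a brute-force discrete logarithm stand in for Shor's algorithm. The `work` counters returned by the attacks show the complexity argument: against real key sizes the same brute force is hopeless, which is precisely what Shor's polynomial-time method changes.

```python
"""Factoring n, or taking a discrete log, is the same as recovering the key.

Constructed example with textbook-sized parameters (not the volume's code):
toy RSA and Diffie-Hellman, attacked by brute-force factoring and a
brute-force discrete logarithm. The brute force stands in for Shor's
algorithm, which solves both problems in polynomial time on a large enough
quantum computer; the `work` counters show why the same brute force is
hopeless against real key sizes. Requires Python 3.8+ (pow(e, -1, m), isqrt).
"""
from math import gcd, isqrt


def rsa_keygen(p, q, e=17):
    """Return ((n, e), d) for primes p, q. e must be coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 (mod phi)
    return (n, e), d


def rsa_encrypt(public, m):
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    return pow(c, d, n)


def trial_factor(n):
    """Split n = p*q by trial division. Returns (p, q, work), where work is
    the number of divisions tried: the attack's cost, up to about sqrt(n)."""
    work = 0
    for cand in range(2, isqrt(n) + 1):
        work += 1
        if n % cand == 0:
            return cand, n // cand, work
    raise ValueError("no non-trivial factor found")


def attack_rsa(public, c):
    """Attacker knows only (n, e) and a ciphertext. Factoring n gives phi(n),
    hence d, hence the plaintext. Returns (plaintext, work)."""
    n, e = public
    p, q, work = trial_factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))   # same computation the key owner did
    return pow(c, d, n), work


def dh_public(g, p, secret):
    """Diffie-Hellman public value g^secret mod p."""
    return pow(g, secret, p)


def brute_force_dlog(g, p, h):
    """Find x with g^x = h (mod p) by stepping through powers of g.
    Returns (x, work); work grows linearly in p, i.e. exponentially in
    the bit length of p, which is why a large p is used in practice."""
    acc = 1
    for x in range(p):
        if acc == h:
            return x, x
        acc = acc * g % p
    raise ValueError("no discrete log found")


def attack_dh(g, p, A, B):
    """Eavesdropper sees g, p and both public values A = g^a, B = g^b.
    Recovering a from A yields the shared secret B^a. Returns (secret, work)."""
    a, work = brute_force_dlog(g, p, A)
    return pow(B, a, p), work


if __name__ == "__main__":
    # Constructed toy parameters, far below any real key size.
    public, d = rsa_keygen(61, 53)            # n = 3233
    c = rsa_encrypt(public, 65)
    m, work = attack_rsa(public, c)
    print(f"RSA: recovered m={m} (n={public[0]}) after {work} trial divisions")

    g, p, a, b = 5, 23, 6, 15
    A, B = dh_public(g, p, a), dh_public(g, p, b)
    shared, work = attack_dh(g, p, A, B)
    print(f"DH: shared secret {shared} == {pow(A, b, p)} after {work} steps")
```

For the toy modulus the attacker needs 52 trial divisions; for a 2048-bit modulus the same loop would need on the order of 2^1023 of them, which is the sense in which "the evaluation of the complexity of an attack shows the concrete possibility of the same". Shor's algorithm replaces that exponential count with a polynomial one, for the discrete logarithm as well as for factoring, so Diffie-Hellman offers no refuge from it.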
The second paper deals with the security process, and analyses some classifica-
tions and properties of two technologies, which enhance the process itself: the Intrusion
Detection System (IDS) and the Intrusion Prevention System (IPS).
In his essay, Paolo Campobasso warns that information warfare has moved beyond the military dimension and has begun to threaten the commercial world as well. In particular, the banking and services industries have at the same time become targets and "innocent" technical supporters of cyber terrorism. Therefore, there is great need for an international response through close cooperation with the military and law enforcement agencies on all levels.
The paper by Esti Peshin presents an approach to protecting critical national infrastructures via unidirectional connectivity, namely connecting them to less secure networks through real-time, physically unidirectional gateways (a single optical fibre that can carry data out of the protected network but not into it). The author's claim is that a link enforced in hardware in this way removes the risks left open by conventional, incomplete IT security measures.
A case of critical infrastructure protection concerns the electricity distribution network. It is the case discussed by Pascal Sitbon, whose paper deals with the security approach taken by ERDF, the distribution subsidiary of Electricité de France, for its pilot project of 300,000 smart metering points in view of the general deployment of the system across the country. It is worth mentioning that the world's largest smart meter deployment (to over 27 million customers) was undertaken in Italy by ENEL between 2000 and 2005. Obviously, the widespread distribution of such devices raises the likelihood of cyber attacks, like the one made against ENEL's AMM (Automated Meter Management). The author concludes that all metering actors should be involved in a global security approach as early as possible.
The second section concentrates on terrorist attacks and attacks on critical infra-
structures and concludes with various police and military force operations and ap-
proaches.
Anat Hochberg-Marom presents a marketing strategy to counter the global terror of Al-Qaeda's leaders. On the basis of her quantitative-statistical content analysis of the statements of Al-Qaeda's leaders, she finds that they adopt a 'nihilistic-destructive' approach and aim to destroy the Dar al-Harb. Jihad is treated as the highest religious value (rated 41%), whereas the Ummah is rated only 25%. As radical movements behave as rational actors, it is possible to use rational models and theories to study their strategies and reduce their nefarious influence. Counter-marketing warfare, she argues, is urgently needed.
Another paradigm for countering Jihadism is offered by Antonio Guido Monno,
more or less on the line described by Hochberg-Marom. His approach, however, far
from being quantitative and statistical, reflects a sound historical knowledge of the Is-
lamic culture, and advocates a strategy of defence against Islamic ‘fundamentalism’
that implies the use of scholars and experts of the Islamic world directly in the field of
cyber-counterintelligence. Although cultures are not transmitted easily, it is possible to
counter the “jihadist” interpretations of the Quran, which are not consistent with the
tenets of classical Islamic theology.
Claudio Cioffi-Revilla uses deterrence theory to examine whether deterrence is
feasible in cyber space (“Cyberia”). After discussing the conditions that make deter-
rence reliable, and introducing some key innovations made possible by computational
social science (such as genetic algorithms), the author concludes that “the value of a
deterrence strategy for ensuring cyber security seems to decline with the decrease of
the formal organisational level of the potential attacker”. In other words, deterrence
seems viable if the potential attacker is a State. In other cases, if the threatening actor is
an individual or a clandestine organisation, the best strategy seems to be a preventive
one.
The paper by Maurizio Agazzi defines our time as the collective intelligence era, in which an enormous quantity of information is shared through Internet platforms. Starting from this idea, the author focuses his research on the illegal underground economy and the malicious use of web forums by cyber-criminals. Phishing generator toolkits, password recovery tools, encryption and compression utilities, mobile viruses, credit card information, identity theft information and so forth are some of the goods and services traded from servers located in countries that do not act against cyber-crime. Malicious botnets in particular are among the greatest threats, as exemplified by the case of Estonia. A prospective real-time system based on an artificial neural network model could perhaps be effective in identifying attacks right from the initial stages, on condition that supranational coordination be possible.
Y. Elovici and A. Shabtai deal with the protection of critical information infrastructures (CIIs) from malware. Such attacks may be conducted in the initial stages of conventional wars to gain a strategic advantage in command and communication capabilities. The authors describe three alternative approaches to securing the networks: detection of malware by the network service providers (NSPs), to prevent innocent users from being exploited as launch pads for attacks on CIIs; protection of the CII overlay network; and detection of hidden botnets.
Centralising the protection of CIIs is the strategy adopted in Italy, Domenico Vulpiani and Sergio Staro explain in their paper. It is the Postal and Communications Police Service (a specialised agency of the Italian State Police) that has exclusive competence for protecting the country's critical information infrastructures. For this purpose, a National Cyber Crime Centre for the protection of CIIs was instituted in 2005.
Moreover, this body is also entrusted with the prevention of and response to the various forms of cyber crime, whether common crime, organised crime or terrorism.
The role of the Carabinieri Corps in the fight against cyber terrorism is described
by Giovanni Cataldo. Specialised units of the Corps are trained to use the latest tele-
communications interception technology. Obviously, no police force or intelligence
agency is exclusively in charge of monitoring Internet sites. An Anti-terrorism Strate-
gic Analysis Committee, whose members are officials from the security and intelli-
gence forces, meets every week to decide synergic counter-measures.
The transition from cyber crime and cyber terrorism to something resembling cyber war is examined by Ferdinando Sanfelice di Monteforte, who starts from the NATO Declaration on Alliance Security of April 2009, which counts cyber attacks among the "new, increasingly global threats", and refers to the recent attacks on Estonia and Georgia that were allegedly delivered by a State actor. His train of thought is complementary to the one suggested by Cioffi-Revilla: whereas Cioffi-Revilla defines the technical rules of a possible retaliation, the Admiral examines its political conditions and effects.
We come, at this point, to the last section of the ARW, which focuses on the Euro-
pean measures and several related legal issues.
The first paper in this section deals with the role of Europe in meeting today's asymmetric threats. In the first part, Giancarlo Grasso underlines how the philosophy of the European Union aims to reconcile two apparently opposite concepts, security and privacy. The protection of human rights is one of the fundamental values at the basis of the EU's material constitution. In the second part, the author emphasises the need to move from interoperability to network-centric systems in the struggle against terrorism. Here, as in some other places, the paper takes a normative approach, though it also highlights some EU achievements (e.g. the EDA, FRONTEX, ESRIF, etc.).
The second essay of the section is authored by Alessandro Gazzini and Andrea Rigoni. It adds new valuable information with regard to the steps taken by the EU to ensure information sharing among its Member States. Examples, such as ENISA (European Network and Information Security Agency), NEISAS (National and European Information Sharing and Alerting System), CIWIN (Critical Infrastructure Warning Information Network) and so forth, are considered by the authors, who also describe the many benefits of information sharing both for the Member States and private stakeholders. In short, information sharing (IS) is mentioned by the EU as "one of the key elements of a successful critical information infrastructure protection strategy". Clearly, bi-directional trust is the pre-condition for IS to work successfully.
The last two contributions take a legal approach. The paper by Eneken Tikk deals with the privacy-versus-security antinomy and how it is managed in the EU context. Another point discussed is the difficulty of transmitting the personal data of EU citizens to NATO or to non-EU states, owing to the stringent European legislation in the field. A further problem to be solved is the need to demonstrate that a given cyber incident is relevant to NATO before the Alliance's measures can be activated. Despite these difficulties, more cooperation between the EU and NATO is urgently needed. Hence, the paper is in some way complementary to the two previous ones.
Last, and hopefully not least, the essay by Ivo Paparela creatively expresses, in a non-traditional form, his question as to whether the legislation of the NATO countries, and in particular of Eastern European countries, is adequate and capable of supporting law enforcement agencies in their fight against cyber criminals. His conclusions, after research on a number of national laws on cyber activities, are pessimistic, though provisional. The reasoning seems correct, but the present writer wishes to emphasise that the responsibility for some statements in this essay rests solely with the author.
Some final proposals were elaborated in our Workshop. Each participant was
asked to propose two or three concrete solutions in the area they personally felt was of
critical importance.
What follows is a compendium of their proposals and ideas. Many conference participants presented more than one proposal, often in more than one area of cyber security. The proposals have therefore been arranged by topic, to facilitate comprehension and identify common themes; the compilation and organisation was carried out by Margot J. Wylie, BSc., of the University of Florence, one of our most brilliant students, to whom I want to express here all my gratitude and appreciation.
The proposals may be divided into general work areas, such as: research, the legis-
lative and regulatory measures, co-operation, strategies, technical and economic meas-
ures. All recognised that to face the multifaceted problem of cyber security it was nec-
essary to work on different layers, not only in their field of research and development,
but also in all areas that are touched by questions of cyber security.
As far as research is concerned, several proposals regarded specific suggestions of
methodology and approach. Essentially, a multidisciplinary approach was suggested in
reference to the study of cyber security and crime. One suggestion specifically advo-
cated the combination of methodologies, such as mathematical programming, object-
oriented and agent-based modelling, and fuzzy logic with risk management tools, such
as fault tree analysis, failure modes and effect analysis (FMEA), etc. to identify, moni-
tor or predict possible disruption factors related to operational or social networks. An-
other was based on implementing marketing and management tools and concepts to
better understand and analyse the global terror phenomenon and terrorist organisations
and their use of the Internet.
As for cyber security itself, it was generally perceived that our 'virtual' boundaries are not as well protected as our physical ones; it was therefore suggested that measures be implemented to carefully monitor traffic over national, EU and NATO network exchange nodes.
Since cyberspace ought to be considered a public space, proposals were also made to actively monitor the Internet, just as the streets are (a pilot study in the Netherlands has already had some success). The surveillance proposal focused on involving end users in publicly policing our virtual community through the creation of a reporting centre responsible for monitoring suspicious activity on the Internet. All information gathered could then be passed on to NATO from the various reporting centres, so that the information collected from each Member State can be systematically compared.
One proposal focused on the need to develop theoretical and practical models on
radicalisation using actual law enforcement case files (as was mentioned by a confer-
ence participant, a separate ARW is dealing with just this topic). The model could then
be used to improve the analysis capabilities by creating analytical tools which could be
distributed to Member States by NATO.
NATO itself could be the forum within which various experience and the effec-
tiveness of each Member State’s tools are exchanged.
When speaking of actual strategies and practical approaches to cyber security issues, cyber attacks or threats of any sort, many conference participants recognised that role models and strategies have to be created, and that EU and NATO countries must be prepared to face future threats from 'virtual' space. Diverse solutions on how to prepare, and be prepared, on a practical level were proposed. One conference member pointed out the need to stay aware of what is being done in the rest of the world and in the many sectors that face questions of security daily. One proposal advocated the establishment of a response convention that could be activated should a given country be attacked, a convention that would put response plans in place and stimulate the exchange of information on a tactical level. Another proposal urged the creation of exercises and drills to increase response capability by preparing response teams and operators for extreme situations.
It was also pointed out that many of the proposals and actual policies focus on the
response to attacks and take a defensive approach. It was suggested that a think tank be
instituted to develop offensive measures and, as a first step, learn the processes of de-
radicalisation.
Of the proposals made, many were technical in nature. In this broad category, it
was possible to identify such themes as: the development of IT security systems and
solutions, the use of hackers in systems tests, and, from a more economic perspective,
the reduction in costs and time employed in the development sector.
In the proposals that dealt with systems and solutions development, it was generally recognised that today's networking is still based on protocols that are fundamentally insecure (IPsec and IPv6 being the security-oriented evolution of the TCP/IP suite), and that a new and secure network protocol, incorporating security measures right from the initial development stage, is therefore in order. At the same time, it was pointed out that the file systems normally used to store and manage information, even in classified environments, do not guarantee the security of the information itself. It was proposed that a secure system be developed in which security is considered throughout the development stages.
It was agreed that encryption methods ought to play an important role in securing not only the storage and management of information, but also its transmission over the network. The development of electronic labelling technologies was also suggested for the secure transmission of information over the networks.
One proposal specifically referred to finding new methods of raising the security level of end users. While it is known that many advances have been made with biometric parameters, it was suggested not only that the area of human emotions be explored, but also that the use of images be researched to see how these might be applied to increasing the security of end-user access.
It was also recognised that there ought to be set security standards and certification
processes. In the meantime, however, there ought to be an immediate, if temporary,
solution in assuring that our systems and network solutions are safe. One of the recur-
rent themes in the proposal session was that the security level of all systems and net-
work solutions must be tested. The dominant idea was to involve or use hackers to test
whether information systems are secure or not, be that via red teaming or launching a
challenge to hackers to try and penetrate the test networks of a distributed and open
source model. A variation of this theme was to create technical groups whose scope is
to systematically attack systems in order to reveal any weak points that may exist.
Last but not least, practical aspects of an economic nature were addressed in sev-
eral proposals regarding the fields of research and development. While it was clear that
investments needed to be made in IT technology and research and that security meas-
ures and requirements ought to be incorporated right from the outset, it was also
pointed out that both the costs and time invested in the research and development of
actual IT security solutions and in the evaluation of such solutions had to be reduced.
At the end of this brief presentation of the main results of this Workshop, I feel it
my duty to give my thanks to a group of colleagues and friends. First of all, I want to
express my gratitude to Dr. Shai Blitzblau, University of Tel Aviv and co-director of
the ARW, whose scientific and impressive technical know-how was indispensable for
the success of the conference. His ideas and long experience animated the workshop. It
only grieves me that, due to his overwhelming activities, he could not produce an essay
for this book in due time. Thanks also go to my friend Paolo Lezzi, who, from his of-
fice of Maglan Group in Milan, helped in the difficult task of organising the event.
I owe heartfelt gratitude to Margot J. Wylie, already mentioned, for her intelligent,
painstaking and enthusiastic work of synthesising the discussions held during the ses-
sions. Without her contribution this presentation would have been much more difficult.
Moreover, she is also to be credited for revising all the papers from a linguistic and
publishing point of view.
My debt of gratitude also goes to my young colleague Ilaria Maltagliati, who as-
sisted me in the long months of preparation of the meeting with intelligence, spirit of
initiative, and enthusiasm. The same should be said of Serena Lisi, one of the authors
in this book, whose artistic temperament and vivacious eclecticism contributed to the
publicity campaign and formalities of the initiative. Both of them are working in the
University Centre of Strategic and International Studies (CSSI).
Some other friends deserve to be mentioned here: Renate Cuda Sommerfeld, Jac-
queline Marchal, Anna Maria Petruccelli, Reut Rahav, Pietro Stopponi, whose sugges-
tions and clerical assistance during the meeting contributed to the success of the ARW.
Obviously, my thanks go to the key speakers who animated the discussions of the
(about) eighty participants coming from fifteen countries of the world, and, in particu-
lar, to those of them – the major part – who put down in writing their ideas, and made
this book possible.
Last, but not least, my deep gratitude goes to the Defence General Staff, and in
particular to the Italian Navy which accepted to accommodate the ARW in its ancient
and historical dockyard in Venice, and which offered an invaluable logistical support.
My gratitude also to the sponsors – Unicredit, Waterfall Solutions, Ispri/Cerpre,
Agricola snc. – which contributed to make the costs of such an expensive city as Ven-
ice affordable.
All sectors of the society were represented at a very high level around the table:
from the university, industry, banks, the military, police forces, computer scientists,
lawyers, mathematicians, technicians, and so forth. Against the same threats they felt
themselves a community: the only way to face terrorism and crime. Thanks to all of
them.
Umberto Gori
University of Florence, August, 2009
Introduction
In the not-too-distant future, it will be hard to find a company that doesn't embrace the
Open Information Society (OIS) framework [1, 2, 3, 4]. Any company that tries to
ignore it is guaranteeing its own extinction. The purpose of this article is to attempt to
analyse the implications that the OIS has on businesses and organisations.
1
ahituv@post.tau.ac.il
N. Ahituv / Thoughts on the Open Information Society
1. Trend-setters
Like it or not, business and industry usually set a lot more trends than governments or
private individuals. Logic dictates that legislatures should shape the framework for
what is considered acceptable behaviour in a democratic society, but reality is a
different ball game.
The private sector believes in the free market; if there's a good idea out there,
business will jump on the bandwagon. Government and the public sector, on the other
hand, nearly always lag behind. They are so concerned with politically and
administratively doing the right thing and so preoccupied with the bureaucratic
mechanisms that they have built by themselves that they display an inherent
conservatism at nearly every step of the way.
For many companies, the OIS is a lot more than a distant and future vision; it has
already happened, and it's helping them carve and expand market niches while their
competition falters.
Take some of the leading airline companies, for example. They now encourage
customers to take advantage of e-ticketing since they have realised that it is less
expensive for them, in terms of the costs associated with checking in and the
commissions paid to travel agencies. Not only have they offered reduced prices for
e-tickets, but as an incentive they have also opened separate check-in lines for customers
with electronic tickets, promising that the process is more expeditious.
2. The Innovators
Excluding NASA, which spends billions of dollars in research areas that no business
could ever even afford to contemplate, and a few industrial sectors in which R&D is
largely government-funded (such as aerospace, nanotechnology and nuclear energy),
most technological innovations come from the private sector. Relatively unencumbered
by political constraints, the business world examines a situation with a critical eye as to
what is possible and what may be profitable. Lawmakers, on the other hand, tend to be
conventional and it is tough to convince them that change is occurring as rapidly as it
is. While they ought to be the ones paving the way for the OIS, realism forces us to
understand and accept that, due to the respective characteristics of legislators and the
legislative process and the economy today, the business world will lead the way.
Evolving information technology offers too many examples to count, where
technological progress has outstripped the laws that govern it. All one has to do is look
at what happens when people start to do business electronically. Good old-fashioned
signatures have become a thing of the past, and now it has become difficult to prove in
court that commitments were made. A large number of countries have recently instated
laws to deal with the legitimacy and authenticity of electronic signatures. However,
such laws and regulations would have never been created had a true need not emerged
from the private sector.
One might then ask, what happens when a computerised inventory control system
and an online ordering system make a decision together to ship merchandise from the
vendor’s warehouse to the customer’s storage centre? Since no human being was
involved in the decision to ship goods, who is responsible in the event of a dispute?
Moreover, suppose the vendor and the customer reside in different countries and the
warehouse is located in a third country; which legal system will be enforced should
there be a dispute? In the event that the merchandise is downloaded electronically, such
as music or software, how do the custom authorities collect the tax, or how does the
national bureau of statistics analyse the annual balance of payments (import–export)
rates?
It's important to understand that only a handful of big companies can afford to sit
back and wait for the government to blaze a trail through the technological wilderness.
While lawmakers struggle to comprehend and adequately respond to this rapidly
shifting reality, big business is pushing forward and contributing to this daily changing
reality. This in turn creates further difficulties for legislators in their endeavours to
legislate. The current lag that exists between the creation of legislative boundaries and
standards and the actual current situation means that a lot of time and money are being
wasted. The only alternative would be to stop the clock on change, and this is clearly
not in the interest of the business world. In most cases, businesses operate in order to
turn a profit. They make decisions on the basis of economics, not a love of high-tech
"toys." Therefore, they cannot be halted and their commercial initiatives cannot be
suspended.
The mere act of acquiring PCs, servers and other computer hardware doesn't guarantee
a rosy future for any company, just as having an excellent product isn't always enough
to ensure success. The key to success is twofold: good communications among all of
those computers, and learning how to integrate and exploit the data accumulated on
them.
As increasing numbers of companies computerised their internal distribution
systems, they turned their attention to their relations with the outside world.
This holds true for Electronic Data Interchange, hereinafter EDI. When this technology
began to show promise in the late 1980s, a few large corporations tentatively embraced
it. However, only when companies like Eastman Kodak, IBM and GM announced that
EDI was mandatory for anyone who sought to do business with them did it get its first
serious boost. Today, of course, governments use it (e.g., e-government applications),
and laws regarding this new style of completing transactions have been either instated
or tabled. Nobody disputes, however, that big business got EDI off the drawing
board and into the warehouse or the virtual retail store long before legislators began to
regulate it.
What was one of the first organisations in Britain to address the complex issues of
standardising coding guidelines? None other than an alliance of retailers, wholesalers
and manufacturers who had set standards for product coding and scanning.
Government didn't do it. Individuals didn't do it. Business - large and small - did it, and
the world followed suit.
EDI and its offspring, B2B, B2C, B2P, G2B and e-government make sense. If a
hotel provides each of its regular suppliers with daily occupancy rates, then the
greengrocer and the dairy supplier can ship the appropriate amounts of food items to
meet the day's demand. Such automatic supply agreements must, of course, be based on
careful advance calculations, and the hotel must have ways of overriding standard
supply orders in the event of, say, a Polynesian theme night, which might boost the
need for certain tropical fruits and other foodstuffs.
Once a company embraces e-commerce, it is well on its way toward adopting a broad
range of other technological developments. When British department store chain Marks
& Spencer (M&S) told its suppliers in the early 1990s that it wanted to conduct product
design via an electronic network, each supplier had to either adapt or find new clients.
For Delta Textiles Ltd., an Israeli fashion underwear manufacturer worth $200
million in sales a year that sells 35% of its total production to the London-based Marks
& Spencer, the choice was clear: it began to examine the two CAD systems selected by
M&S and to accommodate its own internal systems for working electronically with its
largest client.
Until the new system was set up, Delta's design team members shuttled back and
forth between Tel Aviv and London every month to present the latest style ideas to
M&S buyers. As soon as the new system was operational, a Delta team in Tel Aviv and
an M&S team in London were able to spend as much time as was needed working
"together", eliminating the need to leave the office, at least on a frequent basis.
However, it is clear to everyone that for such cooperation to work, Delta’s design
records must be exposed to M&S buyers. At the same time, those buyers can access
the electronic files of Delta’s competitors. Therefore, a lot of trust is required if there
is a true desire to maintain such cooperation.
The greatest shortfall of businesses that embrace OIS and all its components may lie in
the billions of dollars that are spent annually trying to plug the holes that form in the
walls of secrecy surrounding their operations. Like the little Dutch boy with his finger
in the dike, they already realise that the holes can not be plugged forever nor can all of
them be sealed off; there will always be leaks, so why waste so much money and
manpower fighting them?
Industrial espionage poses a far greater threat to "secret" information than do
hackers.
Hackers get more publicity, because they seek access to this information for the
thrill of it, and half of that thrill comes from boasting about it afterwards. The real threat
comes from those who infiltrate a system, leave no footprints, and learn all sorts of
secrets with the intent to use them to change the competitive playing field.
This activity used to be called industrial espionage, but now it is generally referred
to as information-gathering, or data mining. Simply put, anybody who does not do
his/her utmost to find out what others do not want him/her to know runs the risk of
losing competitiveness and being left behind. In fact, today it does not necessarily
require that illegal action be taken to find information on your competitors; Google and
other data depositories can provide you with almost all you need. For example, Google
Trends can provide a lot of open, free and analysed information on business
organisations.
Since knowledge will eventually be open to all in an OIS, the swift reaction to new
realities will be a prerequisite for survival. Companies will have to establish or enhance
their scouting departments, since even the slightest delay or oversight could be crucial
to their continued success.
The upper echelons of a business will have to take an active role in scouting and
using technology. Scouts provide management with frequent reports on potentially
adaptable technologies and business intelligence. Management will have to set the
company's priorities and determine how to allocate resources between promising
ventures.
With the whole world looking into their computer databanks, companies will have to
make careful decisions about what information to protect. Protection will be much
more difficult than it is today. Although it will still be possible to keep particularly
sensitive data out of the public's reach, the steps that need to be taken to protect it will
not only cause inconvenience even for the people who are supposed to have access, but
the cost of taking these measures will be near to prohibitive.
In an OIS, the management of any given company will need to adjust to an
environment in which their every move can be observed by the public in general, and
especially by their competitors. This new reality will force companies to focus on
products and innovations that produce immediate payoffs, requiring companies to
invest to obtain the high levels of creativity and originality needed to create such
products. The pursuit of such short-term, dynamic goals requires organisations to adapt
to more flexible production and marketing facilities. Companies will need to be willing
and able to switch their production lines from one product to another on short notice.
Likewise, in order to meet the needs of each new product, distribution and marketing
techniques will undergo rapid adjustment.
It grows increasingly clear that as the OIS moves closer to becoming a reality,
quick decision-making is needed. People with vision have seen this coming for years.
As B2B expands into the realm of R&D, as portrayed earlier in the Marks &
Spencer – Delta example, the dangers regarding information protection could become
even greater. What would happen, for instance, if Delta submits a design
idea electronically and Fruit of the Loom - or any other underwear manufacturer that
sells their products to M&S – wishes to access it electronically? And that is to say
nothing of the inherent danger of having next year's fashions - complete with
multimedia representations - stored on the computer of a company that may buy
them... or even steal them.
References
[1] Niv Ahituv, “The Open Information Society”, Communications of the ACM, Vol. 44, No. 6 (June
2001), pp. 48-52.
[2] Niv Ahituv, A World Without Secrets: On The Open Information Society, Am Oved Publishers, Tel
Aviv, Israel, 2001 (in Hebrew)2, 188 p.
[3] Tom Friedman, The World is Flat, Farrar, Straus and Giroux, New York, 2005.
[4] Richard Hunter, World without Secrets: Business, Crime, and Privacy in the Age of Ubiquitous
Computing, John Wiley, 2002.
2 A pdf draft version in English is available upon request.
Modelling Cyber Security: Approaches, Methodology, Strategies 11
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-11
Introduction
It is September 11th, 2013. In a dimly lit room on the outskirts of Peshawar, in Pakistan,
five men stare into their computer monitors as their fingers rapidly tap on keyboards.
Unbeknownst to them, their state-of-the-art equipment was funded by a relatively
new drug cartel operated by Taliban warlords. With the massive financial resources
derived from the burgeoning poppy trade, the cartel was able to ensure that the five had
sufficient funds for their purposes.
Calling themselves the New Islamic Martyrs Brigade, the five men are about to
launch a cyber attack on the Western World unlike anything ever seen before. Fueled
by the propaganda they have absorbed from radical Islamic websites, and violently
motivated by the inflammatory rhetoric of impassioned fundamentalist clerics, they are
driven by a single-minded objective: to deal a devastating blow to the very heart of
western capitalism by crippling its vital information infrastructure.
After a year of careful planning, preparation, complex coding and target selection
they are ready. For months they had been foiled in their attempt to crack the passwords
of the critical edge routers vital to their plans. The systems administrator had used
strong password authentication to protect them and combined with the cryptographic
strength of the authentication mechanisms, they had been delayed in their progress.
Luckily for them, an audit had required a new policy of changing the password every
thirty days. Harried help desk staff had provided the forgotten password to a coworker
in Instant Messaging rather than walking it down two floors, and the minor breach had
been exploited. A well-designed and near-invisible piece of code was installed on the
worker’s computer and silently duplicated itself across the network, capturing the
keystrokes executed on the compromised machines. It sent the logs to anonymous
Yahoo accounts, set up for this very purpose by the five men.
Just two weeks ago, the five received, via a PGP-encrypted message, the
assurances of a highly-placed leader of the Hezbollah terrorist network that their efforts
would be augmented by multiple simultaneous suicide bombings. The message also
included instructions for coordinating their attacks with similar cyber terror cells in
Iran and Venezuela who had amassed vast botnet armies to unleash upon the west at the
appointed time. The five men had no doubt that their efforts would result in the
“mother of all terror incidents.” The careful planning, research, social engineering and
brilliant coding had yielded not only a treasure trove of high-access accounts for vital
systems, but also had allowed them to study weaknesses in the security of the systems
they intended to target.
At exactly 9:00 a.m. EST, an IT analyst at the New York Stock Exchange notices
increased traffic on the NYSE backbone. At 9:10, all of the servers lock up and stop
functioning. At 9:45, the head of the NYSE issues a statement that all trading is
suspended due to a malfunction. This is followed by statements from the NASDAQ
that they too have suspended trading. As reporters investigate, rumors surface that the
machines and backups have been compromised and the timetable for recovery is
unknown. Investors around the world begin to panic, forcing European stock markets
to close after a 12 point decline due to panic selling and the spread of rumors of a
pending meltdown in Asian indices.
A. Vidali / Striking the Balance: Security vs. Utility 13
Halfway across the Globe, in London’s Heathrow airport, air traffic control notices
irregularities in its state-of-the-art Pegasus-ATC traffic control systems. Installed just
four years ago, the systems were said to be impervious to attack. Five minutes later,
during heavy traffic, none of the primary or backup systems are working. The Prime
Minister is briefed and decides to re-route all incoming flights to Gatwick, but by then,
it is too late as two planes that were circling the airport under heavy fog collide. There
are no survivors; the death toll is 467.
10:00 a.m. EST. All of the major news networks around the globe begin reporting
on an urgent warning from the Center for Disease Control about water contamination in
cities across America including Los Angeles, New York, Detroit, Miami, Des Moines,
Atlanta, Chicago and Philadelphia. Officials deny that the CDC has issued any such
reports, yet each of the contacts that typically received press releases had received the
urgent warning. Grocery stores are without bottled water within the hour.
11:00 a.m. EST. Explosions are reported at five rural elementary schools in the
Midwest. Hundreds of children are injured; officials refuse to comment on the death
toll, citing the need to contact affected families. Cellular phones, already taxed with
traffic from earlier incidents, cannot respond to the load. Anxious parents across the
country rush to take their children out of school, congesting freeways and impeding
rescue efforts.
12:00 p.m. EST. 15 million users of the largest Voice over IP provider in the
United States cannot receive a proper dial tone; instead, they hear a pre-recorded
message in broken English informing them of the impending destruction of their way
of life. The botnet armies assembled by the Venezuelan and Iranian cells, exploiting a
little-known weakness in IPv6’s IPsec implementation combined with an exploit of
Cisco IOS’s implementation of stateless address auto-configuration, are wreaking
havoc with Cisco routers all across the Internet. Not since the Conficker worm
outbreaks in 2008 and 2009 has such a rapid, widespread attack been seen. Already,
48% of the core routers on the Internet are down, locking up telecommunications
across vast areas of the Internet. The general population is in a frenzy of panic.
At 12:01 p.m. EST, a secure call is routed to the U.S. President, who is aboard
Air Force One, travelling to an undisclosed location. The call, which is put through
from the Situation Room, and which was originally received by the Secretary of
Defense, is from a middleman in Ukraine who relays the terrorists’ demand for an
immediate withdrawal of all foreign military personnel from the Middle East, including
the emptying of bases in Iraq, Afghanistan, Saudi Arabia, as well as the joint forces
base of operations in Amman, Jordan, which was established in 2011. In addition, all
shipments of arms or aid to Israel are to immediately cease. The White House has 72
hours to comply or further attacks will occur.
Back in Peshawar, the five men watch with glee as Al Jazeera reports on the
devastation. They are deeply satisfied with the results of the first wave of their
carefully planned attack...
In the early 1980’s, network pioneers at DARPA1, along with several academic
institutions, developed a successful open standard for linking computer networks
together. The resulting TCP and later TCP/IP protocol ushered in the Internet age.
The basic concept that computer systems can be easily, cheaply and reliably linked
together to exchange information has, within the span of three decades, revolutionized
almost every facet of modern life and ushered in the era of pervasive computing, the
Internet and the mobile communications revolution. It has been the very “openness” of
these early implementations that was the driving factor in widespread adoption. And
indeed, the growth of interconnected computer systems has been nothing less than
staggering. Worldwide usage of networked computer systems has grown to an
estimated 1.43 billion users, which amounts to 21% of the world’s total population. [1]
In history, no prior technology has achieved such rapid adoption.
With such interconnectedness and widespread adoption comes the possibility that
these tools can be used to harm the very societies that have come to rely heavily on
them.
Our cyber-infrastructure -- including most of the technologies, protocols, and
information systems that make up or reside in cyberspace -- was not originally
designed with high security in mind. While systems security has improved, it has been
added, after the fact, onto existing structures that utilise archaic authentication
mechanisms which do not take into account the fallibility of human beings. This is due
in part to the economics of technology development; most buyers are unwilling to
spend the premium needed for true secure computing.
This situation has not escaped the notice of disreputable actors who are finding
ingenious ways to exploit cyber-insecurity for monetary gain or with malicious intent.
According to a report released by IBM in 2005, “there were more than 237 million
overall security attacks in the first half of the year.” [2]
Our society’s increasing reliance on these technologies, coupled with the
persistent, well publicized2 vulnerabilities within our cyber infrastructure make it
relatively easy to exploit, disrupt, disable or cause mayhem on critical systems.
In a recent report, the Congressional Research Service (CRC) outlined current
terrorist capabilities for cyber attack and warned that terrorist organizations, state
sponsors of terror and extremist groups are becoming increasingly aware of the
essential role of critical information systems and will either develop their own
capabilities for cyber attack, forge alliances with cyber-criminals, or hire hackers to
assist them in targeting critical infrastructure. [3] The CRC cites a key report from the
House Homeland Security Committee, wherein FBI officials indicated that extremists
have used identity theft and credit card fraud to support recent terrorist activities by Al
Qaeda cells3. Finally, the report concludes that if the current trends continue, cyber
attacks will certainly become “more numerous, faster, and more sophisticated”, likely
outpacing the ability of government agencies and private organizations to prevent,
respond to and recover from concerted attacks.
1 The Defense Advanced Research Project Agency is an agency of the United States Department of Defense
responsible for the development of new technology for use by the military.
2 A prominent example was made public at the July 2005 Black Hat computer security conference where an
exploit was demonstrated to show how commonly used Internet routers could quickly be hacked. Victor
Garza, Security Researcher causes furor by releasing flaw in Cisco Systems IOS, SearchSecurity.com, July
28, 2005.
Deputy Attorney General Mark Filip, in his address to the International Conference
on Cyber Security, stated that “Cyber crime and cyber terrorism are issues that
transcend customary bureaucratic and national boundaries, and because both public and
private Internet infrastructures are "closely linked," they transcend the usual public/
private dichotomies as well.” [4]
This “interlinked” system of systems allows for numerous attack vectors, ranging
from a single targeted breach to a widespread coordinated cyber attack. The objectives
of a cyber attack include the following four areas: [5]
1. Loss of integrity, such that information could be modified improperly;
2. Loss of availability, where mission critical information systems are rendered
unavailable to authorized users;
3. Loss of confidentiality, where critical information is disclosed to
unauthorized users; and,
4. Physical destruction, where information systems create actual physical harm
through commands that cause deliberate malfunctions.
Many experts agree that one likely scenario for a cyber attack would be its use in
conjunction with a conventional physical, chemical, biological, radiological or nuclear
(CBRN) terrorist attack. Such a scenario could include direct attacks against first
responder communication infrastructure or 911 call centers simultaneously with the
detonation of explosive devices.
The Internet, which has penetrated almost all of our daily lives and is critical to the
functioning of our knowledge economies, was designed for research and information
sharing. Almost all but the most sensitive information systems are either directly or
indirectly connected to the Internet and are therefore vulnerable to its design flaws. The
continued and concerted Distributed Denial of Service (DDoS) attacks against the Net’s
DNS infrastructure are troubling in that many believe those responsible are merely
conducting tests and that a full scale attack is a real possibility in the near future. [6]
Many of these large scale attacks exploit weakly secured workstations from around
the world and transform these computers into “zombies”. These, in turn, are then
aggregated into botnet armies, which can be unleashed in devastating distributed denial
of service attacks. Had the users of these workstations properly secured them, such
attacks would be vastly more difficult, as each workstation would have to be
individually hacked.
It has been humorously stated that a computer is in fact quite easy to secure. Why, we
can simply turn it off, lock it in a steel vault, destroy any key and ensure that it is not
connected to anything. Voila, we now have a highly secure computing environment!
3 According to FBI Officials, Al Qaeda terrorist cells in Spain used stolen credit card information to make
numerous purchases. Also, the FBI has recorded more than 9.3 million Americans as victims of identity theft
in a 12-month period; June 2005. Report by the Democratic Staff of the House Homeland Security
Committee, Identity Theft and Terrorism, July 1, 2005, p.10
As Bruce Schneier wrote, “Security is only as good as its weakest link, and people are
the weakest link in the chain.” [7] Hackers and cyber-criminals understand this
phenomenon significantly better than most technology companies. While the “human
factor” is generally accepted as a significant issue by the security community, the
majority of the discussions and research surrounding cyber security are focused on the
technical and policy challenges of securing cyberspace5. In addition, there are few
resources, including scholarly papers, blogs, books or articles, that are
devoted to the subject of the usability of security solutions. Yet this issue is arguably
one of the most glaring and pervasive root causes of cyber insecurity. Given the fact
that most users interact with computer security on a daily basis, Angela Sasse
comments that the current state of affairs amounts to nothing less than a major usability
crisis [8] and suggests that “unusable security systems are not only expensive, but
ineffective.”
This is because common security mechanisms have failed to acknowledge even the
most rudimentary usability and human-computer interaction design principles, such as
minimizing users’ mental workloads, task context or an understanding of user
motivation and self-image. Our continued reliance on password authentication as a
common security mechanism is proof that not much has changed in the last few
decades.
4 In November 2002, the Honeynet Project placed unpatched Windows 2000 computers on the Internet and
found that they were being compromised after just five minutes. The Honeynet Project, "Forensics" (Jan. 29,
2003); http://honeynet.overt.org/index.php/Forensics.
5 Such as: which technologies will be used, what standards will be implemented, what sorts of policies will
need to be crafted to coordinate our security and law enforcement efforts nationally and internationally or the
varying roles of government, academia and the private sector, in securing cyberspace.
As far back as 1999, Adams & Sasse conducted both interview and questionnaire
studies with people inside and outside an international telecommunications company
[9] and concluded that users:
• Could not cope with the proliferation of passwords,
• Received little instruction, training or support, and
• Were not motivated to behave in a secure manner.
A decade later, the average user’s exposure to password authentication is even
more out of control. We are juggling everything from bill payments, eCommerce,
social networking sites (like MySpace, GoogleApps, Instant Messaging) and an
explosion of Web 2.0 Software as a Service (SaaS) offerings, credit and debit card PIN
numbers, VoiceMail access codes, in addition to the numerous work and home related
computer login accounts that most of us are required to maintain. It has been estimated
that today, the number of individual username/password combinations that the average
person is required to contend with regularly is in the high teens. That number is
significantly more than the average person can remember without an artificial aid.
Unfortunately, the aid is often writing the passwords down, storing all of them in a
single location or using the same password everywhere6, thus defeating the purpose of
strong password authentication.
Let us consider for a moment some basic principles of human memory and motivation
and how these apply to security technology:
Human memory has limitations: Most of us are not good at remembering the
random sequences of characters required by strong password authentication methods.
Humans have trouble remembering more than 7 ± 2 unrelated characters. Moreover,
there is a limit to the number of passwords we can remember. Finally, unaided recall is
much more difficult than cued recall, resulting in the proliferation of the “Security
Question” or password reminders. While these “fixes” aid recall, they also introduce
additional significant security risks.
Humans don’t think randomly: We don’t do well when we are required to invent a
random string of characters and commit them to memory on the spot. Pattern
recognition is one of our strongest skills, so when asked to create many unique
passwords, we unintentionally or intentionally introduce patterns.
Human memory decays over time: We cannot recall passwords we use
infrequently. Conversely, we cannot forget (on command) memorized items we no
longer need. Thus, when we are forced to change our passwords, we commonly forget
the new one or confuse the new one with the old.
Humans are goal oriented: Security is not a goal most users strive for, rather it is
seen to get in the way of their production tasks. People use technology in order to
perform meaningful tasks. In this context, security is viewed as an “enabling task” or
“hurdle” the user is required to overcome in order to perform their production task.
“When security conflicts with a user’s production task they often respond by
6 Hackers and social engineers exploit this fact as it is much easier to direct their energies against soft targets
to obtain one or two of a user’s commonly used passwords, which in turn are probably the same passwords
used to access more sensitive systems at work.
18 A. Vidali / Striking the Balance: Security vs. Utility
7 In an experiment conducted in 2004, regular commuters in London where asked if they would reveal their
email passwords for a bar of chocolate. A troubling 34% revealed their passwords without needing to be
bribed. Over 70% revealed information about themselves that could be used by identity thieves. BBC,
Tuesday, 20 April, 2004: Passwords revealed by sweet deal. http://news.bbc.co.uk/1/hi/technology/
3639679.stm
The principle of strong security includes the common notion that in order to secure an
information system we need a combination of multiple vectors to establish a trusted
connection:
• Something I am – Identification – Who you are, positive identification
• Something I know – Authentication – Something only you uniquely know
• Something I have – A token, smart card, keycard etc.
• Somewhere I am – Location – a physical or logical “area” from where I can
access a system. (e.g. IP filtering, Internet Zones)
To be secure, a system must incorporate at least two of these vectors to establish
trust. In addition, once a user is positively identified and “trusted” we must also know
what actions that user is authorized to perform on the system, or in other words, his/her
authorization level. Upon cursory review, password authentication conforms to security
best practice by requiring two of the aforementioned vectors to authenticate a user and
allow them access to an information system:
1. Something I am - username and,
2. Something I know - password
Let us, however, review standard password authentication in more detail for a
moment. At the login screen a user is prompted for a username and password to
gain access to the system’s functions. The username supposedly serves to identify the
individual seeking to gain access. In combination with the proper password, access is
granted. In most cases, the username is ridiculously easy to guess, as it is almost
universally based on publicly available information, e.g. a person’s email address, a
subset thereof, their name or an abbreviation of their name. For voicemail systems, the
username is almost always the individual’s phone number or mailbox number. Some
financial systems try to mitigate this fact by utilizing identifiers that are considered
“more secure”, such as Social Security numbers, yet even these can be relatively easy to
obtain over the internet for as little as ten US dollars.
Thus, one of the most critical elements of our security system can be said to be
ineffective at positively identifying a user, leaving only the password to stand in the
way of a determined attacker. As we have seen, passwords are significantly less secure
than we would like. Likewise, because the “identification” component of this
authentication scheme is so weak, all it takes is a name, phone number or email address
for any malicious attacker to acquire enough information to initiate an attack.
As if this state of affairs was not bad enough, there are numerous readily available
tools that are designed to automatically exploit known weaknesses in operating systems
and commonly used commercial software applications that can collect login credentials
in order to assist a hacker in compromising vulnerable systems. These tools are easily
available for download from the Internet and can be utilized by relatively
unsophisticated attackers.
In addition, password authentication is severely flawed from a usability
perspective in that it requires 100% unaided recall of the non-meaningful items that
make up strong passwords. Given the limitations of human memory outlined above,
password authentication causes people to constantly compromise both the strength and
secrecy of the password in question. It is not a stretch to conclude that both vectors
(username and password) are compromised when it comes to password authentication.
This traditional scheme provides near zero non-repudiation support as there is no
way for the system to positively identify the user beyond checking that the username
To solve the usability problem, the security systems of the future must be highly
convenient, largely transparent to end users, fully integrated across security domains,
threat aware, and able to modify security policies “on the fly” in response to changing
threat environments.
Convenience and transparency are absolutely critical if we are to solve the
problem. As previously stated, the less a person encounters security as a hurdle to their
production task, the more effective the solution will be. An example in the physical
world would be a self-locking door. Without this convenience, many people
forget to properly lock their doors when leaving their homes.
Thus, in simple terms, users’ behavior indicates that they need security that is
quick, convenient and easy to use. They want to know that their identity, files, systems
and facilities are consistently secured in a manner that maintains their privacy, yet
alerts them when a potential breach has occurred. While users are understanding of the
need for authentication and are willing to provide credentials, it is unrealistic to ask
them to provide too many different sets of credentials during their daily workflow.
Users should be required to remember as few things as possible in order to access our
systems. Also, security must be contextualized with users’ production tasks and be
appropriate for the sensitivity of the system and applicable threat environment.
So at a minimum, future security mechanisms should:
1. Positively identify a person (not a username)
2. Require strong passphrases
3. Be threat-aware, i.e. able to discern threats, take appropriate actions and notify
appropriate user(s) or authorities of a breach. Also, they should be able to
share information in order to act as a threat early warning system.
4. Adapt in real-time – allowing for additional security to be imposed during
times of increased threat, automatically add layers of security to sensitive
information when an attack is perceived.
5. Be largely transparent/convenient
6. Be integrated – allowing user credentials to be used for physical and virtual
access
7. Be designed to safeguard our personal privacy
To establish objective trust and non-repudiation requires that we look beyond the easily
compromised username for positive identification. Biometric identification does this by
using one or more unique and intrinsic physical (fingerprints, iris, retina, facial or hand
geometry, palm vein patterns) or behavioral traits (typing dynamics, signature
recognition, voice pattern) of an individual to establish a positive identity match. The
advantages of biometric identification include:
• Very easy to use/convenient – we don’t forget our fingerprints or face
and, unlike tokens, these cannot be “lost”
• Limited Attack Surface – it is almost impossible for a remote attacker to
access the information necessary to initiate a direct attack or steal the
user’s identity
• Relatively fast – it can take under a second to verify a match
• Increasingly accurate – accuracy has improved significantly over the last
2 years
• Becoming cost effective – costs for biometric devices have come down
significantly8
While biometrics has significant advantages, detractors point out that the
technology is still problematic due to:
• Inability to change a biometric – unlike a username, once a biometric
signature is stolen, it is not easy to change and we only have a limited
number of biometric identifiers.
• Greater consequences - Criminals may be incentivized to cut off users’
fingers, hands or other body parts, or even kill, in order to gain illicit access
to secure systems. 9
• Surrounding systems weak – biometrics can still be compromised via
system circumvention, verification fraud and enrollment fraud. [14]
• Biometric verification is not 100% accurate - This is due to the need for
match threshold values (similar to a metal detector) to take into account
the changing characteristics of the biometric. Faces age, fingers can be
scarred and our voice may change due to a sore throat. Depending on the
threshold settings and the “noise” encountered when scanning the
biometric, false accepts (an impostor matched) can occur as well as false
rejects (the genuine user turned away); tightening the threshold to reduce
one rate increases the other.
• Fabricated biometrics - It is theoretically possible to recreate source
biometric data from associated templates, thus possibly compromising the
biometric. [15]
Nevertheless, biometric identification holds significant promise by utilizing
numerous “immutable” physical and behavioral attributes, which, when fused, could
8The cost of a fingerprint sensor has fallen from around $20 four years ago to under $5 in 2007, and is
being incorporated into everything from laptops and cell phones to USB keys and hard drives.
9A common story we hear regarding this objection is about the man whose new Mercedes was carjacked. The
car had a biometric lock and therefore the thieves removed the man’s finger in order to start the car. Despite
this popular story, many of today’s biometric devices have “live” sensors in them that would actually
incentivize a criminal to keep the individual alive as long as they need access. In addition, while this
information can be coerced from someone by force, so can a username, and the nature of the crime creates
significant visibility for the perpetrators thus effectively removing the shield of anonymity cybercriminals
hide behind.
form the basis for identification systems that are nigh impervious to identity theft.
These multi-modal or “fused” biometric systems are more reliable due to their ability
to acquire multiple pieces of evidence to identify a person. Imagine a computer, vehicle
or door that not only recognizes your face but scans your iris and asks you how your
morning is going while analyzing the voice pattern of your response to positively
identify you. Humans can instantly recognize each other. We do this by simultaneous
synthesis of many visual, auditory and olfactory cues. In fact, our recognition is so
keen that it works even when the subject in question has altered their appearance or
sounds different due to a cold. If a security system were as perceptive, it would be
incredibly difficult to circumvent as an attacker would be required to fool multiple
sensors simultaneously. In the future, we predict that multi-modal biometric technology
will be able to mimic how humans recognize each other by fusing biometric sensors
together and allowing security systems to evaluate our identity “holistically.” In this
scenario, match threshold values can be consolidated across multiple vectors, enabling
drastically improved recognition and the near elimination of false positives. [16] In
other words, a user may have a swollen face, but the system would still recognize her
because her height, iris and voice prints match.
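As an added illustration (editor's code, not part of Vidali's chapter) of the threshold trade-off described under "Biometric verification is not 100% accurate" and of why fusing modalities helps, the Python below computes false accept and false reject rates over constructed similarity scores for a face matcher and a voice matcher, then fuses the two by score averaging. The score lists, the 0.70 threshold and the equal weights are assumptions chosen for the illustration, not measurements from any product.

```python
"""Match thresholds, false accept/reject rates and score-level fusion."""

# Constructed similarity scores (not measured data) for one enrolled subject.
# Each score is in [0, 1]; higher means the presented sample is closer to the
# stored template. "genuine" = the enrolled person presenting again, with the
# day-to-day variation the text describes (aging, a scar, a sore throat);
# "impostor" = other people presenting against the same template. Index i in
# the face list and index i in the voice list belong to the same presentation.
FACE_GENUINE = [0.91, 0.88, 0.74, 0.69, 0.93, 0.62, 0.85, 0.79]
FACE_IMPOSTOR = [0.40, 0.55, 0.71, 0.33, 0.48, 0.66, 0.52, 0.37]
VOICE_GENUINE = [0.86, 0.59, 0.90, 0.83, 0.64, 0.88, 0.77, 0.92]
VOICE_IMPOSTOR = [0.35, 0.61, 0.30, 0.68, 0.44, 0.39, 0.57, 0.50]


def far_frr(genuine, impostor, threshold):
    """False accept rate and false reject rate at a given match threshold.

    FAR = fraction of impostor presentations scoring at or above the threshold
    (let in); FRR = fraction of genuine presentations scoring below it (turned
    away). Raising the threshold lowers FAR and raises FRR, and vice versa.
    """
    accepted_impostors = sum(1 for s in impostor if s >= threshold)
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    return accepted_impostors / len(impostor), rejected_genuine / len(genuine)


def sweep(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate, to choose an operating point."""
    return [(t,) + far_frr(genuine, impostor, t) for t in thresholds]


def fuse(scores_a, scores_b, weight_a=0.5):
    """Score-level fusion: weighted mean of two modalities' scores for the same
    presentation. One weak reading (a swollen face) is outvoted by a strong one
    (the voice) instead of deciding the outcome on its own."""
    return [weight_a * a + (1 - weight_a) * b for a, b in zip(scores_a, scores_b)]


if __name__ == "__main__":
    t = 0.70
    print("face  FAR/FRR at %.2f: %s" % (t, far_frr(FACE_GENUINE, FACE_IMPOSTOR, t)))
    print("voice FAR/FRR at %.2f: %s" % (t, far_frr(VOICE_GENUINE, VOICE_IMPOSTOR, t)))
    fused_genuine = fuse(FACE_GENUINE, VOICE_GENUINE)
    fused_impostor = fuse(FACE_IMPOSTOR, VOICE_IMPOSTOR)
    print("fused FAR/FRR at %.2f: %s" % (t, far_frr(fused_genuine, fused_impostor, t)))
    for row in sweep(FACE_GENUINE, FACE_IMPOSTOR, [0.55, 0.60, 0.65, 0.70, 0.75]):
        print("face threshold %.2f -> FAR %.3f FRR %.3f" % row)
```

With these constructed scores, face alone at 0.70 rejects two genuine presentations (the 0.69 and the 0.62 "swollen face") and admits one impostor; lowering the threshold to 0.60 removes the rejects but admits two impostors. The fused scores separate the two populations cleanly at 0.70 because the modalities' errors are not correlated in the sample, which is the condition under which fusion actually helps; a deployment would set its threshold from FAR/FRR curves measured on its own population, not from a toy sample like this one.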
Supporters of biometric authentication have gone so far as to suggest that the biometric
is all that may be necessary to positively identify a user and allow access to a sensitive
system. While highly convenient and in some cases transparent for the user, we
disagree on the grounds that while current biometric technology provides a
significantly stronger mechanism for positive user identification, it still has sufficient
vulnerabilities that must be addressed before we can completely eliminate strong two-
factor authentication.
Since multi-modal biometrics are not yet cost effective for most implementations,
one thing that could be done to increase the usability of most authentication systems is
to eliminate the “strong password” and replace it with the more usable “passphrase.”
It is much easier for humans to both create and remember a 47 character phrase like
“Securing my identity in 2009 is very important!” than a meaningless string of 8
random characters such as “!$3^1@Z&”.
Numerous debates surround the topic of the cryptographic strength of a passphrase
vs. the strong password and the related entropy10 of each. Most agree, however, that the
longer passphrase (30 characters or more is typical) enables increased cryptographic
strength, rendering many kinds of brute force attacks highly impractical. The caveat is
that the added strength comes from length an attacker cannot shortcut: a phrase lifted
from a song, a proverb or a published quotation is already in attackers’ wordlists and
gains little from its length. More importantly, because the passphrase is relatively easy
to remember, we are far less likely to write it down.
10 Entropy is a measure of the uncertainty associated with a random variable. For a secret, it depends on
the number of items chosen, the size of the set from which they are chosen, and how uniformly each
individual item is chosen. Since passphrases are longer than passwords, they have the potential for
higher entropy than passwords (even if they are picked from the same character set), making them much
harder to crack.
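To put numbers on the comparison in the text and in footnote 10, here is an added worked example (editor's code, not the chapter's). It credits the random 8-character password with full uniform entropy, estimates the 47-character user-chosen phrase with the per-character heuristic from Appendix A of NIST SP 800-63 (2006), and adds a Diceware-style random word list for comparison. The cracking rate of one billion guesses per second is an assumption.

```python
"""Entropy estimates for the two examples in the text: a random 8-character
password and a 47-character user-chosen passphrase."""
import math

PRINTABLE_ASCII = 94    # symbols typeable on a US keyboard, space excluded
DICEWARE_WORDS = 7776   # 6**5 entries in a Diceware word list


def random_entropy_bits(length, alphabet_size):
    """Entropy when every position is chosen uniformly at random (by a
    generator, not a human): length * log2(alphabet). This is what an
    8-character password like "!$3^1@Z&" is credited with."""
    return length * math.log2(alphabet_size)


def nist_user_chosen_entropy_bits(length):
    """Heuristic for text a *human* chose, from NIST SP 800-63 (2006), Appendix A:
    4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each
    for characters 9-20 and 1 bit for each character after that. The appendix's
    bonuses for composition rules and dictionary checks are left out here.
    """
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def years_to_exhaust(bits, guesses_per_second):
    """Worst case for an offline attack on a captured hash: time to try the
    whole space at a fixed rate. The expected time is half of this."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9   # assumed: a billion hash guesses per second on cracking hardware
    for label, bits in [
        ("8 random printable chars (!$3^1@Z&)", random_entropy_bits(8, PRINTABLE_ASCII)),
        ("8 user-chosen chars", nist_user_chosen_entropy_bits(8)),
        ("47-char user-chosen passphrase", nist_user_chosen_entropy_bits(47)),
        ("8 Diceware words", random_entropy_bits(8, DICEWARE_WORDS)),
        ("47 random printable chars", random_entropy_bits(47, PRINTABLE_ASCII)),
    ]:
        print("%-40s %6.1f bits  ~%.2g years to exhaust at %.0e/s"
              % (label, bits, years_to_exhaust(bits, rate), rate))
```

The numbers support the chapter's point with a qualification: a human-chosen 8-character password rates about 18 bits under the NIST heuristic, the 47-character phrase about 63 bits, and eight random Diceware words about 103 bits, whereas 47 truly random printable characters would be over 300 bits but nobody can memorize them. The 63-bit figure assumes the phrase is the user's own; a known quotation is one dictionary entry for the attacker, whatever its length.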
A door is a physical barrier; if there is a lock on it, only authorized persons (key holders) are
supposed to be allowed access. Yet, a thief can steal the key, pick the lock, break down
the door or go through a window. In the physical world, we use alarm systems that
include various sensors (contact, motion, and pressure) to sense unauthorized
intrusions. Once an intrusion is detected, an alarm sounds and authorities are
dispatched to the property. At the network level, intrusion detection/prevention systems
have evolved significantly allowing for real-time responses such as blocking suspicious
traffic and automatically alerting administrators. When we look at most authentication
systems however, they do little to proactively sense and defend against threats or alert
account owners and administrators of a possible breach. In short, most are not threat
aware. At best, they lock a user account after a certain number of login attempts and
require reactivation, and may log unsuccessful attempts in a log file or audit trail. While
this is useful for forensic analysis after the system has been compromised, it does
little to prevent or deter an attacker who has already stolen valid credentials. In
addition, many attacks originate from inside the network, by disgruntled employees
utilizing their own credentials or those stolen from colleagues.
In order to secure systems from these sorts of threats, developers may be able to
incorporate some of the lessons learned by the financial industry. Given the enormous
costs associated with credit card fraud, many credit card companies have become adept
at tracking individualized spending patterns (what cardholders typically buy, where
they usually buy, average transaction sizes) and can proactively alert consumers of
unorthodox spending patterns or charges originating from locations not commonly
associated with the card holder. If we apply this principle to an authentication system, it
would be able to perceive a threat by sensing anomalous behaviors in the user. For
example, a user who is attempting to enter a building at an unusual hour or login to a
system from an atypical remote location. Biometric sensors could further enhance this
approach by adapting speech recognition to detect stress or fear in the user’s voice,
scanning for pupil dilation or recognizing when an unknown person is standing too
close to a user.
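The card-fraud analogy above, written out as an added example (editor's code, not the chapter's or any vendor's): a baseline of usual hours and sources per user is learned from a constructed audit trail, each new login is scored by how many independent ways it deviates from that baseline, and the score selects a transparent allow, a step-up challenge, or a refusal with an alert. The log format, the location labels and the scoring rules are assumptions.

```python
"""Threat-aware login scoring: learn each user's usual hours and sources from
the audit trail, then score deviations, the way a card issuer scores a purchase
that does not fit the cardholder's pattern."""
from collections import defaultdict
from datetime import datetime

# Constructed audit trail (not real data). Fields: ISO timestamp, user,
# result, source. "source" is a coarse location label; in a real system it
# would come from IP geolocation, the VPN concentrator or a badge reader.
HISTORY = """\
2009-03-02T08:12:00 alice ok office-net
2009-03-02T17:45:00 alice ok office-net
2009-03-03T08:05:00 alice ok office-net
2009-03-03T12:30:00 alice ok home-dsl
2009-03-04T09:10:00 alice ok office-net
2009-03-04T22:15:00 alice fail remote-unknown
2009-03-05T08:20:00 alice ok office-net
2009-03-02T07:55:00 bob ok office-net
2009-03-03T21:40:00 bob ok home-cable
2009-03-04T08:00:00 bob ok office-net
"""


def build_baseline(log_text):
    """Per user: hours of day and sources seen in *successful* logins, plus a
    count of failed attempts per (user, source). Only successes shape the
    profile, so an attacker's failed probing cannot teach the system that the
    attacker's location is normal."""
    hours = defaultdict(set)
    sources = defaultdict(set)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        stamp, user, result, source = line.split()
        when = datetime.fromisoformat(stamp)
        if result == "ok":
            hours[user].add(when.hour)
            sources[user].add(source)
        else:
            failures[(user, source)] += 1
    return {"hours": hours, "sources": sources, "failures": failures}


def score_login(baseline, user, stamp, source):
    """Return (score, reasons) for a login at ISO time `stamp`. Each deviation
    adds one point; they are independent signals, so an odd hour from a known
    office network is less alarming than an odd hour from a network never seen
    before, and a source that has already failed against the account counts
    as hostile on its own."""
    when = datetime.fromisoformat(stamp)
    reasons = []
    if when.hour not in baseline["hours"][user]:
        reasons.append("outside usual hours")
    if source not in baseline["sources"][user]:
        reasons.append("never-seen source")
    if baseline["failures"][(user, source)] > 0:
        reasons.append("source has failed against this account before")
    return len(reasons), reasons


def decide(score):
    """Map the score to an action: stay transparent when nothing is unusual,
    ask for a second factor on one signal, refuse and raise an alert on more."""
    if score == 0:
        return "allow"
    if score == 1:
        return "step-up"
    return "deny-and-alert"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    attempts = [
        ("alice", "2009-03-06T08:30:00", "office-net"),
        ("alice", "2009-03-06T03:00:00", "office-net"),
        ("alice", "2009-03-06T22:30:00", "remote-unknown"),
        ("bob", "2009-03-06T21:00:00", "home-cable"),
    ]
    for user, stamp, source in attempts:
        score, reasons = score_login(baseline, user, stamp, source)
        print(user, stamp, source, "->", decide(score), reasons)
```

A user with no history deviates on every axis, so the scheme needs an enrollment window (or a manually seeded profile) before it can be transparent; that is the price of not letting an attacker's first logins define "normal".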
Security systems should not only recognize threats, but also be capable of adapting to
these threats in real time. When no threat indicators are present, adaptive security
systems should remain relatively transparent and not interfere with users’ productive
workflow. However, when a threat is identified, the system should be “smart” enough
to adjust its behavior and increase its security posture in a manner commensurate with
the threat it perceives. While we may be several years away from biometric fusion and
artificial intelligence that is capable of judging threats based on user behaviors and
situational awareness, we do have the technology today that could block access to
systems for users who are being forced to reveal their credentials. Similar to a silent
alarm system, a person who is under duress to reveal her password may provide a
“safeword” instead. The system, upon receiving the “safeword”, would automatically
secure critical or sensitive data and “pretend” to allow the attacker access to the system
while notifying authorities and logging all activity on the workstation.
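The “safeword” described above, as an added example (editor's code, not the chapter's). Both the password and the safeword are stored as salted PBKDF2 hashes; every login attempt is compared against both in constant time before the outcome is chosen, so response timing does not reveal which one matched; a safeword match raises a silent alert and returns a decoy session whose visible behaviour is identical to a real one. The PBKDF2 work factor, the alert sink and the session fields are assumptions.

```python
"""A duress "safeword" beside the real password: the same login prompt, but the
safeword silently raises an alarm and hands the attacker a decoy session."""
import hashlib
import hmac
import os
from enum import Enum

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to your hardware


class Outcome(Enum):
    DENY = "deny"
    GRANT = "grant"
    DURESS = "duress"     # must look exactly like GRANT to whoever is watching the screen


def _derive(secret, salt):
    """Same slow KDF for password and safeword, so an attacker who steals the
    record gains nothing from one of the two hashes being cheaper to attack."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password, safeword):
    """Store one salt and two hashes. The safeword must be unrelated to the
    password; a reversed or suffixed password is guessable by the coercer."""
    if password == safeword:
        raise ValueError("safeword must differ from the password")
    salt = os.urandom(16)
    return {"salt": salt,
            "password": _derive(password, salt),
            "safeword": _derive(safeword, salt)}


def authenticate(record, presented, alert_sink):
    """Derive once, compare against *both* hashes with constant-time comparison,
    and only then branch, so the response time does not reveal which matched.
    alert_sink collects the silent alarm; in production it would be an
    out-of-band channel (pager, SOC queue), never anything shown on screen."""
    candidate = _derive(presented, record["salt"])
    matches_password = hmac.compare_digest(candidate, record["password"])
    matches_safeword = hmac.compare_digest(candidate, record["safeword"])
    if matches_safeword:
        alert_sink.append("duress login: isolate sensitive data, record session, notify security")
        return Outcome.DURESS
    if matches_password:
        return Outcome.GRANT
    return Outcome.DENY


def open_session(outcome):
    """What the user-facing code does with the outcome. A DURESS session shows
    the same greeting as a real one; only the sensitive shares are missing and
    every action is recorded."""
    if outcome is Outcome.DENY:
        return {"granted": False, "message": "Login incorrect"}
    return {
        "granted": True,
        "message": "Welcome",                       # identical wording either way
        "sensitive_shares": outcome is Outcome.GRANT,
        "record_everything": outcome is Outcome.DURESS,
    }


if __name__ == "__main__":
    alerts = []
    # Constructed secrets for the demonstration; the passphrase is the chapter's own example.
    rec = enroll("Securing my identity in 2009 is very important!", "the tide is out")
    for attempt in ["Securing my identity in 2009 is very important!", "the tide is out", "guess"]:
        out = authenticate(rec, attempt, alerts)
        print(repr(attempt), "->", out.value, open_session(out))
    print("alerts:", alerts)
```

The two things that make a duress code worth having are that the coercer cannot tell it was used (same prompt, same greeting, same delay) and that the alert leaves the machine by a path the coercer cannot see; if either fails, the scheme puts the user in more danger, not less.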
When Windows Vista was released, many of the complaints about the operating system
were directed at the incessant security messages that it presented to its users. One
“feature” that Microsoft added to Windows Vista was a prompt that interrupts any
program attempting to run with administrative privileges, so that no program can
acquire those rights unnoticed. This was aimed at reducing the threat of viruses
and malware so common on home computers. Microsoft implemented this in the form
of User Account Control (UAC). UAC was incredibly “chatty” and constantly
asked users whether they wanted a program to continue or whether it should cancel the
operation. While the purpose was to warn users when an unknown or unwanted
program asked for elevated rights, in practice the prompt appeared repeatedly for
almost any non-Microsoft program, since so much existing software had been written
to expect administrator privileges. These messages were so frequent and annoying
that most users simply ignored them and became used to clicking Continue to get back to
their production task. Microsoft’s willful disregard for usability was further
underscored by outrageous comments made at RSA 2008 in San Francisco, where
Microsoft admitted that UAC was designed, specifically, to annoy. Microsoft’s David
Cross stated: "The reason we put UAC into the platform was to annoy users. I'm
serious." [17]
It is no surprise that soon after Vista was released, a slew of internet pages, blogs
and forum posts sprang up with instructions on how to turn UAC off and according to
Ars Technica’s Ken Fisher, “…one of the most popular post-Vista install activities is
disabling UAC.”
So what have we learned? In this case, while the concepts of threat awareness and
user notification were laudable additions to the Vista OS, the implementation was an
unmitigated disaster and many Vista systems became significantly less secure as a
result.
Integrating application and network security is not a new concept; single sign-on does
just that. Once single sign-on is in place, the managed passwords can be
changed to the strongest format allowed by the applications and managed
automatically. If they are never known to the user, they cannot be disclosed, written
down, or handled carelessly. However, if a single sign-on system is not reliable, users
and administrators will not trust it, and will create back doors or leave critical systems
vulnerable. In addition, many of today’s implementations are prone to creating a single
point of failure, which is also a single point of break-in: whoever compromises the
sign-on credential inherits access to every connected system. Usability is security, but
reliability is important for both. The ability of single sign-on to eliminate the need for
numerous sets of credentials is a drastic improvement in usability and, if implemented
correctly, has significant advantages for increased cyber security.
significant advantages for increased cyber security. If we take this concept one step
further, we could include physical access as an integrated component of our
authentication system. There are companies today that have created locks which can
not only read credentials11, but also write data directly back to the credential. This
11 For example CoreStreet (http://www.corestreet.com) provides locks that can read and write to a token
(FIPS 201 compliant smart card) thus allowing physical access privileges to be denied (without the need for
changing a lock) should the user’s network and system access be revoked. The same goes for increasing a
person’s access rights to facilities, for example when they have achieved security clearance. This has been a
costly problem with standard locks and keys issued to employees.
It cannot be stressed enough that if users do not trust that their privacy is being
protected, or if the actions being taken by a security system are not disclosed to the
users, they will not accept such a system or will intentionally bypass the system to
protect their privacy. Several studies indicate that the majority of people who find out
that software operates in a covert manner to compromise their privacy will discontinue
use of that software application. The most important aspect of maintaining user trust is
full disclosure of what the system may track and a clear understanding of the cost
benefit of the technology. 13 People are rightfully afraid of an Orwellian scenario, where
every step they take in both cyberspace and the real world is monitored by “authorities”
and will strongly resist any security technology that violates their privacy.
Yet, it is ironic that millions of people around the world post much of their
personal data daily on the internet via social networking and other sites14 and act as if
they are completely unaware that most of their activities can be easily followed, for
they leave digital “breadcrumbs” wherever they go. Blogs, MySpace entries, IRC
traffic, credit card records, phone records, internet activity logs, financial systems and
even our healthcare records are exposing our digital DNA to potential attackers. Today,
these “breadcrumbs” are distributed across the hundreds of web servers, applications
and the individual systems, which make aggregating this information somewhat
impractical. A single unifying identifier that can link all of these disparate systems
together, while highly “usable” will open a Pandora’s Box of privacy issues that our
societies may never be able to solve.
12Which we have seen could be useful in establishing normal baselines of activities in order to detect unusual
patterns of behavior that would enhance our detection of anomalous events.
13There are countless examples of a user’s voluntary willingness to part with personal information in order to
increase convenience. After 9/11, several companies launched registered traveler programs aimed at
capitalizing on travelers’ aggravation with increased security. One such program, “Clear” (http://
www.flyclear.com), is now operating in twenty US Airports, and in exchange for $199 per year and
submitting personal information and a biometric for a background check, air travelers can access a special
security lane with almost no wait time. In August 2008, a laptop with 33,000 Clear records was lost or stolen
from the San Francisco Airport. Needless to say, the hard drive of that laptop was not encrypted, proving
once again that human error and lack of vigilance remain primary sources of cyber insecurity.
14 It may be interesting to note that the vast majority of these users are individuals who have grown up with
technology (Generation Y or the Millennials) and who don’t seem to have the same suspicions or concerns
regarding the security and privacy of their personal information.
attacker. CyberShield automatically redirected all traffic originating from the attacker’s
network address to the HoneyPot, all the while logging the illicit activities. The tables
were now turned. . .
Back at the ICC fusion center headquarters, logs from the HoneyPots poured in,
and within hours, cyber security analysts had identified the vulnerability and security
patches that were developed by the involved vendors were automatically distributed
through the CyberShield network to all of its connected machines. During this entire
time, the five cyberterrorists remained blissfully unaware that their intrusion had been
detected and that they were under counter-surveillance.
Later that day, authorities were able to decode an encrypted message from Hezbollah
terrorist leaders and were made aware of the numerous conventional attacks that were
planned to coincide with a massive cyberattack planned for the 11th of September. The
message referred to similar groups in Venezuela and Iran, and authorities began cyber
surveillance operations targeted at those countries’ subnets, uncovering two additional
cyber-cells involved in the attack.
ICC authorities increased threat levels across cyberspace and coordinated with
law enforcement in the US and the UK, who were investigating Hezbollah plots. The
additional information gleaned from the computer logs seized in Pakistan provided
investigators significant leads that led to the arrests of several cell members in the
Midwest and on the East Coast involved in the scheme.
Numerous arrests were made the following week after additional evidence was
gathered from the captured men’s homes.
Conclusion
Technology has become an indispensable tool for modern societies, yet our cyber
infrastructure remains highly vulnerable to attack. In this paper, we have explored some
root causes of cyber-insecurity and conclude that a significant problem lies with
humans. If we do not begin designing systems that squarely address human limitations
and recognize that usable solutions are a crucial component of strong security, we will
undoubtedly remain highly vulnerable and, within a decade, see our technology turned
against us in continued, more sophisticated and damaging attacks.
As we designed the scenario outlined in the introduction, it was frightening to note
how many possible avenues of cyber attack exist and how fragile and tenuous our
economies and way of life actually are. As we pursued outlining both the problems and
some possible solutions it became clear that there is no single “magic bullet” approach
that will guarantee our safety. It is more a question of constant vigilance and the will to
evolve our security solutions to deal with 21st Century threats.
Finally, to succeed in hardening our security across cyberspace will require
unprecedented cooperation between nations, companies, academia and citizens as the
challenges are both formidable and multi-dimensional. The price of not solving these
problems may be nothing less than our way of life.
References
[1] http://www.internetworldstats.com/stats.htm
[2] IBM Press Release, Government, financial services and manufacturing sectors top targets of security
attacks in first half of 2005, August 2, 2005
[3] CRS Report for Congress: Terrorist Capabilities for Cyberattack: Overview and Policy Issues, January
22nd, 2007
[4] Law enforcement on the cyber beat: Government Security News, January 8th, 2009
[5] U.S. Army Training and Doctrine command, Cyber Operations and Cyber Terrorism, Handbook No.
1.02 August 15th, 2005 P.II-1 and II-3
[6] DNS Attack: Only a Warning Shot; http://www.darkreading.com/security/perimeter/showArticle.jhtml?
articleID=208804344
[7] Schneier, B., Secrets and Lies, John Wiley & Sons, 2000
[8] Sasse, M. Angela, Computer Security: Anatomy of a Usability Disaster, and a Plan for Recovery,
Abstract. In this paper we argue that, in order to develop the next generation of
secure software systems, a security focus must be introduced throughout the
development lifecycle. We also argue that security is not just a technical issue,
and we explain how considering security issues from the earliest stages of the
development process leads to the development of more secure software systems.
After looking at the limitations and barriers of existing research and industrial
approaches, with respect to the engineering of secure software systems, we
briefly describe a methodology, which considers both the social and the technical
aspects of security and supports the objective of considering security from the
early stages of the software systems development. Moreover, we also argue that,
in order to provide a security focus throughout the development lifecycle, we
need to look at the issue collectively, rather than individually, by establishing a
discipline that will form the basis of an in depth understanding of the security
issues involved in the development of software systems; provide the appropriate
knowledge and best practice to assist software and security engineers in
developing secure software systems; and also educate system users on security
related issues.
Introduction
Security systems have been used to protect humans since the start of time. Initially,
physical security systems, such as mechanical traps, walled castles and ramparts, door
locks and alarms, were put in place as protection from intruders. More recently, the
storage of important information in electronic format has introduced the need for
computer security systems, such as firewalls, intrusion detection systems and antivirus
software. The field of computer security, although newer in comparison with physical
security, is certainly not a new topic and has been an active field since the 1960s [1].
Nevertheless, it was not until the advent of distributed systems and computer networks
that the security of information systems became an issue of monumental concern.
Current software systems contain a large quantity of important and sensitive
information ranging from medical records, to financial accounts, to confidential
government information, to military secrets. As a result, the need to protect such
30 H. Mouratidis / Secure Software Engineering
information and develop secure software systems is no longer an option, but rather a
necessity. It is therefore of paramount importance to fully understand the underlying
characteristics, principles and challenges involved in the development of secure
software systems. It is only then that we will be able to create software systems capable
of safeguarding the information that is stored in them. As we gain an in-depth
understanding of how to develop secure software systems, it is important to
understand that software systems operate within the greater context of “human society”
and not in isolation. This is because a number of factors can affect the security of a
software system. Such factors, however, do not necessarily challenge the technical
issues related to the security of a software system. Consider, for example, the scenario
in which a system, X, operates a password-protection policy, where each user must enter
a correct username and password to gain access. Consider also that user Y has written
down his/her password and has attached it to their computer screen. An attacker, Z, can
gain access to the system using the details of user Y. Although the technical security
solution of the system is not under attack, the human interaction with the system has
introduced security vulnerabilities.
Despite the need to consider software systems security as a multidimensional
issue, current research work mostly focuses on the technical issues of software system
security, such as authentication and encryption. Although this work is very important,
we believe that it cannot achieve the development of secure software systems on its
own. A multidimensional treatment of security is needed to form the basis for an in
depth understanding of security issues involved in the development of software
systems; provide the appropriate knowledge to assist software systems engineers and
security engineers in developing secure software systems; and also educate system
users on issues related to the security of software systems.
In this paper, we review the current state of the art in the area of secure software
engineering, and we briefly present a security-aware methodology that enables
software engineers to generate the appropriate security requirements for a system by
analysing its environment, including its stakeholders. This allows software engineers
not only to understand the technical challenges and requirements of the system but,
equally important, the challenges and security requirements introduced by the social
aspects of the system (environment, stakeholders, users and so on). The necessity of
introducing a discipline to support engineering secure software systems is also
discussed. In particular, Section 1 reviews research work in the area, whereas Section 2
briefly presents the Secure Tropos methodology. Section 3 discusses the foundations
for a Secure Software Engineering discipline and, finally, the last Section concludes the
paper.
Initial work from the software systems engineering community produced a number of
methods and processes intended to address non-functional requirements, including
security. Chung [2] proposed the Non-Functional Requirements (NFR) framework to
represent security requirements as potentially conflicting or harmonious goals and to be
able to use them during the development of information systems. From the security
engineering community, Schneier [3] proposed attack trees as a useful way to identify
H. Mouratidis / Secure Software Engineering 31
and organise different attacks in an information system, whereas Viega and McGraw
[4] proposed ten (10) principles for building secure software. More recently, Anton et
al. [5] proposed a set of general taxonomies for security and privacy, to be used as a
general knowledge repository for the (security) goal refinement process. The pattern
approach has been proposed by a number of researchers to assist security novices to act
as security experts. Schumacher and Roedig [6] proposed a set of patterns, called
security patterns, which contribute to the overall process of secure information systems
engineering. Fernandez [7] specified security models to be object oriented patterns that
can be used as guidelines for the development of secure information systems.
Although useful, these approaches fail to define a structured process that takes
security into account. A well defined and structured process is of the utmost importance
when considering security during the development phase.
On the other hand, a number of researchers model security by taking the behaviour
of potential attackers into account. Van Lamsweerde and Letier [8] use the concept of
security goals and anti-goals. Anti-goals represent malicious obstacles set up by
attackers to threaten the security goals of a system. In addition, Van Lamsweerde [9]
also defines the notion of anti-models, models that capture attackers, their goals and
capabilities. Similarly, Crook et al. [10] introduce the notion of anti-requirements to
represent the requirements of malicious attackers. Anti-requirements are expressed in
terms of the problem domain phenomena and are satisfied when the security threats
imposed by the attacker are realised in any one instance of the problem. Lin et al. [11]
incorporate anti-requirements into abuse frames. The purpose of abuse frames is to
represent security threats and to facilitate the analysis of the conditions in the system in
which a security violation occurs. An important limitation of all of these approaches is
that security is considered a vague goal that has to be satisfied, and they all lack a
precise description and enumeration of specific security properties.
A different school of thought proposes methods to analyse and reason about security
based on the relationships between actors (such as users, stakeholders and attackers)
and the system. Liu et al. [12] have
presented work to identify security requirements that are analysed, during the
development of multiagent systems, as relationships amongst strategic actors.
Moreover, secure Tropos [13] has been proposed to deal with the modelling and
reasoning of security requirements and their transformation to a design that satisfies
them (see the next section for more information). Secure Tropos has been
complemented by works in the areas of security attack scenarios [14] and a security
patterns language [15].
Another direction is based on the extension of use cases and the Unified Modelling
Language (UML). Initial work by McDermott and Fox [16] adapts use cases, which are
called abuse cases, to capture and analyse security requirements. An abuse case is
defined as a specification of a type of complete interaction between a system and one
or more actors, where the results of the interaction are harmful to the system, one of the
actors, or one of the stakeholders of the system. Similarly, Sindre and Opdahl [17]
define the concept of misuse case, the inverse of use case, which describes a function
that the system should not allow. They also define the concept of mis-actor as someone
who intentionally or accidentally initiates a misuse case and to whom the system
should not give support. Alexander [18] adds Threatens, Mitigates, Aggravates links to
the use case diagram, while Jürjens proposes UMLsec [19], an extension of the
Unified Modelling Language (UML), to include the modelling of security related
features, such as confidentiality and access control. Lodderstedt et al. [20] also extend
UML to model security. In their approach, security is considered by analysing security
related misuse cases.
A significant limitation of the use-case/UML related approaches is that, although
they treat security in system-oriented terms, modelling and analysis of security
requirements at a social level are still lacking. In other words, they lack models that
focus on high-level security requirements, meaning models that do not force the
designer to immediately go down to security requirements.
On the other hand, a large amount of work has been devoted to security policies
and the definition of security models. Various models have been proposed based on
mandatory access control (MAC), discretionary access control (DAC) and role-based
access control (RBAC). One of the first models was the Bell & LaPadula multilevel
security model [21]. Another well known model is the Chinese Wall model [22],
according to which data is organised into three different levels.
The definition of security ontology is also an important area of research within the
security engineering community. Initial efforts to define a widely accepted security
ontology resulted in what is known as the Orange Book (US Department of Defense
Standard DOD 5200.58-STD). However, work towards this standard started in the late
1960s and was concluded by the late 1970s. Therefore, important issues raised by the
introduction of the Internet and the use of information systems in almost every aspect
of our lives have not been incorporated into the standard. More recently, Kagal et al. [23]
have developed an ontology, expressed in DAML+OIL, to represent security
information, trust and policies in multiagent systems, whereas Undercoffer and
Pinkston [24], after analysing over 4000 computer vulnerabilities and the
corresponding attack strategies employed to exploit them, have produced an ontology
for specifying a model of computer attacks. Bimrah et al. [25] have defined an
ontology to support trust modelling and have discussed how security is affected by
trust.
A number of works have been initiated in industrial environments. CLASP [26] is
an application security process that supports the consideration of security issues during
the software development lifecycle. CLASP introduces a number of activities that can
be integrated into a software development process to support security along with
indications on who (from a development team) is responsible for each of these
activities. The Microsoft Security Development Lifecycle (MS SDL) [27] aims to
reduce security vulnerabilities. SDL consists of best practices and tools that have been
successfully used to develop recent Microsoft products. The approach includes a
number of stages, such as education and awareness, project inception, cost analysis and
so on.
All of the works presented in this section have aided in increasing a general
understanding of the problem of developing secure software systems, and they have
provided some support towards a move in this direction. However, most of the existing
work primarily focuses on the technological aspects of security, and, in general, it
ignores the social dimension of security. It is important that security be considered
within the social context and any social issues, such as trust and the involvement of
humans, be taken into account [28]. In the next section, we briefly describe secure
Tropos, a methodology that considers the technical as well as social aspects of security
when developing a software system.
2. Secure Tropos
dependencies are used in situations where the dependee is required to perform a given
activity. Resource dependencies require the dependee to provide a resource to the
depender. By depending on the dependee for the dependum, the depender is able to
achieve goals that it is otherwise unable to achieve independently, or not as easily or as
well. However, the depender becomes vulnerable, because if the dependee fails to
deliver the dependum, the depender is affected in their aim of reaching their goals.
A capability [33] represents the ability of an actor to define, choose and execute a
task for the fulfilment of a goal, given certain world conditions and in the presence of a
specific event.
A security constraint [13] is defined as a restriction related to security issues,
such as privacy, integrity and availability, which can influence the analysis and design
of a software system under development by restricting some alternative design
solutions, by conflicting with some of the requirements of the system, or by refining
some of the system’s objectives. Security constraints, captured through a specialisation
of constraint, do not represent specific security protocol restrictions, which should not
be specified until the implementation of the system. However, they do contribute to a
higher level of abstraction, which allows for a generalised design that is free of models
biased toward particular implementation languages.
A secure dependency [13] introduces security constraint(s) that must be fulfilled
for a certain dependency to be satisfied. Both the depender and the dependee must
agree to the security constraint in order for the secure dependency to be valid. That
means the depender expects that the dependee will satisfy the security constraint(s) and
also that the dependee will make an effort to deliver the dependum by satisfying the
same security constraint(s). Secure Tropos defines three different types of secure
dependency. In a depender secure dependency, the depender depends on the dependee
and the depender introduces security constraint(s) for the dependency. In a dependee
secure dependency, the depender depends on the dependee and the dependee introduces
security constraint(s) for the dependency. In a double secure dependency, the depender
depends on the dependee and both the depender and the dependee introduce security
constraints for the dependency. Both must satisfy the security constraints introduced for
the secure dependency to be achieved.
The term secure entity [13] is used in Secure Tropos to represent a secure goal, a
secure task or a secure resource.
A secure goal [13] represents the strategic interests of an actor with respect to
security. Secure goals are mainly introduced in order to achieve possible security
constraints that are imposed on an actor or that otherwise exist in the system. However,
a secure goal does not specifically define how the security constraints can be achieved,
since alternatives can also be considered. The precise definition of how the secure goal
can be achieved is given by a secure task.
A secure plan [13] is defined as a plan that represents a particular way of
satisfying a secure goal.
A secure resource [13] can be defined as an informational entity that is related to
the security of the software system.
A secure capability [13] represents the ability of an actor/agent to achieve a secure
goal, carry out a secure task, and/or deliver a secure resource.
To support the analysis of security requirements using the concepts defined above,
secure Tropos defines a number of models. Detailed information regarding these
models is outside the aim of this paper. However, to facilitate a better understanding of
the methodology, we briefly describe one of the methodology’s models, the security
enhanced actor model. Readers interested in obtaining information for the other models
of the methodology may refer to references [29] [30]. The security-enhanced actor
model models any secure dependencies and the appropriate security constraints
imposed on the network of actors. The meta-model for the security enhanced actor
model is shown in Figure 1.
The secure Tropos process supports three main aims when considering security
issues throughout the development stages of a software system: (i) identify the security
requirements of the system; (ii) develop a design that meets the specified security
requirements; and (iii) validate the developed system with respect to security.
The first step of the methodology’s process aims to identify the security
requirements of the system. Security requirements are identified by employing
modelling processes such as security constraints, secure entities and secure capabilities
modelling. In particular, the security constraints imposed on the system and the
stakeholders are identified and secure entities, which guarantee the satisfaction of the
identified security constraints, are imposed on the actors of the system.
The second step in the process consists of identifying a design that satisfies the
security requirements of the system, as well as its functional requirements. To achieve
this, sub-components of the system are identified and then secure capabilities that
guarantee the satisfaction of the security entities identified during the previous step are
allocated to these sub-components. It ought to be noted that, in this stage, different
architectural styles might be used to satisfy the functional requirements of the system.
However, there should be an evaluation of how each of these architectural styles
satisfies the security requirements of the system.
The third step of the process is the validation of the developed solution. The
Secure Tropos process allows for two types of validation: model validation and
design validation. The model validation involves validating the developed models (for
example, the security enhanced actor model or the security enhanced goal model) with
the aid of a set of validation rules [13]. It is worth mentioning that the validation rules
are divided into two different categories, the inner model rules and the outer model
rules. The first allow for the validation of each model individually, whereas the second
allow for the consistency between the different developed models to be validated. The
inner model rules allow developers to validate the relationships between the
components of the different security-related models, such as the relationship between
the security features and the threats in the security reference diagram; to validate the
consistency between the same components that appear in more than one model, such as
a security constraint that appears in the actors’ model, as well as in the goal model; and
to validate the consistency when the delegation of components between actors takes
place.
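The three kinds of secure dependency defined earlier and the validation rules just described can be mechanised. The following Python is an added illustration, not code from the paper or the methodology's own tooling: it encodes depender, dependee, dependum and security constraints, classifies a dependency as depender, dependee or double, and runs three checks (each secure dependency is agreed by both parties; constraints in the actor model match secure goals in the goal model; constraints travel with a dependum that is delegated onwards). The care scenario, the actor names and the exact form of each rule, including the assumption that a constraint introduced by one side restricts the other side, are my own.

```python
from dataclasses import dataclass
from enum import Enum


class DependencyType(Enum):
    PLAIN = "dependency without security constraints"
    DEPENDER = "depender secure dependency"  # constraints introduced by the depender
    DEPENDEE = "dependee secure dependency"  # constraints introduced by the dependee
    DOUBLE = "double secure dependency"      # both sides introduce constraints


@dataclass(frozen=True)
class SecurityConstraint:
    name: str           # the restriction, e.g. "keep personal data private"
    introduced_by: str  # actor that imposes it on the dependency


@dataclass(frozen=True)
class SecureDependency:
    depender: str                       # actor that needs the dependum
    dependee: str                       # actor expected to deliver it
    dependum: str                       # goal, task or resource depended upon
    constraints: tuple = ()             # SecurityConstraint instances
    agreed_by: frozenset = frozenset()  # actors that accepted the constraints

    def classify(self) -> DependencyType:
        """Name the dependency type from which side introduced constraints."""
        sides = {c.introduced_by for c in self.constraints}
        if not sides:
            return DependencyType.PLAIN
        if not sides <= {self.depender, self.dependee}:
            raise ValueError(f"constraint introduced by an outside actor: {sides}")
        if sides == {self.depender, self.dependee}:
            return DependencyType.DOUBLE
        return DependencyType.DEPENDER if sides == {self.depender} else DependencyType.DEPENDEE

    def is_valid(self) -> bool:
        """A secure dependency is valid only if both parties agree to its constraints."""
        return not self.constraints or {self.depender, self.dependee} <= self.agreed_by


@dataclass(frozen=True)
class SecureGoal:
    actor: str      # actor holding the goal
    name: str
    satisfies: str  # name of the security constraint the goal was introduced for


def check_actor_model(deps) -> list:
    """Single-model rule: every secure dependency in the actor model must be valid."""
    return [f"{d.depender}->{d.dependee} ({d.dependum}): constraints not agreed by both"
            for d in deps if not d.is_valid()]


def check_actor_goal_consistency(deps, goals) -> list:
    """Cross-model rule: each constraint restricting an actor needs a secure goal of that
    actor in the goal model, and each secure goal must satisfy an existing constraint."""
    required = set()
    for d in deps:
        for c in d.constraints:
            # Assumption: a constraint introduced by one side restricts the other side.
            restricted = d.dependee if c.introduced_by == d.depender else d.depender
            required.add((restricted, c.name))
    problems = [f"{actor} has no secure goal satisfying '{name}'" for actor, name
                in sorted(required - {(g.actor, g.satisfies) for g in goals})]
    known = {name for _, name in required}
    problems += [f"secure goal '{g.name}' of {g.actor} satisfies unknown constraint "
                 f"'{g.satisfies}'" for g in goals if g.satisfies not in known]
    return problems


def check_delegation(deps) -> list:
    """Delegation rule: a depender's constraints must travel with a dependum passed on."""
    problems = []
    for d1 in deps:
        imposed = {c.name for c in d1.constraints if c.introduced_by == d1.depender}
        for d2 in deps:
            if d2.depender == d1.dependee and d2.dependum == d1.dependum:
                missing = imposed - {c.name for c in d2.constraints}
                problems += [f"{d1.dependee} delegates '{d1.dependum}' to {d2.dependee} "
                             f"without constraint '{name}'" for name in sorted(missing)]
    return problems


def build_example_models():
    """Constructed sample (not from the paper): a small care-management scenario."""
    privacy = SecurityConstraint("keep personal data private", "Patient")
    accuracy = SecurityConstraint("provide accurate health information", "Nurse")
    care_plan = SecureDependency("Patient", "Nurse", "care plan", (privacy, accuracy),
                                 frozenset({"Patient", "Nurse"}))
    delegated = SecureDependency("Nurse", "Records System", "care plan",
                                 (SecurityConstraint("log every access", "Nurse"),),
                                 frozenset({"Nurse", "Records System"}))  # privacy dropped
    unagreed = SecureDependency("Patient", "Social Worker", "benefit assessment",
                                (SecurityConstraint("disclose only to the patient", "Patient"),),
                                frozenset({"Patient"}))  # dependee has not agreed -> invalid
    goals = (SecureGoal("Nurse", "ensure privacy of patient data", "keep personal data private"),
             SecureGoal("Records System", "record access events", "log every access"),
             SecureGoal("Nurse", "verify staff credentials", "authenticate staff"))  # dangling
    return (care_plan, delegated, unagreed), goals
```

Running the three checks over `build_example_models()` flags the unagreed dependency, the two actors lacking a secure goal plus the dangling goal, and the privacy constraint lost in the delegation to the records system.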
The aim of the design validation is to check the developed solution against the
security policy of the system. A key feature of Secure Tropos that allows us to perform
such a validation is the fact that the same secure concepts are used throughout the
development stages. Moreover, the definition of these concepts allows us to provide a
direct mapping between them, and therefore to be able to validate whether the proposed
security solution satisfies the security policy.
It is of interest to note that the secure Tropos methodology has been employed in a
number of case studies [13] [29] [30] with positive results.
3.1. Motivation
There are various reasons that motivate the establishment of a discipline on Secure
Software Engineering. In this section we identify and discuss four important reasons,
and we explain how these affect the development of secure software systems by
presenting real-life scenarios.
Independent solutions: Securing information systems raises a set of intertwined
issues in the relevant areas of research, such as security engineering and software
systems engineering. However, the research communities of these two areas of research
(and in fact the research communities from most of the areas involved) traditionally
work independently. On one hand, software systems engineering techniques and
methodologies do not consider security as an important issue, although they have
integrated concepts, such as reliability and performance, and they usually fail to
provide precise enough semantics to support the analysis and design of security
requirements and properties [10] [13]. On the other hand, security engineering research
has mainly produced formal and theoretical methods, which are difficult to understand
by non security experts and which, apart from security, only consider limited aspects of
the system.
Sharing of knowledge: As discussed in the previous section, a number of efforts
have been reported in the literature towards developing security mechanisms, and
methods, but these usually look at the problem from specific views and only for
specific purposes. This is primarily due to the fact that software systems and security
engineering communities mainly work separately. This separation not only creates a
void in the proposed solutions, but it also results in restricted sharing of existing
knowledge. Different research events organised by the two communities, different
research publications, and so on are rarely informed of what occurs in the forums of the
other. Even widely used textbooks mostly concentrate on one part of the problem,
either technical security issues or software engineering techniques, and, when they do
address both, they contain only very limited information about the integration of
security and software systems engineering principles. The problem is worse when looking at the
integration of such work with other areas of research, such as social phenomena,
cognitive theories etc.
Custom solutions: In many cases, the inclusion of security in a system is driven
by existing custom technical solutions (e.g. security mechanisms) rather than the
system’s real security requirements. Basing the development of the security of a system
on specific security mechanisms, as opposed to the security requirements, prevents
different and sometimes better solutions from being considered and chosen to satisfy
the security requirements. As reported by Firesmith [34], requirements engineers do not
usually receive appropriate training in generating, analysing and specifying security
requirements. As a result, they often confuse them with security mechanisms, which are
used to fulfil the security requirements. Therefore, the engineers end up defining
architectures and constraints rather than true security requirements [34]. For instance,
imagine a system that requires identification and authentication. If the development of
the system is based on some specific solutions to these requirements, such as username
and password, then other solutions might be ignored, such as biometric identification
and authentication, which in some cases could better fulfil the initial security
requirements. Therefore, it is important that development be driven only by the security
requirements, as it happens with functional requirements, and not by the well-known
security solutions.
Lack of appropriate education: Professional training courses and university
curriculum should help towards solving the aforementioned problem. However,
unfortunately, they propagate it. Software engineering and security engineering
training, as well as curriculum development in universities adhere to the separation of
the two main research areas and also isolate students from other non-technical areas.
McDermott [16] argues that not all information systems practitioners are security
specialists, nor do they fully understand mathematical security models. Moreover,
studies related to human behaviour and so on are never covered. This means that
software systems engineers are not well educated regarding the security issues that they
might be faced with during the development of software systems, and security
engineers are mostly not familiar with current practices and issues surrounding
software systems engineering. Furthermore, both understand very little about the aspects
of human behaviour and, therefore, have only a limited understanding of potential
social issues that might affect the security of a system.
3.2. Foundations
based on related information systems and/or security engineering principles, the point
is that current approaches do not follow them.
Conclusion
This paper argues that a security focus must be introduced throughout the entire software
development process in order to support the development of the next generation of
secure software systems. Such an effort should bring together the experience and
techniques from various current disciplines, such as the software engineering,
security engineering and social studies disciplines, in a coherent and organised way. We
have also argued that security is not just a technical issue, and we have explained how the
consideration of security issues from the early stages of the development process leads
to the development of more secure software systems. The secure Tropos methodology
is briefly described and an attempt is made to define the foundations for a discipline for
secure software engineering. However, this is not a definitive attempt; the paper
aims to motivate a large-scale effort towards the development of the discipline, which
will hopefully result in a more complete and detailed definition of the proposed
discipline.
References
[1] Saltzer, J., Schroeder, M.D., (1975). The Protection of information in computer systems, In the
Proceedings of the IEEE 63 (9), pp.1278-1308, September 1975.
[2] Chung, L., and Nixon, B., (1995) Dealing with Non-Functional Requirements: Three Experimental
Studies of a Process-Oriented Approach. In Proceedings of the 17th International Conference on
Software Engineering, Seattle- USA.
[3] Schneier, B., (2000). Secrets & Lies: Digital Security in a Networked World, John Wiley & Sons
[4] McGraw, G., Viega, J., (2001), Building Secure Software: How to Avoid Security Problems the Right
Way. Addison-Wesley.
[5] Anton, A.I., Earp, J.B., (2004) A requirements taxonomy for reducing web site privacy vulnerabilities,
Requirements Engineering, 9(3):169-185, 2004.
[6] Schumacher, M., Roedig, U., (2001). Security Engineering with Patterns, in the Proceedings of the 8th
Conference on Pattern Languages for Programs (PLoP), Illinois – USA
[7] Fernandez, E.B. (2004) A methodology for secure software design, Proceedings of the 2004
International Conference on Software Engineering Research and Practice (SERP'04), Las Vegas, NV,
June 21-24, 2004.
[8] Van Lamsweerde, A., Letier, E., (2000). Handling Obstacles in Goal-Oriented Requirements
Engineering, Transactions of Software Engineering, 26 (10): 978-1005
[9] Van Lamsweerde, A., (2004). Elaborating Security Requirements by Construction of Intentional Anti-
Models, Proceedings of the 26th International Conference on Software Engineering, Edinburgh, May,
ACM-IEEE, pp. 148-157
[10] Crook, R., Ince, D., Nuseibeh, B. (2003). Modelling Access Policies Using Roles in Requirements
Engineering, Information and Software Technology. 45(14):979-991, Elsevier
[11] Lin, L.C., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J., (2003). Analysing Security Threats and
Vulnerabilities Using Abuse Frames, Technical Report 2003/10, The Open University
[12] Liu, L., Yu, E., Mylopoulos, J., (2003). Security and Privacy Requirements Analysis within a Social
Setting, In Proceedings of the 11th International Requirements Engineering Conference, pp. 151-161,
IEEE Press.
[13] Mouratidis, H. (2004). A security oriented approach in the development of multiagent systems: applied
to the management of the health and social care needs of older people in England, PhD thesis,
University of Sheffield.
[14] Mouratidis, H., Giorgini, P., Manson, G., (2004b). Using Security Attack Scenarios to Analyse Security
During Information Systems Design, in the Proceedings of the International Conference on Enterprise
Information Systems (ICEIS 2004), pp. 10-17, April, Porto, Portugal
[15] Mouratidis, H., Weiss, M., Giorgini, P., (2005c). Security patterns meet agent oriented software
engineering: a complementary solution for developing security information systems, Proceedings of the
24th International Conference on Conceptual Modelling (ER), Lecture Notes in Computer Science 3716,
pp. 225-240, Springer-Verlag.
[16] McDermott, J., Fox, C., (1999). Using Abuse Case Models for Security Requirements Analysis,
Proceedings of the 15th Annual Computer Security Applications Conference.
[17] Sindre, G., Opdahl, A.L., (2005). Eliciting security requirements with misuse cases, Requirements
Engineering, 10(1):34-44
[18] Alexander, I. (2003). Misuse Cases: Use cases with hostile intent. IEEE Software, 20, 58-66.
[19] Jürjens, J., (2004). Secure System Development with UML. Springer-Verlag.
[20] Lodderstedt, T., Basin, D., Doser, J., (2002). SecureUML: A UML-Based Modelling Language for
Model-Driven Security, in Proceedings of the UML’02, LNCS 2460, pp. 426-441, Springer-Verlag.
[21] Bell, D. E., LaPadula, L. J., (1976) Secure Computer Systems: Mathematical Foundations and Model.
The Mitre Corporation
[22] Brewer, D.F.C., Nash, M.J. (1989), The Chinese Wall Security Policy, Proceedings of the IEEE
Symposium on Research in Security and Privacy, pp. 206-214, 1-3 May 1989, Oakland,
California.
[23] Kagal, L., Finin, T., (2005). Modeling Conversation Policies using Permissions and Obligations, in
Developments in Agent Communication, Frank Dignum, Rogier van Eijk, Marc-Philippe Huget (Eds),
(Post-proceedings of the AAMAS Workshop on Agent Communication, Springer-Verlag, LNCS),
January, 2005.
[24] Undercoffer, J., Pinkston, J., (2002). Modelling Computer Attacks: A target-centric ontology for
intrusion-detection, proceedings of the CADIP research symposium, available at: http://www.cs.umbc.edu/cadip/2002Symposium/
[25] Bimrah, K. K., Mouratidis, H., Preston, D. (2007) Trust Ontology for Information Systems
Development, Proceedings of the 16th International Conference on Information Systems Development
(ISD2007), Galway – Ireland.
[26] CLASP Project (2008), http://www.owasp.org/index.php/Category:OWASP_CLASP_Project, [Last
Accessed October 2008]
[27] Lipner, S. (2004), The Trustworthy Computing Security Development Lifecycle, In Proc. of the 20th
Annual Computer Security Applications Conference (ACSAC ‘04), CA, USA, 2004, IEEE CS Press,
pp. 2-13.
[28] Mouratidis, H., Giorgini, P. (2006). Integrating Security and Software Engineering: Advances and
Future Vision, IDEA Group Publishing, ISBN 1-59904-148-0.
[29] Mouratidis, H., Giorgini P., Manson, G., (2005). When Security meets Software Engineering: A case of
modelling secure information systems, Information Systems, Vol. 30, Issue 8, pp. 609-629, Elsevier.
[30] Mouratidis, H., Giorgini P., (2007), Secure Tropos: A Security-Oriented Extension of the Tropos
methodology, International Journal of Software Engineering and Knowledge Engineering (IJSEKE)
17(2) pp. 285-309, World Scientific.
[31] Yu, E., Modelling Strategic Relationships for Process Reengineering, Ph.D. Thesis. Dept. of Computer
Science, University of Toronto. 1995
[32] Matulevicius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon N., (2008) Adapting
Secure Tropos for Security Risk Management during Early Phases of the Information Systems
Development, Proceedings 20th International Conference on Advanced Information Systems
Engineering (CAiSE’08), Montpellier, France
[33] Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perin, A., (2004). TROPOS: An Agent-
Oriented Software Development Methodology, Journal of Autonomous Agents and Multi-Agent
Systems. Kluwer Academic Publishers Volume 8, Issue 3, Pages 203 - 236.
[34] Firesmith D.G., (2003). Engineering security requirements, Journal of Object Technology, Vol 2., No. 1,
ETH Swiss Federal Institute of Technology
[35] Liles, D.H., Johnson, M.E., Meade, L.M., Underdown, D.R., (1995), Enterprise Engineering: A
discipline?, Proceedings of the Society for Enterprise Engineering Conference, June.
Section 1.2
Current Methods Applied to Security
Modelling Cyber Security: Approaches, Methodology, Strategies 43
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-43
1I have obtained these definitions by making a comparative analysis of the following texts: Dizionario della
Lingua Italiana “Devoto-Oli”, ed. 2008, Dizionario della Lingua Italiana “Il Gabrielli”, Ed 1999, The Oxford
English Dictionary, Ed. 2000, Simon Singh, “Codici e segreti”, Bur Saggi, Milano 1999 [1], [2], [3], [4]
44 S. Lisi / A Fuzzy Approach to Security Codes
obtain secret written or visual/jargon codes with the aim of protecting confidential
information.
Following the aforementioned definition, we can turn our attention to the
coexistence of two different approaches commonly used to protect information. The
first emphasises the importance of technology, supporting mathematical theories such
as the theory of prime numbers (Fermat’s theorem or quantum theory, which also
involves physics) [5] [6]. The second approach emphasises cultural, allegorical, and
non-conventional human perception, and involves technical and linguistic
steganography [4]. In several works, two macro-classes of techniques are presented, i.e.
those developed from, and based on, mathematics and physics and those developed
using approaches linked to human perception. In both macro-classes, the techniques are
gradually reaching their maximum level of innovation in comparison to their usability.
On one hand, the most important steps in the evolution of the first class of
techniques are as follows2:
• Vigenère’s polyalphabetic code (26 alphabets)
• Enigma during the Second World War
• Asymmetric key codes developed during the 1970s
• The theory of prime numbers (Fermat’s theorem), which has been increasingly
used in innovative applications for security.
These steps can be considered to be milestones or turning points in encryption systems
[7]. Probably, the third step (with Diffie-Hellman) can be considered the most
important when speaking of the marginal productivity of an encryption system. Today,
the theory of prime numbers (Fermat’s theorem) has been increasingly used in
innovative applications for security. According to various physicists3, the next turning
point will be the application of quantum cryptography. This is quite probable, given
that the studies on the issue are on-going and, with them, their usage and derived
applications. But, for the moment, quantum cryptography is still too expensive to be
considered as a mass solution device.
On the other hand, we can see how steganography [4] has maintained the same
principles it has always had; its aim is to hide the message through the application of
either visual devices or jargon codes, blanks, grids and so on. The point is that, today,
several technological devices are now involved in such a process. Digital imaging,
watermarking, blanks and so on need technology to be developed further. For this
reason, the present situation can be described as follows:
2 This refers to the modern and contemporary era. Several other important steps were introduced and used in
ancient times (e.g. Caesar Cipher, the so-called “Lakedaimon Scytale”) [4]
3 The interest rose in the 1980s, with Bennett & Brassard’s theories, and was developed through Ekert’s
study on entangled photons. Today, entanglement is the key-word for quantum theories [8]
S. Lisi / A Fuzzy Approach to Security Codes 45
4 For example, the usage of shahada (death for faith, martyrdom) in a Western Post-heroic Era.
This is an encrypted message itself and usually doesn’t need any other additional code/encryption.
6 From a discussion on languages and complexity with Prof. Dr. F.T. Arecchi, University of Florence.
7 An example of a hermeneutic circle (meant as a limited perspective view) is Euclid’s theory regarding
the sameness of triangles: if two triangles can be overlapped so that they coincide, then they are equal to each
other. The movement should be a rigid movement (i.e. moving polygons without altering their shapes). This
is true, but it is a limited concept, since it just involves the mere shape of a polygon.
8 Fuzzy logic is a type of logic that comprehends more than the classical two “truth values” (true or false).
Therefore, it is considered to be a multi-valued rather than a classical two-valued logic and is generally used
to handle situations that are approximate rather than specific. An example of its use is highlighted by an
experiment that is being conducted in Japan, where human rail conductors have been replaced with robots
that are able, through the use of applied fuzzy logic, to conduct trains on determined tracks.
9 E.g. Hiragana and Katakana alphabets in the Japanese language: the first is made of ideograms, the second is
a syllabic alphabet, which expresses sounds.
10 This factor is recognised in all theories and has been quite often studied.
11 As also shown in a personal experiment at the INOA (Istituto Nazionale di Ottica Applicata – National
Institute of Applied Optics, University of Florence). A CO2 laser sends the same message translated into several
languages. The higher the entropy level, the longer it takes to receive the message.
12 Patrice Pognan teaches at the Institute of Formal and Applied Linguistics, Faculty of Mathematics and
Physics, Prague and at the INALCO, Paris. He has also been a professor of Military Strategy in France. His
contribution to the subject at the 2007 Flairs Conference, Key West, Florida, USA is notable. Another
important work of his is “Analyse morphosyntaxique automatique du discours scientifique tchèque” [10]
13 This is a sequence built on autograph blue ink calligrams inspired by a famous picture, also included in
“L’alfabeto Arabo (Arabic alphabet)”, Gabriele Mandel, Ed. Mondadori. The illustration above is just a
harmless example, but it explains the situation very well, since it demonstrates how allegories can be used as
real codes when the system of reference is different.
(God’s) lover launches an arrow towards a lion (passion). The lion avoids the
arrow, which strikes the eye of the beloved person (the one who should understand
religious message) [11].
This is just an artistic example (comic strip) of the great power and degree of
complexity allegories can have. We will have a very difficult task ahead of us in this
post-Wassenaar Arrangement era14. For a true comprehension of cryptographic matters,
14 The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and
Technologies, of 1996, replaced the Coordinating Committee for Multilateral Export Controls (COCOM). It
was a turning point since it included cryptography and other similar devices in the number of dual-use
devices that were subject to export controls. It was also combined with several privacy laws.
As we can see, through Fibonacci’s theories (look at the pentagon) and other non-
computational associations, the human brain is capable of elaborating highly complex
messages, which can only be fully understood thanks to human operators, as shown in
this last figure below, which summarises the major points made in Pognan’s studies on
language comprehension [9].
15 Dual-use devices are goods or technologies that can be used both for common (daily life) purposes and for
strategic or military purposes, and therefore for either peaceful or military aims.
References 16
[1] Dizionario della Lingua Italiana “Devoto-Oli”, Mondadori – Dizionari e Grammatiche, ed. 2008
[2] Dizionario della Lingua Italiana “Il Gabrielli”, Gruppo Editoriale Mondadori Ed 1989
[3] The Oxford English Dictionary, Oxford University Press, Ed. 2000
[4] Simon Singh, “Codici e segreti”, Bur Saggi, Milano 1999
[5] A.D.Aczel, “L’enigma di Fermat”, Net, Trento, 2003
[6] Moro, Giovanni. “Il codice dei numeri interi: l’ultimo teorema di Fermat”. Rivista Marittima, 1986.
[7] Fondazione Ugo Bordoni, “Crittografia - pubblicazioni”, 1992
[8] A.D.Aczel, “Entanglement, il più grande mistero della fisica”, Rizzoli, Bergamo 2004
[9] Bart Kosko, “Il fuzzy-pensiero. Teoria e applicazioni della logica fuzzy”, Baldini e Castoldi , Milano
2002
[10] Patrice Pognan, “Analyse morphosyntaxique automatique du discours scientifique tchèque”, Dunod,
Association Jean-Favard pour le développement de la linguistique quantitative, Paris 1975
[11] Gabriele Mandel Khân, “L’alfabeto arabo”, Mondadori, Milano 2000
[12] Scientific American: January 2005 "Best kept secrets" by Gary Stix (pp.65-69); October 1980 "The
Causes of Color" by Kurt Nassau (pp.106-123); October 1977 "Fundamental Particles with Charm" by
Roy F. Schwitters, "The Solution of the Four-color-map Problem" by Kenneth Appel and Wolfgang
Haken, "Hallucinations" by Ronald K. Siegel (pp. 56-70, 108-121, 132-140); October 1976 "White-
light Holograms" by Emmett N. Leith (pp.80-95); April 1976 "Subjective Contours" by Gaetano
Kanizsa (pp.48-52); June 1975 "Electron-Positron Annihilation and the New Particles" by Sidney
D.Dell and "Visual Motion Perception" by Gunnar Johansson (pp. 50-62, 76-88), http://
dericbownds.net/ last visited July 2009 – Scientific American Partner Network
[13] Nicholas Falletta, “Il libro dei paradossi. Una raccolta di rompicapi avvincenti e figure impossibili”,
Longanesi & c., Milano 2002
16 References [14] to [30] are those sources which were used as general references throughout this paper,
which is an elaboration of the arguments presented by these on “cryptography”.
[14] Paul Forman, “Fisici a Weimar. La cultura di Weimar, la causalità e la teoria dei quanti.” A cura di Tito
Tonietti, CRT (PT) 2002
[15] Igor Shparlinski, “Number Theoretic Methods in Cryptology. Complexity lower bounds”. Birkhäuser,
Boston, Basel, Berlin 1999
[16] Paolo Facchi, Saverio Pascazio, “La regola d’oro di fermi”, Bibliopolis Trecase (NA) 1949
[17] C.J. Snijders, “La sezione aurea. Arte, natura, architettura e musica”, Muzzio Scienza PD 2000,
translated from “De Gulden Snede”, 1969 Driehoek, Amsterdam
[18] Fritjof Capra, “Il tao della fisica”, Gli Adelphi N/1989 ried. 1999
[19] Fondazione Ugo Bordoni, “Primo simposio nazionale su stato e prospettive della ricerca crittografica in
Italia - ATTI”, Roma 30-31 ottobre 1987
[20] A.D.Aczel, “L’equazione di Dio”, Net Trento 2003
[21] Ludwig von Bertalanffy, “Teoria generale dei sistemi. Fondamenti, sviluppo, applicazioni”, Oscar
Saggi, Milano 2004
[22] Vito A. Martini, “Grammatica araba”, Istituto Editoriale Cisalpino-Goliardica, Milano 1976
[23] Ghani Alani, “Calligraphie arabe”, Éditions Fleurus, Paris 2001
[24] Len Walsh, “Read Japanese today”, Tuttle, Rutland, Vermont & Tokyo, Japan 1969, new ed. 1999
[25] Wolfgang Hadamitzky, Mark Spahn “Kanji & Kana, a handbook of the Japanese writing system”,Tuttle
Language Library, Rutland, Vermont & Tokyo, 1999
[26] Lawrence Washington “Elliptic Curves: Number Theory and Cryptography”, Chapman & Hall/CRC
2003
[27] Jonathan Katz and Yehuda Lindell, “Introduction to Modern Cryptography”, CRC Press 2007
[28] John R. Pierce, “Elettronica quantistica. Transistor, maser, laser”. BMS Zanichelli 1968
[29] http://www.epfl.ch/, last visited 01/2009
[30] http://www.lci.det.unifi.it, last visited 10/11/2008
[31] http://www.peds.ufl.edu, last visited July 2009
52 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-52
Abstract. In this paper we will consider Evolutionary Information Theory, and pay
specific attention to the application of prime numbers to cyber security and
cryptography. Indeed, we will demonstrate that the sequence of prime numbers is
deterministic, and not stochastic, as we have believed for several centuries. This
implies that much attention must be directed toward the new scenario that has been
formed of cryptosystems, encryption and ciphering in order to prevent cyber
attacks and protect Critical Network Infrastructures.
1. Introduction
Behind the new cyber warfare threats it is possible to find computer evolutionism and
the genetics of prime numbers. The former will bring the International Community to
face these threats at a systemic level, whereas the virtual and physical spaces will no
longer be uncoupled, as they are today, and it will be possible to control wireless
instruments through a notebook or an organiser from a distance of thousands of
kilometres.
To know more about this topic, it is useful to trace the history of the Information
Era using a key-word for each epochal change: i) use; ii) interaction; iii)
communication, iv) immersion; v) immersive shared reality; vi) control. In Information
Technology, the term “use” indicates the birth of that very same technology. In other
words, the computer replaces all the operations of office automation, hence providing a
single integrated mean which can easily and rapidly offer all one needs for the daily
activities of any given structure, be it a basic family structure or a complex structure
typical of governments and large companies.
Over the years, the use of the computer and Internet has been refined to offer the
user newer ways with which to improve interaction. This means that it is now possible
to solve the problem which emerged in the 1980s, when technologies reached one of
their limits, that of running the risk of being boring. Although people continue to
experiment new and more engaging forms of interaction with the computer, their
primary need to communicate with other people and share data, information, strategies
and goals persists. In fact, the 1990s saw the spread of technologies that were linked to
communication, the internet and the web. In the last decade of the 1900s, virtual reality
left its technological incubator and those research environments that aimed at
providing different instruments for the most various fields, from Defence to medicine,
transportation, entertainment, etc.
Now what can we say about the present? It is clear that immersive information
technologies, such as virtual reality, and communication technologies, namely the web,
G. Iovane / Cryptography and Security 53
are merging into each other to create new ICT forms. Indeed, in this field of research it
is already possible to see new forms of organisation that no longer use the NET (such
as InterNET and others) but rather use a new form or GRID, as do the so-called VO
(Virtual Organisation) and VN (Virtual Network). The GRIDS represent the next step
in net technology. This is because in the web you not only find information, but also
services (the so-called web-services). The web is no longer simply a web of computers
and their peripherals, but it is now comprised of meshes of electronic devices such as
the electronic equipment in a lab; an oscilloscope; the washing machine; the video
camera that monitors your sleeping child; and the rain sensor that activates the rolling
shutters of your porch where the laundry has been hung out to dry.
If this is what is happening now, in the present, what must we control in the near
future to make better use of these instruments? What might we predict about the remote
future? After the phase of ‘shared immersive reality’, we will enter into an era of
control of IT and our new technologies. In other words, what we now call virtual reality
and what we know to be our physical reality will merge and become one single action
field; it must not come as a surprise that our children will be able to command their IT
teacher’s ABS car from a distance, using remote wireless RFID (Radio Frequency
Identification) technologies directly from their organiser in order to take revenge for a
bad mark. But what would happen in the event that this technology was not used for
pseudo-recreational goals, such as was illustrated in the example above, but rather for
actions in contrast or reaction to governments that have not provided what has been
requested? It is clear that these types of terrorist actions would be completely out of
control. As a result, it is necessary that we study and analyse the limits of the control
theory in order to guarantee its intrinsic security on a global level, that is, on a
systematic level.
The genetics of primality, on the other hand, is able to reveal a potential and
intrinsic weakness of the security systems with which most of the technological
equipment for coding and preserving information has been built over the last few
decades. More specifically, it has been discovered that the sequence of prime numbers
is not random. Even the total knowledge of the structure of prime numbers has led us
to meaningful questions regarding the weakness of the generation of numerical security
keys, which are based on prime numbers.
At this point it is possible to make an analogy. In the near future, we will need to
use new forms of prevention to contrast a cyber terrorism that is as linked to current
forms of cyber terrorism as much as 15th century artists were associated with the great art
of Leonardo Da Vinci, the former being amateurs and inaccurate, the latter being the
symbol of perfection and geniality able to combine art and science in works that have
no equal in human history.
It is necessary that we respond to the evolution that is taking place within the field
of cybertechnology, and it is particularly necessary that we address issues of cyber
terrorism and the forms it will take in the near future. For this to be effective, the
reaction must be synergic. In other words, it must not be the result of isolated scientific,
technological, political or social solutions, but rather it ought to be part of a texture
which manifests its complexity through a perfection and harmony that is typical of
even the most basic and fundamental level, DNA. Like the fingers of a hand, the
political, social, scientific and technological spheres will have to work together.
In this section, we will consider some results in the context of prime number
generation. Indeed, we will see that the prime sequence follows a scheme that is
deterministic rather than stochastic. The generation of prime numbers, their
distribution, and the knowledge of a possible deterministic scheme for discovering new
primes have all been relevant questions in mathematics over the last two centuries.
[1-9] The knowledge of prime numbers is relevant not only in mathematics but also in
other fields, such as information and communication technology and information
security.
In Prime Numbers Distribution: the Solution comes from Dynamical Processes
and Genetic Algorithms, Chaos, Solitons and Fractals (herein after [10]), we built a
new approach based on dynamical processes and genetic algorithm, while in The set of
prime numbers: Symmetries and supersymmetries of selection rules and asymptotic
behaviours, Chaos, Solitons and Fractals, (herein after [11]), we analysed the analytic
properties of prime numbers. We then considered the selection rules in order to obtain
two pure sets of primes, which contained all prime numbers with the exception of the
first two (i.e. 2,3), since they are the basis on which the genetic of primes is obtained.
Moreover, we studied the symmetries and supersymmetries of the selection rules.
Asymptotic behaviour was considered in The Set of Primes: Towards an Optimized
Algorithm, Prime Generation and Validation, and asymptotic consequences (herein
after [12]). Therein, we moved closer towards finding an optimised algorithm to
generate primes, whose computational complexity was C(n)O(n). In addition, a pre-
computed algorithm was also considered for which the computational complexity
proved to be C(n) O(1). In The set of prime numbers: Multiscale Analysis and
Numeric Accelerators (herein after [13]), we performed a multiscale analysis,
demonstrating that prime numbers clearly manifest themselves beautifully on different
scales. In other words, prime numbers at a fixed scale generate new primes at the next
scale. Indeed, by fixing the prime numbers at a fixed interval, they become the seeds
for primes in the following intervals.
In this work, starting from the multi-scale analysis in [13], we demonstrate that
prime numbers live on the vertices of a multifractal polygon. The change in resolution
and the number of sides of the polygon are initially mediated by the first prime
numbers, and more generally speaking, progress by the sequence of primes themselves.
As has been known for quite some time, a number of efficient algorithms have
been discovered (for details see bibliographic references [14-20]). The algorithms of
Rabin, and Solovay and Strassen are randomised. In addition, the algorithm of
Adleman et al. requires (slightly) super-polynomial time, while the algorithm of Miller
is in P only under an unproved number-theoretic hypothesis. A relevant contribution
was given by Agrawal, Kayal and Saxena in 2004 [14]. While in [10] and [11], we
demonstrated that the sequence of primes is not random, in [12] we considered a first
attempt towards an optimised sieve. It is in [12] that we have developed a multi-scale
procedure in order to facilitate the search for prime numbers and reduce the amount of
time to look for them. This procedure is a process that is the equivalent of walking on a
prism whose first basis is a hexagon. Step by step, this structure becomes a
multifractal polygon. The third dimension of the polygon is a discrete parameter, k,
which is used to generate classes of primes. It is important to emphasise that in our
approach we build a multifractal structure so as to obtain a deterministic process for
generating primes and not to simply describe the apparent randomness of the prime
sequence. It also appears that our vision generalises the procedure shown in Prime
sieves using binary quadratic forms, Mathematics of Computation, [20], where the
authors only consider the first and the second level of the fractal and multiresolution
decomposition.
This paper also presents a way to generate trees that are based on specific
diagrams. In other words, just as the physicist Richard Feynman introduced his specific
diagrams to describe processes in terms of particle paths within the context of QFT
(Quantum Field Theory), here, we can introduce specific diagrams for describing the
process of prime generation and so, control the decomposition level of the multifractal
that is initiated by the hexagon to generate primes. The result is an interesting approach
to create a numeric accelerator capable of discovering prime numbers that move along
the branches of the tree structure.
3 Multiscale Analysis
In [11], we proved that we can write a closed formula for the sequence of prime
numbers:
with
where the new prime pij is written in terms of the product of other primes, pj, multiplied
by a positive integer, k, minus a prime, pi, that is smaller than pij and obtained in the
previous step of the computational recursive procedure.
By using the graph theory, or the tree analysis, we can see that at the first level we
have two classes or sets of candidates to primality, that is, the 6k- , while at the second
level, we have 8 classes (in other words, 30k- , where =1,7,11,13,17,19,23). At the
third level, there are 48 classes of candidates and so on (see the following table 1 and
Figure 1).
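The candidate classes counted above (2 at the first level, 8 at the second, 48 at the third) can be reproduced directly. The following is an added example, not code from the paper: it takes the product of the first level+1 seed primes as modulus, keeps the residues coprime to it, and checks that every prime above the seeds falls into one of those classes, so that class membership is a necessary condition for primality and primes need only be looked for among the candidates.

```python
"""Candidate classes for primes at successive scales.

Added example, not code from the paper: it reproduces the class counts
quoted in the text (2 classes at the first level, 8 at the second, 48 at the
third) by using the product of the first level+1 primes as the modulus and
keeping the residues coprime to it, then checks that every prime above the
seed primes lands in one of those classes.  Membership in a class only makes
a number a candidate; it still has to be tested for primality.
"""
from math import gcd
from typing import Dict, List, Tuple

# Seed primes that mediate the change of resolution from one level to the next.
SEED_PRIMES = [2, 3, 5, 7, 11]


def candidate_classes(level: int) -> Tuple[int, List[int]]:
    """Return (modulus, residues) for a level: 1 -> 6, 2 -> 30, 3 -> 210.

    The residues are the r in [1, modulus) with gcd(r, modulus) == 1, i.e.
    the classes modulus*k + r not already sieved out by the seed primes.
    At level 1 they are 1 and 5, the 6k+1 and 6k-1 classes of the text.
    """
    if level < 1 or level >= len(SEED_PRIMES):
        raise ValueError("level must be between 1 and %d" % (len(SEED_PRIMES) - 1))
    modulus = 1
    for p in SEED_PRIMES[: level + 1]:
        modulus *= p
    residues = [r for r in range(1, modulus) if gcd(r, modulus) == 1]
    return modulus, residues


def is_prime(n: int) -> bool:
    """Plain trial division; sufficient for the small ranges used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def candidates(level: int, limit: int) -> List[int]:
    """Numbers above the level's largest seed prime, up to limit, lying in its classes."""
    modulus, residues = candidate_classes(level)
    allowed = set(residues)
    start = SEED_PRIMES[level] + 1
    return [n for n in range(start, limit + 1) if n % modulus in allowed]


def check_level(level: int, limit: int) -> Dict[str, object]:
    """Covering check plus a density figure: how many candidates are actually prime."""
    modulus, residues = candidate_classes(level)
    allowed = set(residues)
    start = SEED_PRIMES[level] + 1
    primes = [p for p in range(start, limit + 1) if is_prime(p)]
    cand = candidates(level, limit)
    return {
        "modulus": modulus,
        "classes": len(residues),
        "candidates": len(cand),
        "primes": len(primes),
        # Every prime above the seeds must sit in a candidate class: expected empty.
        "missed_primes": [p for p in primes if p % modulus not in allowed],
    }


if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(check_level(lvl, 1000))
```

Raising the level thins the candidate set (8 of every 30 integers at level 2 instead of 2 of every 6 at level 1) without ever dropping a prime, which is the sieve effect the multiscale procedure relies on.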
Starting from the results presented in this work on multiscale analysis, it is possible to
demonstrate that prime numbers are found on the vertices of a multifractal polygon.
Both the change of resolution and the number of sides of the polygon are initially
mediated by the first prime numbers and, more generally, proceed according to the
sequence of primes themselves.
References
[1] E.Bombieri, Problems of the Millennium: the Riemann hypothesis, CLAY, 2000.
[2] A.Granville, Harald Cramér and the distribution of prime numbers, Lecture presented on 24th
September 1993 at the Cramér Symposium in Stockholm.
[3] M. Du Sautoy, The music of the primes, RCS Libri, Milano 2003.
[4] A.Connes, Trace formula in non-commutative geometry and the zeros of the Riemann zeta function,
Selecta Math. (NS) 5, 29-106, 1999.
[5] G.H.Hardy, Divergent Series, Oxford Univ. Press, Ch.II, 23-26, 1949.
[6] H.L.Montgomery, Distribution of the zeros of the Riemann Zeta Function, Proc.Int.Conf.Math.
Vancouver, Vol.I, 379-381, 1974.
[7] A.M.Odlyzko, Supercomputers and the Riemann Zeta Function, Supercomputing 89: Supercomputing
Structures and Computations, Proc. 4-th Int.Conf. on Supercomputing, L.P.Kartashev and S.I.
Kartashev (eds.), International Supercomputing Institute, 348-352, 1989.
[8] Z.Rudnick and P.Sarnak, Zeros of principal L-functions and random matrix theory, Duke Math.Jou. 82,
269-322, 1996.
[9] A.Selberg, On the zeros of Riemann’s zeta-function, Der Kong.Norske Vidensk.Selsk.Forhand. 15,
59-62, 1942.
[10] G.Iovane, Prime Numbers Distribution: the Solution comes from Dynamical Processes and Genetic
Algorithms, Chaos, Solitons and Fractals, 37, 1, 23-42, 2008.
[11] G.Iovane, The set of prime numbers: Symmetries and supersymmetries of selection rules and
asymptotic behaviours, Chaos, Solitons and Fractals, 37, 4, 950-961, 2008.
[12] G.Iovane, The Set of Primes: Towards an Optimized Algorithm, Prime Generation and Validation, and
asymptotic consequences, in press, Chaos, Solitons and Fractals, 2008.
[13] G.Iovane, The set of prime numbers: Multiscale Analysis and Numeric Accelerators, in press, Chaos,
Solitons and Fractals, 2008.
[14] M.Agrawal, N.Kayal and N.Saxena, PRIMES is in P, Annals of Mathematics, 160, 781-793, 2004.
[15] M.Agrawal and S.Biswas, Primality and Identity Testing via Chinese Remaindering, Journal of the
ACM, 50, 4, 429-443, 2003.
[16] G.L.Miller, Riemann's hypothesis and tests for primality, Journal Comput.Syst.Sci., 13, 300-317, 1976.
[17] M.O.Rabin, Probabilistic algorithm for testing primality, Journal Number Theory, 12, 128-138, 1980.
[18] R.Solovay and V.Strassen, A fast Monte-Carlo test for primality, SIAM Journal Comput., 6, 84-86,
1977.
[19] L.M.Adleman, C.Pomerance, and R.S.Rumely, On distinguishing prime numbers from composite
numbers, Annals of Mathematics, 117, 173-206, 1983.
[20] A. O. L. Atkin, D. J. Bernstein. Prime sieves using binary quadratic forms, Mathematics of
Computation 73, 246, 1023-1030, 2004.
Modelling Cyber Security: Approaches, Methodology, Strategies 59
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-59
Abstract. While the classic symmetric encryption systems require a single key for
both encryption and decryption, public-key systems are based on the existence of
two distinct keys, one private and one public, and on the concept that, while the
private key is never transmitted over any channel, and is therefore known only by
its owner, the public key is made publicly known. Public-key systems are thus
extremely useful in open network scenarios, where not all users are known in
advance, or where it is simply impractical to establish a secure channel with any of
them over which to exchange symmetric keys for the ensuing communications
protection. Asymmetric systems are very interesting from a mathematical point of
view, since they are based on one-way trapdoor functions, which are invertible
functions that are “easy” to compute in one direction and “difficult” to compute in
the opposite direction, with the additional condition of being “easy” to compute in
that direction if additional information (the trap) is available.
Introduction
The need to protect communications has historically been associated with military and
government contexts. Although they were at times very ingenious, the techniques that
were used to protect communications were more an art than a science and were known
only within restricted circles of specialists.
Only in the last 30 years has the need for data protection become more and more
evident in many fields of our everyday life, like mobile communications, e-commerce,
and ATM machines.
Due to these new applications, we observe on one hand the development of new
cryptographic mechanisms, and on the other a diffusion of knowledge tending towards
open research (academic) communities. This has led cryptography to be based on
stronger formal mathematical foundations.
Unfortunately, despite this progress, this does not mean that we are now able to
build systems with absolute and mathematically provable security, since many building
blocks of modern cryptography are still based on unproved mathematical assumptions.
Moreover, the same mathematical knowledge available to cryptographers is obviously
also available to cryptanalysts. However, we now have a common framework to better
assess our mathematical model through the use of formal tools and therefore are able to
avoid repeating the same mistakes in new and different contexts.
Prior to the 1970s, communications protection basically consisted of encrypting
and hiding messages. The former is obtained using cryptographic measures in the
attempt to make messages unintelligible to possible interceptors, while the latter uses
steganographic methods in order to make the messages difficult to detect. These
techniques are therefore complementary and both should be used whenever possible. In
the following, however, we will focus only on cryptography.
It was in the 1970s that the use of cryptography experienced a remarkable
expansion. This is because applications in military fields, and even more so in
60 D.A.M. Sgobbi and G. Morgari / A Note on Public-Key Cryptosystems
commercial fields, require security mechanisms to ensure data integrity that go well
beyond simple encryption, such as digital signatures. This increase in the use of
cryptography is basically due to the introduction of a new class of cryptographic
primitives, called asymmetric or public-key algorithms. In fact, the conceptual meaning
and the foreseeable practical impact of the new paradigm were so extensive that the
authors of the seminal paper about public-key cryptography gave it the title “New
Directions in Cryptography” [1].
While the classic symmetric encryption systems require a single key for both
encryption and decryption, public-key systems are based on the existence of two
distinct keys, one private and one public, and on the concept that, while the private key
is never transmitted over any channel, and is therefore known only by its owner, the
public key is made publicly known. This feature makes public-key systems very
versatile and theoretically suitable not only for encryption but even more so for
authentication and key management.
Public-key systems are thus extremely useful in open network scenarios, where not
all users are known in advance, or where it is simply impractical to establish a secure
channel with any of them over which to exchange symmetric keys for the ensuing
communications protection.
On the other hand, public-key systems are very slow and are therefore seldom used
alone. More often than not, they are part of a hybrid system, in which they are used to
determine a session key, which is then used to protect a single communication through
symmetric key algorithms.
In some situations, asymmetric systems are not used at all, either because of their
poor efficiency (for example in constrained environments) or because of the specific
scenario (in military or diplomatic networks, due to their strictly hierarchical nature,
entirely symmetric systems often represent the best solution).
Asymmetric systems are very interesting from a mathematical point of view, since
they are based on one-way trapdoor functions, which are invertible functions that are
“easy” to compute in one direction and “difficult” to compute in the opposite direction,
with the additional condition of being “easy” to compute in that direction if additional
information (the trap) is available. This additional information represents the private
key, which must be “difficult” to obtain from the knowledge of the public key only. For
practical purposes, hereinafter, by “easy” and “difficult” we mean computationally
feasible and unfeasible. The notions of complexity theory that we will introduce below
are the basis for the quantitative measure and formal tools for handling these concepts.
The aim of this paper is to briefly present a possible classification of the various
cryptographic techniques and their goals, paying special attention to public-key
systems and their underlying mathematical problems. The paper is organised as
follows: Section one is devoted to presenting some complexity theory elements which
will be used in the following analysis. The second section will list the goals of modern
cryptography and the techniques applied to fulfil these goals. The last section will
discuss the two most widely used public-key systems (RSA, and Diffie-Hellman) from
a complexity theory perspective.
n      time                                                         atoms
2      4 microseconds                                               4
5      32 microseconds                                              32
10     1 second                                                     1024
20     17 minutes                                                   10^7
40     34 years                                                     1.1*10^12
80     3.8*10^13 years (>10^11 years, believed age of the universe) 1.2*10^24
128    1.1*10^28 years                                              3.4*10^38
256    3.7*10^67 years                                              1.2*10^77 (~10^77, believed number of atoms of the universe)
In the current digital era, not only is data interception even easier than in the past, but
the modification of data in transit or the creation of fake data can also be very simple
Cryptographic applications today vary from the most well-known, such as secure
transactions on the Internet, to the most surprising, such as mental poker (a way to
remotely play a fair game without any need of a trusted third party) [3]. However,
basically all of them can be modelled according to the previous classification.
These goals can be accomplished by using a number of cryptographic primitives.
As we will see, the same goals can be reached by the use of different primitives or their
combination, and, in fact, primitives can be consistently classified in many different
ways. One of the possible high-level classifications defines three classes: unkeyed
primitives, symmetric key primitives, asymmetric key primitives. Using this
classification, we can give the following overview of the primary tools of modern
cryptography.
3. Unkeyed Primitives
The main primitives in this class are random sequences and hash functions. These
primitives are keyless, however, since they are building blocks for many cryptographic
operations, they satisfy strict requirements.
The generation of random sequences, for example, is of paramount importance in
the production of cryptographic parameters, since poor generation can significantly
reduce the complexity of an exhaustive search attack on these parameters. They must
therefore satisfy extremely stringent cryptographic constraints, which are usually not
required for standard random generators.
Hash functions are well-known primitives that take an input (message) of variable
length and produce a fixed-length output. Analogously to random generators, when
used in cryptographic applications, hash functions must satisfy extra requirements, the
first of which is the (practical) impossibility of finding two messages with the same
hash. Consequently, the obtained value represents an unambiguous digest of a given
message and can, therefore, be used to guarantee the integrity of the message against
unintentional data corruption.
These primitives are based on sharing a secret key between two users. They provide
tools for message encryption, sender authentication, and data integrity.
As encryption primitives, they fall in one of two categories: block ciphers and
stream ciphers. While from the security point of view there is no general reason to
prefer one class over the other, the distinction is sometimes relevant with regard to their
implementation. Block ciphers are, in fact, considered to be more versatile.
Furthermore, standard schemes exist to convert block ciphers into stream ciphers
(Output Feedback Mode, Counter Mode [4]) when needed. Among a wide set of
available symmetric ciphers, the currently most used is certainly the AES (Advanced
Encryption Standard [5]).
MAC (Message Authentication Codes) functions are essentially keyed hash
functions and thus can be used to guarantee not only data integrity but also data origin
(authentication); since the secret key is shared only between the sender and the
receiver, when the latter verifies the correct value of the MAC he also has proof of the
sender identity. Note, however, that this does not allow for non-repudiation, since both
sender and receiver can later claim that a given message was produced by the other
party.
Native MAC functions exist, but it is common to use schemes based on other
primitives in practice; for example, see HMAC [6] and CMAC [7] to convert unkeyed
hash functions and block ciphers to MAC.
cryptosystems [8]) or because they are extremely inefficient with regard to speed or
public key size (like the McEliece cryptosystem [9]).
6. RSA, Diffie-Hellman
In this section, we briefly analyse the mathematical problems underlying the two most
used public-key cryptosystems (RSA and Diffie-Hellman) and especially focus on the
complexity issues.
6.1. RSA
This algorithm [10] allows the implementation of both encryption and digital signatures.
Without going into detail, we recall from a mathematical point of view that its security
is strictly linked to the integer factorisation problem (IFP) [11], since operations are
performed modulo an integer N that is the product of two primes of adequate size
(N = pq, the size of p and q today typically lying in the range [1024, 4096] bits).
While the modulus N is part of the public key, and is therefore
known to anyone, the primes p and q are not public and allow for the private key to be
computed. It is clear then that solving IFP means breaking RSA, but it is interesting to
note that, in principle, RSA could be broken in some other way, even if this occurrence
appears to be quite unlikely. The conclusion is that IFP and RSA are not theoretically
equivalent problems and RSA may in fact be easier (a very recent result [12] however
provides strong evidence that equivalence may actually hold true, even if formal proof
is still missing. It is interesting to note that another public-key system exists, that is
attributable to Rabin [13], which can be proven to be as difficult to crack as IFP and in
this sense may be considered to be stronger than RSA but, due to its decryption
complexity, it has never gained widespread practical use).
As of today, no efficient algorithm to solve IFP has been discovered. More
precisely, no polynomial time algorithms are known, since the most efficient is the
General Number Field Sieve [14], which, for a small constant c (n, as usual, is the
number of bits representing the integer to be factored), has the complexity
.
Another number theory problem related to RSA is the primality problem (PP), i.e.
to determine if a given integer is prime or composite. Each RSA user must in fact
choose a different modulus N and therefore a different pair of primes (p, q). As a
consequence, it is important to have algorithms to quickly and affordably determine the
primality of a number of any reasonable size. Fortunately, this problem has been solved
both in theory and in practice.
Extremely efficient primality tests have been known for a long time, and have been
widely used in practice. Their only drawback is that they are probabilistic rather than
deterministic. This means that the outcomes they provide may be wrong. This
apparently surprising feature is actually of no practical concern, since the probability of
error can be mathematically computed (upper-bounded) and made as small as is
desired. The most commonly used probabilistic algorithms are the Solovay-Strassen
[15] and the Miller-Rabin [16] tests. Both algorithms consist of k iterations of a basic
round, k being an integer chosen by the user. Computational complexity and error
probability can be easily determined as functions of k. For example, the
Miller-Rabin test with k iterations has a computational complexity O(k*n^3) and an error
probability 4^-k, while the Solovay-Strassen test with k iterations has a computational
complexity O(k*n^3) and an error probability 2^-k (n being the number of bits of the
tested integer). It is clear that with moderately small values of k, the resulting
algorithms are very efficient and the probability of error is so low as to be totally
negligible.
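The two probabilistic tests just described, as an added example that is not code from the paper: each runs k rounds with random bases, a single witness settles compositeness, and error_bound returns the 4^-k and 2^-k bounds quoted above. The seed parameter is an assumption added only for reproducible runs.

```python
import random
from fractions import Fraction


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via the standard quadratic-reciprocity algorithm."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:           # factor out 2s: (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # quadratic reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def miller_rabin_round(n, a):
    """One Miller-Rabin round with base a; False means a is a witness, so n is composite."""
    d, s = n - 1, 0
    while d % 2 == 0:               # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def solovay_strassen_round(n, a):
    """One Solovay-Strassen round: Euler's criterion a^((n-1)/2) = (a/n) (mod n)."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n


ROUNDS = {"miller-rabin": miller_rabin_round, "solovay-strassen": solovay_strassen_round}


def is_probable_prime(n, k=20, test="miller-rabin", seed=None):
    """Run k independent rounds of the chosen test with random bases in [2, n-2].

    'seed' is an assumption added for reproducible runs; it is not part of either test.
    """
    if test not in ROUNDS:
        raise ValueError("unknown test: %s" % test)
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)
    one_round = ROUNDS[test]
    for _ in range(k):
        a = rng.randrange(2, n - 1)
        if not one_round(n, a):
            return False            # a witness was found: n is certainly composite
    # No witness in k rounds: a composite n survives this with probability <= error_bound(k, test)
    return True


def error_bound(k, test="miller-rabin"):
    """Upper bound on the probability that a composite passes all k rounds: 4^-k or 2^-k."""
    base = {"miller-rabin": 4, "solovay-strassen": 2}[test]
    return Fraction(1, base ** k)
```

The Carmichael number 561 is a useful check: base 2 is a Miller-Rabin witness for it but an Euler liar, which is exactly why the tests are iterated rather than run once.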
From a theoretical point of view, several deterministic algorithms to solve PP have
been known for a long time. Some of them are trivial and others are more complex, but
all of them have either exponential complexity or polynomial complexity that is based
on some unproved mathematical assumption (typically the Riemann hypothesis). In
2002, three Indian researchers [17], for the very first time, found an algorithm that was
at the same time deterministic, polynomial and unconditional (i.e. not based on any
conjecture). The theoretical interest for their algorithm, later improved by other
researchers, is enormous, but from a practical perspective, their result is totally useless
since the resulting complexity (O(n^12) in the original version and O(n^6) in an improved
variant) cannot compete with that of probabilistic algorithms.
6.2. Diffie-Hellman
This protocol allows a secret key to be generated between two users without any prior
agreement. The security of the scheme is based on the Discrete Logarithm
Problem (DLP) in a cyclic group. The protocol was originally formulated to work in
the multiplicative group of integers modulo a prime (of proper size, say
1024 bits), but it has recently become more and more common to use a cyclic subgroup
of specific elliptic curves defined over Galois fields. This choice allows for much faster
implementation and shorter parameters (including public keys), while keeping the
security level the same. Independently of the domain in which computations are carried
out, the underlying problem is the DLP. As for IFP, no polynomial-time algorithms are
currently known. As of today, the most efficient algorithm to solve DLP is
the Index Calculus Algorithm [18].
Similar to the RSA case, the Diffie-Hellman cryptosystem has no formal proof of
equivalence with the underlying hard problem. While it is clear that solving DLP would
break Diffie-Hellman, it is still unknown whether the opposite is also true, despite
some evidence that this may be the case [19].
IFP and DLP share some interesting features. With regard to size, when we consider
DLP modulo a prime, the size of the modulus used for IFP and for DLP is the same
for an equivalent security level (>= 1024 bits for today’s computation power). With
regard to security, both of them are believed to be intractable, but there is no formal
proof of this.
However, it is interesting to observe that solving DLP would lead to the solution of
IFP [20], while there is no evidence of the opposite.
The third problem considered, PP (Primality Problem), is evidently linked to IFP.
While solving IFP (factoring a number) immediately solves PP, the opposite is not true
at all. Determining the primality of a number is by far easier than finding its factors and
gives no way of finding them. With regard to asymmetric algorithms, this means
that improving the existing primality tests (either deterministic or probabilistic) does
not pose any threat to public-key systems like RSA or Diffie-Hellman.
Conclusions
In this paper we have presented a short overview of the main tools available in modern
cryptography, with special emphasis on the most used public-key algorithms (RSA,
Diffie-Hellman) and their related mathematical problems. These problems have been
considered principally from a complexity theory point of view, since their complexity
has an impact on their efficiency (primality problem) and on their security
(factorisation problem, discrete logarithm problem). Furthermore, links between the
different problems have been described and discussed.
References
[1] W. Diffie, M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory,
vol. IT-22, Nov 1976, pp. 644-654
[2] J. Menezes, P. Van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
[3] A. Shamir, R. Rivest, L. Adleman, Mental Poker, Technical Report LCS/TR-125, Massachusetts
Institute of Technology, April 1979
[4] Recommendation for Block Cipher Modes of Operation: Methods and Techniques, NIST Special
Publication 800-38A, 2001 Edition
[5] Advanced Encryption Standard (AES), FIPS PUB 197, November 2001
[6] The Keyed-Hash Message Authentication Code (HMAC), FIPS PUB 198, March 2002
[7] Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, NIST
Special Publication 800-38B, May 2005
[8] The rise and fall of knapsack cryptosystems, in C. Pomerance (ed.), Cryptology and Computational
Number Theory, vol. 42 of Proceedings of Symposia in Applied Mathematics, pp. 75-88, American
Mathematical Society, 1990
[9] R.J. McEliece, A public key cryptosystem based on algebraic coding theory, DSN Progress Report 42-44,
Jet Propulsion Laboratory, Pasadena, 1978
[10] A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communications of the
ACM, vol. 21, n. 2, Feb 1978, pp. 120-126
[11] Richard P. Brent, Recent Progress and Prospects for Integer Factorisation Algorithms, Computing and
Combinatorics, 2000, pp. 3-22
[12] D. Aggarwal, U. Maurer, Breaking RSA Generically is Equivalent to Factoring, eprint.iacr.org/
2080/260
[13] T. Rabin, Digitalized signatures and public key functions as intractable as factorization, MIT/LCS/
TR-212, MIT Laboratory for Computer Science, 1979
[14] A.K. Lenstra, H.W. Lenstra Jr. (eds.), The development of the number field sieve, Lecture Notes in
Math. 1554, Springer-Verlag, 1993
[15] R.M. Solovay, V. Strassen, A fast Monte-Carlo test for primality, SIAM Journal on Computing 6 (1),
1977, pp. 84-85
[16] G.L. Miller, Riemann's hypothesis and tests for primality, Journal of Computer and System Sciences
13, 1976
[17] M. Agrawal, N. Kayal, N. Saxena, PRIMES is in P, Annals of Mathematics 160 (2004), no. 2, pp. 781-
793
[18] O. Schirokauer, D. Weber, T. Denny, The effectiveness of the index calculus method, 2006, Algorithmic
Number Theory, Lecture Notes in Computer Science, vol. 1122/1996
[19] U. Maurer, Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete
Logarithms, Crypto '94, Lecture Notes in Computer Science, vol. 839
[20] E. Bach, Discrete logarithm and factoring, Report no. UCB/CSD 84/186, Computer Science Division
(EECS), University of California, Berkeley, June 1984
68 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-68
Introduction
• Assessment: is the preparation phase for the other three steps. Stated as a
separate action, it deals with policies, procedures, regulations and other
managerial duties.
• Protection: is the application of countermeasures aimed at reducing
possible compromising events.
• Detection: is the intrusion identification process, where intrusion is
understood as a policy violation or a computer security incident.
• Response: is the process that validates the findings of the detection phase
and takes steps to remediate intrusions. Response activities include “patch and
proceed” as well as “pursue and prosecute”.
Risk is the possibility of suffering harm or loss. Risk is a measure of the existing threat
to an asset. The asset is anything of value, which in the security context could refer to
information, hardware or intellectual property. Risk is frequently expressed in terms of
a risk equation, where:
2. Detection
Both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are
technologies that will help to enhance the security environment of private sector
companies and government agencies.
These technologies provide visibility and also offer many other benefits related to
network monitoring activity. IDS and IPS provide real-time monitoring of
network activity, while at the same time allowing the relevant information to be
stored so that data analysis and/or reporting can be performed at a later date. In the
decision-making process, visibility plays an important role since it allows a security
policy based on quantifiable real-world data to be envisaged.
Another main aspect that ought to be kept in mind, is network control; IPS
technology provides active network control capability. Control is the key to
enforcement and makes it possible to enforce compliance with security policy.
4. Anomaly-Based IDS
Anomaly-based IDS, also known as behaviour-based IDS, apply various forms of logic
in order to detect security events. Such applications try to establish what a “normal”
profile for system or network behaviour is, and subsequently identify any
deviations from this profile. A profile is generally established through a modelling
process that has been incorporated into the IDS. To a significant extent, this means that
all behaviour-based IDS apply “normalisation” theory to event detection,
regardless of the differences in how the base profile is developed.
In anomaly-based IDS, the following logic may be implemented:
5. Signature-based IDS
This kind of IDS uses predefined attack signatures to detect security events and
report anomalous behaviour. The signature definitions may represent known system or
network vulnerabilities or known patterns of malicious activity. Normally, the vendor
provides automatic updates to the signature database and the administrator may define
or edit the signature. Of course, this kind of technology is less suitable for identifying
new or unknown attacks.
In signature-based IDS, the following logic is implemented:
State transition analysis. This system works by establishing a series of states
that represent attack activities. These states are, for example, reconnaissance,
mapping, penetration, etc. Detection involves assessing the system or the
network activity against these states that have been defined through the use of
signatures.
Model-based reasoning. These techniques are more closely representative of
behaviour-based IDS but are administrator driven. This kind of IDS generally
uses some form of predicting logic to determine which patterns of activity to
search for and in which resources to search; the IDS keeps accumulating this
information until an alert threshold is reached and then an alert is generated.
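The two signature-based strategies just described, as an added example that is not code from the paper: a per-source state-transition chain (reconnaissance, mapping, penetration) that alerts when the final state is reached, and a model-based score that accumulates signature weights until an alert threshold. The log format, the signatures, the weights and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Ordered attack states for the state-transition engine, each tied to a regex
# "signature" over the message field.  States, signatures and weights are
# hypothetical, constructed for this example.
ATTACK_STATES = [
    ("reconnaissance", re.compile(r"ICMP echo request")),
    ("mapping", re.compile(r"TCP SYN to port \d+")),
    ("penetration", re.compile(r"SSH login (failed|accepted) for root")),
]

# Per-signature weights for the model-based engine, and its alert threshold.
SIGNATURE_WEIGHTS = {"reconnaissance": 1, "mapping": 2, "penetration": 5}
ALERT_THRESHOLD = 6

# Constructed log format: "<timestamp> src=<ip> dst=<ip> msg=<free text>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) msg=(?P<msg>.*)$")

# Constructed sample log: 10.0.0.5 walks the whole chain, 10.0.0.7 only probes.
SAMPLE_LOG = """\
2009-03-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 msg=ICMP echo request
2009-03-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 msg=TCP SYN to port 22
2009-03-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 msg=TCP SYN to port 23
2009-03-01T10:00:05 src=10.0.0.7 dst=10.0.0.9 msg=ICMP echo request
2009-03-01T10:00:09 src=10.0.0.5 dst=10.0.0.9 msg=SSH login failed for root
2009-03-01T10:00:12 src=10.0.0.7 dst=10.0.0.9 msg=TCP SYN to port 80
2009-03-01T10:00:20 src=10.0.0.5 dst=10.0.0.9 msg=SSH login accepted for root
this line is not in the expected format and is skipped
""".splitlines()


def parse_line(line):
    """Split one log line into its fields, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_state(msg):
    """Index of the most advanced attack state whose signature matches msg, or None."""
    hit = None
    for i, (_, signature) in enumerate(ATTACK_STATES):
        if signature.search(msg):
            hit = i
    return hit


def state_transition_alerts(lines):
    """State transition analysis: track each source through ATTACK_STATES in order.

    A source may only move forward (to any later state); repeated or earlier
    activity is ignored.  An alert is raised when the final state is reached.
    """
    progress = defaultdict(lambda: -1)      # src -> index of the last state reached
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        idx = match_state(event["msg"])
        src = event["src"]
        if idx is None or idx <= progress[src]:
            continue
        progress[src] = idx
        if idx == len(ATTACK_STATES) - 1:
            alerts.append((src, [name for name, _ in ATTACK_STATES]))
    return alerts


def model_based_alerts(lines, threshold=ALERT_THRESHOLD):
    """Model-based reasoning: accumulate signature weights per source; alert once at threshold."""
    score = defaultdict(int)
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        idx = match_state(event["msg"])
        if idx is None:
            continue
        src = event["src"]
        score[src] += SIGNATURE_WEIGHTS[ATTACK_STATES[idx][0]]
        if score[src] >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, score[src]))
    return alerts


if __name__ == "__main__":
    print("state transition:", state_transition_alerts(SAMPLE_LOG))
    print("model based:", model_based_alerts(SAMPLE_LOG))
```

Lowering the threshold makes the model-based engine fire on the probing host too, which is the trade-off between early warning and false positives that the administrator tunes.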
The main difference between the two technologies is that signature-based detection
exploits known signatures that describe malicious activities, whereas anomaly-based
detection considers all “non-normal” activities as malicious.
Signature-based IDS is currently more widely implemented than behaviour-based
IDS, since it is perceived to be easier to adapt to a specific system or network
environment and its known vulnerabilities.
One of the main concepts in the deployment of IDS is that this is a useful tool for
capturing information and providing visibility in a network. For critical infrastructures
that have an added need for full visibility, it is common to install IDS devices in all the
primary network points in order to provide visibility internally as well as externally.
This kind of deployment provides the data needed to track down potential internal
threats as well as those posed to the network from the outside.
Another concern about IDS deployment is the performance factor. Today, IDS
solutions have come a long way in design and use of high performance components
that help ensure the greatest amount of data capture. In any case, even with the higher
performance components, it is well known that current IDS implementation has the
tendency to drop packets, due to the high throughput of today’s high bandwidth
network devices. Performance is one of the primary key issues in IDS deployments.
Encrypted traffic is another point to bear in mind, since IDS do not currently have
the ability to decrypt packets, thus blinding security administrators as to what is
coming into and going out of a mission-critical network. The use of VPNs and other
encrypted data streams does increase the need to get solutions like IPS to the perimeter.
D.A.M. Sgobbi and M. Paggio / Intrusion in a Mission Critical Network 73
Combining the blocking capability of a firewall with the deep packet
inspection of an IDS, we obtain a new kind of barrier: Intrusion Prevention Systems. Still
today there are many definitions for IPS and many views on what the requirements for
IPS implementation should be. Some people suggest that IPS is the evolution of IDS
and that IDS is a technology that will eventually disappear. There are companies that
are combining multiple technologies to enable organisations to improve the level of
protection of their networks through a combination of passive network discovery,
behavioural profiling, and integrated vulnerability analysis to deliver the benefit of real
time network profiling.
In many cases, the argument is that the decision to deploy IDS or IPS technology
much resembles that of the chicken and the egg.
As organisations start to realise the potential savings associated with preventing
downtime caused by the almost weekly worm or virus attacks, they will be more
inclined to adopt measures like IPS.
IPS and IDS technologies can and should coexist. IPS technology
must be placed at the perimeter of the network, to help prevent zero day attacks such as
worms or viruses, using anomaly-based rules as well as signature-based inspection. The
adoption of IPS at the ingress/egress points of an organisation’s network will help
ensure that both new and previously identified threats are dropped at the perimeter.
Therefore, IPS deployment along the outer portion of the network will provide the
preventive measures and control needed to counter new and existing threats, while
including IDS on the inside of the critical network nodes will provide visibility and
confirmation of inside activity.
IPS and IDS technologies are only two of the many resources that can be deployed
to increase visibility and control in a complex and critical network infrastructure.
In fact, an exhaustive approach to the topic of security, which is beyond the target
of this paper, should take the concept of Defence in Depth into account. The Defence in
Depth approach has been presented in many papers and books. The underlying idea of
this approach is to provide multiple levels of security. The idea behind the Defence in
Depth approach aims at defending a system against any particular attack by using
several, varying methods. It is a layering tactic, conceived of by the National Security
Agency (NSA) as a comprehensive approach to information and electronic security.
Conclusion
Winning the challenge of security and service availability is a priority for mission
critical networks that provide real-time services like Voice over IP and other strategic
services. Choosing the appropriate security architecture solution is the most important
target for mission critical networks. The use of both the discussed technologies, IDS
and IPS, will positively influence an organisational security posture. IPS at the border
of the network will increase the visibility and the control of intrusions and attacks. IDS
systems, used to monitor the internal network, will provide the least intrusive method
for identifying possible internal threats. With these two technologies, the network will
have a perimeter and core defence that can combat zero day attacks and counter
existing threats, as well as being able to render activity in the internal network visible
and be capable of providing forensic analyses.
References
Abstract. Considering that one of the most dynamic and attractive segments of the
commercial world is the financial sector, it naturally becomes a favourite target for
information warfare, due to the direct impact an attack on this sector could have on
economic stability. Our reliance on infrastructures that support the use of
information is subject both to being used for violence itself or to being the target
of violent acts; industries such as broadcasting, or banks, stock markets, and
telecommunication companies are dependent on technologies and a disruption of
their systems can potentially cause serious harm to basic societal interests. All
corporate leaders must be aware of the diversity of potential attacks and should
plan and implement measures to defend their organisations. In order to assure
secure information exchange between business partners, it is mandatory that all
involved parties secure their business environments by implementing the
appropriate security measures. There is need for international response wherein the
authorities and organisations alike use military expertise as consultancy or
knowledge transfer in order to establish appropriate frameworks.
perfectly legitimate and, in this way, a financial organisation can unknowingly become
the technical support for violence.
Banking and financial services industries are key components in maintaining and
integrating economies, and, in turn, information technology is the heart of these
industries’ operations now that the vast majority of all financial transactions are
made electronically. In this interconnected world, the organisations that provide
financial services are not the only ones that must implement measures against
organised crime and cyber threats. All corporate leaders must be aware of the diversity
of potential attacks, including organised crime, high-tech espionage, or cyber-attacks
organised by individuals (hackers) or by groups sponsored by nation-states or even
by business competitors, and should plan and implement measures to defend their
organisations. Nevertheless, corporate leaders must be aware that in the context of a
networked environment, the security of their organisation depends on the security of
others.
As mentioned earlier, in an interconnected world such as the one we have today, in
order to assure secure information exchange between business partners, it is mandatory
that all involved parties secure their business environments by implementing the
appropriate security measures. We all know that in security, through propagation, a
weak link in the chain can be exploited and used to compromise the information that
transits that chain.
Unfortunately, today it is not an exaggeration if we say that every organisation is
faced with the threat of cyber attacks. Therefore, regardless whether the threat level an
organisation might be faced with is high or low, it always needs to be taken seriously.
Building company defences will not always be enough to reduce threats. Often, more
extensive cooperation is required in order to provide a more consistent and effective
response to cyber threats.
In order to build a reliable defence system against cyber threats, three directions
should be considered:
- building solid corporate governance for the organisation
- a joint approach of organisations against similar threats:
  • cooperation for response against cyber threats
  • common prevention programs
- world-wide cooperation:
  • there is a need for an international response which should include those
  countries that are currently safe havens for cyber-criminals; international
  cooperation between authorities against cyber-criminals will improve the
  capabilities of neutralising the sources from which attacks originate;
  • using military expertise as consultancy or knowledge transfer in order to
  establish appropriate frameworks for conducting cyber warfare both
  offensively (aggressive defence) and defensively; in this respect
  collaboration protocols should be established with governments that can
  in this way better support the private and public sectors in setting up such
  frameworks;
As is clearly illustrated above, the measures to be taken are not only local but also
regional and global. For example, because cyber crime and cyber terrorism are a trans-
national phenomenon, legal enforcement cannot be effective as long as it remains on an
exclusively local or regional level. This is particularly critical for large corporations
operating in foreign countries, which are subject to various national legal restrictions
that could possibly impact the overall protection strategy of the corporation itself.
P. Campobasso / A World-Wide Financial Infrastructure to Confront Cyber Terrorism 77
security threats that the various actors must deal with today. Without a full picture and
a joint approach, we limit our response capabilities in the face of cyber crimes.
UniCredit is sensitive to these issues and actively promotes cooperation with national
and international actors; it aims at exchanging knowledge and expertise, to improve
overall awareness and response capability to crimes. Like possibly other large players,
UniCredit is already active in this area of cyber defence, and practical returns are
expressed in terms of improved awareness, prevention capabilities, and loss reduction.
Through the implementation of a security model based on international standards and
best practices, having reliable AML in place along with anti-fraud mechanisms, and
being concerned with permanently improving its prevention, detection and response
capabilities, UniCredit Group achieves excellent results in minimising losses.
Modelling Cyber Security: Approaches, Methodology, Strategies 79
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-79
Abstract. Critical Networks monitor and control the most valuable assets of
national and homeland security and usually refer to operational, real-time
networks. Ecosystems involving Critical Networks, on the other hand, often
include inter-connections with external, Less Secure Networks.
There is a constantly increasing demand to connect Critical Networks to Less
Secure Networks or ecosystems in order to enable more business processes and
improve business continuity and day to day operations.
This paper describes three models of ecosystems that involve Critical Networks
and Less Secure Networks, in which the role of the Critical Network differs within
each of the proposed ecosystems:
1. Production/DCS (Data Control System) Network - An Industrial (Critical)
Network (for example, an oil refinery) which is monitored by a Business
Network within the organisation.
2. Remote Infrastructure Management – Assets (for example, data centres)
within a Critical Network that are monitored by a third party support centre
(for example, equipment vendors).
3. Lawful Interception – A Critical Network that monitors assets within
External Networks (for example, Service Providers, Telecomm Operators).
This paper analyses the IT Security threats inherent to the above ecosystem
models. It describes the pros and cons of the existing IT Security approaches for
mitigating these threats, and presents a novel pragmatic approach that can
completely eliminate these risks, while maintaining the business processes that
require inter-connectivity.
Introduction
Cyber Terror
“CIA Confirms Cyber Attack Caused Multi-City Power Outage: We have
information that cyber attacks have been used to disrupt power equipment in several
regions outside the United States. In at least one case, the disruption caused a power
outage affecting multiple cities. We do not know who executed these attacks or why, but
all involved intrusions through the Internet.”
(SANS Organization - January 18, 2008 - www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=5&rss=Y)
Cyber Crime
“Federal prosecutors have charged 11 people with stealing more than 41
million credit and debit card numbers, cracking what officials said on Tuesday
appeared to be the largest hacking and identity theft ring ever exposed. … Once the
thieves identified technical weaknesses in the networks, they installed so-called sniffer
programs, obtained from collaborators overseas.”
(New York Times – 5 August 2008)
Cyber Warfare
“While Russia and Estonia are embroiled in their worst dispute since the
collapse of the Soviet Union, a row that erupted at the end of last month over the
Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn, the
country has been subjected to a barrage of cyber warfare, disabling the websites of
government ministries, political parties, newspapers, banks, and companies.”
(The Guardian, May 17, 2007)
are part of ecosystems that interconnect multiple networks of varying ownership, and
varying levels of control and security. This interconnection to external Less Secure
Networks is essential for the operation of the Critical Network and the Critical National
Infrastructure.
This article provides a detailed description of models of ecosystems that involve
Critical Networks, the IT security threats inherent to the ecosystems, and the pros and
cons of the existing IT security approaches for mitigating those threats.
The article will further present a novel pragmatic approach that completely and
eternally eliminates the risks, without reducing the functionalities and services of the
Critical Network within the ecosystem.
Lawful interception (LI) is the process by which Law Enforcement Agencies (LEAs)
and Security Organisations legally obtain real-time communication intercepts from the
communications of suspects and criminals. In particular, this involves interconnecting
the Critical Network at the LEA facility, where the information is gathered and
analysed, to the Service Provider’s networks, from where the information is obtained.
E. Peshin / A Pragmatic and Foolproof Approach for Connecting Critical/Industrial Networks 83
Interconnection is mandatory, since it is the only way in which the LEA can obtain
the necessary information in real-time.
- Because an attacker will first try the path with the best cost/performance ratio!
Let's assume, for the sake of simplicity that a criminal or terrorist entity wants to
penetrate an electric plant's Production/DCS Industrial network.
Scenario I: The entity tries to hack into the plant's Industrial network via one of
the sensors or controllers, or even by tapping into the medium network (which can
be wireless) – a physical-access attack.
Scenario II: The entity tries to hack into the Industrial network via a connection
that the network has to a third-party over the internet – an online attack.
Considering the sensitivity of Critical Networks, the potential damage that could be
caused by an attack, and the high levels of motivation that exist to attack them, a solution
for protecting the external connections should provide ultimate security while having
little or no effect on the business and operational requirements.
Standard IT security solutions and technologies such as firewalls, content filters
and intrusion detection and prevention (IDP) systems, while good enough for most
organisations and users, are not sufficient for securing external connections to Critical
Networks.
Firewalls are circumvented on a daily basis, content filters are bypassed, and IDP
systems detect mainly known attacks. There is an abundance of security patches and
software updates being produced and installed on a daily basis, which only keep the
security products up-to-date for yesterday's attacks and vulnerabilities.
As for Critical Networks, standard IT security measures are insufficient, primarily
because they are:
• Software-based and running over an operating system that is itself subject to bugs,
software vulnerabilities and online hacking and penetration
• Configurable – many security products are partially configured or configured
poorly
• Partial – none of them provides, by design, 100% security
To emphasise the extent of the risks, below is a risk-analysis table detailing the
probability and severity of security threats in the three types of ecosystems that are
protected by software-based security solutions.
Since the importance and sensitivity of Critical Networks is beyond question, a Critical
Network ought to be secured in the best way possible. Hence, imposing a segregation
topology seems to be the most obvious choice because it would leave the Critical
Network physically isolated from the External Networks while still enabling the
business processes to continue to function.
Implementing the connection of External Networks from or to the Critical Network
via real-time physical unidirectional gateways, allows the complete and eternal
mitigation of all the above mentioned IT security threats, while maintaining the
business processes within the ecosystem.
We will now detail how the three models of ecosystems we previously described can be
secured using physical unidirectional gateways.
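To make concrete what a physical unidirectional gateway implies for the software on either side of it, here is an added example in Go, written for this edition and not taken from the paper or from any gateway vendor's product. A sender on the Critical Network side frames each record with a sequence number and a CRC-32; a receiver on the Less Secure side validates every frame and accounts for gaps, duplicates and corruption. The frame layout, the type names and the sample readings are constructed for illustration. What it shows is the trade-off the paper accepts: because no byte can travel back through the gateway, the receiver can never acknowledge or ask for a retransmission, so reliability has to be engineered on the sending side (replication, periodic resends), while the receiver's only jobs are to validate and to record what it did not get.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Frame layout on the one-way link (constructed for this example, not the
// format of any real gateway product):
//   4 bytes sequence number | 2 bytes payload length | payload | 4 bytes CRC-32
const (
	headerLen  = 6
	trailerLen = 4
)

var (
	ErrMalformed = errors.New("frame truncated or length field inconsistent")
	ErrCRC       = errors.New("CRC-32 mismatch: frame corrupted in transit")
	ErrReplay    = errors.New("sequence number already consumed: duplicate or replayed frame")
)

// Sender sits on the Critical Network side. It only emits frames; none of
// its state depends on anything coming back, because nothing can.
type Sender struct{ next uint32 }

// Frame wraps one record (for example a sensor reading) with a sequence
// number and an integrity check.
func (s *Sender) Frame(payload []byte) []byte {
	buf := make([]byte, headerLen+len(payload)+trailerLen)
	binary.BigEndian.PutUint32(buf[0:4], s.next)
	binary.BigEndian.PutUint16(buf[4:6], uint16(len(payload)))
	copy(buf[headerLen:], payload)
	sum := crc32.ChecksumIEEE(buf[:headerLen+len(payload)])
	binary.BigEndian.PutUint32(buf[headerLen+len(payload):], sum)
	s.next++
	return buf
}

// Receiver sits on the Less Secure side. With no return path it cannot ask
// for retransmission, so it validates each frame and keeps account of what
// was lost, corrupted or replayed.
type Receiver struct {
	started  bool
	expect   uint32 // next sequence number we should see
	Lost     uint32 // frames missing from the sequence (unrecoverable over a diode)
	Dropped  int    // frames rejected as malformed or corrupted
	Replayed int    // frames carrying an already-consumed sequence number
}

// Accept validates a frame and returns its payload, or the reason it was rejected.
func (r *Receiver) Accept(frame []byte) ([]byte, error) {
	if len(frame) < headerLen+trailerLen {
		r.Dropped++
		return nil, ErrMalformed
	}
	n := int(binary.BigEndian.Uint16(frame[4:6]))
	if len(frame) != headerLen+n+trailerLen {
		r.Dropped++
		return nil, ErrMalformed
	}
	want := binary.BigEndian.Uint32(frame[headerLen+n:])
	if crc32.ChecksumIEEE(frame[:headerLen+n]) != want {
		r.Dropped++
		return nil, ErrCRC
	}
	seq := binary.BigEndian.Uint32(frame[0:4])
	if r.started && seq < r.expect {
		r.Replayed++
		return nil, ErrReplay
	}
	if r.started && seq > r.expect {
		r.Lost += seq - r.expect // a gap: nothing to do but record it
	}
	r.started = true
	r.expect = seq + 1
	return frame[headerLen : headerLen+n], nil
}

func main() {
	s, r := &Sender{}, &Receiver{}
	frames := [][]byte{
		s.Frame([]byte("tank1 level=71%")),
		s.Frame([]byte("tank1 level=72%")),
		s.Frame([]byte("tank1 level=73%")),
	}
	for i, f := range frames {
		if i == 1 {
			continue // simulate a frame lost on the one-way link
		}
		p, err := r.Accept(f)
		fmt.Printf("frame %d: payload=%q err=%v\n", i, p, err)
	}
	fmt.Printf("lost=%d dropped=%d replayed=%d\n", r.Lost, r.Dropped, r.Replayed)
}
```

The CRC only detects accidental corruption; it is not an authentication mechanism. If the receiving side must also be sure who produced the data, the same framing can carry a signature or MAC over the payload, computed on the Critical Network side, since the Less Secure side has nothing to contribute to the exchange.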
Figure 7. Production Remote Infrastructure Management (RIM) topology - with a unidirectional gateway
3. Summary
Critical Networks are the heart and soul of Critical National Infrastructures, which in
turn are high-end and attractive targets for cyber-terror and cyber-attacks.
Based on the potential damage that can be caused by a cyber attack on Critical
Networks, and taking into consideration the relatively low cost and simplicity of such
attacks, Critical National Infrastructures must secure their Critical Networks in order to
protect their assets.
There are a multitude of vulnerabilities and weak points in Critical Networks,
some of which require costly and complex solutions to protect or strengthen. However,
the entry points that are the most likely to be exploited – the connections to External
Networks – can be fully and sufficiently protected using physical unidirectional
gateways. The latter are a relatively simple and cost-effective solution that completely
eliminates the IT Security risks originating from connections to external Less Secure
Networks.
Modelling Cyber Security: Approaches, Methodology, Strategies 93
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-93
Abstract. In this article, we discuss the cyber security approach taken by ERDF
(Electricité Réseau Distribution France) as a preliminary step in its smart meters
deployment project. First, we focus on the emerging risks introduced by the new
technologies and their usages. Then, we explain how and why we have to define
high-level security objectives independently of the technical solutions, and
conclude by emphasising the committed involvement needed from the whole
metering community and supply-chain in order to achieve these objectives.
Keywords. Security, smart metering, SCADA, risk management, security
objectives
Cyber-security for industrial systems has recently been gaining a lot of attention, due to
the fact that such systems are getting more complex, interdependent, and
interconnected. Particular attention is given to Critical Infrastructure Protection such as
energy, transportation, telecommunications, or water, which are all monitored and
controlled by industrial systems. This is also the case for the electricity distribution
network.
A metering system is a central part of such an electric grid. In addition to
measuring electricity consumption, its role is to deliver electricity to end users,
including critical users such as hospitals or emergency services. It handles and
processes sensitive commercial and technical data, such as nominative information and
consumption data, or remote control meter commands such as electric power
modification.
ERDF, the main distribution subsidiary of EDF in France, is currently identifying
requirements for its pilot project of 300,000 smart metering points for its domestic
users in order to prepare for the potential general deployment in France of the system.
The system would enable a wide range of new services to be offered to the consumer
and new management capabilities made available to power utilities.
The metering world is changing dramatically due to its steadily growing reliance
on information technologies. This implies that there is a clear need for a more global
approach to cyber security. The challenge to balance the cost/benefit ratio, must take
the specifics of metering and the whole spectrum of the associated risks into account.
In this equation, the sheer number of meters, which have been distributed on a national
scale, has to be underlined; each euro spent is multiplied by tens of millions. The long
life span of such systems, typically 20 years, is another structuring fact, especially for
risk characterisation and security level continuity.
The metering system is very complex and consists of many different players
(solution providers, integrators, public regulators, meter builders, etc.). Complexity is
anathema to security: it usually takes too long and costs too much money to protect
94 P. Sitbon / A Cyber Security Approach for Smart Meters at ERDF
The security process aims at managing risks in accordance with the company’s
objectives. Since total security is not attainable, this means that our limited resources
have to be used efficiently and with purpose. Risk management is the process that helps
us to protect our critical assets and operations with proportional, coherent, and
verifiable measures, thus a balanced cost/benefit ratio. This process is a crucial tool in
the decision-making process; it allows us to conscientiously make trade-offs, state our
security posture, and choose the appropriate measures.
Security, like trust or assurance, could (and should) add real value to a company's
image and inspire confidence in stakeholders.
Since security is not a static state that is present or not present, we ought to define
security levels as a continuous cycle that constantly changes over time. Without a
proactive approach to security, the levels of security would rapidly decrease over the
lifetime of the system.
Products and technologies alone cannot solve security problems; they can only
provide security when used efficiently, through consistent and thoroughly defined
processes. We can mention two such processes:
• the business continuity planning process, which defines how to recover after a
disruption or disaster and how to restore the critical functions in order to keep
the business going;
• the incident management process, which describes how to log, record, and
resolve security incidents, including legal aspects and evidence management.
It is certain that security incidents will occur; we just don't know when they
will take place. Therefore, we must anticipate how such incidents will be
handled.
System design phases should cover technical and functional aspects, but also non-
technical ones, right from the start, that include considerations regarding people (e.g.,
responsibilities or organisational issues) and process dimensions.
In addition, new technologies come with new risks. Attackers are creative people;
they are constantly finding new ways to abuse the system. Moreover, as
aforementioned, because access to the meters is relatively easy, part of the system
providing security is located in the potential attackers’ hands, making it more
complicated to globally render the system less vulnerable.
There is a wide spectrum of threats that ranges anywhere from fraud and
competitors to cyber-terrorism. Malicious actions, such as the remote shutdown of
numerous meters, could lead to an economic disturbance, distrust within the society,
and even safety issues. The risks may be roughly classified as follows:
• Classical petty offenders, who are more concerned with lowering the bill and
stealing money, modify consumption indexes and tariffs to their own benefit.
There are no damages to the system apart from financial ones (easy physical
access);
• Organised crime targets consumption data, in order to alter or sell it. These
kinds of threat agents could also try to distribute or sell "cheat boxes" on the
Internet in order to automate fraud. The automatic collection of consumption
profiles of many users or particular users (VIP, etc.) could be interesting for
organised crime;
• Cyber-terrorism could have major impacts on the electric distribution network
and could lead to the disruption of electrical power to strategic areas,
impacting the economy and compromising safety.
There are already a few examples of cyber-attacks on metering systems, including
one that targeted the AMM (Advanced Meter Management) system of ENEL in Italy.
The method to change the tariff rate on the meter without paying the fee, of course, was
published on the Internet (cf. Fig. 1). ENEL has successfully responded to this threat,
but all actors in energy distribution are now warned that the cyber-threat is very real
and should be taken into account.
We cannot avoid these threats, nor can we eliminate all of the risks definitively.
What we can do is reduce the risks to an acceptable level. The approach we’ve used is
based on well-known best practices, like Common Criteria (ISO 15408) and EBIOS
(Expression des Besoins et Identification des Objectifs de Sécurité). EBIOS is a
risk management method used in numerous large projects in different sectors, for
example by the French Atomic Energy Commission and the Council of the European
Union. EBIOS was designed by the French DCSSI (Central Directorate for Information
System Security, an agency of the French government).
Our approach includes:
• Statement of security needs (according to the context), metering processes,
and challenges
• Threat and risk analysis
• Security objective definitions, according to the threats and assumptions. Those
objectives form the security policy of the Automated Metering System.
The risk management process used for the AMM system consists of the three-step
approach illustrated in Fig. 3:
Objectives:
• Sum up the technical, business and regulatory context
• Identify the essential elements, functions and information that constitute the
added value of the information system
• Essential elements are linked to a set of entities of various types: hardware,
software, networks, organisations, human resources and sites
ERDF example:
• Target: AMM Information system
• Context: business, regulatory, technical, etc.
• Essential elements:
o Detection of low voltage incidents,
o Supervision of the communication chain,
o Local actions on the meter, etc.
• Entities:
o Hardware: meters, concentrators, servers, etc.
o Software: firmware, applications, etc.
o Sites: MV/LV transformers, meter sites, etc.
2.2. Step 1 – State the sensitivities to threats of the assets that need protection
Figure 5. Step 1 – state the sensitivities to threats of the assets that need protection
Objectives:
• The sensitivity of each essential element to threats must be expressed
• Expression is based on various security criteria such as availability, integrity
and confidentiality
• If this sensitivity is not covered, there will be an impact on the organisation
ERDF example:
We begin by focusing on critical assets that would need protection. This step
involves interviews with the individuals that are responsible for each business process.
The covered topics include the description of the business process and the security
sensitivity of the process. The level of sensitivity is broken down using criteria such as
CIA (Confidentiality, Integrity, and Availability) and an additional criterion which is
Accountability (proof of responsibility for an action). In this analysis, we focused on
the potential impact a malevolent action would have.
2.3. Step 2 – Study the threats in the environment – “there are threats to my assets”
Objectives:
• Identify the main threat agents
• Identify the vulnerabilities of the components
• Identify the attack methods and scenarios
ERDF example:
There are 688 vulnerabilities defined in the EBIOS method. We adapt the method
to suit our needs.
For example, according to the “no authenticity guaranteed” attack method, we
have vulnerabilities, such as “use resource without accountability” or “no
authentication of source or destination”.
These threats to the identified assets are categorised before performing a risk
analysis: the probability (likelihood of the risk) and impact (consequence if the risk
occurs) of attacks are evaluated in order to define risk levels. It is then stated what the
acceptable level of risk is (cf. step 3).
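As an added illustration of steps 2 and 3 (written for this edition, not taken from the paper or from the EBIOS tooling), the Go program below keeps a small risk register in the terms the method uses: each line links an essential element and the security criterion that is sensitive to the attack method and vulnerability that threaten it, rates likelihood and impact on a four-point scale, and derives a risk level. It then filters the register against the stated acceptable level and reports which of the remaining risks no security objective yet shields. The scales, the thresholds, the ratings, and the register entries that are not quoted from the paper ("Eavesdropping", "Saturation" and their vulnerabilities) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is a four-point scale used for both likelihood and impact. EBIOS lets
// the organisation choose its own scales; this one is an assumption.
type Level int

const (
	Low Level = iota + 1
	Moderate
	High
	VeryHigh
)

// Risk is one line of the register: the essential element and the criterion
// (C, I, A, Accountability) that is sensitive, the attack method and the
// vulnerability through which a threat agent could affect it, and the two
// evaluated factors.
type Risk struct {
	Element       string
	Criterion     string
	AttackMethod  string
	Vulnerability string
	Likelihood    Level
	Impact        Level
}

// Score is likelihood x impact, from 1 to 16.
func (r Risk) Score() int { return int(r.Likelihood) * int(r.Impact) }

// Band labels a score; the thresholds are an assumption for the example.
func Band(score int) string {
	switch {
	case score >= 12:
		return "critical"
	case score >= 8:
		return "high"
	case score >= 4:
		return "medium"
	}
	return "low"
}

// Unacceptable returns the risks scoring above the level management has
// declared acceptable, highest first: each must be covered by an objective.
func Unacceptable(register []Risk, acceptable int) []Risk {
	var out []Risk
	for _, r := range register {
		if r.Score() > acceptable {
			out = append(out, r)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score() > out[j].Score() })
	return out
}

// Objective names what it protects: one element and the criterion shielded.
type Objective struct {
	Name      string
	Element   string
	Criterion string
}

// Uncovered lists the unacceptable risks that no objective shields, which is
// the gap step 3 has to close before the security policy is complete.
func Uncovered(risks []Risk, objectives []Objective) []Risk {
	covered := map[[2]string]bool{}
	for _, o := range objectives {
		covered[[2]string{o.Element, o.Criterion}] = true
	}
	var out []Risk
	for _, r := range risks {
		if !covered[[2]string{r.Element, r.Criterion}] {
			out = append(out, r)
		}
	}
	return out
}

// SampleRegister is a constructed register. The first two lines reuse the
// attack method and vulnerabilities the paper quotes; the others, and all the
// ratings, are invented for illustration.
func SampleRegister() []Risk {
	return []Risk{
		{"Remote power modification order", "Integrity", "No authenticity guaranteed", "No authentication of source or destination", VeryHigh, VeryHigh},
		{"Local actions on the meter", "Accountability", "No authenticity guaranteed", "Use resource without accountability", High, High},
		{"Consumption data collection", "Confidentiality", "Eavesdropping", "Data readable on the communication chain", High, Moderate},
		{"Detection of low voltage incidents", "Availability", "Saturation", "Concentrator accepts unlimited reports", Moderate, Moderate},
	}
}

func main() {
	objectives := []Objective{{"Protection of critical orders", "Remote power modification order", "Integrity"}}
	high := Unacceptable(SampleRegister(), 6) // 6 = acceptable level stated by management (assumed)
	for _, r := range high {
		fmt.Printf("%-8s %2d  %s / %s via %q\n", Band(r.Score()), r.Score(), r.Element, r.Criterion, r.Vulnerability)
	}
	for _, r := range Uncovered(high, objectives) {
		fmt.Printf("no objective yet covers: %s / %s\n", r.Element, r.Criterion)
	}
}
```

Run with the sample data, the remote order scores 16 and local meter actions 9; the other two lines fall at or below the acceptable level and are simply accepted and recorded. Only the first of the two unacceptable risks is shielded by the "Protection of critical orders" objective, so the accountability of local actions is reported as still uncovered, which is exactly the kind of finding that drives the definition of a further objective.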
Objectives:
• Determine how the essential elements can be affected by the threat agents
(risk)
• Threat agents can affect the essential elements by using a given attack
method to exploit their vulnerabilities
• The security objectives mainly consist in shielding any vulnerabilities from
the entities that represent what are considered to be the existing risks
ERDF example:
Our goal is to state our security objectives without specifying the technical
solutions. These objectives constitute the long-term security policy.
In order to illustrate the methodology, two macroscopic security objectives have
been identified for ERDF's future Smart Meter System:
• Protection of critical orders (authenticity, integrity and non-repudiation).
Critical orders, such as changing the electrical power subscription or targeted
curtailment, should definitely be secured by using strong security mechanisms
(with regard to the identified threats and attack scenarios):
o to authenticate the sender,
o to verify that there is no unwanted modification, and
o to make the sender responsible for his actions.
• "Evolution". Keeping in mind that the metering system components will need
to be upgraded during their long life, the ability to upgrade these components'
firmware, software, or application has to be an essential and inherent feature
of the system. Since new security functionalities could also become useful in
the future, the upgrade could be used to integrate those new functionalities.
This upgrade process itself ought to be secured!
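The two objectives above, protecting critical orders and securing the upgrade path, come down to the same primitive: a digital signature that the meter verifies against a public key it trusts. The Go program below is an added example for this edition, not ERDF's design and not code from the paper; it uses Ed25519 from Go's standard library. The message layout, the field names, the meter identifier and the firmware image are constructed assumptions. Three details carry the three properties the first objective names: the encoding is length-prefixed so that a valid signature cannot be reinterpreted over differently split fields (integrity); a per-meter counter makes an old signed order unusable a second time (authenticity that holds over time); and the meter keeps an audit record of every accepted order together with its signature (accountability). The operation centre key and the manufacturer key are distinct, so the key that issues orders cannot push firmware and vice versa, and the upgrade path refuses images older than the one installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Order is a critical command for one meter. The layout is an assumption for
// this example; the paper does not describe ERDF's real order format.
type Order struct {
	MeterID string
	Command string // e.g. "SET_POWER_LIMIT" or "CURTAIL"
	Arg     uint32
	Counter uint64 // strictly increasing per meter, so an old signed order cannot be replayed
}

// FirmwareImage is what the upgrade path receives (also constructed).
type FirmwareImage struct {
	Version uint32
	Payload []byte
}

var (
	ErrWrongMeter = errors.New("order is addressed to another meter")
	ErrBadSig     = errors.New("signature does not verify under the pinned key")
	ErrReplay     = errors.New("counter is not newer than the last accepted order")
	ErrRollback   = errors.New("firmware version is not newer than the installed one")
)

// encode is length-prefixed, so the signed bytes cannot be re-split into a
// different (MeterID, Command) pair that still verifies.
func (o Order) encode() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%d", len(o.MeterID), o.MeterID, len(o.Command), o.Command, o.Arg, o.Counter))
}

func (f FirmwareImage) encode() []byte {
	return append([]byte(fmt.Sprintf("%d|%d:", f.Version, len(f.Payload))), f.Payload...)
}

// Signing happens at the operation centre (orders) and at the manufacturer
// (firmware); the meter only ever holds the corresponding public keys.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}
func SignOrder(priv ed25519.PrivateKey, o Order) []byte { return ed25519.Sign(priv, o.encode()) }
func SignFirmware(priv ed25519.PrivateKey, f FirmwareImage) []byte {
	return ed25519.Sign(priv, f.encode())
}

// Meter pins two public keys and keeps what it needs to refuse replays and
// downgrades and to account for every order it acted on.
type Meter struct {
	ID          string
	OpCentreKey ed25519.PublicKey // who may issue orders
	VendorKey   ed25519.PublicKey // who may sign firmware
	FWVersion   uint32
	lastCounter uint64
	Audit       []string // accepted orders with their signatures: the accountability record
}

// Execute checks addressee, signature and counter, in that order.
func (m *Meter) Execute(o Order, sig []byte) error {
	if o.MeterID != m.ID {
		return ErrWrongMeter
	}
	if !ed25519.Verify(m.OpCentreKey, o.encode(), sig) {
		return ErrBadSig
	}
	if o.Counter <= m.lastCounter {
		return ErrReplay
	}
	m.lastCounter = o.Counter
	m.Audit = append(m.Audit, fmt.Sprintf("%s(%d) counter=%d sig=%x", o.Command, o.Arg, o.Counter, sig[:8]))
	return nil
}

// Upgrade verifies under the manufacturer key and refuses downgrades.
func (m *Meter) Upgrade(img FirmwareImage, sig []byte) error {
	if !ed25519.Verify(m.VendorKey, img.encode(), sig) {
		return ErrBadSig
	}
	if img.Version <= m.FWVersion {
		return ErrRollback
	}
	m.FWVersion = img.Version
	return nil
}

func main() {
	opPub, opPriv, _ := GenerateKeyPair()
	vendPub, vendPriv, _ := GenerateKeyPair()
	m := &Meter{ID: "M-0001", OpCentreKey: opPub, VendorKey: vendPub, FWVersion: 1}
	o := Order{MeterID: "M-0001", Command: "SET_POWER_LIMIT", Arg: 6, Counter: 1}
	sig := SignOrder(opPriv, o)
	fmt.Println("first order:", m.Execute(o, sig), "| replayed order:", m.Execute(o, sig))
	img := FirmwareImage{Version: 2, Payload: []byte("constructed image bytes")}
	fmt.Println("vendor-signed upgrade:", m.Upgrade(img, SignFirmware(vendPriv, img)))
	fmt.Println("operator-signed upgrade:", m.Upgrade(img, SignFirmware(opPriv, img)))
	fmt.Println("audit:", m.Audit)
}
```

A signature gives the non-repudiation the objective asks for, which a MAC keyed with a secret shared between the operation centre and the meter could not: with a shared secret the meter itself could have produced the order. Key provisioning at manufacture, key rotation across the 20-year lifetime and revocation are what this sketch leaves out, and they are precisely where the supply-chain involvement the paper calls for comes in.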
Objectives:
• Specify the required security functionalities
• Demonstrate that the security objectives are perfectly covered by these
functional requirements
• Specify assurance requirements to allow the required level of confidence to
be obtained and then demonstrated
ERDF example:
We want to state our security objectives without specifying the technical solutions.
These objectives constitute the long-term security policy and should reduce all possible
risks.
Security objectives must not depend on technologies. For example, if, for technical
reasons, classical telecom lines are used instead of mobile phone communications or
any other wide area network technology, the security objectives should remain the same.
If the data is confidential when transmitted over those lines, the same data is of course
still confidential when transmitted over other media.
Those objectives have to be stated clearly, even if there is not an adequate
technological answer to fulfil them today. Long-term objectives must be addressed; a
new technology or product could appear from one moment to the next and be the
answer to our needs.
We only state our security objectives and what we believe to be an acceptable level
of risk. The technical requirements and solutions to achieve our security policy are
handled by the solution providers.
When accomplishing the security objectives, one should never forget that the
security chain is only as secure as the weakest link. Each link has to be taken into
account; this includes operators performing actions on the Information System, local
and wide area networks, meters, etc. Tightening security measures can happen on
different levels, including technical, human (education, training, and awareness), and
procedural levels. In fact, it is crucial that none of these dimensions should be
forgotten.
As illustrated in Fig. 11, all components have to be considered, from smart meters
to the metering Information System, including network communications. An attack
could occur against every element of the chain, from equipment to data or orders,
through the supervisory and operation centre.
All actors, from constructors to public regulators, have an important role to play in
ensuring the cyber-security of the supply chain in metering systems.
Conclusion
Security objectives should be clearly stated, without specifying any technical solution,
in order to protect our critical assets against thoroughly identified risks. Options should
be kept open, in order to leave opportunities for future potential evolutions. The
management support is essential throughout the whole process. All of this work has to
be done before the metering system is designed. More generally, all metering actors,
utilities, regulators, solution providers, manufacturers, and integrators, will have to be
involved in a global security approach that allows for experience and knowledge
sharing. The earlier this is done, the better.
Abstract. This study presents a new and unique perspective -- the marketing
perspective -- to analyse and increase our understanding of the global terror
phenomenon. Based on a quantitative-statistical content analysis of the
statements of Al-Qaeda's leaders, I examined how a global terror organisation,
such as Al-Qaeda, markets itself using the international media and the Internet
between the years 2000-2008.
The findings reinforce the idea that Al-Qaeda's leaders consciously adopt a
nihilistic-destructive approach and aim to destroy the "other" world, which it
views as a world that is not a "pure" and "authentic" Islam, from its point of
view. They encourage the willingness to kill and to die in the name of God and
emphasise that the Jihad activists are their primary agents for cultivating and
distributing the "martyrdom culture". Furthermore, Al-Qaeda and its partners
utilise the Internet not only to intensify its power and radicalise the strength of
the Jihadi image, but also to empower its worldwide strategic threat. By
knowing "our enemy" and its uncompromising ideology and strategy, we can
actively help to confront Al-Qaeda today, with counter-marketing-warfare and
undermine its discourse.
Introduction
This study presents a new and unique perspective, the marketing perspective, for
analysing and increasing our understanding of the global terror phenomenon. Although
radical movements have been previously perceived as irrational ideological zealots by
the West, my results demonstrate that Al-Qaeda currently acts as a rational actor, and
thus can be examined using rational models and theories [1]. Therefore, once we have
rationalised the actions of Al-Qaeda, we can improve our comprehension of how to
counteract the global jihad group and reduce its influence and worldwide threat by
employing marketing warfare tactics.
Al-Qaeda leaders and supporters, who strive to influence "the hearts and minds" of
the Muslim population around the world, use the resources of the Internet to promote
and distribute its vision, ideology and policy, as well as its militant messages and
values. Motivated by militant ideology, their objective is to position a powerful image
of the organisation and its actions into the “awareness” of the public opinion, and
thereby, influence the worldwide political and communications agenda.
Marketing, in essence, deals with and concentrates on influencing public opinion
[2]; for militant organisations such as Al-Qaeda, efforts to persuade and convince the
masses can be "translated"/modelled into marketing terms and tools. An example of
this is the use of a destructive approach and coercion tactics to distribute and promote
their vision, policy etc.
1 I am grateful to the Netvision Institute for Internet Studies (NIIS). I am particularly grateful to Prof. Shaul
Mishal and to Prof. Alex Mintz, and for the comments made here by Prof. Niv Ahituv.
Address correspondence to Anat Hochberg-Marom, Tel Aviv University, Israel. E-mail:
anathoch.mr@gmail.com
110 A. Hochberg-Marom / Al-Qaeda: Its Global Marketing Strategy
There is no doubt that for the global jihadists, the Internet is an important tool to
be implemented as a form of "soft power"; Al-Qaeda and its partners utilise the cyber
arena in the "war of ideas" in order to inflame millions of readers and viewers, and
transform a large number of them into militants and even suicide bombers [3]. How
does Al-Qaeda promote and distribute Global Jihad on the Internet, so that it becomes
so very attractive to the masses (including non-religious and non-Muslim people all
over the world)?
While most studies deal with defence strategies that are designed to block potential
cyber attacks, my research presents a totally different approach and methodology to
analyse and confront the global terror phenomenon. In the research, I conducted a
quantitative-statistical content analysis of the statements made by Al-Qaeda's leaders,
using DVD/video recordings (containing approximately 3,500 minutes of airtime) that
have been released over the international media channels and the Internet between
2000 and 2008. By implementing a universal marketing model (see note 2) on Al-Qaeda
recordings, and by analysing Bin Laden's and Zawahiri's statements, I was able to
thoroughly examine their ideology and strategy as well as the patterns of their actions.
My aim was to reveal some practical insights. The results are briefly described below.
Empirical results strengthen the common view that the Jihad is perceived by Al-Qaeda
as the highest religious value (rated 41%) and described by Bin Laden and Zawahiri as
the political objective and military tool used to advance and distribute its perception of
the world. "Ummah", in Arabic, literally means a "nation" but can also mean a
"universal community"; this, in Al-Qaeda's view, is a global Islamic civilisation.
However, this concept surprisingly has the lowest frequency among favourable
religious values, with a rating of only 25%. This is the opposite result to what we had
anticipated. In fact, we would have expected that for Al-Qaeda leaders, who often
claim to defend Islam from Western hegemony, a universal value would be the primary
tool for consolidating and intensifying the unity and solidarity among worldwide
Muslim populations.
In addition, Bin Laden and Zawahiri do not mention any political program for
constructing a nation based on any specific model. This is a clear indication that the
leaders of Al-Qaeda are selling an image rather than a concrete ‘product’ and are
exploiting the hopes, desires and weaknesses of people as a means to another end.
From a marketing perspective, we can generally infer that, although they call for
building a universal caliphate, their "constructivist" approach is implemented by negative
orientation and coercion tactics; this includes killing anyone who is perceived to be an
"infidel" or "apostate" from their perspective, including their Muslim "brothers" who
do not adhere to their "pure" Islam. Furthermore, the above findings reinforce the idea
that Al-Qaeda's leaders are not only motivated by a non-constructivist approach, but
they also consciously adopt a nihilistic-destructive approach, aiming to cause political-
social anarchy and impose a "pure" and "authentic" Islam.
2 The Marketing model is known by the abbreviation "4P's". It argues that marketing strategy is determined
by four attributes: Product, Price, Promotion and Place. McCarthy, E. Jerome: Basic Marketing, Irvin
Homewood, IL. 1960; Kotler, Philip and Andreasen R. Alan, Strategic marketing for nonprofit organizations,
Pearson/Prentice Hall, Upper Saddle River, NJ, 2003
Empirical findings reinforce the idea that, for Al-Qaeda, participation in Jihad and self-
sacrifice (i.e., committing suicide) is a matter of strength that stems from having a
strong faith and devotion, as opposed to the Western claim, that it is a matter of
weakness and a "nothing-to-lose" position. "Price" for Al-Qaeda followers/supporters,
is framed by the willingness to sacrifice the present comfortable life and lifestyle
(including family, social connections, status at work, wealth etc.) for the "hereafter"
and the collective virtue.
It is interesting to note that in their statements, Bin Laden and Zawahiri, who use
religious and psychological incentives to encourage sacrifice, emphasise the need to
have a strong "belief-in-God" and a great sense of power; they glorify personal
characteristics such as determination, courage, decisiveness and above all, the
willingness to kill and to die for the sake of God, contrary to the "desire-for-pleasure",
as is perceived to be common in the West, for the sake of the individual.
From this perspective, it is reasonable to infer that Jihad appeals to young people
around the world, who want to express their courage and leadership no matter what
religion, nationality or language background they come from. Furthermore, by its
aggressive-destructive approach, Jihad inspires and empowers young people to act and
to take risks. In this way, when they are given the chance to actively participate in a
cause or feel they have some control over their destiny, they consequently feel that they
have fulfilled their sense of power and desire for eternal life as a martyr/"shaheed".
On-line D'awa/education for Al-Qaeda is the most popular form of promotion used
(rated 55%) to clarify and glorify the advantages achieved from adherence to religious
values. Bin Laden and Zawahiri strive to influence the perceptions, opinions and
beliefs of Muslims. They do this by using different rhetorical devices and wording that
combine political rhetoric as well as Islamic symbols and narratives to describe the
"crisis of values" of Islam and the urgent need to act [4]. While they rationally and
emotionally apply different messages to differing target audiences, they arouse and
reinforce feelings such as hate, humility and fear that are diverted towards fuelling an
active Jihad (both physical and virtual) against the West.
Moreover, it is important to remember that the term Jihad is perceived differently
by the West than by Al-Qaeda and extremist Muslim groups. In the West, Jihad is
understood and narrowly perceived to be a “holy war”. For Al-Qaeda’s leaders,
however, Jihad is a total and eternal military struggle that is identified with the victory
of the spiritual over the materialistic and, therefore, a victory of Islam over the West.
Utilising Western virtual capabilities against Western values, on-line D'awa
enables Al-Qaeda to intensify its power and radicalise the strength of the "Jihadi"
image, not only for those who participate in the virtual "war of ideas", but also for the
worldwide population outside the net.
More importantly, in the absence of regulation and control, the cyber arena enables
the development of an independent Global Jihad discourse that is characterised by a
contextual meaning and identity. Thus, we can infer that the significance of the on-line
D'awa for Al-Qaeda is not only the empowerment of its activity and status, but also its
worldwide strategic threat. Furthermore, in my opinion, in the Internet era, Jihad has
become a popular "global trademark" that no longer depends on any specific
organisation or leader (such as Al-Qaeda and Bin Laden respectively), and it is
therefore more dangerous than the common perception in Western discourse on the
subject would suggest.
4. How Does a Global Terrorist Organisation Distribute its Messages and Values ("Place")?
The next question that I examined was: "who are the agents that practically distribute
non-tangible assets, such as the Global Jihad of Al-Qaeda"? In a religious collectivist
society, such as Islam, it is accepted that religious scholars are the mediators between
the holy and the worldly. They are the main channels through which religious values
and messages are distributed. However, Bin Laden and Zawahiri, who tend to resist
religious authority (i.e., the institutional 'Ulema'), have developed an alternative
distribution channel, namely, independent religious scholars. These last assume
responsibility for distributing Al-Qaeda’s ideology and perceptions.
Nonetheless, based on empirical evidence, Al-Qaeda leaders emphasise that the
Jihad activists (rated 61%, which is the highest rating) are their primary agents used to
cultivate and distribute the "martyrdom culture", and who also use terror activity to
impose their "true" Islam. From an Al-Qaeda point of view and as derived from a
religious decree (i.e., "tawhid"/the "oneness" of God), Jihad activists are perceived as
the most faithful believers, who are obligated to distribute the global Islamic message.
Moreover, since they are the expression of such strong faith and total fidelity to God,
the Jihad activists are glorified as the ideal model for "Jihad activity", and because of
this, they are willing and determined to sacrifice their lives to the cause.
From this perspective, we can currently deduce that, in the eyes of Bin Laden and
Zawahiri, extremist young Muslims are considered to be militant "weapons" against the
West and its supporters (who are perceived to be "infidels") and not the peaceful future
generation. Therefore, based on the above as well as on other empirical findings, there
is strong evidence that Al-Qaeda is not aspiring to construct and consolidate the
Muslim world, but is motivated by a militant-nihilist approach with the intent to
destroy the "other" world that, from its point of view, is not Islamic.
Conclusion
By knowing "our enemy" and its uncompromising ideology and strategy, we can
actively help to confront Al-Qaeda today by applying techniques of counter-
marketing-warfare in order to undermine its discourse; when appealing to young
Muslims in particular, we ought to emphasise the importance of choosing a peaceful
and constructivist approach to life rather than destructiveness and darkness.
Through the proactive use of the internet, and more specifically with tools of
promotion, the West, and in particular Europe, can counteract Al-Qaeda's attractiveness
and positively influence "the hearts and minds" of the future Muslim generation.
Particular attention should be dedicated to the Muslim citizens of Europe.
A. Hochberg-Marom / Al-Qaeda: Its Global Marketing Strategy 113
References
[1] Walid Phares, The War of Ideas: Jihad against Democracy, Palgrave Macmillan, New York, 2007.
[2] Philip Kotler and Kevin Lane Keller, Marketing Management, Pearson/Prentice Hall, Upper Saddle River, NJ and London, 2009; Alan R. Andreasen and Philip Kotler, Strategic Marketing for Nonprofit Organizations, Prentice Hall, Upper Saddle River, NJ, 2003.
[3] Walid Phares, The War of Ideas: Jihad against Democracy, Palgrave Macmillan, New York, 2007; Reuven Paz, "Reading Their Lips: The Credibility of Jihadi Web Sites as 'Soft Power' in the War of the Minds", PRISM Series of Special Dispatches on Global Jihad, vol. 5/5 (2007), at: http://www.e-prism.org/images/PRISM_no_5_vol_5_-Reading_Their_Lips_-_Dec07.pdf
[4] Olivier Roy, Globalized Islam: The Search for a New Ummah, Columbia University Press, New York, 2004; Rohan Gunaratna, Inside Al Qaeda: Global Network of Terror, Columbia University Press, New York, 2002; Gilles Kepel, The War for Muslim Minds: Islam and the West, Belknap Press of Harvard University Press, Cambridge, MA, 2004; Marc Sageman, Understanding Terror Networks, University of Pennsylvania Press, Philadelphia, 2004.
114 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-114
Abstract
The complex relationship that exists between Islam and the Western
world makes it necessary to enlist an increasing number of people who are capable
of understanding these two cultures and of mediating between them. The Islamic
world, in all its variety and diversity, becomes even more complex when it enters
the West through immigration, where immigrants no longer have a purely
superficial physical contact with the Western world, as was the case throughout the
whole of the colonial period, but live within it. It is often the case that the products
of both societies do not integrate, but tend to dis-integrate, not knowing to which
world they belong. People using religious symbolism to pursue political ideas,
opting for terrorism as their means of struggle, are able to exploit this sense of
searching for an identity. This type of exploitation avails itself of the multiplier
effect of the virtual world to bolster support; but without an adequate
counterweight, this can cause damage which, while not irreparable, can impair our
complex societies. This paper takes a fresh approach to counter this phenomenon
which could prove to be extremely effective when contrasting this quest to enlist
support.
Introduction
Contemporary conflicts, whatever their nature, are not only being fought out in the real
world, but also in the virtual world, for operational, logistical and “marketing”
purposes, particularly, in the latter case, through a propaganda mechanism which can
lead to recruitment and indoctrination.
The potential the Internet offers for achieving these aims initially seemed to be
fairly limited. Wiktorowicz,1 for example, maintained that before people took part in
acts of violence they had to undergo a long process of “socialisation”; Sageman wrote
that:
“for the type of allegiance that the jihad demands, there is no evidence that
the Internet is persuasive enough by itself”.2
While the opinions voiced only a few years ago were well-founded, and to a large
extent are still valid today, they obviously could not take into account the degree to
which the Internet is now able to contract time and space.
There are, however, a number of scholars who believe that the important part that
the Internet plays in recruitment is bound to increase.
1 Wiktorowicz, Quintan, “Joining the Cause: Al-Muhajiroun and Radical Islam”, Department of International
Studies, Rhodes College, at http://www.yale.edu/polisci/info/conferences/Islamic%20Radicalism/papers/wiktorowicz-paper.doc
2 Sageman, Marc, Understanding Terror Networks, University of Pennsylvania Press, Philadelphia, 2004.
A.G. Monno / A New Paradigm for Countering Jihadism 115
In his book, “On Intelligence”,3 Robert Steele predicted that there would be greater
recourse to open sources in which the Internet would play a paramount role in the
optimum management of Intelligence.
Neumann has written that:
“….it would be a mistake to brush aside or ignore these instances of self-
recruitment merely because they do not fit with long established views about
group dynamics and the importance of social bonds. It is easy to forget how
quickly the Internet has evolved, and it may well be the case, therefore, that
widely held assumptions will have to be reassessed as the new medium
continues to change the way in which we communicate”. 4
In operational terms, the November 2008 Lashkar-i-toiba terrorist operation, carried
out in Mumbai, demonstrated the essential role of the Internet and modern technology.
But apart from the operational applications, I would like to focus my attention on
the phases of both the enlistment of support and of recruitment – particularly in the
Western world – by the organisations that draw their inspiration from so called jihadist
theories, and on an innovative potential means of combating them, which as far as I
know has never been tried.
In a special report published in March 2004 by the “United States Institute of Peace”,
entitled “www.terror.net: How Modern Terrorism Uses the Internet”, Gabriel
Weimann examined the various possibilities provided by the virtual world that could
be exploited by all organisations, many of which are considered to be
terrorist groups, to attain their ends.
These possibilities consist above all of:
Spreading their ideology and view of society and the world to attract support;
Challenging ideologies and policies at odds with their own;
Recruiting people in several stages initially by merely attracting people
interested in or feeling sympathy towards an idea or ideal, and gradually
leading to all-out active involvement;
Extolling their own actions and consequently building up myths, while decrying
everything done by the adversary.
Using the Internet, these groups put forward what Professor Anat Hochberg-
Marom has called “the marketing perspective” and, following standard marketing
practice, most of their activities are performed in virtual mode.
The Western mind often underestimates the importance of the modern mass media
and propaganda in the Islamic world, despite daily events that demonstrate the
contrary.
Khomeini’s revolution, whose ideas were propagated above all through sermons
distributed on audiocassettes, as well as images broadcast on al Manar (Hezbollah's
TV network) or al Aqsa TV (Hamas’s network), and videos broadcast over the Internet
on sites linked to the jihadist world, show that the Islamic world has certainly not
remained aloof from modernisation or using the most common communications tools.
Anyone who thinks that the style of these messages lacks communicative effectiveness
would fall into what Edward Said denounced as “Orientalism” – the wholly Western
capacity to apply thought patterns that might work well, albeit not even everywhere,
for the average Western culture and are considered to be superior, without taking into
account the fact that the vast majority of the world’s population has other cultural
archetypes.
3 Robert Steele, On Intelligence: Spies and Secrecy in an Open World (AFCEA, 2000).
4 Peter R. Neumann, Joining Al Qaeda: Jihadist Recruitment in Europe, Adelphi Paper 399, Routledge for
the International Institute for Strategic Studies, London, 2008.
1. The Reality of the Islamic World and its Relations with the West
Although due account must be taken of the fact that democracy, as it is understood in
the West, is certainly not part of the tradition of most countries in the Islamic world,
one might raise the issue of the responsibilities of the colonial and imperial powers in
this regard. But this would fall outside the scope of this paper.
It is important to remember that only one in five of the almost one and a half
billion Muslims in the world live in regions that the West views as typically Islamic,
that is to say, in places from which the message of Muhammad was propagated; most
Muslims live in Asia and Africa, while many millions have now settled in the Western
world.
From the ethnic, social and religious points of view, the Muslim world is not
monolithic. In addition to the well-known difference between Shi'ites and Sunnis, there
are also numerous other distinctions within both these branches of Islam.
The difference between the Twelver and the Fiver Shi'as, the presence of the
Isma’ili sects within the Shi'ite world (from which the noted Hashshashin originated), to
mention but a few, and the numerous differences amongst the Sunnis, including those
of the four leading legal schools, each of which is linked to a cultural and ideological
archetype and present in different areas of the Sunni world, underlie the complexity of
this subject.
Furthermore, the message of Muhammad envisaging the establishment of a new
society united by new bonds of solidarity – the Ummah – intended to replace the
previously existing tribal ties never came into being in practice, except within the
Islamic imaginary. Even the much-lauded period under the leadership of the “Rightly
Guided Caliphs”, or the al-Khulafa ar rashidun, the first four caliphs, successors of
Muhammad, should be viewed with a certain detachment, considering that three of
these caliphs died violent deaths which, if nothing else, suggests a certain degree of
internal strife.
For Muslims, Islam is a unicum in which it is meaningless to try to distinguish
between the legal and the moral spheres, both of which have their origins in the Sharia,
the path revealed by God, whose founding pillars are the Qur’an and the Sunnah of the
Prophet.
Since Islam has no priestly class as a mediating authority between man and God, a
relationship which Muslims consider to be direct, no-one has ever been seen as the
depositary of the orthodox interpretation of Islamic truth.
In Islam, those the Western world equates with its concept of clergy are, in reality,
interpreters, responsible for safeguarding the dogma, rituals and law of Islam, and for
making decisions regarding the lawfulness of new ideas and theories. Due to the
extreme complexity of the revealed language, over time the roles of the ulama and the
fuqaha, or religious scholars and experts in sharia law in general and in fiqh in
particular, came into being.5 As Khaleel Mohammed has put it, “Even for native Arabic
speakers, the Qur’an is a difficult document. Its archaic language and verse structure
are difficult hurdles to cross”.6 This function, of interpreting and safeguarding, has
been of enormous importance throughout the Islamic world, legitimising, de facto, the
role of these ulama and fuqaha as leaders of the various communities in return for
protection and patronage.
5 It is important to note that fiqh may be considered a part of Islamic jurisprudence in that it complements
sharia law. Given its nature, fiqh has developed and evolved over time.
It should be recalled that the greatest peril that the Islamic community can face is
fitna, the splitting of the community. According to traditional Islamic teaching, it is
preferable to accept the lesser evil of a usurper as the leader of the community than to
permit internecine strife within the community. In time this results in the acquiescence
of the people to the status quo.
Language is another factor which helps to increase the structural diversity of the
various Islamic communities.
Contrary to what is sometimes thought, although classical Arabic was the language
used for revealing the Qur'an, which must be maintained and memorised in that
language, it does not perform any other bonding functions to hold the Islamic world
together. For example, it is impossible for Muslims from Pakistan, Albania, Indonesia
and Nigeria to hold a conversation because of a lack of widespread familiarity with
spoken classical Arabic.
One can therefore well imagine what happens when all this is transferred to the
Western world, where millions of Muslims live as members of religious and ethnic
minorities, initially stemming from a colonial past and subsequently from immigration
and globalisation.
According to classical Islamic theory, living in the lands known as dar al harb
(house of war) or at most dar al hudna or dar al suhl (house of the truce) is a negative
condition for Muslims. This condition may, in principle, be considered temporary,
because it is impossible in such places to fully deploy the Islamic identity, which
entails membership of the ummah (the Islamic community).
Over the years, in order to preserve and not lose their customs and traditions and
not to feel dispossessed, the Islamic communities in the West have had to adjust to their
situation by looking to their places of origin as benchmarks.
Since these communities have never really been accepted into the Western world,
they have become inward-looking in order to survive.
The Muslim presence in Western Europe, which was rare until the dawn of the
19th century, began to gain ground in the colonial period. The First World War led to a
sharp increase in the Muslim population because of the need for labour, in addition to
their use as an instrument of war as such. Some 72,000 Muslim colonials died for
France, and between 45,000 and 75,000 died for Britain. By the end of 1918, there
were officially 59,088 North Africans living in France. By 1929, this number had
increased to 69,800, and to 102,000 by 1931. In the United Kingdom, there were between
10,000 and 20,000, in addition to several hundred converts.7
In both these Western countries, which were driving forces of Western colonialism,
the Muslim identity was defended through such sufi orders as the Alawiya, and through
the penetration of the two leading schools of thought already present in India, the
Barelwi and the Deobandi, which propagated different ideas but shared the need to
come to terms with a situation in which the Islamic religion had ceased to be dominant
and had become a minority faith. These schools were therefore committed, with
differing perspectives, to preserving the Islamic identity.
6 http://www.meforum.org/717/assessing-english-translations-of-the-quran
7 Clayer, Nathalie and Germain, Eric (eds.), Islam in Inter-War Europe, Hurst, London, 2008.
The Second World War not only made use of the colonies’ military personnel,
labour force and resources, but it also brought the war, the ideologies and the armies
into the Muslim world, from Africa to Asia, with great loss of life; one-half of the
Indian forces used by the United Kingdom in the Second World War came from one
region of India alone, the Punjab, which was overwhelmingly Muslim.
On a purely personal note, I should like at this point to recall the sense of
community that one experiences in seeing Christians from Britain, New Zealand, South
Africa and Australia, Muslims from India and Jews, who fought with the Jewish
Brigade, resting together in the British Military Cemetery at Camerlona (Ravenna-
Italy).
In the post-war period, political ideologies and a heightened self-awareness in the
colonial world, driven by veterans such as the Algerian ben Bella, eventually led to the
collapse of the European colonial powers, which were embroiled in conflicts in which
the resources of the immigrants and appeals to Islam as a compacting force played no
small part.
From that moment onwards, the Islamic presence in the Western world was made
up not only of immigrants as cheap labour, but also of political refugees and migrants
living abroad to study and to take up highly skilled occupations.
But perhaps the most important change was in the attitudes of the migrants
themselves, who were no longer interested in returning to their original homeland, but
wanted to lead a new life in a new place that was extraneous to their culture of origin.
It was in this environment that the second- and third-generation Muslims have
grown up, for whom the integration – or, rather, the conflict prevention – policies
implemented until then in Western countries appeared to have failed, just as the United
States’ ‘melting pot’ concept no longer seemed to be relevant to current needs.
The perceptions and feelings of second- or third-generation Muslims in the
Western world have been highlighted by several of their writers, and in this connection
I would recall the description given by Hanif Kureishi in his book, “The Word and the
Bomb”.
Not being fully accepted due to the colour of their skin or their allegiance to
another religion, which was viewed as a threat to the local modus vivendi, they feel
uprooted from the social fabric and identify with, and idealise, the other half of
themselves that is linked to their distant origins and homeland, an image which often bears
little resemblance to reality while at the same time fully satisfying some internal
aspiration.
Olivier Roy has written that, “Neofundamentalism has gained ground among
rootless Muslim youth, particularly among second- and third- generation migrants in
the West. Even if only a small minority is involved, the phenomenon feeds new forms of
radicalization, among them support for al Qaeda, but also a new sectarian
communitarian discourse, advocating multiculturalism as a means of rejecting
integration into western society. These Muslims do not identify with any given nation-
state, and are more concerned with imposing Islamic norms among Muslims societies
and minorities and fighting to reconstruct a universal Muslim community, or ummah”. 8
The younger generations are having to carve out an identity of their own for
themselves, as both citizens of states that belong to the Western world and as followers
of the Muslim faith, the latter experienced in a world that is alien to the social fabric of
the life, daily experiences and codes of conduct that constitute the very essence of
Islamic culture and in which a common language becomes the bonding agent.
8 Olivier Roy, Globalized Islam, Columbia University Press, New York, 2004, p. 2.
I am speaking, here, of an Islamic faith and experience lived through the customs
that have been handed down within the family, with precepts, traditions and customs
that are often thought to be Islamic while, in reality, they are features of the culture of
the place from which the family originated, and where the disassociation between the
two worlds can be extremely pernicious.
This by no means applies only to the Islamic world transplanted into the West, in
which two worlds are in a state of conflict within one and the same individual. It is a
phenomenon that has also emerged recently within the Islamic world itself.
Antonio Giustozzi 9 has written that: “Gul (Imran Gul, programme director of the
Sustainable Participation Development Program, an NGO based in Banu, just outside
North Waziristan) believes that the tribal system is in crisis and that it can no longer
provide peace, income, a sense of purpose, a social network to the local youth, who
then turn to radical movements (collectively known as the Pakistani Taliban) as the
only outlet where they can express their frustration and earn the prestige once offered
by the tribal system”.
This quest for an identity has obviously paved the way for the emergence of a new
class of preachers, imams, leaders of mosques that follow the new Islamic ideologies
which are seeking a new dimension of Islam and Islamic culture, which have originated
with such thinkers and intellectuals as Muhammad Abdu, Rashid Rida and Gamal al
Din al Afghani.
This new ideology reinterprets Islam, not along the lines of the past – which had
led to the decline of Islam as a unicum of din and dawla, State and faith, in which the
concept of watan (nation) had acquired primacy over the concept of ummah
(community in the broadest sense of the term) – but by seeking to “modernise” the
Islamic world through the use of the modern media detached from the Western culture
that is usually linked to them.
It is, therefore, a case of a revival of the Islamic world in a Western context with
rapidly evolving ideologies and programmes, while remaining fiercely attached to
basic elements related to its security in terms of resources and the economy.
The development of this way of thinking has given rise to numerous schools of
thought, such as those developed by the Muslim Brotherhood and by such ideologues
as Hassan al Banna, Sayyd Qutb and Abu ala al Mawdudi, who are considered to be the
masterminds behind the modern extremist movements.
These are the innovative driving forces advocating a revisitation of Islam through a
doctrine called Salafiyya. This doctrine is based on the premise that it is only by
returning to the original Islam, the Islam of the Salaf10 or “Companions of the
Prophet”, that all problems can be solved relying on one simple certainty: a doctrine
that had made it possible for a small community caught between two empires, animated
solely by total devotion and submission to the one God, to create a new “empire” by
destroying the other two had demonstrated de facto its soundness, and in their eyes,
9 Antonio Giustozzi, Koran, Kalashnikov and Laptop: The Neo-Taliban Insurgency in Afghanistan, Hurst &
10 A term meaning predecessors, applied to the ideology that seeks to recreate a lifestyle and world based on
the practices of the earliest Muslims.
This leads us to an analysis of what the cyber-world can signify today in the Islamic
cultural faith.
Most of the modern Islamic websites, or rather the sites dealing with issues of
relevance to Islamic culture and the Islamic faith, are located in various places in the
Western world, and the language they normally use is English.
As a result, in a world without specific cultural and religious familiarity with the
Muslim world, the website managers, like the preachers in the mosques mentioned
earlier, are able to insert their own ideas and pass them off as being part of traditional
Islam.
Confirmation of this can be found in two articles published in the “Middle East
Quarterly”11 entitled:
Assessing English translations of the Quran;12
Beheading in the name of Islam.13
11 http://www.meforum.org/meq/issues
12 http://www.meforum.org/717/assessing-english-translations-of-the-quran
13 http://www.meforum.org/713/beheading-in-the-name-of-Islam
These two articles demonstrate that traditional Islamic knowledge, that is to say,
the knowledge of the ulama and the fuqaha, has been manipulated and tailored to suit
the ideas of one or more groups and used by these groups to achieve their own ends.
Khaleel Mohammed, the author of the first of these two articles, offers an in-depth
examination of the English translations of the Qur'an, and shows how they have been
monopolised and sponsored by the present Saudi dynasty, with the aim of ensuring the
greatest possible diffusion worldwide. Suffice it to say, the English translation of the
Qur'an by Mohammed Asad14 has been banned in Saudi Arabia. The author himself has
written that, “Indicative of the desire and drive of Saudi Arabia to impose a Salafi
interpretation upon the Muslim world, the kingdom has banned Muhammad’s work
over some creedal issues. Because the Saudi government subsidizes the publication and
distribution of so many translations, the ban has in effect made Asad’s translation both
expensive and difficult to obtain. Nevertheless, it remains one of the best translations
available both in terms of its comprehensible English and generally knowledgeable
annotations”. It is relevant to note that Asad was a member of the Libyan Senussya
resistance against the Italian occupation, a Mujahideen ante litteram, and yet, because
his translation does not fit in with a one-sided and monopoly-oriented reading of Islam,
his version has been censored.
The author of the second article, Timothy R. Furnish, in his analysis of
decapitation in Islamic theology, notes that everything that has been publicised and
advocated as rooted in Islamic theology by the so called “jihadist” groups - such as al
Tawhid wa al Jihad, whose leader was abu Mus’ab al-Zarqawi - is by no means
consistent with the tenets of classical Islamic theology.
Zarqawi has said that he would “accept comments from ulema regarding whether
his killing operations are permitted or forbidden according to Islam – provided that the
ulema are not connected to a regime and are offering opinions out of personal
conviction and not to please their rulers”. 15
It is interesting to note in this regard that one Islamic website linked to “jihadist”
doctrine16 makes reference to “The Book of Jihad” by Abi Zakaryya Al Dimashqi Al
Dumyati, also known as Nahaas (who died in 1411), to subvert the well-known and
established classical doctrine regarding jihad.
This site claims that the difference between the “greater” and the “lesser jihad”,
which is an important element in official Muslim doctrine and is considered to date
back to the great authors of the past, did not in fact exist at all. When arguing the
reasons why this hadith did not exist, the site obviously refers to ibn Tamiyya and a
series of ulama who also recorded some of the hadith of the Prophet, namely those
supporting war as the only possible interpretation or meaning of jihad. The site
exclusively referred to these as the sole means of understanding the meaning of jihad,
adding that the other version “had never been reported by any scholar as having
anything to do with the hadith”. This collection of hadith and this theory of jihad tend
to look only at those deeds performed by the Prophet which support this interpretation
of the doctrine. Although I am not saying that the website deliberately ignored other
deeds, it certainly did not attempt to search for them, and when doubts arose – as often
happens with events and issues needing interpretation – it was only logical to offer an
interpretation that supported its particular views.
14 Born Leopold Weiss in July 1900, in what was then Lwów in the Austro-Hungarian
Empire, he was a Jew who converted to Islam in 1926, changing his name to Mohamed Asad. During
World War II, he was imprisoned by the British in a camp for enemy aliens (because of his Austrian
nationality) while his father was interned by the Nazis for being Jewish. In 1949, Asad joined the Pakistan
Foreign Ministry as head of the Middle East Division and, in 1952, went to New York as Pakistan’s
representative to the United Nations.
15 Al-Zarqawi Associate, Al-Zarqawi Unconnected to Al-Qa'ida, Seeks to Expand Fighting to Entire Region,
Middle East Media Research Institute (MEMRI), Sept. 23, 2004.
16 http://www.masterplanstewardship.org/ConstantContact/PDF/Mashari_Book_of_Jihad.pdf
It is no coincidence that the author the site refers to was one of the main sources
from which Bin Laden’s mentor, Sheikh Azzam, drew.
This might seem to suggest that the Internet only propagates messages connected
with the type of Islamic doctrine that, in the West, is defined as “fundamentalist” – a
term that was originally coined to identify theories connected with Christianity, and
which therefore has no corresponding meaning in the Islamic cultural language. But
this is not the case.
As I have already pointed out, Salafi doctrine comprises numerous schools of
thought, including those which the Western world deems jihadist. These last, however,
are certainly not the only ones, as Gilles Kepel has pointed out in his book, “The War
for Muslim Minds”.
The aim of the radical preachers is obviously to recruit followers and get them to
adopt their ideas, and thus lead them to commit actions using terrorism as the primary
means to achieve their purposes.
Although it has not yet been possible to profile the so-called ‘jihadist’ terrorists
living in the Western world, the analysis carried out by Marc Sageman in his
“Leaderless Jihad” is particularly interesting in that it topples a number of the myths
about the reasons underlying the support that certain ideas attract – such as
poverty, immaturity, ignorance, sexual frustration and so on – and instead emphasises
the importance of the criterion of justice, which far outweighs the concepts of
democracy and brotherhood, both of which lead people to subscribe to certain
ideas.
17 John Bagot Glubb, The Great Arab Conquests, J.B.G. Ltd, Hodder & Stoughton, 1963.
jahilyya and takfir, ignorance and apostasy, revisited in a modern form by the Egyptian
ideologist Sayyd Qutb. All of this is obviously viewed one-sidedly, for there is no judge
to issue a ruling and no common agreement on what is right and what is wrong, apart
from whatever it is that the members of the group want. The structure, the military
activities and the organisation are based on patterns borrowed from an ideal and
idealised past, as one clearly sees from the statements issued in the wake of every
terrorist attack.
Who, then, is better equipped to penetrate and change the indoctrination and the
quest for support by the “jihadist” preachers than an expert who is thoroughly familiar
with the Islamic world?
Who, better than an expert, can learn and understand when a virtual ummah is
being created on the Internet, in which to grow a new community, but above all, can
perceive in which direction the movement is heading, whether it be towards an area
characterised by da’wa, preaching, through which to carry out a social revolution based
on the construction of a critical mass within society, or towards the jihad, namely, a
militant approach, by declaring war against the political leaders of nations forming part
of the Islamic world who fail to observe the precepts and the contents of sharia law?
What I have said above only gives a slight indication of the complexity of this
subject area to anyone who is not a scholar or expert on the Islamic world because it is
impossible to address such complex issues using superficial knowledge and inaccurate
information-gathering tools, particularly on the part of members of the security
services.
Conclusions
References
[1] John Bagot Glubb, The Great Arab Conquests, J.B.G. Ltd. Hodder & Stoughton, 1963.
[2] Marc Sageman, Leaderless Jihad, University of Pennsylvania Press, Philadelphia, 2008.
[3] Gilles Kepel, The War for Muslim Minds, The Belknap Press of Harvard University Press, Cambridge and
London, 2004.
[4] Montasser al-Zayat, The Road to al Qaeda, Pluto Press, London, 2004.
[5] Peter R. Neumann, Joining al Qaeda, Adelphi Paper 399, Routledge for The International Institute for
Strategic Studies.
Modelling Cyber Security: Approaches, Methodology, Strategies 125
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-125
Abstract. Deterrence is an ancient strategy (as early as the 4th millennium BCE)
based on defence and retaliation to prevent undesirable behaviour from a potential
attacker. Specifically, deterrence—both classical and cyber-related—is based on a
potential attacker perceiving an unacceptable cost and consequently refraining
from attack. Similarly to nuclear deterrence, cyber-deterrence may be an effective
strategy against foreign governmental attackers, who might refrain from attacking
for fear of retaliation. However, cyber-deterrence may not be as effective against
individual terrorist hackers or clandestine organisations that have a high propensity
towards risks or simply believe they can attack with impunity. This paper outlines
some solutions to the fundamental challenge of modelling deterrence in Cyberia
and discusses theoretical and policy implications based on computational social
science.
Keywords. Deterrence, infrastructure protection, cyber security, cyber attacks,
cyber warfare
Introduction
Challenges and opportunities posed by the rise and evolution of the Internet and related
IT systems—“Cyberia”, for short—have called into question traditional policies and
national security priorities. [1, 2, 3] When faced with threats, deterrence is often
invoked as the natural and logical policy to design and implement. However, deterrence
is an ancient strategy (applied as early as the 4th millennium BCE) based on defence
and retaliation to prevent undesirable behaviour from a potential attacker. More
specifically, as a well-defined form of social power relation, deterrence—both the
classical version that began in Mesopotamia and the more recent cyber-related
adaptation—is always based on a potential attacker perceiving an unacceptable cost
and consequently refraining from attack. [4, 5] As a consequence, cyber-deterrence
may be an effective strategy against foreign governmental attackers, assuming all the
necessary requirements are met (i.e., credibility of capability and credibility of intent,
each of which has its own component requirements). As with nuclear deterrence
between states, state attackers may refrain from attacking for fear of retaliation.
However, cyber-deterrence may not be as effective against individual actors (e.g.,
terrorist hackers) or clandestine organisations that have a high propensity towards risks
* This chapter was presented at the NATO Advanced Research Workshop (ARW) on Operational Network
Intelligence: Today and Tomorrow, L'Arsenale, Venice, Italy, 6–7 February, 2009. I am grateful to S.
Numrich, M. Zalesny, and A. Vespignani for comments and discussion on an earlier version of this paper.
Many thanks to Professor Umberto Gori for the invitation to participate in the NATO ARW as well as for
comments received by workshop participants, especially M. Agazzi, N. Ahituv, M. Arditti, A. Gazzini, G.
Grasso, A. Hochberg-Marom, G. Iovane, E. Peshin, P. Rapalino, U. Rapetto, F. Sanfelice di Monteforte, E.
Tikk, and A. Vidali. The author is solely responsible for the views expressed in this chapter.
1 Corresponding Author: Prof. Claudio Cioffi-Revilla, Director, Center for Social Complexity, George Mason
University, 4400 University Drive, MSN 6B2, Fairfax, Virginia 22030 (near Washington DC), USA. E-mail:
ccioffi@gmu.edu URL: http://socialcomplexity.gmu.edu
126 C. Cioffi-Revilla / Modelling Deterrence in Cyberia
or simply believe they can attack with impunity. This chapter frames the problem of
deterrence in cyberspace in terms of the classical theory of deterrence and uses such a
framework to gain some insights into the problems and solutions to modelling
deterrence in Cyberia.
1. Elements of Deterrence
but also the credibility of intentions (or willingness to retaliate). In the theory (and
practice) of deterrence as a strategy to ensure security, both forms of credibility are
viewed as necessary conditions. In practice, each type of credibility is ensured by
multiple means. These include diverse systems that guarantee a high degree of
reliability in the delivery of punishment and multiple signals and organisational
arrangements ensuring an elevated level of credibility with respect to willingness.
Thus, while the foundations of deterrence require serialisation (as in a supply chain),
the implementation of deterrence is based on parallelisation in order to ensure and
communicate sufficiently high levels of credibility in terms of both capability and
willingness. [12]
Redundancy plays a critical role in deterrence theory and practice, because many
of the basic systems and processes involved with deterrence have a serialised structure
that by nature will degrade overall performance. Redundancy, however, has costs that
are both material and organisational. [13] Examples of deterrence redundancy include:
1. For credibility of capability: Develop multiple systems to inflict devastating
retaliation and ensure efficient defences.
2. For credibility of intent: Communicate resolve to employ retaliation through
multiple signals that minimise or eliminate uncertainty.
3. For defensive fortifications: Establish effective and efficient defensive
systems capable of withstanding potential attack. (An additional valuable
feature of defensive security systems is that they fail by drift and in isolated
modes, rather than catastrophically or in interactive ways.)
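A simple way to see the serialisation/parallelisation argument in numbers (an added example, not the chapter's own probability model of credibility; it assumes independent components with constructed probabilities):

```python
"""Serial vs. parallel composition of deterrence credibility.

Added illustration, not the chapter's own probability model of credibility:
every necessary condition of deterrence must hold (a serial chain, as in a
supply chain), while its implementation adds redundant systems and signals in
parallel. Assumption (constructed): components are independent, each with a
probability of functioning or of being believed.
"""
from math import prod
from typing import Sequence


def serial(ps: Sequence[float]) -> float:
    """All stages must succeed: P = product of p_i. Every extra stage lowers P."""
    return prod(ps)


def parallel(ps: Sequence[float]) -> float:
    """Any one redundant element suffices: P = 1 - product of (1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in ps)


def credibility_of_capability(systems: Sequence[Sequence[float]]) -> float:
    """Each retaliation system is a serial chain (e.g. attribute -> decide ->
    deliver -> inflict damage); several systems in parallel give redundancy."""
    return parallel([serial(chain) for chain in systems])


def credibility_of_intent(signals: Sequence[float]) -> float:
    """Each signal independently convinces the attacker of resolve; multiple
    signals in parallel reduce the attacker's uncertainty about willingness."""
    return parallel(signals)


def deterrence_credibility(capability: float, intent: float) -> float:
    """Capability and intent are both necessary conditions: they combine serially."""
    return serial([capability, intent])


def redundancy_needed(p: float, target: float) -> int:
    """Smallest number k of identical parallel elements with reliability p such
    that 1 - (1 - p)**k >= target. Rejects parameters for which no k exists."""
    if not 0.0 < p <= 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < p <= 1 and 0 <= target < 1")
    k = 1
    while parallel([p] * k) < target:
        k += 1
    return k


if __name__ == "__main__":
    # Constructed figures: a four-stage retaliation chain at 0.9 per stage.
    chain = [0.9] * 4
    print(f"one chain, serial:        {serial(chain):.4f}")
    print(f"two chains in parallel:   {parallel([serial(chain)] * 2):.4f}")
    cap = credibility_of_capability([chain, chain])
    intent = credibility_of_intent([0.7, 0.7])  # two independent signals of resolve
    print(f"deterrence credibility:   {deterrence_credibility(cap, intent):.4f}")
    print(f"chains needed for 0.99:   {redundancy_needed(serial(chain), 0.99)}")
```

Each added serial stage lowers overall credibility, and `redundancy_needed` shows how many parallel copies (each with its material and organisational cost) are required to bring it back to a chosen level.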
In addition to retaliation, deterrence also relies on defence or fortification, which
takes on numerous forms: layered defences, choke points, overlapping fields of fire,
observation detection, baffled entries, etc. (For the classic study of deterrence and
defence see [14].) The overall purpose of defence is to lower the base probability of the
attacker’s success, which can positively interact with the credibility of the defender’s
deterrence. (A mighty or impenetrable defender might also be—in the mind of a
potential attacker—a merciless retaliator.) Therefore, in the implementation of
deterrence, defence is just as important as retaliation and it is a feature that should not
be overlooked within the complex context of cyber-deterrence.
When deterrence fails, two additional considerations are mitigation (what can be
done in advance of an attack to lessen the effects of undeterred attack) and prosecution
(how can the perpetrators be found and brought to justice). Both types of preparatory
issues acquire special significance in the cyber context. Unfortunately, only scant
attention is paid to both, especially the latter.
2. Cyber-deterrence
Within the specific context of cyberspace [6]—a world fundamentally different from
the one in which deterrence originated among Sumerian city-states several thousand
years ago [9]—a deterrence strategy by the government would seek to prevent attacks
to the nation’s IT infrastructure and related systems by threatening unacceptable
retaliation to potential attackers [15]. Given such requirements, the following two
classes of questions immediately emerge as fundamentally important in the cyber
context:
Summary
From a national strategy perspective, the reliability or even the very feasibility of
deterrence as a viable strategy for cyber-security seems dependent on the character of
the threatening actor or potential attacker. For some potential attackers, such as
national governments, deterrence would seem quite viable against cyber attacks: If you
attack our cyber infrastructure, we will retaliate accordingly with unacceptable damage
to your assets (which may or may not include the attacker’s cyber assets; population or
other assets may be as effective, albeit possibly disproportionate). For other potential
attackers, such as individuals or clandestine organisations, deterrence is a far more
problematic strategy that may be sub-optimal and inefficient—even dangerous—for
ensuring the nation’s cyber-security. Against such actors it may be advisable to adopt
more active preventive strategies, given the difficulty or even impossibility of
implementing viable retaliation. Overall, the value of a deterrence strategy for ensuring
cyber-security seems to decline with the decrease in the formal organisational level of
the potential attacker, ranging from effective (against a foreign government) to
ineffective (against a resourceful individual hacker).
References
[1] J. Arquilla, and D. Ronfeldt, eds., Networks and Netwars, RAND Corporation, Santa Monica,
California, 2001.
[2] D. Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, New York, 2003.
[3] G. Weimann, Terror on the Internet: The New Arena, the New Challenge, United States Institute of
Peace, Washington, DC, 2006.
[4] J. Knopf, Three Items in One: Deterrence as Concept, Research Program, and Political Issue, Annual
Convention of the International Studies Association, San Francisco, CA, March 26-29, 2008.
[5] J. Knopf, The Fourth Wave in Deterrence Theory: A Critical Appraisal, Annual Meeting of the
American Political Science Association, Boston, MA, August 28-31, 2008.
[6] Threat Working Group of the CSIS Commission on Cybersecurity for the 44th Presidency, Threats
Posed by the Internet, Center for Strategic and International Studies, Washington, DC, 2008.
[7] M. Lawlor, Virtual Hackers Help Take a Byte Out of Cybercrime, SIGNAL Magazine, February 2004.
[8] T.C. Schelling, Arms and Influence, Yale University Press, New Haven, Connecticut, 1966.
[9] C. Cioffi-Revilla, Origins and Age of Deterrence, Cross-Cultural Research 33 (1999), 239–264.
[10] F.C. Zagare, and D.M. Kilgour, Perfect Deterrence, Cambridge University Press, 2000.
[11] C. Cioffi-Revilla, A probability model of credibility: Analyzing strategic nuclear deterrence systems.
Journal of Conflict Resolution 27 (1983), 73–108.
[12] C. Cioffi-Revilla, Politics and Uncertainty: Theory, Models and Applications, Cambridge University
Press, 1998.
[13] C.L. Streeter, Redundancy in Social Systems: Implications for Warning and Evacuation Planning,
International Journal of Mass Emergencies and Disasters 9 (1991), 167–182.
[14] G.H. Snyder, Deterrence by denial and punishment, Woodrow Wilson School of Public and
International Affairs, Center of International Studies, Princeton University, 1959.
[15] J.A. Lewis, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on
Cybersecurity for the 44th President, Center for Strategic and International Studies, Washington, DC,
2008.
[16] J. Fritz, How China will use cyber warfare to leapfrog in military competitiveness, Culture Mandala 8
(2008), 28–80.
[17] M. Mousseau, and D.Y. Mousseau, How the Evolution of Markets Reduces the Risk of Civil War, 4th
Annual General Conference of the European Consortium for Political Research (ECPR), University of
Pisa, Italy, 6-7 September 2007.
[18] Y.H. Ferguson, and R.W. Mansbach, Polities: Authority, Identities, and Change, University of South
Carolina Press, Columbia, South Carolina, 1996.
[19] B. Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer, 2006.
[20] M. Tsvetovat, and K. Carley, Structural Knowledge and Success of Anti-Terrorist Activity: The
Downside of Structural Equivalence, Journal of Social Structure 6 (2, 2005), online.
[21] C. Cioffi-Revilla, and P.P. Romero, Modeling Uncertainty in Adversary Behavior: Attacks in Diyala
Province, Iraq, 2002-2006, Studies in Conflict & Terrorism 32 (2009), 253–276.
[22] J.J. Thomas, and K.A. Cook, eds., Illuminating the Path, IEEE Computer Society, Los Alamitos,
CA, 2005.
132 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-132
Introduction
1 www.wikipedia.org
2 www.geonomics.energy.gov
3 Net-generation is a term that has been applied to the generation that has had access to the Internet throughout
its adolescence and, thus, is not only aware of the web but is also computer literate. This is a recent phenomenon
of the last decade.
M. Agazzi / The Cutting Edge of Cyber Network Development 133
growing complexity of the Internet (think of the creators of Facebook), the Internet’s
latest evolution with WEB2.04 (examples of which are the success of platforms like
Facebook, MySpace, Google, Wikipedia, Wikidocs, LinkedIn, YouTube, Linux,
Second Life, the Human Genome Project, etc.), and with virtual computing.
This acceleration creates a fast-paced movement (for example Linux is created and
made possible by the community of programmers who contribute to the construction of
this open source operating system), which produces evident technological progress
within the spheres of nanotechnology, biotechnology, and grid-computing. This has a
marked effect on molecular sciences, on the study of materials, mechanics and others.
Scientists pose questions that are stimulated by these new emerging paradigms in
an attempt to understand whether humankind could undergo significant changes, and
therefore bring about further evolution in humankind. The question that naturally arises
is: what has drastically changed our cultural habitat in this historical moment? We may
dare say Internet, the worldwide interconnection.
1. Emerging Paradigms
4 WEB2.0 is a term used for the more heterogeneous components, such as the mashup applications of Google
Maps, that replaced the old Internet architecture in use around 2000. It is also characterised by sociological
aspects, like communities that come together through Internet portals, such as Facebook, that are called
community platforms.
focus all of our attention on these movements, avant-garde activity would then become
visible. With the aid of readily available technology and the global diffusion of the net
and bandwidth, the forefront of cyber activity is rapidly evolving within this growing
complexity and is undergoing a transformation.
5 Symantec, Symantec Report on the Underground Economy, July 07–June 08, www.symantec.com,
2008.
6 http://nytimes.com/2008/08/12/technology/12theft.html?pagewanted=2&_r=1
organisation cloned new ATM cards that were provided by Chinese contacts,
whereupon the cloned cards were subsequently introduced into the North American
market7. It is possible to note that the economic mechanisms inherent to the
underground economy have transformed the ‘species’ of cyber-criminals, forcing them
to specialise highly in order to survive. In other words, the specialisation undertaken by
cyber-criminals is required in order to maintain control over the growing complexity of
the web, and allows them to secure a greater advantage from their own abilities. Those
who create malicious applications do not expose themselves to open use in the field,
but rather hold the source code and, each time they are asked for a malicious code,
introduce slight variations in the code itself. Since research and development
investments are expensive, they limit themselves to selling the application on the
network at market price. One exception is malware that introduces backdoors on
the processor grids. Because it serves specific purposes, such
as the gathering of precise forms of information that include on-line account codes or
other highly profitable data, such malware tends to follow direct-marketing channels and
does not have an official quotation.
1.2. Cyber Crime Community and Social Networking Instruments: Their Avant-garde
Cyber Network Strategy
The actions that this illegal business takes to publicise or advertise its activities are
channelled through topics that are posted on web-forums and that employ either a
multi-channel or a thematic strategy to contact buyers and inform them of the different
categories of goods and services offered; this procedure helps to promote goods and
services worldwide. Cyber-crime communities populate web-based forums using self-
defining strategies, thanks to the options that manage the account registration of
members and the private messaging on such forums. The aforementioned topics refer to
other forums on which illegal goods and services are traded. Payments are often made
with on-line accounts or through the exchange of goods and services. The administrator
has a prime role in creating the forum and setting the basic access rules for the different
user groups: administrator, moderator and member. The administrator is usually also
one of the moderators. His role consists in administering the server; building
classifications for goods and services, which are fitted into sub-forums; and checking
on the security policies that govern the forum. When a new forum is set up, the
administrator also creates a moderator, whose role is to keep the forum going through
communication strategies typical of its specific market, including the possibility of
deleting or correcting inconsistent topics and of creating new sub-forums for new
thematic channels.
The forum members have the possibility to write topics and, once the forum is
running, can vote for the most interesting topics on the basis of pre-set regulations. The
moderator’s role is assigned to the author of the most voted topics. This gives a cyber
criminal sufficient reason to register on the forum repeatedly under different nick-
names in order to secure his own nomination as moderator. Since goods and services have a
variable quotation and can become outdated, the oldest topics are automatically
deleted. On the other hand, when the community’s attention is focused on certain goods
on sale, the topics are repeated over and over with the same message so that the
search-engine within the web-forum will list the topics on which the article being
promoted appears.
7 Symantec, Symantec Report on the Underground Economy, July 07–June 08, www.symantec.com,
November 2008.
The administrator changes nick-name often to avoid the authorities’ tracking activities.
When the forum server itself is bought in the underground economy, the administrator
appears at the moment of launch, only to disappear afterwards, whilst the
moderators’ role is elective within the community, according to the principles that
regulate the basic settings. The web-forum can also remain active on the server for a
limited time, sometimes a few months, before it gets exported to a different server.
These movements are facilitated by the available bandwidth and are used above all to
elude the authorities’ control. Access to the community is possible after registering a nick-
name, a brief self-description, and an avatar; if these are not convincing, the administrator
denies access to the forum. Registration can also be completely automatic, and it is left
to the moderators to deny future access if the applicant’s credentials are not
convincing; the web system is able to discredit a registration instantly. Forums also
have filters that block access from IP addresses considered unsafe and then
place them on blacklists. The access of new visitors to the forum triggers an on-line
alert system that is visible to the community. Some forums use mash-up technologies
with geo-locating applications, which are able to visualise the on-line users’ ISP
position on a world map; this is so that the community can take the necessary
countermeasures to elude police control.
Since malware production can be costly, it is possible to trade specific components
which, once assembled, give the desired result. On the net, the same nick-name can buy
malware software components and then sell malicious applications that have been
assembled with the final code and supplied with directions. The most dangerous
malware is the polymorphic type: not only is the code assembled in steps, and often
encrypted, but the malware is also able to transform its own structure. The
encryption of the malware code makes it difficult for anti-virus systems to recognise the malware, and
it is produced with encryption tool-kits that are
traded on the black market. In other words, the underground economy offers access to the entire
supply-chain of goods and services at market value, from the production
to the final assembly of malware of all sorts (intended for fraudulent use
by cyber-criminals), to directions for hacking techniques on how to conceal the
source (personal IP), generate spam, and also take on a false identity. These techniques
underlie distributed-denial-of-service (DDoS) attacks, for it is easier to take action
in a chaotic situation. These attacks are created by dangerous malware, botnets8;
Estonian and Georgian banks, in fact, were their victims in April 2007.
The leading edge of the virtual world transmits and leads the transformation. With it,
the criminal network expands and techniques simultaneously improve. Proximal
networks make use of temporary trajectories and affect the outer digital realities of the
real economy. The U.S. authorities reported that cyber-crime activity paid Russian
criminal groups over $150 million in 2006; through the use of phishing techniques,
credit cards were stolen using servers located in North America and the cards were
subsequently cloned in a Russian factory.
Occasionally, such techniques rely on databases containing identity-related data.
These databases can be bought on the forum (identity theft information is sold in lots,
just as credit card codes are), depending on the scale economy of the market and also
because the percentage of faulty data causes rejects or discards that in turn cause
irreplaceable gaps. The U.S. authorities have related these specific crimes to the
Russian Business Network (RBN). The RBN’s servers are believed to be responsible
for the diffusion of malicious codes like the MPack exploit toolkit 9 and the Peacomm
Trojan botnet (this last through Internet Relay Chat). It is evident that the
avant-garde cyber criminals are plumbing our depths, our virtual spaces, our digital
routes, on which we have built financial structures, research centres, economic
development, and power and control structures, in search of an Achilles’ heel.
8 Cisco, Cisco 2008 Annual Security Report, www.cisco.com, 2008, p. 10. Botnets consist of thousands of
malware-compromised computers. Those who control the botnets can rent out the processing power and
bandwidth available to these computers, or use it themselves.
9 www.symantec.com
11 The financial loss is also caused by servers that, when under DOS attack, are not able to satisfy on-line user
requests. Enterprises lose thousands of transactions per hour since the services under attack are no longer
available. During these attacks, keylogging software is installed on the computers to transmit identity, banking
access codes, and credit card codes to remote servers.
12 Flo Conway, Jim Siegelman, Dark Hero of the Information Age – In Search of Norbert Wiener the Father of
Cybernetics, Perseus Books Group, 2004.
wherein complex systems are conditioned by feedback13 that is received from the
ecosystem they interact with. He had especially highlighted the dangers of a negative
random motion, which he called “nervous disorder”, which occurs when non-linear
systems are carried past their limits. One step that could be taken against cyber crime
would be to be able to identify the location from which the infection first originated by
following the initial signs of “nervous disorder”. Unfortunately, this is much like
looking for a needle in a haystack! What are we really supposed to be looking for?
Today, the web is a highly complex system, and so non-linear. Swarms of malwares are
able to cross peripheral digital borders without even leaving a trace (just think of the
failure of British intelligence during the Second World War, when the launch pads for
the V2 missiles weren’t recognised despite having previously been photographed by
aviators).
Norbert Wiener had anticipated problems with feedback. His research was followed first
by the work of Pitts and McCulloch at MIT and then by Hopfield’s research. Hopfield
discovered the so-called “Hopfield nets” model, which was published in 1980 and
became the basis for the development of the Artificial Neural Network (NN).
Hopfield’s model is the point of departure for many real-time and near-real-time
applications based on artificial intelligence that have been intended for commercial use.
The question that could be asked is whether a real-time system based on the Artificial
Neural Network model (NN), fed by key-indicators (automatically sent by intelligent
agents located on the server), would be effective in identifying attacks right from the
initial stages. Were this the case, appropriate steps to neutralise the attacks could be
taken in almost real-time, either by taking action on the network’s peer-to-peer nodes
or by up-dating the servers’ anti-virus systems. Clearly, this presumes some form of
supranational coordination, which, from my point of view, continues to be an ongoing
issue.
The difficulties encountered by the authorities in the fight against cyber-crime
activities are also due to the fact that State laws have jurisdiction only within domestic
borders, whilst cyber-crimes move on worldwide trajectories. Since malware code is
generally encrypted14 and is spread thanks to a peer-to-peer mode, months may go by
before a new malicious application is identified. In these conditions, even the authorities’
controls are deceived because the patterns containing malware cannot be recognised at
an early stage.
However, credit institutions and banks with on-line accounts have or are in the
process of adopting data mining systems to track down unauthorised use, promptly
informing the client when unusual on-line payments are made. As a matter of fact,
nothing else is done and, in most cases, crimes go unpunished. It is highly unlikely that
the majority of crimes have ever come to light, and in the few cases that one has, they
have never, or rarely, been rendered public. Cyber crimes occur especially when the net
is not sufficiently protected or when the firewalls and anti-virus systems are out of date.
This lack in technology creates the ideal conditions for cyber-criminals not only to
successfully install backdoors on the net processors, but also to
conduct industrial espionage and delete their traces. Thanks to this ability to cover their traces,
the malfunction of the processors is easily attributed to chance.
13 Pitts and McCulloch worked on this idea, then Hopfield defined a model known as “Hopfield’s net” which,
when further developed, became the basis for the realisation of important commercial applications.
This demonstrates how important the introduction of encryption truly is. Not only
would it protect databases that store identity information and credit card and bank data,
it would also protect sensitive data in general, especially archives of strategic interest to
organisations. However, encryption is costly because it requires extra computational
resources, and therefore requires a considerable level of investment. Moreover, given the
quantity of code that would have to be modified, not all software is able to run with
storage encryption at the Input/Output level. This is particularly true for projects
that have incorporated Product Lifecycle Management software, which is often used
in R&D. Over the life span of high-tech products, or in old Enterprise Resource
Planning solutions, further software updates would be required. At this point we may
recall what Niklaus Wirth, inventor of the famous programming languages Modula,
Pascal and Algol, stated in January 1997 during the conference “Software: Quality or
Quantity, that is the question”, in what he defined as Reiser’s Law: “Software is
getting slower more quickly than hardware is getting faster”.
Conclusion
In conclusion, the post-industrial epoch is characterised by the use man has made of
computer science. The technological progress we are experiencing in different areas is
part of the well-being we are used to and is therefore based on the good use man has
made of global interconnection over the past decade. The digital age is the new habitat;
it is a drastic change that brings with it transformations within each field that are yet to
be fully analysed. However, the changes that are taking place have led to an evolution/
transformation of cyber-crime groups. The avant-garde of cyber criminals in
cyberspace gains strength from coming into contact with the proximal networks with
their temporary trajectories, and, once this has been accomplished, the transformation
may be considered complete.
References
[1] Flo Conway, Jim Siegelman, Dark Hero of the Information Age – In Search of Norbert Wiener the
Father of Cybernetics, Perseus Books Group, 2004.
[2] Ray Kurzweil, The Singularity is Near: When Humans Transcend Biology, Viking Press, 2005.
[3] Don Tapscott, Anthony D. Williams, WIKINOMICS-How Mass Collaboration Changes Everything,
Portfolio, 2006.
[4] Niklaus Wirth, Software: Quality or Quantity, That is the question, Managing Software – Quality –
Engineering Success, WWW.INFOGEM.CH/Taungen/1997/Niklaus_Wirth.pdf, January 27, 1997.
[5] Symantec, Symantec Report on the Underground Economy of July 07-June 08, www.symantec.com,
November 2008.
[6] Cisco, Annual Security Report, www.cisco.com, 2008.
[7] Sophos, NAC 2.0: A new model for a more secure future, www.sophos.com, July 2008.
[8] Sophos, Sophos Threat Report July 2008, www.sophos.com, 2008.
140 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-140
Introduction
The everyday life of citizens in modern societies relies on the critical services provided
by a variety of entities, including among others: power stations, stationary/cellular
telecom providers, public utility companies, banks, healthcare providers, food
manufacturers, transportation, and education systems. All modern Critical
Infrastructures (CI) rely on Information and Communication Technologies (ICT) for
their ongoing operations, control, and monitoring activities, as well as for interactions
involving data exchange with their peer CIs [1-4].
In many cases, CIs sub-contract Network Service Providers (NSP) to dispatch their
transactions. Consequently, CIs depend upon the availability and performance of NSP
backbones and are prone to malicious attacks. Dependence or interdependence between
CIs, or within various divisions of a CI, creates another significant risk, where the
failure of one critical CI, resulting from a malicious attack or communication failure,
can result in horrendous cascading effects that hamper dependent stations in the same
or other CIs [5]. Nowadays, terrorists and the agencies of rival governments can easily
create new malware in order to attack CIs [6]. Following the announcement of newly
discovered vulnerabilities, a new malware may be developed, tested and then launched
towards the critical networks [7].
Y. Elovici and A. Shabtai / Protecting CI from Cyber Attacks Involving Malware 141
As a case in point, on April 27, 2007, officials in Estonia relocated the "Bronze
Soldier", a Soviet-era war memorial commemorating an unknown Russian soldier who died
fighting the Nazis. The move incited rioting by ethnic Russians and the blockading of
the Estonian Embassy in Moscow. The event also marked the beginning of a large and
sustained distributed denial-of-service attack on several Estonian national Web sites,
including those of government ministries and the prime minister's Reform Party. Often,
these attacks are conducted in the initial stages of conventional wars to achieve a
strategic advantage in command, communication, and control capabilities 1.
Critical Information Infrastructure Protection (CIIP) against attacks originating on
the Internet is a great and enduring challenge; improving CII security by disconnecting
them from other networks often contradicts the open and interoperable nature of
modern web-based platforms and applications. In many instances, CII are attacked via
the computers of innocent home users that have been compromised by attackers.
Industry reports suggest that individual users receive malware mainly from the Internet
[8]. In fact, an online safety survey conducted by America Online and the National
Cyber Security Alliance (NCSA) revealed that 81% of the respondents lacked recently
updated anti-virus software, a properly configured firewall, and/or spyware protection.
In the same survey, 74% of the respondents claimed to use the Internet for "sensitive"
transactions from their home computers, including among others banking, stock trading,
and reviewing personal medical information [8].
Numerous tools are available nowadays to address different facets of the
aforementioned challenges [9-11]. Anti-virus, -Spyware and -Adware utilities focus on
a host-based protection of end user devices. Intrusion Detection/Prevention Systems
(IDS/IPS) and firewalls focus on tackling malware at the core and edges of ISP/NSP
and enterprise networks. Penetration tests are often used to evaluate how robust CII are
and their compliance with security criteria and guidelines [12].
One of the major limitations of these technological solutions with respect to malware
is that they are mostly based on the signatures (either content-based or behavioural) of
known malware. This limitation becomes critical when new attacks are based on new
malware (unknown to the detection systems) that is able to compromise distributed
networks of thousands of computers in a matter of minutes. Moreover, exploits for
newly discovered vulnerabilities appear every day. Attackers use them to develop new
malware that in many cases is capable of compromising existing systems without being
detected until a software patch or a new signature has been released. This situation
therefore calls for maximum automation and a minimal response time in every security
technology used to tackle new, unknown malware.
This article describes three alternative approaches to harden and secure the
networks used by CI and boost their immunity against malicious attacks. The first
approach proposes to purify malicious traffic on public NSP/ISP networks in order to
minimise the risk that innocent users will be unwittingly exploited and used by
perpetrators as launch pads for attacks on CIIs (section 1). The second approach
focuses on overlay networks established between CIs, where communication patterns
between CI are mapped to underlying physical networks and the most critical routers
are pinpointed, thereby enabling the cost effective deployment of malware filtering
devices (section 2). Lastly, the third approach focuses on detecting hidden botnets,
which often serve as a launch pad for Distributed Denial of Service (DDoS) attacks on
CIIs (section 3). Concluding remarks are described in section 4.
Enterprises and ISPs serving private customers are connected to the Internet through
Network Service Providers (NSP). Nevertheless, traffic flowing through the NSP
infrastructure usually has not been purified of malware, in the way that the drinking
water we receive nowadays from public water supply companies has been cleaned.
Moreover, it is estimated that only 15% of Internet users are protected by an
updated anti-virus [1], and therefore end users cannot be relied upon to protect
themselves from being unknowingly exploited as launch pads for attacks against CIIs.
As a result, terrorists and/or governments can easily attack CIs through innocent users'
hosts without detection.
1 http://news.zdnet.com/2100-1009_22-152212.html
Detection of malware by NSPs on their core networks provides a better economy
of scale, because NSPs are more likely to possess the resources to handle unknown
malware and are thus more likely to prevent thousands of end users from being
infected and later used to launch DDoS attacks. Such a centralised approach provides
very fast and effective detection. Figure 1 describes this centralised NSP-oriented
approach, which comprises the following phases [13]: first, known malware is removed
by standard signature-based IPS filtering devices (a); then, executable files are
assembled from the observed traffic (b); next, these files are forwarded for back-end
analysis by an ensemble of detection plug-ins capable of detecting new malware based
on its similarity to known malware (c); finally, whenever new malware is detected by
the ensemble of plug-ins, its signature is published and updated instantaneously on
all IPS filtering devices (d).
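Phases (b), (c) and (d) of this pipeline, as an added example that is not part of the original chapter and not the authors' system [13]: it carves HTTP response bodies out of a reassembled TCP stream (constructed inline; only responses with a Content-Length header, no chunked encoding), keeps those that are PE executables, applies an exact hash check as a stand-in for the signature stage (a), scores the remaining files by byte 4-gram Jaccard similarity against a known-malware profile as a stand-in for the chapter's ensemble of plug-ins (c), and publishes the hash of a detected variant as a new signature (d). The samples are synthetic MZ/PE-shaped blobs, not real malware, and the 0.6 similarity threshold is an assumption.

```python
import hashlib
import struct

# --- constructed sample data: synthetic MZ/PE-shaped blobs, not real malware ---
def fake_pe(payload: bytes) -> bytes:
    """Minimal executable-shaped blob: 'MZ' header, e_lfanew at 0x3c -> 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + payload

STUB = b"\xe8\x00\x00\x00\x00\x5b\x81\xeb" * 12     # recurring decoder-like byte pattern
KNOWN_MALWARE = fake_pe(STUB + b"CreateRemoteThread\x00WinExec\x00")
VARIANT = fake_pe(STUB + b"CreateRemoteThread\x00WinExec\x00v2")   # repacked: new hash
BENIGN = fake_pe(b"\x55\x8b\xec\x83\xec\x10" * 12 + b"MessageBoxW\x00ExitProcess\x00")

def http_response(body: bytes, ctype: bytes = b"application/octet-stream") -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# A reassembled server->client TCP stream carrying three downloads (constructed).
STREAM = (http_response(b"<html>hello</html>", b"text/html") +
          http_response(VARIANT) + http_response(BENIGN))

# --- phase (b): assemble executables from observed traffic ---
def carve_http_bodies(stream: bytes):
    """Yield the body of each HTTP/1.x response that declares a Content-Length."""
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        hdr_end = stream.find(b"\r\n\r\n", start) if start >= 0 else -1
        if start < 0 or hdr_end < 0:
            return
        length = None
        for line in stream[start:hdr_end].decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        if length is None:          # chunked/unknown length: not handled in this example
            return
        body_start = hdr_end + 4
        yield stream[body_start:body_start + length]
        pos = body_start + length

def is_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# --- phase (a) stand-in: exact signatures; phase (c) stand-in: similarity scoring ---
KNOWN_HASHES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}

def byte_ngrams(blob: bytes, n: int = 4) -> set:
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}

KNOWN_PROFILE = byte_ngrams(KNOWN_MALWARE)

def similarity(blob: bytes) -> float:
    """Jaccard similarity of the blob's byte 4-grams to the known-malware profile."""
    grams = byte_ngrams(blob)
    return len(grams & KNOWN_PROFILE) / len(grams | KNOWN_PROFILE)

def classify_stream(stream: bytes, threshold: float = 0.6) -> list:
    """Return (sha256 prefix, verdict) for each executable carved from the stream."""
    verdicts = []
    for body in carve_http_bodies(stream):
        if not is_pe(body):
            continue
        digest = hashlib.sha256(body).hexdigest()
        if digest in KNOWN_HASHES:
            verdict = "known-malware"              # caught by the signature stage (a)
        elif similarity(body) >= threshold:
            verdict = "suspected-variant"          # new hash, but close to known malware (c)
            KNOWN_HASHES.add(digest)               # phase (d): publish as a new signature
        else:
            verdict = "unknown-clean"
        verdicts.append((digest[:12], verdict))
    return verdicts

if __name__ == "__main__":
    for digest, verdict in classify_stream(STREAM):
        print(digest, verdict)
```

Running the classifier twice over the same stream shows the effect of phase (d): on the first pass the repacked variant is flagged only by similarity, on the second its hash is already in the signature set. In a real NSP deployment the carver would have to handle chunked transfer encoding, compression and non-HTTP carriers, and the similarity stage would be the ensemble of learned detectors rather than one Jaccard score.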
Critical Infrastructures communicate with each other over the public web and their
communication patterns form an Inter-CI overlay network. Overlay networks [14] can
be used to model both attack propagation channels as well as legitimate data exchange.
Knowledge of extant overlay networks is useful for network security personnel in fine-
tuning security appliance deployment according to the expected communication
patterns that are determined by application usage. Acquiring the structure of overlay
networks, however, is a challenging task due to the absence of information on "who
communicates with whom".
Therefore, there is a need to protect the overlay network formed by CI, and this
can be achieved by securing either the overlay network or the underlying NSP network
or both. A conceptual diagram of the overlay network and the underlying NSP network
with Distributed Intrusion Detection Systems (DNIDS) is depicted in Figure 3.
Figure 4. Pinpointing the Central Node (with and without taking into account the overlay network): (a) CI overlay network; (b) R5 is the central node when the overlay network is not taken into account.
The aforementioned overlay approach will provide cleaner traffic for CIs in a cost-
effective fashion. Like the centralised approach, it will reduce the number of Internet
users connected to the overlay network that can be used for launching cyber-terror
attacks. As customers of the NSP infrastructure, CIs will therefore be better protected
from cyber attacks.
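The "pinpointing the central node" step of this approach, as an added example that is not part of the original chapter: on a constructed NSP topology (not the chapter's Figure 4) it computes the betweenness centrality [15] of every router twice, once over shortest paths between all nodes and once over shortest paths between CI sites only, i.e. the overlay's "who communicates with whom". The hub router comes out on top in the first case while an edge router carrying the CI-to-CI traffic comes out on top in the second, which is the router where a filtering device protects the overlay at least cost. Router and CI names are invented.

```python
from collections import defaultdict, deque
from itertools import combinations

# Constructed NSP topology: R5 is a hub with five spokes, R1-R2 is a direct link,
# and three CI sites hang off the edge routers R1 and R2. Names are invented.
ROUTERS = ["R1", "R2", "R3", "R4", "R5", "R6"]
CIS = ["CI_A", "CI_B", "CI_C"]
LINKS = [("R5", "R1"), ("R5", "R2"), ("R5", "R3"), ("R5", "R4"), ("R5", "R6"),
         ("R1", "R2"), ("CI_A", "R1"), ("CI_C", "R1"), ("CI_B", "R2")]

def build_adjacency(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj

ADJ = build_adjacency(LINKS)

def bfs(adj, src):
    """Hop distance and number of shortest paths from src to every reachable node."""
    dist = {src: 0}
    sigma = defaultdict(int)
    sigma[src] = 1
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
            if dist[w] == dist[u] + 1:
                sigma[w] += sigma[u]
    return dist, sigma

def betweenness(adj, endpoints, candidates):
    """Betweenness of each candidate router, counting only shortest paths between
    pairs of `endpoints`: all nodes = plain topology, CI nodes = overlay-aware."""
    paths = {s: bfs(adj, s) for s in endpoints}
    score = {v: 0.0 for v in candidates}
    for s, t in combinations(endpoints, 2):
        d_s, sig_s = paths[s]
        d_t, sig_t = paths[t]
        if t not in d_s:
            continue                      # disconnected pair
        for v in candidates:
            if v in (s, t) or v not in d_s or v not in d_t:
                continue
            if d_s[v] + d_t[v] == d_s[t]:  # v lies on at least one shortest s-t path
                score[v] += sig_s[v] * sig_t[v] / sig_s[t]
    return score

def central_router(score):
    return max(score, key=score.get)

def topology_only():
    """Centrality when the overlay is ignored: every node talks to every node."""
    return betweenness(ADJ, list(ADJ), ROUTERS)

def overlay_aware():
    """Centrality restricted to the CI-to-CI communication pattern."""
    return betweenness(ADJ, CIS, ROUTERS)

if __name__ == "__main__":
    print("topology only:", central_router(topology_only()), topology_only())
    print("overlay aware:", central_router(overlay_aware()), overlay_aware())
```

With the overlay ignored the hub R5 scores highest (it sits on every path between the spokes), but none of the CI-to-CI paths cross it: they run over the R1-R2 link, so the overlay-aware scores select R1. The same computation on a real topology needs the NSP's link map plus the inter-CI flow records that the chapter notes are hard to obtain.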
3. Detection of Botnets
The underlying idea of this approach is to closely monitor the computers, servers, and
other computerised devices used by CIs, and to identify those that have been
unknowingly infected with malware that could later be used by an attacker
to launch DDoS attacks. Whenever an infected computer is detected by a backend
analysis system, the user is guided on how to remove the relevant malware, or the
infected computer is disconnected from the network.
Figure 5 (a) depicts the first stage, where measurements of system- and application-
level features of the monitored computer are extracted by a distributed agent and
forwarded to the backend system for deeper analysis by an ensemble of plug-ins. The
votes of the various plug-ins are meshed into a single diagnosis regarding the status of the
monitored computer: infected or non-infected. Figure 5 (b) and (c) depict the possible
outcomes after meshing the recommendations of the ensemble of plug-ins.
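The agent-plus-ensemble scheme of Figure 5, as an added example that is not the chapter's own code: four rule-based plug-ins (beacon regularity, outbound-connection volume, NXDOMAIN ratio, unsigned new processes; every threshold and weight here is an assumption) vote on constructed host telemetry, and the weighted votes are meshed into one of three outcomes, infected, clean, or undetermined, the last covering the case where the plug-ins disagree and the host should stay under observation rather than be disconnected. The same meshing step would serve phase (c) of the centralised NSP pipeline in section 1.

```python
import statistics

# Constructed telemetry snapshots as a distributed agent might report them over one
# observation window (synthetic values, not real hosts).
HOSTS = {
    "ws-017": {"conn_times": [0, 60, 120, 180, 240, 300, 360, 420, 480, 540],
               "outbound_connections": 850, "dns_queries": 200, "dns_nxdomain": 120,
               "unsigned_new_processes": 2},
    "ws-042": {"conn_times": [3, 71, 92, 305, 410, 522],
               "outbound_connections": 40, "dns_queries": 90, "dns_nxdomain": 2,
               "unsigned_new_processes": 0},
    "ws-088": {"conn_times": [5, 60, 130, 201, 300, 420],
               "outbound_connections": 700, "dns_queries": 60, "dns_nxdomain": 25,
               "unsigned_new_processes": 0},
}

# Each plug-in returns +1 (infected) or -1 (clean). All thresholds are assumptions.
def beaconing_plugin(h):
    """Regularly spaced outbound connections (low jitter) suggest C&C beaconing."""
    t = sorted(h["conn_times"])
    gaps = [b - a for a, b in zip(t, t[1:])]
    if len(gaps) < 5:
        return -1                       # too few samples to call it periodic
    cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    return 1 if cv < 0.1 else -1

def connection_burst_plugin(h):
    """Flood-like outbound volume, the DDoS launch-pad symptom."""
    return 1 if h["outbound_connections"] > 500 else -1

def dns_failure_plugin(h):
    """High NXDOMAIN ratio is typical of domain-generation algorithms."""
    if h["dns_queries"] < 50:
        return -1
    return 1 if h["dns_nxdomain"] / h["dns_queries"] > 0.3 else -1

def process_plugin(h):
    return 1 if h["unsigned_new_processes"] > 0 else -1

PLUGINS = {  # name: (function, weight)
    "beaconing": (beaconing_plugin, 2.0),
    "conn_burst": (connection_burst_plugin, 1.0),
    "dns_failures": (dns_failure_plugin, 1.5),
    "new_processes": (process_plugin, 1.5),
}

def diagnose(h, margin=0.5):
    """Mesh the plug-in votes into one diagnosis: infected / clean / undetermined."""
    votes = {name: fn(h) for name, (fn, _) in PLUGINS.items()}
    total = sum(w for _, w in PLUGINS.values())
    score = sum(PLUGINS[n][1] * v for n, v in votes.items()) / total  # in [-1, 1]
    if score >= margin:
        verdict = "infected"       # disconnect, or guide the user to remove the malware
    elif score <= -margin:
        verdict = "clean"
    else:
        verdict = "undetermined"   # plug-ins disagree: keep monitoring, escalate to an analyst
    return {"verdict": verdict, "score": round(score, 3), "votes": votes}

if __name__ == "__main__":
    for name, telemetry in HOSTS.items():
        print(name, diagnose(telemetry))
```

The margin is what separates outcomes (b) and (c): a host with a single strong indicator (ws-088 only shows a connection burst and DNS failures) is neither cleared nor disconnected, which avoids taking a CI workstation offline on one noisy feature. In practice the plug-ins would be learned detectors and the weights calibrated on labelled data rather than fixed by hand.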
References
[1] T. G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation
(Hardcover), Wiley, Hoboken, New Jersey, 2006.
[2] R. Radvanovsky, Critical Infrastructure: Homeland Security and Emergency Preparedness, CRC Press,
Boca Raton, Florida, 2006.
[3] U. S Government Accountability Office, Critical Infrastructure Protection, 2008. Available from:
http://www.gao.gov/new.items/d081157t.pdf
[4] S. Flynn, The Edge of Disaster: Rebuilding a Resilient Nation, Random House, New York, 2007.
[5] M. Amin, Toward self-healing energy infrastructure systems, Computer Applications in Power, IEEE,
14 (1), (2001), 20-28.
[6] L. Janczewski, A. M. Colarik, Managerial Guide for Handling Cyber-Terrorism and Information
Warfare, Idea-Group, 2005.
[7] C. Wilson, Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,
CRS Report for Congress, 2008.
[8] NCSA Study, http://www.staysafeonline.info/pdf/safety_study_2005.pdf.
[9] Symantec Internet Security Threat Report (January-June 2004), www.symantec.com.
[10] The Danger of Spyware, Symantec Security Response. www.symantec.com, June 2003.
[11] Symantec 2006 Security Report. www.symantec.com.
[12] J. S. Tiller, The Ethical Hack: A Framework for Business Value Penetration Testing, CRC Press, Boca
Raton, Florida, 2003
[13] Y. Elovici, A. Shabtai, R. Moskovitch, G. Tahan, C. Glezer, Applying Machine Learning techniques for
detection of malicious code in network traffic, The 30th Annual German Conference on Artificial
Intelligence (KI-2007), Springer, LNCS 4667, 44-50, Osnabrueck, Germany, September 10-13, 2007.
[14] S. P. Gorman, L. Schintler, R. Kulkarni, and R. Stough. The revenge of distance: Vulnerability analysis of
critical information infrastructure. Journal of Contingencies and Crisis Management, (2004), 12:48-63.
[15] L. C. Freeman. Centrality in social networks conceptual clarification. Social Networks, 1 (1979),
215-239.
Section 2.2
Police and Military Force Operations
and Approaches
Modelling Cyber Security: Approaches, Methodology, Strategies 153
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-153
Service
Abstract. The Postal and Communications Police Service is the central agency of
the Italian National Police that has been entrusted with the prevention of and
response to the various and multiple forms of cyber crime; approximately 2000
officers are located throughout the Italian territory. The protection of national
critical information infrastructures (hereafter C.I.I.) that support and operate the
vital points of the community has recently been added to its competences. The
possibility that the security of a country may be compromised by cyber attacks on
C.I.I. of a terrorist or criminal nature represents a real threat that is presently felt at
both the national and international level. In Italy, in particular, a twofold solution
had to be reached; firstly, the prevention of and response to any type of cyber
crimes against C.I.I. computer systems and networks; secondly, the exclusive
assignment of this task to a specialized agency. In fact, art. 7 bis of Law 155 of
31.07.2005 states that the exclusive competence of protecting the critical
information infrastructures of national relevance is devolved upon the Postal and
Communications Police Service. Following the enactment of the Minister of the
Interior's Decree on 09.01.2008, a National Cyber Crime Centre for the Protection
of Critical Information Infrastructures (Italian acronym, CNAIPIC) was instituted
within the Postal and Communications Police Service. This Centre is equipped
with high technology resources and staffed with highly skilled personnel, and will
be the sole office in charge of the prevention of and response to cybercrimes
(common crimes, organized crime and terrorism) targeting national critical
information infrastructures that have institutional functions or provide operating or
controlling services strategic to the security and prosperity of the country.
Introduction
The information society we live in relies essentially on computer science. In fact, all
the processes necessary to its operation are created and managed by means of
electronic tools and information networks.
154 D. Vulpiani and S. Staro / Protecting Critical Information Infrastructures
Those processes whose suspension could cause the disruption of the normal course
of life in a country are considered to be critical. These processes are characterised by an
increasing level of interdependence and interconnection, and therefore the companies and
institutions that own the systems and networks related to those services are considered
to be critical information infrastructures.
The possibility that the security of everyday life in a country may be compromised
by attacks on critical infrastructures, whether of terrorist or criminal nature, is now a
real threat.
This scenario necessitates that a tangible and effective logic in the way governance
is applied take all possible threats and attacks on a system’s security and its related
interests and values into account. The origin of attack may come from common crimes,
organised crime, or terrorist and subversive criminal phenomena.
The threat, endangerment, or destruction of such a technological system including
the illegal removal of data and information utilised by the system, in order to gain an
immediate profit (regardless of their intrinsic value), or using them improperly for
other purposes, today represent the criminal conducts that expose the security and
prosperity of the social system as a whole to the greatest dangers.
Just as with the advances in technology, the approach to security has undergone a
radical change.
In this regard, the approach employed by the Postal and Communications Police
Service (hereinafter referred to as PCPS), by virtue of its particular skill in preventing
and combating cybercrime, is designed to achieve two fundamental objectives:
• the protection of "technological infrastructures", which, on the network, have
a strategic importance for the security and prosperity of a country;
• the protection of network "users" and the assets they entrust every day to
information infrastructures, with particular reference to crimes relating to the
exploitation of children, identity theft and internet fraud.
systems of the critical infrastructures of national interest to the PCPS, by virtue of their
special skill 1.
For that reason, a National Cyber Crime Centre for the Protection of Critical
Information Infrastructures (CNAIPIC)2 has been established within the PCPS; this is a
type of privileged emergency service that, through exclusive and secure connections,
shall receive and transmit information and data relevant to the prevention of and
response to cyber threats and attacks on the systems of national critical infrastructures.
The Minister of the Interior3, by means of a decree, has also taken measures to
identify the national critical infrastructures that would benefit from the protection
services provided by the CNAIPIC. Furthermore, the Department of Public Security
has promoted, and continues to promote, together with public and private bodies that
provide services considered essential for our nation, a number of agreements designed to
establish shared protocols for staff training and for the actions to take in the event of
computer incidents. The Department works in close cooperation, through the
exchange of information, with other bodies involved in the protection of critical
infrastructures at the national and international level.
The CNAIPIC can also make use of particularly effective investigative tools,
typically used in the fight against terrorism, such as undercover investigations on the
internet and the preventive interception of internet and computer communications4.
As a matter of fact, in 2008 the CNAIPIC has:
• detected 228 cyber attacks on national critical information infrastructures;
• monitored 4712 websites;
• submitted 851 reports concerning the attacks or threats detected;
• and, finally, started 64 investigations on this phenomenon.
2. The Protection of Internet Users: The National Centre for Combating Child
Pornography Online (CNCPO) and the On-line Police Station (Commissariato
Virtuale)
Traditional forms of crime have evolved into and expanded to incorporate the concept
of computer crime and computer related crime. These are namely criminal phenomena,
where information and communication technology plays a leading role within the legal
1 Art. 7 bis, paragraph 1, of Law 155 of 31.07.2005, which has converted the L.D. 144 of 27.07.2005 with
amendments, states as follows: "…being understood the competencies of information and security services,
set forth in articles 4 and 6 of Law 801 of 24.10.1977, the agency of the Ministry of the Interior in charge of
the security and regularity of telecommunication services shall also provide the protection of critical
information infrastructures of national interest, identified by decree of the Minister of Interior, through
privileged connections regulated by means of appropriate agreements with the owners of the infrastructures
concerned".
4 Art. 7 bis, paragraph 2, of the aforementioned Law 155 of 31.07.2005 states as follows: "For the purposes
referred to in paragraph 1 and for the prevention of and response to terrorist activities and activities
encouraging terrorism carried out by means of computer tools, the police officers serving with the agency
indicated in paragraph 1 may perform the activities set forth in art. 4, paragraphs 1 and 2 of L.D. 374 of
18.10.2001, converted with amendments by Law 438 of 15.12.2001, and those set forth in art. 226 of the
implementing, coordinative and transitional provisions of the Code of Penal Procedure, described in L.D.
271 of 28.07.1989, also upon request or in cooperation with the law enforcement agencies therein".
system, both as the legally acknowledged and protected target of the illegal action and
as the tool used to commit the offence.
Against the background of this new criminal scenario, some well-known figures of the
Italian crime and terrorism panorama, such as Totò Riina, Raffaele Cutolo, Morucci
and Renato Curcio, may rightly be replaced, in the popular imagination, by enterprising
computer experts who, although very young and organised in loosely structured groups,
have the same ambitions and determination as their predecessors.
It is necessary to take into account the extent of the Internet population,
represented by millions of users, to get an idea of how serious the criminal impact
might be on the so-called "global village".
According to data provided by ISTAT (Italian Statistics Institute), the use of
computers and the internet by young people has exponentially increased in all age
groups, and about 70% of 14-year-olds use them on a daily basis. This figure, although
encouraging and satisfying in some respects, for the obvious positive impact on the
social and cultural growth of our children, in others requires us to raise the security
threshold to ensure that they and, more generally, the weakest individuals of our
society, do not become victims of cyber criminals while surfing the net.
Online child pornography, internet fraud, hacking, distribution of malicious code,
credit card cloning, release of original works in violation of copyright laws, spamming,
and phishing are all new crimes that threaten the community and the assets related
thereto.
In order to counter such a widely diffused criminal phenomenon, an equally
comprehensive strategy is necessary.
For each of the aforementioned offences, not to mention the many others, the
PCPS conducts various activities of cybercrime prevention and response. It does this
with a staff of approximately 2,000 operatives that are divided into specialised units
distributed across the country (20 regional departments and 76 provincial sections) and
coordinated by the headquarters in Rome (the Service).
The protagonists of this new approach are the National Centre for Combating
Child Pornography Online (CNCPO) and the On-line Police Station (Commissariato
Virtuale).
These two functional units within the PCPS are responsible for monitoring
criminal phenomena that, just as for terminal patients, are “treated” through constant
specific response actions.
The CNCPO was established by Law 38 of 6 February 2006, concerning
"Provisions on combating the sexual exploitation of children and child pornography
5 In fact, art. 19 of the above mentioned Law 38 of 06.02.2006 provides that, after art. 14 of Law 269 of
03.08.1998 on "Provisions against the exploitation of prostitution, pornography, and sexual tourism to the
detriment of children, as new forms of slavery", is added to art. 14 bis, entitled "National Centre for
Combating Child Pornography on the Internet", which states:
"1) A National Centre for Combating Child Pornography on the Internet, hereinafter referred to as the
"Centre", is established within the agency of the Ministry of Interior indicated in paragraph 2 of art. 14, with
the task of gathering all reports, also coming from foreign law enforcement agencies and from private and
public bodies involved in the fight against child pornography, relating to websites disseminating, by means of
the internet and other communication networks, material resulting from the sexual exploitation of children,
as well as the operators and the possible beneficiaries of payments. All police officers are obliged to transmit
these reports. Without prejudice to the actions and determinations of the J.A., in case of positive feedback the
website reported, as well as the names of any possible operator and beneficiary of payments, shall be
included on a list to be continuously updated.
2) The Centre takes advantage of the existing human, financial and instrumental resources. The constitution
and the operation of the Centre should not bring about new or increased burdens on the State budget.
3) The Centre shall notify the Presidency of the Council of Ministers - Department for equal opportunities –
of all information and statistics relating to child pornography on the Internet, useful for the preparation of
the National Plan for the prevention of and response to paedophilia and the annual report referred to in art.
17, paragraph I".
6 This procedure is governed by art. 14 quater of Law 269 of 03.08.1998, as introduced by the above
7 This obligation is set forth in. art. 14 ter of Law 269 of 03.08.1998, also introduced by the above mentioned
8 The procedures in question are governed by art. 14 quinquies of Law 269 of 03.08.1998, also introduced by
websites and their users, and a constant response activity using exclusive undercover
techniques9.
Over the past six years, in fact, through complex investigations conducted by
police officers specialised in computer science, electronics, telecommunications and
psychology, 4450 subjects have been identified and reported to the J.A., and 238 have
been arrested.
In our country 177 child pornography websites have been discovered and
inhibited, while 10,977 more sites with the same contents, whose servers were located
abroad and unreachable by the Italian justice system, were reported to the competent
foreign law enforcement agencies.
From the operational-investigative point of view, the growth of cybercrime has
required a review of the strategies used to fight this phenomenon, thus highlighting the
need for forms of closer cooperation among police agencies in the world, and the need
for shared technological tools of investigation.
Essentially, in order to achieve more satisfying results we need to move beyond
investigative approaches that are excellent but not homogeneous, and adopt more
coordinated, accurate and harmonised strategies, all the while respecting the autonomy
of each single State.
The indispensable requirements for this change to take place are:
• Standardised international regulations;
• shared course of action;
• real-time constant exchange of data and information;
• and, above all, common software using the same "language".
In our country, the attention given by the legislator to cybercrime has always been
prompt and effective. As a matter of fact, the Italian legal framework has been
supplemented with regulations in line with the evolution of this criminal phenomenon
since 199310, the year when provisions intended to punish cybercrimes were
introduced into our legal system.
At the international level, by signing the Convention on Cybercrime11 in Budapest on
23 November 2001 and subsequently ratifying it, Italy came to the forefront of the
prevention of and response to cybercrime.
As for the shared investigative software, an important role can be played by private
industries; in particular, Microsoft developed the Child Exploitation Tracking System
(CETS) following the suggestions and indications of various law enforcement agencies,
including the Italian police force. This has created an international police network to
9 In fact, art. 14 paragraph 2 of Law 269 of 03.08.1998 states: "As part of the tasks pertaining to
telecommunication policing, as defined by the decree referred to in art. 1, paragraph 15 of Law 249 of
31.07.1997, the agency of the Ministry of the Interior entrusted with the security and regularity of
telecommunication services shall perform, upon reasoned request of the J.A., the activities necessary to
respond to the crimes, referred to in art. 600-bis, par. 1, art. 600-ter, par. 1, 2 and 3, and art. 600-quinquies
of the Penal Code, committed through the use of computer systems, or telematic means of communications or
telecommunication networks publicly available. For this purpose, the personnel in charge can use covert
data even to activate websites, implement and run communication areas or exchange on networks or systems,
or to participate therein. The above mentioned specialised personnel performs for the same purpose the
activities described in paragraph 1 also via the internet".
10Law 547 of 23.12.1993 concerning "Amendments and additions to the Penal Code and Penal Procedure
Code regulations on Cybercrime".
160 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-160
Abstract. The theme of the discussion is very topical due to the fundamental role
that cybernetics and data transmission play in our everyday life. Often, each
technological innovation brings, along with the benefits, risks for society at large.
The Carabinieri are working in today's global scenario, sure that the only effective
way to fight terrorism is through the concerted, coordinated and cooperative efforts
of all possible resources, in the areas of intelligence and investigations, where the
control of the territory, both real and virtual, plays a pivotal role.
Introduction
I would like to thank Professor Gori for giving me the opportunity to illustrate in this
prestigious setting the efforts of the Italian Carabinieri Corps in the fight against
terrorism in Cyberspace.
The theme of today's discussion is very topical due to the fundamental role that
cybernetics and data transmission play in our everyday life. Frequently, each
technological innovation brings with it not only benefits but also risks for society at large. The
threat which comes from the illicit use of the Internet does not stop at the most obvious
effects of "cyber-crime", such as tele-fraud and the presence of child pornographic sites
on the net. The potential offered by the internet has in fact been used by terrorist
groups of different natures, means and ideologies, to various ends: to obtain visibility, to
maintain high levels of intimidating pressure through the media, to organise activities,
to search for information, and to recruit new members. These strategies have been
confirmed and demonstrate the rising use of the web by internal subversive and
international organisations to plan and carry out attacks, to pass documents between
members and to sustain public "campaigns".
Analysis of extremist projects revealed a steady increase in the use of Information and
Communication Technology by the Marxist-Leninist Italian organisation, “the Red
Brigades” and by the pro-anarchist wing of internal subversive groups.
The Red Brigades of the Combatant Communist Party (B.R.-P.C.C.) claimed
responsibility for the murder of Marco BIAGI (killed on March 19, 2002 in Bologna),
in an e-mail sent from a mobile telephone to several hundred addresses.
The Federazione Anarchica Informale (FAI), or Informal Anarchist Federation, an informal militant group, may be the most dangerous group in Italy. From the first terrorist attacks, which took place in Bologna, Italy, at the home of the former President of the European Commission, Romano Prodi, in December 2003, the Internet was used as a means of communication between the local members of the group to
G. Cataldo / Fighting Terrorism in Cyberspace 161
spread its plans and organise the attack. Thanks to the Internet, the group was able to organise a well-ordered structure.
2. International Terrorism
For international terrorism, the web has become of crucial importance in maintaining
contact and giving orders to the cells situated in different locations across the globe.
During Operation “Tracia”, which was conducted against a Kurdish organisation (DHK-PC) active in Turkey, the Carabinieri Corps was able to demonstrate that the operational cells, one of which was located in Italy, used the Internet to exchange encrypted and camouflaged files. It was necessary to analyse the encryption program in order to isolate parts of the key, after which a so-called ‘brute force’ attack to recover the password was carried out. The Internet was also used to disseminate proclamations taking responsibility for the attacks; these were sent from Perugia, Italy, to a newspaper editor in Turkey.
The investigation that was opened after the terrorist attack in Nasiriya verified that
the internet was also used by the terrorists in charge of this criminal act. Many open
sources, in particular websites that specialised in Islamic terrorism, had given out
information on the presence of an Abu Musab Al Zarqawi file entitled “Winds of
Victory” that was circulating on the internet. The video, produced by the “Section for
Propaganda” of the “Jamaa al Tawhid wal Jihad” (Monotheism and Holy War Group)
explained the religious ritual that was adopted by the “martyrs” to prepare themselves
for suicide missions targeting the American and Coalition Forces in Iraq. On one hand,
the document publicised the operational capacity of the organisation and encouraged
the inflow of mujahiddin to Iraq. On the other hand, through the violence and brutality
of the message, the document was intended as a warning to its enemies. At the same
time, the movie explained the religious rituals that were celebrated by “shahid” before
their suicide missions against the civilian or military targets selected by the
organisation. Actions in the various scenes reflected the preparation of the attacks, the
moments that preceded them, the distance covered by the “shahid” up to destination
and the explosion at the target object of the attack.
Among the terrorist acts listed in the movie, we found the attack on the military base “Maestrale” on 12 November 2003, and the one against the headquarters of the UN in Baghdad on 19 August 2003.
The multitude of possibilities that cyberspace offers are exploited by international
terrorist groups that use the web as a means to asymmetrically spread conflict from its
traditional, physical battleground to the virtual territory of cyberspace.
The Net has proven to be an efficient instrument for communication, recruitment, financing and training. These groups frequently take advantage of the so-called “deep-web”1, in other words, the use of compressed files that are not normally detectable with the usual search engines and whose access is limited to users who possess the relevant keywords and knowledge of the specific information pathways.
We need not forget, in fact, that for terrorism to develop on an international scale, the media are an essential element. Frequently, the very act of media reporting is exploited as a form of propaganda by terrorist groups, in that by covering events, the media are able to rapidly reach an unlimited number of people, thus publicising the success or failure of an attack, or simply allowing the terrorists to see the effect that their actions have had. In this way, the traditional media, such as television and radio, are among the tools that, while used to influence the public (in this case, a passive spectator), do not guarantee interaction with the organisation. On the contrary, the Internet can be the point of interactive convergence for militants, who gather on the web in a "virtual sanctuary", which enables them to communicate without high risks and find training and indoctrination manuals. Therefore, the Internet can easily be used in compliance with terrorist logic because it can be used to radicalise, to recruit and to train activists.
1 “Deep web” is used to avoid normal checks or controls and is based upon compressed and hidden files. Log-in is limited, and it is necessary to know passwords or specific paths to access the information.
The Internet has become an essential tool, for the strategy of Al Qaeda in particular. The strategy is essentially to engage the countries of the Western world in a “permanent jihad”, or long-term war, in multiple crisis theatres, with the ultimate intention of eroding the sense of security and destroying alliances in the targeted countries.
The Net perhaps represents the main tool with which Al Qaeda’s ideology can be spread to achieve a sort of “jihad of the word”. It is the way through which a doctrinal, psychological and terminological manipulation of the holy texts and tradition may be used to motivate suicide attackers, the protagonists of the so-called “jihad of the sword” against the West.
The interest of the Al Qaeda terrorist organisation in the media sector is confirmed by the increasing quality of its audio and video products. These are often tailored to the different people they are targeting, and present international events in such a way as to demonstrate the supposed Western design to persecute the Islamic world.
The primary efforts made have been in the fields of propaganda and indoctrination. They are aimed at the radicalisation of the Islamic community in both countries of Muslim faith and the West, and often specifically target young people. In addition, European countries are also facing the threat of “home-grown” terrorism. What is “home-grown” terrorism? It is a form of terrorism which primarily involves “second generation” immigrants who, although perfectly integrated into society and not participating in fundamentalist groups, are driven by intimate and personal convictions and religious pressures to act in the name of the Islamic ideal. This form of terrorism recruits its members mostly within the heterogeneous components of the virtual community that wish to partake in acts of violence and which use the web to strengthen and reinforce their contacts and ties.
Through the use of the Internet, fundamentalist terrorism has attempted to influence public opinion and the political resolutions of governments, while conducting kidnappings in theatres of crisis. In February 2006, the Net was used to direct protest demonstrations in different Muslim countries against the publication of political cartoons in some European newspapers, which were claimed to be blasphemous towards the Islamic religion.2 Recently, the announcement of the possible broadcast of an anti-Koran video on the web was enough to cause apprehension and fear of possible violent reactions.
3. Fighting Cyber-terrorism
Specialised units of the Carabinieri are engaged in the fight against cyber terrorism and are trained in the use of the latest telecommunication interception technology. This monitoring activity made it possible to identify and locate Internet sites where the visitor is invited to join an “electronic jihad”, in other words, the attack and destruction of websites considered to spread messages that are offensive to Islam. This kind of propaganda has the potential to develop into concrete acts of information sabotage.
2 In Denmark, on February 12, 2008, three persons suspected of being involved in the organisation of the
The info-investigative activities that were conducted by monitoring the net
revealed how the terrorist cells are composed and how they disseminate their lessons.
Documents have been uncovered regarding precise indications of the organisation of a
terrorist attack involving explosives, as well as the successful execution of ICT
exploits.
In the security system, no single police force or intelligence agency is exclusively in charge of monitoring Internet sites containing terrorist content. An active contribution aimed at prevention is made by each police force and intelligence agency within its own competence.
Apart from the role played by the Judicial Authority in the investigation,
coordination in the prevention phase is managed by the Minister of the Interior, through
the National Authority for Public Security, which uses the Anti-terrorism Strategic
Analysis Committee.
In this committee, positive synergy is reached between the various institutions in charge of developing action to fight terrorism. These actions are decided in weekly joint meetings between the Central Director of the Prevention Police, the Chief of the II Division of the Carabinieri General Headquarters, delegates from the directors of AISI3 and AISE4 (the two Italian intelligence services), a representative of the Department of Penitentiary Administration and an officer of the General Headquarters of the Guardia di Finanza (Anti-Fraud Force). During the meetings, particular attention is paid to monitoring Jihadist sites.
While monitoring activities are carried out during the preventive and informative
police activities and before investigations, an internet site may be shut down only after
a judicial decision has been made. This can happen only once an investigation has
verified the presence of illicit contents on the site.
The use of the Internet by terrorist groups is considered a concrete threat for the security of the European Union as well. Therefore, the European Police Office (Europol) has, since 2006, run a specific project, “Check the web”, in order to raise the levels of police cooperation in this sector. The goal is to establish a form of common analysis and consequently a common approach to fighting terrorism. The Carabinieri actively take part in this project.
This is not a spontaneous initiative, but a decision that was taken in conformity with the Force’s institutional objectives, which are to increase the levels of control over the territory, in a virtual sense (like cyberspace), and to increase investigative quality.
In this fight against terrorism, activities must be directed in such a way as to prevent the biased use of the web; the error of associating or confusing the Islamic world with terrorism must be avoided. In this type of struggle, we must acquire familiarity with the different actors, not only from the intelligence point of view but also from a cultural one.
However, technology is not enough; human resources capable of fighting these activities are essential and must be developed. For this reason, many specific courses of varying levels have been organised to learn the Arabic language and culture, and these include internships in Qatar and Tunisia.
3 AISI - Agenzia Informazioni e Sicurezza Interna, the Italian Internal Information and Security Agency
4 AISE - Agenzia Informazioni e Sicurezza Esterna, the Italian Foreign Information and Security Agency
This is the perspective in which the Carabinieri are moving in today’s global scenario, sure that the only effective way to fight terrorism is through the concerted, coordinated and cooperative efforts of all possible resources, in the areas of intelligence and investigations, where the control of the territory, real and virtual, plays a pivotal role.
Modelling Cyber Security: Approaches, Methodology, Strategies 165
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-165
Abstract. Just as with the air and maritime domain - namely those geostrategic spaces where police authorities are unable to carry out law enforcement activities independently without military assistance - cyberspace could also become the object of military attention, from the moment that, like the other two, it is an environment where adversarial activities can be carried out by state or state-sponsored actors within the framework of international controversies among states. Due to the fact that the military was the first public sector to take serious steps toward ensuring adequate levels of security on its IT systems, and therefore holds an advantage in this field, military participation in questions of cyber security at the national and international levels could potentially be beneficial for all state agencies concerned with security issues of this nature.
Introduction
The most recent Declaration on Alliance Security (DAS), issued by the NATO Heads of State and Government at the end of the Strasbourg-Kehl summit in April 2009, has included cyber attacks among the “new, increasingly global threats” which our nations and the world are facing, together with terrorism, the proliferation of weapons of mass destruction, and their means of delivery.
Some sceptics may remark that such a phrase takes us one step closer to a sort of dangerous snowballing of the cyber security issue, which began when the Estonian IT networks were first attacked a few years ago. The fact that both commercial and state-owned networks were hit hard, temporarily bringing not only these networks but also the nations themselves to their knees, has, quite understandably, deeply worried all NATO statesmen, fearful of finding their own nations under similar pressures, which could hit them at particularly sensitive moments of their political or economic life. Thus, the DAS has been drafted with the inclusion of this new, strong and almost bellicose wording on cyber attacks.
These concerns, though, are further complicating a situation where – it is sad to say – strategic mistakes, outlined below, have piled up to such an extent that the whole problem may be likened to a Gordian knot, difficult to untangle without cutting it in one straight and direct move.
It is fair to say that when the impulse to use the extensive resources made available by Automatic Data Processing within a network context became incessant, the private and public sectors decided to maximise the exploitation of these new possibilities. This was, of course, natural for individuals, who found in the Internet a new and most convenient way to communicate with others. This new impulse to use the Internet as a means of communication was especially motivated by the inherent limitations of the classical mail system and the telephone (fixed or cellular).
166 F. Sanfelice di Monteforte / Cyberspace Control: How to Avert a Cyber World War
This novelty was indeed extremely promising, also for profit-seeking corporations, such as industries, banks and contractors, for a variety of reasons. Primarily, it allowed them to increase their efficiency, to simplify their structure, to hire fewer employees, as well as to achieve an easier and more effective customer-provider relationship.
It is worth mentioning, however, that both these kinds of actors, by adopting the
networked approach, were fully aware that there were naturally some risks that would
come with such a choice. The service was provided, in fact, by a number of
commercial firms, which operated within the free-market space. They were thus
exposed to the dangers that are linked to the possibility that someone could use
countermeasures to check and slow their success, as well as to try to exploit the new
facilities, for petty or major criminal purposes, at the customers’ expense.
Government bodies throughout the world were also quick to discover that these new and revolutionary electronic tools were instrumental in dramatically enhancing their effectiveness. Unfortunately, due to both budget restrictions and an inability or lack of determination to rapidly modernise their structures, many governments decided to forego operational security and to walk along the slippery road of “Commercial Off-The-Shelf” (COTS) systems. Another reason for which governments were hesitant to make the necessary investments was that these systems were undergoing such significant improvements, every two to three years, that governmental procurement procedures would never have been able to keep pace with the ongoing progress.
The predictable overall result of such widespread favour for these COTS systems, by a multitude of entities, has been the consequent bonanza for spies, jammers, hackers – namely those willing to undermine the credibility of existing networks – and all those having a vested interest in muddling the cyber-waters, be they sponsored by other states or acting as industrial corporations, individual adventurers and businessmen. All of them have enjoyed the great advantage of being able to acquire on the market the very same systems as their intended victims, and have therefore been able to study their weaknesses and vulnerabilities in depth before acting at the chosen moment.
It is fair to say that, in the field of cyber security, state actors avail themselves of
two technical approaches in particular. The first is to have a good encryption system
put in place. Encryption is coupled with the use of specially hardened computers (to
make them more resistant to external intrusion), and, in addition, those networks that
handle sensitive data and information are physically separated from the greater
network. Nevertheless, not everybody can implement this complicated and expensive
approach; many, therefore, will necessarily continue to rely on COTS computers that
are connected to and through the Internet, albeit with encryption devices, and will be
exposed to all of the related inconveniences and vulnerabilities that this entails, for
years to come. Encryption is not all that is required to protect networks, and Estonia
and Georgia are only the first two instances of what may happen to those states that do
not take more prudent measures, such as those described above.
But the case of these two countries has raised another serious problem, which is
fraught with potentially dangerous consequences. All hindrances to networked systems,
as well as all instances of unlawful use of the Internet, were up until this moment
considered to be law enforcement issues and, in many nations, fell under the
jurisdiction of the judiciary pillar and state police, who carried out criminal
investigations, often supported by Interpol structures, whenever required.
3. Cyber Security, the International Context and the Role of the Military
In the case of the cyber attacks on Estonia and Georgia, however, suspicions were raised that the massive cyber attacks were part of another state’s reaction to events within these countries that were undesired by that state. Should this suspicion be confirmed beyond any reasonable doubt, this could imply that electronic warfare, namely what was defined several years ago as “soft kill” activity, will have found yet another domain for its application in the world of interstate conflicts and – what is worse – any massive disruption of networks in a country may be attributed to another state’s actions.
Therefore, how the cyber misfits can be kept under control beyond the criminal investigation level is an issue that must be considered in depth by governments, since it has become an issue for national security as a whole. Fortunately, effective approaches that have already been used in similar cases can be adopted.
Just as with the air and maritime domain - namely those geostrategic spaces where
police authorities are unable to carry out law enforcement activities independently
without military assistance - cyberspace could also become the object of military
attention, from the moment that, like the other two, it is an environment where
adversarial activities can be carried out by state or state-sponsored actors within the
framework of international controversies among states.
Due to the fact that the military was the first public sector to take serious steps
toward ensuring adequate levels of security on its IT systems, and therefore holds an
advantage in this field, military participation in questions of cyber security at the
national and international levels could potentially be beneficial for all state agencies
concerned with security issues of this nature.
Cyberspace, though, is characterised by a specific problem, which is not as relevant for the air and sea domains. In each nation, a number of firms have for centuries been relied upon to provide essential collective services, such as the electric companies. Apart from causing losses and damages, the magnitude of which has already been experienced during the periodic “black-outs” resulting from occasional events and mistakes, any attack against such infrastructures could cause the nation to enter into a state of temporary chaos.
Setting this peculiarity aside, by going into depth and examining how the military
carries out its activities in the air and at sea, the multiple and varied approaches to
problems, as well as a form of labour division that the military employs, become
readily apparent and could conceivably be applied, as a template, to cases regarding
cyber security as well.
On one hand, surveillance, control and coordination are normally delegated to
international organisations, and NATO is often in the front row. On the other, every
state continues to independently carry out its own protection and enforcement
activities; each state maintains its sovereign rights and exclusive duties over its own
resources and assets and hoists its own flag on such, wherever they might be, as well as
over its own territorial air and maritime spaces. This activity is carried out in
coordination with others, where and when friendly relations exist between them.
Of course, bilateral or multilateral agreements among states improve this situation,
ensuring that the spaces belonging to smaller states enjoy a higher degree of protection
and control, which is exerted by larger and more powerful countries on their behalf,
and through a timely coordination with them.
Another complementary feature that is adopted to tackle the problems of the wide
international spaces, especially when fighting a mix of potential aggressions and
international organised crime, has been the inter-agency approach. This approach
mobilises special expertise, procuring great advantages for the concerned states. This is
particularly the case for drug enforcement in some regions, such as the Caribbean.
Nonetheless, to make a long story short, all attempts to collectively use the global navies and air forces, to say nothing of international police enforcement activities, to protect global commercial trade and air traffic, as some nations are proposing, have met so far with a flat refusal by all governments concerned. This attitude was apparent already during the first Gulf War, and has been confirmed by the most recent decisions taken in the counter-piracy activities off Somali waters. This approach has clearly led to the formation of many gaps, especially in the maritime domain, where merchant vessels flying flags of convenience have become the rule rather than the exception, and these gaps have, for instance, only served to encourage piracy to flourish again.
To date, no change to the present state-centric approach to the air and maritime
domains is in view, and, most likely, there will be no exception in the approach chosen
to handle global threats related to cyberspace, as it has been defined by the NATO
Declaration on Alliance Security, in that virtual yet vital space.
But let us make some preliminary considerations, which may be helpful to start
reflecting in depth on the cyber security issue.
First and foremost, even now it is almost impossible to catch another state in real
time while it still has the cyber “smoking gun” in its hand. Even if we don’t know all
there is to know on the recent cyber attacks, it is at least proper to assume that proxy
agents have been, and will be used in the future, by states willing to inflict this kind of
damage on others; these measures effectively hide the true culprits.
This sort of activity is seldom carried out independently of a serious dispute
among states. This basically means that there is an interval of time available, which
allows for some monitoring and preliminary damage-control actions to be prepared,
during the initial stages of the crisis. It is worth asserting that self-defence against any
sort of cyber attack is a key responsibility for each state, which in some cases may
decide whether to extend these defence measures or not to the industries that are most
relevant to ensuring a state’s overall good function (i.e. critical infrastructures, such as
the electric companies, transportation, communication networks, water supply).
In addition, the fact that principals are generally not easy to detect means that any
justification for a timely and proportional retaliation using classic measures is difficult,
if not impractical, in that it could needlessly complicate international relations, along
with the risk that such actions meet with the disapproval of the public opinions
concerned.
Second, in our countries, civilian control over military activities is an unquestioned
rule, and rightly so. Cyber space, however, is far too specialised a domain to allow
swift political decisions, at least in our times, to be taken regarding retaliations.
Therefore, special decision-making support agencies, to be provided with politically
endorsed and clear terms of reference, need to be established in order to allow for these
cases to be handled effectively and efficiently.
Third, a monitoring system, capable of spotting state-sponsored cyber attacks has
to be put in place. Despite the increasing world trend to outsource, this monitoring
activity cannot easily be delegated to commercial firms; the risk that a provider may
“cry wolf” to disqualify a competitor would always loom over the decision-makers at
the political level were such outsourcing to be used. It must be noted that, to date, no
key activity has been outsourced by states that have in the past chosen to sign
outsourcing contracts with multi-national firms.
Last but not least, the high costs of any monitoring system may discourage several
countries from undertaking this sort of development on their own. It is fair to say,
therefore, that a convenient solution for many nations may be to delegate such a
monitoring activity to collective security organisations, such as is the case with NATO,
which has been given responsibility in the air domain for decades, and more recently in
some maritime areas. Incidentally, NATO expertise is already exploited whenever
states require assistance for cyber protection, thus benefiting all.
Research and development activities, whose aim is to enhance the security of
national activities of great public interest, are also most convenient when carried out
through multinational cooperative projects.
The cyber sector allows for many of these possibilities to be realised, within either the NATO or the EU/EDA contexts. Even if it is a matter of policy to choose one or the other organisation, it is worth noting that while NATO has much expertise, the EU is multi-disciplinary, and is therefore better equipped to handle the issues involving non-military, state or local agencies and key infrastructures, in accordance with the wishes of its Member States. All things considered, great potential for collaboration exists between these two international organisations, provided the two structures are willing to share their know-how.
The big question, though, concerns confrontational activities, such as retaliation. Everybody should consider what the political implications of a collective response would be, even were it to be “in kind” to adversarial acts that had been carried out against a single state. As in the air and at sea, individual nations are the most appropriate actors to carry out this sort of action, which cannot be considered separately from other political factors.
Conclusion
To conclude, there are problems quite similar to what happens in the air and at sea in
the cyber dimension; therefore, the approach to manage, nay, to control this domain
could be the same, where individual countries decide to what extent their non-military
agencies and key infrastructures have to be protected, where cooperative developments
might be beneficial in finding valid solutions to carry out prevention by stepping up
security, and where international organisations could help by managing the monitoring
structures.
Nonetheless, any temptation to retaliate, be it in kind or not, is a serious decision,
where single governments must decide in isolation and be ready to carry the weight of
the responsibilities that come with their decisions, in that responsibility for unilateral
actions cannot be spread around even among friends.
By taking such a multifaceted approach, countries might be able to avoid being mauled by others, be they other states or criminal organisations, and the Western Community will avoid the risk of another “cyber-Sarajevo”, which is a clear and present danger that has to be prevented at any cost.
Section 3
European Measures and Legal Aspects
Modelling Cyber Security: Approaches, Methodology, Strategies 173
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-173
Privacy is one of the most powerful fundamental ethical values in Western cultural history. It organises a broad spectrum of knowledge and cultural practice, from politics to law, from health to hygiene and sexuality, from family relations to commerce. Its moral core, it is argued, has given rise to social principles such as autonomy, integrity and independence. These values form the foundation of today’s shared understanding of human rights, citizenship and civic obligation and are at the core of European civil life. Closely related to the notion of privacy as the inviolate, personal sphere is the notion of privacy as intimacy. Ideas like love, friendship, loyalty and trust are only possible in relation to some sort of assurance of privacy.
Directive 95/46/EC (on the protection of individuals with regard to the processing of personal data and on the free movement of such data)3 was developed to harmonise national provisions in this field and states:
“Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.
In this Directive, the classical concept of privacy is transformed into the notion of
organised information relative to a single person, i.e., the intimate knowledge of the
individual: personal data. The assumption that one has the right to control knowledge
about oneself no longer holds true. Personal data are no longer personal, but rather
transportable, commercial, marketable. At the same time, the EU Member States have
the responsibility to both protect the privacy of the European citizen and ensure their
security.
It is generally assumed that security and privacy are in opposition, and that there is a zero-sum game between the two, in which an increase in security can only come at the cost of a decrease in privacy and vice versa. European citizens, it is often suggested, enjoy less and less privacy as technological developments allow an ever growing invasion of the private sphere.
This zero-sum approach to security and privacy is not inevitable. Technology is capable of improving compliance with the principles that protect an individual’s privacy. It could empower individuals by giving them easier access to, and control over, information that directly pertains to them, allowing them to decide how, when and which parts of their personal data may be disclosed, to whom and for which uses.
The best protection for individuals is that their personal information is only collected where it is considered to be essential. Privacy enhancing technologies (P.E.T.) have traditionally been limited to “pseudo-denomination” tools: software and systems that allow individuals to withhold their true identity and only reveal it when absolutely necessary.
Examples of a more extensive approach to privacy enhancing technologies include:
- encrypted biometric access systems that allow the use of a fingerprint to authenticate an individual’s identity, but do not retain the actual fingerprint;
- secure online access for individuals to access their own personal data in order to be able to check accuracy and make amendments;
3 http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
G. Grasso / The Role of Europe in Matching Today’s Asymmetric Threats 175
As has been emphasised by Javier Solana, speaking of The Common Foreign and
Security Policy and European Security and Defence Policy 4:
“...we are stronger when we act together. Over recent years we have created
a number of different instruments, each of which has its own structure and
rationale”.
In the EU Security context, the NATO definition of “Force Interoperability”5 calls for:
“The ability of the forces of two or more nations to train, exercise and operate effectively together in the execution of assigned missions and tasks”.
This definition could be expanded to include and incorporate the following concept:
“The ability of the resources of one or more PMS and of one or more EU Agency/Institution to train, exercise and operate effectively together in the execution of the tasks/missions foreseen in an agreed Common Security Capability Plan (CSCP)”.
NATO considers the defence against terrorism one of its primary tasks. The same is true for the European Union. Twenty-five of the twenty-eight NATO Member States are European or members of the European Union. Refusing to consolidate or align the efforts made in the security domain by these two major global institutions would make no logistical sense and would cause unacceptable levels of wasted time and resources.
An example of such collaboration concerns maritime surveillance, which is of the highest importance in ensuring the safe use of the sea and in securing Europe's maritime borders. The improvement and optimisation of maritime surveillance activities, and interoperability at the European level, are crucial if Europe is to properly and successfully handle the challenges and threats related to the many maritime activities, including safety of navigation, marine pollution, law enforcement and overall security.
4 A SECURE EUROPE IN A BETTER WORLD - presented by Javier Solana, EUHR for CFSP - European Council, Thessaloniki (Greece), June 20, 2003
Surveillance activities are carried out by individual Member States, but most of the
activities and threats that they address are transnational in nature. Within most Member
States, surveillance activities concerning fishing, the environment, policing of the seas,
or immigration fall under the responsibility of several different enforcement agencies
that operate independently one from the other. This often results in the sub-optimal use
of scarce resources.
The EU Commission, therefore, advocated the need for a higher degree of
coordination on maritime surveillance by intensifying forms of cooperation within and
among the coast guards and other appropriate agencies of the Member States.
Although it would be a gradual process, developing an integrated network of
vessel tracking and e-navigation systems for European coastal waters and the high seas,
including satellite monitoring and long range identification and tracking (LRIT), would
provide an invaluable tool to public agencies.
Substantial progress along these lines is present in the EC Regulation No
863/2007, which establishes a mechanism that allows for rapid operational assistance
to be provided to a requesting Member State for a limited period of time when faced
with a situation of urgent and exceptional pressure. This would especially be the case
for situations occurring at the arrival at points of the external borders of large numbers
of third-country nationals attempting to illegally enter the territory of the Member State
requesting assistance. Aid would be provided in the form of Rapid Border Intervention
Teams (hereinafter referred to as teams). This Regulation also defines the tasks to be
performed and powers to be exercised by members of the teams during operations in a
Member State other than their own.
The threats that the EU is exposed to are shared with all of our closest partners.
International cooperation is a necessity and our objectives ought to be pursued through
both multilateral cooperation in international organisations and direct partnerships with
key actors. It is for this that the transatlantic relationship that exists between the
European Union and the United States is irreplaceable. By acting together, the EU and
the US form a formidable force for good in the world.
The security of strategic infrastructure is only as strong as its weakest link. If one Member State imposes rigorous security standards in relation to a particular cross-border infrastructure, that infrastructure and the services it provides will still be vulnerable if another Member State does not impose adequate or similar measures of protection on its side of the border.
The interdependencies that exist between the various sectors define an environment in which a particular event could readily have a cascading effect on other sectors and areas of life that are not immediately and obviously interconnected.
The existence of a multitude of levels of protection and standards across EU
Member States increases costs for businesses, which have to incur redundant security
investments depending on the jurisdictions under which they operate. Therefore, the
EU ought to define a security standard for strategic infrastructures to avoid unnecessary
inefficiencies in the allocation of resources.
The principle of subsidiarity may be invoked the moment the measures that need
to be undertaken cannot be effectively achieved by any single EU Member State and
must therefore be addressed at EU level.
Although each Member State has the responsibility to protect the critical
infrastructure present under its jurisdiction, it is crucial for the security of the European
Union to make sure that the most important infrastructures that have an impact on two
or more Member States, or on a single Member State in the case that the critical
infrastructure is located in another Member State, are effectively protected and that
individual Member States are not rendered vulnerable because of the existence of lower
security standards in other Member States.
The EU’s effort to protect critical infrastructure will soon turn to concrete
measures for Europe’s information and communication technologies (ICT) sector with
the release of a new policy paper6. The general aim of the document is to urge the 27
member nations to define a common set of response criteria regarding cyber-attacks
and, specifically, to align their national regulations.
5. Security, Along with Safety, Must be Embedded into Systems and Certified with Proper Labelling
It is common understanding today that incorporating safety into the design process has
a positive impact on a company's safety, quality and productivity. Costs can be
lowered, task performance improved, and life-threatening work hazards reduced. Cost
benefits are maximised when applied at the earliest stages of development, but owners
will experience benefits when safety is considered at every stage in the project
continuum. Similar benefits could be associated with the introduction of security and environmental criteria as early as possible into the product life cycle.
It is interesting to recall that the EU recently promoted a Safety Certification and Authorisation Team (SafeCert Team)7, which has been given the task of harmonising the decision-making criteria for the procedures for safety certification of railway undertakings and the safety authorisation of infrastructure managers.
The market for security solutions in Europe is still highly fragmented and has a long way to go before it matures. This hinders the industrial base of security technology, preventing it from exploiting its overall potential and accessing market opportunities more effectively. It is necessary to analyse not only the role that standards play but also that of the process of standardisation in organising the market from both the demand and the supply side. Thus far, most of the impetus has been focused on the European Security Label, the basis of which is the final Communication from the European Commission COM(2008) 133, “Towards an increased contribution from standardization to innovation in Europe, namely standardization”8.
The aim of the Communication is:
- to contribute to the development of sustainable industrial policy;
- to unlock the potential of innovative markets.
6 “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and
resilience"; COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE
COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF
THE REGIONS on Critical Information Infrastructure Protection; http://ec.europa.eu/information_society/
policy/nis/docs/comm_ciip/comm_en.pdf
8 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0133:FIN:EN:PDF
In contrast to the massive visible threat of the Cold War, none of the new threats of today is purely military; nor can any be dealt with by relying on purely military means; each threat requires a mixture of instruments. Their proliferation is contained not only by controlling exports but also by applying multiple forms of political, economic and other pressure. A key element in fighting the proliferation of new threats is to tackle, at the same time, the underlying political causes of the threats themselves.
9 http://www.consilium.europa.eu/uedocs/cmsUpload/78367.pdf
The European Security Research and Innovation Forum (ESRIF) was established in
September 2007, on the basis of a joint initiative of the European Commission and EU
Member States.
ESRIF is an informal group, set up jointly and co-owned by its stakeholders from the demand and supply side of security technologies/solutions, as well as from civil society. It thus includes independent representatives from industry, public and private end-users, research establishments and universities, as well as non-governmental organisations and EU organisations and entities. With this kind of composition and approach, ESRIF hoped to overcome the boundaries and limitations inherent in a more formal structure. ESRIF is the only large-scale, high-level attempt of this kind in Europe. It is also supported by FP7 (Seventh Framework Programme) Associated Countries. ESRIF’s mandate is limited to advising on security research and innovation.
The primary reason for creating ESRIF was the need for:
- coordination of the strategy and implementation of European and national Security Research Funding Programmes;
- a mid- and longer-term perspective for civil security research in Europe, going beyond pure research and also embracing innovation elements;
- improved coordination between security policy and its implementation on the one side and security research on the other, including the demand and supply side of security technologies/solutions and considering the economic effects of future civil security research.
10 http://ec.europa.eu/enterprise/security/doc/border_control_workshop/k_giovanni_barontini.pdf
182 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-182
In the commercial, government and military sectors of EU Member States, there has
been a significant impulse to increase interconnectivity and interoperability between
systems in order to enable and increase operational benefits. The nature of the ICT
(Information and Communication Technologies) market has also produced many
common ICT components, which consequently share common vulnerabilities. In areas such as critical national infrastructures, there is already a high degree of cross-border interconnection and interdependency between systems. The complexity and criticality of these systems cannot be overemphasised.
The threat to these federated systems is growing. Terrorists and other disaffected
organisations and individuals have identified the dependence of EU countries upon
these systems and the potential impact a successful attack could have. However, while
these “systems of systems” are increasingly closely integrated horizontally, their
protection is all too often aligned vertically, within countries and within companies.
This misalignment presents enticing opportunities to attackers.
This is why Information Sharing (IS) has become a key component of modern protection and is one of the main pillars of Intelligence. Information Sharing has gained in popularity after 9/11 and, today, it is at the centre of many National Security Intelligence Strategies, as demonstrated by the growing number of policy initiatives as well as operational IS initiatives (e.g. WARP, Intellipedia, A-Space, etc.), including at the European level (e.g. CIWIN, M3I, NEISAS, European Rapid Alert Platforms, etc.).
A. Gazzini and A. Rigoni / Information Sharing in the Context of European Union CII Protection 183
There are many initiatives and projects in Europe on Information Sharing, most of
them, however, are managed on a national level. Some exceptions are those systems
that interconnect operators in a specific sector (i.e., banks, air controls, adjacent Power
Transmission Operators, etc.), which are typically used for daily operations and not
specifically for Critical Infrastructure Protection (CIP).
According to a European Network and Information Security Agency (ENISA) study1, “EISAS – European Information Sharing and Alert System,” 13 Member States
do not have any known Information Sharing activity, 5 Member States have a dedicated
level of organisation, and the other 9 have some initiatives that are managed by non-
dedicated organisations. In the study, only two Member States are reported to have
organisations that are in charge of Information Sharing and that have Critical
Infrastructure Operators as their constituency. These numbers, though, do not
completely reflect reality; many other Member States are running information
exchanges that are facilitated by government organisations, where Critical
Infrastructure Operators meet regularly (for instance, the Information Exchanges
managed by CPNI in the United Kingdom, or the NICC in the Netherlands). These
initiatives are all very successful, primarily because of the importance that has been
given to the development of trust among all participants, including the government.
1 www.enisa.europa.eu/doc/pdf/studies/EISAS_finalreport.pdf
3 COM(2002) 263 final 28.5.2002 - eEurope 2005: An information society for all - http://ec.europa.eu/
information_society/eeurope/2002/news_library/documents/eeurope2005/eeurope2005_en.pdf
amongst other things, the task of fostering and enhancing cooperation between relevant
stakeholders, information gathering, the exchange of best practices and the
establishment of synergy between public and private sector initiatives.
ENISA has been active in raising awareness of the need for information sharing
and has produced many studies in this area, in particular, the EISAS – European
Information Sharing and Alert System Feasibility Study 2006/7. Although this
feasibility study focused on the citizen and small to medium enterprise, there are
aspects of the study which also relate to CIP, government and large enterprise
communities, such as the need to adopt a standardised approach to information sharing.
Furthermore, on 30 March 2009, European Commission Directorate General
Information Society and Media (DG INFSO) issued a Communication 4 that announces
the launch of a policy initiative to Protect Critical Information Infrastructures in
Europe. The initiative focuses on the following five areas:
- Preparedness and prevention: to ensure preparedness by defining a baseline of capabilities and services of national/governmental Computer Emergency Response Teams, creating a European Public-Private Partnership for Resilience and a European Forum of Member States to share information, good policy and operational practices.
- Detection and response: to provide adequate early warning mechanisms by supporting the development and deployment of a European Information Sharing and Alert System, reaching out to citizens and SMEs, and based on national and private sector information and alert sharing systems.
- Mitigation and recovery: to reinforce EU defence mechanisms for CII via the development of national contingency plans by Member States and the organisation of regular security incident response and disaster recovery exercises for large scale networking in a move to stimulate stronger pan-
4 http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
While we all basically agree on what the benefits of IS are, we are a little less sure
about how to actually build a successful model. Too often the discussions are quickly
oriented towards aspects related to the IT systems, appropriate tools and protocols etc.
This is not to imply that technology is a minor concern, but simply to highlight that it
tends to become a dominant topic.
As a matter of fact, many technological challenges still remain. Despite the many good examples of Information Sharing, progress towards making these virtual platforms universal is hampered by the lack of a common language and framework. For communication to occur between people, there is more to the equation than merely choosing a specific vocabulary from native languages such as English or Italian. When speaking of communication involving computers, it is also more than choosing a standard based on the XML framework.
final 30.3.09
615041/08 31.10.08 proposal for a council decision on a Critical Infrastructure Warning Information Network (CIWIN) - http://register.consilium.europa.eu/servlet/driver?lang=EN&ssf=DATE_DOCUMENT+DESC&fc=REGAISEN&srm=25&md=400&typ=Simple&cmsid=638&ff_TITRE=&ff_FT_TEXT=CIWIN&ff_SOUS_COTE_MATIERE=&dd_DATE_REUNION=&srs=26&rc=37&nr=119&page=Detail
What has been missing in the past is a management messaging standard that describes a set of requirements on how shared messages should be handled. One good example of a requirement for such a standard is the need for a common understanding of how shared information may be distributed further. The Traffic Light Protocol (TLP) is a specific example in use by many organisations, which takes the sensitive nature of some types of information into account. It is important that the TLP be recognised and understood in communications involving both people and computers, where both must follow the agreed rules for information distribution. It is also important to recognise that the TLP may be just one example of good practice.
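Added example, not code from the chapter or from any initiative it names: a Python sketch of how an IS platform could make TLP distribution rules machine-enforceable, so that the computer side applies the same rules people are expected to follow. The four levels and their rules follow the commonly used TLP definitions and are assumed here; the parties, community and messages are constructed sample data.

```python
"""Machine-enforceable Traffic Light Protocol (TLP) checks for an IS platform.

Added example (not the chapter's code). TLP levels and rules are the commonly
used definitions, assumed here; all parties and messages are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class TLP(IntEnum):
    """TLP levels ordered from most to least restrictive."""
    RED = 0    # named recipients only; no onward disclosure
    AMBER = 1  # may be shared inside the recipient's organisation, need-to-know
    GREEN = 2  # may be shared with peers in the same community, never publicly
    WHITE = 3  # unlimited distribution


@dataclass(frozen=True)
class Party:
    name: str
    organisation: str
    communities: FrozenSet[str]  # sharing communities the party belongs to


@dataclass
class Message:
    subject: str
    tlp: TLP
    originator: Party
    community: str                    # community the message was shared into
    named_recipients: FrozenSet[str]  # only consulted for TLP:RED


def may_distribute(msg: Message, sender: Party, recipient: Party) -> Tuple[bool, str]:
    """Decide whether `sender` may pass `msg` to `recipient`.
    Returns (allowed, reason) so every decision can be logged for audit."""
    is_originator = sender == msg.originator
    in_community = (msg.community in sender.communities
                    and msg.community in recipient.communities)
    if msg.tlp is TLP.WHITE:
        return True, "WHITE: unlimited distribution"
    if msg.tlp is TLP.RED:
        if is_originator and recipient.name in msg.named_recipients:
            return True, "RED: originator delivering to a named recipient"
        return False, "RED: no disclosure beyond the named recipients"
    if msg.tlp is TLP.AMBER:
        if is_originator and in_community:
            return True, "AMBER: originator's initial distribution within the community"
        if sender.organisation == recipient.organisation:
            return True, "AMBER: onward sharing inside the receiving organisation"
        return False, "AMBER: must not leave the receiving organisation"
    if in_community:  # TLP.GREEN
        return True, "GREEN: sharing within the community"
    return False, "GREEN: recipient is outside the sharing community"


def relabel(msg: Message, new_tlp: TLP, actor: Party) -> Message:
    """Any holder may tighten a label before onward sharing; only the originator
    may loosen it (assumed convention). Returns a new Message, leaving the
    original record untouched."""
    if new_tlp > msg.tlp and actor != msg.originator:
        raise PermissionError(f"only the originator may relax {msg.tlp.name} to {new_tlp.name}")
    return Message(msg.subject, new_tlp, msg.originator, msg.community, msg.named_recipients)


def audit_requests(requests: List[Tuple[Message, Party, Party]]) -> List[Dict[str, object]]:
    """Evaluate a batch of share requests and return one audit record each."""
    records = []
    for msg, sender, recipient in requests:
        allowed, reason = may_distribute(msg, sender, recipient)
        records.append({"subject": msg.subject, "tlp": msg.tlp.name,
                        "from": sender.name, "to": recipient.name,
                        "allowed": allowed, "reason": reason})
    return records


# Constructed sample data: a government CERT and a grid operator's SOC in one
# national CIP community, a colleague of the SOC outside it, and a journalist.
CIP = "national-cip-exchange"
GOV_CERT = Party("gov-cert", "GovCERT", frozenset({CIP}))
GRID_SOC = Party("grid-soc", "PowerGridCo", frozenset({CIP}))
GRID_OPS = Party("grid-ops", "PowerGridCo", frozenset())  # same company, not a member
PRESS = Party("press", "NewsWire", frozenset())

ADVISORY = Message("malware targeting substation HMI", TLP.AMBER, GOV_CERT, CIP, frozenset())
INCIDENT = Message("live intrusion at dispatch centre", TLP.RED, GRID_SOC, CIP,
                   frozenset({"gov-cert"}))
SAMPLE_REQUESTS = [
    (ADVISORY, GOV_CERT, GRID_SOC),   # initial AMBER distribution: allowed
    (ADVISORY, GRID_SOC, GRID_OPS),   # onward inside PowerGridCo: allowed
    (ADVISORY, GRID_SOC, PRESS),      # outside the organisation: refused
    (relabel(ADVISORY, TLP.RED, GRID_SOC), GRID_SOC, GRID_OPS),  # tightened: refused
    (INCIDENT, GRID_SOC, GOV_CERT),   # RED to a named recipient by originator: allowed
    (INCIDENT, GOV_CERT, PRESS),      # RED forwarded by a recipient: refused
]

if __name__ == "__main__":
    for record in audit_requests(SAMPLE_REQUESTS):
        print(record)
```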
In designing an IS system, we suggest that, along with the IT complexities, one should equally focus attention on other key dimensions which will ultimately determine the success of the IS system. A successful model must consider at least 5 macro areas:
- Value Exchange – the essence of any IS environment.
- Policy and Organisation – the structure, rules and process.
- Technology – the IT solution.
- Culture – the willingness to participate.
- Economic – the resources.
Abstract. While the two organisations, the EU and NATO, share interest in the
field of Critical Infrastructure Information (“CII”) protection, and while the
interests of these organisations have developed significant overlaps, personal data
protection in the EU legal framework may become a factor that could hinder the
creation of effective cyber defence, unless timely and duly attended to by the
interested nations and entities. This article will provide insight into personal data
protection issues that relate to the exchange of information concerning cyber
incidents and, based on considerations pertinent to national approaches, it will
provide guidance on how to minimise the related legal risks that come with cyber
incident management.
Introduction
About a year ago, NATO adopted two documents that will shape the way cyber incidents of concern to (inter)national security will be managed.2 The cooperative
aspect of managing cyber incidents of relevance for NATO will require national
regulatory action in regard to defining the critical information infrastructure and
providing a proper legal basis for information exchange between NATO and its
member states.
Cyber incidents may range anywhere from simple deviations from internal security
regulations to criminal acts, acts of cyber terrorism, and even warfare. The
investigation and management of such incidents is based on sharing and comparing
traffic data and server logs, including IP addresses. Countries subject to both the EU
1 Eneken Tikk works as the Legal Advisor to the NATO Cooperative Cyber Defence Centre of Excellence
(“CCD COE”) and is currently the Research Fellow for the Center for Infrastructure Protection of the
George Mason University Law School.
2 NATO Cyber Defence Concept (MC, 13 March 2008), based on the NATO Cyber Defence Policy (NAC, 20 December 2007).
190 E. Tikk / Defining Critical Information Infrastructure in the Context of Cyber Threats
During 2007 and 2008, the CCD COE legal team analysed the legal aspects of five
major cyber incidents – Estonia, Radio Free Europe in Prague, Lithuania, Georgia, and
Burma4.
The Estonian cyber incident that occurred in early 2007 was a landmark case,
where publicly sharing information about the cyber attacks turned out to benefit the
government in its efforts to defend itself against its invisible enemy. Since then, major
IT security think tanks and international media channels keep a column on cyber
incidents of international concern.
There is an increasing amount of information available about politically motivated and government-targeted cyber incidents. The management of cross-border cyber incidents and conflicts, however, requires extensive and detailed information sharing among governmental entities, and between these and the entities responsible for the information infrastructure, which are often privately owned. This kind of cooperation is indispensable between nations and international organisations.
The data of interest comprises not only details about the course of action and
background of the incidents but also real-time reporting on targets and, most
importantly, details of the server logs, which make it possible to differentiate the good
traffic from the bad, block hostile IP addresses, and trace the origin of the attacks.
With cyber defence developments in NATO, sharing information on cyber incidents will form an essential part of the national cyber security agenda. The study of recent cyber incidents shows that the nature of the information infrastructure5, in conjunction with the territoriality principle6, makes it difficult for a nation, when acting alone, to defend itself against cross-border cyber attacks.
3 While there is no internationally accepted legal definition of cyber threats (one of the key reasons for difficulties related to the implementation of personal data protection rules), the concerns of cyber security involve stakeholders such as international organisations, governments, the private sector and IT infrastructure providers, as well as home users. The incidents that may affect the functioning of a society’s critical infrastructure may initially occur as simple human error and the deviation from internal information security regulations, or they may turn out to be intentional, often politically motivated, criminal activities or coordinated and well-targeted attacks that support other hostile activities towards the entity or nation in question. Therefore, the term “cyber defence” is to be understood to cover the prevention of and potential responses to different types and levels of cyber threats.
NATO has developed a mechanism to assist nations in case of severe cyber attacks, but the implementation of the relevant provisions of the Cyber Defence Policy and Cyber Defence Concept requires structured and well-coordinated information sharing on those aspects that demonstrate the relevance of the said cyber incidents for NATO.
In order to meet the criteria for receiving help from rapid reaction teams,
consulting or any other type of assistance, the nation must satisfy a burden of proof of
the relevance of the conflict for NATO. This can only be done after a thorough analysis
of the underlying facts about the nature, extent and sources of the incident has been
completed.
In summary, effective defence relies on cooperation, and effective cooperation requires precise facts about the incidents. Effective defensive measures depend on the accuracy of information, and in order to achieve prosecution, the evidence must be able to indicate the source of the attacks.
Estonia is one of the countries that is both a NATO nation and an EU member
state. In the context of cyber security there is an increase in the interrelation of the
activities and areas of concern for these two major and influential organisations;
sharing information on cyber incidents is just one of them.
5 The nature of the information infrastructure can be best explained by the rationale that was employed in
developing the Internet. It was designed as a response to national security concerns to provide a
communications network that would work even if some of the sites were physically destroyed. If the most
direct route was not available, routers would direct traffic around the network via alternate routes.
6 The contemporary legal framework adheres to the concept of sovereignty, which is granted to nations on the basis of the physical dimensions of their air, land and sea territory. While a few other arrangements exist (the common understanding governing the high seas and space), so far no general agreement has been concluded with respect to the governance and control of the Internet. Therefore, conduct on the Internet can only partly and conditionally be subjected to a nation’s jurisdiction.
The EU is known for its wide-reaching and effective information society regulation7, which is reflected in the national legal systems of not only EU member states but also EEA countries and others.8
NATO is known as a security and defence organisation, which focuses on issues
that in practical terms remain beyond the scope of the applicability of the EU law. The
“security” paradigm has been changing over the past couple of decades, expanding the
focus of defence interests beyond kinetic and symmetric threats to include issues such
as terrorism, electronic warfare and critical infrastructure protection.
Thus, in the past few years, the interests of these organisations have developed
significant overlaps. This is especially the case since NATO has begun to look more
into the cyber attacks and has recognised that not only cyber incidents against military
targets but also those directed against national governmental and possibly private
critical infrastructure functions may affect (inter)national security, thus deserving the
interest of this military organisation. It is due to this interest that a common playing
field has emerged for the two organisations.
While the two organisations share interest in the field of Critical Infrastructure
Information (“CII”) protection, personal data protection in the EU legal framework
may become a factor that could hinder the creation of effective cyber defence, unless
timely and duly attended to by the interested nations and entities.
There seems to be some inconsistency in the application of Directive 95/46/EC (hereinafter referred to as ‘the Directive’ or ‘the Personal Data Protection Directive’) by the Member States. These differences in interpretation and application of the Directive are particularly evident when looking at the approach taken by Germany in comparison with Sweden. These two cases will be discussed below. The dominant view held by the EU data protection authorities, however, requires that information sharing regarding cyber incidents be supported by specific legal provision under the national law of each Member State.
7 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24/04/2002 pp. 0033-0050; and four specific Directives: Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisation Directive); Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive); Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive); Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Personal Data Protection Directive); OJ L 281, 23/11/1995 p. 31; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); OJ L 201, 31/07/2002 pp. 0037–0047.
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce'), OJ L 178, 17/07/2000 pp. 0001–0016.
Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures was published in the Official Journal of the European Communities; OJ L 13, 19/01/2000, p. 12.
Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information; OJ L 345, 31/12/2003 pp. 0090–0096.
8 Currently, personal data can flow between the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) and to Switzerland, Canada, Argentina, Guernsey, and the Isle of Man. An exception is granted to the US Department of Commerce under the Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Records to the United States Bureau of Customs and Border Protection.
Systematic data protection in Europe dates to the aftermath of the Second World War
and arises from the need to counter the threat that people could be mistreated on the
basis of abuse or misuse of personal data available to the state.9 Essentially, the EU
data protection regulatory framework rests on a general prohibition of processing personal
data, coupled with a set of exceptions under which data may be processed subject to
personal data protection principles and restrictions.
Directive 95/46/EC serves as the basis for personal data protection legal acts in
nearly 30 advanced information societies. Personal data are defined as "any
information relating to an identified or identifiable natural person ("data subject"); an
identifiable person is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity" (Article 2(a)).
This definition is intended to be extensive. Data are "personal data" when someone
is able to link the information to a person, even if the person holding the data cannot
make this link themselves. Some examples of "personal data" are: address, credit card
number, bank statements, criminal record, etc.
Recently, the European Data Protection Supervisor, Peter Hustinx, shared his opinion on IP
addresses as personal data, pointing out that IP addresses are also protected under data
protection laws. Speaking to ZDNet at an RSA information security conference in
London, he said that a person does not have to be identifiable by name in order for
details of computer usage to be protected. Where a company is unsure whether
information, such as activity or server logs or a record of Internet Protocol (IP)
addresses, is personal data or not, it should treat it all as personal data.10
9 In 1939, the German authorities conducted a census to register German Jews and those who were half Jewish with the Reichssicherheitshauptamt. While the authorities claimed that personal data, such as religious affiliation and nationality, were confidential, a national registry was created on the basis of those data to identify which citizens had a Jewish parent or grandparent. Similar registries were created and updated in Poland and compared with the data of the 1933 census. After the census, German citizens were listed in the Reichskartei as Aryans or non-Aryans, and their fate during the Second World War was determined by the Nazi authorities controlling those registries.
In this context, statistical data was put to the service of the governing regime. An extreme preoccupation with population policy transformed normally quantitative data about people into a qualitative and psychological basis for rule. Although statistical in nature, this information relied on penetrating private and public lives, recording and categorising the data and, last but not least, subdividing it.
Religion and nationality were not the only categories of information recorded. In 1935 the authorities created the labour registry, in 1936 the health registry, in 1939 the population registry, and in 1944 the personal identification number system. From 1934 on, those with hereditary illnesses were registered. By the beginning of the war, the authorities had a clear picture of the family planning, land inheritance and health status of the population. These statistics were put to use by, and under the control of, the authorities.
10 Michael, James. EU DP Supervisor says IP addresses are protected. Privacy Laws and Business
International Newsletter, December 2008, issue 96, page 9.
Where personal data are involved, any processing11 of such data falls within the scope
of the Directive unless otherwise provided for under national law.
In the context of exchanging information about cyber attacks, one of the more
important provisions of the EU Data Protection Directive is Article 25, which restricts
the transfer of personal data to third countries.12 In principle, the transfer of personal
data to a country outside the EU requires the European Commission to have assessed the
specific personal data protection regulations and practices of the country concerned and
found them adequate.
Since cyber threats have affected different countries, national courts have had the
task of providing guidance on how to deal with those threats in the context of personal
data privacy concerns. Interestingly, the views and approaches to the balance between
privacy and security expressed by the various national courts indicate not only a
difference of position and approach from country to country, but also highlight the
existing challenge of finding a balance in the application of the Directive itself.
In a judgment of 27 February 2008,13 the Bundesverfassungsgericht (German Federal
Constitutional Court, henceforth "BVerfG") ruled that from the general right of
personality (personal self-determination) derives an individual's right to the
confidentiality and integrity of information technology systems (Grundrecht auf
Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme). The
essence of this ruling reflects Germany's well-established guarantees of personal privacy,
privacy of communications and protection of personal data, and it emphasises the duty to
refrain from intruding on the privacy of the user without a proper basis in applicable law.
The court emphasised that covert infiltration of an information system resulting in
surveillance of a person's use of that system is only allowed where there is
a) factual evidence of b) a concrete threat to c) a legally protected value of overriding
importance, and d) the authority for such interference is clearly provided for in the law.
This effectively provides the relevant authority with a checklist of legal criteria that
must be met in order to carry out such a surveillance measure. The court specified that
threats to the fundamental institutions or the existence of the state itself would be a
category that could justify such interference, indicating, inter alia, that under certain
circumstances surveillance can be justified as a pre-emptive measure. In addition to the
factual and legal necessity outlined above, and as part of the legal-basis requirement
(element d), resorting to such measures in Germany would as a rule also require a prior
court order.
11 Under Article 2 (b) of the Directive, processing personal data ('processing') shall mean any operation or set
of operations which is performed upon personal data, whether or not by automatic means, such as collection,
recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or
destruction.
12 Article 25(1): The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
Article 25(2): The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
13 http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html
The BVerfG judgment represents a cautious approach to the question of how much
authority the state has over private communications and, in particular, over the
surveillance of such communications.
As such, the German judgment stands in contrast to recent developments under Swedish
law, where a bill was passed in June 2008 allowing the monitoring of all emails, text
messages and phone calls for the purpose of national security.14 This legal instrument
received widespread public criticism for excessively restricting civil liberties, violating
personal integrity and creating a "big brother" state. According to the law, the state
institution given the authority for surveillance, the FRA (Försvarets radioanstalt, the
Swedish National Defence Radio Establishment), unlike the police, would not be required
to seek a court order to commence surveillance;15 however, the Swedish Data Inspection
Board (Datainspektionen) would supervise the activities of the FRA, and a collective
board would be instituted to decide on surveillance in specific cases.16
The UK Information Commissioner's Office (ICO) has stated that isolated IP addresses
do not constitute personal data, but become personal data when they are used to create a
profile of an individual or when they are in the hands of an ISP. According to the ICO's
reasoning, it is difficult to use IP addresses to build up personalised profiles. Many IP
addresses, particularly those allocated to individuals, are 'dynamic': each time a user
connects to their internet service provider (ISP) they are given an IP address, and this
will typically be different each time. So if only the ISP can link the IP address to an
individual, it is difficult to see how the UK Data Protection Act can cover the collection
of dynamic IP addresses without any other identifying or distinguishing information. Some
IP addresses are 'static', and these are different: like some cookies, they can be linked
to a particular computer, which may then be linked to an individual user. Where such a
link is established and profiles are created on the basis of static IP addresses, the
addresses and the profiles would be personal information covered by the Act. However,
since it is not easy to distinguish between dynamic and static IP addresses, there is
limited scope for using them for personalised profiling.17
The ICO approach is a purpose-based approach, in which the applicability of the
Directive depends on whether the purpose of the processing brings it within the aims of
the Directive. However, in light of personal data protection regulation in the EU and the
numerous rulings of the European Court of Justice and the European Court of Human
Rights, the interpretation of the Directive may have shifted towards the German school
of interpretation.
Furthermore, the EU data protection authorities have recently supported a rather
protective approach to personal data. Thus, personal data protection regulation under
the First Pillar may have a chilling effect on the implementation of measures addressing
Third Pillar concerns and, more generally, affect the way in which the world manages
cyber incidents.
16 Thelenius-Wanler, Emma. Riksdagen röstade igenom FRA-lag [The Riksdag passed the FRA law]. Dagens Nyheter, June 18, 2008. <http://www.dn.se/DNet/jsp/polopoly.jsp?d=147&a=795317>
17 http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf
In the hierarchy of fundamental rights, the right to privacy has traditionally been
considered one of the most significant, coming right after the “vital” rights to life,
health, and freedom. 18 As long as there are security concerns regarding these legally
protected values, creating exceptions from the Directive may be seen as a matter for
national regulation.19
But contemporary cyber incidents are often difficult to categorise legally. The
Estonian cyber incident of 2007, often referred to as Cyber War 1.0, did not result in
loss of life or freedom, but rather presented a novel set of threats that does not readily
fit into the existing perception of threat. Similarly, nobody was killed or injured in
Georgia in 2008 as a result of the DDoS attacks against government and media websites.
Modern information societies have become greatly dependent on information
infrastructure and consequently may be vulnerable not only in "traditional" ways but
also with regard to the accuracy, reliability and security of information, not to mention
in ways that could restrict freedom of information and speech. Such threats do not
readily qualify as exceptions from the scope of application of the Data Protection
Directive. As a matter of fact, they do not fall within the focus of the law of armed
conflict or of criminal law in the field of IT either.20
Therefore, in order to create legal certainty for processing data about cyber
incidents, the concept of cyber threat, as well as the components of cyber incident
management, such as the transmitters and recipients of data and the nature, purpose and
possible legal effect of data processing, need to be defined under the national
regulatory framework.
Otherwise, differing opinions on the applicability of the personal data protection
framework may hamper legal proceedings related to cyber incident management and
create even more inconsistency in implementing the measures created for this complex
and sophisticated legal area.
As long as the extent of cyber security exceptions under the EU Personal Data
Protection Directive remains unclear, nations are in a position to consider additional
regulatory steps to reduce the risk of invasion of personal data privacy and to support
the interaction between national CERTs, the private sector, the government and
international entities dealing with cyber defence.
These include: clearly indicating and better defining the area of applicability of the
national personal data protection regulation; defining the elements of critical
infrastructure that, if attacked or otherwise disabled by electronic means, would be part
of a member state's request for assistance to NATO; and using other, possibly technical,
economic, policy etc. measures in order to shape society's tolerance and general
understanding of cyber security.
18 Vital interests of the data subject or a third person are a legitimate basis for processing personal data without additional consent requirements under Article 8(2)(c).
19 According to Article 3(2), the Directive shall not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union, and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.
20 LOAC was drafted with kinetic and bloody wars in mind, whereas most of the criminal law pertaining to IT incidents has the economic effect of IT criminality in the background.
5.1. Making a Provision Concerning the Area of Applicability of the EU Personal Data
Protection Regulation in the Field of Cyber Security
As indicated by the BVerfG, the elements necessary to design the national view of
cyber security clearly ought to provide for the aforementioned conditions of
a) factual evidence of b) a concrete threat to c) a legally protected value, and d) the
authority for interference.
In other words, the exceptions to national data protection regulation have to be
tied to national threat assessment procedures and to legally accepted means of cyber
deterrence. Last but not least, the authority must give clear indications that allow the
immediacy of a threat to be determined.
Defining the components of the national information architecture that are critical not
only for the State to function correctly but also for preserving national security will
render the institutions that are part of the information flow transparent in the case of a
cyber incident of concern to national security. This will, on the one hand, establish the
framework for the potential scope of personal data processing and thereby serve as part
of the legal basis for data processing.
On the other hand, defining the components that are critical to national, and
possibly international, security will outline the threat assessment and risk management
criteria for the institutions involved. For example, under Directive 95/46/EC the private
sector is under an obligation to give the data subject a comprehensive understanding of
the potential uses of the data held about him or her. The definition of CII elements will
help to determine and define additional legal measures such as audit obligations, threat
assessment and reporting measures, or potential restrictions on the terms of use of
critical information systems.
5.3. Defining the Procedure for the Exchange of Information Regarding Cyber
Incidents
A number of parties are involved in gathering accurate and consistent data on cyber
incidents. Provided that the addressee of the information about the incident is the
NATO Cyber Defence Management Authority, the information will be readily accessible
to potentially all NATO nations. The information will be provided by a designated
national authority that, under most circumstances, is not in a position to gather data
directly, but will be enabled to use different sources, such as national CERTs, the
components of the CII under attack and ISPs. Last but not least, information may be
collected directly or indirectly from the data subjects.
In order to minimise the risk that the information and details of the incident are
misused, the potential chain of information ought to be defined so as to create a correct
legal basis for processing such details.
5.4. Engaging Soft Law and Self-regulatory Means to Enhance National Cyber Defence
Capability
The law in the field of cyber defence and cyber security is evolving and is, to a great
extent, dependent on political (and popular) views on the issue. It is therefore important
that all legal measures be communicated to the general public from the moment that
such regulation could necessitate a reduction in the sphere of privacy and anonymity of
the data subject in order to ensure national cyber security. Laws regarding privacy may
well need an element of public dialogue to better support the activities of the cyber
defence authorities and law enforcement agencies and to increase their understanding
of, and cooperation with, the data protection authorities.
Creating an understanding between all stakeholders of the information society is a
task that no government is capable of accomplishing on its own. Consequently, a global
approach to the development of national cyber security policies and strategies must be
taken that incorporates not only international concerns but also the interests of the
private sector and the habits of individual consumers in the information society.
The ideas presented above, which take a generalised look at national approaches, aim
at identifying more effective cyber defence policies and strategies. As international
cyber security concerns evolve, more constructive and sophisticated cooperation is
needed between the EU and NATO, and potentially other international organisations, to
ensure that any loose ends in the defence measures adopted are kept under control and
resolved.
As countries build their national cyber defence frameworks, they face the privacy
vs. security test. It is not only a matter of choosing between the approaches of Germany
and Sweden, which find themselves at opposite ends of the privacy vs. security spectrum,
but also a question of taking the cyber threat factors unique to each nation and
balancing them with the international cyber security agenda and concerns.
Recognising and defining CII as an aspect of cyber threats of national/NATO
relevance will facilitate the management of cyber incidents by enabling a model and
procedures to be created that are capable of addressing the incidents and any
information connected with them.
In defining how personal data ought to be processed for cyber security purposes,
two courses of action must be considered and pursued: transparency and visibility for
the data subjects, and a systematic approach by the authorities to managing cyber
conflicts.
National Data Protection Authorities will play an important role in reconsidering
national approaches to data processing as they take aspects of cyber defence into
account. In developing their views on the implementation of the EU Directive, they
may need to rethink the essence and aims of personal data protection in Europe and,
thus, reshape the landscape of personal privacy.
Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-199
Crimen Ex Machina: A Legal Approach
I. Paparela
Abstract. Appropriate laws and efficient judiciary and law enforcement agencies
that are not corrupt, are the first line of defence against cyber aggression. Due to
the border-less nature of the internet and activity on the internet, it is also clear that
criminal laissez faire (in other words, a “crime friendly” legal system) in one
country jeopardises anti-crime efforts in many others. An efficient legal system is,
in and of itself, a form of “antivirus” and adds value to all of the existing technical
anti-virus solutions; it is also the only anti-virus that criminals and terrorists alike
are afraid of. But is the legislation of the NATO countries and other countries,
particularly Eastern European Countries (hereinafter, EE), on cyber criminality,
adequate and capable of supporting law enforcement agencies in their fight against
cyber criminals?
Keywords. criminal code, cyber criminality, Croatia, East European Countries,
cyber war, cyber army
Introductory Remarks
Is the legislation of the NATO countries and other countries, particularly Eastern
European countries (hereinafter, EE), on cyber criminality adequate and capable of
supporting law enforcement agencies in their fight against cyber criminals? Are the law
enforcement agencies in NATO countries and in other EE countries sufficiently
supported politically and juridically to be able to cope with cyber "warriors", regardless
of the motives of these attackers? If yes, then this article is of no consequence. If not,
what happens next? These questions need an answer, an honest one and not simply a
politically correct one! In the interest of the common security and welfare of citizens,
these questions must be given an answer.
At the same time, we are perfectly aware of how much the business world needs
"virtual" shares in order to carry out ordinary operations on the stock exchange. The
challenges that legislators, internet users, policemen and criminals face once they start
using their computers are therefore readily understandable.
In other words, having appropriate laws (1), both ius and lex, in place, together with an
efficient judiciary and law enforcement agencies that are not corrupt, is the first line of
defence against cyber aggression. This is the strategic defence structure of every
democratic country. Readers know that law and order are the basis of any free society
and that "chaotic freedoms" (such as free licence) are the enemies of freedom and human
dignity.
It is evident that the cyber world has many elements of "chaotic freedoms". In the
last few years, policing of the web has come to appear a necessity even to politicians. As
a result, in most countries legislation regarding socially unacceptable activities on the
web has been promulgated. A legal analysis of cyber space, although necessary in and
of itself, also helps those in the field to better understand, from a technical viewpoint,
200 I. Paparela / Crimen Ex Machina: A Legal Approach
how their work fits into the social and security dimensions of cyberspace, be they
within country boundaries or the international arena.
Efforts made by police forces in this field, as elsewhere, can be neutralised or
rendered ineffectual by inadequate laws and corrupt judges. Due to the borderless
nature of the internet and of activity on the internet, it is also clear that criminal
laissez-faire (in other words, a "crime friendly" legal system) in one country jeopardises
anti-crime efforts in many others.
The juridical approach to facing cyber criminality focuses on the human element, which
is essential to the question of cyber regulation. In other words, the juridical approach
focuses on human behaviour in the use of a "machine". An efficient legal system is, in
and of itself, a form of "antivirus" and adds value to all of the existing technical
anti-virus solutions; it is also the only anti-virus that criminals and terrorists alike are
afraid of.
Each one of these aspects has its own legal rules that regulate how they function within
a given context and circumstances. All users are expected to respect those rules. Legal
systems are put in place to "make life difficult" for those who would infringe upon the
rules. Those who abuse the internet and its rules, however, can be very dangerous
because of the effects that they can have not only in the virtual world but also in the
real world.
In this section, national legislation on cyber activities will be briefly presented, and
emphasis will be placed on the improvements that would need to be made to each of
the presented pieces of legislation.
Recently, Western countries have found that legally policing the Internet is in the public
interest. (Russia, China and the Arab countries police their cyber space efficiently.)
Most Eastern European countries (EE) have some form of basic "cyber legislation" in
place. However, they may still be considered "digital paradises" (cyber havens), the
Balkan countries among them. The reasons are that criminality in general flourishes
better there than in other parts of Europe, and that the existing legislation is incomplete
and not properly enforced.
The criminal codes of Croatia and Slovenia have articles that directly deal with cyber
criminality (2). Serbia and other countries also have similar legislation (3). Neither the
Penal Code nor the Code of Criminal Procedure in the EE countries discourages people
from committing illegal acts in general and ipso facto on the Internet (4). Punishments
are frequently lenient (5). In fact, this author currently knows of only four cases of
criminal activity that have gone before the courts in Croatia, and for those the sentences
have been lenient. In other EE countries judicial policy is about the same!
Both criminals and terrorists need money more than cell phones or computers. For
this reason they look for safe places, like the Balkan countries (6), so that they can carry
on with business in total impunity. In order to do this, however, the criminals need new
identities and passports to fit those identities. They also need lawyers, public notaries,
court experts and accounting auditors who will assist them in the various procedures
regarding trade documents, corporate registration and other "business activities". Thus
the visible part of the business hides its illegal aspects.
One might ask where the computer is in all of this. The following is a real-life example
from Croatia:
The real estate records of the whole country may be found on the Internet. This enables
everybody to see the land or house and the name of its owner, who is usually an
ordinary citizen. Crooks who need to launder dirty money or want real estate for
speculation pay the police for a new identity superimposed on the name of the innocent
owner, after which they buy and sell under the new identity. The public notary asks no
questions and the business is done. When the owner discovers his tragedy and asks the
police for help, the police officer simply tells him that his department does not
investigate real estate disputes and that he has to go to the court that is competent
ratione loci. In other words, the owner is told to go and see the judge who is in contact
with the crooks and who "legalised" this operation. The result for the honest man is
evident.
Several thousand such operations have taken place all over the area, representing
tens of millions of euro and large profits for criminals. Many Russian and Serbian
criminals have Croatian passports.
From what has been said above, it is evident that criminals in general, and cyber
criminals in particular, are free, and indeed have a relatively free range of action, in the
EE and Balkan countries.
This has implications for the NATO area of interest, because it is from those countries
that cyber attacks can be launched to strike targets anywhere in the world. Some of
these countries are EU and NATO members, which implies that their citizens can move
freely within the entire EU area. Many people in EE countries are jobless or want to get
rich quickly, as their leaders have done. These are normal, everyday citizens who have
no criminal past or criminal connections. Criminals, on the other hand, have been able to
steal their names and addresses and have started to use them for their drug businesses,
on a one-shot basis.
The same techniques are often used in illegal cyber activities. For example, students are
offered free computers or laptops. Those laptops are then used for the dissemination of
pornography or for other criminal purposes, more often than not without the knowledge
of the student.
The standard abuse of the stock market and other forms of criminal banking are kept
secret, and no one wanted to speak of them to this author. Bearing in mind that Bosnia is
a poor country and that in this poor country banking density has almost reached the same
proportions as in Geneva, it is left to readers to draw their own conclusions.
New draconian legislation is needed: frangenti fidem non est fides servanda (faith need
not be kept with one who breaks faith)!
3. Computer as a WMD
1 NEC (Network Enabled Capabilities) is a less radical concept than Network Centric Warfare and aims at merging existing systems and platforms into an effective communication network. In the text, this concept is used allegorically.
This implies how important it is that each and every government seriously polices its territory as well as its cyber space. If the police and judiciary in such a country are corrupt, however, assistance to the authorities of a country that has been attacked is either not guaranteed or is misleading. How evidence is handled and administered is absolutely crucial, but in states with high levels of corruption this is next to impossible.
When an act of aggression is actually committed by a government, questions of international law are also raised, and this requires a re-examination of military doctrine.
There are, more or less, three possibilities of attack: virtual vs. virtual, virtual vs. real, and real vs. virtual. In this context it might be of some interest to read old Soviet (yes, Soviet) military authors once again (8). Virtual reality is the sixth dimension of military operations: ground, sea, underwater, air, cosmos and cyber space. Operations then return to the ground if and when dominance is the purpose of the war.
Rethinking cyber war is a challenge, because one has to deal differently with the concepts of time and space in cyber reality and link them with the parallel concepts of ordinary, physical reality. Cyber space may be simultaneously considered an independent entity in its own right and an element, sine qua non, of any operation that takes place within the other five dimensions. This is why the Russian military speaks (9) of informaticeske vojsk (cyber army), informaticeska vojna (cyber war) and realna virtualna vojna (real virtual war), and why it quotes the American authors Marcus Ranum and Bruce Schneier (10).
Top commanders must react more quickly than platoon commanders in this new and rapidly shifting environment; they must have the reflexes of a water polo goalkeeper. The initial period of a war (nacalni period vojni) follows the same political logic but radically changes the technology that is used. This is another point of concern and would be an important research subject.
One can imagine the legal implications when governments start to think about the non-proliferation of cyber technologies, or about the reduction of cyber forces.
Intelligence agencies working in cyber space need a great deal of knowledge, experience and wisdom. Mathematical modelling is necessary and helpful, but its results depend on initial inputs, which are arbitrary. Thus the human intelligence (agenturnaja razvedka) factor remains as important as ever.
By way of conclusion
The answer to the two questions asked at the very beginning of this paper is clearly no.
The intention of this paper was to highlight the importance of the laws that protect free nations from totalitarian threats. Security is not divisible; even if it were divisible, dividing it would have prohibitive costs. EE countries are the weak link in the security chain, for many reasons, but above all because of the corruption that runs through their government agencies.
Public opinion in the West is also a liability for defence and security organisations: it is not favourable to the proposal of a legally based control over Internet activity, which shows the effects of brainwashing on populations and youth. Various "gurus", Madonna, the Beatles and other starlets have more credibility than the heads of security services in the eyes of public opinion. Yet this same public opinion demands protection when bank accounts or credit cards are lost or stolen. Do they not believe that "Hannibal is ante portas" (Hannibal is at the gates)? In reality, why should they? Have they any example in society?
NOTES

Curricula Vitae of the Authors
Niv AHITUV
Marko and Lucie Chaoul Chair for Research in Information Evaluation and the
Academic Director of Netvision Institute of Internet Studies at Tel Aviv University.
Paolo CAMPOBASSO
Senior Vice President of UniCredit Group.
Giovanni CATALDO
Chief of the Section on Terrorism in the Organised Crime Office at the Carabinieri
General Headquarters.
Claudio CIOFFI-REVILLA
Professor of Computational Social Science and Founding Director of the Center for
Social Complexity at George Mason University, Jefferson Science Fellow at National
Academy of Science.
Yuval ELOVICI
Director of the Deutsche Telekom Laboratories at Ben-Gurion University and Senior
lecturer at the Department of Information Systems Engineering, Ben-Gurion
University.
Alessandro GAZZINI
Principal at Booz & Company. He leads Booz’s Risk, Resilience and Information
Assurance related activities for the European Union and Middle Eastern markets.
Umberto GORI
Full Professor (r) of International Relations and Strategic Studies, University of
Florence. Professor at the Naval Academy and Air Force College. President of CSSI.
Director of ISPRI. President of the Scientific Committee, Master in Intelligence and
Security, Link Campus University of Malta.
Giancarlo GRASSO
Senior Advisor to the Chairman and CEO of Finmeccanica S.p.A., Chief of the Italian
Delegation at N.I.A.G., Deputy Chairman of ESRIF, and Chairman of the ASD
Security Commission.
Anat HOCHBERG-MAROM
Department of Political Science, Faculty of Social Science at Tel Aviv University.
Gerardo IOVANE
Associate Professor in Mathematical Analysis at the University of Salerno, National Scientific Expert at NATO (Research and Technology Agency) and Scientific Expert at the Ministry of University and Scientific Research (MIUR).
Serena LISI
Centre of Strategic and International Studies (CSSI), University of Florence.
Guglielmo MORGARI
Crypto team leader at TELSY Elettronica e Telecomunicazioni S.p.A. His current
technical interests are encryption algorithms with a main focus on the development and
cryptanalysis of stream ciphers; security protocols; cryptographic primitives
implementation on general purpose and dedicated hardware.
Haris MOURATIDIS
Principal Lecturer in Secure Systems and Software Development at the School of
Computing, Information Technology and Engineering (CITE) at the University of East
London, where he is also the Field Leader for the Secure Systems and Software
Development Field.
Marco PAGGIO
Project leader and technical Director at TELSY Elettronica e Telecomunicazioni S.p.A.
and member of IEEE.
Esti PESHIN
Former Chief Executive Officer, Waterfall Security Solutions Ltd.
Ivo PAPARELA
Full professor at the University of Dubrovnik. His current research is focused on the
legal and economic aspects of stock markets in South-Eastern Europe and on corporate
accounting laws and standards.
Andrea RIGONI
Booz and Company.
Asaf SHABTAI
Deutsche Telekom Laboratories at Ben Gurion University.
Pascal SITBON
Expert Researcher and Project Manager on Industrial Control Systems, Cybersecurity
at EDF (Electricité de France).
Sergio STARO
Deputy Questore of the Italian National Police, Senior Police Officer of the Computer
Crime Unit and Head of the International Relations Section of the Postal and
Communications Police Service.
Eneken TIKK
Head of the Legal Task Team of the Cooperative Cyber Defence Centre of Excellence
(CCD COE), Estonia.
Ari VIDALI
CEO of ENVISAGE Technologies Corp. (USA). Founder of iFORCES (the Institute
For Operational Readiness and Continuous Education in Security). Consultant for the
Federal Government, Homeland Security, Emergency Management, Military, Law
Enforcement, First Responder, Higher Education and Medical industries.
Domenico VULPIANI
Superior director of the Italian State Police. Since 2001 he has been Director of the Postal and Communications Police Service, whose objective is to protect communications and counter postal, computer and cyber crime.
Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
LIST OF PARTICIPANTS
NATO ARW - Operational Network Intelligence: Today and Tomorrow
Subject Index
allegories 43
Al-Qaeda 109
asymmetrical war 43
authentication 11
biometrics 11
botnets 132
CNAIPIC 153
CNCPO 153
collective intelligence 132
content analysis 109
control of virtual territory 160
counter-marketing-warfare 109
criminal code 199
critical information infrastructure(s) 140, 153
critical information infrastructure protection 182
critical infrastructure(s) protection (CIP) 79, 182
critical national infrastructures (CNI) 79
critical networks 79
Croatia 199
cryptography 43
cyber army 199
cyber attacks 79, 125
cyber-crime 160
cyber crime community 132
cyber criminality 199
cyber security 11, 125, 140, 182
cyber war 199
cyber warfare 125
deterrence 125
distributed-denial-of-services 132
East European Countries 199
encryption 43, 132
entropy 43
fuzzy theories 43
hacking 79
human-computer interaction 11
illegal underground economy 132
immigration 114
information security 5
information sharing 182
infrastructure protection 125
integrated approach 43
internal subversive organisations 160
international terrorism 160
Internet 109
Islam 114
IT security 182
Jihad 109
language evolution 43
lawful interception (LI) 79
malicious application 132
malware 132, 140
marketing perspective 109
one way link 79
on-line Police Station 153
open information society 5
peer-to-peer 132
postal and communication service of the Italian National Police 153
privacy 5
privacy of an organisation 5
propaganda 114
recruitment 114
remote infrastructure management (RIM) 79
risk management 93
rootkits 132
rustock 132
Salafism 114
SCADA 79, 93
secure manual uplink (SMU) 79
security 11, 93, 182
security objectives 93
segregation topology 79
smart metering 93
social engineering technique 132
steganography 43
terrorism 114
Author Index
Agazzi, M. 132
Ahituv, N. 5
Campobasso, P. 75
Cataldo, G. 160
Cioffi-Revilla, C. 125
Elovici, Y. 140
Gazzini, A. 182
Gori, U. vii
Grasso, G. 173
Hochberg-Marom, A. 109
Iovane, G. 52
Lisi, S. 43
Monno, A.G. 114
Morgari, G. 59
Mouratidis, H. 29
Paggio, M. 68
Paparela, I. 199
Peshin, E. 79
Rigoni, A. 182
Sanfelice di Monteforte, F. 165
Sgobbi, D.A.M. 59, 68
Shabtai, A. 140
Sitbon, P. 93
Staro, S. 153
Tikk, E. 189
Vidali, A. 11
Vulpiani, D. 153