MODELLING CYBER SECURITY:

APPROACHES, METHODOLOGY, STRATEGIES


NATO Science for Peace and Security Series

This Series presents the results of scientific meetings supported under the NATO Programme:
Science for Peace and Security (SPS).

The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence
Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and
Mediterranean Dialogue Country Priorities. The types of meeting supported are generally
“Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series
collects together the results of these meetings. The meetings are co-organized by scientists from
NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries.
The observations and recommendations made at the meetings, as well as the contents of the
volumes in the Series, reflect those of participants and contributors only; they should not
necessarily be regarded as reflecting NATO views or policy.

Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest
developments in a subject to an advanced-level audience.

Advanced Research Workshops (ARW) are expert meetings where an intense but informal
exchange of views at the frontiers of a subject aims at identifying directions for future action.

Following a transformation of the programme in 2006 the Series has been re-named and re-organised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series.

The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media,
Dordrecht, in conjunction with the NATO Public Diplomacy Division.

Sub-Series

A. Chemistry and Biology Springer Science and Business Media
B. Physics and Biophysics Springer Science and Business Media
C. Environmental Security Springer Science and Business Media
D. Information and Communication Security IOS Press
E. Human and Societal Dynamics IOS Press

http://www.nato.int/science
http://www.springer.com
http://www.iospress.nl

Sub-Series E: Human and Societal Dynamics – Vol. 59 ISSN 1874-6276


Modelling Cyber Security:
Approaches, Methodology, Strategies

Edited by
Umberto Gori
University of Florence, Italy
Department of Political Science and Sociology
CSSI (Centre for Strategic and International Studies)
ISPRI (Institute of Forecasting Studies and International Research)

Amsterdam • Berlin • Tokyo • Washington, DC


Published in cooperation with NATO Public Diplomacy Division
Proceedings of the NATO Advanced Research Workshop on Operational Network Intelligence:
Today and Tomorrow
Venice, Italy
5–7 February 2009

© 2009 The authors and IOS Press.

All rights reserved. No part of this book may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-60750-074-2
Library of Congress Control Number: 2009940564

Publisher
IOS Press BV
Nieuwe Hemweg 6B
1013 BG Amsterdam
Netherlands
fax: +31 20 687 0019
e-mail: order@iospress.nl

Distributor in the USA and Canada


IOS Press, Inc.
4502 Rachael Manor Drive
Fairfax, VA 22032
USA
fax: +1 703 323 3668
e-mail: iosbooks@iospress.com

LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS



Chief Editor: Umberto Gori


Text Editor: Margot J. Wylie

Editor’s note: The views in each independent article of this publication are those of the respective author and the editor is in no way responsible for the individual authors’ opinions and statements. This publication is a product of the NATO ARW “Operational Network Intelligence: Today and Tomorrow”, but does not necessarily reflect the views of NATO.

Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.

Introduction
Umberto Gori
University of Florence
Co-director of the NATO ARW

Securing cyberspace, however it is defined, is an extremely difficult strategic challenge that requires cooperation between the public and private sectors, military and civilian, of our societies. Cyberterrorism and cybercrime are on the rise. Almost all observers, with rare exception, share this view. The most important activities in the world today rely upon computers. It is therefore necessary to fully understand the characteristics, principles and challenges that underlie the development of secure information systems. Security should be considered within the entire context of information systems development and not in isolation. However, as Dr. Mouratidis (1) has said, the information systems engineering and security engineering research communities traditionally work independently. “As a result of this situation, security is usually considered after the analysis, design and implementation of the system has been completed. Security mechanisms are enforced into the system without considering the overall design and this usually results in problematic systems and security vulnerabilities”. One should not forget that the security of a system is only as strong as its weakest part.

The Internet, which is now used as a weapon in the hands of terrorists and criminals, was not designed or created to withstand an environment under attack. Its protocols derive from the protocols of Arpanet, which was used by only a few scientists and researchers in a spirit of intellectual and scientific cooperation. Its evolution contributed to exceptional progress in many fields, social and technical, of human activity.

At the same time, however, its impressive interconnectedness is now the major cause of its vulnerability. Other causes of vulnerability are software flaws, users’ behaviour, an inadequate number of cyber security specialists, the insufficient amount of money allocated to activate countermeasures, and the lack – in my opinion – of a comprehensive and multidisciplinary approach to cope with cyber threats.

There is broad consensus that new methods for designing and engineering more secure systems are urgently needed. This implies more public intervention to fund research, as private companies usually neglect this type of investment. Another action to be taken is the internationalisation of efforts. Only international cooperation is likely to reduce, if not eliminate, the consequences of malicious attacks.

According to a Symantec report, the year 2008 was dominated by new web infections (one new infected webpage discovered every 4.5 seconds), by malicious email attachments (five times more than in the year before), by new ‘scareware’, i.e. fake antivirus software websites (five identified every day) which deceive users – myself included – and by spam (97% of business email) (2). In other words, the more technology advances, the greater the increase in the number of threats.

Another source, CERT/CC – the Computer Emergency Response Team Coordination Center – has identified thousands of computer vulnerabilities, which only increase exponentially year after year. According to an IBM publication, in the first half of 2005 there were more than 237 million attacks on information security all over the world. States cannot control cyber crime at the individual state level and therefore international cooperation is highly needed.

Some believe that privateering can be a solution to cyberspace threats, though this is not without complications (3). The situation is similar to the time when weak states had to rely on privateers, namely pirates with government sanction (Letter of Marque). In fact, most states today lack the means to cope with the exponential rise of cyber threats and the excessive costs of countermeasures.
The main characteristics, or properties, of security are: confidentiality, authentication, integrity, access control, non-repudiation, and availability. Normally, at least thus far, security is mainly considered a technical challenge, but other aspects should be considered. The human and social factors, for instance, may also have a significant impact on security. After all, security is a game of action and reaction.

Technology has altered and corroded the State’s authority and strengthened non-state actors, in particular transnational crime and terrorist organisations. Cybercriminals and cyberterrorists have already “crossed over into the spectrum of information warfare”. As a consequence, states cannot control cybercrime at the individual state level. The Internet offers an ideal opportunity for cybercriminals to make money, organise attacks, and infect our democratic institutions and our economies, while remaining perfectly anonymous. It is therefore imperative to elaborate measures, both national and international, against high-tech criminal behaviour. Because our traditional laws are devised to protect physical property and physical ‘goods’, and not the virtual assets of the world of computers, our juridical systems need to be revised as well.

The internet allowed Islamic terrorism not only to become a global phenomenon but also to create a virtual community corresponding to the Umma of Salafism. In other words, as everybody can see, cyber-threats are likely to be a major problem in the years to come.

Of the ten information warfare trends discussed by K. J. Knapp and W. R. Boulton (4), I would like to mention only five: the various dangerous forms of cyber weapons, such as ‘e-bombs’; how the private sector and the non-critical infrastructures are the primary target, and how, should the critical and/or military targets be hit, avoiding heavy retaliation ought to be a consideration as well; that cyber technology is increasingly used to influence public perception; that cyber technology is increasingly used in corporate espionage; and that cyber technology is increasingly used against individuals and small business.

Our NATO Advanced Research Workshop Operational Network Intelligence: Today and Tomorrow, held at the Italian Navy Arsenal in Venice in February 2009, tried to take all of these problems into account, to rethink present strategies and to identify urgent measures to be taken in order to minimise the strategic and economic impacts of cyber attacks.

The book is divided into three parts. The first section addresses various conceptual approaches to security and the issues connected with their conceptualisation; several actual methods employed for security purposes, beginning with the concept of cryptography and how it is applied; and the description of other security methods/systems. The section concludes with two articles that illustrate concrete examples of actual security approaches.
In the introductory article, Niv Ahituv explains why an open information society (OIS) is inevitable and how shared information may lead business to evolve toward one of two possible extremes: global monopolies or a much more creative and sophisticated form of management. OIS may also generate a magnified version of “1984”, or a better and improved process of recruitment and human communications.

The essay by Ari Vidali explores some of the root causes of the usability problem and how proper security practices are consistently being ignored or circumvented by users. After all, the security of any information system is only as strong as its weakest link, i.e. human beings. The question is whether it is possible to reconcile maximum security, which requires a ‘closed system’, and maximum utility, which requires ‘openness’. Some very concrete proposals are put forward.

Haris Mouratidis describes a methodology that takes both the technical and social aspects of security into consideration, arguing that a security focus should be introduced throughout the development lifecycle. He believes that Secure Software Engineering (SSE) “is concerned with the unification of any area of research that can contribute to the development of knowledge (theoretical and practical), principles, practices as well as the establishment of a research agenda regarding secure software systems development”. In other words, SSE should become a real discipline.

Serena Lisi, a former student of mine, deals with an interesting problem: how to reconcile two different approaches to the theory of codes, the technological one and the cultural and allegorical one. She is of the opinion that the two approaches are progressively merging to create a new integrated and fuzzy approach along the line of thought of Bart Kosko, the well-known author of Fuzzy Thinking: The New Science of Fuzzy Logic.

On the same subject, but from a mathematical and revolutionary point of view, Gerardo Iovane demonstrates, with fascinating and sophisticated reasoning, that the sequence of prime numbers is deterministic, and not stochastic, as everybody has believed for several centuries. But the genetics of primality shows us a potential and intrinsic weakness of current security systems, since numerical security keys are based on prime numbers. The reaction to this threat – Iovane says – must be synergic. The conclusion is alarming: since we will probably have more accurate and rapid algorithms to generate numeric keys to crack codes and encrypted data in the near future, it is high time to find new strategies, both technological and social. Otherwise, “the progress of knowledge could itself become a Trojan horse and defeat us”.

Dario Sgobbi, of the Italian Navy, contributes two essays to this book. His co-authors are Guglielmo Morgari (for the first paper) and Marco Paggio (for the second). The first contribution, which requires a sound knowledge of mathematical concepts, deals with asymmetric (public-key) algorithms. A possible classification of the various cryptographic techniques is presented, with particular emphasis on the RSA (an acronym from the names of R. Rivest, A. Shamir and L. Adleman) and Diffie-Hellman systems. It is worth mentioning here that Shor’s algorithm (a quantum algorithm for integer factorisation) is important because it can – at least in theory – be used to ‘break’ such public-key cryptography. In addition, elements of complexity theory are discussed, since evaluating the complexity of an attack shows how feasible that attack actually is.

The second paper deals with the security process, and analyses some classifications and properties of two technologies which enhance the process itself: the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS).
In his essay, Paolo Campobasso warns that information warfare has moved beyond the military dimension and has begun to threaten the commercial world as well. In particular, the banking and services industries have at the same time become targets and “innocent” technical supporters of cyber terrorism. Therefore, there is great need for an international response through close cooperation with the military and law enforcement agencies at all levels.

The paper by Esti Peshin presents an approach to protecting Critical National Infrastructures via unidirectional connectivity, namely connecting them with less secure networks via real-time physical unidirectional gateways (using a single fibre optic cable). This system eliminates the risks due to the standard, incomplete IT security measures.

A case of critical infrastructure protection concerns the electricity distribution network. It is the case discussed by Pascal Sitbon in his paper, which deals with the security approach taken by the ERDF of Electricité de France for its pilot project of 300,000 smart metering points in view of the general deployment of the system in the country. It is worth mentioning that the world’s largest smart meter deployment (to over 27 million customers) was undertaken in Italy by ENEL between 2000 and 2005. Obviously, due to the widespread distribution of this electronic device, there is an elevated possibility of cyber attacks, similar to the one made against the AMM (Automated Meter Management) of ENEL. The conclusion by the author is that all metering actors should be involved in a global security approach as early as possible.

The second section concentrates on terrorist attacks and attacks on critical infrastructures and concludes with various police and military force operations and approaches.

Anat Hochberg-Marom presents a marketing strategy to counter the global terror of Al-Qaeda’s leaders. On the basis of her quantitative-statistical content analysis of the statements of Al-Qaeda’s leaders, she finds that they adopt a ‘nihilistic-destructive’ approach and aim to destroy the Dar al Harb. The Jihad is considered the highest religious value (rated 41%), whereas the Ummah is rated only 25%. As radical movements behave as rational actors, it is possible to use rational models and theories to study their strategies and reduce their nefarious influence. Counter-marketing warfare is highly needed.
Another paradigm for countering Jihadism is offered by Antonio Guido Monno, more or less along the line described by Hochberg-Marom. His approach, however, far from being quantitative and statistical, reflects a sound historical knowledge of Islamic culture, and advocates a strategy of defence against Islamic ‘fundamentalism’ that implies the use of scholars and experts of the Islamic world directly in the field of cyber-counterintelligence. Although cultures are not transmitted easily, it is possible to counter the “jihadist” interpretations of the Quran, which are not consistent with the tenets of classical Islamic theology.

Claudio Cioffi-Revilla uses deterrence theory to examine whether deterrence is feasible in cyber space (“Cyberia”). After discussing the conditions that make deterrence reliable, and introducing some key innovations made possible by computational social science (such as genetic algorithms), the author concludes that “the value of a deterrence strategy for ensuring cyber security seems to decline with the decrease of the formal organisational level of the potential attacker”. In other words, deterrence seems viable if the potential attacker is a State. In other cases, if the threatening actor is an individual or a clandestine organisation, the best strategy seems to be a preventive one.

The paper by Maurizio Agazzi defines our time as the collective intelligence era, in which an enormous quantity of information is shared through Internet platforms. Starting from this idea, the author focuses his research on the illegal underground economy and the malicious use of web-forums by cyber-criminals. Phishing generator toolkits, password recovery tools, encryption and compression utilities, mobile viruses, credit card information, identity theft information, and so forth, are some of the goods and services which are traded from servers located in countries which do not combat cyber-crime activities. In particular, malicious botnet applications are some of the greatest threats, as exemplified by the case in Estonia. A prospective real-time system based on the artificial neural network model could perhaps be effective in identifying attacks right from the initial stages, on the condition that supranational coordination be possible.

Y. Elovici and A. Shabtai deal with the protection of critical information infrastructures (CIIs) from malware. These attacks may be conducted in the initial stages of conventional wars to achieve a strategic advantage in command and communication capabilities. The authors describe three alternative approaches to securing the networks: detection of malware by the network service providers (NSP) to prevent innocent users from being exploited and used as launch pads for attacks on CIIs; protection of the CII overlay network; and detection of hidden botnets.

The centralisation of the protection of the CIIs is the strategy used in Italy, Domenico Vulpiani and Sergio Staro say in their paper. In fact, it is the Postal and Communications Police Service (a specialised Agency of the Italian State Police) which has the exclusive competence of protecting the critical information infrastructures of the country. For this purpose, a National Cyber Crime Centre for the protection of CIIs was instituted in 2005. Moreover, this body is also entrusted with the prevention of and response to the various forms of cyber crime, such as common crimes, organised crime and terrorism.

The role of the Carabinieri Corps in the fight against cyber terrorism is described by Giovanni Cataldo. Specialised units of the Corps are trained to use the latest telecommunications interception technology. Obviously, no police force or intelligence agency is exclusively in charge of monitoring Internet sites. An Anti-terrorism Strategic Analysis Committee, whose members are officials from the security and intelligence forces, meets every week to decide synergic counter-measures.

The transition from cyber crime and cyber terrorism to something similar to a cyber war is examined by Ferdinando Sanfelice di Monteforte, who, starting from the NATO Declaration on Alliance Security of April 2009 that defines cyber attacks as “new, increasingly global threats”, refers to the recent attacks on Estonia and Georgia that were supposedly delivered by a State actor. The train of thought is complementary to the one suggested by Cioffi-Revilla, but whereas that author defines the technical rules of a possible retaliation, the Admiral examines its political conditions and effects.

We come, at this point, to the last section of the ARW, which focuses on European measures and several related legal issues.
The first paper in this section deals with the role of Europe in matching today’s asymmetric threats. In the first part, Giancarlo Grasso underlines how the philosophy of the European Union is aimed at reconciling two apparently opposite concepts, security and privacy. The protection of human rights is one of the fundamental values at the basis of the EU material constitution. In the second part, the author emphasises the necessity to pass from interoperability to network-centric systems in the struggle against terrorism. Here, and in some other cases, the paper has a normative approach, though it also underlines some EU achievements (e.g. EDA, FRONTEX, ESRIF).

The second essay of the section is authored by Alessandro Gazzini and Andrea Rigoni. It adds valuable new information on the steps taken by the EU to ensure information sharing among its Member States. Examples such as ENISA (European Network and Information Security Agency), NEISAS (National and European Information Sharing and Alerting System), CIWIN (Critical Infrastructure Warning Information Network) and so forth are considered by the authors, who also describe the many benefits of information sharing both for the Member States and for private stakeholders. In short, information sharing (IS) is mentioned by the EU as “one of the key elements of a successful critical information infrastructure protection strategy”. Clearly, bi-directional trust is the pre-condition for IS to work successfully.

The last two contributions take a legal approach. The paper by Eneken Tikk deals with the privacy-security antinomy and how it is managed in the EU context. Another point discussed regards the difficulty of transmitting the personal data of EU citizens to NATO or non-EU States due to the stringent European legislation in the field. Another problem to be solved concerns the necessity to demonstrate the relevance that a given cyber incident has for NATO in order to activate the proper measures of the Alliance. Despite some difficulties, more cooperation between the EU and NATO is highly needed. Hence, the paper is in some way complementary to the two previous ones.

Last, and hopefully not least, the essay by Ivo Paparela creatively expresses, in a non-traditional form, his question as to whether the legislation in the NATO countries, and in particular in Eastern European countries, is adequate and capable of supporting law enforcement agencies in their fight against cyber criminals. The conclusions, after research on some legislation on cyber activities, are – according to the author – pessimistic, though provisional. The reasoning seems to be correct, but the present writer wants to emphasise that the responsibility for some statements in this essay is solely that of the author.

Some final proposals were elaborated in our Workshop. Each participant was asked to propose two or three concrete solutions in the area they personally felt was of critical importance.
What follows is a compendium of their proposals and ideas. Many conference participants presented more than one proposal, often in more than one area of cyber security. Therefore, the proposals have been arranged by topic in order to facilitate comprehension and identify common themes; the compilation and organisation was carried out by Margot J. Wylie, BSc. at the University of Florence, one of our most brilliant students, to whom I want to express here all my gratitude and appreciation.

The proposals may be divided into general work areas, such as: research, legislative and regulatory measures, co-operation, strategies, and technical and economic measures. All recognised that to face the multifaceted problem of cyber security it was necessary to work on different layers, not only in their own field of research and development, but also in all areas that are touched by questions of cyber security.

As far as research is concerned, several proposals regarded specific suggestions of methodology and approach. Essentially, a multidisciplinary approach was suggested for the study of cyber security and crime. One suggestion specifically advocated the combination of methodologies, such as mathematical programming, object-oriented and agent-based modelling, and fuzzy logic, with risk management tools, such as fault tree analysis, failure modes and effects analysis (FMEA), etc., to identify, monitor or predict possible disruption factors related to operational or social networks. Another was based on implementing marketing and management tools and concepts to better understand and analyse the global terror phenomenon and terrorist organisations and their use of the Internet.

Other proposals regarded the creation of multidisciplinary research centres and projects with experts coming from all sectors. From the presentations and discussions held during the conference, it became very clear that there is great need for collaboration between various areas and sectors of society when facing questions of cyber security. Several suggestions highlighted the need for the creation of an international network of cyber security centres of excellence. Others recommended that NATO hold a leading and important role in stimulating joint research projects and centres and that private, academic, law enforcement, and military resources should be involved in such projects with the objective of developing active information defence and protection measures.

Other suggestions emphasised the need to create a merger between private and public institutions, and to form serious, lasting forms of co-operation with research centres and universities.

Some research proposals focused on the specific objective of gathering information on cyber events. The aim of these proposals revolved primarily around obtaining the data necessary for gaining a clear understanding and picture of the global incidence of cyber crimes and threats, especially in regard to the protection of critical infrastructures. Although, as some participants observed, there are already existing initiatives that collect, aggregate and analyse cyber threats as part of an early warning system (see www.itu.int/cybersecurity), there are many possibilities to extend or expand the reach and scope of such initiatives. In fact, it was suggested that an international observatory or observatories be created within the NATO or EU framework that would be able to systematically record cyber events. Should more than one observatory or centre be constituted, NATO would be able to compile all reports of threat analysis from the various centres, thus making the comparison of threats and threat levels between member States possible.

Several other proposals were of a more specifically academic or cultural nature. While it is evident that technical and legal measures are of paramount importance, not to mention co-operation and preparing viable and practical approaches in response to eventual real threats, the cultural aspect was certainly not ignored. Several proposals took a preventative approach, underlining the necessity of understanding the mechanisms and reasons for which people are drawn to visit extreme or radical websites and the motivations behind why they ultimately join extremist or radical groups, hence becoming threats in both our physical and virtual space. The creation of a research institute, possibly even of a virtual nature, composed of three to four interconnected centres was suggested. The purpose of such an institute would be to monitor websites in order to understand what people are looking for or doing with a particular site. The scientists and academics involved ought to comprise specialists not only Western in origin, but also those from the regions from which extremist or radical cyber activity originates. From the information gathered and the conclusions made by the centres, preventative solutions aimed at facing threats even before they become serious would be possible. Proactive cultural activities and measures could then realistically be put into practice to stop or reduce the dissemination and propagation of radicalism.

It was also suggested that the centres of the research institute divide among themselves the topics relevant to cyberspace and send monthly reports to NATO and the interested states and governments.

On a general note, it was suggested that a culture of security ought to be fostered at the university level and that security considerations ought to be included in any project right from the beginning.
xiv

Other proposals were of an overlapping nature that seemed to interconnect the


concepts of legislation, cooperation and the division of competence, wherein legisla-
tion not only addresses both the general and specific areas of cyber-security, but it is
also delegated to various levels of government. Various forms of cooperation are pro-
posed, as are assorted combinations of actors to be involved in such cooperation.
The need for the implementation of a certification process of IT/SW products was
addressed by several participants in the conference. It was suggested that legislation be
created to ensure best practice. It was also suggested that incentives be created to
stimulate all solution providers to take security requirements into account and to follow
best practice. Creating forms of sponsorship to ensure security measures from the be-
ginning in solution development was suggested as well.
In discussing the content and management of websites, it was recognised that a le-
gal problem exists when defining radical and extremist expressions on the Internet.
How does a State or group of States, such as the EU or NATO, define these terms and
give them parameters? How does one decide what is considered to be ‘unacceptable’?
Several solutions were proposed regarding this issue. It was suggested that the EU leg-
islation on incitement to hate and violence be integrated into the national legislation of
each Member State. When dealing specifically with the removal of websites, Member
States ought to agree on a notice-and-take-down procedure. In cases where laws already
exist, they must be implemented and they need to be effective. A possible solution to issues
regarding legislative gaps, i.e. when no legal justification exists to remove or shut a
website down, was to invite moderators of radical or extremist websites to discuss con-
tent and ask them to filter their information.
Making an inventory of all legislation and other legally binding acts regarding cy-
berspace and more specifically cyber-criminality that currently exist within the EU and
NATO countries could possibly be a starting point for any initiative in the legislative
field. It presents not only the possibility of determining what measures do and do not
exist, but it offers the possibility of comparing the existing measures and their effec-
tiveness as well.
It was also suggested that candidate countries (for instance, Albania and Croatia)
be subject to a special audit in order to determine the degree to which their internal
legislation corresponds to the EU acquis on cyberspace and cyber criminality. This
point was made with the reservation that excessive legislative standardisation and
homogenisation be avoided.
The need to legislate and create regulatory institutions in the field of cyber security
was discussed at length: it was recognised at the same time that an important division
of competence must not be disregarded. In fact, it was pointed out that two fields of
competence exist, as do two institutions. While NATO is, and ought to continue to be,
responsible for operational and technical issues, the EU Commission is the body that is
responsible for the regulatory aspects of cyber security. It ought to create regulatory
institutions and set up security standards, modify laws and create them, where needed.
The EU ought to work on the financial and legal aspects connected to the creation of
these structures and inform the citizens of all matters connected to such activity.
What is essential, however, in perpetuating and sustaining cohesive and co-
ordinated action is the close co-operation between NATO and the EU. The proposal,
therefore, suggested that an apposite roundtable be created around which EU Commis-
sion and NATO representatives are equally represented and whose objective would be
to ensure that the two institutions work more closely together and to guarantee a cohe-
sive and rational development of the respective competencies.
In regard to information sharing, one proposal specifically addressed the necessity of
developing policies and legislation at the EU level in order to ‘neutralise’ competitive
behaviours when dealing with security information exchange platforms and forums,
without which the exchange of information would most likely fail or lack in content.
Co-operation was a dominant theme throughout the conference: It was understood
that in order to fight cyber terrorism and crime, there must be co-operation. Sugges-
tions ranged from proposals to involve each country’s respective politicians and policy-
makers when speaking of the security sector (to be managed within the EU context), to
creating forms of co-operation to bring military and police forces together (within the
NATO environment). On a broad scale, the EU and NATO organisations would need to
remain in close contact. Other proposals emphasised the need to enhance co-operation
not only between the respective governments, armed services and universities, but be-
tween these sectors themselves. In all of these proposals, however, it was underlined
that individual roles must remain delineated and separate wherein the military must
maintain its sphere of competence, the government must maintain its role and so forth.
To promote clarity and facilitate co-operation, it was proposed that an organisation
or organisations on the civilian level comparable to those existing within the govern-
ment or military be established.
A further proposal focused on security issues arising in the so-called ‘last mile’, in
other words, security issues related to end user use. In fact, while large companies have
the money to invest in the R&D of security systems to protect their business, small to
medium sized companies or peripheral offices without the money to invest in security
often remain, if not unprotected, highly exposed and vulnerable to attack.
Another weak point in end user use for small to mid-sized companies is the con-
stant contact with local IT maintenance companies that work unsupervised in the vast
majority of cases. The suggestion that was made was to give this last mile more atten-
tion and, under the supervision of NATO, invest in creating a common policy. A work-
shop could be formed on the creation of inexpensive and certified common tools for the
companies and entities exposed or at risk. It is important to note that, due to market
mechanisms connected to the rules of competition, without the organisation and guid-
ance of a public entity or the establishment of a public framework, such as could be
done with the EU or NATO, economic agents will not come together to resolve these
security issues.
The concept of information sharing was a common theme in the proposals that
were made by the conference participants. While it was recognised that various experi-
ences in security issues ought to be shared and divulged via solutions such as an inter-
operability platform based on web 2.0 or through the creation of Wiki on topics such as
vulnerabilities, cyber incidents, and technical solutions, it was recognised that security
concerns had to be respected when developing these systems or platforms. It was sug-
gested that there be various phases of information sharing, beginning with less confi-
dential material. A proposal was made to create a protected network specifically in-
tended to link key players together and permit the safe transmission of classified infor-
mation within the context of multi-level co-operation.
Internet surveillance was an important theme, addressed by several conference
members. Surveillance, however, was tightly coupled with the concept of increasing
public awareness of cyber security and giving the public a space to communicate with
the authorities on questions of cyber security. One suggestion to increase public aware-
ness was to establish an international security awareness day that would involve all
levels, including small to medium enterprises.
As for cyber security itself, it was generally perceived that our ‘virtual’ boundaries
are not as well protected as our physical boundaries and, therefore, it was suggested
that measures be implemented to carefully monitor traffic over national, EU and NATO
network exchange nodes.
Since cyberspace ought to be considered a public space, proposals were also
made to actively monitor the Internet, just as the streets are (a pilot study in the Nether-
lands has already had some success). The surveillance proposal focused on involving
end users in publicly policing our virtual community through the creation of a reporting
centre responsible for monitoring suspicious activity on the Internet. All information
gathered by the various reporting centres could then be passed on to NATO, which
could systematically compare the information collected from each Member State.
One proposal focused on the need to develop theoretical and practical models on
radicalisation using actual law enforcement case files (as was mentioned by a confer-
ence participant, a separate ARW is dealing with just this topic). The model could then
be used to improve the analysis capabilities by creating analytical tools which could be
distributed to Member States by NATO.
NATO itself could be the forum within which various experience and the effec-
tiveness of each Member State’s tools are exchanged.
When speaking of actual strategies and practical approaches to address cyber se-
curity issues, cyber attacks or threats of any sort, it was recognised by many conference
participants that role models and strategies have to be created, that EU and NATO
countries must be prepared to face future threats from ‘virtual’ space. Diverse solutions
on how to prepare and be prepared on a practical level were proposed. The need to
maintain an awareness of what is being done in the rest of the world or in the multitude
of sectors that are daily faced with questions of security was pointed out by one confer-
ence member. One proposal advocated the establishment of a response convention that
would be able to be activated in the eventuality that a given country were attacked, a
convention that would put response plans in place and that would stimulate the ex-
change of information on a tactical level. Another proposal urged the creation of exer-
cises and drills to increase response capability by preparing response teams and opera-
tors for extreme situations.
It was also pointed out that many of the proposals and actual policies focus on the
response to attacks and take a defensive approach. It was suggested that a think tank be
instituted to develop offensive measures and, as a first step, learn the processes of de-
radicalisation.
Of the proposals made, many were technical in nature. In this broad category, it
was possible to identify such themes as: the development of IT security systems and
solutions, the use of hackers in systems tests, and, from a more economic perspective,
the reduction in costs and time employed in the development sector.
In the proposals that dealt with systems and solutions development, it was gener-
ally recognised that today’s networking is still based on protocols that are fundamen-
tally not secure (IPsec and IPv6 being the evolution of TCP/IP), and therefore, a new
and secure network protocol that incorporates security measures right from the initial
development stage is in order. At the same time, it was pointed out that the file systems
normally used to store and manage information, even in classified environments, do not
guarantee the security of the information itself. It was proposed that a secure system be
developed wherein security is considered throughout the development stages.
It was agreed that encryption methods ought to play an important role in securing
not only the storage and management of information, but also its transmission over the
network. The development of electronic labelling technologies was also suggested for
the secure transmission of information over the networks.
One proposal specifically referred to finding new methods to increase the level of
security of end users. While it is known that many advances have been made in bio-
metric parameters, it was suggested not only that the area of human emotions be ex-
plored, but also that the use of images be researched to see how these might be
applied in increasing the level of security in end user access.
It was also recognised that there ought to be set security standards and certification
processes. In the meantime, however, there ought to be an immediate, if temporary,
solution in assuring that our systems and network solutions are safe. One of the recur-
rent themes in the proposal session was that the security level of all systems and net-
work solutions must be tested. The dominant idea was to involve or use hackers to test
whether information systems are secure or not, be that via red teaming or launching a
challenge to hackers to try and penetrate the test networks of a distributed and open
source model. A variation of this theme was to create technical groups whose scope is
to systematically attack systems in order to reveal any weak points that may exist.
Last but not least, practical aspects of an economic nature were addressed in sev-
eral proposals regarding the fields of research and development. While it was clear that
investments needed to be made in IT technology and research and that security meas-
ures and requirements ought to be incorporated right from the outset, it was also
pointed out that both the costs and time invested in the research and development of
actual IT security solutions and in the evaluation of such solutions had to be reduced.
At the end of this brief presentation of the main results of this Workshop, I feel it
my duty to give my thanks to a group of colleagues and friends. First of all, I want to
express my gratitude to Dr. Shai Blitzblau, University of Tel Aviv and co-director of
the ARW, whose scientific and impressive technical know-how was indispensable for
the success of the conference. His ideas and long experience animated the workshop. It
only grieves me that, due to his overwhelming activities, he could not produce an essay
for this book in due time. Thanks also go to my friend Paolo Lezzi, who, from his of-
fice of Maglan Group in Milan, helped in the difficult task of organising the event.
I owe heartfelt gratitude to Margot J. Wylie, already mentioned, for her intelligent,
painstaking and enthusiastic work of synthesising the discussions held during the ses-
sions. Without her contribution this presentation would have been much more difficult.
Moreover, she is also to be credited for revising all the papers from a linguistic and
publishing point of view.
My debt of gratitude also goes to my young colleague Ilaria Maltagliati, who as-
sisted me in the long months of preparation of the meeting with intelligence, spirit of
initiative, and enthusiasm. The same should be said of Serena Lisi, one of the authors
in this book, whose artistic temperament and vivacious eclecticism contributed to the
publicity campaign and formalities of the initiative. Both of them are working in the
University Centre of Strategic and International Studies (CSSI).
Some other friends deserve to be mentioned here: Renate Cuda Sommerfeld, Jac-
queline Marchal, Anna Maria Petruccelli, Reut Rahav, Pietro Stopponi, whose sugges-
tions and clerical assistance during the meeting contributed to the success of the ARW.
Obviously, my thanks go to the key speakers who animated the discussions of the
(about) eighty participants coming from fifteen countries of the world, and, in particu-
lar, to those of them – the major part – who put down in writing their ideas, and made
this book possible.
Last, but not least, my deep gratitude goes to the Defence General Staff, and in
particular to the Italian Navy, which agreed to accommodate the ARW in its ancient
and historical dockyard in Venice, and which offered invaluable logistical support.
My gratitude also goes to the sponsors – Unicredit, Waterfall Solutions, Ispri/Cerpre,
Agricola snc. – which contributed to making the costs of such an expensive city as Ven-
ice affordable.
All sectors of society were represented at a very high level around the table:
the university, industry, banks, the military, police forces, computer scientists,
lawyers, mathematicians, technicians, and so forth. Facing the same threats, they felt
themselves to be a community: the only way to confront terrorism and crime. Thanks
to all of them.

Umberto Gori
University of Florence, August, 2009

Notes

(1) Secure Information Systems Engineering: A Manifesto, in: “International Journal
of Electronic Security and Digital Forensics”, vol. I, issue 1, 2007, pp. 27–41.
(2) Tanji Michael, INFOSEC privateering as a Solution to Cyberspace Threats, in:
“Journal of Cyber Conflict Studies”, vol. 1, issue 1, pp. 4–10.
(3) Green Cloud Security, White Paper Top 7 Security Threats in 2009, 2008–2009.
(4) Kenneth J. Knapp and William R. Boulton, Ten Information Welfare Trends, in:
L. J. Janczewski and A. M. Colarik, Cyber Warfare and Cyber Terrorism, IGI
Global, Hershey, PA, 2008, pp. 17–25.

Suggested Readings

• Cyber Security: A Crisis of Prioritization, Report to the President, NCO/IT
R&D, 2005, pp. 58.
• W. Stallings, Cryptography and Network Security: Principles and Practice,
4th Ed., Prentice Hall, Upper Saddle River, N.J., pp. 592.
• H. Jahankhani, Evaluation of cyber legislation: trading in the global cyber vil-
lage, in: Int. J. Electronic Security and Digital Forensics, Vol. I, No. 1, 2007,
pp. 1–11.
• D. L. Watson, Stealing corporate secrets using open source intelligence (the
practitioner’s view), in: op. cit., pp. 71–75.
• S. Ahsan, IT enabled counter terrorism infrastructure: issues and challenges,
in: op. cit.
• M. Watney, State surveillance of the internet: human rights infringement or e-
security mechanism?, in: op. cit., pp. 42–47.
• L. Yang and S.H. Yang, A framework of security and safety checking for
internet-based control systems, in: op. cit., vol. I, No.1/2, 2007, pp. 185–200.
• N. Stakhanova, S. Basu, J. Wong, A taxonomy of intrusion response systems,
in: op. cit., pp. 169–184.
• M. P. Gallaher, A.N. Link, B.R. Rowe, Cyber Security – Economic Strategies
and Public Policy Alternatives, E. Elgar Publishing, Cheltenham, UK and
Northampton, MA, USA, 2008, pp. 266.
• L. J. Janczewski and A. M. Colarik, Cyber Warfare and Cyber Terrorism, IGI
Global, Hershey, PA, 2008, pp. 529.
• N. Carr, The Big Switch: Rewiring the World, from Edison to Google, W. W.
Norton & Company, New York, 2009, pp. 276.
Contents
Introduction vii
Umberto Gori

Section 1. Approaching Security

Section 1.1. Conceptual Approaches to Security

Thoughts on the Open Information Society: Does the Concept of “Privacy of an
Organisation” Exist? 5
Niv Ahituv
Striking the Balance: Security vs. Utility 11
Ari Vidali
Secure Software Engineering: Developing the New Generation of Secure
Systems by Introducing a Security Focus Throughout the Development
Lifecycle 29
H. Mouratidis

Section 1.2. Current Methods Applied to Security

A Fuzzy Approach to Security Codes: Cryptography Between Technological
Evolution and Human Perception 43
Serena Lisi
Cryptography and Security: Evolutionary Information Theory and Prime
Numbers Genetics 52
Gerardo Iovane
A Note on Public-Key Cryptosystems and Their Underlying Mathematical
Problems 59
Dario A.M. Sgobbi and Guglielmo Morgari
Intrusion in a Mission Critical Network: A Tutorial on Intrusion Detection
Systems and Intrusion Prevention Systems 68
Dario A.M. Sgobbi and Marco Paggio
A World-Wide Financial Infrastructure to Confront Cyber Terrorism 75
Paolo Campobasso
A Pragmatic and Foolproof Approach for Connecting Critical/Industrial
Networks to External Less Secure Networks 79
Esti Peshin
A Cyber Security Approach for Smart Meters at ERDF 93
Pascal Sitbon
Section 2. Understanding Terrorism and Its Interaction with Critical
Infrastructures

Section 2.1. Facing Terrorist Attacks and Attacks to Critical Infrastructures

Al-Qaeda: Its Global Marketing Strategy 109
Anat Hochberg-Marom
A New Paradigm for Countering Jihadism 114
Antonio Guido Monno
Modelling Deterrence in Cyberia 125
Claudio Cioffi-Revilla
The Cutting Edge of Cyber Network Development – A Paradigm to Translate
and Predict the Network Strategies of Avant-Garde Cyber Criminals 132
Maurizio Agazzi
Protecting Critical Infrastructures from Cyber Attacks Involving Malware 140
Y. Elovici and A. Shabtai

Section 2.2. Police and Military Force Operations and Approaches

Protecting Critical Information Infrastructures: Domestic Experience and
Competencies of the Postal and Communication Service of the Italian
National Police 153
Domenico Vulpiani and Sergio Staro
Fighting Terrorism in Cyberspace 160
Giovanni Cataldo
Cyberspace Control: How to Avert a Cyber World War 165
Ferdinando Sanfelice di Monteforte

Section 3. European Measures and Legal Aspects

The Role of Europe in Matching Today’s Asymmetric Threats 173
Giancarlo Grasso
Information Sharing in the Context of European Union Critical Information
Infrastructure Protection 182
Alessandro Gazzini and Andrea Rigoni
Defining Critical Information Infrastructure in the Context of Cyber Threats:
The Privacy Perspective 189
Eneken Tikk
Crimen Ex Machina: A Legal Approach 199
Ivo Paparela
Curricula Vitae of the Authors 205
List of Participants. NATO ARW – Operational Network Intelligence:
Today and Tomorrow 209

Subject Index 213

Author Index 215
Section 1
Approaching Security

Section 1.1
Conceptual Approaches to Security

Modelling Cyber Security: Approaches, Methodology, Strategies 5
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-5

Thoughts on the Open Information
Society: Does the Concept of "Privacy of
an Organisation" Exist?
Professor Niv AHITUV1
Academic Director, Netvision Institute for Internet Studies
Tel Aviv University

Abstract. It is argued that computer networks proliferate to such an extent that
individuals and organisations, for the most part, might as well give up in their
efforts to protect most of their databases. Moreover, most of the information
required for management decision-making processes is open and readily available
on the web. As for individuals, it is not certain whether privacy is what they are
looking for. The virtual community networks and the global social networks (e.g.,
Facebook, Linkedin, Youtube, and blogging) provide counter-privacy-seeking
examples. Electronic information and on-line data analysis are accessible to
everybody, be it an individual, a firm or a government. This eventuality heralds the
dawn of a new era for society -- the open information society (OIS).
This article focuses on organisations rather than on individuals. It explains why an
open information society is inevitable and how this stage of societal development
has almost been reached. In particular, the implications for organisation
management are discussed.
The assertion presented is that shared information may lead businesses to evolve
toward one of two possible extremes: global monopolies or a much more creative
and sophisticated form of management.
As far as relationships between individuals and organisations are concerned, the
OIS may generate either a new form of feudalism, in which the organisation fully
controls its employees ("1984" augmented with information technology), or better
and improved processes of recruitment and human communications.
With regard to the protection and the search for information, it is better to focus on
tightening security for a very limited segment of the organisational information
thus freeing up resources that may then be directed toward "legal" searches in
open information depositories.

Keywords. Privacy, Privacy of an Organisation, Open Information Society,
Information Security

Introduction

In the not-too-distant future, it will be hard to find a company that doesn't embrace the
Open Information Society (OIS) framework [1, 2, 3, 4]. Any company that tries to
ignore it is guaranteeing its own extinction. The purpose of this article is to attempt to
analyse the implications that the OIS has on businesses and organisations.

1 ahituv@post.tau.ac.il

1. Trend-setters

Like it or not, business and industry usually set a lot more trends than governments or
private individuals. Logic dictates that legislatures should shape the framework for
what is considered acceptable behaviour in a democratic society, but reality is a
different ball game.
The private sector believes in the free market; if there's a good idea out there,
business will jump on the bandwagon. Government and the public sector, on the other
hand, nearly always lag behind. They are so concerned with politically and
administratively doing the right thing and so preoccupied with the bureaucratic
mechanisms that they have built by themselves that they display an inherent
conservatism at nearly every step of the way.
For many companies, the OIS is a lot more than a distant and future vision; it has
already happened, and it's helping them carve and expand market niches while their
competition falters.
Take some of the leading airline companies, for example. They now encourage
customers to take advantage of e-ticketing since they have realised that it is less
expensive for them, in terms of the costs associated with checking in and the
commissions paid to travel agencies. Not only have they offered reduced prices for e-
tickets, but as an incentive they have also opened separate check-in lines for customers
with electronic tickets, promising that the process is more expeditious.

2. The Innovators

Excluding NASA, which spends billions of dollars in research areas that no business
could ever even afford to contemplate, and a few industrial sectors in which R&D is
largely government-funded (such as aerospace, nanotechnology and nuclear energy),
most technological innovations come from the private sector. Relatively unencumbered
by political constraints, the business world examines a situation with a critical eye as to
what is possible and what may be profitable. Lawmakers, on the other hand, tend to be
conventional and it is tough to convince them that change is occurring as rapidly as it
is. While they ought to be the ones paving the way for the OIS, realism forces us to
understand and accept that, due to the respective characteristics of legislators and the
legislative process and the economy today, the business world will lead the way.
Evolving information technology offers too many examples to count, where
technological progress has outstripped the laws that govern it. All one has to do is look
at what happens when people start to do business electronically. Good old-fashioned
signatures have become a thing of the past, and now it has become difficult to prove in
court that commitments were made. A large number of countries have recently instated
laws to deal with the legitimacy and authenticity of electronic signatures. However,
such laws and regulations would have never been created had a true need not emerged
from the private sector.
One might then ask, what happens when a computerised inventory control system
and an online ordering system make a decision together to ship merchandise from the
vendor’s warehouse to the customer’s storage centre? Since no human being was
involved in the decision to ship goods, who is responsible in the event of a dispute?
Moreover, suppose the vendor and the customer reside in different countries and the
warehouse is located in a third country; which legal system will be enforced should
there be a dispute? In the event that the merchandise is downloaded electronically, such
as music or software, how do the custom authorities collect the tax, or how does the
national bureau of statistics analyse the annual balance of payments (import–export)
rates?
It's important to understand that only a handful of big companies can afford to sit
back and wait for the government to blaze a trail through the technological wilderness.
While lawmakers struggle to comprehend and adequately respond to this rapidly
shifting reality, big business is pushing forward and contributing to this daily changing
reality. This in turn creates further difficulties for legislators in their endeavours to
legislate. The current lag that exists between the creation of legislative boundaries and
standards and the actual current situation means that a lot of time and money are being
wasted. The only alternative would be to stop the clock on change, and this is clearly
not in the interest of the business world. In most cases, businesses operate in order to
turn a profit. They make decisions on the basis of economics, not a love of high-tech
"toys." Therefore, they cannot be halted and their commercial initiatives cannot be
suspended.

3. The Key: Good Communications

The mere act of acquiring PCs, servers and other computer hardware doesn't guarantee
a rosy future for any company, just as having an excellent product isn't always enough
to ensure success. The key to success is twofold: good communications among all of
those computers, and learning how to integrate and exploit the data accumulated on
them.
As increasing numbers of companies computerised their internal distribution
systems, they turned their attention to their relations with the outside world.
This holds true for Electronic Data Interchange, hereinafter EDI. When this technology
began to show promise in the late 1980s, a few large corporations tentatively embraced
it. However, only when companies like Eastman Kodak, IBM and GM announced that
EDI was mandatory for anyone who sought to do business with them did it get its first
serious boost. Today, of course, governments use it (e.g., e-government applications),
and laws regarding this new style of completing transactions have been either instated
or tabled. Nobody disputes, however, that big business got EDI off of the drawing
board and into the warehouse or the virtual retail store long before legislators began to
regulate it.
What was one of the first organisations in Britain to address the complex issues of
standardising coding guidelines? None other than an alliance of retailers, wholesalers
and manufacturers who had set standards for product coding and scanning.
Government didn't do it. Individuals didn't do it. Business - large and small - did it, and
the world followed suit.
EDI and its offspring, B2B, B2C, B2P, G2B and e-government make sense. If a
hotel provides each of its regular suppliers with daily occupancy rates, then the
greengrocer and the dairy supplier can ship the appropriate amounts of food items to
meet the day's demand. Such automatic supply agreements must, of course, be based on
careful advance calculations, and the hotel must have ways of overriding standard
supply orders in the event of, say, a Polynesian theme night, which might boost the
need for certain tropical fruits and other foodstuffs.
This override capability could be called Management by Exception. In other
words, once the hotel's food and beverage manager gets the formula ironed out with
each supplier, s/he would not need to place daily supply orders. The goods would
arrive almost automatically in the amounts needed for any given day. Only when the
manager wanted to change something about the standard procedure would s/he need to
communicate - electronically, of course - with the suppliers to notify them of the day's
exception. Such exceptions flow in both directions. The food and beverage manager
might notify the poultry supplier of a large vegetarians' conference, and the fresh fruit
supplier might notify the hotel that the raspberry season has ended. However, this
electronic communication puts an end to the "privacy" of the hotel, since dozens of
suppliers along the chain of supply are becoming intimately familiar with the hotel
level of occupancy and financial success.

4. B2B: A Step in the Right Direction

Once a company embraces e-commerce, it is well on its way toward adopting a broad
range of other technological developments. When British department store chain Marks
& Spencer (M&S) told its suppliers in the early 1990s that it wanted to conduct product
design via an electronic network, each supplier had to either adapt or find new clients.
For Delta Textiles Ltd., an Israeli fashion underwear manufacturer worth $200
million in sales a year that sells 35% of its total production to the London-based Marks
& Spencer, the choice was clear: it began to examine the two CAD systems selected by
M&S and to accommodate its own internal systems for working electronically with its
largest client.
Until the new system was set up, Delta's design team members shuttled back and
forth between Tel Aviv and London every month to present the latest style ideas to
M&S buyers. As soon as the new system was operational, a Delta team in Tel Aviv and
an M&S team in London were able to spend as much time as was needed working
"together", eliminating the need to leave the office, at least on a frequent basis.
However, it is clear to everyone that for such cooperation to work, Delta’s design
records must be exposed to M&S buyers. At the same time, those buyers can access
the electronic files of Delta’s competitors. Therefore, a lot of trust is required if there
is a true desire to maintain such cooperation.

5. If You Can't Beat 'Em, Join 'Em

The greatest shortfall of businesses that embrace OIS and all its components may lie in
the billions of dollars that are spent annually trying to plug the holes that form in the
walls of secrecy surrounding their operations. Like the little Dutch boy with his finger
in the dike, they already realise that the holes cannot be plugged forever nor can all of
them be sealed off; there will always be leaks, so why waste so much money and
manpower fighting them?
Industrial espionage poses a far greater threat to "secret" information than do
hackers.
Hackers get more publicity, because they seek access to this information for the
thrill of it, and half of that thrill comes from boasting about it afterwards; the real threat
comes from those who infiltrate a system, leave no footprints, and learn all sorts of
secrets with the intent to use them to change the competitive playing field.
This activity used to be called industrial espionage, but now it is generally referred
to as information-gathering, or data mining. Simply put, anybody who does not do
his/her utmost to find out what others do not want him/her to know runs the risk of
losing competitiveness and being left behind. In fact, today it does not necessarily
require that illegal action be taken to find information on your competitors; Google and
other data depositories can provide you with almost all you need. For example, Google
Trends can provide a lot of open, free and analysed information on business
organisations.
Since knowledge will eventually be open to all in an OIS, the swift reaction to new
realities will be a prerequisite for survival. Companies will have to establish or enhance
their scouting departments, since even the slightest delay or oversight could be crucial
to their continued success.
The upper echelons of a business will have to take an active role in scouting and
using technology. Scouts provide management with frequent reports on potentially
adaptable technologies and business intelligence. Management will have to set the
company's priorities and determine how to allocate resources between promising
ventures.

6. Prioritising Information Security Measures

With the whole world looking into their computer databanks, companies will have to
make careful decisions about what information to protect. Protection will be much
more difficult than it is today. Although it will still be possible to keep particularly
sensitive data out of the public's reach, the steps that need to be taken to protect it will
not only cause inconvenience even for the people who are supposed to have access, but
the cost of taking these measures will be near to prohibitive.
In an OIS, the management of any given company will need to adjust to an
environment in which their every move can be observed by the public in general, and
especially by their competitors. This new reality will force companies to focus on
products and innovations that produce immediate payoffs, requiring companies to
invest to obtain the high levels of creativity and originality needed to create such
products. The pursuit of such short-term, dynamic goals requires organisations to adapt
to more flexible production and marketing facilities. Companies will need to be willing
and able to switch their production lines from one product to another on short notice.
Likewise, in order to meet the needs of each new product, distribution and marketing
techniques will undergo rapid adjustment.
It grows increasingly clear that as the OIS moves closer to becoming a reality,
quick decision-making is needed. People with vision have seen this coming for years.
As B2B expands into the realm of R&D, as portrayed earlier in the Marks and
Spencer – Delta example, the dangers regarding information protection could become
even greater. What would happen, for instance, in the case that Delta submits a design
idea electronically and Fruit of the Loom - or any other underwear manufacturer that
sells their products to M&S – wishes to access it electronically? And that is to say
nothing of the inherent danger of having next year's fashions - complete with
multimedia representations - stored on the computer of a company that may buy
them... or even steal them.
One possible reaction to such a scenario is to redouble efforts to protect
information. It may sound like a good plan, but it just isn't feasible. If a company is run
by people who are smarter than the people running all of the competing firms, then this
prescription is fine. But how often does that happen? It seems more than a little
presumptuous to assume that one company can keep spies out of its own systems
while getting its own spies to infiltrate everyone else's. In the real world, every
company has successes and failures in the realm of intelligence-gathering.
Rather than spending billions of dollars in the futile effort to keep people out of
their systems, increasing numbers of companies realise they can actually turn a profit
by charging access fees to outside users who want to log on to their databases. Given
the choice between paying for legally obtainable information or breaking the law in
order to steal it just to save the fees, the vast majority of decision makers will opt for
the legal route.
Take companies whose main goal is to sell information, for example. The
Financial Times, Reuters, Dow Jones and many other companies have their databases
open to the public. While these are often partially free, full access is offered only by
paying a fee, and these companies often earn large profits from it. Fear of “electronic
theft” is not that strong in these situations.
Nevertheless, while governments and many individuals seem oblivious to the
revolution that is changing the way we live our lives, business leaders are working
overtime to shape the future. That is why they are opening their networks to the public;
letting anyone access their files through Internet services; giving suppliers, clients and
potential partners access to databases that used to be off-limits; and taking countless
other steps to break down the barriers that used to create so much incentive for spying.
And, if it makes sense, financially speaking, then big business will, indeed, lead the
way to the OIS.

References

[1] Niv Ahituv, “The Open Information Society”, Communications of the ACM, Vol. 44, No. 6 (June
2001), pp. 48-52.
[2] Niv Ahituv, A World Without Secrets: On The Open Information Society, Am Oved Publishers, Tel
Aviv, Israel, 2001 (in Hebrew)2, 188 p.
[3] Tom Friedman, The World is Flat, Farrar, Straus and Giroux, New York, 2005.
[4] Richard Hunter, World without Secrets: Business, Crime, and Privacy in the Age of Ubiquitous
Computing, John Wiley, 2002.

2 A pdf draft version in English is available upon request.
Modelling Cyber Security: Approaches, Methodology, Strategies 11
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-11

Striking the Balance: Security vs. Utility


Ari VIDALI
CEO, ENVISAGE Technologies Corp.

Abstract. Maximum security requires, by definition, a “closed system” whereas
maximum utility requires “openness.” Is it possible to reconcile these two
extremes? Can a highly secure system actually be easy to use?
With the exponential adoption of technology, highly interconnected
computer & telecommunications systems have become an indispensable
component of modern societies. Our reliance on information technology has
penetrated almost every facet of daily life. Our critical services, financial systems,
transportation and commerce rely upon the confidentiality, integrity and
availability of these systems. Notwithstanding some promising advances,
networked systems remain highly vulnerable to attack and exploitation by hackers,
cyber criminals and terrorists despite the significant efforts and investments that
have been put forth to detect, deter and mitigate these threats.
Most experts agree that the security of any information system is only as
strong as its weakest link: the human beings who create and use them. This paper
explores some of the root causes of the usability problem and how proper security
practices are consistently being ignored or circumvented by the very users and
organizations they were designed to protect.
We propose that this reality must be understood and addressed in order
for systems engineers to architect effective, easy-to-use security solutions that
enhance rather than limit system utility. In our paper, we propose that the security
systems of the future must be highly convenient, largely transparent to end users,
fully integrated across security domains, threat aware, and able to modify security
policies “on the fly” in response to changing threat environments.
In a culture driven by convenience, one-stop-shopping and near universal
access to information, system users will continue to find ways to circumvent even
basic security protocols if they are too onerous and burdensome. While highly
complex, interconnected systems will always have flaws that can be exploited, the
vast majority of attacks on cyber-infrastructure are made possible because of
human nature.
Technology has become an indispensable tool for modern societies. Has
our reliance upon technology become a two-edged sword? We argue that as
hackers, cyber criminals, and terrorists become more technically sophisticated, the
very technology that contributed to the rise of the western world is being exploited
as one of our greatest weaknesses by those with nefarious intent. Our paper
concludes that to stem the tide, the security community must address some of
these root causes of cyber insecurity.

Keywords. Security, Cyber security, Usability, Biometrics, Authentication,
Human-computer interaction
12 A. Vidali / Striking the Balance: Security vs. Utility

“The more secure a system is, the harder it is to use.
The harder it is to use a system, the less secure it will be.”
Brian R. Krause, Adducive

Introduction

It is September 11th, 2013. In a dimly lit room on the outskirts of Peshawar, in Pakistan,
five men stare into their computer monitors as their fingers rapidly tap on keyboards.
Unbeknownst to them, their state-of-the-art equipment was funded by a relatively
new drug cartel operated by Taliban warlords. With the massive financial resources
derived from the burgeoning poppy trade, the cartel was able to ensure that the five had
sufficient funds for their purposes.
Calling themselves the New Islamic Martyrs Brigade, the five men are about to
launch a cyber attack on the Western World unlike anything ever seen before. Fueled
by the propaganda they have absorbed from radical Islamic websites, and violently
motivated by the inflammatory rhetoric of impassioned fundamentalist clerics, they are
driven by a single-minded objective: to deal a devastating blow to the very heart of
western capitalism by crippling its vital information infrastructure.
After a year of careful planning, preparation, complex coding and target selection
they are ready. For months they had been foiled in their attempt to crack the passwords
of the critical edge routers vital to their plans. The systems administrator had used
strong password authentication to protect them and combined with the cryptographic
strength of the authentication mechanisms, they had been delayed in their progress.
Luckily for them, an audit had required a new policy of changing the password every
thirty days. Harried help desk staff had provided the forgotten password to a coworker
in Instant Messaging rather than walking it down two floors, and the minor breach had
been exploited. A well designed and near invisible piece of code was installed on the
worker’s computer and silently duplicated itself across the network capturing the
keystrokes executed on the compromised machines. It sent the logs to anonymous
Yahoo accounts, set up for this very purpose by the five men.
Just two weeks ago, the five received, via a PGP-encrypted message, the
assurances of a highly-placed leader of the Hezbollah terrorist network that their efforts
would be augmented by multiple simultaneous suicide bombings. The message also
included instructions for coordinating their attacks with similar cyber terror cells in
Iran and Venezuela who had amassed vast botnet armies to unleash upon the west at the
appointed time. The five men had no doubt that their efforts would result in the
“mother of all terror incidents.” The careful planning, research, social engineering and
brilliant coding had yielded not only a treasure trove of high-access accounts for vital
systems, but also had allowed them to study weaknesses in the security of the systems
they intended to target.
At exactly 9:00 a.m. EST, an IT analyst at the New York Stock Exchange notices
increased traffic on the NYSE backbone. At 9:10, all of the servers lock up and stop
functioning. At 9:45, the head of the NYSE issues a statement that all trading is
suspended due to a malfunction. This is followed by statements from the NASDAQ
that they too have suspended trading. As reporters investigate, rumors surface that the
machines and backups have been compromised and the timetable for recovery is
unknown. Investors around the world begin to panic, forcing European stock markets
to close after a 12 point decline due to panic selling and the spread of rumors of a
pending meltdown in Asian indices.

Halfway across the Globe, in London’s Heathrow airport, air traffic control notices
irregularities in its state-of-the art Pegasus-ATC traffic control systems. Installed just
four years ago, the systems were said to be impervious to attack. Five minutes later,
during heavy traffic, none of the primary or backup systems are working. The Prime
Minister is briefed and decides to re-route all incoming flights to Gatwick, but by then,
it is too late as two planes that were circling the airport under heavy fog collide. There
are no survivors; the death toll is 467.
10:00 a.m. EST. All of the major news networks around the globe begin reporting
on an urgent warning from the Center for Disease Control about water contamination in
cities across America including Los Angeles, New York, Detroit, Miami, Des Moines,
Atlanta, Chicago and Philadelphia. Officials deny that the CDC has issued any such
reports, yet each of the contacts that typically received press releases had received the
urgent warning. Grocery stores are without bottled water within the hour.
11:00 a.m. EST. Explosions are reported at five rural elementary schools in the
Midwest. Hundreds of children are injured; officials refuse to comment on the death
toll, citing the need to contact affected families. Cellular phones, already taxed with
traffic from earlier incidents cannot respond to the load. Anxious parents across the
country rush to take their children out of school, congesting freeways and impeding
rescue efforts.
12:00 p.m. EST. 15 million users of the largest Voice over IP provider in the
United States cannot receive a proper dial tone; instead, they hear a pre-recorded
message in broken English informing them of the impending destruction of their way
of life. The botnet armies assembled by the Venezuelan and Iranian cells, exploiting a
little-known weakness in IPv6’s IPsec implementation combined with an exploit of
Cisco IOS’s implementation of stateless address auto-configuration, are wreaking
havoc with Cisco routers all across the Internet. Not since the Conficker worm
outbreaks in 2008 and 2009 has such a rapid, widespread attack been seen. Already,
48% of the core routers on the Internet are down, locking up telecommunications
across vast areas of the Internet. The general population is in a frenzy of panic.
At 12:01 p.m. EST, a secure call is routed to the U.S. President, who is aboard
Air Force One, travelling to an undisclosed location. The call, which is put through
from the Situation Room, and which was originally received by the Secretary of
Defense, is from a middleman in the Ukraine who relays the terrorist’s demand for an
immediate withdrawal of all foreign military personnel from the Middle East, including
the emptying of bases in Iraq, Afghanistan, Saudi Arabia, as well as the joint forces
base of operations in Amman Jordan, which was established in 2011. In addition, all
shipments of arms or aid to Israel are to immediately cease. The White House has 72
hours to comply or further attacks will occur.
Back in Peshawar, the five men watch with glee as Al Jazeera reports on the
devastation. They are deeply satisfied with the results of the first wave of their
carefully planned attack. . .

1. Cyber Insecurity – A Look at the Current State of Affairs

In the early 1980s, network pioneers at DARPA1, along with several academic
institutions, developed a successful open standard for linking computer networks
together. The resulting TCP and later TCP/IP protocol ushered in the Internet age.
The basic concept that computer systems can be easily, cheaply and reliably linked
together to exchange information has, within the span of three decades, revolutionized
almost every facet of modern life and ushered in the era of pervasive computing, the
Internet and the mobile communications revolution. It has been the very “openness” of
these early implementations that was the driving factor in widespread adoption. And
indeed, the growth of interconnected computer systems has been nothing less than
staggering. Worldwide usage of networked computer systems has grown to an
estimated 1.43 billion users, which amounts to 21% of the world’s total population. [1]
In history, no prior technology has achieved such rapid adoption.
With such interconnectedness and widespread adoption comes the possibility that
these tools can be used to harm the very societies that have come to rely heavily on
them.
Our cyber-infrastructure -- including most of the technologies, protocols, and
information systems that make up or reside in cyberspace -- was not originally
designed with high security in mind. While systems security has improved, it has been
added, after the fact, onto existing structures that utilise archaic authentication
mechanisms which do not take into account the fallibility of human beings. This is due
in part to the economics of technology development; most buyers are unwilling to
spend the premium needed for truly secure computing.
This situation has not escaped the notice of disreputable actors who are finding
ingenious ways to exploit cyber-insecurity for monetary gain or with malicious intent.
According to a report released by IBM in 2005, “there were more than 237 million
overall security attacks in the first half of the year.” [2]
Our society’s increasing reliance on these technologies, coupled with the
persistent, well publicized2 vulnerabilities within our cyber infrastructure make it
relatively easy to exploit, disrupt, disable or cause mayhem on critical systems.
In a recent report, the Congressional Research Service (CRS) outlined current
terrorist capabilities for cyber attack and warned that terrorist organizations, state
sponsors of terror and extremist groups are becoming increasingly aware of the
essential role of critical information systems and will either develop their own
capabilities for cyber attack, forge alliances with cyber-criminals, or hire hackers to
assist them in targeting critical infrastructure. [3] The CRS cites a key report from the
House Homeland Security Committee, wherein FBI officials indicated that extremists
have used identity theft and credit card fraud to support recent terrorist activities by Al
Qaeda cells3. Finally, the report concludes that if the current trends continue, cyber
attacks will certainly become “more numerous, faster, and more sophisticated”, likely
outpacing the ability of government agencies and private organizations to prevent,
respond to and recover from concerted attacks.

1 The Defense Advanced Research Project Agency is an agency of the United States Department of Defense
responsible for the development of new technology for use by the military.

2 A prominent example was made public at the July 2005 Black Hat computer security conference where an
exploit was demonstrated to show how commonly used Internet routers could quickly be hacked. Victor
Garza, Security Researcher causes furor by releasing flaw in Cisco Systems IOS, SearchSecurity.com, July
28, 2005.
Deputy Attorney General Mark Filip, in his address to the International Conference
on Cyber Security, stated that “Cyber crime and cyber terrorism are issues that
transcend customary bureaucratic and national boundaries, and because both public and
private Internet infrastructures are "closely linked," they transcend the usual public/
private dichotomies as well.” [4]
This “interlinked” system of systems allows for numerous attack vectors, ranging
from a single targeted breach to a widespread coordinated cyber attack. The objectives
of a cyber attack include the following four areas: [5]
1. Loss of integrity, such that information could be modified improperly;
2. Loss of availability, where mission critical information systems are rendered
unavailable to authorized users;
3. Loss of confidentiality, where critical information is disclosed to
unauthorized users; and,
4. Physical destruction, where information systems create actual physical harm
through commands that cause deliberate malfunctions.
Many experts agree that one likely scenario for a cyber attack would be its use in
conjunction with a conventional physical, chemical, biological, radiological or nuclear
(CBRN) terrorist attack. Such a scenario could include direct attacks against first
responder communication infrastructure or 911 call centers simultaneously with the
detonation of explosive devices.
The Internet, which has penetrated almost all of our daily lives and is critical to the
functioning of our knowledge economies, was designed for research and information
sharing. All but the most sensitive information systems are either directly or
indirectly connected to the Internet and are therefore vulnerable to its design flaws. The
continued and concerted Distributed Denial of Service (DDoS) attacks against the Net’s
DNS infrastructure are troubling in that many believe those responsible are merely
conducting tests and that a full scale attack is a real possibility in the near future. [6]
Many of these large scale attacks exploit weakly secured workstations from around
the world and transform these computers into “zombies”. These, in turn, are then
aggregated into botnet armies, which can be unleashed in devastating distributed denial
of service attacks. Had the users of these workstations properly secured them, such
attacks would be vastly more difficult, as each workstation would have to be
individually hacked.

2. Closed vs. Open Systems

It has been humorously stated that a computer is in fact quite easy to secure. Why, we
can simply turn it off, lock it in a steel vault, destroy any key and ensure that it is not
connected to anything. Voila, we now have a highly secure computing environment!

3 According to FBI Officials, Al Qaeda terrorist cells in Spain used stolen credit card information to make
numerous purchases. Also, the FBI has recorded more than 9.3 million Americans as victims of identity theft
in a 12-month period; June 2005. Report by the Democratic Staff of the House Homeland Security
Committee, Identity Theft and Terrorism, July 1, 2005, p.10

Unfortunately, while the computer in this scenario is highly secure in its
impenetrable steel vault, it is also completely unusable, consequently forcing anyone
who needs to actually perform a productive task to seek out a machine that is
significantly less secure.
On the flip side, a completely unsecured computer with no authentication
requirement, connected to an un-firewalled public network is almost certain to be
compromised4, thus putting the user of that machine in danger of having their identity
stolen by cyber criminals, their files damaged, the system rendered inoperable, or
worse, sensitive information compromised and used for illegal activities.
It is logical to conclude that if people cannot use secure systems, they will seek to
use systems that are less secure or will find ingenious ways to circumvent security
policies. Ignoring best practices to get their work done will render the system less
secure than before. For example, it is common to find that government personnel who
cannot access their work email or files from home are regularly utilizing free internet
email accounts such as Gmail or Yahoo to send messages and attachments to each other
when they are not at their workstations. Thus, a theoretically secure system which is
not usable does little to improve the situation and tends to create a false and dangerous
sense of security within an organization.
So how do we strike a balance between the need for trusted, secure information
systems and the convenience, ease of use and usability of our information systems? We
need to design security solutions that are tailored specifically to the weakest link:
human beings. To do so, we must understand the limitations and motivations of average
people who use security solutions.

3. Security’s Weakest Link

As Bruce Schneier wrote, “Security is only as good as its weakest link, and people are
the weakest link in the chain.” [7] Hackers and cyber-criminals understand this
phenomenon significantly better than most technology companies. While the “human
factor” is generally accepted as a significant issue by the security community, the
majority of the discussions and research surrounding cyber security are focused on the
technical and policy challenges of securing cyberspace5. In addition, there is a scarcity
of resources, including scholarly papers, blogs, books or articles, devoted to the
subject of the usability of security solutions. Yet this issue is arguably one of the most
glaring and pervasive root causes of cyber insecurity. Given the fact that most users
interact with computer security on a daily basis, Angela Sasse comments that the
current state of affairs amounts to nothing less than a major usability crisis [8] and
suggests that “unusable security systems are not only expensive, but ineffective.”
This is because common security mechanisms have failed to acknowledge even the
most rudimentary usability and human-computer interaction design principles, such as
minimizing users’ mental workloads, task context or an understanding of user
motivation and self-image. Our continued reliance on password authentication as a
common security mechanism is proof that not much has changed in the last few
decades.

4 In November 2002, the Honeynet Project placed unpatched Windows 2000 computers on the Internet and
found that they were being compromised after just five minutes. The Honeynet Project, "Forensics" (Jan. 29,
2003); http://honeynet.overt.org/index.php/Forensics.

5 Such as: which technologies will be used, what standards will be implemented, what sorts of policies will
need to be crafted to coordinate our security and law enforcement efforts nationally and internationally or the
varying roles of government, academia and the private sector, in securing cyberspace.
As far back as 1999, Adams & Sasse conducted both interview and questionnaire
studies with people inside and outside an international telecommunications company
[9] and concluded that users:
• Could not cope with the proliferation of passwords,
• Received little instruction, training or support, and
• Were not motivated to behave in a secure manner.
A decade later, the average user’s exposure to password authentication is even
more out of control. We are juggling everything from bill payments, eCommerce,
social networking sites (like MySpace, GoogleApps, Instant Messaging) and an
explosion of Web 2.0 Software as a Service (SaaS) offerings, credit and debit card PIN
numbers, VoiceMail access codes, in addition to the numerous work and home related
computer login accounts that most of us are required to maintain. It has been estimated
that today, the number of individual username/password combinations that the average
person is required to contend with regularly is in the high teens. That number is
significantly more than the average person can remember without an artificial aid.
Unfortunately, the aid is often writing the passwords down, storing all of them in a
single location or using the same password everywhere6, thus defeating the purpose of
strong password authentication.

4. Understanding the Usability Problem

Let us consider for a moment some basic principles of human memory and motivation
and how these apply to security technology:
Human memory has limitations: Most of us are not good at remembering the
random sequences of characters required by strong password authentication methods.
Humans have trouble remembering more than 7 ± 2 unrelated characters. Moreover,
there is a limit to the number of passwords we can remember. Finally, unaided recall is
much more difficult than cued recall, resulting in the proliferation of the “Security
Question” or password reminders. While these “fixes” aid recall, they also introduce
additional significant security risks.
Humans don’t think randomly: We don’t do well when we are required to invent a
random string of characters and commit them to memory on the spot. Pattern
recognition is one of our strongest skills, so when asked to create many unique
passwords, we unintentionally or intentionally introduce patterns.
Human memory decays over time: We cannot recall passwords we use
infrequently. Conversely, we cannot forget (on command) memorized items we no
longer need. Thus, when we are forced to change our passwords, we commonly forget
the new one or confuse the new one with the old.
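The two behaviours just described, rotating a password by nudging its suffix and reusing one core word across accounts, are things a defender can measure rather than merely lament. The following is an added example, not code from the paper or from any product it mentions: a small Python audit of the kind a password manager's health check or a password-history filter would run. The normalisation rule (strip trailing digits and symbols, fold case), the edit-distance threshold of 2 and the sample vault are assumptions constructed for this example.

```python
"""
Rotation-variant and reuse check for a credential store (added example).

Flags (a) a replacement password that is only a predictable derivative of
the one it replaces and (b) one password core shared by several accounts.
The normalisation rule, the distance threshold and the sample vault are
assumptions made for this example, not anything taken from the paper.
"""
import re

# Trailing digits, symbols and underscores are what users typically change
# under forced rotation ("Summer2019!" -> "summer2020!!"), so they are dropped
# before comparison. `_` is a word character in Python regexes, hence listed.
_SUFFIX = re.compile(r"[\d\W_]+$")


def password_core(password: str) -> str:
    """Lower-cased password with any trailing run of digits/symbols removed."""
    return _SUFFIX.sub("", password).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a predictable derivative of `old`.

    Catches: identical strings, same core with a different suffix, case-only
    changes, the old password reversed, and any edit of at most
    `max_distance` characters.
    """
    if old == new:
        return True
    old_core, new_core = password_core(old), password_core(new)
    if old_core and old_core == new_core:
        return True
    if new.lower() == old.lower()[::-1]:
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


def find_reused_cores(vault: dict) -> dict:
    """Map every password core used by more than one account to those accounts.

    `vault` maps account name -> password. A password manager holds these in
    clear; a server that stores only hashes cannot run this particular check.
    """
    by_core = {}
    for account, password in vault.items():
        core = password_core(password) or password.lower()  # all-digit fallback
        by_core.setdefault(core, []).append(account)
    return {core: accts for core, accts in by_core.items() if len(accts) > 1}


# Constructed sample vault for the demonstration (not real credentials).
SAMPLE_VAULT = {
    "bank":  "Summer2019!",
    "email": "summer2020!!",
    "work":  "Tr0ub4dor&3",
    "forum": "Xk9#q2Lm@pZ7",
}


def audit(vault: dict, proposed_rotations: dict) -> dict:
    """Run both checks; `proposed_rotations` maps account -> candidate new password."""
    return {
        "reused": find_reused_cores(vault),
        "trivial_rotations": sorted(
            acct for acct, new in proposed_rotations.items()
            if is_trivial_variant(vault[acct], new)
        ),
    }


if __name__ == "__main__":
    # "work" only bumps its suffix; "forum" is a genuinely new password.
    print(audit(SAMPLE_VAULT, {"work": "Tr0ub4dor&4", "forum": "mN4!vQ8$wE2r"}))
```

The reuse check is the one a password manager can run; the rotation check is the one a server-side password-history filter can run at change time, because it sees the old and new values together. Both report the symptom without changing the policy that produces it, which is the point of the section: the measurement shows how much a rotation rule is really buying.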
Humans are goal oriented: Security is not a goal most users strive for; rather, it is
seen to get in the way of their production tasks. People use technology in order to
perform meaningful tasks. In this context, security is viewed as an “enabling task” or
“hurdle” the user is required to overcome in order to perform their production task.
“When security conflicts with a user’s production task they often respond by
circumventing security mechanisms, and perceive security as something that makes
their life difficult.” [10]

6 Hackers and social engineers exploit this fact as it is much easier to direct their energies against soft targets
to obtain one or two of a user’s commonly used passwords, which in turn are probably the same passwords
used to access more sensitive systems at work.
Security performance matches our motivation: Several research studies have
concluded that users simply lack the motivation to expend the extra effort on security.
[11] This is often due to a set of beliefs and behaviors on the part of those that do not
comply with security practices. These include the notion that the threat to security is
not “real”7 and therefore the extra effort is not warranted, and/or that users do not
believe that their actions will make any significant difference anyway, e.g. that a
determined attacker will get access to their system regardless of what they do, or “no
one else follows the rules, why should I?” This indicates that there is a cost/benefit
calculation that most users undertake when evaluating the effort they will put forth to
secure their information. In this context, it is important to acknowledge that people will
only expend the extra effort if they truly believe they are at risk.
Humans are interpersonal: People like people, and they tend to want to be helpful
to others. That is why social engineering is so effective. Also, it is this tendency which
often leads to circumventing security best practices. If a colleague needs access to a file
or a system, we are likely to help this person because as humans we value relationships
more than organizational policies.
Human nature is the reason why social engineering is such an easy and lucrative
means of attack for cybercriminals. Kevin Mitnick, the famous and controversial
computer hacker of the late 20th Century, was a master of social engineering
techniques. In his book, The Art of Deception [12], he provided numerous examples of
how he easily gained illegitimate access to computer systems using username and
password combinations which he obtained by artfully duping end-users into giving him
their credentials.
As none of the previous points are new revelations, why is it that we continue to
use standard password authentication to secure our critical systems? Consider that not
only is password authentication counter-intuitive to humans, in many cases, it relies on
only a single “strong” security element, the password, which as we have seen is
inevitably being compromised by human behavior and limitations.
If we are to strengthen cyber security, the problem must be viewed as more than a
technical challenge. Security as a system must be engineered around the people who
use it, the context within which it is used, and its surrounding environmental
conditions. The current lack of usability and human-computer interaction principles
almost guarantees that only the most sensitive data handled by the most security-
conscious persons has a chance of being adequately protected. Yet even under these
ideal circumstances breaches of security continue to crop up. For example, former CIA
director John Deutsch, arguably a very security-conscious person with significant
motivation to protect Government secrets, lost his security clearance because he wrote
a classified memo on his unprotected home computer. “The U.S. Department of
Defense's Inspector General blasted Deutsch for particularly egregious violations of
security protocol involving his doing classified work on an unsecured home computer,
while serving in DOD posts in 1993 and 1995. An investigation into similar practices
by Deutsch, while director of the CIA, cost him his security clearance in 1999. ” [13]

7 In an experiment conducted in 2004, regular commuters in London were asked if they would reveal their
email passwords for a bar of chocolate. A troubling 34% revealed their passwords without needing to be
bribed. Over 70% revealed information about themselves that could be used by identity thieves. BBC,
Tuesday, 20 April, 2004: Passwords revealed by sweet deal. http://news.bbc.co.uk/1/hi/technology/
3639679.stm

5. Anatomy of Security Mechanisms

The principle of strong security includes the common notion that in order to secure an
information system we need a combination of multiple vectors to establish a trusted
connection:
• Something I am – Identification – Who you are, positive identification
• Something I know – Authentication – Something only you uniquely know
• Something I have – A token, smart card, keycard etc.
• Somewhere I am – Location – a physical or logical “area” from where I can
access a system. (e.g. IP filtering, Internet Zones)
To be secure, a system must incorporate at least two of these vectors to establish
trust. In addition, once a user is positively identified and “trusted” we must also know
what actions that user is authorized to perform on the system, or in other words, his/her
authorization level. Upon cursory review, password authentication conforms to security
best practice by requiring two of the aforementioned vectors to authenticate a user and
allow them access to an information system:
1. Something I am - username and,
2. Something I know - password
Let us however, for a moment review standard password authentication in more
detail. By accessing the login screen a user is prompted for a username and password to
gain access to the system’s functions. The username supposedly serves to identify the
individual seeking to gain access. In combination with the proper password, access is
granted. In most cases, the username is ridiculously easy to guess as it is almost
universally based on publicly available information, e.g. a person’s email address, a
subset thereof, their name or an abbreviation of their name. For Voicemail systems, the
username is almost always the individual’s phone number or mailbox number. Some
financial systems try to mitigate this fact by utilizing identifiers that are considered
“more secure” such as Social Security numbers, yet even these can be relatively easy to
obtain over the internet for as little as ten US dollars.
Thus, one of the most critical elements of our security system can be said to be
ineffective at positively identifying a user, leaving only the password to stand in the
way of a determined attacker. As we have seen, passwords are significantly less secure
than we would like. Likewise, because the “identification” component of this
authentication scheme is so weak, all it takes is a name, phone number or email address
for any malicious attacker to acquire enough information to initiate an attack.
As if this state of affairs was not bad enough, there are numerous readily available
tools that are designed to automatically exploit known weaknesses in operating systems
and commonly used commercial software applications that can collect login credentials
in order to assist a hacker in compromising vulnerable systems. These tools are easily
available for download from the Internet and can be utilized by relatively
unsophisticated attackers.
In addition, password authentication is severely flawed from a usability
perspective in that it requires 100% unaided recall of the non-meaningful items that
make up strong passwords. Given the limitations of human memory outlined above,
password authentication causes people to constantly compromise both the strength and
secrecy of the password in question. It is not a stretch to conclude that both vectors
(username and password) are compromised when it comes to password authentication.
This traditional scheme provides near zero non-repudiation support as there is no
way for the system to positively identify the user beyond checking that the username
and password combination matches what is stored in a database. Clearly, from a
security perspective, password authentication has utterly failed to provide adequate
protection for sensitive systems and yet it continues to be one of the most commonly
used security methods in cyberspace.
While we are not arguing that password authentication has no merit whatsoever,
we are pointing out that it is an inadequate security mechanism for most systems and
should be utilized only on the least critical systems. This brings us to an important
conclusion: selection of the proper security system should be based upon an
appropriate security risk assessment. In the U.S., before September 11th, many systems
that support vital services had not been assessed for risk in the context of terrorism or
cyber warfare. Today, with awareness on the rise, a number of military and sensitive
governmental systems have implemented additional layers of security including the use
of Common Access Cards (CAC) and/or biometric security mechanisms to harden their
systems.

6. Driving Principles for Usable Security

To solve the usability problem, the security systems of the future must be highly
convenient, largely transparent to end users, fully integrated across security domains,
threat aware, and able to modify security policies “on the fly” in response to changing
threat environments.
Convenience and transparency are absolutely critical if we are to solve the
problem. As previously stated, the less a person encounters security as a hurdle to their
production task, the more effective the solution will be. An example in the physical
world would be a self-locking door. For those that do not have this convenience, many
forget to properly lock their doors when leaving their homes.
Thus, in simple terms, our users’ behavior indicates that they need security that is
quick, convenient and easy to use. They want to know that their identity, files, systems
and facilities are consistently secured in a manner that maintains their privacy, yet
alerts them when a potential breach has occurred. While users are understanding of the
need for authentication and are willing to provide credentials, it is unrealistic to ask
them to provide too many different sets of credentials during their daily workflow.
Users should be required to remember as few things as possible in order to access our
systems. Also, security must be contextualized with user’s production tasks and be
appropriate for the sensitivity of the system and applicable threat environment.
So at a minimum, future security mechanisms should:
1. Positively identify a person (not a username)
2. Require strong passphrases
3. Be threat-aware, i.e. able to discern threats, take appropriate actions and notify
appropriate user(s) or authorities of a breach. Also, they should be able to
share information in order to act as a threat early warning system.
4. Adapt in real-time – allowing for additional security to be imposed during
times of increased threat, automatically add layers of security to sensitive
information when an attack is perceived.
5. Be largely transparent/convenient
6. Be integrated – allowing user credentials to be used for physical and virtual
access
7. Be designed to safeguard our personal privacy

6.1. Positively Identifying a Person

To establish objective trust and non-repudiation requires that we look beyond the easily
compromised username for positive identification. Biometric identification does this by
using one or more unique and intrinsic physical (fingerprints, iris, retina, facial or hand
geometry, palm vein patterns) or behavioral traits (typing dynamics, signature
recognition, voice pattern) of an individual to establish a positive identity match. The
advantages of biometric identification include:
• Very easy to use/convenient – we don’t forget our fingerprints or face
and, unlike tokens, these cannot be “lost”
• Limited Attack Surface – it is almost impossible for a remote attacker to
access the information necessary to initiate a direct attack or steal the
user’s identity
• Relatively fast – it can take under a second to verify a match
• Increasingly accurate – accuracy has improved significantly over the last
2 years
• Becoming cost effective – costs for biometric devices have come down
significantly8
While biometrics has significant advantages, detractors point out that the
technology is still problematic due to:
• Inability to change a biometric – unlike a username, once a biometric
signature is stolen, it is not easy to change and we only have a limited
number of biometric identifiers.
• Greater consequences – criminals may be incentivized to cut off users’
fingers, hands, other body parts or even kill in order to gain illicit access
to secure systems.9
• Surrounding systems weak – biometrics can still be compromised via
system circumvention, verification fraud and enrollment fraud. [14]
• Biometric verification is not 100% accurate – this is due to the need for
match threshold values (similar to a metal detector) to take into account
the changing characteristics of the biometric. Faces age, fingers can be
scarred and our voice may change due to a sore throat. Depending on the
threshold settings, and the “noise” encountered when scanning the
biometric, false verification can occur as well as false rejections.
• Fabricated biometrics – it is theoretically possible to recreate source
biometric data from associated templates, thus possibly compromising the
biometric. [15]
8 The cost of a fingerprint sensor has fallen from around $20 four years ago, to under $5 in 2007 and is
being incorporated into everything from laptops and cell phones to USB keys and hard drives.

9 A common story we hear regarding this objection is about the man whose new Mercedes was carjacked. The
car had a biometric lock and therefore the thieves removed the man’s finger in order to start the car. Despite
this popular story, many of today’s biometric devices have “live” sensors in them that would actually
incentivize a criminal to keep the individual alive as long as they need access. In addition, while this
information can be coerced from someone by force, so can a username, and the nature of the crime creates
significant visibility for the perpetrators thus effectively removing the shield of anonymity cybercriminals
hide behind.

Nevertheless, biometric identification holds significant promise by utilizing
numerous “immutable” physical and behavioral attributes, which, when fused, could
form the basis for identification systems that are nigh impervious to identity theft.
These multi-modal or “fused” biometrics systems are more reliable due to their ability
to acquire multiple pieces of evidence to identify a person. Imagine a computer, vehicle
or door that not only recognizes your face but scans your iris and asks you how your
morning is going while analyzing the voice pattern of your response to positively
identify you. Humans can instantly recognize each other. We do this by simultaneous
synthesis of many visual, auditory and olfactory cues. In fact, our recognition is so
keen that it works even when the subject in question has altered their appearance or
sounds differently due to a cold. If a security system were as perceptive, it would be
incredibly difficult to circumvent as an attacker would be required to fool multiple
sensors simultaneously. In the future, we predict that multi-modal biometric technology
will be able to mimic how humans recognize each other by fusing biometric sensors
together and allowing security systems to evaluate our identity “holistically.” In this
scenario, match threshold values can be consolidated across multiple vectors, enabling
drastically improved recognition and the near elimination of false positives. [16] In
other words, a user may have a swollen face, but the system would still recognize her
because her height, iris and voice prints match.
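The threshold trade-off described in the bullet list above (false accepts versus false rejects) and the consolidation of thresholds across modalities described in this paragraph can be made concrete with a small simulation. The following is an added example, not code from the chapter or from any biometric vendor; the match scores are synthetic (drawn from a seeded random generator), the three modalities, their means and the 0.55 threshold are assumptions, and the fusion rule is the simple average of per-modality scores, one of several possible score-level fusion rules.

```python
import random

# Constructed synthetic match scores, not measurements from the chapter. Each
# modality returns a similarity score in [0, 1]: genuine users tend to score
# high, impostors low, with noise standing in for ageing faces, scarred
# fingers and sore throats. The seed makes the run reproducible.
RNG = random.Random(2009)


def make_scores(n, genuine_mean, impostor_mean, noise):
    """Draw n genuine and n impostor scores for one modality, clipped to [0, 1]."""
    genuine = [min(1.0, max(0.0, RNG.gauss(genuine_mean, noise))) for _ in range(n)]
    impostor = [min(1.0, max(0.0, RNG.gauss(impostor_mean, noise))) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """False Accept Rate (impostors at or above the threshold) and
    False Reject Rate (genuine users below it) for one threshold setting."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def fuse(*modalities):
    """Score-level fusion by averaging the per-modality scores of the same
    presentation. When the modalities' noise is independent, the average is
    less noisy than any single score, so one consolidated threshold
    separates genuine users from impostors better than any modality alone."""
    return [sum(scores) / len(scores) for scores in zip(*modalities)]


def simulate(threshold=0.55, n=2000, face_genuine_mean=0.7):
    """Compare a face-only decision with a face+iris+voice fused decision.
    Lowering face_genuine_mean models the chapter's swollen face: the face
    sensor alone would reject the user, but the fused score still matches."""
    face_g, face_i = make_scores(n, face_genuine_mean, 0.4, 0.1)
    iris_g, iris_i = make_scores(n, 0.7, 0.4, 0.1)
    voice_g, voice_i = make_scores(n, 0.7, 0.4, 0.1)
    face_only = error_rates(face_g, face_i, threshold)
    fused = error_rates(fuse(face_g, iris_g, voice_g),
                        fuse(face_i, iris_i, voice_i), threshold)
    return {"face_only": face_only, "fused": fused}


if __name__ == "__main__":
    for label, kwargs in (("normal", {}), ("swollen face", {"face_genuine_mean": 0.5})):
        result = simulate(**kwargs)
        print(f"{label}: face-only FAR/FRR = {result['face_only']}, fused = {result['fused']}")
```

With the assumed distributions the face-only decision makes roughly 7% errors of each kind at the 0.55 threshold, while the fused decision makes well under 1%; in the degraded-face run the face sensor rejects most genuine users but the fused score still accepts the large majority of them, which is the behaviour the paragraph anticipates.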

6.2. Strong Passphrases

Supporters of biometric authentication have gone so far as to suggest that the biometric
is all that may be necessary to positively identify a user and allow access to a sensitive
system. While highly convenient and in some cases transparent for the user, we
disagree on the grounds that while current biometric technology provides a
significantly stronger mechanism for positive user identification, it still has sufficient
vulnerabilities that must be addressed before we can completely eliminate strong two-
factor authentication.
Since multi-modal biometrics are not yet cost effective for most implementations,
one thing that could be done to increase the usability of most authentication systems is
to eliminate the “strong password” and replace it with the more usable “passphrase.”
It is much easier for humans to both create and remember a 47 character phrase like
“Securing my identity in 2009 is very important!” rather than a meaningless string of 8
random characters such as “!$3^1@Z&”.
Numerous debates surround the topic of the cryptographic strength of a passphrase
vs. the strong password and the related entropy10 of each. Most agree however that the
longer passphrase (30 characters or more is typical) enables increased cryptographic
strength, rendering many kinds of brute force attacks highly impractical. More
importantly, because the passphrase is relatively easy to remember, we are far less
likely to write it down.
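The entropy comparison made in this paragraph can be worked through numerically. The following is an added example, not code from the chapter: it applies the usual formula for a secret built from n independent, uniformly chosen items out of a set of N (n times log2 of N) to the chapter's own 8-character password and 47-character passphrase. The 94 printable ASCII characters and the 7776-word list size (the standard diceware list) are real figures; the guess rate of 10^10 per second is an assumption chosen for illustration, and the per-word estimate assumes each word was drawn at random from that list, which a memorable English sentence typically is not.

```python
import math

# Constructed inputs taken from the chapter's own illustration.
RANDOM_PASSWORD = "!$3^1@Z&"
PASSPHRASE = "Securing my identity in 2009 is very important!"
PRINTABLE_ASCII = 94        # characters an attacker must try per position
DICEWARE_WORDS = 7776       # words in a standard diceware list (6**5)
GUESSES_PER_SECOND = 1e10   # assumed offline guessing rate, for illustration only


def entropy_bits(items_chosen: int, set_size: int) -> float:
    """Entropy in bits of a secret made of items_chosen independent picks from
    set_size equally likely possibilities: n * log2(N). These are the
    'number of items' and 'size of the set' components of the footnote; the
    third component, the probability of each item, is uniform here."""
    return items_chosen * math.log2(set_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time, in years, to enumerate the whole keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Three estimates for the chapter's examples:
    - random8_bits: 8 characters chosen uniformly from printable ASCII
    - words_bits:   the passphrase's 8 words, if each were chosen uniformly
                    from a 7776-word list (a fair estimate for a diceware
                    passphrase, an overestimate for a natural sentence)
    - chars_bits:   the passphrase treated as 47 uniformly random characters,
                    an upper bound that a real sentence never reaches."""
    word_count = len(PASSPHRASE.split())
    return {
        "random8_bits": entropy_bits(len(RANDOM_PASSWORD), PRINTABLE_ASCII),
        "words_bits": entropy_bits(word_count, DICEWARE_WORDS),
        "chars_bits": entropy_bits(len(PASSPHRASE), PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:13s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
```

The random 8-character password comes out at about 52 bits, which the assumed guessing rate exhausts in days, whereas eight words drawn from a 7776-word list give about 103 bits, which is out of reach of exhaustive search. The point the chapter makes about debates over passphrase strength shows up in the gap between the word-based and character-based estimates: the strength of a passphrase depends on how it was chosen, not on its character count.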

10 Entropy is a measure of the uncertainty associated with a random variable. There are three components to
entropy: the number of items chosen, the size of the set from which they are chosen, and the probability that
each individual item is chosen. Since pass phrases are longer than passwords, they have the potential for
higher entropy than passwords (even if they are picked from the same character set), making them much
harder to crack.

6.3. Threat Awareness

A door is a physical barrier; if there is a lock on it, only authorized (key holders) are
supposed to be allowed access. Yet, a thief can steal the key, pick the lock, break down
the door or go through a window. In the physical world, we use alarm systems that
include various sensors (contact, motion, and pressure) to sense unauthorized
intrusions. Once an intrusion is detected, an alarm sounds and authorities are
dispatched to the property. At the network level, intrusion detection/prevention systems
have evolved significantly allowing for real-time responses such as blocking suspicious
traffic and automatically alerting administrators. When we look at most authentication
systems however, they do little to proactively sense and defend against threats or alert
account owners and administrators of a possible breach. In short, most are not threat
aware. At best, they lock a user account after a certain number of login attempts and
require reactivation and may log unsuccessful attempts in a log file or audit trail. While
this is useful for forensic analysis after the system has been compromised, this does
little to prevent or deter an attacker that has already stolen valid credentials. In
addition, many attacks originate from inside the network by disgruntled employees
utilizing their own credentials or those stolen from colleagues.
In order to secure systems from these sorts of threats, developers may be able to
incorporate some of the lessons learned by the financial industry. Given the enormous
costs associated with credit card fraud, many credit card companies have become adept
at tracking individualized spending patterns (what cardholders typically buy, where
they usually buy, average transaction sizes) and can proactively alert consumers of
unorthodox spending patterns or charges originating from locations not commonly
associated with the card holder. If we apply this principle to an authentication system, it
would be able to perceive a threat by sensing anomalous behaviors in the user. For
example, a user who is attempting to enter a building at an unusual hour or login to a
system from an atypical remote location. Biometric sensors could further enhance this
approach by adapting speech recognition to detect stress or fear in the user’s voice,
scanning for pupil dilation or recognizing when an unknown person is standing too
close to a user.
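The card-issuer analogy in this paragraph (a baseline of normal behaviour against which each new event is judged) translates directly into a threat-aware login check. The following is an added example, not code from the chapter: it builds a per-user profile of login hours and source addresses from constructed audit records, scores a new login against that profile, and maps the result onto a graduated response. The record format, the user names, the addresses and the 10.20.0.0/16 "corporate" network are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed login records (not from the chapter), one per line:
# "<ISO timestamp> <user> <source IP> <result>". They stand in for an
# authentication audit trail covering each user's normal working pattern.
HISTORY = """
2009-03-02T08:55:12 alice 10.20.1.15 success
2009-03-02T17:40:03 alice 10.20.1.15 success
2009-03-03T09:05:44 alice 10.20.1.22 success
2009-03-04T08:47:31 alice 10.20.1.15 success
2009-03-05T09:12:09 alice 10.20.1.31 success
2009-03-06T18:02:55 alice 10.20.1.15 success
2009-03-02T07:30:00 bob 10.20.2.40 success
2009-03-03T07:35:10 bob 10.20.2.40 success
2009-03-04T07:28:45 bob 10.20.2.41 success
""".strip().splitlines()

TRUSTED_NETS = [ip_network("10.20.0.0/16")]  # assumed corporate address space


def parse(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, ip_address(src), result


def build_baseline(lines):
    """Per-user profile of the hours and source addresses seen in successful
    logins: the authentication analogue of a card issuer's spending profile."""
    hours, sources = defaultdict(set), defaultdict(set)
    for line in lines:
        ts, user, src, result = parse(line)
        if result == "success":
            hours[user].add(ts.hour)
            sources[user].add(src)
    return {"hours": hours, "sources": sources}


def hour_distance(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def assess(baseline, line):
    """Return the anomaly indicators for one login event; an empty list means
    the event fits the user's baseline."""
    ts, user, src, _ = parse(line)
    indicators = []
    usual_hours = baseline["hours"].get(user, set())
    if usual_hours and min(hour_distance(ts.hour, h) for h in usual_hours) > 2:
        indicators.append("unusual_hour")
    if src not in baseline["sources"].get(user, set()):
        indicators.append("new_source")
    if not any(src in net for net in TRUSTED_NETS):
        indicators.append("untrusted_network")
    return indicators


def recommended_action(indicators):
    """Graduated response: stay transparent when the login looks normal,
    ask for a second factor when one thing is odd, and alert the account
    owner and administrators (holding the session) when several indicators
    coincide, which is where a stolen-but-valid credential is most likely."""
    if not indicators:
        return "allow"
    if len(indicators) == 1:
        return "step_up"
    return "alert_and_hold"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in ("2009-03-09T09:01:00 alice 10.20.1.15 success",
                  "2009-03-09T08:50:00 alice 10.20.1.77 success",
                  "2009-03-09T03:12:00 alice 203.0.113.7 success"):
        found = assess(baseline, event)
        print(event, "->", found or "baseline", "->", recommended_action(found))
```

The profile here is deliberately crude (sets of hours and addresses); a production system would weight recent history, handle travel and shift changes, and tune the thresholds against the false-alarm rate, but the structure of baseline, indicators and graduated response is the same.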

6.4. Adapt in Real-time

Security systems should not only recognize threats, but also be capable of adapting to
these threats in real time. When no threat indicators are present, adaptive security
systems should remain relatively transparent and not interfere with users’ productive
workflow. However, when a threat is identified, the system should be “smart” enough
to adjust its behavior and increase its security posture in a manner commensurate with
the threat it perceives. While we may be several years away from biometric fusion and
artificial intelligence that is capable of judging threats based on user behaviors and
situational awareness, we do have the technology today that could block access to
systems for users who are being forced to reveal their credentials. Similar to a silent
alarm system, a person who is under duress to reveal her password may provide a
“safeword” instead. The system, upon receiving the “safeword”, would automatically
secure critical or sensitive data and “pretend” to allow the attacker access to the system
while notifying authorities and logging all activity on the workstation.
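The duress "safeword" described in this paragraph is straightforward to build with the technology the chapter says exists today. The following is an added example, not code from the chapter: a user is enrolled with a normal passphrase and a separate safeword, both stored as salted PBKDF2 hashes; at login the supplied secret is hashed once and compared against both stored values in constant time, so a normal login, a duress login and a failed login cost the same work and return the same shape of response. The credential store layout, the alert channel and the session descriptor are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed credential store (not from the chapter). Each record holds one
# salt and two PBKDF2-SHA256 hashes: the normal passphrase and the duress
# safeword. A stolen database reveals neither secret.
PBKDF2_ROUNDS = 100_000

ALERTS = []  # stands in for the out-of-band notification channel to responders


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(passphrase: str, safeword: str) -> dict:
    """Create a credential record. The safeword must differ from the
    passphrase, otherwise the silent alarm could never be distinguished."""
    if passphrase == safeword:
        raise ValueError("safeword must differ from the passphrase")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "normal": _hash(passphrase, salt), "duress": _hash(safeword, salt)}


def authenticate(record: dict, supplied: str, user: str) -> dict:
    """Verify the supplied secret and return a session descriptor.

    Design points: the supplied secret is hashed exactly once and compared
    against both stored hashes with a constant-time comparison, so the
    response time does not reveal which path was taken; and the duress
    response is shaped exactly like a normal success, so the person applying
    the pressure sees an ordinary login while sensitive data is fenced off,
    all activity is logged and responders are notified."""
    candidate = _hash(supplied, record["salt"])
    is_normal = hmac.compare_digest(candidate, record["normal"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    if is_normal:
        return {"granted": True, "mode": "normal", "sensitive_data": True, "audit": "standard"}
    if is_duress:
        ALERTS.append({"user": user, "event": "duress_login"})
        return {"granted": True, "mode": "decoy", "sensitive_data": False, "audit": "full_capture"}
    return {"granted": False, "mode": "denied", "sensitive_data": False, "audit": "standard"}


if __name__ == "__main__":
    record = enroll("Securing my identity in 2009 is very important!", "Forecast says rain again")
    for attempt in ("Securing my identity in 2009 is very important!",
                    "Forecast says rain again", "letmein"):
        print(authenticate(record, attempt, "alice")["mode"])
    print("alerts raised:", ALERTS)
```

The decoy session itself (what the "pretend" environment shows, how far it goes before responders arrive) is a policy decision outside this snippet; what the code settles is that the decision between real and decoy is made at the credential check and is invisible at the login prompt.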

6.5. Largely Transparent and Convenient

When Windows Vista was released, many of the complaints about the operating system
were directed at the incessant security messages that the operating system directed at
the users. One "feature" that Microsoft added to Windows Vista is the ability to stop
programs from starting to begin with. This was aimed at reducing the threat of viruses
and malware so common on home computers. Microsoft implemented this in the form
of the User Account Control (UAC). The UAC was incredibly “chatty” and constantly
asked users whether they wanted a program to continue or if it should cancel the
operation. While the purpose was to warn users when an unknown or unwanted
program asked to start, Microsoft coded the service to display the message repeatedly
for almost any non-Microsoft program. These messages were so frequent and annoying
that most users simply ignored them and became used to clicking continue to get back to
their production task. Microsoft’s willful disregard for usability was further
underscored by outrageous comments made at the RSA 2008, in San Francisco, where
Microsoft admitted that UAC was designed, specifically, to annoy. Microsoft's David
Cross stated that "The reason we put UAC into the platform was to annoy users. I'm
serious," said Cross. [17]
It is no surprise that soon after Vista was released, a slew of internet pages, blogs
and forum posts sprang up with instructions on how to turn UAC off and according to
Ars Technica’s Ken Fisher, “…one of the most popular post-Vista install activities is
disabling UAC.”
So what have we learned? In this case, while the concepts of threat awareness and
user notification were laudable additions to the Vista OS, the implementation was an
unmitigated disaster and many Vista systems became significantly less secure as a
result.

6.6. Integrated Security

Integrating application and network security is not a new concept; Single Sign-On does
just that. Once single sign-on is in place, the managed passwords can be changed to the
strongest format allowed by the applications and managed automatically. If they are
never known by the user, they cannot be disclosed, written
down, or handled carelessly. However, if a single sign-on system is not reliable, users
and administrators will not trust it, creating back doors or leaving critical systems
vulnerable. In addition, many of today’s implementations are prone to creating a single
point of failure or a single point to break in. Usability is security, but reliability is
important for both. The ability of single sign-on to eliminate the need for numerous sets
of credentials is a drastic improvement in usability and, if implemented correctly, has
significant advantages for increased cyber security. If we take this concept one step
further, we could include physical access as an integrated component of our
authentication system. There are companies today that have created locks which can
not only read credentials11, but also write data directly back to the credential. This
gives administrators unprecedented access to monitor entry/exits from facilities12 and
quickly change access privileges when necessary without the expense of replacing
hardware for sensitive areas.

11 For example CoreStreet (http://www.corestreet.com) provides locks that can read and write to a token
(FIPS 201 compliant smart card) thus allowing physical access privileges to be denied (without the need for
changing a lock) should the user’s network and system access be revoked. The same goes for increasing a
person’s access rights to facilities, for example when they have achieved security clearance. This has been a
costly problem with standard locks and keys issued to employees.

When traveling, we use an internationally accepted passport, which represents a
“trusted” credential that allows us to legitimately enter or exit any country in the world.
From a usability standpoint, a unique, internationally recognized, trusted token that
when used in conjunction with a passphrase, biometric or other identifier gives a user
access to all their accounts, their vehicle, computer, and place of work could be an
interesting concept to pursue. However, for this to be feasible, we would be faced with
the Herculean tasks of ensuring the token cannot be forged yet remains easy and
convenient to reissue when lost or stolen. It would also be necessary to incorporate the
technology within a framework of strong safeguards to protect the personal privacy of
the users. No small feat.

6.7. Safeguard Personal Privacy

It cannot be stressed enough that if users do not trust that their privacy is being
protected, or if the actions being taken by a security system are not disclosed to the
users, they will not accept such a system or will intentionally bypass the system to
protect their privacy. Several studies indicate that the majority of people who find out
that software operates in a covert manner to compromise their privacy will discontinue
use of that software application. The most important aspect of maintaining user trust is
full disclosure of what the system may track and a clear understanding of the cost
benefit of the technology. 13 People are rightfully afraid of an Orwellian scenario, where
every step they take in both cyberspace and the real world is monitored by “authorities”
and will strongly resist any security technology that violates their privacy.
Yet, it is ironic that millions of people around the world post much of their
personal data daily on the internet via social networking and other sites14 and act as if
they are completely unaware that most of their activities can be easily followed, for
they leave digital “breadcrumbs” wherever they go. Blogs, MySpace entries, IRC
traffic, credit card records, phone records, internet activity logs, financial systems and
even our healthcare records are exposing our digital DNA to potential attackers. Today,
these “breadcrumbs” are distributed across the hundreds of web servers, applications
and the individual systems, which make aggregating this information somewhat
impractical. A single unifying identifier that can link all of these disparate systems
together, while highly “usable” will open a Pandora’s Box of privacy issues that our
societies may never be able to solve.

12 Which, as we have seen, could be useful in establishing normal baselines of activities in order to detect unusual
patterns of behavior that would enhance our detection of anomalous events.

13 There are countless examples of a user’s voluntary willingness to part with personal information in order to
increase convenience. After 9/11, several companies launched registered traveler programs aimed at
capitalizing on travelers’ aggravation with increased security. One such program, “Clear” (http://
www.flyclear.com), is now operating in twenty US Airports, and in exchange for $199 per year and
submitting personal information and a biometric for a background check, air travelers can access a special
security lane with almost no wait time. In August 2008, a laptop with 33,000 Clear records was lost or stolen
from the San Francisco Airport. Needless to say, the hard drive of that laptop was not encrypted, proving
once again that human error and lack of vigilance remain primary sources of cyber insecurity.

14 It may be interesting to note that the vast majority of these users are individuals who have grown up with
technology (Generation Y or the Millennials) and who don’t seem to have the same suspicions or concerns
regarding the security and privacy of their personal information.

The privacy challenges we face are enormous and cannot be exhaustively
discussed in this paper. Suffice it to say that the privacy question is of paramount
importance to our security and that it has intersecting moral, policy, legal, and
technology dimensions.

7. The Security System of the Future

It is September 1, 2013. In a dimly lit room on the outskirts of Peshawar in Pakistan,
five men stare into their computer monitors as their fingers rapidly tap the
keyboards. . . Suddenly, they are startled by a loud explosion and a blinding flash of
light. Before they can recover from the flash, they are laying face down with their
hands zip-tied behind their backs, looking up at the threatening muzzles of silenced
H&K MP5 submachine guns. The operators who wield them are the highly trained
professionals of the International Cybercrime Task Force. This elite, international law
enforcement unit was established by a mutual treaty and has the jurisdiction to arrest
and bring criminals wanted for cybercrimes before an international tribunal.
Accompanied by two armed Pakistani police officers, they make quick work of seizing
the computer equipment for digital forensic analysis.
For almost a year, these men have been under close watch by the International
Cybercrime Coalition (ICC), an International organization founded in 2011 with
participants from over 40 countries and almost all major software and networking
vendors. The ICC, which is tasked with blending information from all the participating
countries’ cyber-security fusion centers, is closely linked with international law
enforcement agencies. The ICC, together with the cooperation of prominent technology
companies, including Microsoft, McAfee, Norton, Cisco, GoogleLabs, Barracuda,
SonicWall, and over 20 other leading technology providers, developed an early
warning framework that could be installed on any number of devices, was threat aware
and could upload new threat models in real time.
The ICC was successful in developing a vast, opt-in early warning network dubbed
Operation CyberShield, which was launched by creating a successful marketing
campaign for security awareness. Users, many fed up with the constant spam, viruses,
malware and worms infecting their computers, were informed that they could assist
cyber enforcement officials by downloading the free CyberShield software package.
CyberShield was designed to constantly monitor in-bound activity originating
from their network connection and automatically alert users and the ICC authorities of
suspicious hacking attempts on user’s computers. Within six months of international
campaigning, over 5 million computers had the software installed. Cisco and
Microsoft made the software an integrated option within their operating systems and
numerous open source versions were released two months later. Pretty soon, the
CyberShield network was growing at the rate of 10% per month.
By the time the men in Peshawar began their attempts to compromise critical
machines, over 48 million computers, routers and firewalls on the internet were acting
as early warning systems. Unfortunately for the plotters, several of these had the
CyberShield system installed.
One hundred seventeen of these devices sent critical alerts to the ICC fusion
center, which, upon automated cross-referencing of the attackers’ MAC and IP
source addresses, flagged the addresses for further observation.
But CyberShield was not just an early warning system. As administrators and users
were alerted to the threat, they activated its “HoneyPot” mode; the software spawned a
virtual machine that “pretended” to be the compromised host at the mercy of its
A. Vidali / Striking the Balance: Security vs. Utility 27

attacker. CyberShield automatically redirected all traffic originating from the attacker’s
network address to the HoneyPot, all the while logging the illicit activities. The tables
were now turned. . .
Back at the ICC fusion center headquarters, logs from the HoneyPots poured in,
and within hours, cyber security analysts had identified the vulnerability and security
patches that were developed by the involved vendors were automatically distributed
through the CyberShield network to all of its connected machines. During this entire
time, the five cyberterrorists remained blissfully unaware that their intrusion had been
detected and that they were under counter-surveillance.
Later that day, authorities were able to decode an encrypted message from Hezbollah
terrorist leaders and were made aware of the numerous conventional attacks that were
planned to coincide with a massive cyberattack planned for the 11th of September. The
message referred to similar groups in Venezuela and Iran, and authorities began cyber
surveillance operations targeted at those countries’ subnets, uncovering two additional
cyber-cells involved in the attack.
ICC authorities increased threat levels across cyberspace and coordinated with
Law Enforcement in the US and the UK that were investigating Hezbollah plots. The
additional information gleaned from the computer logs seized in Pakistan provided
investigators significant leads that led to the arrests of several cell members in the
Midwest and East Coast involved in the scheme.
Numerous arrests were made the following week after additional evidence was
gathered from the captured men’s homes.

Conclusion

Technology has become an indispensable tool for modern societies, yet our cyber
infrastructure remains highly vulnerable to attack. In this paper, we have explored some
root causes of cyber-insecurity and conclude that a significant problem lies with
humans. If we do not begin designing systems that squarely address human limitations
and recognize that usable solutions are a crucial component of strong security, we will
undoubtedly remain highly vulnerable and, within a decade, see our technology turned
against us in continued, more sophisticated and damaging attacks.
As we designed the scenario outlined in the introduction, it was frightening to note
how many possible avenues of cyber attack exist and how fragile and tenuous our
economies and way of life actually are. As we pursued outlining both the problems and
some possible solutions it became clear that there is no single “magic bullet” approach
that will guarantee our safety. It is more a question of constant vigilance and the will to
evolve our security solutions to deal with 21st Century threats.
Finally, to succeed in hardening our security across cyberspace will require
unprecedented cooperation between nations, companies, academia and citizens as the
challenges are both formidable and multi-dimensional. The price of not solving these
problems may be nothing less than our way of life.

Modelling Cyber Security: Approaches, Methodology, Strategies 29
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-29

Secure Software Engineering: Developing the New Generation of Secure Systems by
Introducing a Security Focus Throughout the Development Lifecycle
H. MOURATIDIS
School of Computing, Information Technology and Engineering
University of East London, England
haris@uel.ac.uk

Abstract. In this paper we argue that, in order to develop the next generation of
secure software systems, a security focus must be introduced throughout the
development lifecycle. We also argue that security is not just a technical issue,
and we explain how considering security issues from the earliest stages of the
development process leads to the development of more secure software systems.
After looking at the limitations and barriers of existing research and industrial
approaches, with respect to the engineering of secure software systems, we
briefly describe a methodology, which considers both the social and the technical
aspects of security and supports the objective of considering security from the
early stages of the software systems development. Moreover, we also argue that,
in order to provide a security focus throughout the development lifecycle, we
need to look at the issue collectively, rather than individually, by establishing a
discipline that will form the basis of an in depth understanding of the security
issues involved in the development of software systems; provide the appropriate
knowledge and best practice to assist software and security engineers in
developing secure software systems; and also educate system users on security
related issues.

Introduction

Security systems have been used to protect humans since the start of time. Initially,
physical security systems, such as mechanical traps, walled castles and ramparts, door
locks and alarms, were put in place as protection from intruders. More recently, the
storage of important information in electronic format has introduced the need for
computer security systems, such as firewalls, intrusion detection systems and antivirus
software. The field of Computer Security, although newer in comparison with physical
security, is definitely not a new topic and has been a reality since the 1960s [1].
Nevertheless, it was not until the advent of distributed systems and computer networks
that the security of information systems has become an issue of monumental concern.
Current software systems contain a large quantity of important and sensitive
information ranging from medical records, to financial accounts, to confidential
government information, to military secrets. As a result, the need to protect such
30 H. Mouratidis / Secure Software Engineering

information and develop secure software systems is no longer an option, but rather a
necessity. It is therefore of paramount importance to fully understand the underlying
characteristics, principles and challenges involved in the development of secure
software systems. It is only then that we will be able to create software systems capable
of safeguarding the information that is stored in them. As we gain an in depth
understanding of how to develop secure software systems, it is important to
understand that software systems operate within the greater context of “human society”
and not in isolation. This is because a number of factors can affect the security of a
software system. Such factors, however, do not necessarily challenge the technical
issues related to the security of a software system. Consider, for example, the scenario
in which a system, X, operates a password protected policy, where each user must enter
a correct username and password to gain access. Consider also that user Y has written
down his/her password and has attached it to their computer screen. An attacker, Z, can
gain access to the system using the details of user Y. Although the technical security
solution of the system is not under attack, the human interaction with the system has
introduced security vulnerabilities.
Despite the need to consider software systems security as a multidimensional
issue, current research work mostly focuses on the technical issues of software system
security, such as authentication and encryption. Although this work is very important,
we believe that it cannot achieve the development of secure software systems on its
own. A multidimensional treatment of security is needed to form the basis for an in
depth understanding of security issues involved in the development of software
systems; provide the appropriate knowledge to assist software systems engineers and
security engineers in developing secure software systems; and also educate system
users on issues related to the security of software systems.
In this paper, we review the current state of the art in the area of secure software
engineering, and we briefly present a security-aware methodology that enables
software engineers to generate the appropriate security requirements for a system by
analysing its environment, including its stakeholders. This allows software engineers
not only to understand the technical challenges and requirements of the system but,
equally important, the challenges and security requirements introduced by the social
aspects of the system (environment, stakeholders, users and so on). The necessity of
introducing a discipline to support engineering secure software systems is also
discussed. In particular, Section 1 reviews research work in the area, whereas Section 2
briefly presents the Secure Tropos methodology. Section 3 discusses the foundations
for a Secure Software Engineering discipline and, finally, the last section concludes the
paper.

1. Secure Software Engineering: State of the Art

Initial work from the software systems engineering community produced a number of
methods and processes intended to address non-functional requirements, including
security. Chung [2] proposed the Non-Functional Requirements (NFR) framework to
represent security requirements as potentially conflicting or harmonious goals and to be
able to use them during the development of information systems. From the security
engineering community, Schneier [3] proposed attack trees as a useful way to identify
and organise different attacks in an information system, whereas Viega and McGraw
[4] proposed ten (10) principles for building secure software. More recently, Anton et
al. [5], proposed a set of general taxonomies for security and privacy, to be used as a
general knowledge repository for the (security) goal refinement process. The pattern
approach has been proposed by a number of researchers to assist security novices to act
as security experts. Schumacher and Roedig [6] proposed a set of patterns, called
security patterns, which contribute to the overall process of secure information systems
engineering. Fernandez [7] specified security models to be object oriented patterns that
can be used as guidelines for the development of secure information systems.
Although useful, these approaches fail to define a structured process that takes
security into account. A well defined and structured process is of the utmost importance
when considering security during the development phase.
On the other hand, a number of researchers model security by taking the behaviour
of potential attackers into account. Van Lamsweerde and Letier [8] use the concept of
security goals and anti-goals. Anti-goals represent malicious obstacles set up by
attackers to threaten the security goals of a system. In addition, Van Lamsweerde [9]
also defines the notion of anti-models, models that capture attackers, their goals and
capabilities. Similarly, Crook et al. [10] introduce the notion of anti-requirements to
represent the requirements of malicious attackers. Anti-requirements are expressed in
terms of the problem domain phenomena and are satisfied when the security threats
imposed by the attacker are realised in any one instance of the problem. Lin et al. [11],
incorporate anti-requirements into abuse frames. The purpose of abuse frames is to
represent security threats and to facilitate the analysis of the conditions in the system in
which a security violation occurs. An important limitation of all of these approaches is
that security is considered a vague goal that has to be satisfied, and they all lack a
precise description and enumeration of specific security properties.
A different “school of thought” favours the development of methods to
analyse and reason about security based on the relationships between actors
(such as users, stakeholders and attackers) and the system. Liu et al. [12] have
presented work to identify security requirements that are analysed, during the
development of multiagent systems, as relationships amongst strategic actors.
Moreover, secure Tropos [13] has been proposed to deal with the modelling and
reasoning of security requirements and their transformation to a design that satisfies
those requirements (see more information in the next section). Secure Tropos has been
complemented by works in the areas of security attack scenarios [14] and a security
patterns language [15].
Another direction is based on the extension of use cases and the Unified Modelling
Language (UML). Initial work by McDermott and Fox [16] adapts use cases, which are
called abuse cases, to capture and analyse security requirements. An abuse case is
defined as a specification of a type of complete interaction between a system and one
or more actors, where the results of the interaction are harmful to the system, one of the
actors, or one of the stakeholders of the system. Similarly, Sindre and Opdahl [17]
define the concept of misuse case, the inverse of use case, which describes a function
that the system should not allow. They also define the concept of mis-actor as someone
who intentionally or accidentally initiates a misuse case and to whom the system
should not give support. Alexander [18] adds Threatens, Mitigates, Aggravates links to
the use case diagram, while Jürjens proposes UMLsec [19], an extension of the
Unified Modelling Language (UML), to include the modelling of security related
features, such as confidentiality and access control. Lodderstedt et al. [20] also extend
UML to model security. In their approach, security is considered by analysing security
related misuse cases.
A significant limitation of the use-case/UML related approaches is that, although
they treat security in system-oriented terms, modelling and analysis of security
requirements at a social level are still lacking. In other words, they lack models that
focus on high-level security requirements, meaning models that do not force the
designer to immediately go down to security requirements.
On the other hand, a large amount of work has been devoted to security policies
and the definition of security models. Various models have been proposed based on
mandatory access control (MAC), discretionary access control (DAC) and role-based
access control (RBAC). One of the first models was the Bell-LaPadula multilevel
security model [21]. Another well known model is the Chinese Wall model [22],
according to which data is organised into three different levels.
The definition of security ontology is also an important area of research within the
security engineering community. Initial efforts to define a widely accepted security
ontology resulted in what is known as the Orange Book (US Department of Defense
Standard DOD 5200.58-STD). However, work towards this standard started in the late
1960s and was concluded by the late 1970s. Therefore important issues, raised by the
introduction of the Internet and the usage of information systems to almost every aspect
of our lives, have not been inserted into the standard. More recently, Kagal et al. [23]
have developed an ontology, expressed in DAML+OIL, to represent security
information, trust and policies in multiagent systems, whereas Undercoffer and
Pinkston [24], after analysing over 4000 computer vulnerabilities and the
corresponding attack strategies employed to exploit them, have produced an ontology
for specifying a model of computer attacks. Bimrah et al. [25] have defined an
ontology to support trust modelling and have discussed how security is affected by
trust.
A number of works have been initiated in industrial environments. CLASP [26] is
an application security process that supports the consideration of security issues during
the software development lifecycle. CLASP introduces a number of activities that can
be integrated into a software development process to support security along with
indications on who (from a development team) is responsible for each of these
activities. The Microsoft Security Development Lifecycle (MS SDL) [27] aims to
reduce security vulnerabilities. SDL consists of best practices and tools that have been
successfully used to develop recent Microsoft products. The approach includes a
number of stages, such as education and awareness, project inception, cost analysis and
so on.
All of the works presented in this section have aided in increasing a general
understanding of the problem of developing secure software systems, and they have
provided some support towards a move in this direction. However, most of the existing
work primarily focuses on the technological aspects of security, and, in general, it
ignores the social dimension of security. It is important that security be considered
within the social context and any social issues, such as trust and the involvement of
humans, be taken into account [28]. In the next section, we briefly describe secure
Tropos, a methodology that considers the technical as well as social aspects of security
when developing a software system.
2. Secure Tropos

In this section, we present the Secure Tropos methodology [13], a security-aware
methodology that enables software engineers to take security issues into account
throughout a system’s development process. Due to page limitations, our description is
focused on the modelling language, some modelling diagrams and the development
steps of the methodology. Applications of the methodology to various case studies have
been presented in the literature [29] [30].
The Secure Tropos modelling language adopts a number of concepts from the i*
modelling framework [31]. The modelling language supports the creation of models
representing actors, their intentional goals (alongside the plans and resources required
to fulfil these goals), security constraints (alongside secure plans and resources
required to satisfy these constraints), and social and secure dependencies for defining
the dependencies of one actor to another. The language has also been extended to be
able to take threats and vulnerabilities, as well as trust, into consideration [25] [32].
In particular, the language defines the following concepts:
An actor [31] represents an entity that has intentionality and strategic goals within
a software system or within its organisational setting. An actor can be a (social) agent, a
position, or a role. Agents can be physical agents, such as a person, or software agents.
Software agents are defined as software having properties such as autonomy, social
ability, reactivity, and pro-activity. A role represents an abstract characterisation of the
behaviour of a social actor within some specialised context or domain of endeavour
[31]. A position represents a set of roles, typically played by one agent.
A hard-goal [31] represents a condition in the world that an actor would like to
achieve. In other words, goals represent an actor’s strategic interests. The language
differentiates the concept of a hard-goal (simply goal hereafter) from the concept of
soft-goal.
A soft-goal is used to capture non-functional requirements of the system, and
unlike a goal, it does not have clear criteria for deciding whether it is satisfied or not,
and therefore it is subject to interpretation [31]. For instance, an example of a soft-goal
is “the system should be scalable”.
A plan represents, on an abstract level, a way of doing something [33]. The
fulfilment of a plan can be a means for satisfying a goal, or for contributing towards the
fulfilment of a soft-goal. Different (alternative) plans, that actors might employ to
achieve their goals, are modelled. Therefore, developers can reason over which
different ways actors are able to achieve their goals and decide for the best possible
option or route to take.
A resource [33] represents a physical or informational entity that one of the actors
requires. The main concern when dealing with resources is whether the resource is
available and who is responsible for its delivery.
A dependency [31] between two actors is an indication that one actor depends on
another to attain some goal, execute a task, or deliver a resource. The dependent actor
is called the depender, and the actor who is depended upon is the dependee. The nature
of an agreement between dependee and depender is described by the type of
dependency and is referred to as dependum. Goal dependencies represent the
delegation of responsibility for fulfilling a goal. Soft-goal dependencies are similar to
goal dependencies, but their fulfilment cannot be defined precisely, whereas task
dependencies are used in situations where the dependee is required to perform a given
activity. Resource dependencies require the dependee to provide a resource to the
depender. By depending on the dependee for the dependum, the depender is able to
achieve goals that it is otherwise unable to achieve independently, or not as easily or as
well. However, the depender becomes vulnerable, because if the dependee fails to
deliver the dependum, the depender is affected in their aim of reaching their goals.
A capability [33] represents the ability of an actor to define, choose and execute a
task for the fulfilment of a goal, given certain world conditions and in presence of a
specific event.
A security constraint [13] is defined as a restriction related to security issues,
such as privacy, integrity and availability, which can influence the analysis and design
of a software system under development by restricting some alternative design
solutions, by conflicting with some of the requirements of the system, or by refining
some of the system’s objectives. Security constraints, captured through a specialisation
of constraint, do not represent specific security protocol restrictions, which should not
be specified until the implementation of the system. However, they do contribute to a
higher level of abstraction, which allows for a generalised design that is free of models
biased toward particular implementation languages.
A secure dependency [13] introduces security constraint(s) that must be fulfilled
for a certain dependency to be satisfied. Both the depender and the dependee must
agree to the security constraint in order for the secure dependency to be valid. That
means the depender expects that the dependee will satisfy the security constraint(s) and
also that the dependee will make an effort to deliver the dependum by satisfying the
same security constraint(s). Secure Tropos defines three different types of secure
dependency. In a depender secure dependency, the depender depends on the dependee
and the depender introduces security constraint(s) for the dependency. In a dependee
secure dependency, the depender depends on the dependee and the dependee introduces
security constraint(s) for the dependency. In a double secure dependency, the depender
depends on the dependee and both the depender and the dependee introduce security
constraints for the dependency. Both must satisfy the security constraints introduced for
the secure dependency to be achieved.
The term secure entity [13] is used in Secure Tropos to represent a secure goal, a
secure task or a secure resource.
A secure goal [13] represents the strategic interests of an actor with respect to
security. Secure goals are mainly introduced in order to achieve possible security
constraints that are imposed on an actor or that otherwise exist in the system. However,
a secure goal does not specifically define how the security constraints can be achieved,
since alternatives can also be considered. The precise definition of how the secure goal
can be achieved is given by a secure task.
A secure plan [13] is defined as a plan that represents a particular way of
satisfying a secure goal.
A secure resource [13] can be defined as an informational entity that is related to
the security of the software system.
A secure capability [13] represents the ability of an actor/agent to achieve a secure
goal, carry out a secure task, and/or deliver a secure resource.
To support the analysis of security requirements using the concepts defined above,
secure Tropos defines a number of models. Detailed information regarding these
models is outside the aim of this paper. However, to facilitate a better understanding of
the methodology, we briefly describe one of the methodology’s models, the security
enhanced actor model. Readers interested in obtaining information for the other models
of the methodology may refer to references [29] [30]. The security-enhanced actor
model, models any secure dependencies and the appropriate security constraints
imposed on the network of actors. The meta-model for the security enhanced actor
model is shown in Figure 1.

Figure 1. Meta-model for Security Enhanced Actor Model

The secure Tropos process supports three main aims when considering security
issues throughout the development stages of a software system: (i) identify the security
requirements of the system; (ii) develop a design that meets the specified security
requirements; and (iii) validate the developed system with respect to security.
The first step of the methodology’s process aims to identify the security
requirements of the system. Security requirements are identified by employing
modelling processes such as security constraints, secure entities and secure capabilities
modelling. In particular, the security constraints imposed on the system and the
stakeholders are identified and secure entities, which guarantee the satisfaction of the
identified security constraints, are imposed on the actors of the system.
The second step in the process consists of identifying a design that satisfies the
security requirements of the system, as well as its functional requirements. To achieve
this, sub-components of the system are identified and then secure capabilities that
guarantee the satisfaction of the security entities identified during the previous step are
allocated to these sub-components. It ought to be noted that, in this stage, different
architectural styles might be used to satisfy the functional requirements of the system.
However, there should be an evaluation of how each of these architectural styles
satisfies the security requirements of the system.
The third step of the process is the validation of the developed solution. The
Secure Tropos process allows for two types of validation: model validation and
design validation. The model validation involves validating the developed models (for
example, the security enhanced actor model or the security enhanced goal model) with
the aid of a set of validation rules [13]. It is worth mentioning that the validation rules
are divided into two different categories, the inter-model rules and the outer model
rules. The first allow for the validation of each model individually, whereas the second
allow for the consistency between the different developed models to be validated. The
inner model rules allow developers to validate the relationships between the
components of the different security-related models, such as the relationship between
the security features and the threats in the security reference diagram; to validate the
consistency between the same components that appear in more than one model, such as
a security constraint that appears in the actors’ model, as well as in the goal model; and
to validate the consistency when the delegation of components between actors takes
place.
The aim of the design validation is to check the developed solution against the
security policy of the system. A key feature of Secure Tropos that allows us to perform
such a validation is the fact that the same secure concepts are used throughout the
development stages. Moreover, the definition of these concepts allows us to provide a
direct mapping between them, and therefore to be able to validate whether the proposed
security solution satisfies the security policy.
It is of interest to note that the secure Tropos methodology has been employed in a
number of case studies [13] [29] [30] with positive results.
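As an added illustration (not Secure Tropos tooling, and not code from the paper), the following Python sketch encodes the actor, security constraint and secure dependency concepts described above and runs two of the kinds of validation rule the third step calls for: an inner-model rule that a secure dependency's type matches who introduced its constraints and that both actors agreed to them, and an outer-model rule that every constraint imposed on the dependee reappears as a secure goal in its goal model. The patient/hospital model and all names are constructed here.

```python
"""Toy encoding of Secure Tropos concepts with two validation rules.
Added illustration; the names and the sample model are constructed here."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class DependencyKind(Enum):
    """The three types of secure dependency defined in the paper."""
    DEPENDER = "depender"  # only the depender introduces constraints
    DEPENDEE = "dependee"  # only the dependee introduces constraints
    DOUBLE = "double"      # both sides introduce constraints


@dataclass(frozen=True)
class SecurityConstraint:
    name: str
    concern: str  # e.g. "privacy", "integrity", "availability"


@dataclass
class Actor:
    name: str
    # constraints this actor has agreed to; a secure dependency is only
    # valid when both depender and dependee agree to its constraints
    agreed: Set[SecurityConstraint] = field(default_factory=set)
    # goal-model view: constraint -> secure goal adopted to satisfy it
    secure_goals: Dict[SecurityConstraint, str] = field(default_factory=dict)


@dataclass
class SecureDependency:
    depender: Actor
    dependee: Actor
    dependum: str
    kind: DependencyKind
    by_depender: Set[SecurityConstraint] = field(default_factory=set)
    by_dependee: Set[SecurityConstraint] = field(default_factory=set)

    def constraints(self) -> Set[SecurityConstraint]:
        return self.by_depender | self.by_dependee


def check_dependency(dep: SecureDependency) -> List[str]:
    """Inner-model rule: the dependency type must match which side introduced
    constraints, and both actors must have agreed to every constraint."""
    errors: List[str] = []
    expected = {
        DependencyKind.DEPENDER: (True, False),
        DependencyKind.DEPENDEE: (False, True),
        DependencyKind.DOUBLE: (True, True),
    }[dep.kind]
    if (bool(dep.by_depender), bool(dep.by_dependee)) != expected:
        errors.append(f"'{dep.dependum}': constraints do not match a "
                      f"{dep.kind.value} secure dependency")
    for c in dep.constraints():
        for actor in (dep.depender, dep.dependee):
            if c not in actor.agreed:
                errors.append(f"'{dep.dependum}': {actor.name} has not agreed "
                              f"to '{c.name}'")
    return errors


def check_secure_goals(dep: SecureDependency) -> List[str]:
    """Outer-model rule: each constraint the dependee must satisfy in the
    actor model has to reappear in its goal model as a secure goal."""
    return [f"'{dep.dependum}': {dep.dependee.name} has no secure goal "
            f"for '{c.name}'"
            for c in dep.constraints() if c not in dep.dependee.secure_goals]


def validate(deps: List[SecureDependency]) -> List[str]:
    """Run both rule sets over an actor model; an empty list means valid."""
    errors: List[str] = []
    for dep in deps:
        errors += check_dependency(dep) + check_secure_goals(dep)
    return errors


def example_model():
    """Constructed sample: a patient depends on a hospital for a medical
    record under a double secure dependency (each side adds one constraint)."""
    keep_private = SecurityConstraint("keep record private", "privacy")
    staff_only = SecurityConstraint("only authorised staff update record",
                                    "integrity")
    patient = Actor("Patient", agreed={keep_private, staff_only})
    hospital = Actor("Hospital", agreed={keep_private, staff_only},
                     secure_goals={keep_private: "ensure record privacy",
                                   staff_only: "authenticate staff updates"})
    dep = SecureDependency(patient, hospital, "medical record",
                           DependencyKind.DOUBLE,
                           by_depender={keep_private}, by_dependee={staff_only})
    return dep, keep_private, staff_only


if __name__ == "__main__":
    dep, _, staff_only = example_model()
    print("valid model:", validate([dep]))      # []
    dep.dependee.agreed.discard(staff_only)     # hospital withdraws agreement
    print("broken model:", validate([dep]))
```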

3. Secure Software Engineering: A discipline

3.1. Motivation

There are various reasons that motivate the establishment of a discipline on Secure
Software Engineering. In this section we identify and discuss four important reasons,
and we explain how these affect the development of secure software systems by
presenting real-life scenarios.
Independent solutions: Securing information systems raises a set of intertwined
issues in the relevant areas of research, such as security engineering and software
systems engineering. However, the research communities of these two areas of research
(and in fact the research communities from most of the areas involved) traditionally
work independently. On one hand, software systems engineering techniques and
methodologies do not consider security as an important issue, although they have
integrated concepts, such as reliability and performance, and they usually fail to
provide precise enough semantics to support the analysis and design of security
requirements and properties [10] [13]. On the other hand, security engineering research
has mainly produced formal and theoretical methods, which are difficult to understand
by non security experts and which, apart from security, only consider limited aspects of
the system.
Sharing of knowledge: As discussed in the previous section, a number of efforts
have been reported in the literature towards developing security mechanisms, and
H. Mouratidis / Secure Software Engineering 37

methods, but these usually look at the problem from specific views and only for
specific purposes. This is primarily due to the fact that the software systems and security
engineering communities mainly work separately. This separation not only creates a
void in the proposed solutions, but it also results in restricted sharing of existing
knowledge. The research events organised by the two communities, their research
publications, and so on are rarely informed of what occurs in the forums of the
other. Even widely used textbooks mostly concentrate on one part of the problem,
either technical security issues or software engineering techniques, and, when they do
cover both, they only contain very limited information about the integration of security and
software systems engineering principles. The problem is worse when looking at the
integration of such work with other areas of research, such as social phenomena,
cognitive theories etc.
Custom solutions: In many cases, the inclusion of security in a system is driven
by existing custom technical solutions (e.g. security mechanisms) rather than the
system’s real security requirements. Basing the development of the security of a system
on specific security mechanisms, as opposed to the security requirements, prevents
different and sometimes better solutions from being considered and chosen to satisfy
the security requirements. As reported by Firesmith [34], requirements engineers do not
usually receive appropriate training in generating, analysing and specifying security
requirements. As a result, they often confuse them with security mechanisms, which are
used to fulfil the security requirements. Therefore, the engineers end up defining
architectures and constraints rather than true security requirements [34]. For instance,
imagine a system that requires identification and authentication. If the development of
the system is based on some specific solutions to these requirements, such as username
and password, then other solutions might be ignored, such as biometric identification
and authentication, which in some cases could better fulfil the initial security
requirements. Therefore, it is important that development be driven only by the security
requirements, as it happens with functional requirements, and not by the well-known
security solutions.
Lack of appropriate education: Professional training courses and university
curricula should help towards solving the aforementioned problem. Unfortunately,
however, they propagate it. Software engineering and security engineering
training, as well as curriculum development in universities, adhere to the separation of
the two main research areas and also isolate students from other non-technical areas.
McDermott [16] argues that not all information systems practitioners are security
specialists, nor do they fully understand mathematical security models. Moreover,
studies related to human behaviour and so on are never covered. This means that
software systems engineers are not well educated regarding the security issues that they
might be faced with during the development of software systems, and security
engineers are mostly not familiar with current practices and issues surrounding
software systems engineering. Furthermore, both understand very little of the aspects
of human behaviour and, therefore, have only a limited understanding of the potential
social issues that might affect the security of a system.

3.2. Foundations

We define Secure Software Engineering as the engineering discipline concerned with
the development of secure software systems. In particular, secure software engineering
is concerned with the unification of any area of research that can contribute to the
development of the knowledge (theoretical and practical), principles, practices as well
as the establishment of a research agenda regarding secure software systems
development. It is worth noting that we do not consider the definition above to be
absolute, but rather we expect it to be revised from time to time to indicate the maturity
and the progress the discipline makes, as is the case with most disciplines. As every
discipline aims to address a unique fundamental question, we propose that the first
question for secure software engineering can be formulated as “how are secure
software systems engineered?”. In answering such a question, many sub-questions need
to be formulated and answered. For example, what we mean by “secure software
systems” and “what is good security”. Usually, different researchers and practitioners
will answer such questions differently. However, it is imperative that common answers
are established for such fundamental issues, in order to provide a well-founded base on
which we will be able to base further research questions that will lead us ever closer to
answering the fundamental question of the discipline. Moreover, in answering such
questions, most likely global, general assumptions need to be made. We consider the
following three to be the general assumptions that need to be made for secure software
engineering: (1) the development of secure software systems is a complex issue that
involves technical as well as social challenges; (2) processes, models, methodologies
and automated tools can be employed to assist in the development of secure software
systems; (3) proper education of anyone involved in the development as well as in the
usage of software systems is needed to support the outputs of research addressing the
technical challenges and to complement the social challenges.
Disciplines do not exist in isolation, but they are related to reference disciplines.
Reference disciplines are existing bodies of knowledge that help establish the new
discipline. By formally referencing disciplines, the contributions of existing knowledge
are recognised and a logical link to the new discipline is provided. Without this linkage,
researchers in existing disciplines may question the grounding theories of a new
discipline and dismiss its importance [35].
Secure software engineering builds upon the knowledge, theories and methods of
several existing disciplines including software engineering, security engineering, and
social sciences. The techniques of the new discipline should be based on research
provided by the security engineering research community, such as attack testing, secure
design principles and security ontologies, complemented by research provided by the
software engineering community, such as requirements engineering techniques,
information systems development methodologies and modelling languages, and testing.
Moreover, theories from the social sciences should also be taken into account to ensure
that the human factor is appropriately considered.
We argue that an engineering discipline for secure information systems should be
based on the following principles: consider security from the early stages of the
information system development; separation of concepts; ensure quality of security
solution; consistency. Although some of these principles are not novel, and they are

based on related information systems and/or security engineering principles, the point
is that current approaches do not follow them.

Conclusion

This paper argues that a security focus needs to be introduced through the entire software
development process in order to support the development of the next generation of
secure software systems. Such an effort should bring the experience and
techniques from various current disciplines together, such as the software engineering,
security engineering and social studies disciplines, in a coherent and organised way. We
have also argued that security is not just a technical issue, and we have explained how the
consideration of security issues from the early stages of the development process leads
to the development of more secure software systems. The secure Tropos methodology
has been briefly described and an attempt has been made to define the foundations of a discipline of
secure software engineering. This is not an absolute attempt, however; the paper
aims to motivate a large-scale effort towards the development of the discipline, which
will hopefully result in a more complete and detailed definition of the proposed
discipline.

References

[1] Saltzer, J., Schroeder, M.D., (1975). The Protection of information in computer systems, In the
Proceedings of the IEEE 63 (9), pp.1278-1308, September 1975.
[2] Chung, L., and Nixon, B., (1995) Dealing with Non-Functional Requirements: Three Experimental
Studies of a Process-Oriented Approach. In Proceedings of the 17th International Conference on
Software Engineering, Seattle- USA.
[3] Schneier, B., (2000). Secrets & Lies: Digital Security in a Networked World, John Wiley & Sons
[4] McGraw, G., Viega, J., (2001), Building Secure Software: How to Avoid Security Problems the Right
Way. Addison-Wesley.
[5] Anton, A.I., Earp, J.B., (2004) A requirements taxonomy for reducing web site privacy vulnerabilities,
Requirements Engineering, 9(3):169-185, 2004.
[6] Schumacher, M., Roedig, U., (2001). Security Engineering with Patterns, in the Proceedings of the 8th
Conference on Pattern Languages for Programs (PLoP), Illinois – USA
[7] Fernandez, E.B. (2004) A methodology for secure software design, Proceedings of the 2004
International Conference on Software Engineering Research and Practice (SERP'04), Las Vegas, NV,
June 21-24, 2004.
[8] Van Lamsweerde, A., Letier, E., (2000). Handling Obstacles in Goal-Oriented Requirements
Engineering, Transactions of Software Engineering, 26 (10): 978-1005
[9] Van Lamsweerde, A., (2004). Elaborating Security Requirements by Construction of Intentional Anti-
Models, Proceedings of the 26th International Conference on Software Engineering, Edinburgh, May,
ACM-IEEE, pp. 148-157
[10] Crook, R., Ince, D., Nuseibeh, B. (2003). Modelling Access Policies Using Roles in Requirements
Engineering, Information and Software Technology. 45(14):979-991, Elsevier
[11] Lin, L.C., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J., (2003). Analysing Security Threats and
Vulnerabilities Using Abuse Frames, Technical Report 2003/10, The Open University
[12] Liu, L., Yu, E., Mylopoulos, J., (2003). Security and Privacy Requirements Analysis within a Social
Setting, In Proceedings of the 11th International Requirements Engineering Conference, pp. 151-161,
IEEE Press.

[13] Mouratidis, H. (2004). A security oriented approach in the development of multiagent systems: applied
to the management of the health and social care needs of older people in England, PhD thesis,
University of Sheffield.
[14] Mouratidis, H., Giorgini, P., Manson, G., (2004b). Using Security Attack Scenarios to Analyse Security
During Information Systems Design, in the Proceedings of the International Conference on Enterprise
Information Systems (ICEIS 2004), pp. 10-17, April, Porto-Portugal
[15] Mouratidis, H., Weiss, M., Giorgini, P., (2005c). Security patterns meet agent oriented software
engineering: a complementary solution for developing security information systems, Proceedings of the
24th International Conference on Conceptual Modelling (ER), Lecture Notes in Computer Science 3716,
pp. 225-240, Springer-Verlag.
[16] McDermott, J., Fox, C., (1999). Using Abuse Case Models for Security Requirements Analysis,
Proceedings of the 15th Annual Computer Security Applications Conference.
[17] Sindre, G., Opdahl, A.L., (2005). Eliciting security requirements with misuse cases, Requirements
Engineering, 10(1):34-44
[18] Alexander, I. (2003). Misuse Cases: Use cases with hostile intent. IEEE Software, 20, 58-66.
[19] Jürjens, J., (2004). Secure System Development with UML. Springer-Verlag.
[20] Lodderstedt, T., Basin, D., Doser, J., (2002). SecureUML: A UML-Based Modelling Language for
Model-Driven Security, in Proceedings of the UML’02, LNCS 2460, pp. 426-441, Springer-Verlag.
[21] Bell, D. E., LaPadula, L. J., (1976) Secure Computer Systems: Mathematical Foundations and Model.
The Mitre Corporation
[22] Brewer, D.F.C., Nash, M.J. (1989), The Chinese Wall Security Policy, Proceedings of the IEEE
Symposium on Research in Security and Privacy, pp. 206-214, 1-3 May 1989, Oakland,
California.
[23] Kagal, L., Finin, T., (2005). Modeling Conversation Policies using Permissions and Obligations, in
Developments in Agent Communication, Frank Dignum, Rogier van Eijk, Marc-Philippe Huget (Eds),
(Post-proceedings of the AAMAS Workshop on Agent Communication, Springer-Verlag, LNCS),
January, 2005.
[24] Undercoffer, J., Pinkston, J., (2002). Modelling Computer Attacks: A target-centric ontology for
intrusion-detection, proceedings of the CADIP research symposium, available at: http://
www.cs.umbc.edu/cadip/2002Symposium/
[25] Bimrah, K. K., Mouratidis, H., Preston, D. (2007) Trust Ontology for Information Systems
Development, Proceedings of the 16th International Conference on Information Systems Development
(ISD2007), Galway – Ireland.
[26] CLASP Project (2008), http://www.owasp.org/index.php/Category:OWASP_CLASP_Project, [Last
Accessed October 2008]
[27] Lipner, S. (2004), The Trustworthy Computing Security Development Lifecycle, In Proc. of the 20th
Annual Computer Security Applications Conference (ACSAC ‘04), CA, USA, 2004, IEEE CS Press,
pp. 2-13.
[28] Mouratidis, H., Giorgini, P. (2006). Integrating Security and Software Engineering: Advances and
Future Vision, IDEA Group Publishing, ISBN 1-59904-148-0.
[29] Mouratidis, H., Giorgini P., Manson, G., (2005). When Security meets Software Engineering: A case of
modelling secure information systems, Information Systems, Vol. 30, Issue 8, pp. 609-629, Elsevier.
[30] Mouratidis, H., Giorgini P., (2007), Secure Tropos: A Security-Oriented Extension of the Tropos
methodology, International Journal of Software Engineering and Knowledge Engineering (IJSEKE)
17(2) pp. 285-309, World Scientific.
[31] Yu, E., Modelling Strategic Relationships for Process Reengineering, Ph.D. Thesis. Dept. of Computer
Science, University of Toronto. 1995
[32] Matulevicius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon N., (2008) Adapting
Secure Tropos for Security Risk Management during Early Phases of the Information Systems
Development, Proceedings 20th International Conference on Advanced Information Systems
Engineering (CAiSE’08), Montpellier, France
[33] Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A., (2004). TROPOS: An Agent-
Oriented Software Development Methodology, Journal of Autonomous Agents and Multi-Agent
Systems, Kluwer Academic Publishers, Volume 8, Issue 3, Pages 203-236.
[34] Firesmith D.G., (2003). Engineering security requirements, Journal of Object Technology, Vol 2., No. 1,
ETH Swiss Federal Institute of Technology
[35] Liles, D.H., Johnson, M.E., Meade, L.M., Underdown, D.R., (1995), Enterprise Engineering: A
discipline?, Proceedings of the Society for Enterprise Engineering Conference, June.
Section 1.2
Current Methods Applied to Security
Modelling Cyber Security: Approaches, Methodology, Strategies 43
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-43

A Fuzzy Approach to Security Codes:
Cryptography Between Technological
Evolution and Human Perception
Serena LISI
C.S.S.I. - Centre for Strategic and International Studies, University of Florence

Abstract. Cryptography may be considered a science in fieri; it is constantly
evolving and being updated, in order to adapt to today’s fast-changing scenarios.
This paper underlines the coexistence of two different approaches to the theory of
codes and protection of confidential information; the first and largely diffused
approach emphasises technology (i.e. a scientific approach) and the second
emphasises human perception (i.e. a cultural, allegorical, non-conventional
approach). The two different approaches are gradually merging together to create a
new integrated and fuzzy approach, which resembles those theories of systems and
political science developed by Bart Kosko from the late 1990s to the present. In
order to accept the aforementioned fuzzy approach, we need to accept a specific
definition of the word cryptography, here intended as the theory and technique
used to create secret codes, either in written form (encryption) or in visual form/
jargon (steganography).

Keywords. cryptography, encryption, steganography, entropy, fuzzy theories,
integrated approach, language evolution, asymmetrical war, allegories.

Cryptography may be considered a science in fieri; it is constantly evolving and being
updated, in order to adapt to today’s fast-changing scenarios. But, what is cryptography
exactly? There are several accepted answers to such a question, each of which is true depending
on the point of view taken. Just to give an idea of this multiplicity, both of the
following definitions¹ refer to cryptography. They are the most well-known, and it is
worth noting how different they are, since they seem to describe two opposite
situations:
    Definition one: secret writing, which cannot be read by those
    who do not know the specific device used during its development.
    It can be developed through invisible writing, conventional
    writing, ciphers.
    Definition two: an ensemble of theories and techniques (manual,
    mechanical, electronic, digital and so on), which create a secret
    code, either through encryption (using a key) or through
    steganography (using visual devices or jargon codes).
The approach promoted in this paper requires that the second definition be
accepted, wherein cryptography is considered to be a theory and technique used to
obtain secret written or visual/jargon codes with the aim of protecting confidential
information.

¹ I have obtained these definitions by making a comparative analysis of the following texts: Dizionario della
Lingua Italiana “Devoto-Oli”, ed. 2008, Dizionario della Lingua Italiana “Il Gabrielli”, Ed 1999, The Oxford
English Dictionary, Ed. 2000, Simon Singh, “Codici e segreti”, Bur Saggi, Milano 1999 [1], [2], [3], [4]
44 S. Lisi / A Fuzzy Approach to Security Codes
Following the aforementioned definition, we can turn our attention to the
coexistence of two different approaches commonly used to protect information. The
first emphasises the importance of technology, supporting mathematical theories such
as the theory of prime numbers (Fermat’s theorem or quantum theory, which also
involves physics) [5] [6]. The second approach emphasises cultural, allegorical, and
non-conventional human perception, and involves technical and linguistic
steganography [4]. In several works, two macro-classes of techniques are presented, i.e.
those developed from, and based on, mathematics and physics and those developed
using approaches linked to human perception. In both macro-classes, the techniques are
gradually reaching their maximum level of innovation in comparison to their usability.
On one hand, the most important steps in the evolution of the first class of
techniques are as follows²:
• Vigenère’s polyalphabetic code (26 alphabets)
• Enigma during the Second World War
• Asymmetrical key codes developed during the 1970s
• The increasing use of the theory of prime numbers (Fermat’s theorem) in
innovative applications for security.
These steps can be considered to be milestones or turning points in encryption systems
[7]. Probably, the third step (with Diffie-Hellman) can be considered the most
important when speaking of the marginal productivity of an encryption system. Today,
the theory of prime numbers (Fermat’s theorem) is increasingly used in
innovative applications for security. According to various physicists³, the next turning
point will be the application of quantum cryptography. This is quite probable, given
that studies on the issue are on-going and, with them, their usage and derived
applications. But, for the moment, quantum cryptography is still too expensive to be
considered a mass-market solution.
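As an added illustration, not part of the original paper, the following Python shows toy versions of two of the milestones just listed: the Vigenère cipher built from its table of 26 shifted alphabets, and a Diffie-Hellman key agreement in which both parties' public messages and the secret each derives are returned so they can be compared. Every value is constructed for the example; the tiny prime group is chosen for readability and is not a usable parameter set.

```python
# Added example, not from the paper: toy versions of two milestones named in
# the text, the Vigenère polyalphabetic cipher and Diffie-Hellman key agreement.
# All values are constructed for illustration; the DH group is far too small
# for real use.
import secrets
import string

ALPHABET = string.ascii_uppercase


def vigenere_table():
    """The 26 Caesar-shifted alphabets (tabula recta) that make Vigenère polyalphabetic."""
    return [ALPHABET[i:] + ALPHABET[:i] for i in range(len(ALPHABET))]


def _letters(text):
    """Keep only A-Z, upper-cased: the classical cipher ignores spaces and punctuation."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere_encrypt(plaintext, key):
    """Each plaintext letter is looked up in the alphabet selected by the key letter
    at the same position; the key repeats, so the alphabet in use has period len(key)."""
    table = vigenere_table()
    key = _letters(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, ch in enumerate(_letters(plaintext)):
        row = table[ALPHABET.index(key[i % len(key)])]
        out.append(row[ALPHABET.index(ch)])
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    """Inverse lookup: find the ciphertext letter in the key's row, read off the column."""
    table = vigenere_table()
    key = _letters(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, ch in enumerate(_letters(ciphertext)):
        row = table[ALPHABET.index(key[i % len(key)])]
        out.append(ALPHABET[row.index(ch)])
    return "".join(out)


def dh_keypair(p, g):
    """Private exponent x in [2, p-2], public value g^x mod p."""
    private = 2 + secrets.randbelow(p - 3)
    return private, pow(g, private, p)


def dh_shared_secret(their_public, my_private, p):
    """(g^y)^x mod p, which equals (g^x)^y mod p computed on the other side."""
    return pow(their_public, my_private, p)


def dh_exchange(p, g):
    """Run both sides of the exchange and return every message and both derived secrets."""
    a_private, a_public = dh_keypair(p, g)
    b_private, b_public = dh_keypair(p, g)
    return {
        "A_sends": a_public,
        "B_sends": b_public,
        "A_secret": dh_shared_secret(b_public, a_private, p),
        "B_secret": dh_shared_secret(a_public, b_private, p),
    }


if __name__ == "__main__":
    ct = vigenere_encrypt("attack at dawn", "LEMON")  # constructed sample text
    print(ct, vigenere_decrypt(ct, "LEMON"))
    print(dh_exchange(23, 5))  # constructed toy parameters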
On the other hand, we can see how steganography [4] has maintained the same
principles it has always had; its aim is to hide the message through the application of
either visual devices or jargon codes, blanks, grids and so on. The point is that, today,
several technological devices are now involved in such a process. Digital imaging,
watermarking, blanks and so on need technology to be developed further. For this
reason, the present situation can be described as follows:

² This refers to the modern and contemporary era. Several other important steps were introduced and used in
ancient times (e.g. Caesar Cipher, the so-called “Lakedaimon Scytale”) [4]

³ The interest rose in the 1980s, with Bennett & Brassard’s theories, and was developed through Ekert’s
study on entangled photons. Today, entanglement is the key word for quantum theories [8]

Figure 1. Description of the two main approaches to confidential information encoding

The result is a complex, integrated system resembling the evolution in
communication: lexicon, symbols, tools, media. Communication is the mirror of
society. And, as we know, society is afraid of several present-day threats. First and
foremost, terrorism and Al Qaeda, the symbol of asymmetrical war/threats. These
threats are considered to be asymmetrical because of the strategies and system of values used⁴,
but also because of communication, which develops towards a “New Middle Ages Era” that is
made up of symbols, metaphors, allegories⁵. The complex, integrated system
represented below is an attempt to respond to such a threat and to keep up with it, on
one hand, by protecting our encoding systems and, on the other hand, by understanding
the non-conventional, allegorical language codes that are being used.

⁴ For example, the usage of shahada (death for faith, martyrdom) in a Western Post-heroic Era.

⁵ An example of the evolution of such a message:

This is an encrypted message itself and usually doesn’t need any other additional code/encryption.

Figure 2. Graph representing the evolution of confidential information protection in response to
asymmetrical threats.

This approach also brings computational matters to light. Today we speak of
quantum cryptography as a possible further step for encoding methods. The fact is that
data processing obtained by using quantum sources cannot currently be compared to
what the human brain is able to produce, since the human brain involves a number of
computational operators (neurons) superior to the number of operators used in quantum
cryptography (the number is 10²⁶)⁶. This is an important indicator of a contemporary
trend; researchers are trying to free science from traditional hermeneutics, which leads
to hermeneutic circles (i.e. closed logical paths)⁷, in order to work with hermeneutic
spirals (i.e. fuzzy logic⁸). Fuzzy logic implies the usage of continuous variables instead
of discrete variables. It applies the following principle: using a continuous variable
implies that we can take and use any value within the variable range [9]. The same can

⁶ From a discussion on languages and complexity with Prof. Dr. F.T. Arecchi, University of Florence.

⁷ An example of a hermeneutic circle (meant as a limited perspective view) is Euclid’s theory regarding
the sameness of triangles: if two triangles can be overlapped so that they coincide, then they are equal to each
other. The movement should be a rigid movement (i.e. moving polygons without altering their shapes). This
is true, but it is a limited concept, since it just involves the mere shape of a polygon.

⁸ Fuzzy logic is a type of logic that comprehends more than the classical two “truth values” (true or false).
Therefore, it is considered to be a multi-valued rather than a classical two-valued logic and is generally used
to handle situations that are approximate rather than specific. An example of its use is highlighted by an
experiment that is being conducted in Japan, where human rail conductors have been replaced with robots
that are able, through the use of applied fuzzy logic, to conduct trains on determined tracks.

be done using a fuzzy approach to cryptography; any combination of methods is
possible in the attempt to obtain successful usage.
The same principle may be applied to several other issues related to cryptography.
The most common methods of encoding, indeed, work as protection for a message
made up of words. This means working either with entire words or, more frequently, on
letters. Words are made up of a periodic repetition of letters or sound groups,
depending on the different languages that are used. For example, in the Italian
language, we can see a very large usage of vowels such as “a” and “e”. On the contrary,
in the German language there is a very frequent repetition of consonant groups such as
“ch” and “sch”. In addition, it is possible to notice that a relevant number of
peculiarities exist in, and are particular to, each language, from verbal inflected forms
to the alphabets themselves⁹. Considering such peculiarities and the repetition scheme
(if applicable) of letters in each alphabet, we can assert that each language has its own
grade of entropy, both for the language itself (the combination of letters/sounds) and for
the cultural system of symbols. The grade of entropy of each language depends on an
objective factor, which is the structure of the language¹⁰, and on a subjective factor,
which is the cultural system of values.
Therefore, it is possible to identify which languages are “high entropy” and which
are “low entropy”. Encoding and decoding high entropy languages will be more
difficult, since it will take longer¹¹.
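To make the notion of a language's grade of entropy concrete, here is an added Python example that is not from the paper. It computes the Shannon entropy of a text's letter distribution (my reading of what the paper calls grade of entropy), its redundancy relative to a uniform 26-letter alphabet, the share of vowels, the counts of letter groups such as “ch” and “sch”, the word-ending statistic mentioned further on in connection with Pognan's work, and the n·H information content that bounds how many bits a message costs to send, which is the quantity behind the claim that a higher-entropy message takes longer to receive. The two sample sentences are constructed for the example and are far too short to characterise Italian or German.

```python
# Added example, not from the paper: measures of the per-letter "grade of
# entropy" of a text and of the recurring letter groups the text mentions
# (vowels in Italian, "ch"/"sch" in German). Sample sentences are constructed
# for illustration and far too short to characterise a language.
import math
import unicodedata
from collections import Counter

SAMPLES = {
    # constructed sample sentences, not corpus data
    "italian": "la casa era grande e la sera la gente parlava della festa e della musica",
    "german": "die schnelle Nachricht machte die Menschen in der Schule und der Kirche sicher",
}


def letters_only(text):
    """Lower-case, strip accents and keep a-z only: the alphabet a classical cipher works on."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(ch for ch in decomposed if "a" <= ch <= "z")


def shannon_entropy(text):
    """H = -sum p(x) log2 p(x) over the letter distribution, in bits per letter.
    Uniform use of all 26 letters gives the maximum, log2(26) = 4.70 bits."""
    letters = letters_only(text)
    if not letters:
        return 0.0
    n = len(letters)
    return -sum((c / n) * math.log2(c / n) for c in Counter(letters).values())


def redundancy(text, alphabet_size=26):
    """Fraction of the maximum entropy that the text's letter distribution does not use."""
    return 1.0 - shannon_entropy(text) / math.log2(alphabet_size)


def ngram_counts(text, n):
    """Counts of letter groups of length n across the letters-only text."""
    letters = letters_only(text)
    return Counter(letters[i:i + n] for i in range(len(letters) - n + 1))


def vowel_share(text):
    """Proportion of vowels, one of the per-language 'key points' the text names."""
    letters = letters_only(text)
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0


def word_endings(text, n=1):
    """Counts of the last n letters of each word, another per-language statistic."""
    words = [letters_only(w) for w in text.split()]
    return Counter(w[-n:] for w in words if len(w) >= n)


def bits_to_transmit(text):
    """Information content n*H: the lower bound on bits needed to send the letters,
    which is why a higher-entropy message takes longer over the same channel."""
    return len(letters_only(text)) * shannon_entropy(text)


def language_profile(text):
    """Bundle the statistics for one text."""
    return {
        "entropy_bits_per_letter": round(shannon_entropy(text), 3),
        "redundancy": round(redundancy(text), 3),
        "vowel_share": round(vowel_share(text), 3),
        "top_bigrams": ngram_counts(text, 2).most_common(3),
        "sch_count": ngram_counts(text, 3)["sch"],
        "bits_to_transmit": round(bits_to_transmit(text), 1),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, language_profile(sample))
```

Run on the two constructed sentences, the Italian sample shows a markedly higher vowel share and the German sample three occurrences of “sch”; the entropy figures themselves are only indicative at this length, and a real comparison would need corpus-scale text per language.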
Researchers are working on the issue. A relevant result in the field is the study on
connections between codes, languages and the human brain by Professor Patrice
Pognan¹². His research aims at obtaining a new type of language processor that will be
able to pay attention to the statistical distribution of specific key points in each idiom
(i.e. word endings, repetition of vowels and so on). This study is a very important step
towards the effective integration of approaches, since it pays attention to linguistic
peculiarities. In the future, we will have to work very diligently on the connection that
exists between such peculiarities and allegorical languages, which represent (from
today on) one of the most important asymmetrical, non-conventional forms of
communication, and which are frequently used in asymmetrical conflicts. A simple example
is supplied by a drawing adapted from a well-known Sufi comic strip, which is
explained below¹³:

⁹ E.g. the Hiragana and Katakana alphabets in the Japanese language: the first is made of ideograms, the second is
a syllabic alphabet, which expresses sounds.

¹⁰ This factor is recognised in all theories and has been quite often studied.

¹¹ As also shown in a personal experiment at the INOA (Istituto Nazionale di Ottica Applicata – National
Institute of Applied Optics, University of Florence). A CO2 laser sends the same message translated into several
languages. The higher the entropy level, the longer receiving it takes.

¹² Patrice Pognan teaches at the Institute of Formal and Applied Linguistics, Faculty of Mathematics and
Physics, Prague and at the INALCO, Paris. He has also been a professor of Military Strategy in France. His
contribution to the subject at the 2007 FLAIRS Conference, Key West, Florida, USA is notable. Another
important work of his is “Analyse morphosyntaxique automatique du discours scientifique tchèque” [10]

¹³ This is a sequence built on autograph blue-ink calligrams inspired by a famous picture, also included in
“L’alfabeto Arabo (Arabic alphabet)”, Gabriele Mandel, Ed. Mondadori. The illustration above is just a
harmless example, but it explains the situation very well, since it demonstrates how allegories can be used as
real codes when the system of reference is different.

Figure 3. Drawing illustrating an allegorical, multilevel, non-conventional form of communication

(God’s) lover launches an arrow towards a lion (passion). The lion avoids the
arrow, which strikes the eye of the beloved person (the one who should understand the
religious message) [11].
This is just an artistic example (comic strip) of the great power and grade of
complexity allegories can have. We will have a very difficult task ahead of us in this
post-Wassenaar Arrangement era¹⁴. For a true comprehension of cryptographic matters,

¹⁴ The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and
Technologies, of 1996, replaced the Coordinating Committee for Multilateral Export Controls (COCOM). It
was a turning point since it included cryptography and other similar devices in the number of dual-use
devices that were subject to export controls. It was also combined with several privacy laws.

indeed, we should start thinking of languages themselves as “dual-use devices”¹⁵. We
should believe in HumInt (Human Intelligence) capabilities, since language is a
collection of symbols and a code itself. The two pictures below try to explain this
process. Below is a figure that is inspired by essays and studies taken from Scientific
American and one of its partner networks [12, 31] and demonstrates how a message is
understood at different levels [13]:

Figure 4. Diagram of brain comprehension on multiple levels

As we can see, through Fibonacci’s theories (look at the pentagon) and other non-
computational associations, the human brain is capable of elaborating highly complex
messages, which can only be fully understood thanks to human operators, as shown in
this last figure below, which summarises the major points made in Pognan’s studies on
language comprehension [9].

¹⁵ Dual-use devices are goods or technologies that can be used both for common (daily-life) purposes and for
strategic or military purposes, and therefore for either peaceful or military aims.

Figure 5. Break-down of language constructs and communication

Hermeneutic semantic areas could very well be the future of cryptography.

References¹⁶

[1] Dizionario della Lingua Italiana “Devoto-Oli”, Mondadori – Dizionari e Grammatiche, ed. 2008
[2] Dizionario della Lingua Italiana “Il Gabrielli”, Gruppo Editoriale Mondadori Ed 1989
[3] The Oxford English Dictionary, Oxford University Press, Ed. 2000
[4] Simon Singh, “Codici e segreti”, Bur Saggi, Milano 1999
[5] A.D.Aczel, “L’enigma di Fermat”, Net, Trento, 2003
[6] Moro, Giovanni. “Il codice dei numeri interi: l’ultimo teorema di Fermat”. Rivista Marittima, 1986.
[7] Fondazione Ugo Bordoni, “Crittografia - pubblicazioni”, 1992
[8] A.D.Aczel, “Entanglement, il più grande mistero della fisica”, Rizzoli, Bergamo 2004
[9] Bart Kosko, “Il fuzzy-pensiero. Teoria e applicazioni della logica fuzzy”, Baldini e Castoldi , Milano
2002
[10] Patrice Pognan, “Analyse morphosyntaxique automatique du discours scientifique tchèque”, Dunod,
Association Jean-Favard pour le développement de la linguistique quantitative, Paris 1975
[11] Gabriele Mandel Khân, “L’alfabeto arabo”, Mondadori, Milano 2000
[12] Scientific American: January 2005 "Best kept secrets" by Gary Stix (pp.65-69); October 1980 "The
Causes of Color" by Kurt Nassau (pp.106-123); October 1977 "Fundamental Particles with Charm" by
Roy F. Schwitters, "The Solution of the Four-color-map Problem" by Kenneth Appel and Wolfgang
Haken, "Hallucinations" by Ronald K. Siegel (pp. 56-70, 108-121, 132-140); October 1976 "White-
light Holograms" by Emmett N. Leith (pp.80-95); April 1976 "Subjective Contours" by Gaetano
Kanizsa (pp.48-52); June 1975 "Electron-Positron Annihilation and the New Particles" by Sidney
D. Drell and "Visual Motion Perception" by Gunnar Johansson (pp. 50-62, 76-88),
http://dericbownds.net/ last visited July 2009 – Scientific American Partner Network
[13] Nicholas Falletta, “Il libro dei paradossi. Una raccolta di rompicapi avvincenti e figure impossibili”,
Longanesi & c., Milano 2002

16 References [14] to [30] are the sources used as general references throughout this paper, which elaborates on the arguments they present on “cryptography”.

[14] Paul Forman, “Fisici a Weimar. La cultura di Weimar, la causalità e la teoria dei quanti.” A cura di Tito
Tonietti, CRT (PT) 2002
[15] Igor Shparlinski, “Number Theoretic Methods in Cryptology. Complexity lower bounds”. Birkhäuser, Boston, Basel, Berlin 1999
[16] Paolo Facchi, Saverio Pascazio, “La regola d’oro di Fermi”, Bibliopolis Trecase (NA) 1949
[17] C.J. Snijders, “La sezione aurea. Arte, natura, architettura e musica”, Muzzio Scienza PD 2000,
translated from “Die Golden Snede”, 1969 Driehoek, Amsterdam
[18] Fritjof Capra, “Il tao della fisica”, Gli Adelphi N/1989 ried. 1999
[19] Fondazione Ugo Bordoni, “Primo simposio nazionale su stato e prospettive della ricerca crittografica in
Italia - ATTI”, Roma 30-31 ottobre 1987
[20] A.D.Aczel, “L’equazione di Dio”, Net Trento 2003
[21] Ludwig von Bertalanffy, “Teoria generale dei sistemi. Fondamenti, sviluppo, applicazioni”, Oscar
Saggi, Milano 2004
[22] Vito A. Martini, “Grammatica araba”, Istituto Editoriale Cisalpino-Goliardica, Milano 1976
[23] Ghani Alani, “Calligraphie arabe”, Editino Fleurus, Paris 2001
[24] Len Walsh, “Read Japanese today”, Tuttle, Rutland, Vermont & Tokyo, Japan 1969, new ed. 1999
[25] Wolfgang Hadamitzky, Mark Spahn, “Kanji & Kana, a handbook of the Japanese writing system”, Tuttle Language Library, Rutland, Vermont & Tokyo, 1999
[26] Lawrence Washington “Elliptic Curves: Number Theory and Cryptography”, Chapman & Hall/CRC
2003
[27] Jonathan Katz and Yehuda Lindell, “Introduction to Modern Cryptography”, CRC Press 2007
[28] John R. Pierce, “Elettronica quantistica. Transistor, maser, laser”. BMS Zanichelli 1968
[29] http://www.epfl.ch/, last visited 01/2009
[30] http://www.lci.det.unifi.it, last visited 10/11/2008
[31] http://www.peds.ufl.edu, last visited July 2009
52 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-52

Cryptography and Security: Evolutionary Information Theory and Prime Numbers Genetics
Gerardo IOVANE
DIIMA, University of Salerno, Italy
iovane@diima.unisa.it

Abstract. In this paper we will consider Evolutionary Information Theory, and pay
specific attention to the application of prime numbers to cyber security and
cryptography. Indeed, we will demonstrate that the sequence of prime numbers is
deterministic, and not stochastic, as we have believed for several centuries. This
implies that much attention must be directed toward the new scenario that has been
formed of cryptosystems, encryption and ciphering in order to prevent cyber
attacks and protect Critical Network Infrastructures.

1. Introduction

Behind the new cyber warfare threats it is possible to find computer evolutionism and the genetics of prime numbers. The former will bring the International Community to face these threats at a systemic level, since the virtual and physical spaces will no longer be uncoupled, as they are today, and it will be possible to control wireless instruments through a notebook or an organiser from a distance of thousands of kilometres.
To know more about this topic, it is useful to trace the history of the Information Era using a key word for each epochal change: i) use; ii) interaction; iii) communication; iv) immersion; v) immersive shared reality; vi) control. In Information Technology, the term “use” indicates the birth of that very same technology. In other words, the computer replaces all the operations of office automation, hence providing a single integrated means which can easily and rapidly offer everything needed for the daily activities of any given structure, be it a basic family structure or the complex structure typical of governments and large companies.
Over the years, the use of the computer and the Internet has been refined to offer the user new ways to improve interaction. This means that it is now possible to solve the problem which emerged in the 1980s, when technologies reached one of their limits, that of running the risk of being boring. Although people continue to experiment with new and more engaging forms of interaction with the computer, their primary need to communicate with other people and share data, information, strategies and goals persists. In fact, the 1990s saw the spread of technologies linked to communication, the Internet and the web. In the last decade of the 1900s, virtual reality left its technological incubator and the research environments that aimed at providing instruments for the most varied fields, from Defence to medicine, transportation, entertainment, etc.
Now what can we say about the present? It is clear that immersive information technologies, such as virtual reality, and communication technologies, namely the web, are merging into each other to create new ICT forms. Indeed, in this field of research it is already possible to see new forms of organisation that no longer use the NET (such as the InterNET and others) but rather a new form, the GRID, as do the so-called VO (Virtual Organisation) and VN (Virtual Network). GRIDs represent the next step in net technology. This is because in the web you find not only information, but also services (the so-called web services). The web is no longer simply a web of computers and their peripherals, but is now comprised of meshes of electronic devices such as the electronic equipment in a lab; an oscilloscope; the washing machine; the video camera that monitors your sleeping child; and the rain sensor that activates the rolling shutters of your porch where the laundry has been hung out to dry.
If this is what is happening now, in the present, what must we control in the near future to make better use of these instruments? What might we predict about the remote future? After the phase of ‘shared immersive reality’, we will enter an era of control of IT and of our new technologies. In other words, what we now call virtual reality and what we know to be our physical reality will merge and become one single field of action; it must not come as a surprise that our children will be able to command their IT teacher’s ABS car from a distance, using remote wireless RFID (Radio Frequency Identification) technologies directly from their organiser, in order to take revenge for a bad mark. But what would happen if this technology were used not for pseudo-recreational goals, as in the example above, but rather for actions against governments that have not provided what has been requested? It is clear that these types of terrorist actions would be completely out of control. As a result, it is necessary that we study and analyse the limits of control theory in order to guarantee its intrinsic security on a global, that is, systemic, level.
The genetics of primality, on the other hand, is able to reveal a potential and intrinsic weakness of the security systems with which most of the technological equipment for coding and preserving information has been built over the last few decades. More specifically, it has been discovered that the sequence of prime numbers is not random. Full knowledge of the structure of prime numbers has led us to meaningful questions regarding the weakness of the generation of numerical security keys, which are based on prime numbers.
At this point it is possible to make an analogy. In the near future, we will need to use new forms of prevention to counter a cyber terrorism that is related to current forms of cyber terrorism as 15th century artists were related to the great art of Leonardo Da Vinci, the former being amateurs and inaccurate, the latter being the symbol of perfection and genius, able to combine art and science in works that have no equal in human history.
It is necessary that we respond to the evolution that is taking place within the field of cybertechnology, and it is particularly necessary that we address issues of cyber terrorism and the forms it will take in the near future. For this to be effective, the reaction must be synergistic. In other words, it must not be the result of isolated scientific, technological, political or social solutions, but rather it ought to be part of a texture which manifests its complexity through a perfection and harmony that is typical even of the most basic and fundamental level, DNA. Like the fingers of a hand, the political, social, scientific and technological spheres will have to work together.

2. Genetics of Prime Numbers: A New Era of Cryptography

In this section, we will consider some results in the context of prime number generation. Indeed, we will see that the prime sequence follows a scheme that is deterministic rather than stochastic. The generation of prime numbers, their distribution, and the knowledge of a possible deterministic scheme for discovering new primes have all been relevant questions in mathematics over the last two centuries [1-9]. The knowledge of prime numbers is relevant not only in mathematics but also in other fields, such as information and communication technology and information security.
In Prime Numbers Distribution: the Solution comes from Dynamical Processes and Genetic Algorithms, Chaos, Solitons and Fractals (hereinafter [10]), we built a new approach based on dynamical processes and genetic algorithms, while in The set of prime numbers: Symmetries and supersymmetries of selection rules and asymptotic behaviours, Chaos, Solitons and Fractals (hereinafter [11]), we analysed the analytic properties of prime numbers. We then considered the selection rules in order to obtain two pure sets of primes, which contained all prime numbers with the exception of the first two (i.e. 2, 3), since they are the basis on which the genetics of primes is obtained. Moreover, we studied the symmetries and supersymmetries of the selection rules. Asymptotic behaviour was considered in The Set of Primes: Towards an Optimized Algorithm, Prime Generation and Validation, and asymptotic consequences (hereinafter [12]). Therein, we moved closer towards finding an optimised algorithm to generate primes, whose computational complexity C(n) was O(n). In addition, a pre-computed algorithm was also considered, for which the computational complexity C(n) proved to be O(1). In The set of prime numbers: Multiscale Analysis and Numeric Accelerators (hereinafter [13]), we performed a multiscale analysis, demonstrating that prime numbers clearly manifest themselves on different scales. In other words, prime numbers at a fixed scale generate new primes at the next scale. Indeed, the prime numbers in a given interval become the seeds for primes in the following intervals.
In this work, starting from the multi-scale analysis in [13], we demonstrate that
prime numbers live on the vertices of a multifractal polygon. The change in resolution
and the number of sides of the polygon are initially mediated by the first prime
numbers, and more generally speaking, progress by the sequence of primes themselves.
As has been known for quite some time, a number of efficient algorithms have been discovered (for details see bibliographic references [14-20]). The algorithms of Rabin, and of Solovay and Strassen, are randomised. In addition, the algorithm of Adleman et al. requires (slightly) super-polynomial time, while the algorithm of Miller is in P only under an unproved number-theoretic hypothesis. A relevant contribution was given by Agrawal, Kayal and Saxena in 2004 [14]. While in [10] and [11] we demonstrated that the sequence of primes is not random, in [12] we considered a first attempt towards an optimised sieve. It is in [12] that we developed a multi-scale procedure in order to facilitate the search for prime numbers and reduce the time needed to look for them. This procedure is equivalent to walking on a prism whose first base is a hexagon. Step by step, this structure becomes a multifractal polygon. The third dimension of the polygon is a discrete parameter, k, which is used to generate classes of primes. It is important to emphasise that in our approach we build a multifractal structure so as to obtain a deterministic process for generating primes, and not simply to describe the apparent randomness of the prime sequence. It also appears that our vision generalises the procedure shown in Prime sieves using binary quadratic forms, Mathematics of Computation [20], where the authors only consider the first and the second level of the fractal and multiresolution decomposition.
This paper also presents a way to generate trees that are based on specific diagrams. In other words, just as the physicist Richard Feynman introduced his diagrams to describe processes in terms of particle paths within the context of QFT (Quantum Field Theory), here we can introduce specific diagrams for describing the process of prime generation and so control the decomposition level of the multifractal that is initiated by the hexagon to generate primes. The result is an interesting approach to creating a numeric accelerator capable of discovering prime numbers that move along the branches of the tree structure.

3. Multiscale Analysis

In [11], we proved that we can write a closed formula for the sequence of prime
numbers:

with

To obtain increasingly better computational performance, we can point out that this representation can be seen as the first step of a multiscale approach. Indeed, it is important to emphasise that the choice of the number 6 is connected to the fact that 6 is the product of the first two primes, i.e. 6 = 2·3.
We can iterate this approach, obtaining 30 = 2·3·5, 210 = 2·3·5·7 and so on. In other words, we can realise different partitions of the set of positive integer numbers, N, in terms of 30k- , 210k- (with  a specific prime number) and so on. It is both trivial and relevant at the same time to observe that this multiscale approach reduces the number of candidates which are composite and so also identifies which numbers are not primes, thereby reducing the time and resources dedicated to the search for prime numbers. This happens since each prime number can be written as:

where the new prime p_ij is written in terms of the product of other primes, p_j, multiplied by a positive integer, k, minus a prime, p_i, that is smaller than p_ij and obtained in the previous step of the computational recursive procedure.
By using graph theory, or tree analysis, we can see that at the first level we have two classes or sets of candidates to primality, that is, the 6k- , while at the second level we have 8 classes (in other words, 30k- , where  = 1, 7, 11, 13, 17, 19, 23). At the third level, there are 48 classes of candidates and so on (see the following Table 1 and Figure 1).

Table 1: Results in a multiresolution context regarding prime number candidates

Figure 1. Prime number candidates and the tree structure
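The candidate counts quoted above (2 classes at level 6, 8 at level 30, 48 at level 210) can be reproduced directly, as in this added example, which is not code from the paper: it lists the residues coprime to each modulus, derives each level's classes from the previous one, and checks that no prime above the base primes falls outside them. The function names and the constructed limit of 10,000 are the example's own.

```python
"""Multiscale prime candidates: residue classes coprime to 6, 30, 210, ...

Added example, not code from Iovane's paper.  It reproduces the candidate counts
the text quotes (2 classes at level 6, 8 at level 30, 48 at level 210), shows how
the classes of one level seed those of the next, and measures how much of the
integers the candidate set discards.  In standard terminology the construction is
the wheel of wheel factorisation; all function names below are this example's own.
"""
from math import gcd

# The page builds its levels from products of the first primes: 6 = 2*3, 30 = 2*3*5, ...
FIRST_PRIMES = [2, 3, 5, 7, 11]


def primorial(level):
    """Modulus of a level: level 1 -> 6, level 2 -> 30, level 3 -> 210."""
    m = 1
    for p in FIRST_PRIMES[:level + 1]:
        m *= p
    return m


def candidate_classes(modulus):
    """Residues r in [1, modulus) with gcd(r, modulus) == 1.

    Any prime that does not divide `modulus` is congruent to one of these residues,
    so at level 1 the candidates are 6k+1 and 6k+5 (the page's two 6k-classes).
    """
    return [r for r in range(1, modulus) if gcd(r, modulus) == 1]


def refine(classes, old_mod, new_mod):
    """Seed the next level from the current one.

    A class r (mod old_mod) splits into the residues r + j*old_mod (mod new_mod),
    j = 0 .. new_mod/old_mod - 1; those sharing a factor with new_mod are dropped
    (they are multiples of the new base prime).  Returns {r: [children]}.
    """
    assert new_mod % old_mod == 0
    children = {}
    for r in classes:
        children[r] = [r + j * old_mod for j in range(new_mod // old_mod)
                       if gcd(r + j * old_mod, new_mod) == 1]
    return children


def is_prime(n):
    """Plain trial division; adequate for the small ranges used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_coverage(level, limit):
    """Return (candidate density, primes below `limit` lying outside every class).

    The density is |classes| / modulus, the fraction of integers that survive the
    sieve at this level.  The list must be empty for every prime larger than the
    base primes of the level; that is what makes the classes usable as a sieve.
    """
    m = primorial(level)
    classes = set(candidate_classes(m))
    largest_base = FIRST_PRIMES[level]
    missed = [p for p in range(largest_base + 1, limit)
              if is_prime(p) and p % m not in classes]
    return len(classes) / m, missed


if __name__ == "__main__":
    for level in (1, 2, 3):
        m = primorial(level)
        density, missed = check_coverage(level, 10_000)
        print(f"level {level}: modulus {m}, {len(candidate_classes(m))} classes, "
              f"density {density:.3f}, primes missed below 10000: {len(missed)}")
    print("children of the level-1 classes mod 30:",
          refine(candidate_classes(6), 6, 30))
```

The density falls from 1/3 at level 6 to 8/30 and then 48/210, which is the reduction in candidates the text refers to; the classes themselves still contain composites, so a primality check on each candidate remains necessary.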

Conclusions and Perspective

Starting from the results presented in this work on multiscale analysis, it is possible to
demonstrate that prime numbers are found on the vertices of a multifractal polygon.
Both the change of resolution and the number of sides of the polygon are initially
mediated by the first prime numbers and, more generally, proceed according to the
sequence of primes themselves.

The proposed procedure is a process that is equivalent to a walk on a prism whose first base is a hexagon. Step by step this structure becomes a multifractal polygon. The third dimension of the polygon is a discrete parameter, k, which is used to generate classes of primes, as shown above. Thanks to our approach, it is possible to realise a multifractal algorithm to obtain a deterministic process for generating primes, and not simply to describe the apparent randomness of the prime sequence. This creates an opportunity to generate trees based on specific diagrams. In other words, similarly to Richard Feynman’s introduction of his diagrams to describe particles and interaction processes in QFT (Quantum Field Theory), here we can introduce specific diagrams for describing the process of primes. It is an interesting approach to realise a numeric accelerator able to discover prime numbers moving along the branches of a tree structure. If it is true that the work opens relevant and new questions regarding Information Security based on primality, it is also true that it gives a way to implement a new mechanism based on a key exchange protocol, which in turn is founded on pure multifractal sets or mixed multifractals, with biometric watermarks, for example.
Just as the DNA of prime numbers has been discovered today, in a few years we could have the Genetic Engineering of prime numbers. This means that in a few years’ time we could have the capability to realise ever more accurate and rapid algorithms to generate numeric keys to crack codes and data encryption.
Therefore, it is relevant to find solutions to this problem and define new strategies to prevent and combat cyberterrorist attacks. These solutions, once again, will not only be technological or scientific, but also political and social. If they are not found, the progress of knowledge could itself become a Trojan horse and defeat us.

References

[1] E.Bombieri, Problems of the Millennium: the Riemann hypothesis, CLAY, 2000.
[2] A.Granville, Harald Cramér and the distribution of prime numbers, Lecture presented on 24th
September 1993 at the Cramér Symposium in Stockholm.
[3] M. Du Sautoy, The music of the primes, RCS Libri, Milano 2003.
[4] A.Connes, Trace formula in non-commutative geometry and the zeros of the Riemann zeta function,
Selecta Math. (NS) 5, 29-106, 1999.
[5] G.H.Hardy, Divergent Series, Oxford Univ. Press, Ch.II, 23-26, 1949.
[6] H.L.Montgomery, Distribution of the zeros of the Riemann Zeta Function, Proc.Int.Conf.Math.
Vancouver, Vol.I, 379-381, 1974.
[7] A.M.Odlyzko, Supercomputers and the Riemann Zeta Function, Supercomputing 89: Supercomputing
Structures and Computations, Proc. 4-th Int.Conf. on Supercomputing, L.P.Kartashev and S.I.
Kartashev (eds.), International Supercomputing Institute, 348-352, 1989.
[8] Z.Rudnick and P.Sarnak, Zeros of principal L-functions and random matrix theory, Duke Math.Jou. 82, 269-322, 1996.
[9] A.Selberg, On the zeros of Riemann’s zeta-function, Der Kong.Norske Vidensk.Selsk.Forhand. 15,
59-62, 1942.
[10] G.Iovane, Prime Numbers Distribution: the Solution comes from Dynamical Processes and Genetic
Algorithms, Chaos, Solitons and Fractals, 37, 1, 23-42, 2008.
[11] G.Iovane, The set of prime numbers: Symmetries and supersymmetries of selection rules and
asymptotic behaviours, Chaos, Solitons and Fractals, 37, 4, 950-961, 2008.
[12] G.Iovane, The Set of Primes: Towards an Optimized Algorithm, Prime Generation and Validation, and
asymptotic consequences, in press, Chaos, Solitons and Fractals, 2008.
[13] G.Iovane, The set of prime numbers: Multiscale Analysis and Numeric Accelerators, in press, Chaos,
Solitons and Fractals, 2008.
[14] M.Agrawal, N.Kayal and N.Saxena, PRIMES is in P, Annals of Mathematics, 160, 781-793, 2004.
[15] M.Agrawal and S.Biswas, Primality and Identity Testing via Chinese Remaindering, Journal of the
ACM, 50, 4, 429-443, 2003.
[16] G.L.Miller, Riemann's hypothesis and tests for primality, Journal Comput.Syst.Sci., 13, 300-317, 1976.

[17] M.O.Rabin, Probabilistic algorithm for testing primality, Journal Number Theory, 12, 128-138, 1980.
[18] R.Solovay and V.Strassen, A fast Monte-Carlo test for primality, SIAM Journal Comput., 6, 84-86,
1977.
[19] L.M.Adleman, C.Pomerance, and R.S.Rumely, On distinguishing prime numbers from composite
numbers, Annals of Mathematics, 117, 173-206, 1983.
[20] A. O. L. Atkin, D. J. Bernstein. Prime sieves using binary quadratic forms, Mathematics of
Computation 73, 246, 1023-1030, 2004.
Modelling Cyber Security: Approaches, Methodology, Strategies 59
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-59

A Note on Public-key Cryptosystems and Their Underlying Mathematical Problems
Dario A.M. SGOBBI, Guglielmo MORGARI
Italian Navy

Abstract. While the classic symmetric encryption systems require a single key for
both encryption and decryption, public-key systems are based on the existence of
two distinct keys, one private and one public, and on the concept that, while the
private key is never transmitted over any channel, and is therefore known only by
its owner, the public key is made publicly known. Public-key systems are thus
extremely useful in open network scenarios, where not all users are known in
advance, or where it is simply impractical to establish a secure channel with any of
them over which to exchange symmetric keys for the ensuing communications
protection. Asymmetric systems are very interesting from a mathematical point of
view, since they are based on one-way trapdoor functions, which are invertible
functions that are “easy” to compute in one direction and “difficult” to compute in
the opposite direction, with the additional condition of being “easy” to compute in
that direction if additional information (the trap) is available.

Introduction

The need to protect communications has historically been associated with military and
government contexts. Although they were at times very ingenious, the techniques that
were used to protect communications were more an art than a science and were known
only within restricted circles of specialists.
Only in the last 30 years has the need for data protection become more and more evident in many fields of our everyday life, like mobile communications, e-commerce, and ATM machines.
Due to these new applications, we observe on one hand the development of new
cryptographic mechanisms, and on the other a diffusion of knowledge tending towards
open research (academic) communities. This has led cryptography to be based on
stronger formal mathematical foundations.
Unfortunately, this progress does not mean that we are now able to build systems with absolute and mathematically provable security, since many building blocks of modern cryptography are still based on unproved mathematical assumptions. Moreover, the same mathematical knowledge available to cryptographers is obviously also available to cryptanalysts. However, we now have a common framework to better assess our mathematical models through the use of formal tools, and are therefore able to avoid repeating the same mistakes in new and different contexts.
Prior to the 1970s, communications protection basically consisted of encrypting
and hiding messages. The former is obtained using cryptographic measures in the
attempt to make messages unintelligible to possible interceptors, while the latter uses
steganographic methods in order to make the messages difficult to detect. These
techniques are therefore complementary and both should be used whenever possible. In
the following, however, we will focus only on cryptography.
It was in the 1970s that the use of cryptography experienced a remarkable expansion. This is because applications in military fields, and even more so in commercial fields, require security mechanisms to ensure data integrity that go well beyond simple encryption, such as digital signatures. This increase in the use of cryptography is basically due to the introduction of a new class of cryptographic primitives, called asymmetric or public-key algorithms. In fact, the conceptual meaning and the foreseeable practical impact of the new paradigm were so extensive that the authors of the seminal paper about public-key cryptography gave it the title “New Directions in Cryptography” [1].
While the classic symmetric encryption systems require a single key for both
encryption and decryption, public-key systems are based on the existence of two
distinct keys, one private and one public, and on the concept that, while the private key
is never transmitted over any channel, and is therefore known only by its owner, the
public key is made publicly known. This feature makes public-key systems very
versatile and theoretically suitable not only for encryption but even more so for
authentication and key management.
Public-key systems are thus extremely useful in open network scenarios, where not
all users are known in advance, or where it is simply impractical to establish a secure
channel with any of them over which to exchange symmetric keys for the ensuing
communications protection.
On the other hand, public-key systems are very slow and are therefore seldom used alone. More often than not, they are part of a hybrid system, in which they are used to determine a session key, which is then used to protect a single communication through symmetric-key algorithms.
In some situations, asymmetric systems are not used at all, either because of their
poor efficiency (for example in constrained environments) or because of the specific
scenario (in military or diplomatic networks, due to their strictly hierarchical nature,
entirely symmetric systems often represent the best solution).
Asymmetric systems are very interesting from a mathematical point of view, since they are based on one-way trapdoor functions, which are invertible functions that are “easy” to compute in one direction and “difficult” to compute in the opposite direction, with the additional condition of being “easy” to compute in that direction if additional information (the trap) is available. This additional information represents the private key, which must be “difficult” to obtain from knowledge of the public key only. For practical purposes, hereinafter, by “easy” and “difficult” we mean computationally feasible and infeasible. The notions of complexity theory that we will introduce below are the basis for the quantitative measure and formal tools for handling these concepts.
The aim of this paper is to briefly present a possible classification of the various
cryptographic techniques and their goals, paying special attention to public-key
systems and their underlying mathematical problems. The paper is organised as
follows: Section one is devoted to presenting some complexity theory elements which
will be used in the following analysis. The second section will list the goals of modern
cryptography and the techniques applied to fulfil these goals. The last section will
discuss the two most widely used public-key systems (RSA, and Diffie-Hellman) from
a complexity theory perspective.

1. Elements of Complexity Theory

The exact computation of efficiency, normally expressed in terms of required elementary operations, is usually not of much interest. What is of interest, however, is its behaviour as the problem increases in size, in other words the scalability of the algorithm. Indeed it is clear that for “small” problems, virtually any meaningful algorithm terminates in an acceptable amount of time, but quite often, in cryptography it is much more useful to study what happens when the problem size grows to include values actually used in practice.
By size we normally mean the number of digits required to define the parameter chosen to characterise the problem. For instance, if we consider algorithms dealing with natural numbers, the size of a number is its logarithm. Because we are interested in the behaviour of the complexity as the size increases, the base of the logarithm is irrelevant, since the expressions resulting from different choices are linked by simple multiplicative constants.
In practice, it is interesting to distinguish between polynomial and exponential
algorithms. Polynomial algorithms are those whose complexity may be expressed in
polynomial terms with respect to the problem size. All non-polynomial algorithms are
called exponential (a more precise classification is possible but for our purposes
distinction in these two big classes is enough).
Roughly speaking, we can say that as the size grows, the complexity of polynomial
algorithms grows steadily, while that of the exponential algorithms grows very quickly.
Therefore, polynomial and exponential are often seen as synonyms of feasible and
unfeasible, respectively.
The notation commonly used in this field is the so-called big O. Although more formal definitions exist, here we can say that a function C(n) is O(f(n)) if it grows at most like (a constant multiple of) f as n increases. For example, given a function C(n) = 2n^3 + 3n^2 − n + 4, we can say C(n) = O(n^3), since constants and low order terms do not matter when we consider asymptotic behaviour. For example, if n is the size of a problem and C = O(n^2) is the complexity of an algorithm that solves the problem, we say that such an algorithm is polynomial and thus practical. On the contrary, an algorithm with a complexity C = O(e^n) is exponential and therefore, as soon as n increases, it rapidly becomes impractical.
A common mistake in the evaluation of the complexity of an algorithm is a misunderstanding regarding the meaning of problem size. Let us take for example the simple problem of searching for a prime factor of a given integer number, N, and the algorithm which consists in dividing N by every integer smaller than √N. The complexity of the algorithm is clearly O(√N) = O(N^(1/2)), and the algorithm is therefore polynomial in N. However, the size of the problem is not N, it is n = log N, and the resulting complexity is O(N^(1/2)) = O(e^(n/2)), which is clearly exponential in n.
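To make the size confusion concrete, the following added example (not code from the paper) counts the divisions the trial-division algorithm actually performs and compares the count with the problem size n = log2 N; the function names and the constructed input 10403 = 101·103 are assumptions of the example.

```python
"""Trial division: why 'polynomial in N' is exponential in the problem size.

Added example, not code from the Sgobbi/Morgari text.  It counts the divisions the
naive factoring algorithm performs and compares that count with the problem size
n = log2(N), the number of binary digits of N: the count grows like
sqrt(N) = 2^(n/2), i.e. it doubles every two extra bits.  Function names are the
example's own.
"""


def smallest_factor_trial_division(N):
    """Divide N by every integer d with 2 <= d <= sqrt(N).

    Returns (smallest prime factor, number of trial divisions performed).
    If no divisor is found, N is prime and is returned as its own factor.
    """
    if N < 2:
        raise ValueError("N must be >= 2")
    divisions = 0
    d = 2
    while d * d <= N:
        divisions += 1
        if N % d == 0:
            return d, divisions
        d += 1
    return N, divisions


def problem_size(N):
    """The size of the problem is the number of digits of N, here in base 2."""
    return N.bit_length()


def largest_prime_below(limit):
    """Largest prime < limit, found with the same trial-division routine."""
    n = limit - 1
    while smallest_factor_trial_division(n)[0] != n:
        n -= 1
    return n


def worst_case_divisions(n_bits):
    """Divisions needed for an n-bit prime (the worst case: no divisor is found).

    A prime just below 2^n needs about sqrt(2^n) = 2^(n/2) divisions, so the cost
    is polynomial in N but exponential in the size n.
    """
    p = largest_prime_below(2 ** n_bits)
    return smallest_factor_trial_division(p)[1]


def growth_ratio(n_bits, extra_bits=2):
    """How much the worst-case cost grows when the size grows by `extra_bits`.

    2^((n+2)/2) / 2^(n/2) = 2, so two more bits double the work, whatever n is.
    """
    return worst_case_divisions(n_bits + extra_bits) / worst_case_divisions(n_bits)


if __name__ == "__main__":
    N = 10403                       # constructed input: 101 * 103
    factor, cost = smallest_factor_trial_division(N)
    print(f"N={N}: size n={problem_size(N)} bits, factor {factor} "
          f"after {cost} divisions")
    for n in (12, 16, 20, 24):
        print(f"n={n:2d} bits: worst case {worst_case_divisions(n):6d} divisions "
              f"(2^(n/2) = {2 ** (n / 2):.0f}), x{growth_ratio(n):.2f} "
              f"for two more bits")
```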
As previously mentioned, the complexity of the algorithm can refer to several
parameters, the most useful being time and space (memory occupation). Quite often,
algorithms can be reshaped in order to find a trade-off between different parameters,
but it is important to realise that if an algorithm is exponential with regard to any of
them, then it is impractical.
From a practical perspective, let us consider a sample function with complexity C = O(2^n). In the table below, we first assume that this complexity refers to time and that the elementary operation considered takes 1 μsec (second column). We then assume that the complexity refers to memory and that the elementary memory unit is made of a single atom (third column). While very effective for small values of n, the algorithm quickly becomes totally impractical as n increases (first column). The table spans from small values to common values used today in cryptography, like n = 128 or n = 256, and shows the tremendous amount of time and space required as n increases. This very clearly demonstrates the practical meaning of exponential algorithms.

Table 1. Sample function with complexity C = O(2^n)

n      time                                         atoms
2      4 microseconds                               4
5      32 microseconds                              32
10     1 second                                     1024
20     17 minutes                                   10^7
40     34 years                                     1.1*10^12
80     3.8*10^13 years (>10^11 years, believed      1.2*10^24
       age of the universe)
128    1.1*10^28 years                              3.4*10^38
256    3.7*10^67 years                              1.2*10^77 (~10^77, believed number
                                                    of atoms in the universe)

The reason for which complexity theory is so important in cryptography is that in
any kind of cryptographic keyed primitive, the evaluation of the complexity of a given
attack allows us to understand whether that attack is concretely possible and, in the
eventuality that it is not, to evaluate the corresponding security margin. Often, in
practice, it is enough to state that a given system is computationally secure; this means
that the complexity of the supposedly ideal attack is greater than the resources any
attacker could ever procure.
A more formal approach is to prove that a system is provably secure, meaning that
breaking the system is equivalent to solving a mathematical problem, which is known
to be computationally intractable. This approach is often followed with the application
of asymmetric systems, but unfortunately the intractability of the underlying
mathematical problems has, to date, been just conjectured.
It is of course clear that, in theory, a system can always be broken by an attacker
with unlimited resources, simply by systematically trying all possible solutions until
the right one appears. The only remarkable exception is the OTP (One Time Pad)
encryption (as described in any text on cryptography, see [2]). This is the only
unconditionally secure system (i.e. the attacker has no way of identifying or
recognising the correct solution), which is, however, of extremely rare practical use
because of its heavy management complexity.
Furthermore, in asymmetric systems, the evaluation of complexity is relevant not
only for evaluating the cryptographic robustness of an algorithm, but also for the
construction of the algorithm itself. The algorithm used for the choice of secure
parameters can in fact be quite complex. In this regard, we will analyse in some depth
the very interesting problem of determining whether a given integer is prime or
composite.

2. Cryptographic Goals and Mechanisms

In the current digital era, not only is data interception even easier than in the past, but
the modification of data in transit or the creation of fake data can also be very simple
tasks. Consequently, it is necessary to clearly define the threats and countermeasures in
a modern cryptography language.
A possible classification defines 4 goals for modern cryptography.

Table 2. Classification from Modern Cryptography defining four goals

Confidentiality    The message can be understood only by the intended recipient
Integrity          The message has not been tampered with
Authenticity       The message was actually sent by the declared sender. Under certain
                   hypotheses, it is also referred to as “digital signature”
Non-repudiation    The sender cannot deny having sent it

Cryptographic applications today vary from the most well-known, such as secure
transactions on the Internet, to the most surprising, such as mental poker (a way to
remotely play a fair game without any need of a trusted third party) [3]. However,
basically all of them can be modelled according to the previous classification.
These goals can be accomplished by using a number of cryptographic primitives.
As we will see, the same goals can be reached by the use of different primitives or their
combination, and, in fact, primitives can be consistently classified in many different
ways. One of the possible high-level classifications defines three classes: unkeyed
primitives, symmetric key primitives, asymmetric key primitives. Using this
classification, we can give the following overview of the primary tools of modern
cryptography.

3. Unkeyed Primitives

The main primitives in this class are random sequences and hash functions. These
primitives are keyless, however, since they are building blocks for many cryptographic
operations, they satisfy strict requirements.
The generation of random sequences, for example, is of paramount importance in
the production of cryptographic parameters, since poor generation can significantly
reduce the complexity of an exhaustive search attack on these parameters. They must
therefore satisfy extremely stringent cryptographic constraints, which are usually not
required for standard random generators.
Hash functions are well known primitives that take an input (message) of variable
length and produce a fixed length output. Analogously to random generators, when
used in cryptographic applications, hash functions must satisfy extra requirements, the
first of which is the (practical) impossibility of finding two messages with the same
hash. Consequently, the obtained value represents an unambiguous digest of a given
message and can, therefore, be used to guarantee the integrity of the message from
unintentional data corruption.

4. Symmetric Key Primitives

These primitives are based on sharing a secret key between two users. They provide
tools for message encryption, sender authentication, and data integrity.
As encryption primitives, they fall in one of two categories: block ciphers and
stream ciphers. While from the security point of view there is no general reason to
prefer one class over the other, the distinction is sometimes relevant with regard to their
implementation. Block ciphers are, in fact, considered to be more versatile.
Furthermore, standard schemes exist to convert block ciphers into stream ciphers
(Output Feedback Mode, Counter Mode [4]) when needed. Among a wide set of
available symmetric ciphers, the currently most used is certainly the AES (Advanced
Encryption Standard [5]).
MAC (Message Authentication Codes) functions are essentially keyed hash
functions and thus can be used to guarantee not only data integrity but also data origin
(authentication); since the secret key is shared only between the sender and the
receiver, when the latter verifies the correct value of the MAC he also has proof of the
sender identity. Note however that this does not allow for non repudiation, since both
sender and receiver can later claim that a given message was produced by the other
party.
Native MAC functions exist, but it is common to use schemes based on other
primitives in practice; for example, see HMAC [6] and CMAC [7] to convert unkeyed
hash functions and block ciphers to MAC.

5. Asymmetric Key Primitives

As previously explained, public-key schemes rely on pairs of values, private and
public, which are linked by a specific mathematical relationship that makes it
(practically) impossible to derive one from the other (it is for this reason that these
schemes are often referred to as asymmetric cryptography). This feature allows the
public key to be widely disseminated to every user, while the corresponding private key
is kept secret by the user him/herself (this user is the only “owner” of the private key).
It is important to be aware that the public key can be transmitted over any insecure
channel, but only as far as passive interception is considered. It is mandatory to protect
the key value against active interception, which could modify its value. Different
solutions exist for this risk (either at the infrastructure level, like PKI, or through an
auxiliary channel with some form of authentication, like voice recognition). In this
paper, we are not interested in exploring them, we simply assume that the public key is
distributed unmodified.
Public-key systems are so versatile that when properly used, it is possible to obtain
the four cryptographic goals mentioned above. Apart from confidentiality, integrity and
authentication (digital signature), it is in fact also possible to obtain non-repudiation
since the private key is specific to each user and does not have to be shared with
anyone else.
From a mathematical point of view, the key asymmetry is typically based on
problems from number theory, which are believed to be difficult to solve. Nevertheless
their difficulty has not been formally proven yet. There are two problems used in
practice to construct strong public-key cryptosystems: Integer Factorisation Problem
(IFP) and Discrete Logarithm Problem (DLP). Other problems have been proposed, but
they are of little interest either because they are insecure (like Knapsack problem based
cryptosystems [8]) or because they are extremely inefficient with regard to speed or
public key size (like the McEliece cryptosystem [9]).

6. RSA, Diffie-Hellman

In this section, we briefly analyse the mathematical problems underlying the two most
used public-key cryptosystems (RSA and Diffie-Hellman) and especially focus on the
complexity issues.

6.1. RSA

This algorithm [10] allows the implementation of both encryption and digital signature.
Without going into detail, we recall from a mathematical point of view that its security
is strictly linked to the problem of integer factorisation (IFP) [11], since operations are
performed modulo an integer N, where N is equal to the product of two
primes of adequate size (N = pq, the size of p and q being today typically in the range
[1024, 4096] bits). While the modulus N is part of the public key, and is therefore
known to anyone, the primes p and q are not public and allow the private key to be
computed. It is clear then that solving IFP means breaking RSA, but it is interesting to
note that, in principle, RSA could be broken in some other way, even if this occurrence
appears to be quite unlikely. The conclusion is that IFP and RSA are not theoretically
equivalent problems and RSA may in fact be easier (a very recent result [12], however,
provides strong evidence that equivalence may actually hold, even if a formal proof
is still missing). It is interesting to note that another public-key system exists,
attributable to Rabin [13], which can be proven to be as difficult to break as IFP and in
this sense may be considered to be stronger than RSA but, due to its decryption
complexity, it has never gained widespread practical use.
As of today, no efficient algorithm to solve IFP has been discovered. More
precisely, no polynomial time algorithms are known, since the most efficient is the
General Number Field Sieve [14], which, for a small constant c (n, as usual, is the
number of bits representing the integer to be factored), has the complexity
.
Another number theory problem related to RSA is the primality problem (PP), i.e.
to determine if a given integer is prime or composite. Each RSA user must in fact
choose a different modulus N and therefore a different couple of primes (p, q). As a
consequence, it is important to have algorithms to quickly and affordably determine the
primality of a number of any reasonable size. Fortunately, this problem has been solved
both in theory and in practice.
Extremely efficient primality tests have been known for a long time, and have been
widely used in practice. Their only drawback is that they are probabilistic rather than
deterministic. This means that the outcomes they provide may be wrong. This
apparently surprising feature is actually of no practical concern, since the probability of
error can be mathematically computed (upper-bounded) and made as small as is
desired. The most commonly used probabilistic algorithms are the Solovay-Strassen
[15] and the Miller-Rabin [16]. Both algorithms consist of k iterations of a basic round,
k being an integer number chosen by the user. Computational complexity and error
probability can be easily determined, according to the value of k. For example, the
Miller-Rabin test with k iterations has a computational complexity O(k·n^3) and an error
probability 4^-k, while the Solovay-Strassen test with k iterations has a computational
complexity O(k·n^3) and an error probability 2^-k (n being the number of bits of the
tested integer). It is clear that with moderately small values of k, the resulting
algorithms are very efficient and the probability of error is so low as to be totally
negligible.
From a theoretical point of view, several deterministic algorithms to solve PP have
been known for a long time. Some of them are trivial and others are more complex, but
all of them have either exponential complexity or polynomial complexity that is based
on some unproved mathematical assumption (typically the Riemann hypothesis). In
2002, three Indian researchers [17], for the very first time, found an algorithm that was
at the same time deterministic, polynomial and unconditional (i.e. not based on any
conjecture). The theoretical interest for their algorithm, later improved by other
researchers, is enormous, but from a practical perspective, their result is totally useless
since the resulting complexity (O(n^12) in the original version and O(n^6) in an improved
variant) cannot compete with that of probabilistic algorithms.
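The two probabilistic tests of Section 6.1, as an added example that is not code from the paper: Miller-Rabin and Solovay-Strassen with k rounds each and the corresponding error bounds 4^-k and 2^-k. Both tests accept an explicit list of bases so a run can be reproduced; the function names and the choice of 561 (a Carmichael number) for the demonstration are mine.

```python
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips if both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def _trivial(n):
    """Settle n < 4 and even n directly; None means the probabilistic test must decide."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return None


def _bases(n, k, bases, rng):
    """k random bases in [2, n-2], or the caller-supplied list for reproducibility."""
    if bases is not None:
        return list(bases)
    rng = rng or random.SystemRandom()
    return [rng.randrange(2, n - 1) for _ in range(k)]


def miller_rabin(n, k=20, bases=None, rng=None):
    """k rounds of the Miller-Rabin strong test: a False answer is always correct,
    a True answer is wrong with probability at most 4^-k."""
    decided = _trivial(n)
    if decided is not None:
        return decided
    d, s = n - 1, 0
    while d % 2 == 0:                # write n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    for a in _bases(n, k, bases, rng):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False             # a is a witness: n is certainly composite
    return True


def solovay_strassen(n, k=20, bases=None, rng=None):
    """k rounds of the Solovay-Strassen Euler test; a wrong True has probability at most 2^-k."""
    decided = _trivial(n)
    if decided is not None:
        return decided
    for a in _bases(n, k, bases, rng):
        if math.gcd(a, n) != 1:
            return False
        if pow(a, (n - 1) // 2, n) != jacobi(a, n) % n:
            return False             # Euler's criterion fails: certainly composite
    return True


def error_bound_mr(k):
    return 4.0 ** -k


def error_bound_ss(k):
    return 2.0 ** -k


if __name__ == "__main__":
    # 561 = 3 * 11 * 17 is a Carmichael number: it passes Fermat's test for every base.
    # Base 2 is an Euler liar for 561 but a Miller-Rabin witness; base 5 exposes it to both tests.
    print(miller_rabin(561, bases=[2]), solovay_strassen(561, bases=[2]), solovay_strassen(561, bases=[5]))
    print(miller_rabin(2 ** 61 - 1), solovay_strassen(2 ** 61 - 1))
    print(f"k=20: MR error <= {error_bound_mr(20):.1e}, SS error <= {error_bound_ss(20):.1e}")
```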

6.2. Diffie-Hellman

This protocol allows a secret key to be generated between two users without any prior
agreement being made. The security of the scheme is based on the Discrete Logarithm
Problem (DLP) in a cyclic group. The protocol was originally formulated to work in
the multiplicative group of the integers modulo a prime (of proper size, say
1024 bits), but recently it has become more and more common to use a cyclic subgroup
of specific elliptic curves defined over Galois fields. This choice allows for much faster
implementation and shorter parameters (including public keys), while keeping the
security level the same. Independently of the domain in which computations are carried
out, the underlying problem is the DLP. As for IFP, there are currently no algorithms
working in polynomial time. As of today, the most efficient algorithm to solve DLP is
the Index Calculus Algorithm [18].
Similar to the RSA case, the Diffie-Hellman cryptosystem has no formal proof of
equivalence with the underlying hard problem. While it is clear that solving DLP would
break Diffie-Hellman, it is still unknown whether the opposite is also true, despite
some evidence that this may be the case [19].
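The exchange of Section 6.2 as an added example (not code from the paper): both users' messages in the multiplicative group modulo a prime, the shared key each side derives, and the exhaustive-search discrete logarithm an eavesdropper would face, whose step count grows with the group size. The group parameters are constructed toy values (a 5-bit and a 31-bit prime), far below the sizes the text requires; the function names are mine.

```python
import math
import secrets


def dh_keypair(p, g, randbelow=secrets.randbelow):
    """One party's private exponent x in [2, p-2] and public value g^x mod p."""
    x = 2 + randbelow(p - 3)
    return x, pow(g, x, p)


def dh_shared(p, peer_public, private):
    """Shared key: (g^y)^x = (g^x)^y mod p."""
    return pow(peer_public, private, p)


def dh_exchange(p, g):
    """Run the protocol between two users with no prior shared secret.
    Only p, g, A and B travel over the insecure channel; returns that transcript plus the key."""
    a_priv, a_pub = dh_keypair(p, g)     # user A sends A = g^a mod p
    b_priv, b_pub = dh_keypair(p, g)     # user B sends B = g^b mod p
    k_a = dh_shared(p, b_pub, a_priv)
    k_b = dh_shared(p, a_pub, b_priv)
    assert k_a == k_b                    # both sides derive the same key
    return {"p": p, "g": g, "A": a_pub, "B": b_pub, "key": k_a}


def brute_force_dlog(g, h, p):
    """Solve g^x = h (mod p) by exhaustive search.  Returns (x, steps); steps is
    at most the group order, i.e. about 2^n for an n-bit prime: exponential in n."""
    x, value = 0, 1
    while value != h:
        if x >= p:
            return None, x               # h is not in the subgroup generated by g
        value = value * g % p
        x += 1
    return x, x


def eavesdrop(transcript):
    """What a passive observer of the public transcript must do: solve the DLP for A."""
    p, g = transcript["p"], transcript["g"]
    a, steps = brute_force_dlog(g, transcript["A"], p)
    return dh_shared(p, transcript["B"], a), steps


if __name__ == "__main__":
    toy = dh_exchange(23, 5)             # constructed 5-bit toy group: the DLP is instant
    key, steps = eavesdrop(toy)
    print(f"toy p=23: recovered key {key} == {toy['key']} after {steps} steps")
    real = dh_exchange(2 ** 31 - 1, 7)   # 31-bit prime: still far below the >= 1024 bits the text requires
    print(f"{math.log2(real['p']):.0f}-bit modulus: exhaustive search needs up to 2^31 steps")
```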

7. Relations between IFP, DLP and PP

IFP and DLP share some interesting features. With regard to size, when we consider
DLP for natural numbers, the size of the modulus used for IFP and for DLP is the same
for an equivalent security level (>= 1024 bits for today’s computation power). With
regard to security, both of them are believed to be intractable, but there is no formal
proof for this.
However, it is interesting to observe that solving DLP would lead to the solution of
IFP [20], while there is no evidence of the opposite.
The third considered problem, PP (Primality Problem), is evidently linked to IFP.
While solving IFP (factoring a number) immediately solves PP, the opposite is not true
at all. Determining the primality of a number is by far easier than finding its factors and
actually provides no way to do it. With regard to asymmetric algorithms, this means
that improving the existing primality tests (either deterministic or probabilistic) does
not lead to any threat to public-key systems like RSA or Diffie-Hellman.

Conclusions

In this paper we have presented a short overview of the main tools available in modern
cryptography, with special emphasis on the most used public-key algorithms (RSA,
Diffie-Hellman) and their related mathematical problems. These problems have been
considered principally from a complexity theory point of view, since their complexity
has an impact on their efficiency (primality problem) and on their security
(factorisation problem, discrete logarithm problem). Furthermore, links between the
different problems have been described and discussed.

References

[1] W. Diffie, M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory,
vol. IT-22, Nov. 1976, pp. 644-654
[2] A.J. Menezes, P. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
[3] A. Shamir, R. Rivest, L. Adleman, Mental Poker, Technical Report LCS/TR-125, Massachusetts
Institute of Technology, April 1979
[4] Recommendation for Block Cipher Modes of Operation: Methods and Techniques, NIST Special
Publication 800-38A, 2001 Edition
[5] Advanced Encryption Standard (AES), FIPS PUB 197, November 2001
[6] The Keyed-Hash Message Authentication Code (HMAC), FIPS PUB 198, March 2002
[7] Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, NIST
Special Publication 800-38B, May 2005
[8] A.M. Odlyzko, The rise and fall of knapsack cryptosystems, in C. Pomerance (ed.), Cryptology and
Computational Number Theory, Proceedings of Symposia in Applied Mathematics, vol. 42, American
Mathematical Society, 1990, pp. 75-88
[9] R.J. McEliece, A public key cryptosystem based on algebraic coding theory, DSN Progress Report 42-44,
Jet Propulsion Laboratory, Pasadena, 1978
[10] R.L. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Digital Signatures and Public Key
Cryptosystems, Communications of the ACM, vol. 21, no. 2, Feb. 1978, pp. 120-126
[11] R.P. Brent, Recent Progress and Prospects for Integer Factorisation Algorithms, Computing and
Combinatorics, 2000, pp. 3-22
[12] D. Aggarwal, U. Maurer, Breaking RSA Generically is Equivalent to Factoring, eprint.iacr.org/
2080/260
[13] M.O. Rabin, Digitalized signatures and public key functions as intractable as factorization, MIT/LCS/
TR-212, MIT Laboratory for Computer Science, 1979
[14] A.K. Lenstra, H.W. Lenstra, Jr. (eds.), The development of the number field sieve, Lecture Notes in
Mathematics, vol. 1554, Springer-Verlag, 1993
[15] R.M. Solovay, V. Strassen, A fast Monte-Carlo test for primality, SIAM Journal on Computing 6 (1),
1977, pp. 84-85
[16] G.L. Miller, Riemann's hypothesis and tests for primality, Journal of Computer and System Sciences,
13 (1976)
[17] M. Agrawal, N. Kayal, N. Saxena, PRIMES is in P, Annals of Mathematics 160 (2004), no. 2, pp. 781-793
[18] O. Schirokauer, D. Weber, T. Denny, The effectiveness of the index calculus method, Algorithmic
Number Theory, Lecture Notes in Computer Science, vol. 1122, 1996
[19] U. Maurer, Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete
Logarithms, CRYPTO '94, Lecture Notes in Computer Science, vol. 839
[20] E. Bach, Discrete logarithms and factoring, Report no. UCB/CSD 84/186, Computer Science Division
(EECS), University of California, Berkeley, June 1984
68 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-68

Intrusion in a Mission Critical Network: A Tutorial on Intrusion Detection Systems
and Intrusion Prevention Systems
Dario A.M. SGOBBI, Marco PAGGIO
Italian Navy

Abstract. Both Intrusion Detection Systems (IDS) and Intrusion Prevention
Systems (IPS) are technologies that will help to enhance the security environment
of private sector companies and government agencies. These technologies provide
visibility and also offer many other benefits related to the network monitoring
activity. The IDS and IPS provide the real time monitoring of network activity,
while at the same time allowing the relevant information to be stored in
order to perform data analysis and/or reporting at a later date. In the
decision-making process, visibility has an important role since it allows a security policy,
based on quantifiable real world data, to be envisaged. The Intrusion Detection
technologies, and, specifically, the host-based and network-based technologies, are
divided into two categories depending on which technique is used to detect
security events. The first is the Anomaly-Based technology, which is based upon
behaviour, and the second is the Signature-Based technology, which is based upon
knowledge. IPS and IDS technologies are only two of the many resources that can
be deployed to increase visibility and control in a complex and critical network
infrastructure. With these two technologies, the network will have a perimeter and
core defence that can combat zero day attacks and counter existing threats, as well
as being able to render activity in the internal network visible and be capable of
providing forensic analyses.

Introduction

Security is the process of maintaining an acceptable level of perceived risk. As Dr.
Mitch Kabay wrote in 1998, “Security is a process, not an end state”, or as Bruce
Schneier wrote, “security is a process, not a product”.
The security process revolves around four steps: assessment, protection, detection
and response.
D.A.M. Sgobbi and M. Paggio / Intrusion in a Mission Critical Network 69

• Assessment: the preparation phase for the other three steps. Stated as a
separate action, it deals with policies, procedures, regulations and other
managerial duties.
• Protection: the application of countermeasures that aim at reducing
possible compromising events.
• Detection: the intrusion identification process, where intrusion is
understood as a policy violation or computer security incident.
• Response: the process that validates the findings of the detection phase
and takes steps to remediate intrusions. Response activities include “patch and
proceed” as well as “pursue and prosecute”.

1. Concepts Related to Risk

Risk is the possibility of suffering harm or loss. Risk is a measure of the existing threat
to an asset. The asset is anything of value, which in the security context could refer to
information, hardware or intellectual property. Risk is frequently expressed in terms of
a risk equation, where:

RISK = THREAT x VULNERABILITY x ASSET VALUE

• Threat: a party having the capabilities and intentions to exploit the vulnerability
of an asset. The Federal Bureau of Investigation (FBI) categorises threats into
“Structured Threats” and “Unstructured Threats”.
    • The “Structured threats” are foes with a formal methodology and a defined
    target. They include economic spies, organised criminals, terrorists,
    foreign intelligence agencies, etc.
    • The “Unstructured threats” do not have a methodology; their action is more
    likely to compromise their victims out of intellectual curiosity.
    Unstructured threats include crackers, malware without a defined target
    and malicious insiders who abuse their status.
• Vulnerability: the weakness in an asset that could become the object of
exploitation. Vulnerabilities may be introduced into assets through poor
design, implementation or containment. Poor design is the responsibility of
the asset designer. A firm producing buggy code will create weak products,
and possible attackers will be able to take advantage of any architectural
weakness in the software. Implementation, i.e. deployment and configuration,
is the responsibility of the customers (or their consultants) who deploy a given
product, and not of the manufacturers. Containment
refers to the ability to reach beyond the intended use of the product. A good
software product should perform its intended function and no more.
• Asset value: the value of the asset is the amount of time and resources that
would be necessary for its substitution or to restore it to its former state. The
value of an asset may also refer to the organisation’s reputation or the public’s
trust in the organisation.

2. Detection

Both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are
technologies that will help to enhance the security environment of private sector
companies and government agencies.
These technologies provide visibility and also offer many other benefits related to
the network monitoring activity. The IDS and IPS provide the real time monitoring of
network activity, while at the same time allowing the relevant information to
be stored in order to perform data analysis and/or reporting at a later date. In the
decision-making process, visibility has an important role since it allows a security
policy, based on quantifiable real world data, to be envisaged.
Another main aspect that ought to be kept in mind, is network control; IPS
technology provides active network control capability. Control is the key to
enforcement and makes it possible to enforce compliance with security policy.

3. Intrusion Detection Systems (IDS)

Intrusion detection is the art of identifying inappropriate, incorrect or anomalous
activity on a network. IDS may be used to determine an unauthorised intrusion of a
computer network or a server.
Intrusion Detection technologies include the following:

• Host-based Intrusion Detection Systems (HIDS). In this solution, data from
each host are used to detect signs of intrusion. The HIDS alerts the
administrator in the presence of a violation of the pre-set rules.
• Network-based Intrusion Detection Systems (NIDS). In network-based IDS,
the correlation between the implementation data and several host or network
traffic patterns permits signs of intrusion to be detected.
• Security Information Management (SIM). This kind of solution has the ability
to correlate data from multiple sources (log files, IDS, network management,
router logs, etc.) in order to produce a comprehensive representation of
intrusion activity within a network.

Basically, the Intrusion Detection technologies, and, specifically, the host-based
and network-based technologies, are divided into two categories depending on which
technique is used to detect security events. The first is the Anomaly-Based technology,
which is based upon behaviour, and the second is the Signature-Based technology,
which is based upon knowledge.

4. Anomaly-Based IDS

Anomaly-based IDS, also known as behaviour-based IDS, apply various forms of logic
in order to detect security events. Such applications try to establish what a “normal”
profile for system or network behaviour is, and then identify any
deviations from this profile. A profile is generally established through a modelling
process that has been incorporated into the IDS. To a significant extent, this means that
all behaviour-based IDS systems apply “normalisation” theory to event detection in
spite of the differences in how a base profile is developed.
In anomaly-based IDS, the following logic may be implemented:

• Statistical anomaly-based. In this solution, initial behaviour profiles are
generated, but additional statistics are gathered and compared to the initial
profiles. As the amount of data variation between the original and current
profiles increases, the IDS can fine-tune the initial profile accordingly. This
means that the IDS is learning from its environment.
• Predictive pattern generation. This kind of technology feeds information on
past security events into the context for current event analysis, and based on
the aforementioned past security events, defines patterns that may represent
malicious activity, while at the same time performing some statistical analysis
in order to eliminate false positives or false negatives.
• Mean and standard deviation model. In this case, the IDS uses profiles that
model the behaviour of users, applications, systems or networks based on
previous events. So, for example, in a network, if a service that is accessed
50 times a day undergoes a change in its behaviour, a threshold will be crossed
and generate the alert.
• Time series modelling. The time series modelling system uses time criteria to
develop a profile for normal user, application, network and system behaviour
and then flags events that exceed the time-based profile.
Collectively, these techniques result in behaviour-based IDS solutions that have the
ability to model normal user, application, system or network behaviour and to report
events that fall outside the “normalised” profile as security events. Behaviour IDS
solutions are generally considered to be more proficient than signature-based solutions
in detecting unknown or new forms of attack activity. This solution is also considered
to be more effective for detecting privilege abuse and other forms of user application
activity that are more difficult to detect with signature-based, vulnerability-focused
IDS.
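The mean-and-standard-deviation and time-series models described above, as an added example that is not code from the paper: a daily access-count profile for a service seen about 50 times a day, alerting when a day deviates by more than a threshold number of standard deviations and folding benign days back into the profile, plus a working-hours window learnt from history. The log data, class and function names are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed baseline: accesses per day to one service over a two-week learning period.
BASELINE_DAILY_COUNTS = [48, 52, 50, 49, 51, 53, 47, 50, 52, 49, 51, 50, 48, 50]
# Constructed access timestamps (HH:MM) seen during the same period.
BASELINE_TIMES = ["08:05", "09:30", "12:10", "14:45", "17:55", "11:20", "16:00"]


class CountProfile:
    """Mean and standard deviation model of a numeric behaviour (here: accesses per day)."""

    def __init__(self, history, threshold_sigmas=3.0, min_sigma=1.0):
        self.history = list(history)
        self.threshold_sigmas = threshold_sigmas
        self.min_sigma = min_sigma   # floor so a perfectly flat baseline still tolerates small noise

    def baseline(self):
        return mean(self.history), max(pstdev(self.history), self.min_sigma)

    def zscore(self, count):
        mu, sigma = self.baseline()
        return (count - mu) / sigma

    def observe(self, count, learn=True):
        """Return (alert, z).  Days that do not alert are folded into the profile,
        so the IDS keeps learning from its environment; alerting days are not."""
        z = self.zscore(count)
        alert = abs(z) > self.threshold_sigmas
        if learn and not alert:
            self.history.append(count)
        return alert, z


def learn_active_hours(times):
    """Time-based profile: the (first, last) hour of day in which the service was used."""
    hours = [int(t.split(":")[0]) for t in times]
    return min(hours), max(hours)


def off_hours(time, window):
    """True when an access falls outside the learnt hour window."""
    hour = int(time.split(":")[0])
    return not (window[0] <= hour <= window[1])


def run_demo():
    """Replay a constructed stream of (day, daily count, one access time); return alerts."""
    profile = CountProfile(BASELINE_DAILY_COUNTS)
    window = learn_active_hours(BASELINE_TIMES)
    stream = [("day15", 52, "10:15"), ("day16", 49, "15:40"),
              ("day17", 900, "13:00"), ("day18", 51, "03:12")]
    alerts = []
    for day, count, t in stream:
        alert, z = profile.observe(count)
        if alert:
            alerts.append((day, "count", round(z, 1)))
        if off_hours(t, window):
            alerts.append((day, "off-hours", t))
    return alerts


if __name__ == "__main__":
    mu, sigma = CountProfile(BASELINE_DAILY_COUNTS).baseline()
    print(f"baseline: {mu:.1f} accesses/day, sigma {sigma:.2f}, hours {learn_active_hours(BASELINE_TIMES)}")
    for a in run_demo():
        print("alert:", a)
```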

5. Signature-based IDS

This kind of IDS system uses predefined attack signatures to detect security events and
report anomalous behaviour. The signature definitions may represent known system or
network vulnerabilities or known patterns of malicious activity. Normally, the vendor
provides automatic updates to the signature database and the administrator may define
or edit the signature. Of course, this kind of technology is less suitable for identifying
new or unknown attacks.
In signature-based IDS, the following logic is implemented:
• State transition analysis. This system works by establishing a series of states
that represent attack activities. These states are, for example, reconnaissance,
mapping, penetration, etc. Detection involves assessing the system or the
network activity against these states that have been defined through the use of
signatures.
• Model-based reasoning. These techniques are more closely representative of
behaviour-based IDS but are administrator driven. This kind of IDS generally
uses some form of predicting logic to determine which patterns of activity to
search for and in which resources to search; the IDS keeps accumulating this
information until an alert threshold is reached and then an alert is generated.
The main difference between the two technologies is that signature-based detection
exploits known signatures that describe malicious activities, whereas anomaly-based
detection considers all “non-normal” activities as malicious.
Signature-based IDS is currently more widely implemented than behaviour-based
IDS, since it is perceived to be easier to adapt to a specific system or network
environment and its known vulnerabilities.

6. IDS Implementation Remarks

One of the main concepts in the deployment of IDS is that this is a useful tool for
capturing information and providing visibility in a network. For critical infrastructures
that have an added need for full visibility, it is common to install IDS devices in all the
primary network points in order to provide visibility internally as well as externally.
This kind of deployment provides the data needed to track down potential internal
threats as well as those posed to the network from the outside.
Another concern about IDS deployment is the performance factor. Today, IDS
solutions have come a long way in design and use of high performance components
that help ensure the greatest amount of data capture. In any case, even with the higher
performance components, it is well known that current IDS implementation has the
tendency to drop packets, due to the high throughput of today’s high bandwidth
network devices. Performance is one of the primary key issues in IDS deployments.
Encrypted traffic is another point to bear in mind, since IDS do not currently have
the ability to decrypt packets, thus blinding the security administrators as to what is
coming into and going out of a mission critical network. The use of VPNs and other
encrypted data streams increases the need to bring solutions like IPS to the perimeter.

7. Intrusion Prevention Systems (IPS)

Combining the blocking capability of a firewall with the deep packet inspection
of the IDS, we obtain a new barrier: Intrusion Prevention Systems. Still
today there are many definitions for IPS and many views on what the requirements for
IPS implementation should be. Some people suggest that IPS is the evolution of IDS
and that IDS is a technology that will eventually disappear. There are companies that
are combining multiple technologies to enable organisations to improve the level of
protection of their networks through a combination of passive network discovery,
behavioural profiling, and integrated vulnerability analysis to deliver the benefit of real
time network profiling.
In many cases, the argument is that the decision to deploy IDS or IPS technology
much resembles that of the chicken and the egg.
As organisations start to realise the potential savings associated with preventing
downtime caused by the almost weekly worm or virus attacks, they will be more
inclined to adopt measures like IPS.
IPS and IDS technologies can and should coexist. IPS technology
must be placed at the perimeter of the network, to help prevent zero day attacks such as
worms or viruses, using anomaly-based rules as well as signature-based inspection. The
adoption of IPS at the ingress/egress points of an organisation’s network will help
ensure that both new and previously identified threats are dropped at the perimeter.
Therefore, IPS deployment along the outer portion of the network will provide the
preventive measures and control needed to counter new and existing threats, while
including IDS on the inside of the critical network nodes will provide visibility and
confirmation of inside activity.
IPS and IDS technologies are only two of the many resources that can be deployed
to increase visibility and control in a complex and critical network infrastructure.
In fact, an exhaustive approach to the topic of security, which is beyond the scope
of this paper, should take the concept of Defence in Depth into account. The Defence in
Depth approach has been presented in many papers and books. Its underlying idea is to
provide multiple levels of security, defending a system against any particular attack by
using several, varying methods. It is a layering tactic, conceived by the National Security
Agency (NSA) as a comprehensive approach to information and electronic security.

Conclusion

Winning the challenge of security and service availability is a priority for mission
critical networks that provide real-time services like Voice over IP and other strategic
services. Choosing the appropriate security architecture solution is the most important
target for mission critical networks. The use of both the discussed technologies, IDS
and IPS, will positively influence an organisation’s security posture. IPS at the border
of the network will increase the visibility and the control of intrusions and attacks. IDS,
used to monitor the internal network, will provide the least intrusive method
for identifying possible internal threats. With these two technologies, the network will
have a perimeter and core defence that can combat zero day attacks and counter
existing threats, as well as being able to render activity in the internal network visible
and to provide forensic analyses.

Modelling Cyber Security: Approaches, Methodology, Strategies 75
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-75

A World-Wide Financial Infrastructure to Confront Cyber Terrorism
Dr. Paolo CAMPOBASSO
UniCredit Group

Abstract. Considering that one of the most dynamic and attractive segments of the
commercial world is the financial sector, it naturally becomes a favourite target for
information warfare, due to the direct impact an attack on this sector could have on
economic stability. Our reliance on infrastructures that support the use of
information is subject both to being used for violence itself and to being the target
of violent acts; industries such as broadcasting, banks, stock markets, and
telecommunication companies are dependent on technologies, and a disruption of
their systems can potentially cause serious harm to basic societal interests. All
corporate leaders must be aware of the diversity of potential attacks and should
plan and implement measures to defend their organisations. In order to assure
secure information exchange between business partners, it is mandatory that all
involved parties secure their business environments by implementing the
appropriate security measures. There is need for international response wherein the
authorities and organisations alike use military expertise as consultancy or
knowledge transfer in order to establish appropriate frameworks.

In today’s world, we are becoming more dependent on communications and
information technologies than ever before. Accurate and timely information provides
competitive advantage; information systems technology makes our lives more efficient;
telecommunication systems and computers have global reach and support economic
infrastructures; information systems networks integrate economies, cultures and
societies. The growing reliance of our society on cyber technologies has increased our
exposure to dangerous sources of information warfare threats. The effect of any
disruption, manipulation or sabotage of these networked infrastructures goes far
beyond the directly attacked systems. We already perceive that information warfare has
moved beyond the military dimension – it has already begun to threaten the
commercial world as well. Considering that one of the most dynamic and attractive
segments of the commercial world is the financial sector, it naturally becomes a
favourite target for information warfare, due to the direct impact an attack on this
sector could have on economic stability. Our reliance on infrastructures that support the
use of information is subject both to being used for violence itself and to being the target
of violent acts; industries such as broadcasting, banks, stock markets, and
telecommunication companies are dependent on technologies, and a disruption of their
systems can potentially cause serious harm to basic societal interests.
Banking and financial services industries in general can be either the target of
violence or indirectly used as a form of support for an act of violence. On one
hand, banks have to defend themselves by protecting their infrastructures against cyber-
attacks and, on the other, they have to protect others by avoiding becoming a mechanism that
supports the perpetrators of violence. The frequency of international terrorist acts is
usually proportionate to the financing that terrorists are able to obtain. It is critical that
suspicious transactions are appropriately monitored and law enforcement is put in place
to target the financial sponsors of terrorist activities. Otherwise, financial institutions
can innocently fund terrorist groups through transfers of funds that are believed to be
76 P. Campobasso / A World-Wide Financial Infrastructure to Confront Cyber Terrorism

perfectly legitimate and, in this way, a financial organisation can unknowingly become
the technical support for violence.
Banking and financial services industries are key components in maintaining and
integrating economies, and, in turn, information technology is the heart of these
industries’ operations, now that the vast majority of all financial transactions are
made electronically. In this interconnected world, the organisations that provide
financial services are not the only ones that must implement measures against
organised crime and cyber threats. All corporate leaders must be aware of the diversity
of potential attacks – including organised crime, high-tech espionage, or cyber-attacks
that have been organised by individuals (hackers) or by groups that have been
sponsored by nation-states or even by business competitors – and should plan and
implement measures to defend their organisations. Nevertheless, corporate leaders must
be aware that in the context of a networked environment, the security of their
organisation depends on the security of others.
As mentioned earlier, in an interconnected world such as the one we have today, in
order to assure secure information exchange between business partners, it is mandatory
that all involved parties secure their business environments by implementing the
appropriate security measures. We all know that in security, through propagation, a
weak link in the chain can be exploited and used to compromise the information that
transits that chain.
Unfortunately, today it is not an exaggeration to say that every organisation is
faced with the threat of cyber attacks. Therefore, regardless of whether the threat level an
organisation might be faced with is high or low, it always needs to be taken seriously.
Building company defences will not always be enough to reduce threats. Often, more
extensive cooperation is required in order to provide a more consistent and effective
response to cyber threats.
In order to build a reliable defence system against cyber threats, three directions
should be considered:
- building solid corporate governance for the organisation;
- a joint approach of organisations against similar threats:
  • cooperation for response against cyber threats;
  • common prevention programs;
- world-wide cooperation:
  • there is a need for an international response which should include those
  countries that are currently safe havens for cyber-criminals; international
  cooperation between authorities against cyber-criminals will improve the
  capabilities of neutralising the sources from which the attacks originate;
  • using military expertise as consultancy or knowledge transfer in order to
  establish appropriate frameworks for conducting cyber warfare both
  offensively (aggressive defence) and defensively; in this respect
  collaboration protocols should be established with governments, which can
  in this way better support the private and public sectors in setting up such
  frameworks.
As is clearly illustrated above, the measures to be taken are not only local but also
regional and global. For example, because cyber crime and cyber terrorism are a trans-
national phenomenon, legal enforcement cannot be effective as long as it remains on an
exclusively local or regional level. This is particularly critical for large corporations
operating in foreign countries, which are subject to various national legal restrictions
that could possibly impact the overall protection strategy of the corporation itself.

Extended cooperation is also required to fight cyber-terrorism. Some experts consider
cyber-terrorism to be almost a myth, others consider it
an imminent threat. On the internet we can find evidence that cyber terrorist groups
exist and are active. Unfortunately, through web sites, it is possible for such
organisations to reach a public audience. In a direct quote, Raphael F. Perl stated: “There
are websites regularly visited by tens of thousands of persons where prominent terrorist
literature is made available and terrorist acts glorified. There are websites through
which “leaders” interact directly with their supporters, creating social bonds and
maintaining virtual communities, all of which can be later exploited to mobilise
support. There are websites hosting virtual training camps as well as online manuals on
how to assemble an explosive belt for instance or to create an explosive with everyday
life materials” [1]. Without a public audience, terrorism is limited. We all know that
terrorists are media dependent and the internet is used as a means to reach large
audiences. The size of the audience determines the amplitude of the impact terrorist
actions can produce on a given population. Through the media and especially the
internet, terrorists are able to reach a global audience. This global reach via the internet
enables terrorists to disseminate potential target intelligence amongst members in near
real time. Therefore, we must be aware of these new potential capabilities terrorists
have: Ignorance is not an option against cyber-terrorism.
Because a cyber-terrorist attack starts with a cyber-attack, regardless of our
perception of cyber-terrorism, we must defend our organisations against cyber-threats
by identifying and eliminating vulnerabilities and defending ourselves against possible
cyber-attacks. Nevertheless, we should not play the role of appeaser – “An appeaser is
one who feeds a crocodile, hoping it will eat him last.”1 The civilian/business world has
no experience in fighting cyber-terrorism and for this reason military knowledge in
cyber warfare ought to be shared with governments and the private and public sector in
order to improve overall defensive capabilities.
The global information infrastructure is the new supply chain for terrorist
organisations. Despite the efforts that the security industry has made in R&D, this
infrastructure remains vulnerable to cyber threats. What we need today is the awareness
that we have to secure ourselves, that our security also depends on others and that the
knowledge of threats and security expertise must be shared. Only through active
participation can we create an environment that reduces the risks of cyber threats,
including the risks of cyber terrorism.
Another aspect of information security that must be considered on a global basis
concerns security breaches and their reporting. Currently, efforts to collect and disseminate
information regarding security breaches are fragmented. One of the most important
aspects in developing a culture of security is to improve the knowledge of the problem.
This improvement can be achieved by increasing the diversity of available information,
which today is limited precisely because the collection of security breach data is fragmented. For
instance, establishing a centralised reporting structure, such as a Global Information
Security Centre or World Information Security Centre, would create a database of
aggregated information that could be shared in a unified format and be available to
governments and organisations world-wide. Such a source of information is extremely
valuable for an organisation preparing its measures against cyber-attacks.
The complexity of the business world, and the threats it is faced with, makes it
clear that the military, law enforcement and the private sector must work even more
closely together than they are today, since none of these parties is likely to have full
and comprehensive knowledge of all security aspects and all of the different types of

1 Sir Winston Churchill, Reader’s Digest, December, 1954



security threats that the various actors must deal with today. Without a full picture and
a joint approach, we limit our response capabilities in the face of cyber crimes.
UniCredit is sensitive to these issues and actively promotes cooperation with national
and international actors; it aims at exchanging knowledge and expertise, to improve
overall awareness of, and response capability to, crimes. Like, possibly, other large players,
UniCredit is already active in this area of cyber defence, and practical returns are
expressed in terms of improved awareness, prevention capabilities, and loss reduction.
Through the implementation of a security model based on international standards and
best practices, having reliable AML in place along with anti-fraud mechanisms, and by
continuously improving its prevention levels and its detection and response
capabilities, UniCredit Group achieves excellent results in minimising losses.

References

[1] Raphael F. Perl, Head of the OSCE Action against Terrorism Unit. Remarks on “Terrorist
Use of the Internet” at the Second International Forum on Information Security. April 2008.
[2] Sir Winston Churchill, Reader’s Digest, December 1954.
[3] Nain D., Donaghy N., Goodman S. The International Landscape of Cyber Security. In: Straub D.,
Goodman S., Baskerville R. (eds.) Information Security: Policy, Processes, and Practices. M.E. Sharpe,
New York, 2008.
[4] INTERPOL Information Technology Crime. 2008. http://www.interpol.int/Public/TechnologyCrime/default.asp
[5] INTERPOL Information Technology Crime. IT security and crime prevention methods. 2008.
http://www.interpol.int/Public/TechnologyCrime/CrimePrev/ITSecurity.asp
[6] Creating a Safer Information Society by Improving the Security of Information Infrastructures and
Combating Computer-related Crime. Communication from the Commission to the Council, the
European Parliament, the Economic and Social Committee and the Committee of the Regions. 2000.
http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=COMfinal&an_doc=2000&nu_doc=890
[7] CORDIS ICT Challenge 1: Pervasive and Trusted Network and Service Infrastructures. Information and
Communication Technologies. 2008. http://cordis.europa.eu/fp7/ict/programme/challenge1_en.html
[8] Countering the Use of the Internet for Terrorist Purposes, Decision No. 7/06. Organization for Security
and Co-operation in Europe. 2006. http://www.osce.org/documents/mcs/2006/12/22559_en.pdf
[9] Cyber threat on the rise as terrorists recruit computer specialists, says OSCE expert. Secretariat –
Action against Terrorism Unit. Organization for Security and Co-operation in Europe Press Release.
April 10, 2008. http://www.osce.org/atu/item_1_30591.html
[10] Security, Trust, and Data protection. ISSS (ICT). European Committee for Standardization. 2008.
http://www.cen.eu/cenorm/sectors/sectors/isss/activity/securitytrustdpp.asp
[11] Cyber Security. Inter-American Committee Against Terrorism. Organization of American States. 2006.
http://www.cicte.oas.org/Rev/En/Programs/CyberSecurity.asp
[12] Resolution: Date and Venue of the Ninth Regular Session of the Inter-American Committee against
Terrorism. CICTE/RES. 1/08 Cyber Security. Inter-American Committee Against Terrorism.
Organization of American States. March 7, 2008. http://www.cicte.oas.org/Rev/En/Documents/Resolutions.asp
[13] Best Practices in Security Governance. Aberdeen Group, USA. 2005.
[14] Allen, Julia. Governing for Enterprise Security. Carnegie Mellon University, USA. 2005.
[15] Privacy Framework Principles and Criteria, USA and Canada. American Institute of Certified Public
Accountants/Canadian Institute of Chartered Accountants. 2005.
[16] Hallawell, Arabella. Gartner Global Security and Privacy Best Practices. Gartner Analyst Reports,
USA. 2004. www.csoonline.com/analyst/report2332.html
[17] Microsoft Windows Malicious Software Removal Tool disinfections by category, 2H05-2H07.
[18] CSI Computer Crime and Security Survey Report. 2008.
[19] IBM Internet Security Systems X-Force Report. 2007.
Modelling Cyber Security: Approaches, Methodology, Strategies 79
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-79

A Pragmatic and Foolproof Approach for Connecting Critical/Industrial Networks to
External Less Secure Networks
Esti PESHIN
CEO, Waterfall Security Solutions Ltd.
info@waterfall-security.com

Abstract. Critical Networks monitor and control the most valuable assets of
national and homeland security and usually refer to operational, real-time
networks. Ecosystems involving Critical Networks, on the other hand, often
include inter-connections with external, Less Secure Networks.
There is a constantly increasing demand to connect Critical Networks to Less
Secure Networks or ecosystems in order to enable more business processes and
improve business continuity and day to day operations.
This paper describes three models of ecosystems that involve Critical Networks
and Less Secure Networks, in which the role of the Critical Network differs within
each of the proposed ecosystems:
1. Production/DCS (Data Control System) Network - An Industrial (Critical)
Network (for example, an oil refinery) which is monitored by a Business
Network within the organisation.
2. Remote Infrastructure Management – Assets (for example, data centres)
within a Critical Network that are monitored by a third party support centre
(for example, equipment vendors).
3. Lawful Interception – A Critical Network that monitors assets within
External Networks (for example, Service Providers, Telecomm Operators).
This paper analyses the IT Security threats inherent to the above ecosystem
models. It describes the pros and cons of the existing IT Security approaches for
mitigating these threats, and presents a novel pragmatic approach that can
completely eliminate these risks, while maintaining the business processes that
require inter-connectivity.

Keywords. Unidirectional connectivity, Waterfall, One Way Link, Critical
National Infrastructures (CNI), Critical Infrastructures Protection (CIP), Critical
Networks, SCADA, Lawful interception (LI), hacking, cyber attacks, segregation
topology, Remote Infrastructure Management (RIM), Secure Manual Uplink
(SMU)
80 E. Peshin / A Pragmatic and Foolproof Approach for Connecting Critical/Industrial Networks

Introduction

Critical National Infrastructure (CNI) is a term used by governments to describe assets
that are essential for the country’s society and economy to function. Electricity
generation, gas and oil production, telecommunications, water supply, food production
and distribution, public health, transportation, financial services and security services
are those facilities which are most commonly associated with the term. Governments
employ a Critical Infrastructures Protection (CIP) concept to address their preparedness
and response capabilities to serious incidents involving CNIs.
Naturally, CNIs are tempting high-profile targets for hostile and terror-related
activities. In recent years, cyber-terror, cyber-crime and cyber-warfare are the new
emerging threats for Critical Networks, which are the heart and soul of Critical
National Infrastructures. These threats are here to stay, and thus, Critical Networks’
operators must adapt to this situation by adopting new mind-sets and implementing
modern methods, technologies and solutions to mitigate and eliminate the potential
damage of an attack.
One of the most vulnerable points of Critical Networks is their connections to
external less secure networks, whether these are within the organisation itself (e.g. the
organisation's business network), a public network (e.g. the internet), or a third-party
network.
By reviewing just a few of the numerous articles and reports recently published in
the electronic and written media, one can observe the security and operational risks that
these threats entail:

Cyber Terror
“CIA Confirms Cyber Attack Caused Multi-City Power Outage: We have
information that cyber attacks have been used to disrupt power equipment in several
regions outside the United States. In at least one case, the disruption caused a power
outage affecting multiple cities. We do not know who executed these attacks or why, but
all involved intrusions through the Internet.”
(SANS Organization - January 18, 2008 - www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=5&rss=Y)

Cyber Crime
“Federal prosecutors have charged 11 people with stealing more than 41
million credit and debit card numbers, cracking what officials said on Tuesday
appeared to be the largest hacking and identity theft ring ever exposed. … Once the
thieves identified technical weaknesses in the networks, they installed so-called sniffer
programs, obtained from collaborators overseas.”
(New York Times – 5 August 2008)

Cyber Warfare
“While Russia and Estonia are embroiled in their worst dispute since the
collapse of the Soviet Union, a row that erupted at the end of last month over the
Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn, the
country has been subjected to a barrage of cyber warfare, disabling the websites of
government ministries, political parties, newspapers, banks, and companies.”
(The Guardian, May 17, 2007)

For obvious IT security reasons, it would be best to completely segregate Critical
Networks from any external Less Secure Networks. Yet, typically, Critical Networks
are part of ecosystems that interconnect multiple networks of varying ownership, and
varying levels of control and security. This interconnection to external Less Secure
Networks is essential for the operation of the Critical Network and the Critical National
Infrastructure.
This article provides a detailed description of models of ecosystems that involve
Critical Networks, the IT security threats inherent to the ecosystems, and the pros and
cons of the existing IT security approaches for mitigating those threats.
The article will further present a novel pragmatic approach that completely and
permanently eliminates these risks, without reducing the functionalities and services of the
Critical Network within the ecosystem.

1. Typical Ecosystems Involving Critical Networks

1.1. Production/DCS Network

A production/DCS network is commonly located within a Supervisory Control and
Data Acquisition (SCADA) system. It consists of a Control Centre, which is
connected to sensors, actuators and controllers that monitor elements and processes
within the system.
The Control Centre (a.k.a. Master) is typically a large and complex network, which
includes vast information storage capability as well as analysis and display capabilities.
The control centre is usually operated around the clock and is required to provide a
constant real-time view of the production line status.
Production/DCS networks are commonly interconnected with an organisation’s
Business Network. It is through the latter that updates are sent to different functionaries
within the organisation and, sometimes, to external ones (for example, a power plant
that is required to provide real-time updates to large customers about the production
status and faults). The Business Network, in turn, is also typically connected to the
Internet.

Figure 1. Typical DCS network topology



1.2. Remote Infrastructure Management (RIM)

Remote Infrastructure Management (RIM) is the remote support and management of
various IT services that are related to infrastructure support from third-party global
sites. The service includes health-monitoring, support, administration, maintenance,
troubleshooting, and performance enhancement of networks and network elements,
such as data centres, communication equipment, production equipment and more.
Organisations tend to favour RIM, since it reduces costs and increases
productivity. Some equipment vendors are offering attractive SLA (Service Level
Agreements) packages that are based on RIM, and some are not even inclined to offer
long term SLAs without RIM.
However, RIM intrinsically requires an interconnection to exist between the
monitored equipment and the third-party support/monitoring centre. The same remote
centre usually monitors many pieces of equipment within a set of different networks.

Figure 2. Typical Remote Infrastructure Management (RIM) topology

If a Critical Network includes remotely monitored equipment, it consequently
becomes part of an ecosystem that involves the third-party Monitoring Network and
ALL of the additional networks that are connected to the same Monitoring Network.
The different networks that are part of this ecosystem are not controlled by the
same organisation. Hence, an organisation agreeing to have the equipment within its
Critical Network remotely monitored, in fact, exposes its Critical Network to external
networks that may or may not be less secure than its own Critical Network, and, in any
case, that are not under its control.

1.3. Lawful Interception

Lawful interception (LI) is the process by which Law Enforcement Agencies (LEAs)
and Security Organisations legally obtain real-time communication intercepts from the
communications of suspects and criminals. In particular, this involves interconnecting
the Critical Network at the LEA facility, where the information is gathered and
analysed, to the Service Provider’s networks, from where the information is obtained.

Interconnection is mandatory, since it is the only way in which the LEA can obtain
the necessary information in real-time.

Figure 3. Typical Remote Infrastructure Management (RIM) topology

It is not uncommon for a single LEA network to be connected to multiple Service
Provider sites that differ in ownership and in their security level. As a result, an
ecosystem may be formed with the LEA network at its base, where various service
providers are linked together. Each of these has its own security provisions and
concerns.

1.4. Ecosystems with External Connections

As mentioned above, external connections from/to Critical Networks are a necessity,
because they enable the network to meet its business and operational demands.
The main reasons why a Critical Network is required to have external connections
are:
• Sending updated information and system alerts to a Business Network – an
intra-organisation ecosystem.
• Sending monitoring information from the Critical Network to equipment
vendors or system integrators (for example, for Remote Infrastructure
Management) – an ecosystem where the Critical Network is a node.
• Monitoring third-party networks/assets via a Critical Network (for example,
for Lawful Interception) – an ecosystem where the Critical Network is the
root.
The vast majority (if not all) of the external connections are IP-based, usually over
LAN or WAN. This is true even for partially IP-based Industrial Networks.

1.5. Why Are External Connections a Major Risk?

- Because an attacker will first try the path with the best cost/performance ratio!

Let's assume, for the sake of simplicity, that a criminal or terrorist entity wants to
penetrate an electric plant's Production/DCS Industrial network.
Scenario I: The entity tries to hack into the plant's Industrial network via one of
the sensors or controllers, or even by tapping into the medium network (which can
be wireless) – a physical-access attack.
Scenario II: The entity tries to hack into the Industrial network via a connection
that the network has to a third-party over the internet – an online attack.

Both scenarios are theoretically feasible, but:

Scenario I requires that:
1. The attacker have physical access to a network element, or be geographically
close to the network.
2. The attacker have preliminary inside information regarding the specific
network elements, with specific and wide detail level (which sensor/controller,
of which vendor/model/version/etc...).
3. The attacker have a deep understanding of Industrial networks (for example,
SCADA protocols).
4. The attacker have proprietary tools, sometimes hardware-based, to facilitate
the attack.
On the other hand, Scenario II is possible with:
1. No need for physical proximity to the Industrial network; it can even be done
remotely.
2. Minimal (sometimes no) preliminary information requirements of the specific
Industrial network (for example, SCADA protocol). The entity only needs
information about the external connection.
3. Minimal, even superficial, knowledge about Industrial networks.
4. A wide variety of available "off-the-shelf" hacking tools and techniques,
accompanied by a large and easily accessible knowledge base and know-how
about the vulnerabilities and exploitable weaknesses of IT infrastructures,
network appliances, servers and applications.
This means that in terms of efforts, costs, complexity and technical expertise, it is
much more cost effective to successfully execute a scenario II type attack – hack the
Critical Network via an (IP) external connection.

2. A Secure Solution for External Connectivity

2.1. Why Not Deploy Standard IT-Security Solutions?

Considering the sensitivity of Critical Networks, the potential damage that could be
caused by an attack, and the high levels of motivation that exist to attack them, a solution
for protecting the external connections should provide ultimate security while having
little or no effect on the business and operational requirements.
Standard IT security solutions and technologies such as firewalls, content filters
and intrusion detection and prevention (IDP) systems, while good enough for most
organisations and users, are not sufficient for securing external connections to Critical
Networks.
Firewalls are circumvented on a daily basis, content filters are bypassed, and IDP
systems detect mainly known attacks. There is an abundance of security patches and
software updates being produced and installed on a daily basis, which only keep the
security products up-to-date for yesterday's attacks and vulnerabilities.
As for Critical Networks, standard IT security measures are insufficient, primarily
because they are:
• Software-based and running over an operating system – subject to bugs,
software vulnerabilities and online hacking and penetration
• Configurable – many security products are partially configured or configured
poorly
• Partial – none of which provides, by design, 100% security
To emphasise the extent of the risks, below is a risk-analysis table detailing the
probability and severity of security threats in the three types of ecosystems that are
protected by software-based security solutions.

2.2. Risk Analysis – Ecosystems protected by Standard IT Security solutions

Table 1. Risk Analysis – Ecosystems protected by standard IT Security solutions

Threat | Description | Severity (1-5 highest) | Probability (1-5 highest)
       |             |                        | Production/DCS | RIM | LI
Online Data leakage | Online access to CN (Critical Network) from Internet via the EN (External Network) | 5 | 4 | 3 | 3
Physical Data leakage (EN) | Access to CN after gaining physical access to the EN site and accessing the EN | 5 | 4 | 4 | 4
Physical Data leakage (CN) | Access to CN after gaining physical access to the CN site | 5 | 1 | 1 | 1
Online attack | Compromise of CN from Internet via the EN | 5 | 4 | 3 | 3
Physical-access attack (EN) | Compromise of CN after gaining physical access to the EN site and accessing the EN | 5 | 2 | 4 | 4
Physical-access attack (CN) | Compromise of CN after gaining physical access to the CN site | 5 | 1 | 1 | 1
Interlinking (EN to EN) | Compromise of an EN site after gaining access (online or physical) to another EN site connected to the same CN | 5 | N/A | N/A | 3
Interlinking (CN to CN) | Compromise of a CN site after gaining access (online or physical) to another CN site connected to the same EN | 5 | N/A | 3 | 3

2.3. Securing Critical Networks via Unidirectional Connectivity

Since the importance and sensitivity of Critical Networks is beyond question, a Critical
Network ought to be secured in the best way possible. Hence, imposing a segregation
topology seems to be the most obvious choice because it would leave the Critical
Network physically isolated from the External Networks while still enabling the
business processes to continue to function.
Implementing the connection of External Networks from or to the Critical Network
via real-time physical unidirectional gateways allows the complete and eternal
mitigation of all the above-mentioned IT security threats, while maintaining the
business processes within the ecosystem.

2.4. Waterfall One-Way TM

The Waterfall One-Way TM technology is today’s leading physical unidirectional
gateway, and allows data to be transmitted from a Transmitting Network to a
Receiving Network for which no return channel exists.
The Waterfall One-Way TM product consists of two elements – a TX Component
and an RX Component. Each element includes a unique hardware design that
guarantees unidirectional data transfer.
The TX and RX Components are connected via a single fibre optic cable. This is
the only connection between the two components of the Waterfall One-Way TM product.

Figure 4. Waterfall One Way TM - Core

Each component has a standard Ethernet (RJ45) socket connecting it to the
respective network (via a NIC supporting 100Mbps).
On each of the networks, a dedicated server runs Waterfall’s software, which
manages the hardware and provides standard interfaces to third-party applications and
protocols.
The following information can be transferred via Waterfall:
• UDP Packets
• Files (for example, Local / Remote File-Server / FTP / S/W updates / SMTP)
• Streams (for example, RTP, RTSP, UDP, TCP)
• Messaging Queues (for example, Websphere MQ)
• SNMP traps and applications (for example, CA SIM)
• SCADA and process control (for example, OSISoft PI, Modbus, OPC, DNP3)

Figure 5. Waterfall One Way TM - Technological Overview

2.5. Securing Ecosystems Involving Critical Networks

We will now detail how the three models of ecosystems we previously described can be
secured using physical unidirectional gateways.

2.5.1. Production/DCS Network


Information from the Critical Network is replicated in real time to the business
network via a physical unidirectional gateway. Because the gateway is physically
unidirectional, without exception, it eliminates any possibility of data from the
business network passing into the Critical Network. All types of online attacks are
completely blocked from the external side (the RX side of the Waterfall One-Way TM).
Consequently, any possibility of data leakage is absolutely mitigated.

Figure 6. Production/DCS Network Topology - with a unidirectional gateway

2.5.2. Remote Infrastructure Management (RIM)


System logs and events are sent in real time from the monitored asset within the
Critical Network to the third-party remote maintenance/support centre, via a physical
unidirectional gateway.
When the need arises for the maintenance/support centre to access the monitored
asset (e.g., for troubleshooting), a Secure Manual Uplink (SMU) is manually activated
on the Critical Network side. The activated uplink, which can be either synchronous or
a-synchronous, allows commands to be sent to the monitored asset from the
maintenance/support centre. Because the uplink is manually activated, it also must be
deactivated when it is no longer required. However, for security reasons, the uplink has
a built-in clock and time limit that shuts down the link automatically after a predefined
interval.

Figure 7. Production Remote Infrastructure Management (RIM) topology - with a unidirectional gateway
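The RIM topology above can be modelled as two paths: a one-way link that only ever carries logs outward, and a Secure Manual Uplink that admits commands only while an operator-opened, clock-limited window is open. The following is an added illustration, not Waterfall's or the author's code; the class names, the 600-second limit and the timeline are assumptions made for the example.

```python
"""Model of the RIM topology: logs flow out of the Critical Network through a
one-way link; commands flow back only while a manually activated,
time-limited Secure Manual Uplink (SMU) is open. Added illustration, not the
vendor's code. Names, the 600-second limit and the timeline are assumed."""

from dataclasses import dataclass, field
from typing import Optional


class OneWayLink:
    """TX (Critical Network) -> RX (support centre) only: the RX side exposes
    no call that writes toward TX, mirroring the hardware design."""

    def __init__(self):
        self._buffer = []

    def tx_send(self, record):
        self._buffer.append(record)

    def rx_read(self):
        out, self._buffer = self._buffer, []
        return out


@dataclass
class SecureManualUplink:
    """Command path from the support centre into the Critical Network.

    Opened by an operator on the CN side; closes when that operator
    deactivates it or when the built-in timer expires, whichever comes
    first. Time is an integer number of seconds supplied by the caller so
    the behaviour is deterministic and testable."""

    max_open_seconds: int = 600            # assumed predefined interval
    opened_at: Optional[int] = None
    audit: list = field(default_factory=list)

    def activate(self, now):
        self.opened_at = now
        self.audit.append(("activated", now))

    def deactivate(self, now):
        if self.opened_at is not None:
            self.opened_at = None
            self.audit.append(("deactivated", now))

    def is_open(self, now):
        if self.opened_at is None:
            return False
        if now - self.opened_at >= self.max_open_seconds:
            # The operator did not close the window: the clock closes it.
            self.opened_at = None
            self.audit.append(("auto_closed", now))
            return False
        return True

    def deliver(self, command, now):
        """Pass a command to the monitored asset only while the uplink is
        open; return True when delivered, False when rejected."""
        if not self.is_open(now):
            self.audit.append(("rejected", now, command))
            return False
        self.audit.append(("delivered", now, command))
        return True


def rim_timeline():
    """Constructed timeline: the asset keeps replicating logs outward while
    the support centre tries commands before, during and after the window."""
    link, uplink = OneWayLink(), SecureManualUplink(max_open_seconds=600)
    outcomes = {}
    link.tx_send("t=0 syslog: controller heartbeat ok")        # constructed
    outcomes["before"] = uplink.deliver("read config", now=0)
    uplink.activate(now=100)                  # operator opens the window
    outcomes["during"] = uplink.deliver("read config", now=150)
    link.tx_send("t=150 syslog: config read by support")       # constructed
    outcomes["expired"] = uplink.deliver("restart service", now=700)
    outcomes["after_expiry"] = uplink.deliver("restart service", now=710)
    outcomes["rx_saw"] = len(link.rx_read())
    outcomes["audit"] = [entry[0] for entry in uplink.audit]
    return outcomes


if __name__ == "__main__":
    for key, value in rim_timeline().items():
        print(f"{key}: {value}")
```

The audit trail is the defender's record of every window opened and every command accepted or refused, which is what a detection rule on the CN side should watch.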

2.5.3. Lawful Interception (LI)


In order to effectively secure a Lawful Interception topology, the LEA network should
be segregated from the SP network(s) by implementing physical unidirectional
gateways for the outgoing and the incoming connections. To further increase the
security level of the LEA network, an internal segregation must be implemented
between the “HI-1” (outgoing) and “HI-2/3” (incoming) environments within the LEA
network. The segregation is achieved by implementing another physical unidirectional
gateway from the “HI-1” environment, which enables the transfer of “HI-1”
information and other operationally required data to the “HI-2/3” side.

Figure 8: Lawful Interception (LI) Topology - with unidirectional gateways

2.6. A Pragmatic and Effective Solution - Risk Analysis

To emphasise the value of deploying physical unidirectional gateways, below is a risk-
analysis table, detailing the probability and severity of security threats in the three
types of ecosystems that are protected by physical unidirectional gateways, such as
Waterfall One-Way TM.

Table 2. Risk Analysis – Ecosystems protected by physical unidirectional gateways

Threat | Description | Severity (1-5 highest) | Probability (1-5 highest)
       |             |                        | Production/DCS | RIM | LI
Online Data leakage | Online access to CN (Critical Network) from Internet via the EN (External Network) | 5 | 0 | 0 | 0
Physical Data leakage (EN) | Access to CN after gaining physical access to the EN site and accessing the EN | 5 | 0 | 0 | 0
Physical Data leakage (CN) | Access to CN after gaining physical access to the CN site | 5 | 1 | 1 | 1
Online attack | Compromise of CN from Internet via the EN | 5 | 0 | 0 | 0
Physical-access attack (EN) | Compromise of CN after gaining physical access to the EN site and accessing the EN | 5 | 0 | 0 | 0
Physical-access attack (CN) | Compromise of CN after gaining physical access to the CN site | 5 | 1 | 1 | 1
Interlinking (EN to EN) | Compromise of an EN site after gaining access (online or physical) to another EN site connected to the same CN | 5 | N/A | N/A | 0
Interlinking (CN to CN) | Compromise of a CN site after gaining access (online or physical) to another CN site connected to the same EN | 5 | N/A | 0 | 0

3. Summary

Critical Networks are the heart and soul of Critical National Infrastructures, which in
turn are high-end and attractive targets for cyber-terror and cyber-attacks.
Based on the potential damage that can be caused by a cyber attack on Critical
Networks, and taking into consideration the relatively low cost and simplicity of such
attacks, Critical National Infrastructures must secure their Critical Networks in order to
protect their assets.
There are a multitude of vulnerabilities and weak points in Critical Networks,
some of which require costly and complex solutions to protect or strengthen. However,
the entry points, which are the most likely to be exploited – the connections to External
Networks – can be fully and sufficiently protected using physical unidirectional
gateways. These last are a relatively simple and cost-effective solution that completely
eliminates the IT Security risks originating from connections to external Less Secure
Networks.
Modelling Cyber Security: Approaches, Methodology, Strategies 93
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-93

A Cyber Security Approach for Smart


Meters at ERDF
Pascal SITBONa
a EDF R&D, 1 avenue du Général de Gaulle, 92141 Clamart
pascal.sitbon@edf.fr

Abstract. In this article, we discuss the cyber security approach taken by ERDF
(Electricité Réseau Distribution France) as a preliminary step in its smart meters
deployment project. First, we focus on the emerging risks introduced by the new
technologies and their usages. Then, we explain how and why we have to define
high-level security objectives independently of the technical solutions, and
conclude by emphasising the committed involvement needed from the whole
metering community and supply-chain in order to achieve these objectives.
Keywords. Security, smart metering, SCADA, risk management, security
objectives

1. A Fast-changing Metering Context

Cyber-security for industrial systems has recently been gaining a lot of attention, due to
the fact that such systems are getting more complex, interdependent, and
interconnected. Particular attention is given to Critical Infrastructure Protection such as
energy, transportation, telecommunications, or water, which are all monitored and
controlled by industrial systems. This is also the case for the electricity distribution
network.
A metering system is a central part of such an electric grid. In addition to
measuring electricity consumption, its role is to deliver electricity to end users,
including critical users such as hospitals or emergency services. It handles and
processes sensitive commercial and technical data, such as nominative information and
consumption data, or remote control meter commands such as electric power
modification.
ERDF, the main distribution subsidiary of EDF in France, is currently identifying
requirements for its pilot project of 300,000 smart metering points for its domestic
users in order to prepare for the potential general deployment in France of the system.
The system would enable a wide range of new services to be offered to the consumer
and new management capabilities made available to power utilities.
The metering world is changing dramatically due to its steadily growing reliance
on information technologies. This implies that there is a clear need for a more global
approach to cyber security. The challenge of balancing the cost/benefit ratio must take
the specifics of metering and the whole spectrum of the associated risks into account.
In this equation, the sheer number of meters, which have been distributed on a national
scale, has to be underlined; each euro spent is multiplied by tens of millions. The long
life span of such systems, typically 20 years, is another structuring fact, especially for
risk characterisation and security level continuity.
The metering system is very complex and consists of many different players
(solution providers, integrators, public regulators, meter builders, etc.). Complexity is
anathema to security: it usually takes too long and costs too much money to protect
94 P. Sitbon / A Cyber Security Approach for Smart Meters at ERDF

complex systems. Consequently, it is harder to achieve a balanced cost-benefit ratio.


Last but not least, potential attackers can easily access metering systems because of
their widespread distribution throughout the country, creating many entry points and
targets.

2. The Risk Management Process

The security process aims at managing risks in accordance with the company’s
objectives. Since total security is not attainable, this means that our limited resources
have to be used efficiently and with purpose. Risk management is the process that helps
us to protect our critical assets and operations with proportional, coherent, and
verifiable measures, and thus a balanced cost/benefit ratio. This process is a crucial tool in
decision-making; it allows us to conscientiously make trade-offs, state our
security posture, and choose the appropriate measures.
Security, like trust or assurance, could (and should) add real value to a company’s
image and inspire confidence in stakeholders.
Since security is not a static state that is present or not present, we ought to define
security levels as a continuous cycle that constantly changes over time. Without a
proactive approach to security, the levels of security would rapidly decrease over the
lifetime of the system.
Products and technologies alone cannot solve security problems; they can only
provide security when used efficiently, through consistent and thoroughly defined
processes. We can mention two such processes:
• the business continuity planning process, which defines how to recover after a
disruption or disaster and how to restore the critical functions in order to keep
the business going,
• the incident management process, which describes how to log, record, and
resolve security incidents, including legal aspects and evidence management.
It is certain that security incidents will occur; we just don’t know when they
will take place. Therefore, we must anticipate how such incidents will be
handled.
System design phases should cover technical and functional aspects, but also, right
from the start, non-technical ones that include considerations regarding people (e.g.,
responsibilities or organisational issues) and process dimensions.
In addition, new technologies come with new risks. Attackers are creative people;
they are constantly finding new ways to abuse the system. Moreover, as
aforementioned, because access to the meters is relatively easy, part of the system
providing security is located in the potential attackers’ hands, making it more
complicated to globally render the system less vulnerable.
There is a wide spectrum of threats that ranges anywhere from fraud and
competitors to cyber-terrorism. Malicious actions, such as the remote shutdown of
numerous meters, could lead to an economic disturbance, distrust within the society,
and even safety issues. The risks may be roughly classified as follows:
• Classical petty offenders, who are more concerned with lowering the bill and
stealing money, modify consumption indexes or tariffs to their own benefit.
There are no damages to the system apart from financial ones (easy physical
access);

• Organised crime targets consumption data, in order to alter or sell it. These
kinds of threat agents could also try to distribute or sell “cheat boxes” on the
Internet in order to automate fraud. The automatic collection of consumption
profiles of many users or particular users (VIP, etc.) could be interesting for
organised crime;
• Cyber-terrorism could have major impacts on the electric distribution network
and could lead to the disruption of electrical power to strategic areas,
impacting the economy and compromising safety.
There are already a few examples of cyber-attacks on metering systems, including
one that targeted the AMM (Advanced Metre Management) system of ENEL in Italy.
The method to change the tariff rate on the meter without paying the fee, of course, was
published on the Internet (cf. Fig. 1). ENEL has successfully responded to this threat,
but all actors in energy distribution are now warned that the cyber-threat is very real
and should be taken into account.

Figure 1. Publication on the Internet of the ENEL AMM systems vulnerability.

We cannot avoid these threats, nor can we eliminate all of the risks definitively.
What we can do is reduce the risks to an acceptable level. The approach we’ve used is
based on well-known best practices, like Common Criteria (ISO 15408) and EBIOS
(Expression des Besoins et Identification des Objectifs de Sécurité). EBIOS is a
method for risk management used in numerous big projects in different sectors, for
example by the French Atomic Energy Commission and the Council of the European
Union. EBIOS was designed by the French DCSSI (Information System Security Central
Directorate, a body of the French government).
Our approach includes:
• Statement of security needs (according to the context), metering processes,
and challenges
• Threat and risk analysis
• Security objective definitions, according to the threats and assumptions. Those
objectives form the security policy of the Automated Metering System.

The global security approach is described in Fig. 2. The environmental security is
considered to be external to the AMM project and shares common requisites regarding
the Business Recovery Process and the security of operating systems and data centres.
The security strategy is of course decided at the top-management level. The
organisational security measures are central to the overall level of security that can be
achieved; for example the specific safety procedure used to handle a request to open a
new account is an intrinsic part of the overall level of security.

Figure 2. Global security approach

The risk management process used for the AMM system is composed of a three-
step approach that is illustrated in Fig. 3:

Figure 3. ERDF AMM system risk management process

In the following section, we will develop the steps:

• Step 0 – Define the context and perimeters
• Step 1 – State/Identify the sensitivities to threats of the assets that need
protection – “some of my assets need protection”
• Step 2 – Study the threats in the environment – “there are threats to my assets”
• Step 3 – State the security objectives – “I set my security objectives without
specifying the technical solutions”
• Step 4 – Determining the security requirements

2.1. Step 0 – Define the context and perimeter

Figure 4. Step 0 – Define the context and perimeter



Objectives:
• Sum up the technical, business, regulatory context
• Identify essential elements, functions and information, which constitute the
added value of the information system
• Essential elements are linked to a set of entities of various types: hardware,
software, networks, organisations, human resources and sites
ERDF example:
• Target: AMM Information system
• Context: business, regulatory, technical, etc.
• Essential elements:
o Detection of low voltage incidents,
o Supervision of the communication chain,
o Local actions on the meter, etc.
• Entities:
o Hardware: meters, concentrators, servers, etc.
o Software: firmware, applications, etc.
o Sites: MV/LV transformers, meter sites, etc.

2.2. Step 1 – State the sensitivities to threats of the assets that need protection

Figure 5. Step 1 – state the sensitivities to threats of the assets that need protection

Objectives:
• The sensitivity of each essential element to threats must be expressed
• Expression is based on various security criteria such as availability, integrity
and confidentiality
• If this sensitivity is not covered, there will be an impact on the organisation

ERDF example:
We begin by focusing on critical assets that would need protection. This step
involves interviews with the individuals that are responsible for each business process.
The covered topics include the description of the business process and the security
sensitivity of the process. The level of sensitivity is broken down using criteria such as
CIA (Confidentiality, Integrity, and Availability) and an additional criterion,
Accountability (proof of responsibility for an action). In this analysis, we focused on
the potential impact a malevolent action would have.

The ERDF case is composed of 8 business processes and 20 essential elements.



Example: essential element “detection of low voltage incident”


• Availability: High
• Integrity: High
• Confidentiality: Low
• Accountability: Low
In this example, we state that it is important to obtain the right information on time
when detecting a low voltage incident. But it doesn’t really matter who sends the
information, nor is it important that the information be kept secret.

2.3. Step 2 – Study the threats in the environment – “there are threats to my assets”

Figure 6. Step 2 – Study the threats environment

Objectives:
• Identify main threat agents
• Identify the vulnerabilities of the components
• Identify the attack methods and scenarios
ERDF example:
There are 688 vulnerabilities defined in the EBIOS method. We adapt the method
to suit our needs.
For example, according to the “no authenticity guaranteed” attack method, we
have vulnerabilities, such as “use resource without accountability” or “no
authentication of source or destination”.
These threats to the identified assets are categorised before performing a risk
analysis: the probability (likelihood of the risk) and impact (consequence if the risk
occurs) of attacks are evaluated in order to define risk levels. It is then stated what the
acceptable level of risk is (cf. step 3).

2.4. Step 3 – State the security objectives

Figure 7. Step 3 – State the security objectives



Objectives:
• Determine how the essential elements can be affected by the threat agents
(risk)
• Threat agents can affect the essential elements by using a given attack
method to exploit their vulnerabilities
• The security objectives mainly consist in shielding any vulnerabilities from
the entities that represent what are considered to be the existing risks
ERDF example:
Our goal is to state our security objectives without specifying the technical
solutions. These objectives constitute the long-term security policy.
In order to illustrate the methodology, two macroscopic security objectives have
been identified for ERDF future Smart Meters System:
• Protection of critical orders (authenticity, integrity and non-repudiation).
Critical orders, such as changing the electrical power subscription or targeted
curtailment, should definitely be secured by using strong security mechanisms
(with regard to the identified threats and attack scenarios):
o to authenticate the sender,
o to verify that there is no unwanted modification, and
o to make the sender responsible for his actions.
• “Evolution”. Keeping in mind that the metering system components will need
to be upgraded during their long life, the ability to upgrade these components’
firmware, software, or application has to be an essential and inherent feature
of the system. Since new security functionalities could also become useful in
the future, the upgrade could be used to integrate those new functionalities.
This upgrade process itself ought to be secured!

2.5. Step 4 – Determining the security requirements

Figure 8. Step 4 – Determining the security requirements

Objectives:
• Specify the required security functionalities
• Demonstrate that the security objectives are perfectly covered by these
functional requirements
• Specify assurance requirements to allow the required level of confidence to
be obtained and then demonstrated

ERDF example:
We want to state our security objectives without specifying the technical solutions.
These objectives constitute the long-term security policy and should reduce all possible
risks.

Figure 9. Security objectives and risk coverage presentation

Figure 10. An example of the results of our approach
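Steps 1 to 4 above can be carried through as a small risk register: sensitivities per essential element, threats with an attack method and likelihood, risk levels, and a check that every risk above the acceptable level is shielded by a security objective (the coverage shown in Fig. 9). The following is an added example, not ERDF's or EBIOS's tooling; the element names and the “no authenticity guaranteed” attack method come from the text, while the scores, the second element, the denial-of-service threat and the acceptable-risk threshold are constructed.

```python
"""Risk register following steps 1-4: sensitivities, threats, risk levels and
a coverage check of the security objectives. Added example; not ERDF's or
EBIOS's tooling. Element and attack names come from the text; all scores,
the second element and the denial-of-service threat are constructed."""

from dataclasses import dataclass

# Step 1: sensitivity scale for the CIA + Accountability criteria.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class EssentialElement:
    name: str
    availability: str
    integrity: str
    confidentiality: str
    accountability: str


@dataclass(frozen=True)
class Threat:
    attack_method: str   # EBIOS attack method, e.g. "no authenticity guaranteed"
    vulnerability: str   # exploited vulnerability from the method's list
    criterion: str       # sensitivity criterion the attack undermines
    likelihood: int      # 1 (rare) .. 4 (frequent), constructed scale


@dataclass(frozen=True)
class SecurityObjective:
    name: str
    shields: frozenset   # attack methods the objective is meant to block


def risk_level(element, threat):
    """Step 2: risk = impact (sensitivity of the criterion hit) x likelihood."""
    impact = SCALE[getattr(element, threat.criterion)]
    return impact * threat.likelihood


def risk_register(elements, threats):
    """Every (element, threat) pair with its risk level."""
    return [(e, t, risk_level(e, t)) for e in elements for t in threats]


def uncovered_risks(elements, threats, objectives, acceptable):
    """Steps 3-4: each risk above the acceptable level must be shielded by at
    least one objective; whatever is returned here is a gap in the policy."""
    gaps = []
    for element, threat, level in risk_register(elements, threats):
        if level <= acceptable:
            continue
        if not any(threat.attack_method in o.shields for o in objectives):
            gaps.append((element.name, threat.attack_method, level))
    return gaps


# Constructed sample data built around the examples quoted in the text.
ELEMENTS = [
    EssentialElement("detection of low voltage incident",
                     "High", "High", "Low", "Low"),
    EssentialElement("critical order: power subscription change",
                     "Medium", "High", "Low", "High"),
]
THREATS = [
    Threat("no authenticity guaranteed",
           "no authentication of source or destination", "integrity", 3),
    Threat("no authenticity guaranteed",
           "use resource without accountability", "accountability", 3),
    Threat("denial of service (constructed)",
           "single communication path (constructed)", "availability", 2),
]
OBJECTIVES = [
    SecurityObjective("protection of critical orders",
                      frozenset({"no authenticity guaranteed"})),
]
ACCEPTABLE_RISK = 4   # constructed threshold, decided in step 3


if __name__ == "__main__":
    for element, threat, level in risk_register(ELEMENTS, THREATS):
        print(f"{level:2d}  {element.name} <- {threat.attack_method}")
    print("gaps:", uncovered_risks(ELEMENTS, THREATS, OBJECTIVES, ACCEPTABLE_RISK))
```

With the sample data the only gap is the availability of low-voltage incident detection: the stated objective shields authenticity but nothing yet covers that risk, which is exactly what the coverage presentation of Fig. 9 is meant to surface.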



3. Discussion of the Risk Management Method

Security objectives must not depend on technologies. For example, if classical telecom
lines are used instead of mobile phone communications, or any other wide area
network technology, for technical reasons, security objectives should remain the same.
If the data is confidential when transmitted through the lines, the same data is of course
still confidential when transmitted over other media.
Those objectives have to be stated clearly, even if there is not an adequate
technological answer to fulfil them today. Long-term objectives must be addressed; a
new technology or product could appear from one moment to the next and be the
answer to our needs.
We only state our security objectives and what we believe to be an acceptable level
of risk. The technical requirements and solutions to achieve our security policy are
handled by the solution providers.
When accomplishing the security objectives, one should never forget that the
security chain is only as secure as the weakest link. Each link has to be taken into
account; this includes operators performing actions on the Information System, local
and wide area networks, meters, etc. Tightening security measures can happen on
different levels, including technical, human (education, training, and awareness), and
procedural levels. In fact, it is crucial that none of these dimensions should be
forgotten.

Figure 11. Modelling of the AMM system

As illustrated in Fig. 11, all components have to be considered, from smart meters
to the metering Information System, including network communications. An attack
could occur against any element of the chain, from the equipment to the data or orders
that pass through the supervisory and operation centre.
All actors, from constructors to public regulators, have an important role to play in
ensuring the cyber-security of the supply chain in metering systems.

Conclusion

Security objectives should be clearly stated, without specifying any technical solution,
in order to protect our critical assets against thoroughly identified risks. Options should
be kept open, in order to leave opportunities for future potential evolutions. The
management support is essential throughout the whole process. All of this work has to
be done before the metering system is designed. More generally, all metering actors,
utilities, regulators, solution providers, manufacturers, and integrators, will have to be
involved in a global security approach that allows for experience and knowledge
sharing. The earlier this is done, the better.

References

[1] EBIOS – Expression of Needs and Identification of Security Objectives, http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html
[2] “Cyber security approach for smart meters at ERDF”, Metering International magazine, issue 4, pp. 90-91, 2007
Section 2
Understanding Terrorism and Its Interaction with Critical Infrastructures

Section 2.1
Facing Terrorist Attacks and Attacks to Critical Infrastructures
Modelling Cyber Security: Approaches, Methodology, Strategies 109
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-109

Al-Qaeda: Its Global Marketing Strategy


Anat HOCHBERG-MAROM¹
Tel Aviv University, Israel

Abstract. This study presents a new and unique perspective -- the marketing
perspective -- to analyse and increase our understanding of the global terror
phenomenon. Based on a quantitative-statistical content analysis of the
statements of Al-Qaeda's leaders, I examined how a global terror organisation,
such as Al-Qaeda, markets itself using the international media and the Internet
between the years 2000-2008.
The findings reinforce the idea that Al-Qaeda's leaders consciously adopt a
nihilistic-destructive approach and aim to destroy the "other" world, which from
their point of view is not a "pure" and "authentic" Islam.
They encourage the willingness to kill and to die in the name of God and
emphasise that the Jihad activists are their primary agents for cultivating and
distributing the "martyrdom culture". Furthermore, Al-Qaeda and its partners
utilise the Internet not only to intensify its power and radicalise the strength of
the Jihadi image, but also to empower its worldwide strategic threat. By
knowing "our enemy" and its uncompromising ideology and strategy, we can
actively help to confront Al-Qaeda today, with counter-marketing-warfare and
undermine its discourse.

Keywords. Marketing perspective, content analysis, Internet, Al-Qaeda, Jihad,
threat, counter-marketing-warfare

Introduction

This study presents a new perspective, the marketing perspective, for analysing and
deepening our understanding of the global terror phenomenon. Although radical
movements have previously been perceived by the West as irrational ideological
zealots, my results demonstrate that Al-Qaeda currently acts as a rational actor, and
can therefore be examined using rational models and theories [1]. Once we have
rationalised Al-Qaeda's actions, we can better understand how to counteract the global
jihad group and reduce its influence and worldwide threat by employing
marketing-warfare tactics.
Al-Qaeda leaders and supporters, who strive to influence "the hearts and minds" of
the Muslim population around the world, use the resources of the Internet to promote
and distribute their vision, ideology and policy, as well as their militant messages and
values. Motivated by militant ideology, their objective is to position a powerful image
of the organisation and its actions in the "awareness" of public opinion and thereby
influence the worldwide political and communications agenda.
Marketing, in essence, deals with and concentrates on influencing public opinion
[2]; for militant organisations such as Al-Qaeda, efforts to persuade and convince the
masses can be "translated", or modelled, into marketing terms and tools. An example of
this is the use of a destructive approach and coercion tactics to distribute and promote
their vision and policy.

¹ I am grateful to the Netvision Institute for Internet Studies (NIIS). I am particularly grateful to Prof. Shaul
Mishal and to Prof. Alex Mintz, and for the comments made here by Prof. Niv Ahituv.
Address correspondence to Anat Hochberg-Marom, Tel Aviv University, Israel. E-mail:
anathoch.mr@gmail.com
There is no doubt that for the global jihadists the Internet is an important tool,
deployed as a form of "soft power"; Al-Qaeda and its partners use the cyber arena in
the "war of ideas" in order to inflame millions of readers and viewers, and to
transform a large number of them into militants and even suicide bombers [3]. How
does Al-Qaeda promote and distribute Global Jihad on the Internet, so that it becomes
so attractive to the masses (including non-religious and non-Muslim people all over
the world)?
While most studies deal with defence strategies designed to block potential cyber
attacks, my research presents a different approach and methodology for analysing and
confronting the global terror phenomenon. In the research, I conducted a
quantitative-statistical content analysis of the statements made by Al-Qaeda's leaders,
using DVD/video recordings (approximately 3,500 minutes of airtime) released over
the international media channels and the Internet between 2000 and 2008. By applying
a universal marketing model² to the Al-Qaeda recordings, and by analysing Bin Laden's
and Zawahiri's statements, I was able to examine thoroughly their ideology and strategy
as well as the patterns of their actions. My aim was to reveal some practical insights.
The results are briefly described below.

1. What "Products" Does Al-Qaeda Market?

Empirical results strengthen the common view that Jihad is perceived by Al-Qaeda
as the highest religious value (rated 41%) and is described by Bin Laden and Zawahiri
as the political objective and military tool used to advance and spread its perception
of the world. "Ummah", in Arabic, literally means a "nation" but can also mean a
"universal community"; in Al-Qaeda's view, this is a global Islamic civilisation.
Surprisingly, however, this concept has the lowest frequency among favourable
religious values, with a rating of only 25%. This is the opposite of what we had
anticipated: we would have expected that for Al-Qaeda leaders, who often claim to
defend Islam from Western hegemony, a universal value would be the primary tool for
consolidating and intensifying unity and solidarity among Muslim populations
worldwide.
In addition, Bin Laden and Zawahiri do not mention any political programme for
constructing a nation based on any specific model. This is a clear indication that the
leaders of Al-Qaeda are selling an image rather than a concrete "product", and are
exploiting the hopes, desires and weaknesses of people as a means to another end.
From a marketing perspective, we can generally infer that, although they call for
building a universal caliphate, their "constructivist" approach is implemented through
a negative orientation and coercion tactics; this includes killing anyone who is
perceived from their perspective to be an "infidel" or "apostate", including their
Muslim "brothers" who do not adhere to their "pure" Islam. Furthermore, the above
findings reinforce the idea that Al-Qaeda's leaders are not only motivated by a
non-constructivist approach, but also consciously adopt a nihilistic-destructive
approach, aiming to cause political-social anarchy and impose a "pure" and
"authentic" Islam.

² The marketing model is known by the abbreviation "4P's". It argues that marketing strategy is determined
by four attributes: Product, Price, Promotion and Place. McCarthy, E. Jerome, Basic Marketing, Irwin,
Homewood, IL, 1960; Kotler, Philip and Andreasen, Alan R., Strategic Marketing for Nonprofit Organizations,
Pearson/Prentice Hall, Upper Saddle River, NJ, 2003.

2. What is the "Price" of Cost-effectiveness for a Global Terrorist Organisation such as Al-Qaeda?

Empirical findings reinforce the idea that, for Al-Qaeda, participation in Jihad and
self-sacrifice (i.e., committing suicide) is a matter of strength that stems from strong
faith and devotion, as opposed to the Western claim that it is a matter of weakness and
a "nothing-to-lose" position. "Price", for Al-Qaeda followers and supporters, is framed
by the willingness to sacrifice the present comfortable life and lifestyle (including
family, social connections, status at work, wealth, etc.) for the "hereafter" and the
collective virtue.
It is interesting to note that in their statements Bin Laden and Zawahiri, who use
religious and psychological incentives to encourage sacrifice, emphasise the need for
a strong "belief in God" and a great sense of power; they glorify personal
characteristics such as determination, courage, decisiveness and, above all, the
willingness to kill and to die for the sake of God, in contrast to the individual
"desire for pleasure" that they perceive as typical of the West.
From this perspective, it is reasonable to infer that Jihad appeals to young people
around the world who want to express their courage and leadership, whatever their
religious, national or linguistic background. Furthermore, by its aggressive-destructive
approach, Jihad inspires and empowers young people to act and to take risks. When
they are given the chance to participate actively in a cause, or feel they have some
control over their destiny, they consequently feel that they have fulfilled their sense
of power and their desire for eternal life as a martyr ("shaheed").

3. How Does a Global Terrorist Organisation Promote its "Products"?

On-line D'awa (education) is the most popular form of promotion used by Al-Qaeda
(rated 55%) to clarify and glorify the advantages gained from adherence to religious
values. Bin Laden and Zawahiri strive to influence the perceptions, opinions and
beliefs of Muslims. They do this by using different rhetorical devices and wording
that combine political rhetoric with Islamic symbols and narratives to describe the
"crisis of values" of Islam and the urgent need to act [4]. While they apply different
rational and emotional messages to different target audiences, they arouse and
reinforce feelings such as hatred, humiliation and fear, which are channelled into
fuelling an active Jihad (both physical and virtual) against the West.
Moreover, it is important to remember that the term Jihad is perceived differently
by the West than by Al-Qaeda and extremist Muslim groups. In the West, Jihad is
narrowly understood to be a "holy war". For Al-Qaeda's leaders, however, Jihad is a
total and eternal military struggle that is identified with the victory of the spiritual
over the materialistic and, therefore, a victory of Islam over the West.
Utilising Western virtual capabilities against Western values, on-line D'awa
enables Al-Qaeda to intensify its power and strengthen the "Jihadi" image, not only
for those who participate in the virtual "war of ideas", but also for the worldwide
population outside the net.
More importantly, in the absence of regulation and control, the cyber arena enables
the development of an independent Global Jihad discourse with its own contextual
meaning and identity. Thus, we can infer that the significance of on-line D'awa for
Al-Qaeda lies not only in the empowerment of its activity and status, but also in its
worldwide strategic threat. Furthermore, in my opinion, in the Internet era Jihad has
become a popular "global trademark" that no longer depends on any specific
organisation or leader (such as Al-Qaeda and Bin Laden respectively), and it is
therefore more dangerous than the common perception in Western discourse on the
subject would suggest.

4. How Does a Global Terrorist Organisation Distribute its Messages and Values
("Place")?

The next question that I examined was: who are the agents that actually distribute
non-tangible assets such as the Global Jihad of Al-Qaeda? In a religious collectivist
society such as Islam, it is accepted that religious scholars are the mediators between
the holy and the worldly. They are the main channels through which religious values
and messages are distributed. However, Bin Laden and Zawahiri, who tend to resist
religious authority (i.e., the institutional 'Ulema'), have developed an alternative
distribution channel, namely independent religious scholars. The latter assume
responsibility for distributing Al-Qaeda's ideology and perceptions.
Nonetheless, based on the empirical evidence, Al-Qaeda's leaders emphasise that
Jihad activists (rated 61%, the highest rating) are their primary agents for cultivating
and distributing the "martyrdom culture", and these activists also use terror activity
to impose their "true" Islam. From Al-Qaeda's point of view, and as derived from a
religious decree (i.e., "tawhid", the "oneness" of God), Jihad activists are perceived
as the most faithful believers, who are obligated to spread the global Islamic message.
Moreover, since they are the expression of such strong faith and total fidelity to God,
the Jihad activists are glorified as the ideal model for "Jihad activity", and because
of this they are willing and determined to sacrifice their lives to the cause.
From this perspective, we can deduce that, in the eyes of Bin Laden and Zawahiri,
extremist young Muslims are militant "weapons" against the West and its supporters
(who are perceived to be "infidels") rather than the peaceful future generation.
Therefore, based on the above as well as on other empirical findings, there is strong
evidence that Al-Qaeda is not aspiring to construct and consolidate the Muslim world,
but is motivated by a militant-nihilist approach with the intent to destroy the "other"
world that, from its point of view, is not Islamic.

Conclusion

By knowing "our enemy" and its uncompromising ideology and strategy, we can
actively confront Al-Qaeda today by applying techniques of counter-marketing warfare
to undermine its discourse; when appealing to young Muslims in particular, we ought
to emphasise the importance of choosing a peaceful and constructivist approach to life
rather than destructiveness and darkness.
Through the proactive use of the Internet, and more specifically with the tools of
promotion, the West, and in particular Europe, can counteract Al-Qaeda's attractiveness
and positively influence "the hearts and minds" of the future Muslim generation.
Particular attention should be dedicated to the Muslim citizens of Europe.

References

[1] Walid Phares, The War of Ideas: Jihad against Democracy, Palgrave Macmillan, New York, 2007.
[2] Philip Kotler and Kevin Lane Keller, Marketing Management, Pearson/Prentice Hall, Upper Saddle River,
NJ and London, 2009; Alan R. Andreasen and Philip Kotler, Strategic Marketing for Nonprofit Organizations,
Prentice Hall, Upper Saddle River, NJ, 2003.
[3] Walid Phares, The War of Ideas: Jihad against Democracy, Palgrave Macmillan, New York, 2007;
Reuven Paz, "Reading Their Lips: The Credibility of Jihadi Web Sites as 'Soft Power' in the War of the
Minds", PRISM Series of Special Dispatches on Global Jihad, vol. 5/5 (2007), at: http://www.e-
prism.org/images/PRISM_no_5_vol_5_-Reading_Their_Lips_-_Dec07.pdf
[4] Olivier Roy, Globalized Islam: The Search for a New Ummah, Columbia University Press, New York,
2004; Rohan Gunaratna, Inside Al Qaeda: Global Network of Terror, Columbia University Press, New
York, 2002; Gilles Kepel, The War for Muslim Minds: Islam and the West, Belknap Press of Harvard
University Press, Cambridge, MA, 2004; Marc Sageman, Understanding Terror Networks, University
of Pennsylvania Press, Philadelphia, 2004.
Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-114

A New Paradigm for Countering Jihadism


Antonio Guido MONNO
Colonel, Carabinieri Corps
Expert in Asian History and Institutions - Trieste University

Abstract. The complex relationship that exists between Islam and the Western
world makes it necessary to enlist an increasing number of people who are capable
of understanding these two cultures and of mediating between them. The Islamic
world, in all its variety and diversity, becomes even more complex when it enters
the West through immigration, where immigrants no longer have a purely
superficial physical contact with the Western world, as was the case throughout the
whole of the colonial period, but live within it. It is often the case that the products
of both societies do not integrate, but tend to dis-integrate, not knowing to which
world they belong. People using religious symbolism to pursue political ideas, and
opting for terrorism as their means of struggle, are able to exploit this search for
an identity. This type of exploitation avails itself of the multiplier effect of the
virtual world to bolster support; without an adequate counterweight, this can cause
damage which, while not irreparable, can impair our complex societies. This paper
proposes a fresh approach to countering this phenomenon, one which could prove
extremely effective in opposing this quest to enlist support.

Keywords. Web; Terrorism; Islam; Salafism; Recruitment; Propaganda; Immigration.

Introduction

Contemporary conflicts, whatever their nature, are not only being fought out in the real
world, but also in the virtual world, for operational, logistical and “marketing”
purposes, particularly, in the latter case, through a propaganda mechanism which can
lead to recruitment and indoctrination.
The potential the Internet offers for achieving these aims initially seemed to be
fairly limited. Wiktorowicz,¹ for example, maintained that before people took part in
acts of violence they had to undergo a long process of "socialisation"; Sageman wrote
that:
"for the type of allegiance that the jihad demands, there is no evidence that
the Internet is persuasive enough by itself".²
While the opinions voiced only a few years ago were well-founded, and to a large
extent are still valid today, they obviously could not take into account the degree to
which the Internet is now able to contract time and space.
There are, however, a number of scholars who believe that the important part that
the Internet plays in recruitment is bound to increase.

¹ Wiktorowicz, Quintan, "Joining the Cause: Al-Muhajiroun and Radical Islam", Department of International
Studies, Rhodes College, at http://www.yale.edu/polisci/info/conferences/Islamic%20Radicalism/papers/
wiktorowicz-paper.doc
² Sageman, Marc, Understanding Terror Networks, University of Pennsylvania Press, Philadelphia, 2004.

In his book "On Intelligence",³ Robert Steele predicted that there would be greater
recourse to open sources, in which the Internet would play a paramount role in the
optimum management of intelligence.
Neumann has written that:
"….it would be a mistake to brush aside or ignore these instances of self-
recruitment merely because they do not fit with long established views about
group dynamics and the importance of social bonds. It is easy to forget how
quickly the Internet has evolved, and it may well be the case, therefore, that
widely held assumptions will have to be reassessed as the new medium
continues to change the way in which we communicate".⁴
In operational terms, the November 2008 Lashkar-i-toiba terrorist operation carried
out in Mumbai demonstrated the essential role of the Internet and modern technology.
But apart from the operational applications, I would like to focus my attention on
the phases of both the enlistment of support and of recruitment, particularly in the
Western world, by the organisations that draw their inspiration from so-called jihadist
theories, and on an innovative potential means of combating them which, as far as I
know, has never been tried.
In a special report published in March 2004 by the United States Institute of Peace,
entitled "www.terror.net: How Modern Terrorism Uses the Internet", Gabriel Weimann
examined the various possibilities provided by the virtual world that could be
exploited by all organisations, many of which are considered to be terrorist groups, to
attain their ends.
These possibilities consist above all of:
- Spreading their ideology and view of society and the world to attract support;
- Challenging ideologies and policies at odds with their own;
- Recruiting people in several stages, initially by merely attracting people
interested in or feeling sympathy towards an idea or ideal, and gradually
leading to all-out active involvement;
- Extolling their actions and consequently building up myths and decrying
everything done by the adversary.
Using the Internet, these groups put forward what Professor Anat Hochberg-
Marom has called “the marketing perspective” and, following standard marketing
practice, most of their activities are performed in virtual mode.
The Western mind often underestimates the importance of the modern mass media
and propaganda in the Islamic world, despite daily events that demonstrate the
contrary.
Khomeini’s revolution, whose ideas were propagated above all through sermons
distributed on audiocassettes, as well as images broadcast on al Manar (Hezbollah's
TV network) or al Aqsa TV (Hamas’s network), and videos broadcast over the Internet
on sites linked to the jihadist world, show that the Islamic world has certainly not
remained aloof from modernisation or using the most common communications tools.
Anyone who thinks that the style of these messages lacks communicative effectiveness
would fall into what Edward Said denounced as "Orientalism": the wholly Western
capacity to apply thought patterns that might work well, albeit not even everywhere,
for the average Western culture and are considered to be superior, without taking into
account the fact that the vast majority of the world's population has other cultural
archetypes.

³ Robert Steele, On Intelligence: Spies and Secrecy in an Open World, AFCEA, 2000.
⁴ Peter R. Neumann, Joining Al Qaeda: Jihadist Recruitment in Europe, Adelphi Paper 399, Routledge for
the International Institute for Strategic Studies, London, 2008.

1. The Reality of the Islamic World and its Relations with the West

1.1. The Islamic World

Although due account must be taken of the fact that democracy, as it is understood in
the West, is certainly not part of the tradition of most countries in the Islamic world,
one might raise the issue of the responsibility of the colonial and imperial powers in
this regard; that, however, would fall outside the scope of this paper.
It is important to remember that only one in five of the almost one and a half
billion Muslims in the world live in regions that the West views as typically Islamic,
that is to say, in places from which the message of Muhammad was propagated; most
Muslims live in Asia and Africa, while many millions have now settled in the Western
world.
From the ethnic, social and religious points of view, the Muslim world is not
monolithic. In addition to the well-known difference between Shi'ites and Sunnis, there
are also numerous other distinctions within both these branches of Islam.
The difference between the Twelver and the Fiver Shi'as, the presence of the
Isma'ili sects, from which the noted Hashshashin originated within the Shi'ite world, to
mention but a few, and the numerous differences amongst the Sunnis, including those
of the four leading legal schools, each of which is linked to a cultural and ideological
archetype and present in different areas of the Sunni world, underline the complexity of
this subject.
Furthermore, the message of Muhammad envisaging the establishment of a new
society united by new bonds of solidarity – the Ummah – intended to replace the
previously existing tribal ties never came into being in practice, except within the
Islamic imaginary. Even the much-lauded period under the leadership of the “Rightly
Guided Caliphs”, or the al-Khulafa ar rashidun, the first four caliphs, successors of
Muhammad, should be viewed with a certain detachment, considering that three of
these caliphs died violent deaths which, if nothing else, suggests a certain degree of
internal strife.
For Muslims, Islam is a unicum in which it is meaningless to try to distinguish
between the legal and the moral spheres, both of which have their origins in the Sharia,
the path revealed by God, whose founding pillars are the Qur’an and the Sunnah of the
Prophet.
Not having a priestly class as a mediating authority between man and God, which
Muslims consider to be a direct relationship, no-one has ever been seen as the
depositary of the orthodox interpretation of Islamic truth.
In Islam, those whom the Western world equates with its concept of clergy are, in
reality, interpreters, responsible for safeguarding the dogma, rituals and law of Islam,
and for making decisions regarding the lawfulness of new ideas and theories. Due to
the extreme complexity of the revealed language, over time the roles of the ulama and
the fuqaha, that is, religious scholars and experts in sharia law in general and in fiqh
in particular, came into being.⁵ As Khaleel Mohammed has put it, "Even for native
Arabic speakers, the Qur'an is a difficult document. Its archaic language and verse
structure are difficult hurdles to cross".⁶ This function of interpreting and
safeguarding has been of enormous importance throughout the Islamic world,
legitimising, de facto, the role of these ulama and fuqaha as leaders of the various
communities in return for protection and patronage.

⁵ It is important to note that fiqh may be considered a part of Islamic jurisprudence in that it complements
sharia law. Given its nature, fiqh has developed and evolved over time.
It should be recalled that the greatest peril that the Islamic community can face is
fitna, the splitting of the community. According to traditional Islamic teaching, it is
preferable to accept the lesser evil of a usurper as the leader of the community than to
permit internecine strife within the community. In time this results in the acquiescence
of the people to the status quo.
Language is another factor which helps to increase the structural diversity of the
various Islamic communities.
Contrary to what is sometimes thought, although classical Arabic was the language
used for revealing the Qur'an, which must be maintained and memorised in that
language, it does not perform any other bonding functions to hold the Islamic world
together. For example, it is impossible for Muslims from Pakistan, Albania, Indonesia
and Nigeria to hold a conversation because of a lack of widespread familiarity with
spoken classical Arabic.

1.2. The Islamic World in the West

One can therefore well imagine what happens when all this is transferred to the
Western world, where millions of Muslims live as members of religious and ethnic
minorities, initially stemming from a colonial past and subsequently from immigration
and globalisation.
According to classical Islamic theory, living in the lands known as dar al harb
(house of war) or, at most, dar al hudna or dar al sulh (house of the truce) is a negative
condition for Muslims. This condition may, in principle, be considered temporary,
because it is impossible in such places to fully deploy the Islamic identity, which
entails membership of the ummah (the Islamic community).
Over the years, in order to preserve and not lose their customs and traditions and
not to feel dispossessed, the Islamic communities in the West have had to adjust to their
situation by looking to their places of origin as benchmarks.
Since these communities have never really been accepted into the Western world,
they have become inward-looking in order to survive.
The Muslim presence in Western Europe, which was rare until the dawn of the
19th century, began to gain ground in the colonial period. The First World War led to a
sharp increase in the Muslim population because of the need for labour, in addition to
the use of Muslim troops in the war itself. Some 72,000 Muslim colonials died for
France, and between 45,000 and 75,000 died for Britain. By the end of 1918, there
were officially 59,088 North Africans living in France. By 1929, this number had
increased to 69,800, and to 102,000 by 1931. In the United Kingdom, there were between
10,000 and 20,000, in addition to several hundred converts.⁷
In both these Western countries, which were driving forces of Western colonialism,
the Muslim identity was defended through such sufi orders as the Alawiya, and through
the penetration of the two leading schools of thought already present in India, the
Barelwi and the Deobandi, which propagated different ideas but shared the need to
come to terms with a situation in which the Islamic religion had ceased to be dominant
and had become a minority faith. These schools were therefore committed, with
differing perspectives, to preserving the Islamic identity.

⁶ http://www.meforum.org/717/assessing-english-translations-of-the-quran
⁷ Nathalie Clayer and Eric Germain (eds.), Islam in Inter-War Europe, Hurst, London, 2008.
The Second World War not only made use of the colonies’ military personnel,
labour force and resources, but it also brought the war, the ideologies and the armies
into the Muslim world, from Africa to Asia, with great loss of life; one-half of the
Indian forces used by the United Kingdom in the Second World War came from one
region of India alone, the Punjab, which was overwhelmingly Muslim.
In a purely personal note, I should like at this point to recall the sense of
community that one experiences in seeing Christians from Britain, New Zealand, South
Africa and Australia, Muslims from India and Jews, who fought with the Jewish
Brigade, resting together in the British Military Cemetery at Camerlona (Ravenna-
Italy).
In the post-war period, political ideologies and a heightened self-awareness in the
colonial world, driven by veterans such as the Algerian Ben Bella, eventually led to the
collapse of the European colonial powers, which were embroiled in conflicts in which
the resources of the immigrants and appeals to Islam as a unifying force played no
small part.
From that moment onwards, the Islamic presence in the Western world was made
up not only of immigrants as cheap labour, but also of political refugees and migrants
living abroad to study and to take up highly skilled occupations.
But perhaps the most important change was in the attitudes of the migrants
themselves, who were no longer interested in returning to their original homeland, but
wanted to lead a new life in a new place that was extraneous to their culture of origin.
It was in this environment that the second- and third-generation Muslims have
grown up, for whom the integration – or, rather, the conflict prevention – policies
implemented until then in Western countries appeared to have failed, just as the United
States’ ‘melting pot’ concept no longer seemed to be relevant to current needs.
The perceptions and feelings of second- or third-generation Muslims in the
Western world have been highlighted by several of their writers, and in this connection
I would recall the description given by Hanif Kureishi in his book "The Word and the
Bomb".
Not being fully accepted, because of the colour of their skin or their allegiance to
another religion that is viewed as a threat to the local modus vivendi, they feel
uprooted from the social fabric and they identify with, and idealise, the other half of
themselves that is linked to their distant origins and homeland, which often bears
little resemblance to reality while at the same time fully satisfying some internal
aspiration.
Olivier Roy has written that, "Neofundamentalism has gained ground among
rootless Muslim youth, particularly among second- and third- generation migrants in
the West. Even if only a small minority is involved, the phenomenon feeds new forms of
radicalization, among them support for al Qaeda, but also a new sectarian
communitarian discourse, advocating multiculturalism as a means of rejecting
integration into western society. These Muslims do not identify with any given nation-
state, and are more concerned with imposing Islamic norms among Muslims societies
and minorities and fighting to reconstruct a universal Muslim community, or ummah".⁸
The younger generations are having to carve out an identity of their own, as both
citizens of states that belong to the Western world and as followers of the Muslim
faith, the latter experienced in a world that is alien to the social fabric of the life,
daily experiences and codes of conduct that constitute the very essence of Islamic
culture and in which a common language becomes the bonding agent.

⁸ Olivier Roy, Globalized Islam, Columbia University Press, New York, 2004, p. 2.
I am speaking, here, of an Islamic faith and experience lived through the customs
that have been handed down within the family, with precepts, traditions and customs
that are often thought to be Islamic while, in reality, they are features of the culture of
the place from which the family originated, and where the disassociation between the
two worlds can be extremely pernicious.
This by no means applies only to the Islamic world transplanted into the West, in
which two worlds are in a state of conflict within one and the same individual. It is a
phenomenon that has also emerged recently within the Islamic world itself.
Antonio Giustozzi⁹ has written that: "Gul (Imran Gul, programme director of the
Sustainable Participation Development Program, an NGO based in Banu, just outside
North Waziristan) believes that the tribal system is in crisis and that it can no longer
provide peace, income, a sense of purpose, a social network to the local youth, who
then turn to radical movements (collectively known as the Pakistani Taliban) as the
only outlet where they can express their frustration and earn the prestige once offered
by the tribal system”.

1.3. The New Islamic Thinking

This quest for an identity has obviously paved the way for the emergence of a new
class of preachers, imams and leaders of mosques who follow the new Islamic
ideologies, which seek a new dimension of Islam and Islamic culture and which
originated with such thinkers and intellectuals as Muhammad Abduh, Rashid Rida and
Jamal al-Din al-Afghani.
This new ideology reinterprets Islam, not along the lines of the past – which had
led to the decline of Islam as a unicum of din and dawla, State and faith, in which the
concept of watan (nation) had acquired primacy over the concept of ummah
(community in the broadest sense of the term) – but by seeking to “modernise” the
Islamic world through the use of the modern media detached from the Western culture
that is usually linked to them.
It is, therefore, a case of a revival of the Islamic world in a Western context with
rapidly evolving ideologies and programmes, while remaining fiercely attached to
basic elements related to its security in terms of resources and the economy.
The development of this way of thinking has given rise to numerous schools of
thought, such as those developed by the Muslim Brotherhood and by such ideologues
as Hassan al Banna, Sayyd Qutb and Abu ala al Mawdudi, who are considered to be the
masterminds behind the modern extremist movements.
These are the innovative driving forces advocating a revisitation of Islam through a
doctrine called Salafiyya. This doctrine is based on the premise that all problems can
be solved only by returning to the original Islam, the Islam of the Salaf 10 or
“Companions of the Prophet”, relying on one simple certainty: a doctrine that had made
it possible for a small community caught between two empires, animated solely by total
devotion and submission to the one God, to create a new “empire” by destroying the
other two had demonstrated its soundness de facto and, in their eyes,

9 Antonio Giustozzi; Koran, Kalashnikov and laptop – The neo-Taliban insurgency in Afghanistan- Hurst & Company- London- 2007.
10 A term meaning predecessors, applied to the ideology that seeks to recreate a lifestyle and world based on the practices of the earliest Muslims.

was confirmed by divine support. This soundness was only compromised subsequently,
due to later changes to its original essence. A return to the original sources is
therefore the only answer.
Other theories have stemmed from this mindset, including those involving the
concepts which, in the Western world, we mistakenly call ‘jihadism’.
While most of those modern preachers that attract large numbers of Western
Muslims in search of an identity are the exporters of such ideas, it nevertheless remains
the case that not all salafitic ideas support terrorism as a means of struggle.
Furthermore, amongst the latter, some advocate combating “the near enemy” –
namely, the regimes in the Islamic world – and others “the far enemy”, namely, the
Western countries, which support the Islamic regimes.
Erecting a new doctrinal system that is based on an ideal view of the past raises
numerous issues regarding the foundations on which the system is to be built.
For the ideal reconstruction of a perfect society, the salafite movement relies on
two essential pillars, the Qur'an and the Sunnah of the Prophet.
The problem, however, is deciding who is to interpret the Qur'an and who is to
decide which events and sayings of the Prophet are true. In particular, it is not a
foregone conclusion that the new preachers acknowledge the codes of traditional deeds
and sayings, which are commonly accepted by the classical theory of Islamic
knowledge.
And while this applies to that area of the world in which Islam is the cultural faith
to which the vast majority of the population claims allegiance, it applies to an even
greater degree in the Western world where, as we have already seen, the linguistic
knowledge of the parents and grandparents has gradually been lost, making it
impossible to even refer to a body of classical knowledge.

2. The Importance of the Web

This leads us to an analysis of what the cyber-world can signify today in the Islamic
cultural faith.
Most of the modern Islamic websites, or rather the sites dealing with issues of
relevance to Islamic culture and the Islamic faith, are located in various places in the
Western world, and the language they normally use is English.
As a result, in a world without specific cultural and religious familiarity with the
Muslim world, the website managers, like the preachers in the mosques mentioned
earlier, are able to insert their own ideas and pass them off as being part of traditional
Islam.
Confirmation of this can be found in two articles published in the “Middle East
Quarterly”11 entitled:
- Assessing English translations of the Quran; 12
- Beheading in the name of Islam.13

11 http://www.meforum.org/meq/issues
12 http://www.meforum.org/717/assessing-english-translations-of-the-quran
13 http://www.meforum.org/713/beheading-in-the-name-of-Islam

These two articles demonstrate that traditional Islamic knowledge, that is to say,
the knowledge of the ulama and the fuqaha, has been manipulated and tailored to suit
the ideas of one or more groups and used by these groups to achieve their own ends.
Khaleed Mohammed, the author of the first of these two articles, offers an in-depth
examination of the English translations of the Qur'an, and shows how they have been
monopolised and sponsored by the present Saudi dynasty, with the aim of ensuring the
greatest possible diffusion worldwide. Suffice it to say, the English translation of the
Qur'an by Mohammed Asad14 has been banned in Saudi Arabia. The author himself has
written that, “Indicative of the desire and drive of Saudi Arabia to impose a Salafi
interpretation upon the Muslim world, the kingdom has banned Muhammad’s work
over some creedal issues. Because the Saudi government subsidizes the publication and
distribution of so many translations, the ban has in effect made Asad’s translation both
expensive and difficult to obtain. Nevertheless, it remains one of the best translations
available both in terms of its comprehensible English and generally knowledgeable
annotations”. It is relevant to note that Asad was a member of the Libyan Senussya
resistance against the Italian occupation, a Mujahideen ante litteram, and yet, because
his translation does not fit in with a one-sided and monopoly-oriented reading of Islam,
his version has been censored.
The author of the second article, Timothy R. Furnish, in his analysis of
decapitation in Islamic theology, notes that everything that has been publicised and
advocated as rooted in Islamic theology by the so called “jihadist” groups - such as al
Tawhid wa al Jihad, whose leader was abu Mus’ab al-Zarqawi - is by no means
consistent with the tenets of classical Islamic theology.
Zarqawi has said that he would “accept comments from ulema regarding whether
his killing operations are permitted or forbidden according to Islam – provided that the
ulema are not connected to a regime and are offering opinions out of personal
conviction and not to please their rulers”. 15
It is interesting to note in this regard that one Islamic website linked to “jihadist”
doctrine16 makes reference to “The Book of Jihad” by Abi Zakaryya Al Dimashqi Al
Dumyati, also known as Nahaas (who died in 1411), to subvert the well-known and
established classical doctrine regarding jihad.
This site claims that the difference between the “greater” and the “lesser jihad”,
which is an important element in official Muslim doctrine and is considered to date
back to the great authors of the past, did not in fact exist at all. When arguing the
reasons why this hadith did not exist, the site obviously refers to ibn Tamiyya and a
series of ulama who also recorded some of the hadith of the Prophet, namely those
supporting war as the only possible interpretation or meaning of jihad. The site
exclusively referred to these as the sole means of understanding the meaning of jihad,
adding that the other version “had never been reported by any scholar as having
anything to do with the hadith”. This collection of hadith and this theory of jihad tend

14 Born Leopold Weiss in July 1900 in Lwów, then part of the Austro-Hungarian Empire, Asad was a Jew who converted to Islam in 1926, thus changing his name to Mohamed Asad. During World War II, he was imprisoned by the British in a camp for enemy aliens (because of his Austrian nationality) while his father was interned by the Nazis for being Jewish. In 1949, Asad joined the Pakistan Foreign Ministry as head of the Middle East Division and, in 1952, went to New York as Pakistan’s representative to the United Nations.
15 Al-Zarqawi Associate, Al-Zarqawi Unconnected to Al-Qa'ida, Seeks to Expand Fighting to Entire Region, Middle East Media Research Institute (MEMRI), Sept. 23, 2004.
16 http://www.masterplanstewardship.org/ConstantContact/PDF/Mashari_Book_of_Jihad.pdf

to look only at those deeds performed by the Prophet which support this interpretation
of the doctrine. Although I am not saying that the website deliberately ignored other
deeds, it certainly did not attempt to search for them, and when doubts arose – as often
happens with events and issues needing interpretation – it was only logical to offer an
interpretation that supported its particular views.
It is no coincidence that the author the site refers to was one of the main sources
from which Bin Laden’s mentor, Sheikh Azzam, drew.
This might seem to suggest that the Internet only propagates messages connected
with the type of Islamic doctrine that, in the West, is defined as “fundamentalist” – a
term that was originally coined to identify theories connected with Christianity, and
which therefore has no corresponding meaning in the Islamic cultural language. But
this is not the case.
As I have already pointed out, Salafi doctrine comprises numerous schools of
thought, including those which the Western world deems jihadist. These last, however,
are certainly not the only ones, as Gilles Kepel has pointed out in his book, “The War
for Muslim Minds”.
The aim of the radical preachers is obviously to recruit followers and get them to
adopt their ideas, and thus lead them to commit actions using terrorism as the primary
means to achieve their purposes.
Although it has not yet been possible to profile the so-called ‘jihadist’ terrorists
living in the Western world, the analysis carried out by Marc Sageman in his
“Leaderless Jihad” is particularly interesting in that it topples a number of the myths
about the reasons underlying the support that certain ideas attract – such as
poverty, immaturity, ignorance, sexual frustration and so on – and instead emphasises
the importance of the criterion of justice, which far outweighs the concept of
democracy and that of brotherhood, both of which lead people to subscribe to certain
ideas.

3. A New Perspective for Countering These Ideas

A number of specific considerations can be drawn from the aforesaid.
Most modern preachers, or imams, who advocate these so-called ‘jihadist’
doctrines, do not have a background in the classical fields of knowledge or of Koranic
scholarship.
Their doctrinal construction is formulated using principles and religious symbols
to push forward a political idea.
Those who adopt this political view are driven above all by sentiments of justice
and equity. Once this path has been taken, it becomes increasingly difficult to
escape or renounce their commitment, due to the powerful sense of group membership
that is created and made all the more solid by shared experiences and by the progress
made together.
If the political idea is underpinned by religious concepts, which extend beyond
earthly experiences through the construction of myths that make it possible for the
individual to achieve the long-awaited recognition by a society which, until that
moment had ignored him, and, above all, if the ultimate purpose is the establishment by
a supernatural reality of a better and more just society, it becomes easy to follow the
pathway indicated by the spiritual guide.
The question of how we can counter these efforts must be asked and answered.
As I have already said, reality is very different from what our imagination or fears
suggest.
It is important to emphasize that the majority of Muslims and followers of Islam
are not extremists or fundamentalists. However, many attach no importance to the
Western desire for a longer consumerist life of ease and comfort. Furthermore, there
is a small percentage who are extremists and who, through the virtual activities on the
Internet described above and their ensuing consequences in the real world, are capable
of causing extremely serious damage to our complex and delicately balanced Western
societies. This in turn only heightens the sense of mutual alienation. Below, I will
suggest, through a proposed model, how I believe this problem could be faced and which
approach would be the most effective.
The key to the model, which I wish to propose as a means of countering so-called
Islamist-type terrorism, is to acquire as thorough and accurate a cultural understanding
of the Islamic world and society as possible, in order to be able to use it to challenge
the cultural vulnerability of the “jihadist imams”.
The Internet is the cyber-world where everyone has the right to speak out, a place
where there are no controls and where information is often sacrificed to speed, but also
where it is possible to apply Popperian falsification theories - if there is a public
wishing to learn.
It would help to break that unchallenged chain of thought in doctrinal terms, if an
alternative network of scholars, sociologists and political commentators from the
Islamic world could be established - with cyberspace users from both cultures - to
interact and monitor discussions and trends.
As far as we know, scholars and experts on the Islamic world have so far only been
asked to supply their expertise for study and consultancy purposes, but not to act
directly and actively in the field of counterintelligence to destroy or dent the validity of
certain ideas and the foundations on which they have been based.
Only an expert or a person with a solid understanding of the Islamic world might
competently navigate the world of what we have come to know as “fundamentalist”
ideas.
A fresh reading of “The Great Arab Conquests”17 by Sir John Bagot Glubb, better
known as Glubb Pasha, the last British Commander of the Arab Legion in the Kingdom
of Jordan, is enlightening in this regard. With his profound understanding of the Arab
world, he was able to grasp the way the Bedouins fought and to adapt it to the
circumstances of modern warfare. He succeeded in reconstructing the reasons for the
victorious expansion of the Muslim armies, as they conquered the Arab lands following
the death of Muhammad, and in exploiting them for his own military campaigns.
One might ask how a scholar of the Islamic world could understand when a group
starts professing the pathways of what is known as jihadist Salafism.
The logical train of “jihadist” thought follows the canons of the life of
Muhammad, the first step of which was to erect a new society through the Hijra, a
society based on the canons of the structure put in place by Muhammad at Medina
following his migration from Mecca.
The hijra is an historical period that has been seriously underestimated by those
Westerners who are not experts on the Islamic world. It marked a break with the past
and total dedication to a new society from which a new faith could be propagated.
The whole construction of the jihadist movement is based on the observance of
what is written in the Qur'an and in the Sunnah, as evidenced from the emergence and
development of such movements. They advocate jihad against infidels, no longer
meant as solely those who profess a faith other than Islam, but as anyone who professes
or lives according to a different cultural code, thereby again taking up the concept of

17 John Bagot Glubb, The Great Arab Conquests, J.B.G. Ltd, Hodder & Stoughton, 1963.

jahilyya and takfir, ignorance and apostasy, revisited in a modern form by the Egyptian
ideologist Sayyd Qutb. All of this is obviously viewed one-sidedly, for there is no judge
to issue a ruling and no common agreement on what is right and what is wrong, apart
from whatever it is that the members of the group want. The structure, the military
activities and the organisation are based on patterns borrowed from an ideal and
idealised past, as one clearly sees from the statements issued in the wake of every
terrorist attack.
Who, then, is better equipped to penetrate and change the indoctrination and the
quest for support by the “jihadist” preachers than an expert who is thoroughly familiar
with the Islamic world?
Who, better than an expert, can learn and understand when a virtual ummah is
being created on the Internet, in which to grow a new community, but above all, can
perceive in which direction the movement is heading, whether it be towards an area
characterised by da’wa, preaching, through which to carry out a social revolution based
on the construction of a critical mass within society, or towards the jihad, namely, a
militant approach, by declaring war against the political leaders of nations forming part
of the Islamic world who fail to observe the precepts and the contents of sharia law?
What I have said above only gives a slight indication of the complexity of this
subject area to anyone who is not a scholar or expert on the Islamic world because it is
impossible to address such complex issues using superficial knowledge and inaccurate
information-gathering tools, particularly on the part of members of the security
services.

Conclusions

Penetrating a system such as the cyber world of Islamic fundamentalist movements,
engaging in dialogue on forums, instilling doubts about absolute truths, implementing a
Popperian falsification process against unshakable truths, speaking the same language,
sharing the same doubts, reasoning using the same methodologies: all of these could
constitute a new instrument for countering fundamentalism.
Success might perhaps be achieved by involving people who know how to
interpret the signals of worrying deviations and attitudes in intelligence-gathering and
operational programmes, not only as “advisers” but as part of the security agencies,
using their knowledge to counter theories with no doctrinal basis on blogs and forums,
sowing doubt about what the “real truths” might be. People who understand the
feelings, frustrations and sensitivities of people who are unable to feel fully part of one
of the various worlds to which they belong, together with people seeking to defend
Western civilisation by eschewing all forms of racism, deliberate or otherwise, or lack
of understanding, building a “bridge theory” starting from the virtual world and
expanding outwards to the real world, including prisons that are all too often neglected.

References

[1] John Bagot Glubb, The Great Arab Conquests, J.B.G. Ltd. Hodder & Stoughton, 1963.
[2] Marc Sageman, Leaderless Jihad, University of Pennsylvania Press, Philadelphia, 2008.
[3] Gilles Kepel, The War for Muslim Minds, The Belknap Press of Harvard University Press, Cambridge and
London, 2004.
[4] Montasser al-Zayat, The road to al Qaeda, Pluto Press, London, 2004.
[5] Peter R. Neumann, Joining al Qaeda, Adelphi Paper 399, Routledge for The International Institute for
Strategic Studies.
Modelling Cyber Security: Approaches, Methodology, Strategies 125
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-125

Modelling Deterrence in Cyberia*


Claudio CIOFFI-REVILLA1
Center for Social Complexity, George Mason University

Abstract. Deterrence is an ancient strategy (as early as the 4th millennium BCE)
based on defence and retaliation to prevent undesirable behaviour from a potential
attacker. Specifically, deterrence—both classical and cyber-related—is based on a
potential attacker perceiving an unacceptable cost and consequently refraining
from attack. Similarly to nuclear deterrence, cyber-deterrence may be an effective
strategy against foreign governmental attackers, who might refrain from attacking
for fear of retaliation. However, cyber-deterrence may not be as effective against
individual terrorist hackers or clandestine organisations that have a high propensity
towards risks or simply believe they can attack with impunity. This paper outlines
some solutions to the fundamental challenge of modelling deterrence in Cyberia
and discusses theoretical and policy implications based on computational social
science.
Keywords. Deterrence, infrastructure protection, cyber security, cyber attacks,
cyber warfare

Introduction

Challenges and opportunities posed by the rise and evolution of the Internet and related
IT systems—“Cyberia”, for short—have called into question traditional policies and
national security priorities. [1, 2, 3] When faced with threats, deterrence is often
invoked as the natural and logical policy to design and implement. However, deterrence
is an ancient strategy (applied as early as the 4th millennium BCE) based on defence
and retaliation to prevent undesirable behaviour from a potential attacker. More
specifically, as a well-defined form of social power relation, deterrence—both the
classical version that began in Mesopotamia and the more recent cyber-related
adaptation—is always based on a potential attacker perceiving an unacceptable cost
and consequently refraining from attack. [4, 5] As a consequence, cyber-deterrence
may be an effective strategy against foreign governmental attackers, assuming all the
necessary requirements are met (i.e., credibility of capability and credibility of intent,
each of which has its own component requirements). As with nuclear deterrence
between states, state attackers may refrain from attacking for fear of retaliation.
However, cyber-deterrence may not be as effective against individual actors (e.g.,
terrorist hackers) or clandestine organisations that have a high propensity towards risks

* This chapter was presented at the NATO Advanced Research Workshop (ARW) on Operational Network
Intelligence: Today and Tomorrow, L'Arsenale, Venice, Italy, 6–7 February, 2009. I am grateful to S.
Numrich, M. Zalesny, and A. Vespignani for comments and discussion on an earlier version of this paper.
Many thanks to Professor Umberto Gori for the invitation to participate in the NATO ARW as well as for
comments received by workshop participants, especially M. Agazzi, N. Ahituv, M. Arditti, A. Gazzini, G.
Grasso, A. Hochberg-Marom, G. Iovane, E. Peshin, P. Rapalino, U. Rapetto, F. Sanfelice di Monteforte, E.
Tikk, and A. Vidali. The author is solely responsible for the views expressed in this chapter.
1 Corresponding Author: Prof. Claudio Cioffi-Revilla, Director, Center for Social Complexity, George Mason
University, 4400 University Drive, MSN 6B2, Fairfax, Virginia 22030 (near Washington DC), USA. E-mail:
ccioffi@gmu.edu URL: http://socialcomplexity.gmu.edu
126 C. Cioffi-Revilla / Modelling Deterrence in Cyberia

or simply believe they can attack with impunity. This chapter frames the problem of
deterrence in cyberspace in terms of the classical theory of deterrence and uses such a
framework to gain some insights into the problems and solutions to modelling
deterrence in Cyberia.

1. Elements of Deterrence

Modelling and simulating deterrence in a cyber-security context [6, 7] necessitate a
clear understanding of deterrence in the classic, conventional context and the viable
identification of relevant IT systems at risk, including their increasingly complex
operating environment. Deterrence is a passive form of power relation or
strategy, for the preventive use of power between two actors—the potential attacker
and defender—whereby a potential attacker refrains from attacking the defender for
fear that the defender will retaliate with unacceptable consequences or that the very
cost of attack will be too high, due to the effective defences. Accordingly, the main
purpose of deterrence is to prevent a form of behaviour on the part of a potential
attacker, by threatening the attacker with some punishment that carries sufficient
severity in terms of consequences—either by attacking or by subsequent retaliation or
prosecution. Crucially, deterrence works when a potential attacker does not act as a
result of the communicated threat.
By contrast, compellence is an active form of power relation whereby an actor
seeks to induce a given form of behaviour on the part of another actor [8]. The attempts
of the US and other members of The Quartet to get Israel and Palestine to reach
permanent peace in the Middle East is a form of compellence, as is the US attempt to
obtain a viable government of national unity between rival domestic factions in Iraq.
Compellence is therefore about inducing behaviour that has not yet manifested,
whereas deterrence is about preventing some undesirable future behaviour.
Accordingly, compellence works when desirable behaviour does occur as a result of a
threat or inducement (carrots or sticks, respectively).
A parallel analysis based on positive incentives (“carrots”), rather than just threats
(“sticks”), is necessary for a complete theory of deterrence and compellence. Carrots
and sticks may be part of both forms of power.
Like most national security strategies, deterrence is not a modern invention. As a
form of power relation, deterrence has ancient origins going back several thousands of
years (it was practised in the Near East by ca. 3500 BCE), thus significantly pre-dating
the modern world and even the nuclear deterrence context, where it became prominent
during the Cold War between the United States and the USSR. [9] Moreover, the social
and behavioural science of deterrence has provided no reason to anticipate its demise.
[10]
Formally, the basic strategy of deterrence consists in making a threat that takes on
the following form: “If you do X, we will do Y to you (or punish you with consequence
Y).” X is some undesirable form of behaviour that a defender seeks to prevent, and Y is
some consequential punishment/response that is deemed unacceptable by the potential
attacker. (In terms of incentives, a defender may also deny some valuable benefit to a
potential attacker, wherein Y is a form of bribe.) Deterrence theory is one of the most
mathematically elaborate areas of social science. It is based on probability theory,
decision theory, and game theory and the foundations of deterrence theory are
probabilistic in nature. [11]
Accordingly, as a subjective perception, the credibility of deterrence is critical; it
depends not only on the credibility of capabilities (to effectively carry out the threat)
but also the credibility of intentions (or willingness to retaliate). In the theory (and
practice) of deterrence as a strategy to ensure security, both forms of credibility are
viewed as necessary conditions. In practice, each type of credibility is ensured by
multiple means. These include diverse systems that guarantee a high degree of
reliability in the delivery of punishment and multiple signals and organisational
arrangements ensuring an elevated level of credibility with respect to willingness.
Thus, while the foundations of deterrence require serialisation (as in a supply chain),
the implementation of deterrence is based on parallelisation in order to ensure and
communicate sufficiently high levels of credibility in terms of both capability and
willingness. [12]
Redundancy plays a critical role in deterrence theory and practice, because many
of the basic systems and processes involved with deterrence have a serialised structure
that by nature will degrade overall performance. Redundancy, however, has costs that
are both material and organisational. [13] Examples of deterrence redundancy include:
1. For credibility of capability: Develop multiple systems to inflict devastating
retaliation and ensure efficient defences.
2. For credibility of intent: Communicate resolve to employ retaliation through
multiple signals that minimise or eliminate uncertainty.
3. For defensive fortifications: Establish effective and efficient defensive
systems capable of withstanding potential attack. (An additional valuable
feature of defensive security systems is that they fail by drift and in isolated
modes, rather than catastrophically or in interactive ways.)
In addition to retaliation, deterrence also relies on defence or fortification, which
takes on numerous forms: layered defences, choke points, overlapping fields of fire,
observation detection, baffled entries, etc. (For the classic study of deterrence and
defence see [14].) The overall purpose of defence is to lower the base probability of the
attacker’s success, which can positively interact with the credibility of the defender’s
deterrence. (A mighty or impenetrable defender might also be—in the mind of a
potential attacker—a merciless retaliator.) Therefore, in the implementation of
deterrence, defence is just as important as retaliation and it is a feature that should not
be overlooked within the complex context of cyber-deterrence.
When deterrence fails, two additional considerations are mitigation (what can be
done in advance of an attack to lessen the effects of undeterred attack) and prosecution
(how can the perpetrators be found and brought to justice). Both types of preparatory
issues acquire special significance in the cyber context. Unfortunately, only scant
attention is paid to both, especially the latter.
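The serial-versus-parallel structure described above (credibility of capability and credibility of intent are both necessary, and each is secured in practice by redundant means) and the role of defence in lowering the attacker's base probability of success can be made concrete in a small probabilistic model. The following Python example is added here for illustration and is not part of the chapter; the independence assumptions, the constructed probabilities and the expected-cost decision rule (the attacker refrains when the expected punishment exceeds the expected gain of attacking) are assumptions of this example, not the chapter's own formulas.

```python
"""Serial vs. parallel structure of deterrence credibility.

Added illustration, not the chapter's own model. Assumptions (not from the
chapter): the redundant systems and signals fail independently, and the
attacker follows a simple expected-cost rule. All numbers are constructed.
"""
from typing import Dict, Sequence


def serial(parts: Sequence[float]) -> float:
    """Probability that every necessary condition holds (independent parts).

    A serial structure is never stronger than its weakest link, which is
    why a chain of necessary conditions degrades overall reliability.
    """
    p = 1.0
    for q in parts:
        p *= q
    return p


def parallel(parts: Sequence[float]) -> float:
    """Probability that at least one of several redundant means works."""
    fail = 1.0
    for q in parts:
        fail *= 1.0 - q
    return 1.0 - fail


def credibility(capability_means: Sequence[float],
                intent_signals: Sequence[float]) -> float:
    """Overall credibility of the retaliatory threat.

    Capability and intent are both necessary (serial); each is backed by
    redundant retaliation systems or resolve signals (parallel).
    """
    return serial([parallel(capability_means), parallel(intent_signals)])


def deterred(gain: float, punishment: float, p_attack_success: float,
             threat_credibility: float) -> bool:
    """Expected-cost rule (assumption of this example): the attacker refrains
    when the expected punishment exceeds the expected gain of attacking.
    Defence enters through p_attack_success, retaliation through credibility.
    """
    return threat_credibility * punishment > p_attack_success * gain


def minimum_credibility(gain: float, punishment: float,
                        p_attack_success: float) -> float:
    """Credibility the defender must reach for the threat to deter."""
    return p_attack_success * gain / punishment


def compare_postures() -> Dict[str, object]:
    """Constructed scenario: one system and one signal vs. redundant ones."""
    single = credibility([0.8], [0.7])                    # 0.8 * 0.7 = 0.56
    redundant = credibility([0.8, 0.8], [0.7, 0.7, 0.7])  # 0.96 * 0.973
    gain, punishment = 60.0, 100.0
    return {
        "single_credibility": single,
        "redundant_credibility": redundant,
        # no defence: the attack succeeds for certain if attempted
        "single_no_defence": deterred(gain, punishment, 1.0, single),
        "redundant_no_defence": deterred(gain, punishment, 1.0, redundant),
        # defence halves the attacker's chance of success; same single posture
        "single_with_defence": deterred(gain, punishment, 0.5, single),
        "required_credibility_no_defence": minimum_credibility(gain, punishment, 1.0),
    }


if __name__ == "__main__":
    for key, value in compare_postures().items():
        print(f"{key}: {value}")
```

Two things fall out of the numbers. First, the serial conjunction of capability and intent (0.56) is lower than either component alone, which is the degradation the chapter attributes to serialised structures. Second, either parallel redundancy (raising credibility to about 0.93) or an effective defence (halving the attacker's success probability) on its own turns a failed deterrent into a working one, which is why the chapter treats defence as just as important as retaliation.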

2. Cyber-deterrence

Within the specific context of cyberspace [6]—a world fundamentally different from
the one in which deterrence originated among Sumerian city-states several thousand
years ago [9]—a deterrence strategy by the government would seek to prevent attacks
to the nation’s IT infrastructure and related systems by threatening unacceptable
retaliation to potential attackers [15]. Given such requirements, the following two
classes of questions immediately emerge as fundamentally important in the cyber
context:

1. Concerning potential attackers: What punishment would be sufficient to deter
potential cyber attackers? What do potential cyber attackers fear most? What
would they fear enough to deter them from even planning such attacks?
2. Concerning the defender: Does a nation and its allies have—or can it develop
and maintain in the future—both the necessary will and capability to inflict
such punishments on potential cyber attackers? How would such a posture be
developed within the extant framework of capabilities and other elements of
national power? Which communication strategies would maximise the
defender’s deterrence?
These questions suggest that there is an even more fundamental underlying
question: Is deterrence a viable strategy for ensuring the cyber-security of a nation?
Given the fundamentally different worlds of conventional security and cyber-security, a
positive answer to this question is not preordained. After all, deterrence was invented in
the age of Mesopotamia, thousands of years before the age of the Internet. Deterrence
theory can help discover answers; the former questions pertain to the subjective
decision-making process of a potential attacker, whereas the latter pertain to the
national strategic planning of governments.
In terms of a potential cyber adversary, it matters greatly whether such an actor is
(1) an individual, (2) a non-governmental organisation (such as a terrorist group or
criminal organisation), or (3) a governmental actor. Deterrence thresholds—i.e., the
modalities and levels of what constitutes effective punishment—will vary qualitatively
and quantitatively depending on which type of potential attackers the actors happen to
be. Deterring an individual al-Qaeda extremist acting alone poses a very different
challenge from deterring a cyber-attack by the Red Army cyber-warfare organisation of
the PRC [16].
In turn, both of these cases differ substantially from the case of deterring cyber
threats that originate from criminal networks that are active in one or more policy
domains (e.g., narcotics, terrorism, money laundering, trafficking in persons, or other
illicit areas). Such groups have a tendency to create illegal welfare policies and
institutions that provide public goods in competition with the official state government.
[17] The implications are numerous and complicated and are distinct from the other
two aforementioned cases. For example, deterring such groups almost always involves
a much longer time span and may require coordination across numerous jurisdictions or
agencies. This is because such “horizontal polities” [18] are often capable of mobilising
significant capabilities on the basis of which they are able to launch and support cyber
campaigns.
Non-state actors, on the other hand, also need to cope with significant
vulnerabilities that derive from the fact that they lack legitimacy and at least in some
areas must operate in a covert way. For example, operational security always poses
many challenges, especially when it must operate under governmental surveillance.
General concepts and principles of systems security apply to the analysis of this type of
threat as well as to others. [19]
The table below suggests some significant features associated with each type of
potential cyber-attacker in terms of distinct capabilities and vulnerabilities. Other
features may suggest additional attributes and dynamics for computational modelling
and simulation.

Table 1. Characteristics of types of cyber-attackers as a function of capability and vulnerability.

Potential attacker: Governmental
  Capabilities: Major cyberwarfare resources; state sanction
  Vulnerabilities: IT infrastructure and other national assets (e.g., financial and industrial infrastructure)

Potential attacker: Non-governmental
  Capabilities: Significant cyber-warfare resources; organizational strengths; potentially transnational
  Vulnerabilities: Clandestine requirements; financial and logistical constraints; greed, likely financial

Potential attacker: Individual
  Capabilities: Potentially high talent and skill; limited cyber-warfare resources
  Vulnerabilities: Clandestine requirements; must maintain high opsec; pride, boasting, egotism

More specifically, the requirements of deterrence also vary according to which
potential attackers must be faced (unlike the case of classical deterrence), with
targeting posing arguably the greatest challenge due to the clandestine and formal
nature of the two opposite scenarios (individual and governmental, respectively). Such
requirements suggest different, albeit coordinated capabilities for dealing with the full
spectrum of potential attackers. In computational modelling terms, such scenarios also
correspond to different ontologies, each with its own relevant actors and dynamics. The
contemporary theory and practice of deterrence has yet to identify the specifics of such
ontologies with specific reference to Cyberia.
Computational social science has made several key innovations in advancing our
understanding of deterrence in Cyberia:
1. Agent-based models of attacks in cyberspace (e.g., K. De Jong and C. Hunt’s
work described in [7]) have demonstrated the viability of multi-agent systems
and evolutionary computation (genetic algorithms) applications;
2. Social network analysis (SNA) of terrorist groups and related organisations
(including network analysis of the physical internet and WWW) has similarly
demonstrated that systematic analysis can lead to new insights [20];
3. Complexity-theoretic and power-law analysis of conflict [21] could be applied
to the analysis of CERT and related event data; and
4. Visualisation analytics and related computational methods for automated
information extraction are also ripe for applications to cyberspace. [22]
Finally, cyber-deterrence must pay attention to the nature of punishments by
retaliation, in addition to the architecture of cyber-defences. Retaliatory punishment
capable of credibly deterring a foreign government may be meaningless in the case of
an individual attacker, such as a clandestine hacker with the necessary knowledge and
skill (including, for instance but not exclusively, an insider). Moreover, a viable policy
of cyber-deterrence should emphasise exemplary punishment in order to deter future
attacks. At present, however, relatively little publicity is given to instances of
successful prosecution of cyber crimes, let alone deliberately public displays of
prosecutions and retribution—unlike other forms of crime and terrorism where
sentenced culprits are made public for all to see. Within legal boundaries, much more
could be done to highlight the prosecution of cybercrime and cyber-attacks on all
scales, from individual to state-sponsored.

Summary

From a national strategy perspective, the reliability or even the very feasibility of
deterrence as a viable strategy for cyber-security seems dependent on the character of
the threatening actor or potential attacker. For some potential attackers, such as
national governments, deterrence would seem quite viable against cyber attacks: If you
attack our cyber infrastructure, we will retaliate accordingly with unacceptable damage
to your assets (which may or may not include the attacker’s cyber assets; population or
other assets may be as effective, albeit possibly disproportionate). For other potential
attackers, such as individuals or clandestine organisations, deterrence is a far more
problematic strategy that may be sub-optimal and inefficient—even dangerous—for
ensuring the nation’s cyber-security. Against such actors it may be advisable to adopt
more active preventive strategies, given the difficulty or even impossibility to
implement viable retaliation. Overall, the value of a deterrence strategy for ensuring
cyber-security seems to decline with the decrease in the formal organisational level of
the potential attacker, ranging from effective (against a foreign government) to
ineffective (against a resourceful individual hacker).

References

[1] J. Arquilla, and D. Ronfeldt, eds., Networks and Netwars, RAND Corporation, Santa Monica,
California, 2001.
[2] D. Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, New York, 2003.
[3] G. Weimann, Terror on the Internet: The New Arena, the New Challenge, United States Institute of
Peace, Washington, DC, 2006.
[4] J. Knopf, Three Items in One: Deterrence as Concept, Research Program, and Political Issue, Annual
Convention of the International Studies Association, San Francisco, CA, March 26-29, 2008.
[5] J. Knopf, The Fourth Wave in Deterrence Theory: A Critical Appraisal, Annual Meeting of the
American Political Science Association, Boston, MA, August 28-31, 2008.
[6] Threat Working Group of the CSIS Commission on Cybersecurity for the 44th Presidency, Threats
Posed by the Internet, Center for Strategic and International Studies, Washington, DC, 2008.
[7] M. Lawlor, Virtual Hackers Help Take a Byte Out of Cybercrime, SIGNAL Magazine, February 2004.
[8] T.C. Schelling, Arms and Influence, Yale University Press, New Haven, Connecticut, 1966.
[9] C. Cioffi-Revilla, Origins and Age of Deterrence, Cross-Cultural Research 33 (1999), 239–264.
[10] F.C. Zagare, and D.M. Kilgour, Perfect Deterrence, Cambridge University Press, 2000.
[11] C. Cioffi-Revilla, A probability model of credibility: Analyzing strategic nuclear deterrence systems.
Journal of Conflict Resolution 27 (1983), 73–108.
[12] C. Cioffi-Revilla, Politics and Uncertainty: Theory, Models and Applications, Cambridge University
Press, 1998.
[13] C.L. Streeter, Redundancy in Social Systems: Implications for Warning and Evacuation Planning,
International Journal of Mass Emergencies and Disasters 9 (1991), 167–182.
[14] G.H. Snyder, Deterrence by denial and punishment, Woodrow Wilson School of Public and
International Affairs, Center of International Studies, Princeton University, 1959.
[15] J.A. Lewis, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on
Cybersecurity for the 44th President, Center for Strategic and International Studies, Washington, DC,
2008.
[16] J. Fritz, How China will use cyber warfare to leapfrog in military competitiveness, Culture Mandala 8
(2008), 28–80.
[17] M. Mousseau, and D.Y. Mousseau, How the Evolution of Markets Reduces the Risk of Civil War, 4th
Annual General Conference of the European Consortium for Political Research (ECPR), University of
Pisa, Italy, 6-7 September 2007.
[18] Y.H. Ferguson, and R.W. Mansbach, Polities: Authority, Identities, and Change, University of South
Carolina Press, Columbia, South Carolina, 1996.
[19] B. Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer, 2006.
[20] M. Tsvetovat, and K. Carley, Structural Knowledge and Success of Anti-Terrorist Activity: The
Downside of Structural Equivalence, Journal of Social Structure 6 (2, 2005), online.

[21] C. Cioffi-Revilla, and P.P. Romero, Modeling Uncertainty in Adversary Behavior: Attacks in Diyala
Province, Iraq, 2002-2006, Studies in Conflict & Terrorism 32 (2009), 253–276.
[22] J.J. Thomas, and K.A. Cook, eds., Illuminating the Path, IEEE Computer Society, Los Alamitos,
CA, 2005.
132 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-132

The Cutting Edge of Cyber Network
Development - A Paradigm to Translate and
Predict the Network Strategies of Avant-
garde Cyber Criminals
Dott. Maurizio AGAZZI
Intelligence & Security Expert, Robur S.p.A

Abstract. Human beings are experiencing new paradigms, such as collective
intelligence, that contribute to levels of knowledge enhancement and information
sharing unimaginable prior to the existence of the Internet. Nevertheless, these
new paradigms are equally interesting for cyber-terrorist groups and for organised
crime. This work intends to analyse this new paradigm, which avant-garde cyber
networks, since they gain vitality from the web’s complexity, also happen to use to
express their developing dimension. This work focuses on the characterising
aspect of advanced cyber criminal networks: the fast and broad movements along
temporary trajectories. Mutation is an implicit aspect of their development, given
that the Internet itself is constantly changing, together with interconnections that
are enriched by collective experience.

Keywords. Collective Intelligence, Social Engineering technique, WEB2.0, Web-
Forums, Cyber Crime Community, Encryption, Illegal Underground Economy,
Malware, Malicious Application, Distributed-Denial-Of-Services, Peer-To-Peer,
Botnets, Rootkits, Rustock.

Introduction

Economic growth is related to the innovation capability of industrialised countries,
which, along with it, are able to create profitability and wealth and to spread those
democratic values which have been culturally transmitted to us. The fast pace of the
innovation age we are experiencing is induced by Information and Communication
Technology which has vastly increased knowledge, and has thus led to the solution of
complex problems. Human beings are experiencing new paradigms, such as collective
intelligence (think of phenomena like WIKI1 or the Human Genome Project 2), in which
a vast quantity of data and information is shared through Internet platforms. This
enhances knowledge thanks to the free participation of thousands, sometimes millions,
of individuals, who share their talent and their knowledge with the community. The
talents of the net-generation3 have generated competitive advantage of some interest.
This generation, from a business point of view, has been able to make use of the

1 www.wikipedia.org
2 www.geonomics.energy.gov
3 Net-generation is a term that has been applied to the generation that has had access to the Internet throughout
its adolescence and, thus, is not only aware of the web but also computer literate. This is a recent phenomenon
of the last decade.
M. Agazzi / The Cutting Edge of Cyber Network Development 133

growing complexity of the Internet (think of the creators of Facebook), the Internet’s
latest evolution with WEB2.04 (an example of which is the success of platforms like
Facebook, MySpace, Google, Wikipedia, Wikidocs, LinkedIn, YouTube, Linux,
Second Life, Human-Genome-Project etc.), and with virtual computing.
This acceleration creates a fast-paced movement (for example Linux is created and
made possible by the community of programmers who contribute to the construction of
this open source operating system), which produces evident technological progress
within the spheres of nanotechnology, biotechnology, and grid-computing. This has a
marked effect on molecular sciences, on the study of materials, mechanics and others.
Scientists pose questions that are stimulated by these new emerging paradigms in
an attempt to understand whether humankind could undergo significant changes, and
therefore bring about further evolution in humankind. The question that naturally arises
is: what has drastically changed our cultural habitat in this historical moment? We may
dare say Internet, the worldwide interconnection.

1. Emerging Paradigms

In Stephen Jay Gould’s theory of evolution, otherwise known as “Punctuated
Equilibrium” (which, consequently, displaces the “Modern Synthesis”), evolution is
above all a story of dramatic migrations, drifting populations, operations and
substitutions within species that have often been caused by sudden and strong climatic,
geographical, and geological changes. In nature, form appears to tend towards
stability, while mutation is often caused by drastic changes brought about in the habitat
or environment. It is, therefore, natural for the science community to question whether
or not global interconnection may be considered to be a drastic change for humankind
or not. In the eventuality that it were, this change would signify an equally powerful
cultural change that no one at present is able to clearly comprehend. We know that
paradigms do not claim to predict future events, however, they allow extremely
complex problems to be simplified into models, which in turn are understood and
analysed with greater ease by the human brain. Moore’s well-known Law, according to
which computational capacity grows at an exponential rate relative to the cost of
developing new processors, translates in practice into the doubling of
computational capacity every 18 months at a fixed cost. Already from the mid-
seventies, this anticipated the extent of the technological progress that we would
experience over the following thirty years; hence, the paradigm is still of great
effectiveness.
Evolutionary processes, as scientists know, are open systems that not only feed
themselves within their habitat, but draw upon it for their options of diversification. So,
if we accept the idea of global interconnection as a drastic change in habitat, tell-tale
signs of some sort of avant-garde cyber-crime activity should already be visible in
cyberspace. The movement on the Internet is referred to as surfing. In this movement,
made of temporary trajectories, it is hard to be fully aware of the progress of avant-
garde activity. For the authors of such activity, meaning takes the form of bitstreams,
but it is the movement itself that is important; this movement is propelled by the
websites that are visited, for which a thrust is received from each transit. Were we to

4 WEB2.0 is a term used for the more heterogeneous components such as the mashup applications of Google-
Map that replaced the old Internet architecture in use around 2000. It is also characterized by sociological
aspects, like communities that come together through Internet portals, such as Facebook, that are called
community platforms.
134 M. Agazzi / The Cutting Edge of Cyber Network Development

focus all of our attention on these movements, avant-garde activity would then become
visible. With the aid of readily available technology and the global diffusion of the net
and bandwidth, the forefront of cyber activity is rapidly evolving within this growing
complexity and is undergoing a transformation.

1.1. Illegal Underground Economy

According to recent studies, the illegal underground economy5 related to cyber-crime
activities is sufficiently developed, the value of which is estimated at $276 million for
the period that goes from July ‘07 to June ‘08. The underground economy has identical
characteristics to those of the free market; supply and demand meet on the basis of
quotations that are related to the availability and needs of the global market. Publicity
in this market is located on web-based forums or web-blogs. These popular social-
networking instruments are used by the cyber-crime community for trading goods and
services. Meanwhile, the servers of these platforms are located in countries in
which the governments have difficulty in countering these cyber-crime
activities, or in which the regulations are simply less restrictive.
The Goods and Services offered on web-forums are mainly the following:
- Malicious application.
- Phishing generator toolkit.
- Account cracker.
- Password recovery tools.
- Encryption and Compression utilities.
- Mobile viruses.
- Credit Card generator and Checker.
- Cracker proxy toolkit.
- Credit Card Information.
- Financial Accounts.
- Spam and phishing information.
- Withdrawal service.
- Identity theft information.
- Server accounts.
- Compromised Computers.
- Website accounts.
In the past, hackers mostly sought fame through sensational and visible actions.
Nowadays, hackers have every interest in remaining in the shadows and anonymous,
because they are a link in cyber-crime activity, supplying the lucrative illegal market
with malware. This malware is sold at market price on web-forums. Cyber-
criminals, through war-driving and exploitation, use this malware to fraudulently
access systems and on-line transaction processes in order to obtain credit card codes.
This is especially true for weakly protected wireless networks, where sniffers are
employed to capture data at the time of transmission 6 and subsequently shift it over to
remote servers. Investigations conducted by the U.S. authorities uncovered a criminal
network that stored data on servers located in Latvia and the Ukraine. This criminal

5 Symantec, Symantec Report on the Underground Economy, July 07 – June 08, www.symantec.com,
2008.

6 http://nytimes.com/2008/08/12/technology/12theft.html?pagewanted=2&_r=1

organisation cloned new ATM cards that were provided by Chinese contacts,
whereupon the cloned cards were subsequently introduced into the North American
market7. It is possible to note that the economic mechanisms inherent to the
underground economy have transformed the ‘species’ of cyber-criminals, forcing them
to highly specialise in order to survive. In other words, the specialisation undertaken by
cyber-criminals is required in order to maintain control over the growing complexity of
the web, and allows them to secure a greater advantage from their own abilities. Those
who create malicious applications do not expose themselves to open use on the field,
but rather hold the source code and each time they are asked for a malicious code, they
introduce slight variations in the code itself. Since research and development
investments are expensive, they limit themselves to selling the application on the
network at market price. One exception is malware that allows the introduction
of backdoors on processor grids. Because it serves specific purposes, such
as the gathering of precise forms of information that include on-line account codes or
other highly profitable data, such malware tends to follow direct-marketing channels and
does not have an official quotation.

1.2. Cyber Crime Community and Social Networking Instruments: Their Avant-garde
Cyber Network Strategy

The actions that this illegal business takes to publicise or advertise their activities are
channelled through topics that are posted on web-forums and that employ either a
multi-channel or thematic strategy to contact buyers and inform them of the different
categories of goods and services offered; this procedure helps to promote goods and
services worldwide. Cyber-crime communities populate web-based forums using self-
defining strategies thanks to the options that manage the account registration of
members and the private messaging on such forums. The aforementioned topics refer to
other forums on which illegal goods and services are traded. Payments are often made
with on-line accounts or through the exchange of goods and services. The administrator
has a prime role in creating the forum and setting the basic access rules for the different
user groups: administrator, moderator and member. The administrator is usually also
one of the moderators. His role consists in administering the server; building
classifications for goods and services, which are fitted into sub-forums; and checking
on the security policies that govern the forum. When a new forum is set up, the
administrator also creates a moderator, whose role is to keep the forum going through
communication strategies typical of its specific market, including the possibility of
deleting or correcting inconsistent topics and of creating new sub-forums for the new
thematic channels.
The forum members have the possibility to write topics and, once the forum is
running, can vote for the most interesting topics on the basis of pre-set regulations. The
moderator’s role is assigned to the author of the most voted topics. This gives cyber
criminals sufficient reason to register on the forum repeatedly under different nick-
names in order to drive their nomination as moderator. Since goods and services have a
variable quotation and can become outdated, the oldest topics are automatically
deleted. On the other hand, when the community’s attention is focused on certain goods
on sale, then the topics are repeated over and over with the same message so that the

7 Symantec, Symantec Report on the Underground Economy, July 07 – June 08, www.symantec.com,
November 2008.

search-engine within the web-forums will list topics on which the article that is being
promoted will appear.
The administrator changes nick-name often to avoid authority tracking activities.
When the forum server itself is bought in the underground economy, the administrator
appears at the moment of launch, only to disappear later, whilst the forum
moderators’ role is elective within the community, according to the principles that
regulate the basic settings. The web-forum can also remain active on the server for a
limited time, sometimes a few months, before it gets exported to a different server.
These movements are facilitated by the wideband available and are especially used to
elude authority control. Access to the community is possible after registering a nick-
name, a brief self-description, and an avatar; if this isn’t convincing, the administrator
denies access to the forum. Registration can also be completely automatic and it is left
to the moderators to deny future access, if the applicant’s credentials are not
convincing; the web system is able to discredit a registration instantly. Forums also
have filters that block access to IP addresses that are considered unsafe which then
place them on blacklists. The access of new visitors to the forum triggers an on-line
alert system that is visible to the community. Some forums use mash-up technologies
with geo-defining applications, which are able to visualise the on-line users’ ISP
position on a world map; this is so that the community can take the necessary
countermeasures to elude police control.
Since malware production can be costly, it is possible to trade specific components
which, once assembled, give the desired result. On the net, the same nick-name can buy
malware software components and then sell malicious applications that have been
assembled with the final code and supplied with directions. The most dangerous
malware is the polymorphic type; not only is the code assembled in steps, and often
encrypted, the malware is also able to transform its structure. The encryption of the
malware code makes it difficult for anti-virus systems to recognise the malware, and it
is produced with encryption tool-kits that are traded on the black market. In other words,
the underground economy offers the entire supply-chain access to goods and services at
market value, from the production to the final assembly of malware of all sorts (intended
for fraudulent use by cyber-criminals), to directions for hacking techniques on how to
black out the source (personal IP), generate spam, and also take on a false identity. These
techniques underlie distributed-denial-of-service (DDoS) attacks, for it is easier to take
action in a chaotic situation. These attacks are created by dangerous malware, botnets8;
Estonian and Georgian banks, in fact, were their victims in April 2007.
The leading edge of the virtual world transmits/leads the transformation. With this
last, the criminal network expands and techniques simultaneously improve. Proximal
networks make use of temporary trajectories and affect the outer digital realities of the
real economy. The U.S. authorities reported that cyber-crime activity paid Russian
criminal groups over $150 million in 2006; through the use of phishing techniques,
credit cards were stolen using servers located in North America and the cards were
subsequently cloned in a Russian factory.
Occasionally, such techniques rely on databases containing identity-related data.
These databases can be bought on the forum (identity theft information is sold in lots,
just as credit card codes are) depending on the scale economy of the market and also
because the percentage of faulty data causes rejects or discards that in turn cause

8 Cisco, Cisco 2008 Annual Security Report, www.cisco.com, 2008, p.10. Botnets consist of thousands of
malware-compromised computers. Those who control the botnets can rent out the processing power and
bandwidth available to these computers, or use it themselves.

irreplaceable gaps. The U.S. authorities have related these specific crimes to the
Russian Business Network (RBN). The RBN’s servers are believed to be responsible
for the diffusion of malicious codes like the MPack exploit toolkit9 and the Peacomm
Trojan virus botnet (this last through the Internet Relay Chat). It is evident that the
avant-garde cyber criminals are plumbing our depths, our virtual spaces, our digital
routes, on which we have built financial structures, research centres, economic
development, and power and control structures, in search of an Achilles’ heel.

1.3. Botnets: The Nervous Disorder of Web2.0

WEB2.0 represents a technological development with an obviously positive influence
on the various economic sectors. It is based on collaboration and co-development and
its multi-level structure relies on reusable components. These characteristics guarantee
high productivity levels, which translates into cost containment throughout the
lifecycle of the software applications. WEB2.0 applications have high interoperability
characteristics; independent of the hardware platform and the operating system in use,
these applications are usable by any browser. Information and Communication
Technology plays off of these platforms to develop new business enterprise platforms,
through which it is possible to produce, promote and commercialise the use of the
software as a service (SAAS). However, cyber-criminals have also adopted this
reference model to amplify the threats on the web, and have gained strength from the
illegal underground economy. Modern on-line threats combine different elements, such
as malware, botnets, spam and social-engineering techniques10.
The greatest threat today comes from malicious botnet applications, like Mailer
Reactor, Kraken or variations of Asprox. This is due to the fact that the attack spreads
like a swarm, in an adaptable and intelligent way, and has the characteristics of the
Peer-to-Peer net (P2P). Therefore, the attack automatically synchronises with
thousands of other malware servers, which in turn send hundreds of thousands of spam
messages over the web. At this point, cyber-criminals have complete control not only over
the bandwidth but also the computational power, of which the Distributed Denial of
Service (DDoS) is the devastating effect. An example of the damage suffered may be given by Estonia
in 2007. All of these elements lead to the strong deterioration of the transmission band
available for the Internet and often thwart investments made for the introduction of
bandwidth11 in the net infrastructure.
Ironically, the father of cybernetics, Norbert Wiener12, during his research at the
MIT in the 1940s, had understood certain feedback processes that lie within complex
systems. Together with other MIT scientists, he formulated the fascinating theory

9 www.symantec.com

10 Cisco, Cisco 2008 Annual Security Report, www.cisco.com, 2008, p.3.

11 The financial loss is also caused by servers that, when under DoS attack, are not able to satisfy on-line user
requests. Enterprises lose thousands of transactions per hour since the services under attack are no longer
available. During these attacks, keylogging software is installed on the computers to transmit identity, banking
access codes, and credit card codes to remote servers.

12 Flo Conway and Jim Siegelman, Dark Hero of the Information Age – In Search of Norbert Wiener, the Father of
Cybernetics, Perseus Books Group, 2004.

wherein complex systems are conditioned by feedback13 that is received from the
ecosystem it interacts with. He had especially highlighted the dangers of a negative
random motion, which he called “nervous disorder”, which occurs when non-linear
systems are carried past their limits. One step that could be taken against cyber crime
would be to be able to identify the location from which the infection first originated by
following the initial signs of “nervous disorder”. Unfortunately, this is much like
looking for a needle in a haystack! What are we really supposed to be looking for?
Today, the web is a highly complex system, and therefore non-linear. Swarms of malware are
able to cross peripheral digital borders without even leaving a trace (just think of the
failure of British intelligence during the Second World War, when the launch pads for
the V2 missiles weren’t recognised despite having previously been photographed by
aviators).

1.4. Emerging Questions in the Domain of Complex Systems

Norbert Wiener had imagined problems with feedback. His research was followed first
by the work of Pitts and McCulloch at MIT and then by Hopfield’s research. Hopfield
discovered the so-called “Hopfield nets” model, which was published in 1980 and
became the basis for the development of the Artificial Neural Network (NN).
Hopfield’s model is the point of departure for many real-time and near-real-time
applications based on artificial intelligence that have been intended for commercial use.
The question that could be asked is whether a real-time system based on the Artificial
Neural Network model (NN), fed by key-indicators (automatically sent by intelligent
agents located on the server), would be effective in identifying attacks right from the
initial stages. Were this the case, appropriate steps to neutralise the attacks could be
taken in almost real-time, either by taking action on the network’s peer-to-peer nodes
or by up-dating the servers’ anti-virus systems. Clearly, this presumes some form of
supranational coordination, which, from my point of view, continues to be an ongoing
issue.
The difficulties encountered by the authorities in the fight against cyber-crime
activities are also due to the fact that State laws have jurisdiction only within domestic
borders, whilst cyber-crimes move along worldwide trajectories. Since malware code is
generally encrypted14 and is spread in peer-to-peer mode, months may go by
before a new malicious application is identified. In these conditions, even the
authorities’ controls are deceived, because the patterns containing malware cannot be
recognised at an early stage.
However, credit institutions and banks with on-line accounts have adopted, or are in the
process of adopting, data mining systems to track down unauthorised use, promptly
informing the client when unusual on-line payments are made. As a matter of fact,
nothing else is done and, in most cases, crimes go unpunished. It is highly unlikely that
the majority of crimes have ever come to light, and in the few cases where one has, they
have never, or rarely, been made public. Cyber crimes occur especially when the net
is not sufficiently protected or when the firewalls and anti-virus systems are out of date.
This technological gap creates the ideal conditions for cyber-criminals not only to
install backdoors on the net processors successfully, but also to
conduct industrial espionage and delete their traces. Because of this ability to cover their
tracks, the malfunction of the processors is easily attributed to chance.

13 Pitts and McCulloch worked on this idea, then Hopfield defined a model known as “Hopfield’s net” which,
when further developed, became the basis for the realization of important commercial applications.

14 The malware root-kit Rustock used RC4e
This demonstrates how important the introduction of encryption truly is. Not only
would it protect databases that store identity information and credit card and bank data,
it would also protect sensitive data in general, especially archives of strategic interest to
organisations. However, encryption is costly: it requires extra computational
resources and therefore a considerable level of investment. Moreover, in terms of the
quantity of code to be modified, not all software is able to run with
encrypted storage at the Input/Output level. This is particularly true for projects
that have incorporated Product Lifecycle Management software, which is often used
in R&D. Over the life span of high-tech products, or in old Enterprise Resource
Planning solutions, further software updates would be required. At this point we can
recall what Niklaus Wirth, inventor of the famous programming languages Modula,
Pascal and Algol, stated in January 1997 during the conference “Software: Quality or
Quantity, that is the question”, in what he defined as Reiser’s Law: “Software is
getting slower more quickly than hardware is getting faster”.

Conclusion

In conclusion, the post-industrial epoch is characterised by the use man has made of
computer science. The technological progress we are experiencing in different areas is
part of the well-being we are used to and is, therefore, based on the good use man has
made of global interconnection over the past decade. The digital age is the new habitat;
it is a drastic change that brings with it transformations within each field that are yet to
be fully analysed. However, the changes that are taking place have led to an evolution/
transformation of cyber-crime groups. The avant-garde of cyber criminals in
cyberspace gains strength from coming into contact with the proximal networks with
their temporary trajectories, and, once this has been accomplished, the transformation
may be considered complete.

References

[1] Flo Conway, Jim Siegelman, Dark Hero of the Information Age – In Search of Norbert Wiener the
Father of Cybernetics, Perseus Books Group, 2004.
[2] Ray Kurzweil, The Singularity is Near: When Humans Transcend Biology, Viking Press, 2005.
[3] Don Tapscott, Anthony D. Williams, Wikinomics: How Mass Collaboration Changes Everything,
Portfolio, 2006.
[4] Niklaus Wirth, Software: Quality or Quantity, That is the question, Managing Software – Quality –
Engineering Success, WWW.INFOGEM.CH/Taungen/1997/Niklaus_Wirth.pdf, January 27, 1997.
[5] Symantec, Symantec Report on the Underground Economy, July 07-June 08, www.symantec.com,
November 2008.
[6] Cisco, Annual Security Report, www.cisco.com, 2008.
[7] Sophos, NAC 2.0: A new model for a more secure future, www.sophos.com, July 2008.
[8] Sophos, Sophos Threat Report July 2008, www.sophos.com, 2008.
140 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-140

Protecting Critical Infrastructures from Cyber Attacks Involving Malware
Y. ELOVICI and A. SHABTAI
Deutsche Telekom Laboratories at Ben-Gurion University,
and the Department of Information System Engineering, Ben-Gurion University

Abstract. Protecting Critical Information Infrastructures (CIIs) from attacks
originating from the Internet is a great long-standing challenge. This article
describes the challenges in protecting CII from malware and suggests three
approaches. The first approach suggests purifying malicious traffic on public NSP/
ISP networks in order to minimise the risk that innocent users, unbeknownst to
them, will be exploited and used by the perpetrators as launch pads for attacks on
CIIs. The second approach focuses on overlay networks established between CIs,
where communication between CIs is mapped to underlying physical networks
and the most critical routers are pinpointed, thereby enabling the cost-effective
deployment of malware filtering devices. Finally, the third approach focuses on
detecting hidden botnets, which often serve as a launch pad for Distributed Denial
of Service (DDoS) attacks on CIIs.

Keywords. Cyber-security, Malware, Critical Information Infrastructure

Introduction

The everyday life of citizens in modern societies relies on the critical services provided
by a variety of entities, including among others: power stations, stationary/cellular
telecom providers, public utility companies, banks, healthcare providers, food
manufacturers, transportation, and education systems. All modern Critical
Infrastructures (CI) rely on Information and Communication Technologies (ICT) for
their ongoing operations, control, and monitoring activities, as well as for interactions
involving data exchange with their peer CIs [1-4].
In many cases, CIs sub-contract Network Service Providers (NSP) to dispatch their
transactions. Consequently, CIs depend upon the availability and performance of NSP
backbones and are prone to malicious attacks. Dependence or interdependence between
CIs, or within various divisions of a CI, creates another significant risk, where the
failure of one critical CI, resulting from a malicious attack or communication failure,
can result in horrendous cascading effects that hamper dependent stations in the same
or other CIs [5]. Nowadays, terrorists and the agencies of rival governments can easily
create new malware in order to attack CIs [6]. Following the announcement of newly
discovered vulnerabilities, a new malware may be developed, tested and then launched
towards the critical networks [7].
As a case in point, on April 27, 2007, officials in Estonia relocated the "Bronze
Soldier," a Soviet-era war memorial commemorating an unknown Russian who died
fighting the Nazis. The move incited rioting by ethnic Russians and the blockading of
the Estonian Embassy in Moscow. The event also marked the beginning of a large and
sustained distributed denial-of-service attack on several Estonian national Web sites,
including those of government ministries and the prime minister's Reform Party. Often,
these attacks are conducted in the initial stages of conventional wars to achieve a
strategic advantage in command, communication, and control capabilities1.
Critical Information Infrastructure Protection (CIIP) from attacks originating on
the Internet is a great long-standing challenge; improving CII security by disconnecting
them from other networks is often in direct contradiction with the open and
interoperable nature of modern web-based platforms and applications. In many
instances, CII are attacked via the computers of innocent home users that have been
compromised by attackers. Industry reports suggest that individual users receive
malware mainly from the Internet [8]. In fact, an online safety survey conducted by
America Online and the National Cyber Security Alliance (NCSA), revealed that 81%
of the respondents were found to be lacking recently-updated anti-virus software, a
properly-configured firewall, and/or spyware protection. In the same survey, 74% of
the respondents claimed to use the Internet for “sensitive” transactions from their home
computers, including among others banking, stock trading, and reviewing personal
medical information [8].
Numerous tools are available nowadays to address different facets of the
aforementioned challenges [9-11]. Anti-virus, anti-spyware and anti-adware utilities focus on
host-based protection of end user devices. Intrusion Detection/Prevention Systems
(IDS/IPS) and firewalls focus on tackling malware at the core and edges of ISP/NSP
and enterprise networks. Penetration tests are often used to evaluate how robust CII are
and their compliance with security criteria and guidelines [12].
One of the major loopholes in these technological solutions in relation to malware
is that they are mostly based on the signatures (either content or behavioural) of known
malware. This limitation becomes critical when new attacks are based on new
malware (unknown to the detection systems) that is able to compromise distributed
networks with thousands of computers in a matter of minutes. Moreover, exploits of
newly discovered vulnerabilities appear every day. They are
being used by attackers to develop new malware that in many cases is capable of
compromising the existing systems without being detected until a software patch or a
new signature has been released. This situation, therefore, calls for
employing maximum automation and minimising the response time of all security
technology used to tackle new unknown malware.
This article describes three alternative approaches to harden and secure the
networks used by CI and boost their immunity against malicious attacks. The first
approach proposes to purify malicious traffic on public NSP/ISP networks in order to
minimise the risk that innocent users will be unwittingly exploited and used by
perpetrators as launch pads for attacks on CIIs (section 1). The second approach
focuses on overlay networks established between CIs, where communication patterns
between CI are mapped to underlying physical networks and the most critical routers
are pinpointed, thereby enabling the cost effective deployment of malware filtering
devices (section 2). Lastly, the third approach focuses on detecting hidden botnets,
which often serve as a launch pad for Distributed Denial of Service (DDoS) attacks on
CIIs (section 3). Concluding remarks are described in section 4.

1. Cleaning the Traffic of Network Service Providers

Enterprises and ISPs serving private customers are connected to the Internet through
Network Service Providers (NSP). Nevertheless, traffic flowing through the NSP
infrastructure usually has not been purified of malware, unlike the
clean drinking water that we receive nowadays from public water supply companies.
Moreover, it is estimated that only 15% of Internet users are protected with an
updated anti-virus [1], and therefore end users cannot be relied upon to protect
themselves from being unknowingly exploited as launch pads for attacks against CIIs.
As a result, terrorists and/or governments can easily attack CIs through innocent user
hosts without detection.

1 http://news.zdnet.com/2100-1009_22-152212.html
Detection of malware by NSPs on their core networks provides a better economy
of scale because NSPs are more likely to possess the resources to handle unknown
malware and thus are more likely to be able to prevent thousands of end users from being
infected and later used to launch DDoS attacks. Such a centralised approach provides
very fast and effective detection. Figure 1 describes this centralised NSP-oriented
approach, which is comprised of three main phases [13]: first, it removes known
malware by standard signature-based IPS filtering devices (a); then, it assembles
executable files from observed traffic (b); next, these files are forwarded for back-end
analysis by an ensemble of detection plug-ins capable of detecting new malware based
on similarity to known malware (c). Finally, in the event that new malware is detected by
the ensemble of plug-ins, the signatures are published and updated instantaneously on
all IPS filtering devices (d).

Figure 1. NSP-Level Malware Purification: (a) signature-based filtering of known malware; (b) monitoring traffic and retrieval of suspected files for inspection; (c) analysis of suspected files using various detection techniques; (d) generating signature of newly detected malware and announcing it to IPS filters.

The aforementioned centralised approach will provide cleaner traffic to
unprotected home and business users and reduce the number of Internet users that can
be used to launch cyber-terror attacks. Another important benefit is the reduced
network traffic, since malware creates additional traffic that will be eliminated. As
customers of the NSP infrastructure, CIs will therefore be more protected from cyber-
terror attacks.

2. Cleaning the Traffic of the CI Overlay Network

Critical Infrastructures communicate with each other over the public web, and their
communication patterns form an Inter-CI overlay network. Overlay networks [14] can
be used to model both attack propagation channels and legitimate data exchange.
Knowledge of extant overlay networks is useful for network security personnel in fine-
tuning security appliance deployment according to the expected communication
patterns that are determined by application usage. Acquiring the structure of overlay
networks, however, is a challenging task due to the absence of information on "who
communicates with whom".
Therefore, there is a need to protect the overlay network formed by CIs, and this
can be achieved by securing either the overlay network or the underlying NSP network,
or both. A conceptual diagram of the overlay network and the underlying NSP network
with Distributed Network Intrusion Detection Systems (DNIDS) is depicted in Figure 3.

Figure 2. Inter-CI Overlay Network: (a) CI overlay network; (b) launching attacks exploiting the inter-CI overlay network.

Figure 3. Distributed Network Intrusion Detection System

Deployment of DNIDS filtering appliances can be accomplished by employing
different metrics which are calculated for the vertices (i.e., routers) on the overlay or
NSP networks. The group-betweenness [15] centrality measure can be used to rank nodes by the
number of shortest paths passing through each of them, and can be used to find the optimal
deployment as depicted in Figure 4.
Figure 4 exemplifies the importance of incorporating the overlay network formed
by CIs when looking for the central NSP nodes that are being used by the CIs. When
the overlay network is taken into account, a different optimal deployment emerges: the
NSP routers that are most critical for CI operations (i.e., R6) are not necessarily those
most critical for the operation of the public-domain NSP network.
Figure 4. Pinpointing the Central Node (with and without taking into account the overlay network): (a) R6 is a central node based on the overlay network; (b) R5 is the central node when the overlay network is not taken into account.

The aforementioned overlay approach will provide cleaner traffic for CIs in a cost-
effective fashion. Like the centralised approach, it will reduce the number of Internet
users connected to the overlay network that can be used for launching cyber-terror
attacks. As customers of the NSP infrastructure, CIs will therefore be better protected
from cyber attacks.
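The ranking argument of section 2, as an added example that is not part of the original article: shortest-path betweenness of NSP routers computed once over all router pairs (the public NSP view) and once over only the pairs of routers behind which CIs sit (the overlay-aware view). The eight-router topology, the CI placements and the router names are constructed to mirror the labels of Figure 4, not taken from it, and the metric is plain pair-restricted betweenness, a simple form of the group-betweenness idea the text cites rather than the authors' own implementation.

```python
"""Rank NSP routers by betweenness, with and without the CI overlay.

Constructed example: the backbone topology and the CI access routers
below are made up to illustrate the argument; they are not figure data.
"""
from collections import deque
from fractions import Fraction
from itertools import combinations

# Constructed NSP backbone (undirected links). R5 is the public hub; R6
# joins the branch where the critical infrastructures actually attach.
NSP_LINKS = [
    ("R1", "R5"), ("R2", "R5"), ("R3", "R5"), ("R4", "R5"),
    ("R5", "R6"), ("R6", "R7"), ("R6", "R8"),
]

# Constructed CI overlay: the access router each CI site sits behind.
# The overlay's "who talks to whom" is every CI-to-CI pair.
CI_ACCESS = {"CI_A": "R7", "CI_B": "R8", "CI_C": "R1"}


def build_graph(links):
    """Adjacency sets for an undirected graph given as (a, b) link pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_path_counts(adj, src):
    """BFS from src: hop distance and number of shortest paths to each node."""
    dist = {src: 0}
    sigma = {src: 1}
    queue = deque([src])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:            # first time seen: one hop further
                dist[w] = dist[v] + 1
                sigma[w] = 0
                queue.append(w)
            if dist[w] == dist[v] + 1:   # v lies on a shortest path to w
                sigma[w] += sigma[v]
    return dist, sigma


def pair_betweenness(adj, pairs):
    """Credit each node with the fraction of shortest paths it carries between
    the given (s, t) endpoint pairs. Equal-length alternatives split the credit,
    as in standard betweenness; endpoints themselves earn nothing."""
    dist, sigma = {}, {}
    for v in adj:
        dist[v], sigma[v] = shortest_path_counts(adj, v)
    score = {v: Fraction(0) for v in adj}
    for s, t in pairs:
        if s == t or t not in dist[s]:   # same router or unreachable pair
            continue
        for v in adj:
            if v in (s, t) or v not in dist[s] or t not in dist[v]:
                continue
            if dist[s][v] + dist[v][t] == dist[s][t]:
                score[v] += Fraction(sigma[s][v] * sigma[v][t], sigma[s][t])
    return score


def public_ranking(adj):
    """Betweenness over all router pairs: what the NSP alone would optimise."""
    return pair_betweenness(adj, combinations(sorted(adj), 2))


def overlay_ranking(adj, ci_access):
    """Betweenness over CI-to-CI pairs only: the overlay-aware placement."""
    pairs = [(ci_access[a], ci_access[b])
             for a, b in combinations(sorted(ci_access), 2)]
    return pair_betweenness(adj, pairs)


def most_central(score):
    """Router with the highest score (ties broken by name)."""
    return max(sorted(score), key=lambda v: score[v])


if __name__ == "__main__":
    graph = build_graph(NSP_LINKS)
    for label, ranking in (("public NSP view", public_ranking(graph)),
                           ("CI overlay view", overlay_ranking(graph, CI_ACCESS))):
        ordered = sorted(ranking.items(), key=lambda kv: (-kv[1], kv[0]))
        print(label, "->", ", ".join(f"{r}={s}" for r, s in ordered if s))
        print("  filter first at:", most_central(ranking))
```

On the constructed topology the public view puts the DNIDS appliance at R5 while the overlay view moves it to R6, the only router every CI-to-CI path crosses.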

3. Detection of Botnets

The underlying idea of this approach is to closely monitor computers, servers, and
other computerised devices that are being used by CIs, and identify computers that
have been unknowingly infected with malware, which can be later used by the attacker
to launch DDoS attacks. Whenever an infected computer is detected by a backend
analysis system, the user is guided on how to remove the relevant malware, or the
infected computer is disconnected from the network.

Figure 5 (a) depicts the first stage, where measurements of system- and application-
level features from the monitored computer are extracted by a distributed agent and
forwarded to the backend system for deeper analysis by an ensemble of plug-ins. The
votes of the various plug-ins are merged into a single diagnosis regarding the status of the
monitored computer – infected/non-infected. Figure 5 (b) and (c) depict the possible
outcomes after merging the recommendations from the ensemble of plug-ins.

Figure 5. Analysis of Collected Measurements and Notification: (a) extracting and forwarding agent measurements; (b) backend system concludes that the computer is clean; (c) backend system concludes that the computer is infected.

The aforementioned distributed approach will allow detecting CI computers that
are being infected by malware that may be part of a botnet.

4. Limitations and Future Research

We presented three complementary approaches to strengthen CI security. Each
approach focused on a different facet of the CII protection challenge in terms of
centralisation versus distribution. In section 2 we presented a completely centralised
approach that focused on public-domain NSP infrastructure and provided economies-
of-scale in shielding large audiences of users. In section 3, we focused on the privately-
regulated networks interconnecting CIIs, and finally in section 4 we focused on the
protection of CI from botnets.
Nevertheless, these three generic approaches ought to be elaborated in order to
address enduring challenges such as: handling encrypted/polymorphic malware;
developing novel and more precise methods to detect botnets from measurements on
various platforms; and finally, ensuring an optimal (cost-effective) deployment on the
premises of both NSP/ISP and critical infrastructure.

References

[1] T. G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation,
Wiley, Hoboken, New Jersey, 2006.
[2] R. Radvanovsky, Critical Infrastructure: Homeland Security and Emergency Preparedness, CRC Press,
Boca Raton, Florida, 2006.
[3] U.S. Government Accountability Office, Critical Infrastructure Protection, 2008. Available from:
http://www.gao.gov/new.items/d081157t.pdf
[4] S. Flynn, The Edge of Disaster: Rebuilding a Resilient Nation, Random House, New York, 2007.
[5] M. Amin, Toward self-healing energy infrastructure systems, Computer Applications in Power, IEEE,
14 (1), (2001), 20-28.
[6] L. Janczewski, A. M. Colarik, Managerial Guide for Handling Cyber-Terrorism and Information
Warfare, Idea-Group, 2005.
[7] C. Wilson, Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,
CRS Report for Congress, 2008.
[8] NCSA Study, http://www.staysafeonline.info/pdf/safety_study_2005.pdf.
[9] Symantec Internet Security Threat Report (January-June 2004), www.symantec.com.
[10] The Danger of Spyware, Symantec Security Response, www.symantec.com, June 2003.
[11] Symantec 2006 Security Report, www.symantec.com.
[12] J. S. Tiller, The Ethical Hack: A Framework for Business Value Penetration Testing, CRC Press, Boca
Raton, Florida, 2003.
[13] Y. Elovici, A. Shabtai, R. Moskovitch, G. Tahan, C. Glezer, Applying Machine Learning techniques for
detection of malicious code in network traffic, The 30th Annual German Conference on Artificial
Intelligence (KI-2007), Springer, LNCS 4667, 44-50, Osnabrueck, Germany, September 10-13, 2007.
[14] S. P. Gorman, L. Schintler, R. Kulkarni, and R. Stough, The revenge of distance: Vulnerability analysis of
critical information infrastructure, Journal of Contingencies and Crisis Management, 12 (2004), 48-63.
[15] L. C. Freeman, Centrality in social networks: conceptual clarification, Social Networks, 1 (1979),
215-239.
Section 2.2
Police and Military Force Operations
and Approaches
Modelling Cyber Security: Approaches, Methodology, Strategies 153
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-153

Protecting Critical Information Infrastructures: Domestic Experience and
Competencies of the Postal and Communication Service of the Italian
National Police
Domenico VULPIANIa and Sergio STAROb
a Director, Postal and Communication Police Service
b Head of the section for International Relations, the Postal and Communication Service

Abstract. The Postal and Communications Police Service is the central agency of
the Italian National Police that has been entrusted with the prevention of and
response to the various and multiple forms of cyber crime; approximately 2000
officers are located throughout the Italian territory. The protection of national
critical information infrastructures (hereafter C.I.I.) that support and operate the
vital points of the community has recently been added to its competences. The
possibility that the security of a country may be compromised by cyber attacks on
C.I.I. of a terrorist or criminal nature represents a real threat that is presently felt at
both the national and international level. In Italy, in particular, a twofold solution
had to be reached: firstly, the prevention of and response to any type of cyber
crime against C.I.I. computer systems and networks; secondly, the exclusive
assignment of this task to a specialized agency. In fact, art. 7 bis of Law 155 of
31.07.2005 states that the exclusive competence of protecting the critical
information infrastructures of national relevance is devolved upon the Postal and
Communications Police Service. Following the enactment of the Minister of the
Interior's Decree on 09.01.2008, a National Cyber Crime Centre for the Protection
of Critical Information Infrastructures (Italian acronym, CNAIPIC) was instituted
within the Postal and Communications Police Service. This Centre is equipped
with high technology resources and staffed with highly skilled personnel, and will
be the sole office in charge of the prevention of and response to cybercrimes
(common crimes, organized crime and terrorism) targeting national critical
information infrastructures that have institutional functions or provide operating or
controlling services strategic to the security and prosperity of the country.

Keywords. Critical Information Infrastructures, Postal and Communication
Service of the Italian National Police, CNAIPIC, CNCPO, On-line Police Station

Introduction

The information society we live in relies essentially on computer science. In fact, all
the processes necessary to its operation are created and managed by means of
electronic tools and information networks.
Those processes whose suspension could cause the disruption of the normal course
of life in a country are considered to be critical. These processes are characterised by an
increasing level of interdependence and interconnection, and therefore the companies and
institutions that own the systems and networks related to those services are considered
to be critical information infrastructures.
The possibility that the security of everyday life in a country may be compromised
by attacks on critical infrastructures, whether of terrorist or criminal nature, is now a
real threat.
This scenario requires that a tangible and effective logic of governance
take into account all possible threats and attacks on a system’s security and its related
interests and values. The origin of an attack may lie in common crime,
organised crime, or terrorist and subversive criminal phenomena.
The threat to, endangerment or destruction of such a technological system, including
the illegal removal of data and information utilised by the system in order to gain an
immediate profit (regardless of their intrinsic value) or to use them improperly for
other purposes, today represents the criminal conduct that exposes the security and
prosperity of the social system as a whole to the greatest dangers.
Just as with the advances in technology, the approach to security has undergone a
radical change.
In this regard, the approach employed by the Postal and Communications Police
Service (hereinafter referred to as PCPS), by virtue of its particular skill in preventing
and combating cybercrime, is designed to achieve two fundamental objectives:
• the protection of "technological infrastructures", which, on the network, have
a strategic importance for the security and prosperity of a country;
• the protection of network "users" and the assets they entrust every day to
information infrastructures, with particular reference to crimes relating to the
exploitation of children, identity theft and internet fraud.

1. The Protection of National Critical Information Infrastructures

Essential services to a country (water; electricity; gas; transportation, including roads,
railways and air) are now provided via telecommunication networks, whose
interconnection is a formidable tool that ensures high standards of quality in the supply
of and access to services.
The other side of the coin, however, reveals a context where the cascade effect is
the main danger. A criminal or terrorist attack, intended to hit a single node of the
infrastructure network, has the potential to reset the whole system to zero.
This issue has been in the spotlight of the world community for some years: in
several institutional forums on international cooperation (EU, G8, etc.) several
initiatives for the analysis and in-depth examination of the problem are currently being
adopted and carried out, and efforts are being made to establish the definition of shared
operational models.
In Italy, art. 7 bis of Law 155 of 31 July 2005, concerning "Urgent measures to
counter international terrorism", exclusively devolves the task of protecting the cyber
systems of the critical infrastructures of national interest to the PCPS, by virtue of its
special skill1.
For that reason, a National Cyber Crime Centre for the Protection of Critical
Information Infrastructures (CNAIPIC)2 has been established within the PCPS; this is a
type of privileged emergency service that, through exclusive and secure connections,
shall receive and transmit information and data relevant to the prevention of and
response to cyber threats and attacks on the systems of national critical infrastructures.
The Minister of the Interior3, by means of a decree, has also taken measures to
identify the national critical infrastructures that would benefit from the protection
services provided by the CNAIPIC. Furthermore, the Department of Public Security
has and continues to promote, together with public and private bodies that provide
services considered essential for our nation, a number of agreements designed to
establish shared protocols for staff training and actions to take in the eventuality that
computer incidents occur. The Department works in close cooperation, through the
exchange of information, with other bodies involved in the protection of critical
infrastructures at the national and international level.
The CNAIPIC can also make use of particularly effective investigative tools,
typically used in the fight against terrorism, such as undercover investigations on the
internet and the preventive interception of internet and computer communications4.
As a matter of fact, in 2008 the CNAIPIC has:
• detected 228 cyber attacks on national critical information infrastructures;
• monitored 4712 websites;
• submitted 851 reports concerning the attacks or threats detected;
• and, finally, started 64 investigations on this phenomenon.

2. The Protection of Internet Users: The National Centre for Combating Child
Pornography Online (CNCPO) and the On-line Police Station (Commissariato
Virtuale)

Traditional forms of crime have evolved into and expanded to incorporate the concept
of computer crime and computer related crime. These are namely criminal phenomena,
where information and communication technology plays a leading role within the legal

1 Art. 7 bis, paragraph 1, of Law 155 of 31.07.2005, which has converted the L.D. 144 of 27.07.2005 with
amendments, states as follows: "…being understood the competencies of information and security services,
set forth in articles 4 and 6 of Law 801 of 24.10.1977, the agency of the Ministry of the Interior in charge of
the security and regularity of telecommunication services shall also provide the protection of critical
information infrastructures of national interest, identified by decree of the Minister of Interior, through
privileged connections regulated by means of appropriate agreements with the owners of the infrastructures
concerned".

2 Art. 2 of the Minister of Interior's Decree dated 9 January 2008

3 Art. 1 of the Minister of Interior's Decree dated 9 January 2008

4 Art. 7 bis, paragraph 2, of the aforementioned Law 155 of 31.07.2005 states as follows: "For the purposes
referred to in paragraph 1 and for the prevention of and response to terrorist activities and activities
encouraging terrorism carried out by means of computer tools, the police officers serving with the agency
indicated in paragraph 1 may perform the activities set forth in art. 4, paragraphs 1 and 2 of L.D. 374 of
18.10.2001, converted with amendments by Law 438 of 15.12.2001, and those set forth in art. 226 of the
implementing, coordinative and transitional provisions of the Code of Penal Procedure, described in L.D.
271 of 28.07.1989, also upon request or in cooperation with the law enforcement agencies therein".
156 D. Vulpiani and S. Staro / Protecting Critical Information Infrastructures

system, both as the legally acknowledged and protected target of the illegal action and
as the tool used to commit the offence.
Against the backdrop of this new criminal scenario, well-known figures of the
Italian crime and terrorism landscape, such as Totò Riina, Raffaele Cutolo, Morucci
and Renato Curcio, may rightly be replaced, in the public imagination, by enterprising
computer experts who, although very young and organised in loosely structured groups, have
the same ambitions and determination as their predecessors.
It is necessary to take into account the extent of the Internet population,
represented by millions of users, to get an idea of how serious the criminal impact
might be on the so-called "global village".
According to data provided by ISTAT (Italian Statistics Institute), the use of
computers and the internet by young people has exponentially increased in all age
groups, and about 70% of 14-year-olds use them on a daily basis. This figure, although
encouraging and satisfying in some respects, for the obvious positive impact on the
social and cultural growth of our children, in others requires us to raise the security
threshold to ensure that they and, more generally, the weakest individuals of our
society, do not become victims of cyber criminals while surfing the net.
Online child pornography, internet fraud, hacking activities, distribution of
malicious code, credit card cloning, release of original works in violation of copyright
laws, spamming and phishing are all new crimes that threaten the community and the
assets related thereto.
In order to counter such a widely diffused criminal phenomenon, an equally
comprehensive strategy is necessary.
For each of the aforementioned offences, not to mention the many others, the
PCPS conducts various activities of cybercrime prevention and response. It does this
with a staff of approximately 2,000 operatives that are divided into specialised units
distributed across the country (20 regional departments and 76 provincial sections) and
coordinated by the headquarters in Rome (the Service).
The protagonists of this new approach are the National Centre for Combating
Child Pornography Online (CNCPO) and the On-line Police Station (Commissariato
Virtuale).
These two functional units within the PCPS are responsible for monitoring
criminal phenomena that, just as for terminal patients, are “treated” through constant
specific response actions.
The CNCPO was established by Law 38 of 6 February 2006, concerning
"Provisions on combating the sexual exploitation of children and child pornography
even through the Internet".5 It contains several regulatory provisions aimed at
increasing the capacity to prevent and combat the hateful scourge that is the sexual
exploitation of minors. Firstly, it makes it possible to arrest (optionally) the
suspect not only when an exchange of child pornography material takes place, but
also for the mere possession of such material.
Among the functions of the Centre is the compilation and update of a blacklist, i.e.
a list of internet addresses leading to child pornography contents. The consequent
requirement is for Internet Service Providers to implement it on their systems in order
to prevent their users from accessing those contents.6 Currently, the blacklist contains
444 sites.
Presently, ISPs also have the obligation to report to the Centre all companies or
entities that, for any reason whatsoever, disseminate child pornography over their
communication networks.7
Equally important is the relationship with the Bank of Italy for the identification,
tracing and suspension of financial transactions related to online material produced by
means of the sexual abuse of minors.8
The establishment of the aforesaid Centre represents the acknowledgement of the
effectiveness with which, in the last few years, the PCPS was able to use the regulatory
and technological instruments at its disposal to carry out both the daily and systematic
monitoring of the internet, in order to study the continuous evolution of paedophile
websites and their users, and a constant response activity using exclusive undercover
techniques.9

5 In fact, art. 19 of the above-mentioned Law 38 of 06.02.2006 provides that, after art. 14 of Law 269 of
03.08.1998 on "Provisions against the exploitation of prostitution, pornography, and sexual tourism to the
detriment of children, as new forms of slavery", art. 14 bis is added, entitled "National Centre for
Combating Child Pornography on the Internet", which states:
"1) A National Centre for Combating Child Pornography on the Internet, hereinafter referred to as the
"Centre", is established within the agency of the Ministry of the Interior indicated in paragraph 2 of art. 14, with
the task of gathering all reports, also coming from foreign law enforcement agencies and from private and
public bodies involved in the fight against child pornography, relating to websites disseminating, by means of
the internet and other communication networks, material resulting from the sexual exploitation of children,
as well as the operators and the possible beneficiaries of payments. All police officers are obliged to transmit
these reports. Without prejudice to the actions and determinations of the J.A., in case of positive feedback the
website reported, as well as the names of any possible operator and beneficiary of payments, shall be
included on a list to be continuously updated.
2) The Centre takes advantage of the existing human, financial and instrumental resources. The constitution
and the operation of the Centre should not bring about new or increased burdens on the State budget.
3) The Centre shall notify the Presidency of the Council of Ministers - Department for Equal Opportunities -
of all information and statistics relating to child pornography on the Internet, useful for the preparation of
the National Plan for the prevention of and response to paedophilia and the annual report referred to in art.
17, paragraph 1".

6 This procedure is governed by art. 14 quater of Law 269 of 03.08.1998, as introduced by the above-mentioned
art. 19 of Law 38/06.

7 This obligation is set forth in art. 14 ter of Law 269 of 03.08.1998, also introduced by the above-mentioned
art. 19 of Law 38/06.

8 The procedures in question are governed by art. 14 quinquies of Law 269 of 03.08.1998, also introduced by
the above-mentioned art. 19 of Law 38/06.
Over the past six years, in fact, through complex investigations conducted by
police officers specialised in computer science, electronics, telecommunications and
psychology, 4450 subjects have been identified and reported to the J.A., and 238 have
been arrested.
In our country 177 child pornography websites have been discovered and
inhibited, while 10,977 more sites with the same contents, whose servers were located
abroad and unreachable by the Italian justice system, were reported to the competent
foreign law enforcement agencies.
From the operational-investigative point of view, the growth of cybercrime has
required a review of the strategies used to fight this phenomenon, thus highlighting the
need for forms of closer cooperation among police agencies in the world, and the need
for shared technological tools of investigation.
Essentially, in order to achieve more satisfying results we need to go beyond the
existing excellent but non-homogeneous investigative approaches and adopt more coordinated,
accurate and harmonised strategies, while respecting the autonomy of each
individual State.
The indispensable requirements for this change to take place are:
• standardised international regulations;
• a shared course of action;
• a constant, real-time exchange of data and information;
• and, above all, common software using the same "language".
In our country, the attention paid by the legislator to cybercrime has
always been timely and effective. As a matter of fact, the Italian legal framework has
been supplemented with regulations in line with the evolution of this criminal phenomenon
since 1993,10 the year when legal provisions intended to punish cybercrimes were
introduced into our legal system.
At the international level, with the ratification of the Convention on Cybercrime11 signed in
Budapest on 23 November 2001, Italy came to the forefront in the prevention of and
response to cybercrime.
As for the shared investigative software, an important role can be played by private
industry; in particular, Microsoft developed the Child Exploitation Tracking System
(CETS) following the suggestions and indications of various law enforcement agencies,
including the Italian police force. This has created an international police network to
counter paedophile networks. Relying on their national experiences, cybercops should
be closely cooperating and communicating with one another, using the same language and
the most advanced investigation "protocols", which are the result of the various courses
of action taken in each respective country.

9 In fact, art. 14 paragraph 2 of Law 269 of 03.08.1998 states: "As part of the tasks pertaining to
telecommunication policing, as defined by the decree referred to in art. 1, paragraph 15 of Law 249 of
31.07.1997, the agency of the Ministry of the Interior entrusted with the security and regularity of
telecommunication services shall perform, upon reasoned request of the J.A., the activities necessary to
respond to the crimes, referred to in art. 600-bis, par. 1, art. 600-ter, par. 1, 2 and 3, and art. 600-quinquies
of the Penal Code, committed through the use of computer systems, or telematic means of communications or
telecommunication networks publicly available. For this purpose, the personnel in charge can use covert
data even to activate websites, implement and run communication areas or exchange on networks or systems,
or to participate therein. The above-mentioned specialised personnel perform, for the same purpose, the
activities described in paragraph 1 also via the internet".

10 Law 547 of 23.12.1993 concerning "Amendments and additions to the Penal Code and Penal Procedure
Code regulations on Cybercrime".

11 Law 48 of 18.03.2008, "Ratification and implementation of the Council of Europe Convention on
Cybercrime, signed in Budapest on 23.11.2001, and national rules of procedure". At the international level, Italy
is in the forefront in the prevention of and response to cybercrime.
Still, in terms of strategies to combat cybercrime, with child pornography online
representing its most hateful form, it is important to stress the need for more and more
effective forms of collaboration between institutions and civil society.
The creation of the Police Station online within the PCPS was an important step
forward. This is a web portal that offers the "surfing citizens" a wide range of services:
areas for an in-depth view of cybercrime regulations, chat lines and interactive forums
to discuss issues related to cybercrime, opportunities for web users to report an offence
or simply inform the Postal and Communication Police about criminal events they have
been victims or witnesses of.
From 15 February 2006 to 10 March 2009, the portal of the Police Station online
(www.commissariatodips.it) was visited by 1,281,774 people in Italy, 183,246
European users and 85,062 web surfers from the rest of the world.
These cybernauts have submitted 36,067 requests for information and reports
mainly relating to 33,906 cases of phishing, child pornography, hacking and e-commerce.
The Department of Public Security intends to further develop this site, which
is particularly appreciated by users for its innovative quality when compared to the
traditional forms of the relationship between citizens and the police.
In fact, with the online Police Station, citizens feel like they are "protagonists" in
the defence of their own interests and safety, and not only passive "targets" of the
criminal threat.

160 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-160

Fighting Terrorism in Cyberspace


Colonel t.ISSMI Giovanni CATALDO
Head of the Organized Crime Office of Carabinieri General HQ - Rome

Abstract. The theme of the discussion is very topical due to the fundamental role
that cybernetics and data transmission play in our everyday life. Often, each
technological innovation brings, along with the benefits, risks for society at large.
The Carabinieri are working in today's global scenario, sure that the only effective
way to fight terrorism is through the concerted, coordinated and cooperative efforts
of all possible resources, in the areas of intelligence and investigations, where the
control of the territory, both real and virtual, plays a pivotal role.

Keywords. Cyber-crime, international terrorism, internal subversive organisations,
control of virtual territory, virtual sanctuary.

Introduction

I would like to thank Professor Gori for giving me the opportunity to illustrate in this
prestigious setting the efforts of the Italian Carabinieri Corps in the fight against
terrorism in Cyberspace.
The theme of today's discussion is very topical due to the fundamental role that
cybernetics and data transmission play in our everyday life. Frequently, each and every
technological innovation brings with it not only benefits but also risks for society at large. The
threat which comes from the illicit use of the Internet does not stop at the most obvious
effects of "cyber-crime", such as tele-fraud and the presence of child pornographic sites
on the net. The potential power offered by the internet has, in fact, been used by terrorist
groups of different natures, means and ideology, to various ends: to obtain visibility, to
maintain high levels of intimidating pressure through the media, to organise activities,
to search for information, and to recruit new members. These strategies have been
confirmed and demonstrate the rising use of the web by internal subversive and
international organisations, to plan and make attacks, to pass documents between
members and to sustain public “campaigns”.

1. Internal Subversive Groups

Analysis of extremist projects revealed a steady increase in the use of Information and
Communication Technology by the Marxist-Leninist Italian organisation, “the Red
Brigades” and by the pro-anarchist wing of internal subversive groups.
The Red Brigades of the Combatant Communist Party (B.R.-P.C.C.) claimed
responsibility for the murder of Marco BIAGI (killed on March 19, 2002 in Bologna),
in an e-mail sent from a mobile telephone to several hundred addresses.
The Federazione Anarchica Informale (FAI), or Informal Anarchist
Federation, an informal militant group, may be the most dangerous group in Italy. From
the first terrorist attacks, which took place in Bologna, Italy at the home of the former
President of the European Commission, Romano Prodi, in December 2003, the Internet
was used as a means of communication between the local members of the group to
spread its plans and organise the attack. Thanks to the Internet, the group was able to
organise a well-ordered structure.
G. Cataldo / Fighting Terrorism in Cyberspace 161

2. International Terrorism

For international terrorism, the web has become of crucial importance in maintaining
contact and giving orders to the cells situated in different locations across the globe.
During Operation "Tracia", which was conducted against a Kurdish organisation
(DHK-PC) active in Turkey, the Carabinieri Corps was able to demonstrate that the
operational cells, one of which was located in Italy, used the internet to exchange
encrypted and camouflaged files. It was necessary to analyse the encryption program in
order to isolate parts of the code key, after which a so-called 'brute force' attack
to recover the password was carried out. The internet was also used to disseminate
proclamations taking responsibility for the attacks; these were sent from Perugia, Italy
to a newspaper editor in Turkey.
The investigation that was opened after the terrorist attack in Nasiriya verified that
the internet was also used by the terrorists in charge of this criminal act. Many open
sources, in particular websites that specialised in Islamic terrorism, had given out
information on the presence of an Abu Musab Al Zarqawi file entitled “Winds of
Victory” that was circulating on the internet. The video, produced by the “Section for
Propaganda” of the “Jamaa al Tawhid wal Jihad” (Monotheism and Holy War Group)
explained the religious ritual that was adopted by the “martyrs” to prepare themselves
for suicide missions targeting the American and Coalition Forces in Iraq. On one hand,
the document publicised the operational capacity of the organisation and encouraged
the inflow of mujahiddin to Iraq. On the other hand, through the violence and brutality
of the message, the document was intended as a warning to its enemies. At the same
time, the movie explained the religious rituals that were celebrated by “shahid” before
their suicide missions against the civilian or military targets selected by the
organisation. Actions in the various scenes reflected the preparation of the attacks, the
moments that preceded them, the distance covered by the “shahid” up to destination
and the explosion at the target object of the attack.
Among the terrorist acts listed in the movie, we found the attack on the military
base "Maestrale" on 12 November 2003, and the one against the headquarters of the
UN in Baghdad on 19 August 2003.
The multitude of possibilities that cyberspace offers is exploited by international
terrorist groups, which use the web as a means to asymmetrically spread conflict from its
traditional, physical battleground to the virtual territory of cyberspace.
The Net has proven to be an efficient instrument for communication, recruitment,
financing and training. These groups frequently take advantage of the so-called "deep
web",1 in other words, the use of compressed files that are not normally detectable with
the usual search engines and access to which is limited to users who possess the
relevant keywords and knowledge of the specific information pathways.
We must not forget, in fact, that for terrorism to develop on an international scale,
the media are an essential element. Frequently, the very act of media reporting is
exploited as a form of propaganda by terrorist groups, in that by covering events, the
media are able to rapidly reach an unlimited number of people, thus publicising the
success or failure of an attack, or simply allowing the terrorists to see the effect that
their actions have had. In this way, the traditional media, such as television and radio,
are among the tools that, if used to influence the public (in this case, a passive
spectator), do not guarantee interaction with the structure. On the contrary, the Internet
can be the point of interactive convergence for militants, who gather on the web in a
"virtual sanctuary", which enables them to communicate without high risks and find
training and indoctrination manuals. Therefore, the internet can easily be used in
compliance with terrorist logic because it can be used to radicalise, to recruit and to
train activists.

1 "Deep web" is used to avoid normal checks or controls and is based upon compressed and hidden files. Access
is limited, and it is necessary to know passwords or specific paths to reach the information.
The Internet has become an essential tool, for the strategy of Al Qaeda in particular.
The strategy is essentially to engage the countries of the Western world in a "permanent
jihad", or long-term war, in multiple crisis theatres, with the ultimate intention of
eroding the sense of security and destroying alliances in the targeted countries.
The Net perhaps represents the main tool with which Al Qaeda’s ideology can be
spread to achieve a sort of “jihad of the word”. It is the way through which a doctrinal,
psychological and terminological manipulation of the holy texts and tradition may be
used to motivate suicide attackers, the protagonists of the so-called “jihad of the
sword” against the West.
The interest of the Al Qaeda terrorist organisation in the media sector is confirmed
by the increasing quality of their audio and video products. These are often tailored to
the different people they are targeting, and present international events in such a way as
to demonstrate the supposed Western design to persecute the Islamic world.
The primary efforts made have been in the fields of propaganda and indoctrination.
They are aimed at the radicalization of the Islamic community in both countries of
Muslim faith and the West, and often specifically target young people. In addition,
European countries are also facing the threat of "home-grown" terrorism. What is
"home-grown" terrorism? "Home-grown" terrorism is a form of terrorism which
primarily involves "second generation" immigrants who, although perfectly integrated
into society and not participating in fundamentalist groups, are driven by intimate and
personal convictions and religious pressures to act in the name of the Islamic ideal.
This form of terrorism recruits its members mostly within the heterogeneous
components of the virtual community that wish to partake in acts of violence and which
use the web to strengthen and reinforce their contacts and ties.
Through the use of the internet, fundamentalist terrorism has attempted to
influence public opinion and the political resolutions of governments, while conducting
kidnappings in theatres of crisis. In February 2006, the Net was used to direct protest
demonstrations in different Muslim countries against the publication of political
cartoons in some European newspapers, which were claimed to be blasphemous
towards the Islamic religion.2 Recently, the mere announcement of the possible broadcast of an
anti-Koran video on the web was enough to cause apprehension and fear of possible
violent reactions.

3. Fighting Cyber-terrorism

Specialised units of the Carabinieri are engaged in the fight against cyber terrorism and are
trained in the use of the latest telecommunication interception technology. This
monitoring activity made it possible to identify and locate internet sites where the
visitor is invited to join an "electronic jihad", in other words, the attack and destruction
of websites considered to spread messages that are offensive to Islam. This kind of
propaganda has the potential of developing into concrete actions of
information sabotage.

2 In Denmark, on February 12, 2008, three persons suspected of being involved in the organisation of the
attacks against the authors of the "blasphemous" cartoons were arrested.
The info-investigative activities that were conducted by monitoring the net
revealed how the terrorist cells are composed and how they disseminate their lessons.
Documents have been uncovered regarding precise indications of the organisation of a
terrorist attack involving explosives, as well as the successful execution of ICT
exploits.
In the security system, no police force or intelligence agency is exclusively in
charge of monitoring Internet sites containing terrorist content. An active contribution
aimed at prevention is made by each police force and information agency within
its own competence.
Apart from the role played by the Judicial Authority in the investigation,
coordination in the prevention phase is managed by the Minister of the Interior, through
the National Authority for Public Security, which uses the Anti-terrorism Strategic
Analysis Committee.
In this commission, positive synergy is reached between the various institutions in
charge of developing action to fight terrorism. These actions are decided in weekly
joint meetings between The Central Director of the Prevention Police, The chief of the
II Division of the Carabinieri General Headquarters, delegates from the directors of
AISI3 and AISE4 (the two Italian intelligence services), a representative of the
Department of Penitentiary Administration and an officer of the General Headquarters
of the Guardia di Finanza (Anti-Fraud Force). During the meetings, particular attention
is paid to monitoring Jihadist sites.
While monitoring activities are carried out during the preventive and informative
police activities and before investigations, an internet site may be shut down only after
a judicial decision has been made. This can happen only once an investigation has
verified the presence of illicit contents on the site.
The use of the internet by terrorist groups is considered a concrete threat to the
security of the European Union as well. Therefore, since 2006 the European Police Office
(Europol) has run a specific project, "Check the web", in order to raise
the levels of police cooperation in this sector. The goal is to establish a form of
common elaboration and consequently a common approach to fighting terrorism. The
Carabinieri actively take part in this project.
This is not a spontaneous initiative, but a decision that was taken in conformity to
the Force’s institutional objectives, which are to increase the levels of control over the
territory, in a virtual sense (like cyberspace), and increase investigative quality.
In this fight against terrorism, activities must be directed in such a way as to
prevent the biased use of the web; the error of associating or confusing the Islamic
world with terrorism must be avoided. In this type of struggle, we must acquire
familiarity with different agents, not only from the intelligence point of view but
also from a cultural one.
However, technology is not enough; human resources capable of fighting these
activities are essential and must be developed. For this reason, many specific courses of
varying levels have been organised to learn the Arabic language and culture, and these
include internships in Qatar and Tunisia.

3 AISI - Agenzia Informazioni e Sicurezza Interna, the Italian Internal Information and Security Agency
4 AISE - Agenzia Informazioni e Sicurezza Esterna, the Italian Foreign Information and Security Agency
This is the perspective in which the Carabinieri are moving in today's global
scenario, convinced that the only effective way to fight terrorism is
through the concerted, coordinated and cooperative efforts of all possible resources, in
the areas of intelligence and investigations, where the control of the territory, real and
virtual, plays a pivotal role.
Modelling Cyber Security: Approaches, Methodology, Strategies 165
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-165

Cyberspace Control: How to Avert a Cyber World War
VADM (ret) Ferdinando SANFELICE di MONTEFORTE

Abstract. Just as with the air and maritime domain - namely those geostrategic
spaces where police authorities are unable to carry out law enforcement activities
independently without military assistance - cyberspace could also become the
object of military attention, from the moment that, like the other two, it is an
environment where adversarial activities can be carried out by state or state-
sponsored actors within the framework of international controversies among states.
Due to the fact that the military was the first public sector to take serious steps
toward ensuring adequate levels of security on its IT systems, and therefore holds
an advantage in this field, military participation in questions of cyber security at
the national and international levels could potentially be beneficial for all state
agencies concerned with security issues of this nature.

Introduction

The most recent Declaration on Alliance Security (DAS), issued by the NATO Heads
of State and Government at the end of the Strasbourg-Kehl summit in April 2009, has
inserted cyber attacks among the "new, increasingly global threats" which our nations
and the world are facing, together with terrorism, the proliferation of weapons of mass
destruction, and their means of delivery.
Some sceptics may remark that such wording takes one step further the
dangerous snowballing of the cyber security issue that began when the Estonian IT networks were
first attacked a few years ago. The fact that both commercial and state-owned networks were
hit hard, thus temporarily bringing not only these networks to their knees but also the
nations themselves, has, quite understandably, deeply worried all NATO statesmen,
fearful of finding their own nations under similar strictures, which could hit them in
particularly sensitive moments of their political or economic life. Thus, the DAS has
been drafted with the inclusion of this new, strong and almost bellicose wording on
cyber attacks.
These concerns, though, are further complicating a situation where – it is sad to
say – strategic mistakes, outlined below, have piled up to such an extent that the whole
problem may be likened to a Gordian knot, difficult to untangle without cutting it in
one straight and direct move.

1. The Historical Development of the Use of Cyberspace

It is fair to say that when the impulse to use the extensive resources, made available by
Automatic Data Processing within a network context, became incessant, the private and
public sectors decided to maximise the exploitation of these new possibilities. This
was, of course, natural for individuals, who found in the Internet a new and most
convenient way to communicate with others. This new impulse to use Internet as a
means of communication was especially motivated by the inherent limitations of the
classical mail system and the telephone (fixed or cellular).
166 F. Sanfelice di Monteforte / Cyberspace Control: How to Avert a Cyber World War

This novelty was indeed extremely promising, for a variety of reasons, also for profit-seeking corporations
such as industries, banks and contractors. Primarily it allowed
them to increase their efficiency, to simplify their structure, to hire fewer employees, as
well as to achieve an easier and more effective customer-provider relationship.
It is worth mentioning, however, that both these kinds of actors, by adopting the
networked approach, were fully aware that there were naturally some risks that would
come with such a choice. The service was provided, in fact, by a number of
commercial firms, which operated within the free-market space. They were thus
exposed to the dangers that are linked to the possibility that someone could use
countermeasures to check and slow their success, as well as to try to exploit the new
facilities, for petty or major criminal purposes, at the customers’ expense.
Government bodies, throughout the world, were also quick to discover that these
new and revolutionary electronic tools were instrumental to aid in dramatically
enhancing their effectiveness. Unfortunately, due to both budget restrictions and an
inability/lack of determination to rapidly modernise their structures, many governments
decided to forego operational security and to walk along the slippery road of the
“Commercial Off-The-Shelf” (COTS) systems. Another reason for which governments
were hesitant to make the necessary investments was that these systems were
undergoing such significant improvements, every two-three years, that the
governmental procurement procedures would have never been able to keep pace with
the ongoing progress.
The predictable overall result of such widespread favour for these COTS systems,
by a multitude of entities, has been the consequent bonanza for spies, jammers, hackers
– namely those willing to undermine the credibility of existing networks – and all those
having a vested interest in muddling the cyber-waters, be they sponsored by other
states, or be they industrial corporations, individual adventurers and businessmen. All of
them have enjoyed the great advantage of being able to acquire the very same systems
of their intended victims on the market, and have therefore been able to study their
weaknesses and vulnerabilities in depth before acting at the chosen moment.

2. Cyber Security Measures, a General Context

As a consequence, cyberspace has become a virtual version of the Wild West. It is
worth bearing in mind that among the reasons for this is the global nature of the
phenomenon; the “bad guys” are diffuse in all parts of the world, the hardware and
software providers are multinational firms, and the multitude of offered services knows
no boundaries. The moment that no competent and official Authority exists with the
global range of action that these actors have, the rules of the game remain unclear to
everyone; when they exist, they either differ from state to state, or are not endorsed by
all. Lastly, there is no effective control on the international level, with the exception of
horizontal coordination among like-minded countries.
Essentially, Western governments realised that they had plunged head first into a
great predicament without a parachute. It was then that governments began to adopt
corrective measures, at least for their military instruments and top-level decision-
makers, to improve their degree of operational security. Similar actions have been
taken by some international organisations, with the very same rationale.
Cyber security is such a general and cross-agency requirement that a new thriving
business rapidly sprang up, in which the firms, that had been hired to increase the cyber
security levels of several governments, took their know-how and used it to benefit
other customers, be they governmental, commercial or private citizens.

It is fair to say that, in the field of cyber security, state actors avail themselves of
two technical approaches in particular. The first is to have a good encryption system
put in place. Encryption is coupled with the use of specially hardened computers (to
make them more resistant to external intrusion), and, in addition, those networks that
handle sensitive data and information are physically separated from the greater
network. Nevertheless, not everybody can implement this complicated and expensive
approach; many, therefore, will necessarily continue to rely on COTS computers that
are connected to and through the Internet, albeit with encryption devices, and will be
exposed to all of the related inconveniences and vulnerabilities that this entails, for
years to come. Encryption is not all that is required to protect networks, and Estonia
and Georgia are only the first two instances of what may happen to those states that do
not take more prudent measures, such as those described above.
But the case of these two countries has raised another serious problem, which is
fraught with potentially dangerous consequences. All hindrances to networked systems,
as well as all instances of unlawful use of the Internet, were up until this moment
considered to be law enforcement issues and, in many nations, fell under the
jurisdiction of the judiciary pillar and state police, who carried out criminal
investigations, often supported by Interpol structures, whenever required.

3. Cyber Security, the International Context and the Role of the Military

In the case of the cyber attacks on Estonia and Georgia, however, suspicions were
raised that the massive cyber attacks were part of another state’s reaction to events
within these countries that were undesired by that state. Should this suspicion be
confirmed beyond any reasonable doubt, this could imply that electronic warfare,
namely what has already been defined several years ago as “soft kill” activity, will have
found yet another domain for its application in the world of interstate conflicts and –
what is worse – any massive disruption of networks in a country may be attributed to
another state’s actions.
Therefore, how the cyber misfits can be kept under control beyond the criminal
investigation level, is an issue that must be considered in depth by governments, since
it has become an issue for national security on the whole. Fortunately, it is possible
to apply effective approaches that have already been used in similar cases.
Just as with the air and maritime domain - namely those geostrategic spaces where
police authorities are unable to carry out law enforcement activities independently
without military assistance - cyberspace could also become the object of military
attention, from the moment that, like the other two, it is an environment where
adversarial activities can be carried out by state or state-sponsored actors within the
framework of international controversies among states.
Due to the fact that the military was the first public sector to take serious steps
toward ensuring adequate levels of security on its IT systems, and therefore holds an
advantage in this field, military participation in questions of cyber security at the
national and international levels could potentially be beneficial for all state agencies
concerned with security issues of this nature.
Cyber space, though, is characterised by a specific problem, which is not as
relevant for the air and sea domains. In each nation, a number of firms have been used
for centuries to provide essential collective services, such as the electric companies.
Apart from causing losses and damages, the magnitude of which has already been
experienced during the periodic “black-outs” resulting from occasional events and

mistakes, any attack against such infrastructures could cause the Nation to enter into a
state of temporary chaos.
Setting this peculiarity aside, by going into depth and examining how the military
carries out its activities in the air and at sea, the multiple and varied approaches to
problems, as well as a form of labour division that the military employs, become
readily apparent and could conceivably be applied, as a template, to cases regarding
cyber security as well.
On one hand, surveillance, control and coordination are normally delegated to
international organisations, and NATO is often in the front row. On the other, every
state continues to independently carry out its own protection and enforcement
activities; each state maintains its sovereign rights and exclusive duties over its own
resources and assets and hoists its own flag on such, wherever they might be, as well as
over its own territorial air and maritime spaces. This activity is carried out in
coordination with others, where and when friendly relations exist between them.
Of course, bilateral or multilateral agreements among states improve this situation,
ensuring that the spaces belonging to smaller states enjoy a higher degree of protection
and control, which is exerted by larger and more powerful countries on their behalf,
and through a timely coordination with them.
Another complementary feature that is adopted to tackle the problems of the wide
international spaces, especially when fighting a mix of potential aggressions and
international organised crime, has been the inter-agency approach. This approach
mobilises special expertise, procuring great advantages for the concerned states. This is
particularly the case for drug enforcement in some regions, such as the Caribbean.
Nonetheless, to make a long history short, all attempts to collectively use the
global Navies/Air Forces, to say nothing of international police enforcement activities,
to protect global commercial trade/air traffic - as some nations are proposing - have
met, so far, with a flat refusal by all governments concerned. This attitude was apparent
already during the first Gulf War, and has been confirmed by the most recent decisions
taken in the counter-piracy activities off Somali waters. This approach has clearly led
to the formation of many gaps, especially in the maritime domain, where merchant
vessels harbouring flags of convenience have become the rule rather than the
exception, and these gaps have, for instance, only served to encourage piracy to
flourish again.
To date, no change to the present state-centric approach to the air and maritime
domains is in view, and, most likely, there will be no exception in the approach chosen
to handle global threats related to cyberspace, as it has been defined by the NATO
Declaration on Alliance Security, in that virtual yet vital space.

4. Preliminary Considerations and Proposals

But let us make some preliminary considerations, which may be helpful to start
reflecting in depth on the cyber security issue.
First and foremost, even now it is almost impossible to catch another state in real
time while it still has the cyber “smoking gun” in its hand. Even if we don’t know all
there is to know on the recent cyber attacks, it is at least proper to assume that proxy
agents have been, and will be used in the future, by states willing to inflict this kind of
damage on others; these measures effectively hide the true culprits.
This sort of activity is seldom carried out independently of a serious dispute
among states. This basically means that there is an interval of time available, which
allows for some monitoring and preliminary damage-control actions to be prepared,

during the initial stages of the crisis. It is worth asserting that self-defence against any
sort of cyber attack is a key responsibility for each state, which in some cases may
decide whether to extend these defence measures or not to the industries that are most
relevant to ensuring a state’s overall good function (i.e. critical infrastructures, such as
the electric companies, transportation, communication networks, water supply).
In addition, the fact that principals are generally not easy to detect means that any
justification for a timely and proportional retaliation using classic measures is difficult,
if not impractical, in that it could needlessly complicate international relations, along
with the risk that such actions meet with the disapproval of the public opinions
concerned.
Second, in our countries, civilian control over military activities is an unquestioned
rule, and rightly so. Cyber space, however, is far too specialised a domain to allow
swift political decisions, at least in our times, to be taken regarding retaliations.
Therefore, special decision-making support agencies, to be provided with politically
endorsed and clear terms of reference, need to be established in order to allow for these
cases to be handled effectively and efficiently.
Third, a monitoring system, capable of spotting state-sponsored cyber attacks has
to be put in place. Despite the increasing world trend to outsource, this monitoring
activity cannot easily be delegated to commercial firms; the risk that a provider may
“cry wolf” to disqualify a competitor would always loom over the decision-makers at
the political level were such outsourcing to be used. It must be noted that, to date, no
key activity has been outsourced by states that have in the past chosen to sign
outsourcing contracts with multi-national firms.
Last but not least, the high costs of any monitoring system may discourage several
countries from undertaking this sort of development on their own. It is fair to say,
therefore, that a convenient solution for many nations may be to delegate such a
monitoring activity to collective security organisations, such as is the case with NATO,
which has been given responsibility in the air domain for decades, and more recently in
some maritime areas. Incidentally, NATO expertise is already exploited whenever
states require assistance for cyber protection, thus benefiting all.
Research and development activities, whose aim is to enhance the security of
national activities of great public interest, are also most convenient when carried out
through multinational cooperative projects.
The cyber sector allows for many of these possibilities to be realised, within either
the NATO or the EU/EDA contexts. Even if it is a matter of policy, to choose one or the
other organisation, it is worth noting that while NATO has much expertise, the EU is
multi-disciplinary, and is therefore better equipped to handle the issues involving non-
military, state, or local agencies and key infrastructures in accordance with the wishes
of its Member States. All things considered, great potential for collaboration exists
between these two international organisations, provided the two structures are willing
to share their know-how.
The big question, though, concerns confrontational activities, such as retaliation.
Everybody should consider what the political implications of a collective response
would be, even were they to be “in kind” to adversarial acts that had been carried out
against a single state. As with the air and at sea, individual nations are the most
appropriate actors to carry out this sort of action, which cannot be considered
separately from other political factors.

Conclusion

To conclude, there are problems quite similar to what happens in the air and at sea in
the cyber dimension; therefore, the approach to manage, nay, to control this domain
could be the same, where individual countries decide to what extent their non-military
agencies and key infrastructures have to be protected, where cooperative developments
might be beneficial in finding valid solutions to carry out prevention by stepping up
security, and where international organisations could help by managing the monitoring
structures.
Nonetheless, any temptation to retaliate, be it in kind or not, is a serious decision,
where single governments must decide in isolation and be ready to carry the weight of
the responsibilities that come with their decisions, in that responsibility for unilateral
actions cannot be spread around even among friends.
By taking such a multifaceted approach, countries might be able to avoid being
mauled by others, be they other states or criminal organisations, and the Western
Community will avoid the risk of another “cyber-Sarajevo”, which is a clear and
present danger that has to be prevented at any cost.
Section 3
European Measures and Legal Aspects
Modelling Cyber Security: Approaches, Methodology, Strategies 173
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-173

The Role of Europe in Matching Today’s
Asymmetric Threats
Giancarlo GRASSO
Senior Adviser to the President of Finmeccanica

Abstract. If one Member State imposes rigorous security standards in relation to
a particular cross-border infrastructure, that infrastructure and the services it
provides will still be vulnerable if another Member State does not impose adequate
or similar measures of protection on its side of the border. Although each Member
State has the responsibility to protect the critical infrastructure present under its
jurisdiction, it is crucial for the security of the European Union to make sure that
the most important infrastructures that have an impact on two or more Member
States, or on a single Member State in the case that the critical infrastructure is
located in another Member State, are effectively protected and that individual
Member States are not rendered vulnerable because of the existence of lower
security standards in other Member States. In today’s context of new dangers, but
also new opportunities, the strong commitment demonstrated by Member States to
give the enlarged European Union the tools it needs to make a major contribution
to security efforts and stability within a context of well governed countries in and
around Europe and in the world is stronger than ever.

1. Security, the First Priority of the European Citizen

A possible definition of an asymmetric threat reads 1:

“a broad and unpredictable spectrum of military, paramilitary, and
information operations, conducted by nations, organizations, or individuals
or by indigenous or surrogate forces under their control, specifically
targeting weaknesses and vulnerabilities within an enemy government or
armed force”.
In order to broaden this definition, the following consideration must be made: One
of the basic responsibilities of the European Union and its Member State governments
is to ensure the security of its citizens. The Treaty of Lisbon2 states that Europe has to
be an area free of internal borders, based on the principles of transparency and
democratic control, of freedom, security and justice.
Therefore, whoever and whatever opposes all the above, has to be considered an
asymmetric threat having the objective to trigger asymmetric conflict. We Europeans
must defend ourselves, our values, principles and goals. We must develop the capacity
to act and react so that we may be regarded as a significant participant by our partners
in the international arena. To achieve this goal, close cooperation among countries and
international organisations has to be reinforced. However, there is a price that cannot
be expressed simply in monetary terms.

1 “The Asymmetric Threat”; M. L. Kolodzie, USMA; http://www.almc.army.mil/alog/issues/JulAug01/MS628.htm
2 For the full text of the treaty: http://europa.eu/lisbon_treaty/full_text/index_en.htm
174 G. Grasso / The Role of Europe in Matching Today’s Asymmetric Threats

2. Obtaining Security and Respecting Freedom and Privacy

Privacy is one of the most powerful fundamental ethical values in Western cultural
history. It organises a broad spectrum of knowledge and cultural practice, from politics
to law, from health to hygiene and sexuality, from family relations to commerce. Its
moral core, it is argued, has given rise to social principles such as autonomy, integrity,
independence. These values form the foundation of today’s shared understanding of
human rights, citizenship and civic obligation and are at the core of the European civil
life. Closely related to the notion of privacy as inviolate (that which is personal) is the
notion of privacy as intimacy. Ideas like love, friendship, loyalty and trust are only
possible in relation to some sort of assurance of privacy.

Directive 95/46/EC (on the protection of individuals with regard to the processing
of personal data and on the free movement of such data)3 was developed to harmonise
national provisions in this field and states:
“Member States shall protect the fundamental rights and freedom of natural
persons, and in particular their right to privacy with respect to processing
of personal data”.
In this Directive, the classical concept of privacy is transformed into the notion of
organised information relative to a single person, i.e., the intimate knowledge of the
individual: personal data. The assumption that one has the right to control knowledge
about oneself no longer holds true. Personal data are no longer personal, but rather
transportable, commercial, marketable. At the same time, the EU Member States have
the responsibility to both protect the privacy of the European citizen and ensure their
security.
It may generally be conceived that security and privacy are in opposition. And it
may be said that there is a zero-sum game between the two, for which an increase in
security is ordinarily said to come only at the cost of a decrease in privacy and vice-
versa. European citizens, it is often suggested, enjoy less and less privacy as
technological developments allow an ever growing invasion of the private sphere.
This zero-sum approach to security and privacy is not mandatory. Technology is
capable of improving compliance with those principles that protect an individual’s
privacy. It could empower individuals, by giving them easier access to, and control
over, information that directly pertains to them. It would allow them to decide how,
when, and which parts of their personal data could be disclosed, and to whom and for
which uses.
The best protection for individuals is that their personal information is only
collected where it is considered to be essential. Privacy enhancing technologies (P.E.T.)
have traditionally been limited to “pseudo-denomination” tools: software and systems
that allow individuals to withhold their true identity, and only reveal it when absolutely
necessary.
Examples of a more extensive approach to privacy enhancing technologies
include:
• encrypted biometric access systems that allow the use of a fingerprint to
authenticate an individual’s identity, but do not retain the actual fingerprint;
• secure online access for individuals to access their own personal data in order
to be able to check accuracy and make amendments;

3 http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

• software that allows browsers to automatically detect the privacy policy of
different websites and compares it to the preferences expressed by the user,
highlighting any incompatibilities; and
• ‘sticky’ electronic privacy policies that are attached to the information itself,
preventing it from being used in ways that are not compatible with the
aforementioned policy.
Furthermore, the technology should contain features that support the legal and
regulatory framework. This connection to technical features that support organisational
measures, will increase usability for security technology users, help them to comply
with their legal obligations, and, if designed the right way, fit into the organisational
processes that already exist within the user entity.

3. Security Needs a Coordinated and Cooperative Effort Among Member States:
From Interoperability to Network Centric Systems

As has been emphasised by Javier Solana, speaking of The Common Foreign and
Security Policy and European Security and Defence Policy 4:
“...we are stronger when we act together. Over recent years we have created
a number of different instruments, each of which has its own structure and
rationale”.
In the EU Security context, the NATO definition of “Force Interoperability”5 calls for:
“The ability of the forces of two or more nations to train, exercise and
operate effectively together in the execution of assigned missions and tasks”.
This definition could be expanded to include and incorporate the following
concept:
“The ability of the resources of one or more PMS and of one or more EU
Agency/Institution to train, exercise and operate effectively together in the
execution of the tasks/missions foreseen in an agreed Common Security
Capability Plan (CSCP)”.
NATO considers the defence against terrorism one of its primary tasks. The same
is true for the European Union. Twenty five of the twenty eight NATO Member States
are European or members of the European Union. To refuse to consolidate or align
efforts made in the Security domain of these two major global institutions, would not
make logistical sense, just as it would cause unacceptable levels of wasted time and
resources.
An example of such collaboration regards maritime surveillance, which is of the
highest importance in ensuring the safe use of the sea and in securing Europe's
maritime borders. The improvement and optimisation of maritime surveillance
activities, and interoperability at the European level, are important and crucial for
Europe to be able to properly and successfully handle the challenges and threats that

4 A SECURE EUROPE IN A BETTER WORLD - presented by Javier Solana, EUHR for CFSP - European
Council, Thessaloniki (Greece), June 20, 2003
5 NATO NC3TA Volumes; V2-Technical Architecture Management, Chapter 2. NATO Interoperability
Constructs; http://194.7.80.153/website/book.asp?menuid=15&vs=0&page=volume2%2Fch02.html

are related to many maritime activities including safety of navigation, marine pollution,
law enforcement, and overall security.
Surveillance activities are carried out by individual Member States, but most of the
activities and threats that they address are transnational in nature. Within most Member
States, surveillance activities concerning fishing, the environment, policing of the seas,
or immigration fall under the responsibility of several different enforcement agencies
that operate independently one from the other. This often results in the sub-optimal use
of scarce resources.
The EU Commission, therefore, advocated the need for a higher degree of
coordination on maritime surveillance by intensifying forms of cooperation within and
among the coast guards and other appropriate agencies of the Member States.
Although it would be a gradual process, developing an integrated network of
vessel tracking and e-navigation systems for European coastal waters and the high seas,
including satellite monitoring and long range identification and tracking (LRIT), would
provide an invaluable tool to public agencies.
Substantial progress along these lines is present in the EC Regulation No
863/2007, which establishes a mechanism that allows for rapid operational assistance
to be provided to a requesting Member State for a limited period of time when faced
with a situation of urgent and exceptional pressure. This would especially be the case
for situations occurring at the arrival at points of the external borders of large numbers
of third-country nationals attempting to illegally enter the territory of the Member State
requesting assistance. Aid would be provided in the form of Rapid Border Intervention
Teams (hereinafter referred to as teams). This Regulation also defines the tasks to be
performed and powers to be exercised by members of the teams during operations in a
Member State other than their own.
The threats that the EU is exposed to are shared with all of our closest partners.
International cooperation is a necessity and our objectives ought to be pursued through
both multilateral cooperation in international organisations and direct partnerships with
key actors. It is for this that the transatlantic relationship that exists between the
European Union and the United States is irreplaceable. By acting together, the EU and
the US form a formidable force for good in the world.

4. The EU Must Define a Security Standard for Strategic Infrastructures

The security of strategic infrastructure is only as strong as its weakest link. If one
Member State imposes rigorous security standards in relation to a particular cross-
border infrastructure, that infrastructure and the services it provides will still be
vulnerable if another Member State does not impose adequate or similar measures of
protection on its side of the border.
The interdependencies that exist between the various sectors do define an
environment where a particular event could readily have a cascading effect on other
sectors and areas of life, which are not immediately and obviously interconnected.
The existence of a multitude of levels of protection and standards across EU
Member States increases costs for businesses, which have to incur redundant security
investments depending on the jurisdictions under which they operate. Therefore, the
EU ought to define a security standard for strategic infrastructures to avoid unnecessary
inefficiencies in the allocation of resources.
The principle of subsidiarity may be invoked the moment the measures that need
to be undertaken cannot be effectively achieved by any single EU Member State and
must therefore be addressed at EU level.

Although each Member State has the responsibility to protect the critical
infrastructure present under its jurisdiction, it is crucial for the security of the European
Union to make sure that the most important infrastructures that have an impact on two
or more Member States, or on a single Member State in the case that the critical
infrastructure is located in another Member State, are effectively protected and that
individual Member States are not rendered vulnerable because of the existence of lower
security standards in other Member States.
The EU’s effort to protect critical infrastructure will soon turn to concrete
measures for Europe’s information and communication technologies (ICT) sector with
the release of a new policy paper6. The general aim of the document is to urge the 27
member nations to define a common set of response criteria regarding cyber-attacks
and, specifically, to align their national regulations.

5. Security, Along with Safety, Must be Embedded into Systems and Certified
with Proper Labelling

It is common understanding today that incorporating safety into the design process has
a positive impact on a company's safety, quality and productivity. Costs can be
lowered, task performance improved, and life-threatening work hazards reduced. Cost
benefits are maximised when applied at the earliest stages of development, but owners
will experience benefits when safety is considered at every stage in the project
continuum. Similar benefits could be associated to the introduction of security and
environmental criteria as early as possible into the product life cycle.
It is interesting to remember that the EU recently promoted a Safety Certification
and Authorisation Team (SafeCert Team)7, that has been given the task of dealing with
the harmonisation of decision-making criteria regarding the procedures for safety
certification of railway undertakings and the safety authorisation of infrastructure
managers.
The market for security solutions in Europe is still highly fragmented and has a
long way to go before it matures. This hinders the industrial base of security
technology, preventing it from exploiting its overall potential and accessing market
opportunities more effectively. It is necessary to analyse not only the role that standards
play but also that of the process of standardisation in organising the market from both
the demand and the supply side. Thus far, most of the impetus has been focused on the
European Security Label, the basis of which is the final Communication from the
European Commission COM (2008)133, “Towards an increased contribution from
standardization to innovation in Europe, namely standardization” 8.
The aim of the Communication is:
• To contribute to the development of sustainable industrial policy.
• To unlock the potential of innovative markets.

6 “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and
resilience”; Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure
Protection; http://ec.europa.eu/information_society/policy/nis/docs/comm_ciip/comm_en.pdf
7 Assessment Criteria for Railway Undertakings and Infrastructure Managers
8 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0133:FIN:EN:PDF

• To strengthen the position of the European economy by more efficiently
capitalising on its knowledge base.
The EU expects standardisation to make an important contribution to the following
priority actions for innovation and competitiveness:
• Sustainable industrial policy: this aims at improving the energy and resource
efficiency of products, processes, and services and the competitiveness of
European industry. Standardisation is important in enabling the further
development of eco-innovation and environmental technologies.
• Lead markets: standardisation is one of the key elements for the success of the
lead market initiative, which aims to accelerate the emergence of innovative
market areas such as e-Health, sustainable construction, recycling and
renewable energy. A European lead position in developing globally accepted
standards would facilitate the growth of these markets both in Europe and
abroad.
• Public procurement: the appropriate use of standards in public procurement
may foster innovation, while providing administrations with the tools needed
to fulfil their tasks.
• The integration of ICT in industry and administrations: the potential to
improve the competitive position of the European economy through a more
efficient and effective use of ICT tools is important, and standards are
essential to realise this potential.
A strong role for Europe in international standardisation is also a way to
capitalise on European leadership in new markets and to gain first-mover advantages in
global markets.
To further standards, a process is needed, such as conformity with the standards
required by an EU Security Label, that demonstrates that increased security and
quality exist as criteria for market access. The market needs basic criteria upon which
to base decision-making processes that regard the acquisition and implementation of
security products, services and their respective integration, and justify choice of
purchase by adopting recognised security principles.
The Security Label will create the confidence that security products and services
meet certain standards of quality and are suitable for the intended use, thus resulting in
risk management for the end users. In order to implement a European Security Label
Certification it is necessary that a co-ordinated accreditation process for testers,
auditors etc. be created that includes harmonisation criteria and encourages the relevant
organisations to apply. It must constitute a network that, where possible and
appropriate, uses existing competence.

6. Defence and Security Are Closely Interrelated

In contrast to the massive visible threat of the Cold War, none of the new threats of
today is purely military; nor can any be dealt with by relying on purely military means;
each threat requires a mixture of instruments. Their proliferation is contained not only
by controlling exports but also by applying multiple forms of political, economic and
other pressure. A key element in fighting the proliferation of
new threats is to contemporaneously tackle the underlying political causes of the
threats themselves.
Dealing with terrorism, for instance, requires a mixture of intelligence, police,
judicial, military and other means that include communications and economic
endeavours. Where military forces often have the task of implementing security
measures on foreign soil, frequently in failed states in which military instruments
may be needed to restore order, humanitarian aid is used to tackle the immediate crisis
and to relieve civilian victims. Regional conflicts always need political solutions,
which are complemented by the military assets and effective policing that are generally
necessary for maintaining order in the post-conflict phase. Economic instruments
(although not exclusively) serve in reconstruction efforts, and civilian crisis
management activities help restore civil government.
The European Union is a global actor, ready to share the responsibility of ensuring
global security. With the adoption of the European Security Strategy in December 2003
by the European Council9, it affirmed the role it wants to play in the world, supporting
an international order based on effective multilateralism within the UN.
In today’s context of new dangers, but also new opportunities, the commitment
demonstrated by Member States to give the enlarged European Union the tools it needs
to make a major contribution to security and stability, within a context of well-governed
countries in and around Europe and in the world, is stronger than ever.
The EU has the civilian and military framework needed to face the multifaceted
nature of the current asymmetric threats. Member States have decided to commit
themselves by 2010 to be able to respond with rapid and decisive action applying a
fully coherent approach to the whole spectrum of crisis management operations that are
covered by the Treaty on the European Union. This includes humanitarian and rescue
tasks, peace-keeping tasks, tasks of combat forces in crisis management, including
peacemaking. As indicated by the European Security Strategy this would also include
joint disarmament operations, the support for third countries in combating terrorism
and security sector reform.
This approach requires Member States to voluntarily transform their armed forces
by progressively developing an elevated degree of interoperability, at the technical,
procedural and conceptual levels. Without prejudice to the prerogatives of individual
Member States regarding defence matters, a co-ordinated and coherent development of
equipment compatibility, procedures, concepts, command arrangements and defence
planning is a primary objective. In this regard, the commonality of a shared security
culture should also be promoted. Interoperability must be considered within a broader
framework that includes military, civilian and civil-military aspects. The EU could
further strengthen the coordinated use of its civil and military capabilities
acknowledging that modern Crisis Management Operations typically require a
combination of multiple instruments. Synergies relevant to crisis management
capabilities should be identified and fully exploited between civilian and military
ESDP, the European Community, as well as third pillar actors (Police and Judicial
Cooperation), with the aim to maximise coherence in the field as well as at the
governing and administrative levels in Brussels. Issues, such as field security, training,
logistics and procurement should be taken into account.

9 http://www.consilium.europa.eu/uedocs/cmsUpload/78367.pdf

7. Why Interconnection among European Agencies Operating in the Field of
Safety and Security is Necessary

A number of specialised and decentralised EU agencies have been established to
support the EU Member States and their citizens. These agencies are an answer to a
general trend toward the decentralisation and geographic redistribution of
administrative responsibility and to the need to cope with new tasks of a legal,
technical and/or scientific nature.
The competence and experience available in almost all areas pertinent to
the Safety/Security sector are impressive, and they force one to consider what
opportunities exist for improving networking and interaction among the existing
resources and agencies. In fact, given the aforementioned advantages of incorporating
safety/security requirements in all phases of a process, the majority of the structures
that focus on safety issues could invariably expand on a technical level to address
security related issues.
Over the coming years, Europe will need to develop a commonly shared
capability-based planning process, and, possibly, a European Security Capability Plan.
In the meanwhile, public and private stakeholders alike, both at EU and national
levels, will need to proceed with the systematic identification of available and required
capabilities. In specific sectors, relevant agencies can play an important role. EDA and
FRONTEX could be seen as examples of good practice, which might be considered by
other agencies. The need to interconnect all of these resources will therefore grow
in the forthcoming years and accelerate the transformation of existing Agencies from
stand-alone entities to a system of systems.

8. ESRIF, the European Security Research & Innovation Forum

The European Security Research and Innovation Forum (ESRIF) was established in
September 2007, on the basis of a joint initiative of the European Commission and EU
Member States.
ESRIF is an informal group, set up jointly and co-owned by its stakeholders from
the demand and supply side of security technologies/solutions, as well as from civil
society. It thus includes independent representatives from industry, public and private
end-users, research establishments and universities, as well as non-governmental
organisations and EU organisations and entities. With this kind of composition and
approach, ESRIF hoped to overcome the boundaries and limitations inherent in a more
formal structure. ESRIF is the only large-scale, high-level attempt of this kind in
Europe. It is also supported by FP7 (Seventh Framework Programme) Associated
Countries. ESRIF’s mandate is limited to advising on security research and innovation.
The primary reason for creating ESRIF was the need for:
• Coordination of the strategy and implementation of European and National
Security Research Funding Programmes;
• Taking a mid- and longer term perspective for civil security research in
Europe, going beyond pure research and also embracing innovation elements;
• Improving coordination between security policy and its implementation on the
one side and security research on the other, including the demand and supply
side of security technologies/solutions and considering the economic effects of
future civil security research;
• Addressing how action at European, national and regional levels can be
coordinated to better exploit the use of future capabilities and resources;
• Looking at coordination between civil and military security research;
• Encompassing societal aspects of security to gain a better understanding of
interdependencies and dynamics behind decisions, policies and programs by
the Union and their effects, to enhance the security of EU citizens.
ESRIF was given the task of developing a “European Security Research and
Innovation Agenda”10, a strategic roadmap for security research and related measures
that will bring greater coherence and efficiency to the sector, while promoting
innovation.
The hope was that an Agenda that studied these factors would create opportunities
for more coherent research programming and funding that would eventually lead to
better innovation. It was hoped that this would also stimulate the private sector to
invest funds in research strategic priorities, thereby complementing public investments.
Moreover, it corresponds to the general aim of building a true European Research Area,
notably by promoting greater coherence between investments in research and
development allocated at European, national and regional levels. This should ultimately
strengthen EU security and the EU security market and the competitiveness of the
private sector. ESRIF is now in the final stage of elaborating its Final Report and
therefore close to the end of its assigned task.

10 http://ec.europa.eu/enterprise/security/doc/border_control_workshop/k_giovanni_barontini.pdf
182 Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-182

Information Sharing in the Context of
European Union Critical Information
Infrastructure Protection
Alessandro GAZZINI, Andrea RIGONI
Booz & Company
alessandro.gazzini@booz.com
andrea.rigoni@booz.com

Abstract. Effective anticipation and response to the characteristics of today’s
security threats require an effective information sharing (IS) component. The need
for IS and the relative benefits that come with it are evident to most security
stakeholders. Information sharing has become even more urgent as the extreme
adaptability of our adversaries and the relative rigidity of our current security
organisations, in both the public and private sectors, have become increasingly
clear. Many governments have recently issued specific IS policies, stating
the objectives as well as launching operational initiatives. The European Union has
also introduced an IS objective within its more general program of critical
(information) infrastructure protection and has recently launched several research
and pilot instruments for IS solutions. Many challenges to develop successful IS
models still exist, particularly in the security environment. Most notably, there is a
tendency to dedicate excessive attention to technology concerns and solutions. A
successful IS model, however, needs to comprehend and incorporate a more
multidimensional strategic approach and focus on the concept of IS as a
marketplace value.

Keywords. Information Sharing, Cyber Security, Critical Information
Infrastructure Protection, Critical Infrastructure Protection, Security, IT security

1. Information Sharing: An Emerging Security Need for Reducing “Operational
Asymmetry”

In the commercial, government and military sectors of EU Member States, there has
been a significant push to increase interconnectivity and interoperability between
systems in order to enable and increase operational benefits. The nature of the ICT
(Information and Communication Technologies) market has also produced many
common ICT components, which consequently share common vulnerabilities. In areas
such as critical national infrastructures, there is already a high degree of cross-border
interconnection and interdependency between systems. The complexity and criticality
of these systems cannot be overemphasised.
The threat to these federated systems is growing. Terrorists and other disaffected
organisations and individuals have identified the dependence of EU countries upon
these systems and the potential impact a successful attack could have. However, while
these “systems of systems” are increasingly closely integrated horizontally, their
protection is all too often aligned vertically, within countries and within companies.
This misalignment presents enticing opportunities to attackers.
This is why Information Sharing (IS) has become a key component of modern
protection and is one of the main pillars of Intelligence. Information Sharing has gained
in popularity after 9/11, and, today, it is at the centre of many National Security
Intelligence Strategies, as may be demonstrated by the growing policy initiatives, as
well as operational IS initiatives (e.g. WARP, Intellipedia, A-Space, etc.), including at
the European level (e.g. CIWIN, M3I, NEISAS, European Rapid Alert Platforms,
etc.).

Figure 1. Examples of Recent Information Sharing Policies

One of the primary reasons we believe this emerging attention on IS is well placed
as a priority is the phenomenon of “operational asymmetry”. Fundamentally, our
adversaries have extremely adaptive “leaderless” operational models based on
flexibility, speed, knowledge exchange and strong (often ideological) motivational
drivers, while our security organisational constructs, both in the government and in the
private sector, tend to be resource intensive, hierarchical, based on complex structures
and formalised processes, which create accountability (at times) but more often
generate slow and rigid systems and system response. This imbalance is particularly
evident in the cyber domain, where speed reigns and the attack mode is far more
successful by several orders of magnitude than any response or defence.
IS can be a vital resource in reducing some aspects of this operational imbalance
and in generating multiple benefits, most importantly increasing the speed and quality
of our capability to anticipate and react. The need is for vital knowledge to be spread
quickly, not to mention generated effectively, within the “mega-community” of public
and private security stakeholders.

Figure 2. Benefits of Information Sharing

Sharing information on security risks is clearly beneficial to both government and
industry. If a mechanism can exist through which one organisation is able to learn from
the experiences, mistakes, and successes of another, without fear of exposing its
vulnerabilities to national security, competitors and the media, then every participant
will be able to improve their level of resilience and safety.

2. The EU CIP Information Sharing Panorama

There are many initiatives and projects in Europe on Information Sharing; most of
them, however, are managed at a national level. Some exceptions are those systems
that interconnect operators in a specific sector (e.g. banks, air traffic control, adjacent
Power Transmission Operators, etc.), which are typically used for daily operations and
not specifically for Critical Infrastructure Protection (CIP).
According to a European Network and Information Security Agency (ENISA)
study1, “EISAS – European Information Sharing and Alert System,” 13 Member States
do not have any known Information Sharing activity, 5 Member States have a dedicated
level of organisation, and the other 9 have some initiatives that are managed by non-
dedicated organisations. In the study, only two Member States are reported to have
organisations that are in charge of Information Sharing and that have Critical
Infrastructure Operators as their constituency. These numbers, though, do not
completely reflect reality; many other Member States are running information
exchanges that are facilitated by government organisations, where Critical
Infrastructure Operators meet regularly (for instance, the Information Exchanges
managed by CPNI in the United Kingdom, or the NICC in the Netherlands). These
initiatives are all very successful, primarily because of the importance that has been
given to the development of trust among all participants, including the government.

1 www.enisa.europa.eu/doc/pdf/studies/EISAS_finalreport.pdf
Furthermore, EU Member States share the need to exchange information on an
international level, in particular for the protection of Critical Infrastructures (CI), where
many are interconnected or interdependent, and where the impact of an attack on one CI
in one Member State could affect another CI in another Member State. This is why the
European Commission included the creation of Information Sharing Systems in the
European Critical Infrastructure Program.
An important aspect that should always be considered when discussing
International Information Sharing Systems is that most of the time these services are
used by governments and national infrastructures to exchange notifications and
communications regarding new vulnerabilities, threats, incidents and good practices,
and, in most cases, this exchange is relevant to national security.
This is one of the main reasons why most Member States are promoting a federated
approach, both at a National and European level.
The most successful projects in Europe, such as the UK WARP (Warning, Advice
and Reporting Point), owe their success to this approach, which, among other things,
is able to address the specific requirements and needs of certain sectors.
The energy sector, for example, is considered among the most critical in Europe. In
particular, Transmission System Operators (TSOs) run the European Power Grid,
which provides electricity to all European citizens. TSOs form a strong and well-
connected community. Information Sharing is vital to these companies; a problem,
fault, incident or attack to any one operator could have disastrous impacts on all the
other operators. This is the reason why building “Shared Situational Awareness”
improves the overall resilience of the system. These companies are already exchanging
a lot of information, both at an operational and a strategic level. The exchange is based
on “peer to peer” relations, mainly because there is no single authority or organisation
that is in charge of regulation or coordination of the operators.
In 2004, the Commission issued a communication to the Council and the European
Parliament on “Critical Infrastructure Protection in the fight against terrorism
(20-10-2004)”2. In this document, the Commission identified security management
and, in particular, risk management as the key area that needed to be addressed by a
European Program for Critical Infrastructure Protection that would be based on an all
hazard approach. The document also stated that the EPCIP would promote information
exchange (sharing), where the constraints of competition, liability and information
sensitivity can be balanced with the benefits of a more secure critical infrastructure.
Where sector-based standards do not exist, or where international norms have not yet
been established to support this sharing, the document goes on to state that
standardisation organisations should be approached with proposals for uniform
security standards, adapted to all of the various branches and sectors concerned.
The importance of information sharing in supporting Critical Infrastructure
Protection (CIP) has been recognised for some time, and moves have been made
toward developing European information sharing initiatives through both the 2002 and
2005 e-Europe Action Plans 3. These plans have respectively focused on stimulating
public-private cooperation regarding the dependability of information infrastructures
(including the development of early warning systems) and on the establishment of the
European Network and Information Security Agency (ENISA). ENISA is assigned,
amongst other things, the task of fostering and enhancing cooperation between relevant
stakeholders, information gathering, the exchange of best practices and the
establishment of synergy between public and private sector initiatives.

2 10679/2/04 REV 2, no. 19 http://www.consilium.europa.eu/uedocs/cmsUpload/EU_17.18-6.pdf

3 COM(2002) 263 final 28.5.2002 - eEurope 2005: An information society for all - http://ec.europa.eu/
information_society/eeurope/2002/news_library/documents/eeurope2005/eeurope2005_en.pdf

Figure 3. Examples of IS initiatives in the EU

ENISA has been active in raising awareness of the need for information sharing
and has produced many studies in this area, in particular, the EISAS – European
Information Sharing and Alert System Feasibility Study 2006/7. Although this
feasibility study focused on citizens and small and medium enterprises, there are
aspects of the study which also relate to CIP, government and large enterprise
communities, such as the need to adopt a standardised approach to information sharing.
Furthermore, on 30 March 2009, European Commission Directorate General
Information Society and Media (DG INFSO) issued a Communication4 that announces
the launch of a policy initiative to Protect Critical Information Infrastructures in
Europe. The initiative focuses on the following five areas:
• Preparedness and prevention: to ensure preparedness, by defining a baseline
of capabilities and services of national/governmental Computer Emergency
Response Teams, creating a European Public-Private Partnership for
Resilience and a European Forum of Member States to share information,
good policy and operational practices.
• Detection and response: to provide adequate early warning mechanisms, by
supporting the development and deployment of a European Information
Sharing and Alert System, reaching out to citizens and SMEs, and being based
on national and private sector information and alert sharing systems.
• Mitigation and recovery: to reinforce EU defence mechanisms for CII via
the development of national contingency plans by Member States and the
organisation of regular security incident response and disaster recovery
exercises for large-scale networking in a move to stimulate stronger
pan-European coordination, as well as strengthening the cooperation between
national/governmental Computer Emergency Response Teams.
• Cooperation on international and EU levels: to promote EU priorities
internationally by driving a Europe-wide debate involving all relevant public
and private stakeholders, to define EU priorities for the long term resilience
and stability of the Internet by working with Member States to define
guidelines for the resilience and stability of the Internet and by working on a
roadmap to promote principles and guidelines at the global level, possibly
leveraging strategic cooperation with third countries.
• Criteria for the ICT sector: to support future implementation of EPCIP, by
continuing to develop, in cooperation with Member States and all relevant
stakeholders, the criteria to identify the European critical infrastructures in the
ICT sector.

4 http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
In the Action Plan of the Communication (par. 5.2)5, Information Sharing is
mentioned as one of the key elements of a successful Critical Information
Infrastructure Protection strategy.
In 2006, the European Commission presented a program6 to foster and support
Information Sharing in Europe, including the provision of a software platform called
CIWIN - Critical Infrastructure Warning Information Network, now in pilot phase.
Furthermore, Commissioner Jacques Barrot, Directorate General Justice Liberty and
Security, recently proposed new legislation7 to enable European Union Countries to
share information regarding critical infrastructure protection. This proposal is expected
to be discussed at the next Justice and Home Affairs council in Luxembourg, 4th and 5th
of June 2009.
During the presentation, a review of EU policy and key projects will be given, the
main goals of Information Sharing will be presented, together with the direct and
indirect benefits to the stakeholders, and the importance of quality in relation to the
extension of the community and the quantity of information exchanged will be shown.

3. Designing a successful IS system

While we all basically agree on what the benefits of IS are, we are a little less sure
about how to actually build a successful model. Too often the discussions are quickly
oriented towards aspects related to the IT systems, appropriate tools and protocols etc.
This is not to imply that technology is a minor concern, but simply to highlight that it
tends to become a dominant topic.
As a matter of fact, many technological challenges still remain. Despite the many
good examples of Information Sharing, progress towards making these virtual
platforms universal is hampered by the lack of a common language and framework. For
communication to occur between people, there is more to the equation than merely
choosing a specific vocabulary from native languages such as English or Italian. When
speaking of communication involving computers, it is also more than choosing a
standard based on the XML framework.

5 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF - COM(2009) 149
final 30.3.09

6 15041/08 31.10.08 proposal for a council decision on a Critical Infrastructure Warning Information
Network (CIWIN) - http://register.consilium.europa.eu/servlet/driver?lang=EN&ssf=DATE_DOCUMENT
+DESC&fc=REGAISEN&srm=25&md=400&typ=Simple&cmsid=638&ff_TITRE=&ff_FT_TEXT=CIWIN
&ff_SOUS_COTE_MATIERE=&dd_DATE_REUNION=&srs=26&rc=37&nr=119&page=Detail

7 IP/08/1586 27/10/2008 http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/1586

What has been missing in the past is a management messaging standard that
describes a set of requirements on how such messages should be used. One good example of a
requirement for a management messaging standard is the need to have a common
understanding of how shared information can be distributed virtually. The Traffic Light
Protocol (TLP) is a specific example in use by many organisations, which takes the
sensitive nature of some types of information into account. It is important that the TLP
be recognised and understood in communications involving people and computers,
where both must follow the agreed rules for information distribution. It is also
important to recognise that the TLP may be just one example of good practice.
In designing an IS system, we suggest that along with the IT complexities, one
should equally focus attention on other key dimensions, which ultimately will
determine the success of the IS system. A successful model must consider at least five
macro areas:
• Value Exchange – the essence of any IS environment.
• Policy and Organisation – the structure, rules and process.
• Technology – the IT solution.
• Culture – the willingness to participate.
• Economic – the resources.

Figure 4. Booz & Co IS framework

As a final comment we would like to add that trust is an essential element in
information sharing and it should be built as a two-way system. The recipient of
information must trust the source, in particular, that the information received is truly
coming from the person it purports to come from, is not malicious or misleading, and
that it is also relevant. The source must also trust the recipient, in particular, that the
information received will only be used or distributed according to previously
established agreements and parameters. Without this two-way trust, meaningful
information sharing is impossible.
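Both points of this section, the agreed distribution rules of a management messaging standard such as the TLP and the two-way trust between source and recipient, in one added example that is not code from the chapter or from Booz & Company: each message carries a TLP marking and an HMAC tag under the source's pre-shared key, so a recipient can check that it really comes from the claimed source and that body and addressing were not altered, while anyone wishing to pass it on is checked against the marking and may tighten it but never relax it. The participant records, the keys and the four-colour rules are constructed, simplified assumptions.

```python
import hashlib
import hmac
import json

# Assumed simplification of the classic four-colour TLP, ordered from least to most
# permitted disclosure (RED < AMBER < GREEN < WHITE).
TLP_ORDER = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}

# Constructed sample participants of the exchange: id -> (organisation, community/sector).
PARTICIPANTS = {
    "alice@tso-a": ("TSO-A", "energy"),
    "bob@tso-a": ("TSO-A", "energy"),
    "carol@tso-b": ("TSO-B", "energy"),
    "dave@bank-x": ("BANK-X", "finance"),
}

# Constructed per-source pre-shared keys (a hypothetical key store of the exchange).
SOURCE_KEYS = {"alice@tso-a": b"alice-shared-secret", "carol@tso-b": b"carol-shared-secret"}

# Fields covered by the source's tag; forwarding metadata is added outside them, so the
# original addressing and marking cannot be altered without breaking verification.
SIGNED_FIELDS = ("from", "to", "tlp", "body")


def _canonical(msg):
    """Canonical bytes of the signed fields (sorted keys, no whitespace)."""
    signed = {k: msg[k] for k in SIGNED_FIELDS}
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign_message(sender, recipients, marking, body):
    """Source side: build a TLP-marked message and tag it under the sender's key."""
    if marking not in TLP_ORDER:
        raise ValueError(f"unknown TLP marking: {marking}")
    msg = {"from": sender, "to": sorted(recipients), "tlp": marking, "body": body}
    msg["tag"] = hmac.new(SOURCE_KEYS[sender], _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify_source(msg):
    """Recipient side: does the message really come from the participant it purports to?"""
    key = SOURCE_KEYS.get(msg.get("from"))
    if key is None:
        return False  # unknown source: no basis for trust
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("tag", ""))


def effective_marking(msg):
    """The marking a holder must honour: the signed one, or a stricter one set on forwarding."""
    return msg.get("handling", msg["tlp"])


def may_forward(msg, holder, candidate):
    """Source side: may 'holder' pass the message to 'candidate' under its marking? Returns (ok, reason)."""
    addressees = set(msg["to"]) | set(msg.get("forwarded_to", [])) | {msg["from"]}
    if holder not in addressees:
        return False, "holder is not a legitimate recipient of this message"
    if candidate in addressees:
        return True, "candidate already holds this message"
    if holder not in PARTICIPANTS or candidate not in PARTICIPANTS:
        return False, "holder or candidate is not a known participant of the exchange"
    holder_org, holder_community = PARTICIPANTS[holder]
    cand_org, cand_community = PARTICIPANTS[candidate]
    marking = effective_marking(msg)
    if marking == "RED":
        return False, "TLP:RED is restricted to the named participants only"
    if marking == "AMBER":
        return cand_org == holder_org, "TLP:AMBER may only be shared within the holder's organisation"
    if marking == "GREEN":
        return cand_community == holder_community, "TLP:GREEN may be shared within the community only"
    return True, "TLP:WHITE may be shared without restriction"


def forward(msg, holder, candidate, marking=None):
    """Produce the copy 'holder' may pass to 'candidate'; the marking may be tightened, never relaxed."""
    if not verify_source(msg):
        raise PermissionError("the source of this message cannot be verified")
    allowed, reason = may_forward(msg, holder, candidate)
    if not allowed:
        raise PermissionError(reason)
    marking = marking or effective_marking(msg)
    if TLP_ORDER[marking] > TLP_ORDER[effective_marking(msg)]:
        raise PermissionError("a forwarded copy may not carry a less restrictive marking")
    copy = dict(msg)
    copy["handling"] = marking
    copy["forwarded_to"] = sorted(set(msg.get("forwarded_to", [])) | {candidate})
    return copy


if __name__ == "__main__":
    # Constructed sample: one TSO warns a peer TSO, marked AMBER.
    msg = sign_message("alice@tso-a", ["carol@tso-b"], "AMBER", "Constructed: fault on tie-line X")
    print("source verified:", verify_source(msg))
    print("carol -> bob (other organisation):", may_forward(msg, "carol@tso-b", "bob@tso-a"))
    print("alice -> bob (same organisation):", may_forward(msg, "alice@tso-a", "bob@tso-a"))
```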
Modelling Cyber Security: Approaches, Methodology, Strategies 189
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-189

Defining Critical Information Infrastructure
in the Context of Cyber Threats: The
Privacy Perspective
Eneken TIKK1
Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia
Head of the Legal Task Team
eneken.tikk@ccdcoe.org

Abstract. While the two organisations, the EU and NATO, share interest in the
field of Critical Infrastructure Information (“CII”) protection, and while the
interests of these organisations have developed significant overlaps, personal data
protection in the EU legal framework may become a factor that could hinder the
creation of effective cyber defence, unless timely and duly attended to by the
interested nations and entities. This article will provide insight into personal data
protection issues that relate to the exchange of information concerning cyber
incidents and, based on considerations pertinent to national approaches, it will
provide guidance on how to minimise the related legal risks that come with cyber
incident management.

Introduction

About a year ago, NATO adopted two documents that will shape the way cyber
incidents of concern to (inter)national security will be managed.2 The cooperative
aspect of managing cyber incidents of relevance for NATO will require national
regulatory action in regard to defining the critical information infrastructure and
providing a proper legal basis for information exchange between NATO and its
member states.
Cyber incidents may range anywhere from simple deviations from internal security regulations to criminal acts, acts of cyber terrorism, and even warfare. The investigation and management of such incidents is based on sharing and comparing traffic data and server logs, including IP addresses. Countries subject to both the EU and NATO organisational framework of cyber defence3 will face difficulties transferring such data to NATO or another member state’s national authorities since the legal view governing EU data protection institutions categorises IP addresses and logs as personal data.

1 Eneken Tikk works as the Legal Advisor to the NATO Cooperative Cyber Defence Centre of Excellence (“CCD COE”) and is currently the Research Fellow for the Center for Infrastructure Protection of the George Mason University Law School.

2 NATO Cyber Defence Concept (MC, 13 March 2008), based on the NATO Cyber Defence Policy (NAC, 20 December 2007).

190 E. Tikk / Defining Critical Information Infrastructure in the Context of Cyber Threats

The EU legal framework on data privacy thus creates obstacles to processing cyber
incident data for the purpose of cooperative cyber defence management. While there
are legally safe ways to secure evidence and manage cyber incidents, recent trends in
EU member states require that more attention be paid to these issues on the national
regulatory level.
This article will provide insight into personal data protection issues that relate to
the exchange of information concerning cyber incidents and, based on considerations
pertinent to national approaches, it will provide guidance on how to minimise the
related legal risks that come with cyber incident management.

1. The Benefit of Sharing Information

During 2007 and 2008, the CCD COE legal team analysed the legal aspects of five major cyber incidents – Estonia, Radio Free Europe in Prague, Lithuania, Georgia, and Burma.4
The Estonian cyber incident that occurred in early 2007 was a landmark case,
where publicly sharing information about the cyber attacks turned out to benefit the
government in its efforts to defend itself against its invisible enemy. Since then, major
IT security think tanks and international media channels keep a column on cyber
incidents of international concern.
There is an increasing amount of information available about politically motivated and government-targeted cyber incidents. The management of cross-border cyber incidents and conflicts, however, requires extensive and detailed information sharing among governmental entities, and also between these and the entities responsible for the information infrastructure, which are often privately owned. This kind of cooperation between nations and international organisations is inevitable.
The data of interest comprises not only details about the course of action and
background of the incidents but also real-time reporting on targets and, most
importantly, details of the server logs, which make it possible to differentiate the good
traffic from the bad, block hostile IP addresses, and trace the origin of the attacks.
With cyber defence developments in NATO, sharing information on cyber incidents will form an essential part of the national cyber security agenda. The study of recent cyber incidents shows that the nature of the information infrastructure5 in conjunction with the territoriality principle6 makes it difficult for a nation, when acting alone, to defend itself against cross-border cyber attacks.

3 While there is no internationally accepted legal definition of cyber threats (one of the key reasons for difficulties related to the implementation of personal data protection rules), the concerns of cyber security involve stakeholders such as international organisations, governments, the private sector and IT infrastructure providers, as well as home users. The incidents that may affect the functioning of a society’s critical infrastructure may initially occur as simple human error and deviation from internal information security regulations, or they may turn out to be intentional, often politically motivated, criminal activities or coordinated and well-targeted attacks that support other hostile activities towards the entity or nation in question. Therefore, the term “cyber defence” is to be understood to cover the prevention of and potential responses to different types and levels of cyber threats.

4 These papers are available on www.ccdcoe.org.

NATO has developed a mechanism to assist nations in case of severe cyber attacks, but the implementation of the relevant provisions of the Cyber Defence Policy and Cyber Defence Concept requires structured and well-coordinated information sharing on those aspects that demonstrate the relevance the said cyber incidents have for NATO.
In order to meet the criteria for receiving help from rapid reaction teams,
consulting or any other type of assistance, the nation must satisfy a burden of proof of
the relevance of the conflict for NATO. This can only be done after a thorough analysis
of the underlying facts about the nature, extent and sources of the incident has been
completed.
In summary, effective defence relies on cooperation, and effective cooperation needs precision about the facts of the incidents. Effective defence measures depend on the accuracy of information, and in order to achieve prosecution, the evidence must be able to indicate the source of the attacks.
Estonia is one of the countries that are both a NATO nation and an EU member state. In the context of cyber security there is an increasing interrelation between the activities and areas of concern of these two major and influential organisations; sharing information on cyber incidents is just one of them.

2. EU vs. NATO: The Cyber Security Agenda

A sustainable information society and trusted environment for e-commerce and information society services has been a key concern for the EU over the past decades. The EU is known for its wide-reaching and effective information society regulation7, which is reflected in the national legal systems of not only EU member states but also EEA countries and others.8

5 The nature of the information infrastructure can be best explained by the rationale that was employed in developing the Internet. It was designed as a response to national security concerns to provide a communications network that would work even if some of the sites were physically destroyed. If the most direct route was not available, routers would direct traffic around the network via alternate routes.

6 The contemporary legal framework adheres to the concept of sovereignty, which is granted to nations on the basis of the physical dimensions of their air, land and sea territory. While a few other arrangements exist (the common understanding governing the high seas and space), so far no general agreement has been concluded with respect to the governance and control of the Internet. Therefore, conduct on the Internet can only partly and conditionally be subjected to a nation’s jurisdiction.

NATO is known as a security and defence organisation, which focuses on issues
that in practical terms remain beyond the scope of the applicability of the EU law. The
“security” paradigm has been changing over the past couple of decades, expanding the
focus of defence interests beyond kinetic and symmetric threats to include issues such
as terrorism, electronic warfare and critical infrastructure protection.
Thus, in the past few years, the interests of these organisations have developed
significant overlaps. This is especially the case since NATO has begun to look more
into the cyber attacks and has recognised that not only cyber incidents against military
targets but also those directed against national governmental and possibly private
critical infrastructure functions may affect (inter)national security, thus deserving the
interest of this military organisation. It is due to this interest that a common playing
field has emerged for the two organisations.
While the two organisations share interest in the field of Critical Infrastructure
Information (“CII”) protection, personal data protection in the EU legal framework
may become a factor that could hinder the creation of effective cyber defence, unless
timely and duly attended to by the interested nations and entities.
There seems to be some inconsistency in the application of Directive 95/46/EC (hereinafter referred to as ‘the Directive’ or ‘the Personal Data Protection Directive’) by the Member States. These differences in the interpretation and application of the Directive are particularly evident when looking at the approach taken by Germany in comparison with Sweden. These two cases will be discussed below. The dominant view held by the EU data protection authorities, however, requires that information sharing regarding cyber incidents be supported by a specific legal provision under the national law of each Member State.

7 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24/04/2002 pp. 0033-0050; and four specific Directives: Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisation Directive); Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive); Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive); Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Personal Data Protection Directive), OJ L 281, 23/11/1995 p. 31; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31/07/2002 pp. 0037–0047.
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce'), OJ L 178, 17/07/2000 pp. 0001–0016.
Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures, OJ L 13, 19/01/2000, p. 12.
Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information, OJ L 345, 31/12/2003 pp. 0090–0096.

8 Currently, personal data can flow between the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) and to Switzerland, Canada, Argentina, Guernsey, and the Isle of Man. An exception is granted to the US Department of Commerce under the Safe Harbor Privacy Principles, and for the transfer of Air Passenger Name Records to the United States Bureau of Customs and Border Protection.

3. EU Data Protection Agenda and Reflections on Member States

Systematic data protection in Europe dates to the aftermath of the Second World War and arises from the need to face the threat that people could potentially be mistreated based on an abuse or misuse of personal data available to the state.9 Essentially, the EU data protection regulatory framework is based on a prohibition on processing personal data, with a set of exceptions that allow data to be processed subject to personal data protection principles and restrictions.
Directive 95/46/EC serves as the basis for personal data protection legal acts in
nearly 30 advanced information societies. Personal data are defined as "any
information relating to an identified or identifiable natural person ("data subject"); an
identifiable person is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;" (art. 2 a).
This definition is intended to be extensive. Data are "personal data" when someone
is able to link the information to a person, even if the person holding the data cannot
make this link themselves. Some examples of "personal data" are: address, credit card
number, bank statements, criminal record, etc.
Recently, the EU Data Protection Supervisor, Peter Hustinx, shared his opinion on IP addresses as personal data, pointing out that IP addresses are also protected under data protection laws. Speaking to ZDNet at an RSA information security conference in London, he said that a person does not have to be identifiable by name in order for details of computer usage to be protected. Companies that gather addresses that might or might not be personal data should simply treat them all as personal. When companies are unsure whether information such as activity or server logs, or a record of Internet Protocol (IP) addresses, is personal data or not, they should treat it all as personal data.10

9 In 1939, the German authorities conducted a census to register German Jews and those who were half Jewish with the Reichssicherheitshauptamt. While the authorities claimed that personal data, such as religious affiliation and nationality, were confidential, a national registry was created on the basis of those data to point out which citizens had a Jewish parent or grandparent. Similar registries were created and updated in Poland and compared to the data of the 1933 census. After the census, German citizens were listed in the Reichskartei as Aryans or non-Aryans, and their fate for the purposes of the Second World War was determined by the Nazi authorities controlling those registries.
In this context, statistical data was put to the service of the governing regime. An extreme emphasis on population policy transformed normally quantitative data about people into a qualitative and psychological basis for rule. Although statistical in nature, this information relied on the penetration of private and public lives, on recording and categorising such data and, last but not least, on subdividing the data.
Religion and nationality were not the only categories recorded. In 1935, the authorities created the labour registry, in 1936 the health registry, in 1939 the population registry, and in 1944 the personal identification number system. From 1934 on, those with hereditary illnesses were registered. By the beginning of the war, the authorities had a clear picture of the family planning, land inheritance and health status of the population. These statistics were put to service by and under the control of the authorities.

10 Michael, James. EU DP Supervisor says IP addresses are protected. Privacy Laws and Business International Newsletter, December 2008, issue 96, page 9.

In the event that personal data is involved, any processing11 of such data falls under the scope of the Directive unless otherwise provided for under national law.
In the context of information exchange regarding cyber attacks, one of the more important provisions of the EU Data Protection Directive is Article 25, which prohibits the transfer of personal data to third countries.12 In principle, the transfer of personal data to countries outside of the EU requires the European Commission to assess the specific personal data protection regulations and practices of the country concerned.
Since cyber threats have affected different countries, the national courts have the task of providing guidance on how to deal with those threats in the context of personal data privacy concerns. Interestingly, the views and approaches to the balance between privacy and security expressed by the various national courts not only indicate a difference of position and approach from country to country, but also highlight the existing challenge of finding a balance in the application of the Directive itself.
In a verdict of 27 February 2008,13 the Bundesverfassungsgericht (German Constitutional Court, henceforth “BVerfG”) ruled that from the right to personal self-determination follows an individual’s right to the security and integrity of information systems (Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme). The essence of this ruling reflects Germany’s well-established guarantees of personal privacy, privacy of communications, and protection of personal data, and it emphasises the duty to refrain from violating the privacy of the user without a proper basis in applicable law.
The court emphasised that covert infiltration in information systems resulting in
the surveillance of a person’s use of that system is only allowed when there is
a) effective evidence, b) a real threat, c) a legally protected value, and d) where the
authority for such interference is clearly provided for in the law. This effectively
provides a relevant authority with a checklist of legal criteria/conditions that must be
met in order to carry out a surveillance procedure. The court specified that threats to
the fundamental institutions or existence of the state itself would indeed be a category
that could justify such interference, indicating, inter alia, that under certain
circumstances surveillance can be justified as a pre-emptive measure. In addition to the
factual and legal necessity outlined above, and as part of the legal basis of authority
requirement (element d) also referenced above, resorting to such measures in Germany
would usually also require a court order as a prerequisite.

11 Under Article 2 (b) of the Directive, processing of personal data ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

12 The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

13 http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html

The BVerfG ruling represents a cautious approach to how much authority, and of what kind, the state has over private communications, and in particular over the surveillance of such communications.
As such, the judgement in Germany stands in contrast to recent developments under Swedish law, where a bill was passed in June 2008 that allowed for the monitoring of all emails, text messages and phone calls for the purpose of national security.14 This legal instrument received widespread public criticism for excessively restricting civil liberties, violating integrity and creating a "big brother" state. According to the law, the state institution given the authority for surveillance, the FRA (Försvarets radioanstalt, the Swedish National Defence Radio Establishment) – unlike the police – would not be required to seek a court order to commence surveillance;15 however, the Swedish Data Inspection Authority would supervise the activities of the FRA, and a collective board would be instituted to decide on surveillance in specific cases.16
The UK Information Commissioner's Office (ICO) has issued a statement that isolated IP addresses do not constitute personal data, but become personal data if they are used to create a profile of an individual or when in the hands of an ISP. According to the ICO’s reasoning, it is difficult to use IP addresses to build up personalised profiles. Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time. So if it is only the ISP who can link the IP address to an individual, it is difficult to see how the Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information. Some IP addresses are 'static', and these are different. Like some cookies, they can be linked to a particular computer, which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling.17
The ICO approach is a purpose-based approach, where the applicability of the Directive depends on whether the purpose for which the data is processed engages the aim of the Directive itself. However, in light of personal data protection regulation in the EU and the numerous rulings of the European Court of Justice and the European Court of Human Rights, the focus of the Directive may have shifted towards the German school of interpretation.
Furthermore, the EU data protection authorities have recently supported a rather
protective approach towards personal data protection. Thus, the personal data
protection regulation under the First Pillar may have a cooling effect on the
implementation of measures regarding Third Pillar concerns and more generally, affect
the way that the world manages cyber incidents.

14 ‘Signal Surveillance Act’, Lag (2008:717) om signalspaning i försvarsunderrättelseverksamhet

15 'Yes' to surveillance law. The Local, June 18, 2008. <http://www.thelocal.se/12534.html>

16 Thelenius-Wanler, Emma. Riksdagen röstade igenom FRA-lag. Dagens Nyheter, June 18, 2008. <http://www.dn.se/DNet/jsp/polopoly.jsp?d=147&a=795317>

17 http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf

4. Balancing Privacy and Cyber Security

In the hierarchy of fundamental rights, the right to privacy has traditionally been considered one of the most significant, coming right after the “vital” rights to life, health, and freedom.18 As long as there are security concerns regarding these legally protected values, creating exceptions from the Directive may be seen as a matter for national regulation.19
But contemporary cyber incidents are often difficult to legally categorise. The
Estonian cyber incident, often referred to as Cyber War 1.0, did not really result in loss
of life or freedom, but rather portrayed a novel set of threats that does not readily fit
into the existing perception of threat. Similarly, nobody was killed or injured in
Georgia as a result of DDoS attacks against government and media websites.
Modern information societies have become greatly dependent on information infrastructure and consequently may be vulnerable not only in “traditional” ways but also in the context of the accuracy, reliability and security of information, not to mention in ways that could restrict the freedom of information and speech. These threats are not readily justified exceptions from the area of application of the Data Protection Directive. As a matter of fact, these threats do not fall within the focus of the law of armed conflict or of criminal law in the field of IT, either.20
Therefore, in order to create legal certainty for processing data about cyber
incidents, the concept of cyber threat as well as the components of cyber incident
management, such as transmitters and recipients of data and the nature, purpose and
possible legal effect of data processing, need to be defined under the national
regulatory framework.
Otherwise, different opinions regarding the applicability of the personal data
protection framework may hamper legal proceedings related to cyber incident
management and create even more inconsistency in implementing the measures created
for this complex and sophisticated legal area.

5. National Self-Help Remedies for Personal Data Protection Risks

Under the circumstances, where the extent of cyber security exceptions under the EU
Personal Data Protection Directive is unclear, the nations are in a position to consider
additional regulatory steps to reduce the risk of personal data privacy invasion and to
support the interaction between national CERTs, the private sector, the government and
international entities dealing with cyber defence.
These include: clearly indicating and better defining the area of applicability of the national personal data protection regulation; defining the elements of critical infrastructure that, if attacked or otherwise disabled by electronic means, would be part of a member state’s request for assistance to NATO; and using other, possibly technical, economic, policy etc. measures in order to shape society’s tolerance and general understanding of cyber security.

18 Vital interests of the data subject or a third person are a legitimate basis for processing personal data without additional consent requirements under Article 8 (2) c.

19 According to Article 3 (2), this Directive shall not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.

20 LOAC was drafted with kinetic and bloody wars in mind, whereas most of the criminal law pertaining to IT incidents has the economic effect of IT criminality in the background.

5.1. Making a Provision Concerning the Area of Applicability of the EU Personal Data
Protection Regulation in the Field of Cyber Security

As indicated by the BVerfG, the elements necessary to design the national view of
cyber security clearly ought to provide for the aforementioned conditions of
a) effective evidence of, b) a real threat against, c) a legally protected value, and d) the
authority for interference.
In other words, the exceptions to the national data protection regulation have to be
tied to national threat assessment procedures and legally accepted means of cyber
deterrence. Last but not least, the authority must give clear indications that allow for
the immediacy of a threat to be determined.

5.2. Defining Critical Infrastructure (Relevant to Cyber Security)

Defining the components of the national information architecture that are critical not only for the State to function correctly but also to preserve national security will render the institutions that are part of the information flow transparent in case of a cyber incident of concern to national security. This will, on the one hand, establish the framework for the potential focus regarding personal data processing and thereby serve as part of the legal basis for data processing.
On the other hand, defining the components that are critical to national, and
possibly international security, will outline what the potential threat assessment and
risk management criteria are for the institutions involved. For example, under the
Directive 95/46/EC, the private sector is under obligation to provide the data subject
with a comprehensive understanding of the potential uses of the data available about
him or her. The definition of CII elements will help to determine and define additional
legal measures such as audit obligations, threat assessment and reporting measures or
potential restrictions to terms of use of critical information systems.

5.3. Defining the Procedure for the Exchange of Information Regarding Cyber
Incidents

There are a number of persons involved in gathering accurate and consistent data on cyber incidents. Provided that the addressee of the information about the incident is the NATO Cyber Defence Management Authority, the information will be readily accessible to potentially all NATO nations. The information will be provided by a designated national authority that, under most circumstances, is not in a position to directly gather data, but will be enabled to use different sources, such as national CERTs, components of the CII under attack and ISPs. Last but not least, information may be directly or indirectly collected from the data subjects.
In order to minimise the risk that the information and details of the incident are misused, the potential chain of information ought to be defined so as to create a correct legal basis for processing such details.

5.4. Engaging Soft Law and Self-regulatory Means to Enhance National Cyber Defence
Capability

The law in the field of cyber defence and cyber security is evolving and is, to a great extent, dependent on political (and popular) views on the issue. It is therefore important that all legal measures be communicated to the general public from the moment that such regulation could necessitate a reduction in the sphere of privacy and anonymity of the data subject in order to ensure national cyber security. Laws regarding privacy may very well need an element of public dialogue to better support the activities of the cyber defence authorities and law enforcement agencies and to increase their understanding of, and cooperation with, the data protection authorities.
Creating an understanding between all stakeholders of the information society is a task that no government is capable of accomplishing on its own. Consequently, a global approach to the development of national cyber security policies and strategies must be taken that incorporates not only international concerns but also the interests of the private sector and the habits of individual consumers in the information society.

Conclusions and a Way Forward

The ideas presented above, which take a generalised look at national approaches into
account, aim at identifying more effective cyber defence policies and strategies. As
international cyber security concerns evolve, more constructive and sophisticated
cooperation is needed between the EU and NATO, and potentially other international
organisations, to ensure that any loose ends in the defence measures adopted are kept
under control and resolved.
As countries build their national cyber defence framework, they face the privacy
vs. security test. It is not only about choosing between the approaches of Germany and
Sweden, which find themselves on either end of the privacy vs. security spectrum, but
it is also a question of taking the factors of cyber threats unique to each nation and
balancing them with the international cyber security agenda and concerns.
Recognising and defining CII as an aspect of cyber threats of national/NATO
relevance will serve to facilitate the management of cyber incidents by enabling a
model and procedures to be created that are capable of addressing the incidents and any
information connected to them.
In defining how personal data ought to be processed for cyber security purposes,
two courses of action must be considered and pursued: transparency and visibility for
the data subjects, and a systematic approach to be taken by the authorities to manage
cyber conflicts.
National Data Protection Authorities will play an important role in reconsidering
national approaches to data processing as they take aspects of cyber defence into
account. In developing their views on the implementation of the EU Directive, they
may need to rethink the essence and aims of personal data protection in Europe and,
thus, reshape the landscape of personal privacy.
Modelling Cyber Security: Approaches, Methodology, Strategies 199
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-199

Crimen Ex Machina: A Legal Approach


Prof. IVO PAPARELA
PhD, University of Dubrovnik

Abstract. Appropriate laws and efficient judiciary and law enforcement agencies
that are not corrupt, are the first line of defence against cyber aggression. Due to
the border-less nature of the internet and activity on the internet, it is also clear that
criminal laissez faire (in other words, a “crime friendly” legal system) in one
country jeopardises anti-crime efforts in many others. An efficient legal system is,
in and of itself, a form of “antivirus” and adds value to all of the existing technical
anti-virus solutions; it is also the only anti-virus that criminals and terrorists alike
are afraid of. But is the legislation of the NATO countries and other countries,
particularly Eastern European Countries (hereinafter, EE), on cyber criminality,
adequate and capable of supporting law enforcement agencies in their fight against
cyber criminals?
Keywords. criminal code, cyber criminality, Croatia, East European Countries,
cyber war, cyber army

Introductory Remarks

Is the legislation of the NATO countries and other countries, particularly Eastern
European Countries (hereinafter, EE), on cyber criminality, adequate and capable of
supporting law enforcement agencies in their fight against cyber criminals? Are the law
enforcement agencies, in NATO countries and in other EE countries, sufficiently
supported politically and juridically to be able to cope with cyber “warriors” regardless
of the motives of these attackers? If yes, then this article is of no consequence. If not,
what happens next? These questions need an answer, an honest one and not simply a
politically correct one! In the interest of common security and welfare of the citizens,
these questions must be given an answer.

At the same time, we are perfectly aware of how much the business world needs
“virtual” shares in order to carry out ordinary operations on the stock exchange.
Therefore, the challenges that legislators, internet users, policemen and criminals face
once they start using their computer become readily understandable.

In other words, having appropriate laws (1), both ius and lex, in place, together with an
efficient judiciary and law enforcement agencies that are not corrupt, is the first line of
defence against cyber aggression. This is the strategic defence structure of every democratic
country. Readers know that law and order are the basis of any free society and that
“chaotic freedoms” (such as free license) are the enemies of freedom and human
dignity.

It is evident that the cyber world has many elements of “chaotic freedoms”. In these
last few years, policing of the web has appeared even to politicians to be a necessity. As
a result, in most countries, legislation regarding socially unacceptable activities on the
web has been promulgated. A legal analysis of cyber space, although necessary in and
of itself, also helps those in the field to better understand, from a technical viewpoint,
how their work fits into the social and security dimensions of cyberspace, be they
within country boundaries or the international arena.
Efforts made by police forces in this field, like elsewhere, can be neutralised or
rendered ineffectual by inadequate laws and corrupt judges. Due to the border-less
nature of the internet and activity on the internet, it is also clear that criminal laissez
faire (in other words, a “crime friendly” legal system) in one country jeopardises anti-
crime efforts in many others.

The juridical approach to facing cyber criminality focuses on the human element, which
is essential to the question of cyber regulation. In other words, the juridical approach
focuses on human behaviour as it uses a “machine”. An efficient legal system is, in and
of itself, a form of “antivirus” and adds value to all of the existing technical anti-virus
solutions; it is also the only anti-virus that criminals and terrorists alike are afraid of.

This paper is the product of an embryo of research “in situ”; the conclusions are
provisional.

1. A brief comparative overview of legislation on cyber activities

Cyberspace is simultaneously: a) big business; b) a work tool; c) a source of
information; d) a space for social activities, including recreation; e) a field for criminal
activities, including terrorism; f) a weapon of mass destruction; g) a battlefield sui
generis.

Each one of these aspects has its own legal rules that regulate how they function within
a given context and circumstances. All users are expected to respect those rules. Legal
systems are put in place to “make life difficult” for those who would infringe upon the
rules. Those who abuse the internet and its rules, however, can be very dangerous
because of the effects that they can have not only in the virtual world but also in the
real world.
In this section, national legislation on cyber activities will be briefly presented and
emphasis will be placed on the improvements that would need to be made in each of
the legislations presented.

Recently, Western countries have found that legally policing the Internet is in the public
interest. (Russia, China and Arab countries police their cyber space efficiently.)

Most Eastern European countries (EE) have some form of basic “cyber legislation” in
place. However, they may still be considered to be “numerical paradises”, the Balkan
countries among them. The reasons are that criminality, in general, flourishes better
there than in other parts of Europe, and that the existing legislation is incomplete and
not properly enforced.

Criminal codes in Croatia and Slovenia have articles that directly deal with cyber
criminality (2). Serbia and other countries also have similar legislation (3). Neither the
Penal Code nor the Code of Criminal Procedures in the EE countries discourages people
from committing illegal acts in general and ipso facto on the Internet (4). Punishments
are frequently lenient (5). In fact, this author currently knows of only four cases of
criminal activities that have gone before the courts in Croatia, for which the sentences
have been lenient. In other EE countries judicial policy is about the same!

Legislation in EE countries is based on the Convention of the Council of Europe on
Cyber Criminality (Budapest 2001). Neither the various national legislations in EE
countries nor the Convention itself are adapted to suit the reality of cyber criminality
today. The reasons are that both the Criminal Code (CC) and the Code of Criminal
Procedures (CCP) are crime friendly in general. Another reason has to do with the
difficulty of finding a juridical definition of cyber criminality that is satisfactory for
everybody. Moreover, there is a general lack of political will to impose the criminal
legislation necessary to face the presently high levels of criminality.
From the interviews held with prosecutors in various Balkan countries, the impression
that was clearly transmitted was that cyber criminality is the least of their worries.
First, they do not fully understand cyber technology. Second, “ordinary” criminality is
their priority. Third, they do not care much about cyber or other criminality to begin
with.
Police departments have better knowledge of the subject, but policemen are
discouraged by the laxity of the judiciary. What is more, the police find themselves under
political pressure!
Yearly meetings between the Ministers of the Interior, the chiefs of police and the state
prosecutors of the Balkan countries have had the tangible result of ensuring that only the
small fish, or petty criminals, are imprisoned more frequently than before.
In the near future, it would be necessary to introduce a provision in the CCP that the
defendant bear the onus probandi if he is charged with financial or cyber offences. That
would be an excellent anti-virus for all.

2. Cyber criminality as a part of general criminality

Both criminals and terrorists need money more than cell phones or computers. For
this reason they look for safe places, like the Balkan countries (6), so that they can carry on
with business in total impunity. In order to do this, however, the criminals need new
identities and passports to fit that identity. They also need lawyers, public notaries,
court experts and accounting auditors, who will assist them in various procedures
regarding trade documents, corporate registration and other “business activities”. Thus,
the visible part of the business hides the illegal aspects.
One might ask where the computer is in all of this. The following is a real-life example
from Croatia:
The real estate records of the whole country may be found on the Internet. This enables
everybody to see the land or house and the name of its owner; the latter is usually a
normal citizen. Crooks, who need to legalise dirty money or want real estate for
speculation purposes, pay the police for a new identity superimposed on the name of
the innocent owner, after which, they buy and sell under the new identity. The public
notary asks no questions and the business is done. When the owner discovers his
tragedy and asks the police for help, the police officer simply tells him that his
department does not investigate real estate disputes and that he has to go to the court,
which is competent ratione loci. In other words, the owner is told to go see the judge
who is in contact with crooks and who “legalised” this operation. The result for the
honest man is evident.
Several thousand of such operations have taken place all over the area and represent
tens of millions of euro and large profits for criminals. Many Russian and Serbian
criminals have Croatian passports.
This is clearly the combination of organised crime assisted by criminality within
institutions and an application of NEC 1. It is often difficult to say whether the
institutions are a subsidiary of crime or whether crime in these countries is a subsidiary
of governmental bodies. Furthermore, most of the judges and prosecutors in Croatia
were appointed before 1990. The vast majority of them have secret police files
and were in contact with the political police prior to the declaration of
independent Croatia. Those files have been sold to the criminals by police officers, who
either joined the “private sector” after 1990, or have been corrupted by criminals or by
their former colleagues in the “private sector”. Some of the supreme court judges were
involved in political trials during that period of time and do not want public
opinion and their children to discover how they behaved as judges before 1990.
This means that these judges can be easily blackmailed by criminals at any time. This
explains the many “procedural” errors that occur when criminals of high calibre are
judged. Errors are often made intentionally, so that defence lawyers have no difficulty
obtaining “not guilty” verdicts.

From what has been said above, it is evident that criminals, in general, and cyber
criminals, in particular, are free, and indeed have a relatively free range of action, in EE
& Balkan countries.
This has implications for the NATO area of interest, because it is from those countries
that cyber attacks can be launched to strike targets anywhere in the world. Some of
these countries are EU and NATO members, which implies that their citizens can move
freely within the entire EU area. Many people in EE countries are jobless or want to get
rich quickly, like their leaders have done. Those are normal, everyday citizens that have
no criminal past or criminal connections. Criminals, on the other hand, have been able to
steal their names and addresses and have started to use them for their drug businesses,
on a one-shot basis.
The same techniques are often used in illegal cyber activities. For example, students are
offered free computers or laptops. Those laptops are then used for the dissemination of
pornography or any other criminal purposes, more often than not without knowledge of
the student.
The standard abuse of the stock market and other forms of criminal banking is kept
secret and no one wanted to speak of it to this author. Bearing in mind that Bosnia is a
poor country and that in this poor country banking density has almost reached the same
proportions as in Geneva, it is left to the readers to draw their own conclusions.
New draconian legislation is needed: fragenti fidem non est fides servanda!

3. Computer as a WMD

Several issues are presented here.

Imagine that a group of “illuminated”, spoiled or manipulated young people have
intercontinental missiles in their hands. Now, imagine that the Serbian mafia has the
same thing.
A computer can have devastating effects on the infrastructure of a country with
generated costs (direct or indirect) comparable to those of a warhead. (7)

1 NEC (Network Enabled Capabilities) are a less radical concept than Network Centric Warfare and aim at
merging the existing systems and platforms in an effective communication network. In the text, this concept
is used allegorically.

This implies how important it is that each and every government seriously polices its
territory as well as its cyber space. If the police and judiciary in such a country,
however, are corrupted, assistance to the authorities of a country that has been attacked
is not guaranteed or it is misleading. How evidence is handled and administered is
absolutely crucial, but within states where high levels of corruption exist this is next to
impossible.
When an aggression is actually committed by a government, questions of international
law are also raised. This requires the re-examination of military doctrine.
There are, more or less, three possibilities of attack: Virtual vs. Virtual; Virtual vs. Real;
Real vs. Virtual. Within this context it might be of some interest to read old Soviet (yes,
Soviet) military authors once again (8). Virtual reality is the sixth dimension of military
operations: ground, sea, underwater, air, cosmos and cyber space. This then goes back
to ground operations if and when dominance is the purpose of the war.
Rethinking cyber war is a challenge, because one has to deal differently with concepts
of time and space in the cyber reality and link them with the parallel concepts of
ordinary, physical reality. Cyber space may be simultaneously considered to be an
independent entity in its own right or an element, sine qua non, in any operation that
takes place within the other five aforementioned dimensions. This is why the Russian
military speaks (9) of informaticeske vojsk (cyber army), informaticeska vojna (cyber
war) and realna virtualna vojna (real virtual war), and quotes the American authors
Marcus Ranum and Bruce Schneier (10).
Top commanders must react more quickly than platoon commanders in this new and
rapidly shifting environment. They must have the reflexes of a water polo goal keeper.
The initial phase of a war (nacalni period vojni) follows the same political logic, but
radically changes the technology that is used. This is another point of concern and
would be an important research subject.
One can imagine the legal implications when governments start to think about the non-
proliferation of cyber technologies, or about the reduction of cyber forces.
Intelligence agencies, which work in cyber space, need to have a lot of knowledge,
experience and wisdom. Mathematical modelling is necessary and helpful, but the
results depend on initial inputs, which are arbitrary. Thus, the human intelligence
(agenturnaja razvedka) factor remains as important as ever.

By Way of Conclusion

The answer to the two questions that are asked at the very beginning of this paper is
clearly no.
The intention of this paper was to highlight the importance of the laws which protect
free nations from totalitarian threats. Security is not divisible. Even if it were divisible it
would have prohibitive costs. EE countries are the weak link in the security chain, for
many reasons, but above all because of the corruption that runs through their
government agencies.
Public opinion in the West is also a liability for defence and security organisations, and
it is not favourable to the proposal of a legally based control over Internet activity; this
shows the effects of brainwashing on the populations and youth. Various “gurus”,
Madonna, the Beatles and other starlets, have more credibility than heads of security
services in the eyes of public opinion. But this same public opinion requires protection
when its bank accounts or credit cards are lost or stolen. Do they not believe that
“Hannibal is ante portas”? In reality, why should they? Have they any example in
society?

NOTES

1) Good laws are not always appropriate.
2) Croatian Criminal Code, www.Zakoni.hr
3) Serbian CC, www.Serbia.gov.rs
4) So art. 223 §1 Croatian CC.
5) In Slovenia & Croatia the maximum penalty is five years. Practically, this means two years for good behaviour in jail.
6) See Xavier Raufer in Revue Défense Nationale 12/2008.
7) See Cybercriminalité à la cyberguerre, Revue Défense Nationale 5/2008.
8) See Isserson in Voprosy strategii I oprativnovo iskustva, Gosizdat 1963, Moskva.
9) Gen. Anatoly Nogovicnii, Deputy Chief of General Staff, in “Vzgljad” 25/2/2009.
10) See Vzgljad 25/12/2007.

Curricula Vitae of the Authors


Maurizio AGAZZI
Company Director of Information and Communication Technology for the ROBUR
S.p.A Group.

Niv AHITUV
Marko and Lucie Chaoul Chair for Research in Information Evaluation and the
Academic Director of Netvision Institute of Internet Studies at Tel Aviv University.

Paolo CAMPOBASSO
Senior Vice President of UniCredit Group.

Giovanni CATALDO
Chief of the Section on Terrorism in the Organised Crime Office at the Carabinieri
General Headquarters.

Claudio CIOFFI-REVILLA
Professor of Computational Social Science and Founding Director of the Center for
Social Complexity at George Mason University, Jefferson Science Fellow at National
Academy of Science.

Yuval ELOVICI
Director of the Deutsche Telekom Laboratories at Ben-Gurion University and Senior
lecturer at the Department of Information Systems Engineering, Ben-Gurion
University.

Alessandro GAZZINI
Principal at Booz & Company. He leads Booz’s Risk, Resilience and Information
Assurance related activities for the European Union and Middle Eastern markets.

Umberto GORI
Full Professor (r) of International Relations and Strategic Studies, University of
Florence. Professor at the Naval Academy and Air Force College. President of CSSI.
Director of ISPRI. President of the Scientific Committee, Master in Intelligence and
Security, Link Campus University of Malta.

Giancarlo GRASSO
Senior Advisor to the Chairman and CEO of Finmeccanica S.p.A., Chief of the Italian
Delegation at N.I.A.G., Deputy Chairman of ESRIF, and Chairman of the ASD
Security Commission.

Anat HOCHBERG-MAROM
Department of Political Science, Faculty of Social Science at Tel Aviv University.

Gerardo IOVANE
Associate Professor in Mathematics Analysis at the University of Salerno, National
Scientific Expert at NATO (Research and Technology Agency), and Scientific Expert
at the Ministry of University and Scientific Research (MIUR).

Serena LISI
Centre of Strategic and International Studies (CSSI), University of Florence.

Antonio Guido MONNO
Colonel of the Carabinieri, Udine Regional Headquarters and former Branch Chief of
Counter-Intelligence and Security in Afsouth - NATO (Allied Forces of Southern
Europe).

Guglielmo MORGARI
Crypto team leader at TELSY Elettronica e Telecomunicazioni S.p.A. His current
technical interests are encryption algorithms with a main focus on the development and
cryptanalysis of stream ciphers; security protocols; cryptographic primitives
implementation on general purpose and dedicated hardware.

Haris MOURATIDIS
Principal Lecturer in Secure Systems and Software Development at the School of
Computing, Information Technology and Engineering (CITE) at the University of East
London, where he is also the Field Leader for the Secure Systems and Software
Development Field.

Marco PAGGIO
Project leader and technical Director at TELSY Elettronica e Telecomunicazioni S.p.A.
and member of IEEE.

Esti PESHIN
Former Chief Executive Officer, Waterfall Security Solutions Ltd.

Ivo PAPARELA
Full professor at the University of Dubrovnik. His current research is focused on the
legal and economic aspects of stock markets in South-Eastern Europe and on corporate
accounting laws and standards.

Andrea RIGONI
Booz and Company.

Ferdinando SAN FELICE DI MONTEFORTE
Former Italian Military Representative to the NATO and EU Military Committees.

Dario Maria SGOBBI
Director of the Navy Cryptographic Center (CDR), also involved in resolving all
of the Italian Navy INFOSEC technical issues.

Asaf SHABATAI
Deutsche Telekom Laboratories at Ben Gurion University.

Pascal SITBON
Expert Researcher and Project Manager on Industrial Control Systems, Cybersecurity
at EDF (Electricité de France).

Sergio STARO
Deputy Questore of the Italian National Police, Senior Police Officer of the Computer
Crime Unit and Head of the International Relations Section of the Postal and
Communications Police Service.

Eneken TIKK
Head of the Legal Task Team of the Cooperative Cyber Defence Centre of Excellence
(CCD COE), Estonia.

Ari VIDALI
CEO of ENVISAGE Technologies Corp. (USA). Founder of iFORCES (the Institute
For Operational Readiness and Continuous Education in Security). Consultant for the
Federal Government, Homeland Security, Emergency Management, Military, Law
Enforcement, First Responder, Higher Education and Medical industries.

Domenico VULPIANI
Superior director of the Italian State Police. Since 2001, he has been the Director of the
Postal and Communications Police Service, whose objective is to protect
communications and counter postal, computer and cyber crime.

LIST OF PARTICIPANTS
NATO ARW - Operational Network Intelligence: Today and
Tomorrow

AGAZZI Maurizio - Robur SpA
AHITUV Niv - NIIS, Netvision Institute for Internet Studies
ANCORA Massimo - Italian Army
ARDITTI Michel - CESIC, Cercle d’Étude de Sécurité Industrielle & Commerciale
BERNARDI Romolo - Finmeccanica
BLITZBLAU Shai - University of Tel Aviv
BOBYLEV Nikolai - Technische Universitat Berlin
BOLOGNA Enrico - Italian Defence General Staff
BOZZO Luciano - CSSI, University Centre for Strategic and International Studies
CAMPOBASSO Paolo - Unicredit Group Holding
CANTARELLA Alfonso - Confindustria
CATALDO Giovanni - Carabinieri Corps
CELEBI Erdogan - Center of Excellence Defence against Terrorism
CHAINESE Flavio - Italian Army
CIOFFI-REVILLA Claudio - The Centre of Social Complexity, G. Mason University
COLBY Fifolle - ISPRI, Institute of Forecasting Studies
CUDA SOMMERFELD Renate - ISPRI, Institute of Forecasting Studies
DELL’ACQUA Francesca - NATO
DI CECCO Vittorio Emanuele - Defence General Staff
DIAMANTI Tiziano - Italian Army
ELOVICI Yuval - Deutsche Telekom Laboratories
FERILLI Mauro - Italian Army
GAZZINI Alessandro - Booz & Company
GORI Umberto - CSSI, University Centre for Strategic and International Studies
GRASSO Giancarlo - Finmeccanica
GRIGORYAN Arsen - Yerevan State University
GRILLO Bardhyl - University Scanderberg of Tirana
HAKOPIAN Christina - Yerevan State University
HANAFI Menouar - University of Oran
HOCHBERG-MAROM Anat - Tel Aviv University
IOVANE Gerardo - University of Salerno
JONGMAN Albert J. - Dutch Ministry of Defense
KASKA Kadri - Cooperative Cyber Defence Centre of Excellence
KAVUNENKO Lidiya - National Academy of Science of Ukraina
LEZZI Paolo - Maglan Group
LISI Serena - CSSI, University Centre for Strategic and International Studies
LOMBARDINI Gualtiero - Generale Agricola s.n.c.
LUCATTELLI Giancarlo - Finmeccanica
MALTAGLIATI Ilaria - CSSI, University Centre for Strategic and International Studies
MANDARINO Lorenzo Antonio - Starpur S.r.L.
MARCHAL Jacqueline - ISPRI, Institute of Forecasting Studies
MONNO Guido - Carabinieri Corps
MORETTO Gianluca - Italian Army
MORIGGI Cedrick - Generali Insurance Group
MOURATIDIS Haris - University of London
NTOKO Alexander - ITU, International Telecommunication Union
PAGGIO Marco - TELSY, Elettronica e Telecomunicazioni S.p.A
PAPARELLA Ivo - University of Dubrovnik and Paris
PESHIN Esti - Waterfall Security Solutions
PETRUCCELLI Anna Maria - CSSI, University Centre for Strategic and International Studies
PODDA Stefano - Unicredit Group
RAHAV Reut - Maglan Group
RAMACCIOTTI Stefano - Italian Defence General Staff
RAMOINO Pier Paolo - Italian Navy
RAPETTO Umberto - Italian Financial Police
REBORA Antonio - Ansaldo Ricerche (Finmeccanica)
ROTARU Victor - Unicredit Group
SANFELICE di MONTEFORTE Ferdinando - Italian Navy
SGOBBI Dario Maria - Italian Navy
SITBON Pascal - EDF, Electricité de France
SOMMA Catello - Italian Defence CERT
STARO Sergio - Italian State Police
STOPPONI Pietro - ISPRI, Institute of Forecasting Studies
TIKK Eneken - Cyber Defence Task Force
TONINI Pietro - Finmeccanica
TUNCEL Gonca - Dokuz Eylul University
UDOVYK Oleg - National Institute for Strategic Studies
VARDANIAN Trahel Gerasim - Yerevan State University
VARDANIAN Vahram - Yerevan State University
VIDALI Ari - Envisage Technology Corporation
VITAGLIANO Davide - Italian Army
WYLIE Margot - CSSI, University Centre for Strategic and International Studies
ZAPPELLI Maurizio - Italian Army

Subject Index
allegories 43
Al-Qaeda 109
asymmetrical war 43
authentication 11
biometrics 11
botnets 132
CNAIPIC 153
CNCPO 153
collective intelligence 132
content analysis 109
control of virtual territory 160
counter-marketing-warfare 109
criminal code 199
critical information infrastructure(s) 140, 153
critical information infrastructure protection 182
critical infrastructure(s) protection (CIP) 79, 182
critical national infrastructures (CNI) 79
critical networks 79
Croatia 199
cryptography 43
cyber army 199
cyber attacks 79, 125
cyber-crime 160
cyber crime community 132
cyber criminality 199
cyber security 11, 125, 140, 182
cyber war 199
cyber warfare 125
deterrence 125
distributed-denial-of-services 132
East European Countries 199
encryption 43, 132
entropy 43
fuzzy theories 43
hacking 79
human-computer interaction 11
illegal underground economy 132
immigration 114
information security 5
information sharing 182
infrastructure protection 125
integrated approach 43
internal subversive organisations 160
international terrorism 160
Internet 109
Islam 114
IT security 182
Jihad 109
language evolution 43
lawful interception (LI) 79
malicious application 132
malware 132, 140
marketing perspective 109
one way link 79
on-line Police Station 153
open information society 5
peer-to-peer 132
postal and communication service of the Italian National Police 153
privacy 5
privacy of an organisation 5
propaganda 114
recruitment 114
remote infrastructure management (RIM) 79
risk management 93
rootkits 132
rustock 132
Salafism 114
SCADA 79, 93
secure manual uplink (SMU) 79
security 11, 93, 182
security objectives 93
segregation topology 79
smart metering 93
social engineering technique 132
steganography 43
terrorism 114
threat 109
unidirectional connectivity 79
usability 11
virtual sanctuary 160
waterfall 79
web 114
WEB2.0 132
web-forums 132

Author Index
Agazzi, M. 132
Ahituv, N. 5
Campobasso, P. 75
Cataldo, G. 160
Cioffi-Revilla, C. 125
Elovici, Y. 140
Gazzini, A. 182
Gori, U. vii
Grasso, G. 173
Hochberg-Marom, A. 109
Iovane, G. 52
Lisi, S. 43
Monno, A.G. 114
Morgari, G. 59
Mouratidis, H. 29
Paggio, M. 68
Paparela, I. 199
Peshin, E. 79
Rigoni, A. 182
Sanfelice di Monteforte, F. 165
Sgobbi, D.A.M. 59, 68
Shabtai, A. 140
Sitbon, P. 93
Staro, S. 153
Tikk, E. 189
Vidali, A. 11
Vulpiani, D. 153