Cyber threats and Intelligence in Times of Crisis

ESRIF – European Security Research and Innovation Forum
ESRIF was supported by more than 600 experts, thus making it the only
large-scale, high level initiative of its kind in Europe.

Aspects of citizen security:


• Cyber and physical attacks against IP distribution centers resulting in
the paralysis of the Internet
• Remote control over systems that are of strategic importance (air
transport, water, energy)
• Internet as a medium for anonymous exchange of information on
criminal activities
• Data mining (open source or hacked) to find potential targets for
terrorist/informational attacks
• Anonymous access to the internet – cyber stalking, identity thefts

Information and cybercrime in the context of the financial and economic crisis
• Organized crime is the net winner of the crisis (“cash is king”)
• Authorities are in severe financial distress, which has several
implications:
▫ Lack of ability to attract/keep specialists (cyber warriors)
▫ Unable to keep up with investment demands
▫ Lack of funds for security culture
▫ Brain drain – in favor of the private sector or even organized crime
• Private companies:
▫ Unsatisfied employees – enemy within
▫ Facing competition (economic espionage)
▫ Increased vulnerabilities in the business environment, threats of
hostile takeovers, among others

[Figure: progression of threat actors: Lone Ranger, Friends, Criminal Gangs, Criminal Organizations. Labels: Multiplied gains, Individual losses.]

*Source: Cyber Threats - Mike Cote - Chairman and CEO – Secure Works

Motives:
• Before 2000: Experimentation, ego, jokes
• 2000 - 2003: Political, social, or economic statements ("hacktivism")
• 2003 - 2005: All about the $$$, extortion and espionage
• 2005 to present: Organized large scale crime
Organizational
• Before 2000: Individuals
• 2000 - 2003: Small groups
• 2003 - 2005: Criminal gangs with a dozen or more members
• 2005 to present: Constellations of large groups working together in strategic alliances to dilute risk
and foster their industry
Economic Gain
• Before 2000: Personal satisfaction, perceived elevated status
• 2000 - 2003: A few hundred to a few thousand dollars for custom code, services, stolen credit card
numbers
• 2003 - 2005: A career, $10,000 to $100,000 per year in ransom, rental of botnets, stolen identities
• 2005 to present: $1+ million proven, tens or hundreds of millions

Very real virtual threat*


• Since the spring of 2010 the United States and Russia, followed by six other
countries, have been attempting to negotiate a treaty on Internet security and
the restriction of the military use of the Internet – divergence of opinions and
no tangible results
• Any concept of cyber security must include the protection of vital infrastructure
(electricity, gas, fuel, transport, telecommunications, emergency networks, etc.),
which depend almost entirely on control and communication systems
• A cyber weapon can be designed or used anywhere, by anyone, with or without a
motive, such as a hacker, political or religious extremist, terrorist, cybercriminal,
discontented ex-employee, competitor, conflict state, ‘madman’, etc.
• A cyber weapon leaves very little time for anticipation, prevention, detection or
reaction due to the electronic speed of action conferred by its vectors, namely
the IT architectures and data transmission networks. How can we clearly assess
the situation and mount a response when the electricity is cut off?

*) Can deterrence work in cyberspace? By Charles BWELE, Revue Defence Nationale, 13 June 2010

Cyber security and energy (I)*


• Fragility of energy infrastructures and the possibility of cascading failures
due to problems with control systems hardware or software
• Most developed countries depend upon three distinct grids to distribute
energy from where it is generated to where it is consumed: the electric
grid, a natural gas pipeline network, and a network of pipelines for
distribution of petroleum and petroleum products.  The flow of materials
through all of these grids or networks is controlled via generators,
switches, valves, compressors, odorizing stations, and pumps that utilize
various types of SCADA devices and software.
• Because most companies use the same computers and networks to control
internal operations and for contact with the outside world, the control
systems are vulnerable to any intruder who can penetrate a company’s
firewall (or to unintentional intrusions).  In addition, many systems have
multiple wireless points of access that an intruder can exploit.  Insider and
third-party engineer access is also always a concern.

*) Dr. Bruce Averill – Canvassing the Cyber Security Landscape 18 May, 2010

Cyber security and energy (II)


•  The spectacular cyber piracy of a hydroelectric power station in Brazil highlighted
the danger of malware to vital infrastructure. A dozen Brazilian cities and their 60
million inhabitants were deprived of public transport, traffic lights,
telecommunications and even lifts for three days. Service stations, banks,
shopping centers and industrial sites by the thousand were completely paralyzed
or greatly hampered. 
• In 2008, a software update of a single office computer in the Baxley nuclear power
plant in Georgia and its subsequent reboot caused the nuclear reactor to “scram.”
• Management neglects the risks associated with control infrastructure!
• Energy markets can be manipulated by either rumors regarding, for example, an
attack on and closure of a major gas or oil pipeline, or direct manipulation of spot
market prices at power and gas exchanges.  Such manipulations could lead to
unexpected shortages in power or gas grids that cannot be resolved in time to
avoid disruptions.  This is not just a theoretical concern: over the past year or so,
criminals have manipulated the European carbon credit market, with losses
estimated at over 5 billion Euros.

EOS - European Organisation for Security: White paper on Infrastructure protection and resiliency
• Recommendation: Address the financial as well as
operational obstacles that prevent operators from
implementing security measures for their energy
infrastructures by setting up adequate incentives and
defining an acceptable – risk based - liability model.
• In 2004, there were 91 incidents on control systems from a
small reporting base of 15 companies. 67% of these attacks
came from outside the organisation, with 47% of attacks
directed against companies in the energy sector.
• Terrorist groups already use Information Technologies
extensively to prepare their attacks.

Conclusions from SDA - Security and Defence Agenda Meetings
• 26 May 2010, SDA, Friends of Europe and EURISC – Policymaker’s
Dinner, “Is Europe's energy security policy a reality or an ambition?”
Other meetings:
• Europe has to do more to build up cyber defences, including increasing
cooperation between member states and working with the US.
• Common exercises to plan for cyber emergencies, building on the
Cyber Storm exercises – US Dept. of Homeland Security and the EU
debut cyber war games in November 2010
• First pan-European exercise should improve coordination with
member states and test cross-border communication links and
procedures in times of emergency.
• US and EU to organize a joint transatlantic cyber storm exercise
• Build on retaliatory policy on cyber attacks. Cyber measures only or
other types of military measures?

Cyber security, key element of critical infrastructure protection
• At the actor level, malevolent agents active in cyberspace
can be grouped in four categories: 1. state-sponsored
actors (most dangerous), ideological and political
extremists; 2. frustrated insiders; 3. organized criminal
agents; 4. individual criminal agents
• Need for development of public private partnerships
for better information sharing
• State capabilities to address cyber threats (with global
and inclusive consequences) – issue of knowhow (“It’s
a geek’s world”)

Threats perception*
[Figure: threat perception matrix. Axis labels: State Actors, Non State Actors, Economic Well being, National Security. Quadrant labels: Industrial Espionage, Cyber Warfare, Cyber Crime, Cyber Terrorism.]
*) CRN Report – Zurich, August 2009

SDA Security Jam – Proposal


• Create a European Intelligence Agency as an information broker for
complex and hybrid threats
• This agency should act as a clearing house or as a trusted information
broker that unravels complex hybrid threats for operational and
strategic planning
• Cyber security flagged as an area where EU and NATO need to boost
their intelligence
• Assessments and mapping of vulnerable targets – no physical and
logical separation between defence, infrastructures and commercial
interests
• Public private partnerships to keep up with the evolution of technology
• Agency to become a central node for collecting and disseminating
information to support EU operations

Dr. Liviu Muresan


Executive President
EURISC Foundation

PO BOX 2 – 101 Bucuresti 2, Romania


Tel.: 0040 21 212 21 02;
E-mail: eurisc@eurisc.org
Web: www.eurisc.org
