Security through innovation - Cybersecurity sector as a driving force in the national economic development Wiesław Goździewicz, Cyprian Gutkowski ...

Security through innovation
Cybersecurity sector as a driving force
in the national economic development
Wiesław Goździewicz, Cyprian Gutkowski,
Lior Tabansky, Robert Siudak
Editor: Dominik Skokowski
The views expressed in this publication are those of the authors and do
not necessarily reflect any views held by the Kosciuszko Institute and the
publication partners. They are published as a contribution to public debate.
The authors are responsible for their own opinions and contributions and do
not necessarily support all of the opinions made by the other authors in the
report.

Security through innovation. Cybersecurity sector as a driving force in the national
economic development

Wiesław Goździewicz, Cyprian Gutkowski, Lior Tabansky, Robert Siudak

Editor: Dominik Skokowski

© The Kosciuszko Institute 2017. All rights reserved. Short sections of text, not
exceeding two paragraphs, may be quoted in the original language without explicit
permission provided that the source is acknowledged.

Icons from the Noun Project: European Union, Nato, Poland, Israel, Pirate
by anbileru adaleru, Partnership, Internet, Organization, Product Research
by Gregor Cresnar, Euro by Estelle Philibert, Mortar Board by PJ Souders,
Programmer By Kid A, Successful Programmer by Gan Khoon Lay, Poland by
Hea Poh Li Union Jack by Christian, Shield by Kimmi Studio, Partnership by
Delwar Hossain, Handshake by Becris, Black Hat Hacker by Luis Prado, Global
User by icon 54, Teamwork by Becris, arrow by Vladimir Belochkin, Shield by
Creative Stall, PK.

Translation & proofreading: Justyna Kruk

The Kosciuszko Institute
Ul. Feldmana 4/9-10
31-130 Kraków, Poland
e-mail: ik@ik.org.pl
Telephone: +48 126329724
www.ik.org.pl
ISBN 978-83-63712-26-6
Contents

Executive summary

Between security and economy: the public sector as a driver of growth in the cybersecurity industry ― Cyprian Gutkowski

Cyber defence and beyond: the role of the military in the national cybersecurity ― Wiesław Goździewicz

Innovation made possible: government-business cooperation national case studies ― Lior Tabansky

From source code to export: advanced private ICT sector as a crucial part of the national cybersecurity ecosystem ― Robert Siudak

About Authors
Executive summary

        Cybersecurity is not only about cost. If built properly, it may also generate revenue for the
        country. A strong national cybersecurity sector does not only help protect the state, but it
        can also be an important export commodity and a driver of economic growth.

Global cybersecurity market:1, 2 $120 bn in 2016, est. $240 bn in 2021.
Cost of global cybercrime:3 est. $3 tn in 2017.

The national cybersecurity sector cannot thrive without the active involvement of the government in both the civilian and the military domain. From a meticulously designed and executed national cybersecurity strategy, through adequate partnership mechanisms, to a proper R&D programme, the government should support the cybersecurity industry throughout this chain.

PPP investments are cheaper by 15-17% on average.4
112 public-private partnerships (2009-2016)5 worth PLN 5.6 bn ($1.4 bn),5 of which 0 focused on cybersecurity.5

There are countries which went down that road and they are already reaping the benefits of
the rapidly growing global cybersecurity market.

$3.75 bn: revenue generated by Israel’s cybersecurity industry in 2015 (>1% GDP).7
$2 bn: export of cyber products from the UK.8
100,000: jobs in the cybersecurity sector.8

Poland has the potential to join and profit from the exponential rise of this market. It has a
strong ICT sector, adept workforce, and a thriving academic community.

$8.5 bn: Polish ICT sector in 2016.9
Polish developers are ranked 3rd best in the world.10
Polish universities produce 30,000 ICT graduates every year.11

Furthermore, Poland can benefit from its membership in the supranational organisations.

As a member of the EU, Poland can benefit from the European Commission’s plan to invest EUR 1.8 bn by 2020 in the cybersecurity industry.
As a member of NATO, Poland can utilise such mechanisms as the NATO-Cyber Industry Partnership.

Cyberspace and threats arising from it are here to stay whether we like it or not. It is up to us whether we decide to benefit from it or fall behind.

         However, in order to fully embrace the opportunity, Poland must undertake action. The key
         conclusions of the following report lead us to propose:

         Developing public-private cooperation mechanisms
    • adapting the existing public-private cooperation mechanisms to include cybersecurity-
         oriented projects, e.g. the public-private partnership,
    • seizing the existing opportunities for cooperation that stem from the Polish membership in
         NATO and the EU,
    • creating new mechanisms, especially for dealing with emergency situations such as large-
         scale cyberattacks.

         Developing military-industry cooperation mechanisms
    • developing methods of cooperation between the military and the private sector in times of
         war and peace,
    • engaging skilled individuals for cyberdefence purposes,
    • creating long-term partnerships between the Armed Forces and national ICT companies.

         Devising a robust R&D programme
    • providing grants,
    • procuring R&D services from commercial partners,
    • providing tax incentives for companies conducting R&D.

         Developing markets
    • boosting the domestic cybersecurity market by making the central administration and
         state-owned enterprises more open to cooperation with national companies of all sizes,
    • changing the legal framework to increase the competitiveness of national ICT companies
         (including startups and SMEs) in public bids,
    • helping national companies access foreign markets by preparing and executing a long-term
         PR strategy to promote Poland as a cybersecurity centre of excellence.

1. Abomhara M., Geir M. Køien. 2015. Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks, “Journal of Cyber Security and Mobility” 2015, 4 (1), pp. 65–88; Camhi J., Business Insider, BI Intelligence projects 34 billion devices will be connected by 2020, 2015, [online] www.businessinsider.com/bi-intelligence-34-billion-connected-devices-2020-2015-11?IR=T (access: 12/05/2017).
2. Intel Security, Net Losses: Estimating the Global Cost of Cybercrime Economic impact of cybercrime II, June 2014, [online] https://www.mcafee.com/tw/resources/reports/rp-economic-impact-cybercrime2.pdf (access: 12/05/2017).
3. Cybersecurity Ventures, 2016 Cybercrime Report, [online] www.cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ (access: 12/05/2017).
4. Value for Money Drivers in the Private Finance Initiative, Arthur Andersen and Enterprise LSE 2000.
5. The Institute for Public-Private Partnerships, PPP market analysis for the period from 2009 to 31 December 2016.
6. OECD Portal, https://data.oecd.org/rd/gross-domestic-spending-on-r-d.htm (access: 12/05/2017).
7. Israel’s National Cyber Bureau data.
8. HM Government, The UK Cyber Security Strategy 2011-2016: final report.
9. PMR, Rynek IT w Polsce 2016. Analiza rynku i prognozy rozwoju na lata 2016-2021, 2016, [online] www.pmrpublications.com/product/Rynek-IT-w-Polsce-2016 (access: 12/05/2017).
10. HackerRank, Which Country Would Win in the Programming Olympics?, 2017, [online] www.blog.hackerrank.com/which-country-would-win-in-the-programming-olympics/ (access: 12/05/2017).
11. Dziennik Internautów Technologie, Polska kształci za mało informatyków. Umiejętność programowania najbardziej poszukiwaną kompetencją na rynku pracy, 2015, [online] www.di.com.pl/polska-ksztalci-za-malo-informatykow-umiejetnosc-programowania-najbardziej-poszukiwana-kompetencja-na-rynku-pracy-53442 (access: 12/05/2017).

Between security and economy: the public sector as a driver of growth in the cybersecurity industry

Cyprian Gutkowski

Secure cyberspace is one of the most serious challenges of the modern world. It applies to all across the board, with no exception: the government and local administration, all the sectors of the economy, the ordinary citizens, even those who do not use a computer at all. The dynamics of the changes taking place in cyberspace makes it necessary to draw special attention to the need for enhanced protection of data resources. This protection should be structured and provide three basic security components, i.e. confidentiality, integrity and availability (the so-called CIA triad).

Any cybersecurity assurance activities must comply with the constitutional order established in accordance with the principle of law and the resultant accountability and competence of the relevant public authorities. We need to bear in mind, however, that the mere engagement of the state in creating systemic solutions and a legal framework to combat cyberthreats is simply not enough. What is required is the synergy between the state and the private sector. It is totally unacceptable for the public administration to impose various obligations and expectations on the private sector and at the same time have no competencies facilitating effective collaboration in their implementation. Cyber exercises carried out by the Cybersecurity Foundation (Cyber-EXE Polska 2014) perfectly exemplify the problem. During the exercises, telecommunications operators were required to report security incidents to multiple authorities of the state administration. Unfortunately, they had trouble getting any support from these authorities to coordinate the crisis situation.1 For these reasons, it is necessary to build different models of cooperation between operators and public administration in cybersecurity as well as to develop good practices.

[Figure: Map of relationships and flow of information between the public and the private sector during Cyber-EXE Poland exercises, 2014. Nodes shown: VENDOR; ISP-1 to ISP-7; UKE (Office of Electronic Communications); GIODO (Inspector General for Personal Data Protection); POLICE; MAiC (The Ministry of Administration and Digitization); RCB (Government Centre for Security); ABW (Internal Security Agency).]

Building synergy through public-private partnership2

One of the potential forms of effective cooperation between the state and private sector representatives is a public-private partnership (PPP). Although Poland has never applied the mechanism to cybersecurity projects, it has significant potential. From 2009 to December 2016 a total of 112 contracts worth PLN 5.6 billion (USD 1.4 billion) were concluded under the public-private partnership. Unfortunately, none of them represents an example of cooperation to improve the cybersecurity of the civil public sector. We can only presume that cybersecurity is an element of some of these undertakings at best. The list of completed tasks includes projects related to the provision of broadband Internet services. However, there were only 13 projects like that, worth PLN 1.9 billion (USD 0.5 billion), which accounts for only 11.6% of all contracts. On the other hand, this makes up 34% of all PPP funds. However valuable and necessary from the point of view of country digitization, this initiative does not, strictly speaking, address the issue of security in Polish cyberspace.

By synergising the potential of the public entity and its private partner, a public-private partnership enables them to develop new infrastructures more effectively and efficiently as well as to improve the standard and efficiency of public service delivery. As far as the public administration is concerned, PPP in Poland is being implemented mainly by the local authorities, who have managed to conclude 103 of 112 contracts (92%). Conversely, the government administration finalised only 5 contracts (4.5%) until the end of 2016. The dominant position of local governments determines the present shape of the PPP mechanism. Local governments are interested in the implementation of tasks at the local level, whereas cybersecurity must be seen far more broadly.

The benefits of PPP
•   Lower public spending on investments, bringing savings to the budget
•   Speeding up the construction of public utilities and the supply of related services
•   Provision of higher quality public services
•   Greater competitiveness of private capital in the public service delivery sector
•   Investment risk-sharing between the public authority and the private entrepreneur
•   Additional growth prospects for private companies

The benefits of “ad hoc partnership”:
•   Flexibility in determining the terms and conditions as well as the formula of cooperation
•   Smooth allocation of specialists in the event of a crisis situation
•   Cost-effectiveness
•   The development of good practices

Employing the PPP mechanism in the field of        communication technologies (ICT) simul-
     cybersecurity could bring many benefits. First,    taneously strengthens the arsenal of cyber
     in contrast to typical privatisation of public     criminals and expands the threat landscape
     services, the PPP model leaves the responsi-       itself. It is therefore impossible to enumerate
     bility for the quality of service delivery with    all cybersecurity-related aspects in an exhaus-
     the public administration by only outsourcing      tive list in a typical cooperation agreement
     the actual execution of the task to private        between the civil public sector and the private
     entities. In the case of such a sensitive issue    sector. Creating solutions that allow for
     as the cybersecurity of state resources, this      tapping into the pool of professionals in the
     constitutes a key factor allowing the public       private sector becomes particularly essential in
     administration to retain the necessary degree      the event of a sudden, isolated, yet extremely
     of authority over the realization of a priva-      dangerous incident jeopardising the country’s
     tised public task. Second, the PPP investments     critical infrastructure and requiring rapid
     are cheaper by 15-17% on average.3 In addi-        expert support for state human resources.
     tion, implementation delays in PPP schemes
     are less common compared to public projects
                                                                  Private-sector
     carried out by the public administration. They
                                                               wages in the area of
     are also far more likely to stay on budget.4
                                                             cybersecurity are 20%
                                                             higher on average than
     Beyond                                                     those in the public
     strategic documents: flexible                            sector. The proposed
                                                              ad hoc public-private
     forms of cooperation
                                                               partnership reduces
     A public-private partnership on secure cyber-           the identified pay gap,
     space cannot be understood in purely statutory          allowing private sector
     terms, i.e. as cooperation between government            professionals to gain
     authorities and local governments (public                 unique experience.
     administration) and private actors based on
     long-term agreements made to develop infra-
     structure components to enable the provision       It is difficult for the public administration
     of public services. This collaboration should      to compete with the private sector for
     result in establishing good practices, including   highly skilled cybersecurity professionals.
     the exchange of information and cooperation        According to the SANS Institute, private-
     with the business community in the event of a      sector wages in this area are 20% higher
     cyberthreat not provided for in agreements.        on average than those in the public sector.5
     After all, the innovation in information and       Similarly, according to research by the

12      
Central Statistical Office of Poland (GUS), IT    designed to ensure the security of cyber-
professionals in state agencies earn about        space of the Republic of Poland through
33% less than their counterparts in private       the development of national ICT security
companies.6 The proposed ad hoc public-           plans. NC Cyber acts as an early warning
private partnership reduces the identified pay    centre which monitors and administers the
gap, allowing private sector professionals to     reporting mode on network threats. The
gain unique experience and ensure that state      centre also manages a hotline for reporting
resources have an optimal level of cyberse-       harmful and illegal content. A number of
curity. A similar solution has been employed      private security actors have acceded to the
in Estonia, where under the public-private        agreement under NC Cyber, including Citi
partnership private sector volunteers are to      Handlowy, Credit Agricole, mBank, PKO
support public administration personnel in        BP, Raiffeisen Polbank, BZWBK, Orange,
the state of emergency. This is discussed in      T-Mobile, Polkomtel, Energa, PSE S.A., Gaz-
greater detail in the next chapter. It needs      System S.A., PERN S.A. and PKP Informatyka.
to be noted that a small country like Estonia
has spent EUR 16 million (USD 17.5 mil-
lion)7 on the implementation of its cyber-
                                                        Cybersecurity Forum
security strategy in the years 2014–2017.              founded in December
Adapted to Polish circumstances, the ad                  2016 at the Ministry
hoc public-private partnership could pro-              of Digital Affairs is an
vide a significant help for the state in a time       advisory body assigned
of crisis and protect the country’s critical           to diagnose the needs
infrastructure from a sudden and dangerous                 and set priorities
incident. It is worth adding that Poland has              for joint action by
also set up a similar structure “Polish Civil              all stakeholders
Cyber Defense Association”, which gathers                   in the national
experts (ranked 3rd in 114 in Cyber Europe
                                                        cybersecurity system
2016 exercises) ready to serve the state.

                                                  The next convenient formula of public-private
Public-private cooperation:                       cooperation is the Cybersecurity Forum
Polish experience                                 at the Ministry of Digital Affairs. Founded
                                                  in December 2016, this advisory body has
An interesting example of cooperation is          been assigned to diagnose the needs and set
the National Cybersecurity Centre (NC             priorities for joint action by all stakeholders
Cyber), launched as part of the Research and      (within the framework of the so-called broad
Academic Computer Network (NASK) and              public-private partnership) in the national

                                                   Between security and economy                     13
cybersecurity system. The Forum has also          subsequently allows them to access public
     established expert groups working on spe-         services over the Internet. A similar coopera-
     cific topics. One of them, namely NC Cyber        tion model was used in the programme “Family
     development team, is particularly interesting     500 plus” where the bank was held responsible
     from the point of view of fostering coopera-      for verifying the applicant and protecting
     tion with the private sector. On the one hand,    them against risks such as identity theft.
     grouping strategic stakeholders will help gain
     knowledge about what is expected of NC            According to the Ministry of Family,
     Cyber, and on the other hand, it will provide     Labour and Social Policy, 20% of nearly
     an opportunity to offer preferred means of        3 million applications for the pro-
     information exchange and collaboration.           gramme were submitted online,8 while
                                                       a total of 18 banks reported their readi-
     Trusted Profile (Profil Zaufany) is another       ness to participate in the project.9
     example of successful cooperation between
     the private sector and the public administra-     Public-private cooperation
     tion. The project initiated by the Ministry       in light of the National
     of Digital Affairs enables the use of the         Cybersecurity Policy
     Electronic Platform of Public Administration
                                                       Framework
     Services (ePUAP) and gain electronic access
     to public services. Electronic banking allows     So far all cybersecurity activities undertaken
     the citizens to obtain their individual Trusted   by public and private sector entities and insti-
     Profile, in other words get their identity con-   tutions responsible for countering cybercrime
     firmed by means of their bank account, which      were largely dispersed, which contributed
                                                       to the low efficiency of the entire system.
                                                       Currently, in accordance with the National
     The European Commission                           Cybersecurity Policy Framework of the
       in collaboration with the                       Republic of Poland in the years 2017–2022,
      European Cyber Security                          these actions are to be consolidated and
      Organisation (ECSO) have                         harmonised. In this document, the govern-
      launched the contractual                         ment responds to other challenges such as
      public-private partnership                       investing in the expansion of industrial and
       on cybersecurity. It aims                       technological cybersecurity resources by
        to boost cybersecurity                         facilitating the development of enterprises,
        investments in the EU,                         startups, and R&D centres that create innova-

     which are expected to reach                       tive solutions for cybersecurity. All actions
                                                       for the development of national capacity and
        EUR 1.8 billion by 2020.
                                                       competencies have been given the status of

14      
strategic objectives. To date, the implemen-       cybersecurity. It aims to boost cybersecurity
tation of these tasks has been viewed only         investments in the EU, which are expected to
in technical terms or as a means necessary         reach EUR 1.8 billion by 2020. This objec-
to execute tasks within the cooperation for innovation framework or a public-private partnership. As it stands, the development of domestic product and service resources, support for R&D and public-private cooperation have been deemed strategic assets, recognising that they can become Poland’s national speciality and export commodity.

Another development programme under completion is the Cyberpark Enigma which envisages the recreation and enhancement of competencies in the production of hardware and software used by all industries. In addition, it has been tasked with acquiring new technologies to foster the growth of domestic undertakings. According to the National Cybersecurity Policy Framework of the Republic of Poland 2017–2022, the implementation of this programme will not only strengthen Poland’s resilience to cyberthreats, but it will also provide an important stimulus for growth that will help Polish companies to compete in the European market of specialized ICT products and services.

Public-private partnership: European approach

On 5 July, 2016, the European Commission in collaboration with the European Cyber Security Organisation (ECSO) launched the contractual public-private partnership on

tive is meant to be achieved by appropriately allocating EUR 450 million of European funds available under the EU Research and Innovation Programme “Horizon 2020”. The contractual public-private partnership on cybersecurity brings together business representatives (both large corporations and SMEs), national, regional and local authorities, and research and academic centres.

The partnership should also contribute to consolidating the single digital market in the area of cybersecurity. At present, in accordance with the treaty-based order, the primary functions of the state are aimed at maintaining public order and the protection of national security (also in cyberspace). The consequence of this state of affairs is various restrictions of free market freedoms or competition, for instance a scant participation of companies in public procurement outside the country of origin of the company. This fragmentation of the EU market strengthens the dominance of non-European players (the U.S. and Asia). In view of the above, a wide array of activities are planned for the consolidation of the single digital market in the field of cybersecurity, such as certification, validation (including the entire ICT sector), marking (quality and security/privacy mark), and a set of common specifications for tenders and regulation.

Good practices as an essential component of the national cybersecurity ecosystem

It is necessary to develop and adhere to good professional practices in public procurement, tendering, or the selection of cyber service subcontractors in large public institutions like the Social Security Office (ZUS), the Inspector General for Personal Data Protection (GIODO), the National Health Fund (NFZ), etc., or other state-owned companies of strategic importance. The state should develop such a legal framework, entrusting cybersecurity to only verified and reliable entities. The price should by no means be the determining factor. Far more important are the trust and confidence in the selection of the right partner to properly complete the assignment. Negligence or letting unauthorized entities handle ICT security may in effect put the security of the state in jeopardy.

Sources:
1. All conclusions from the exercise can be found in the report Cyber-EXE Poland 2014, [online] https://www.cyberexepolska.pl/wp-content/uploads/2015/01/CYBER-EXE2014_RAPORT-PL.pdf (access: 12/05/2017).
2. Based on the report by the Institute for Public-Private Partnerships, PPP market analysis for the period from 2009 to 31 December 2016.
3. Value for Money Drivers in the Private Finance Initiative, Arthur Andersen and Enterprise LSE, 2000.
4. Value for Money Drivers in the Private Finance Initiative, Arthur Andersen and Enterprise LSE, 2000.
5. Cybrary – Choosing A Career in Cybersecurity: Public Sector or the Private Sector?, 2015, [online] https://www.cybrary.it/2015/11/choosing-a-career-in-cybersecurity-public-sector-or-private-sector/ (access: 12/05/2017).
6. Radzięta S., Sektor publiczny oszczędza na informatykach, 2014, [online] http://wynagrodzenia.pl/artykul/sektor-publiczny-oszczedza-na-informatykach (access: 12/05/2017).
7. The Ministry of Economic Affairs and Communication Cyber Security Strategy 2014-2017 of Estonia, 2014, [online] https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/Estonia_Cyber_security_Strategy.pdf, p. 13 (access: 12/05/2017).
8. Związek Banków Polskich – Raport NetB@nk, (Q3/2016), 2017, [online] https://zbp.pl/wydarzenia/archiwum/konferencje-prasowe/2017/styczen/raport-netb-nk-polacy-maja-juz-33-mln-rachunkow-bankowych-dostepnych-przez-internet (access: 12/05/2017).
9. Kancelaria Prezesa Rady Ministrów – Premier Beata Szydło: 18 banków dołącza do przyjaciół programu „Rodzina 500 plus”, 2016, [online] https://www.premier.gov.pl/wydarzenia/aktualnosci/premier-beata-szydlo-18-bankow-dolacza-do-przyjaciol-programu-rodzina-500.html (access: 12/05/2017).

Cyber defence and beyond: the role of the military in the national cybersecurity
Wiesław Goździewicz

Cybersecurity is a multi-faceted and cross-sectoral phenomenon that requires the involvement of the various sectors – military, civil, public and private – to counter all foreseeable threats.

It is also an area in which there is a possibility and a vital need to engage with both the industrial sector and academia as the potential suppliers of modern software and hardware solutions. There are companies in the world specialised in providing state customers with cyber tools, including the offensive ones.

As part of a more broadly understood concept of information security, cybersecurity will interpenetrate other domains, including the physical security of the network infrastructure. Cybersecurity is not possible without ensuring secure communications channels, including classified (secret) communications, and properly secured ICT networks – both confined, isolated from the Internet, and those connected to the Internet. In the latter case, effective safeguards are particularly important, such as data diodes controlling the flow of data between a protected network and the Internet.

Versatile cyber capabilities

Obviously, cyber defence capabilities must include passive measures protecting military ICT infrastructure (or the part of the civilian ICT infrastructure used for military purposes) from unauthorized access or even hostile activities intended to disrupt military ICT systems. They must also comprise measures enabling the secure and encrypted exchange of information between authorised network users. It is in the interest of the Ministry of Defence to ensure that the systems protecting the military network from unauthorized access or attempts to break into these networks as well as encryption algorithms are unique solutions, relying on commercial products to the minimum extent possible.

The resolutions of the two recent NATO summits

Newport 4-5 IX 2014
1. Cyberattack can trigger Article 5 of the Washington Treaty;
2. International law applies to cyberspace;
3. Cyber operations must comply with international law.

Warsaw 8-9 VI 2016
1. Cyberspace recognised as a fully-fledged operational domain;
2. NATO members must build effective cyber defence capabilities;
3. Cyber Defence Pledge;
4. Obligations under Article 3 of the Washington Treaty include cyberspace.

Regardless of the domain, effective and robust defence requires the availability of offensive measures in order to run active defence operations and launch counter-attacks, or retaliatory “hacking” (“hacking-back”) of the opponents’ systems and, if necessary, to launch a pre-emptive cyberattack.

Poland admits more or less openly to seeking offensive cyber capabilities.¹ In 2013, the National Centre for Research and Development in Poland announced a competition for “Developing software and hardware solutions for conducting information warfare [...]” including “[taking over] control over network devices [...] and [the disintegration of] communication nodes by deliberately changing their operating parameters or deactivating selected functions.” Further, we read that “[i]n order to take over components of the enemy’s network, it is necessary to install software (malware) and electronic equipment either openly or covertly [...]” and, that “[...] creating one’s own military botnets [...]” was being predicted.² The estimated value of this project was over PLN 6.5 million (USD 1.7 million).

Commercially developed malware FinFisher is said to be used by intelligence agencies in several countries, allegedly including the Czech Republic and Slovakia.³ Furthermore, the German secret services are believed to have been using commercially delivered malware R2D2 for several years.⁴

The Technical Modernisation Programme (TMP) of the Polish Armed Forces for the years 2017–2022 stipulates that the Polish army will allocate 1% of the total TMP’s resources, which amounts to approximately PLN 1 billion (USD 0.3 billion) in total, to the development of its cyber capabilities in the period 2017–2019, as well as throughout the five-year period covered by the TMP. Although this figure looks impressive nominally, it pales in comparison with the funds designed for other priority programmes, such as the modernisation of air defence, for which the Polish Ministry of National Defence intends to allocate 14% of the TMP’s value in the years 2017–2019, and a total of 24% in the entire five-year period. For the development of mechanised and armoured infantry, the Ministry is planning to allocate 14 and 20% respectively.⁵

Strengthening the military in cyberspace: cooperation and commercialisation

Building effective cyber capabilities requires broad cooperation of the Ministry of Defence and the Armed Forces, both with national and international partners. It is necessary to establish mechanisms for coordination and the exchange of information with civilian authorities and entities engaged in the country’s cyber defence, including private sector, most notably the operators of critical infrastructure systems.

The importance of such cooperation has been appreciated by many states. For example, Estonia’s Cyber Security Strategy 2014–2017 provides for the creation of conditions to facilitate the organisation and provision of cybersecurity training, workshops and research, as well as to intensify cross-sectoral activities. In addition, given the mutual dependencies and connections (including physical networks) between infrastructure and ICT services, this document recognises that the cooperation among public, private, and academic sectors is essential to building cybersecurity in a coordinated manner.⁶

The French digital security strategy formulates similar theses, but it goes a step further by suggesting, just like the present study, that it is necessary to promote the competitiveness of the domestic cybersecurity industrial and research sectors in order to ensure national digital sovereignty. France is committed to fostering innovation and a research-friendly environment by mobilising and coordinating all available public and private resources to give French cybersecurity solutions competitive advantage, which in effect will tangibly benefit both the private sector and the state.⁷

Possible directions for military-industrial cooperation

The cooperation between public, private, and academic sectors may considerably reduce the duration of research and development work, provided that appropriate information exchange and sharing mechanisms are created in the first place.
The NATO-Cyber Industry Partnership

NICP can serve as a model for cooperation with academia and the industrial sector. The partnership is based on a legitimate assumption that close cooperation between the contracting authority (NATO) and the supplier (the industry) is the key to streamlining cybersecurity solutions, while the inclusion of the academic sector in this cooperation will grant access to the latest achievements in science and technology.

The NICP brings together NATO institutions, national CERTs and industry representatives of NATO Member States, including medium- and small-sized ICT companies, as well as academic centres. Facing common cybersecurity threats and challenges, all these actors share the belief that cooperation and exchange of information, notably with regard to the latest R&D solutions developed by private business and research centres, can significantly accelerate NATO’s efforts to develop robust cyber defence capabilities.⁸

As part of the NICP framework, the NATO Communications and Information Agency (NCIA) has created Information and Cyber Incident Coordination System (CIICS), the development of which was contracted to the Rhea Group, the Belgian subsidiary of the Canadian ADGA Group.⁹ With an annual budget of EUR 600 million (USD 657.3 million) for ICT infrastructure projects,¹⁰ the NCIA is planning to spend between 2016 and 2019 a total of about EUR 3 billion (USD 3.3 billion) on a variety of ICT projects in support of command and control systems as well as satellite communications, air defence, and cyber defence systems.¹¹

Within the NICP framework (see NICP case study), such mechanisms function on the basis of Industry Partnership Agreements (IPAs) that the NCI Agency concludes with the industrial sector. The Agency has entered into such agreements with FireEye or RSA Security, to name just a few. The aim of the IPA is to allow for rapid exchange of information on cyber threats in order to improve the situational awareness of the parties to the agreement and to strengthen the protection of their networks.

Mutual benefits yielded by the cooperation among the military, industrial partners and academia are not to be underestimated, especially when this cooperation is extended to include national entities. It will:

• enable domestic companies and academic centres to obtain R&D funding to develop solutions requested by the Ministry of Defence.
• allow for customising the solutions being developed by the industry and academic sectors to the specific needs of the contracting authority.
• help increase the security of the designed solutions and systems.

Examples of cyber defence procurements include:

• The implementation of the NATO Computer Incident Response Capability (NCIRC) Full Operational Capability (FOC); contract worth EUR 134,353.77 (USD 147,190.36) was awarded to SELEX Communications SpA;
• The implementation of the NCIRC interface at Ramstein missile defence unit; contract worth EUR 411,173.64 (USD 450,458.50) was awarded to SELEX Communications SpA;
• The installation of the Active Network Electronic Security System – ANWI ESS for NCIRC; contract worth EUR 352,166.22 (USD 385,813.32) was awarded to SELEX SpA;
• TrendMicro license renewal for NCIRC; contract worth EUR 101,481.02 (USD 111,176.84) was awarded to Insight Technology Solutions Belgium Inc.;
• McAfee license renewal for NCIRC; contract worth EUR 498,627.34 (USD 546,267.80) was awarded to UNI BUSINESS CENTRE B.V.;
• The central purchase of TEMPEST level B workstations; contract worth EUR 1,662,375.58 (USD 1,821,204.31) was awarded to Airbus Defence and Space AS;
• The purchase of communications and IT equipment for the NATO Force Integration Units – NFIUs; contract worth EUR 2,762,779.00 (USD 3,026,743.82) was awarded to Airbus Defence and Space AS;
• The purchase of cryptographic equipment for NATO’s communication infrastructure; contract worth EUR 941,334.89 (USD 1,031,273.06) was awarded to Thales Norway AS.¹²

Relying on national entities in the industrial and academic sectors to develop cyber capacities, particularly cryptanalytic and cryptographic solutions, will help create truly secure products and services. This can be done by drafting the terms and conditions of the procurement in such a way as to oblige the author of the solutions to make the contracting authority the sole recipient and user of the source codes and solutions they create. The most important aspect here is to become less dependent on widely available commercial products that are often riddled with security vulnerabilities, in some cases left there deliberately by the manufacturers, as was the case with the RCS system purchased by the secret services in a number of countries, including the Polish Central Anti-Corruption Bureau. Authors of commercial solutions reluctantly (if at all) grant their customers access to the software source codes, and often sell them as the so-called “black box” that allows for no user modifications or enhancements. The lack of access to source codes can effectively render the identification and elimination of potential security vulnerabilities impossible.

Recruiting cybersoldiers: manpower shortage

It is impossible to think of building cybersecurity potential without harnessing national human capital. The military structures will “own” this human capital only to a limited extent – the vast majority of cybersecurity experts will be absorbed by the civil sector, where the demand for these professionals is virtually unlimited. It is therefore necessary to create systemic solutions to either attract professionals to state institutions, including the military, or to put them under mobilisation assignment programmes to be deployed in the event of a crisis or an armed conflict, when strengthening the state’s defence capabilities, including cyber military capabilities, becomes absolutely critical. Examples of such solutions can be found in France where Cyber Civic Reserve (Reserve Citoyenne Cyber)¹³ has been launched or in Estonia, where the Cyber Defence Unit of the Estonian Defence League has been incorporated into the national defence system, giving the entire Estonian Defence League the status analogous to that accorded to the Armed Forces of Estonia in the event of an armed conflict.¹⁴

Israel stands at the opposite extreme. To date, its defence forces are based on general conscription, which also includes women. Set up to conduct cyber operations, Unit 8200 brings together experts being both professional soldiers and conscripts. When asked about the human capital and the pay gap between the officers and non-commissioned officers and privates engaged in cyber operations, the former head and architect of the unit, Brig. Gen. Danny Bren said that the main motivation behind the decision to remain on active duty in Unit 8200 is after all the desire to face the challenges the service offers.¹⁵

The Israel Defense Forces scout universities for young candidates who have exceptional analytical skills and at the same time can work as true team players to serve in Unit 8200. As part of the compulsory military service, instead of learning the drill, weapon handling or tactics, successful candidates undergo training in Unit 8200’s comfortable, air-conditioned facilities where they learn how to collect intelligence, use state-of-the-art electronic surveillance or data mining techniques. The skills acquired in training have also helped ex-8200 soldiers to succeed in the commercial market.¹⁶ They are the masterminds behind establishing such companies as Check Point, CloudEndure, CyberReason, ICQ, LightCyber, the NSO Group, Palo Alto Networks, indeni, NICE, AudioCodes, Gilat, outbrain, Leadspace, EZchip, Onavo, Singular, CyberArk or Fortscale. The Israeli army has heavily invested in its professionals who, capitalising on the knowledge gained in Unit 8200, have often succeeded in commercial cybersecurity business. They remain allocated to mobilisation assignment programmes, and are regularly called up for reserve training during which they can use their knowledge and experience gained both in military service and subsequent business activity.

Certainly, such solutions will also require an appropriate training system to be created in order to enable these civilian specialists to phase in relatively smoothly and get accustomed to operating in hierarchical state structures. One of the possible solutions is to announce volunteer “conscription” of professionals to participate in military and civilian crisis management exercises and trainings. Taking into account the salary ranges in the Polish Ministry of National Defence, it is quite safe to assume that in most cases civilian specialists will not consider the financial incentive as the main factor when taking the decision to engage in activities to strengthen national cybersecurity. In accordance with the provisions of the Collective Labour Agreement for Employees of Military Budgetary Sector Entities,¹⁷ the maximum salary of the Ministry civil service personnel is PLN 8000 gross (USD 2083.82). However, it is highly unlikely that cybersecurity professionals will earn the highest salary given the hierarchical structure of civilian posts in the Ministry of National Defence.

The emoluments for reservists who are called up for military exercise do not look particularly attractive either. The net salary for a 30-day exercise amounts to PLN 2100 (USD 547) for a private, PLN 2512.50 (USD 654.45) for Master Corporal, and PLN 3150 (USD 820.50) for Second Lieutenant. Lieutenant Colonel of the reserve can receive about PLN 5600 (USD 1458.68) for a 30-day exercise,¹⁸ whereas his German counterpart about EUR 3500 (USD 3834.40) plus extras for possessing qualifications and skills particularly useful for the army. The salaries offered by the Polish Ministry of National Defence are hardly competitive compared to the private sector offerings, which was repeatedly emphasized (also by the representatives of the Polish government) at the Polish Cybersecurity Forum in 2016¹⁹ and the European Cybersecurity Forum in 2015.²⁰

Net salary for a 30-day exercise
• Private: PLN 2100 (USD 547)
• Master Corporal: PLN 2512.50 (USD 654.45)
• Second Lieutenant: PLN 3150 (USD 820.50)
• Lieutenant Colonel: PLN 5600 (USD 1458.68)

An option worth considering is to search for specialists of the young generation who stand out in various competitions or hackathons, thus confirming their knowledge and skills that may be useful from cybersecurity perspective. Increasing the number of such initiatives, both nationally and internationally, is paramount to effectively address the problem.²¹

In order to maximally utilise the human capital, without “pulling it out” of the work environment, cooperation with cybersecurity entrepreneurs willing to share their potential to enhance the state’s cyber defence capabilities should be considered. Such cooperation could include participation in dedicated cyber defence exercises. There have been cases of entrusting private companies with conducting security checks, including penetration tests of the ICT systems owned by ministries of defence. Another scenario to consider is to utilise the potential of companies and entrepreneurs associated in organisations similar to Polish Civil Cyber Defense Association, both by involving them in intersectoral and interministerial cybersecurity exercises and requesting them to conduct penetration tests or simulated cyberattacks on key ICT systems. These entrepreneurs could be engaged in developing effective methods and techniques to secure critical ICT systems by tapping into their experience in repelling cyberattacks on their own systems.

Sources:
1. Doktryna cyberbezpieczeństwa Rzeczypospolitej Polskiej, National Security Bureau, 22 January 2015, ISBN: 978-83-60846-25-4, p. 9.
2. Own translation, http://www.ncbir.pl/gfx/ncbir/pl/defaultopisy/575/6/1/polaczony.pdf, p. 42–46.
3. WikiLeaks ujawnia klientów rządowego szpiegowskiego oprogramowania FinFisher, 2014, [online] https://niebezpiecznik.pl/post/wikileaks-ujawnia-klientow-rzadowego-szpiegowskiego-oprogramowania-finfisher/?similarpost (access: 11/05/2017).
4. Niemiecka policja infekuje rządowym trojanem (R2D2), 2011, [online] https://niebezpiecznik.pl/post/niemiecka-policja-infekuje-rzadowym-trojanem-r2d2/ (access: 11/05/2017).
5. Dmitruk T., Projekt nowego Planu Modernizacji Technicznej, 2016, [online] http://dziennikzbrojny.pl/artykuly/art,2,4,10262,armie-swiata,wojsko-polskie,projekt-nowego-planu-modernizacji-technicznej (access: 11/05/2017).
6. Cyber Security Strategy 2014-2017, Estonian Ministry of Economic Affairs and Communication, p. 7.
7. French National Digital Security Strategy, Agence nationale de la sécurité des systèmes d’information (ANSSI), 2015, [online] https://www.ssi.gouv.fr/uploads/2015/10/strategie_nationale_securite_numerique_en.pdf, pp. 30-31 (access: 11/05/2017).
8. Who will be involved in the NATO Industry Cyber Partnership?, [online] http://www.nicp.nato.int/nicp-stakeholders/index.html (access: 11/05/2017).
9. Tigner B., NATO tests cyber alerting tool, [online] http://www.nicp.nato.int/nato-tests-cyber-alerting-tool/index-2.html (access: 11/05/2017).
10. Why bidding on NATO contracts can boost your bottom line, [online] http://tradecommissioner.gc.ca/canadexport/157947.aspx?lang=eng (access: 11/05/2017).
11. NATO announces 3 billion EUR investment in defence technology, 2016, [online] https://www.ncia.nato.int/NewsRoom/Pages/160726_Announcement_3billion_investments.aspx (access: 11/05/2017).
12. Based on the announcement of contract awards published at https://www.ncia.nato.int/Industry/Pages/NCI-Agency-Procurement.aspx (access: 11/05/2017).
13. Réserve citoyenne cyber: une démarche originale, 2013, [online] http://www.defense.gouv.fr/actualites/communaute-defense/reserve-citoyenne-cyber-une-demarche-originale/(language)/fre-FR (access: 11/05/2017).
14. The Estonian Defence League Act, 2013, [online] https://www.riigiteataja.ee/en/eli/525112013006/consolide (access: 11/05/2017).
15. Wulman S., IDF unveils new cyber defense HQ, 2016, [online] http://www.ynetnews.com/articles/0,7340,L-4820035,00.html (access: 11/05/2017).
16. Tendler I., From The Israeli Army Unit 8200 To Silicon Valley, 2015, [online] https://techcrunch.com/2015/03/20/from-the-8200-to-silicon-valley/ (access: 11/05/2017).
17. http://www.wbe.wp.mil.pl/plik/file/akty/oslony/akt_199.pdf (access: 11/05/2017).
18. http://sandomierz.wku.wp.mil.pl/pl/7373.html (access: 11/05/2017).
19. CYBERSEC PL 2016 Rekomendacje, 2016, [online] https://cybersecforum.pl/files/2016/06/rekomendacje_cspl2016_pl.pdf (access: 11/05/2017), pp. 3-4, 10-11.
20. CYBERSEC 2015 Rekomendacje, 2015, [online] https://app.box.com/s/o0nb9edtybgxqo9apkjxuium2m6vq9gy (access: 11/05/2017), pp. 12, 16, 21.
21. Ibidem, p. 21.

Innovation made possible:
government-business
cooperation national
case studies
Lior tabansky

As the environment evolves at Moore’s Law speed (overall pro-
cessing power for computers doubles every two years), effective
cybersecurity requires innovation that transforms the current
practices and processes. Innovation generally arises from research
and development (R&D), which comprises:1
 Innovation

            BASIC OR FUNDAMENTAL RESEARCH
               (science, creating new knowledge
              with no specific application in view)

                      APPLIED RESEARCH
                    (new knowledge towards
                     a specific practical aim)

                        EXPERIMENTAL
                        DEVELOPMENT
                        (new products or
                           processes)

While the business sector performs the vast majority of applied research and experimental development in ICT, academia engages predominantly in basic research. Innovation, however, largely hinges upon the cooperation among all these actors: the government, business, and academia. Having originated in economics and management in the late 1980s, the National Innovation System (NIS) concept allows us to analyse the entire range of stakeholders and interactions between them.2 A common proxy for innovation is to measure expenditure on R&D as a percentage of Gross Domestic Product (GDP).

[Figure: R&D Intensity in OECD countries and other economies.3 GERD as % of GDP, 2010 to 2015, for ISR, OECD, SGP, GBR and POL.]

This chapter analyses three case studies of Government-business Cooperation in Innovative National Cybersecurity Strategies: Israel, the UK, and Singapore. These three countries are ranked among the top 10 in innovation (5th, 8th, and 10th respectively), with Israel and the UK considered world class powers, thus providing a useful reference point for Poland ranked 25th.4

[Figure: Overall rank in the Bloomberg Innovation Index 2015.4]
Israel: How to Become a World-Class Cyber Power in 5 Years

Israel has emerged as one of the leading global cyber powers in recent years.5

Since 2014, over 100 new cybersecurity companies have sprouted up in Israel, with 78 of them attracting nearly USD 400 million of investment in this period. At the government assembly held on 15 February 2015, the head of the Israel National Cyber Bureau (INCB) stated that the Israeli cyber industry made record achievements in 2014.

• Approximately 30 early-stage cyber firms raised over USD 200 million – a 40% increase over 2013.
• Eight Israeli cyber companies were purchased by foreign investors for an overall sum of approximately USD 700 million.6

Exports by Israeli companies in the cyber field were later estimated at approximately USD 3 billion in 2013, three times greater than the United Kingdom’s. The Economist reported that the volume of Israeli cybersecurity exports rose to USD 6 billion in 2014, second only to the U.S., and three times higher than the target the UK set for 2016.7 Israel currently attracts some 15–20% of global commercial cyber R&D investment. With 3,100 to 4,200 active tech startups, Tel Aviv ranks fifth in the world among the best startup cities, and first outside the U.S.8

[Sidebar: 250 cyber-security companies; 5 cyber-research centres; $3.5−$4bn Israel’s cyber-security sales in 2015; 20% global share of private-sector cyber investment; 100% rise in share of cyber investment compared to 2014.]

These are the results of the policy efforts, including the government support for the business sector in the creation and absorption of innovation.

The National Cyber Initiative was the expert committee which Prime Minister Netanyahu tasked in 2010 with a review of cybersecurity and Israel’s policy. The key question the committee scrutinised was how to incentivise and develop cyber technology in Israel, so it ranks among the top five world leaders by 2015.9

The bottom line of the recommendations made by 80 experts from all sectors working in 8 subcommittees for 6 months was to boost collaboration in the Israeli ecosystem involving the government, defence, academia, and industry.

The Government Resolution No. 3611 of August 7, 2011 ‘Advancing National Cyberspace Capabilities’10 accepted the National Cyber Initiative’s recommendations, becoming Israel’s public National Cybersecurity Strategy.

Stressing the need to advance cyber R&D, the new Israel National Cyber Bureau (INCB) was tasked with:

• promoting research and development in cyberspace;
• boosting the cyber industry in Israel (based on exports).

As of Q1 2017, five universities established Cyber Research Centres supported by the INCB. Inaugurated in September 2014, Tel Aviv University’s Blavatnik Interdisciplinary Cyber Research Centre (TAU ICRC) is the first institutionalised Israeli government-academia partnership in cyber-related research. The INCB funds nearly half of the research budget, but the fund allocation is institutionally independent and guided by the standard academic criteria of research excellence.

      To improve the defence of national infrastructures essential for maintaining a stable and productive life in the State of Israel, and to strengthen those infrastructures against cyberattack by advancing Israel’s status as a centre for the development of information technologies while encouraging cooperation among academia, industry, and the private sector, government ministries and special bodies.
      The Government Resolution No. 3611 of August 7, 2011, Advancing National Cyberspace Capabilities recommendation

The government refrains from commanding innovation processes. In addition to science and engineering, TAU ICRC also conducts policy research and public outreach.

The government via the INCB coordinates the development of the cyber industry, with the main project being the establishment of an additional cybersecurity cluster in Be’er Sheva co-locating the government CERT, military intelligence and technology units, the Ben Gurion University, and businesses. As part of the Be’er Sheva project, the government provides infrastructure and incentives, such as the refund of up to 20% of every cyber-related employee’s gross salary to commercial cybersecurity entities in order to attract companies to set up their business there.11

United Kingdom: Europe’s Cybersecurity Frontrunner

The UK published its National Cyber Security Strategy in November 2011, just after Israel did.12 The UK Strategy addressed economics, not only security, setting a target of GBP 2 billion (USD 2.6 billion) cyber security exports to be reached by the end of 2016. In collaboration with industry, academic and international partners, this 2011-2016 Strategy achieved tangible progress.

• In critical national infrastructure protection, government worked together with owners and operators, putting plans in place for managing cyber risks.13
• Businesses of all shapes and sizes can receive unprecedented levels of government-supported expert guidance and training to help them manage their cyber risks, such as the Cyber Essentials scheme.14

[Figure: The UK Cyber Security Strategy 2011-2016: spending by thematic areas of work. Pie chart with segments ranging from £7.8mn to £441.8mn across ten areas: National Sovereign capability to detect and defeat high end threats; Law enforcement and combating Cyber Crime; Support to full spectrum effects capability; Private sector engagement and awareness; Improving and resilience of the Public Sector Network; Mainstreaming cyber throughout Defence; Education and skills; Incident management/response and trend analysis; International engagement and capacity building; Programme management, coordination, and policy.]
