The NATO Council of Canada would like to thank David Jones, Forum Europe, and NATO’s Public Diplomacy Division for their work in organizing the Conference “NATO: A Credible Security Provider?” The key themes of the conference included strengthening NATO’s security and defence capabilities, the security situation in Ukraine, and cybersecurity. The Conference programme can be found online here: http://eu-ems.com/agenda.asp?event_id=236&page_id=2041
Jenny Yang: You mentioned the opacity of cyberspace and in the media, there has been scaremongering and misinformation. What are the most common public misconceptions about cybersecurity you’d like to draw attention to?
David Jones: It’s a difficult question because the level of ignorance is so high that most people don’t realize what the threat genuinely is. Perhaps one of the main misconceptions is that what everybody wants to do is to get after your credit card data—that it’s the financial asset and financial loss, which is always the one that’s being targeted. But it just isn’t. And one example of that, I guess, is that on the black market, the current rate for a credit card is about the same as the current rate of a Facebook account and password. And the reason for that is if the bad guys are going to use your Facebook account, then, because, as you know, your Facebook login can be used to log in to many other systems as well, so they haven’t just got access to Facebook, but they’ve got access to potentially lots of other things as well. But also, if they can get into your Facebook account, they can introduce malware that can open up many other prospective things as well. So the probable answer to that question really is the assumption that it’s always the financial data, which is the target.
JY: You also mentioned in your presentation the idea of a Moody’s-based ratings agency but for countries and security. How would that work?
DJ: We’ve been working with this for such a long time. What we wanted to do was find a way in which, in particular, you couldn’t give absolute figures, but you could give relative figures, so we wanted to talk about the way in which certain countries could have a degree of preparedness for cyber. And the kind of things that would be – would be something like, we’ve got a good infrastructure, which has got a natural secure border for the internet, if you like; and in the UK, of course, we have a significant resource in GHQ (Government Headquarters) which looks after a lot of things that can come over the wall, to some extent, for certain companies. So you could see the way in which companies could have five or six basic things that they would need to do. All the well-developed countries would have those things. But they might have them in different degrees, which would mean they are better or worse prepared than somebody else. So the real idea about it was that you could give relative differences between countries. What every country would want to do is to raise that position.
JY: You could quantify it?
DJ: That’s right. But the issue is quantification. Because if you look at what’s said in the Economist magazine’s quality of life index, where it talks about the rule of law, crime rate, education, birth rate, number of children who died before the age of nine months, pollution, I think it’s got ten metrics, all of which literally got a value. So it’s a very objective way of using an index, and it comes to two decimal points.
JY: What are the metrics that you would suggest?
DJ: This is the problem. Because of the opaque nature of cyber, what would you pick? And you can’t even go off and pick ‘What is the likelihood that an individual will be a victim of cyber-theft’. Because if the cyber-theft is, let’s say, someone penetrating your Facebook account, you probably don’t know that this happened.
And that’s the problem that we’ve got in the whole project, which is that you could construct a wonderful model, but fundamentally it’s all down to what you can measure.
JY: And is this related to your project with Airbus?
JY: Is there anything that you would like to tell readers in Canada about your new project or anything that you would like to draw attention to?
DJ: One thing that’s been interesting for us is when we look at different nation states, is the degree in which they’ve got strategy in place that starts to prepare for cyber-threats. So a good example is the UK, in particular, which published a good solid strategy with a good budget behind it. The US published the strategy at about the same time, and it’s literally very thin, it’s a very light document, it doesn’t have the weight behind it (I’ve not looked at the Canadian work), but again, in the UK, what we’ve done well, is that the work has been attributed to a government minister who has got the authority of the prime minister to go off and implement that. So again, one of the things that I think is very relevant here is the way in which cyber is a cross-portfolio issue. Cyber is relevant for defense, home affairs (what we call Home Office in the UK), business (because of the property loss), the Exchequer (responsible for tax and the welfare system) and health. So the difficulty is, if you have a budget for cyber, which minister do you attribute it to, because it crosscuts all of them? A lot of the work we’ve done has been looking at the government’s work at the very high level and find the way in which individuals have got a crosscutting portfolio to deliver their authority. And it’s likely that that part of the research is actually more valuable, because putting a subjective measure and metric is almost impossible.
JY: Nowadays how would you balance security with the openness of the Internet? Or would you say it’s a false dichotomy?
DJ: Yes. That’s a good question. Most people, if you actually ask them, would they prefer to have protection from terrorist threat and if that cost liberty of their data, most people would say yes to that. When you’ve got to put a balance in place, it’s probably in favour of protecting the nation state, protecting the assets, even if you know that government has access to your data. That’s generally what we found in the research anyway. And that was the 70 percent of the UK population that feel that’s something they are prepared to live with.
JY: In the post-Stuxnet era, what would a cyber-war look like?
DJ: I don’t know. It could look like an attack on the health care systems. So what you might choose to do is to breach health care systems. You might choose to change blood types on records. Essentially, that’s terrorism, but on a state scale. You might choose to attack the energy systems of a country, water purification, sewage control, traffic management, air traffic control (so aircraft fall from the sky) – it’ll be different from any kind of conventional warfare.
JY: And what’s NATO’s role in all this? Is it just promoting best practices?
DJ: NATO’s role is to fall asleep and ignore it all. NATO are miles away, absolutely miles away.
JY: And how could they improve, what would you suggest?
DJ: The only way in which they can really improve is that the top authorities of NATO, the secretary-generals within NATO, take personal responsibility for it. That’s the only thing that they don’t have.
JY: What does that mean, to take personal responsibility?
DJ: The individuals at the very top of NATO choose to say: ‘we’re making cyber-threat our number one concern. Above Ukraine, above Syria and Iraq, above Boko Haram and Egypt and all of those things’.
JY: And would that mean giving it more funding?
DJ: Yes, it needs to have funding, visibility, better coordination.
JY: And would you list a government that’s setting a good example at all?
DJ: No, because there aren’t any. In the US, they are probably the closest there. But mainly that’s because of the threat they found of intellectual property theft from China. That’s mainly why. And President Obama gave speeches and they’re pushing legislation through in the US. So they’re doing most, but they’re not doing enough.
JY: There was one panelist who compared this to an arms race. Would you say that’s accurate? For example, in China they have an elite hacking team and I’m sure the US has their own.
DJ: Absolutely. It is an arms race. But the difference is, that if you have a helicopter, then the procuring process takes three years. Designing, building a helicopter takes another ten years. And then eventually you start to use it. Whereas in the cyber domain, these weapons are designed to change within months.