Strategic Cyber Security Situational Awareness

Next Article

The Challenge of Countering Hybrid Threats

Today’s leaders and decision-makers need efficient strategic cyber situation awareness to secure sensitive data, sustain fundamental operations of society, and protect national infrastructure. The cyber security approach requires a right measured cyber threat intelligence, real time cyber-attack detection and especially the ability to cyber-attack early warning.

Text by: Martti Lehto, Professor in Cyber Security, University of Jyväskylä 

There are a wide range of Internet threats and attacks from viruses and worms, to distributed denial of service (DDoS) attacks and data theft and data manipulation and critical infrastructure paralysis. Many proactive techniques have been proposed to deal with these threats. All these techniques pursue the same goal - preventing attackers from reaching their objectives.

There are different systems for a proactive approach against cyber security threats. Those are carried out through the early detection of potential malicious action of a system, evaluating the scope of malicious action, and using or proposing suitable response against any kind of detectable security event.

SIGNIFICANCE OF CRITICAL INFRASTRUCTURES

Securing the continuity of critical infrastructure operation and rapid recovery from incidents are particularly vital in order to minimise the knock-on effects of service outages on society’s functions. The forming and maintenance of cyber security situational awareness at different levels of responsibility of critical infrastructure operation and making the decisions needed in each individual situation play a key role in continuity management. The complex interdependencies of critical infrastructures necessitate extensive situational awareness with broad coverage regarding the national cyber security situation and the factors affecting it.

Timely decision-making by the Government and the authorities can be supported by producing the strategic situational picture of cyber security needed to manage the securing of society’s vital functions. The situational picture system is used for the management of different incidents and emergencies, data collection and analysis, communications, decision-making, and leadership.

The strength of organizations’ situation awareness is the possibility to learn about threats directly from the own operating network or partners and the use of announcements of the National Cyber Security Centre. On the other hand, overall situation awareness is often based on scattered data, and obtaining situation awareness of the entire operating network is challenging. Real-time situation awareness of IT assets and operational technology (OT) is also challenging.

EU PERSPECTIVE

The EU lacks collective strategic situational awareness of cyber threats. This is because national authorities do not systematically gather and share information - such as that available from the private sector - which could help assess the state of cybersecurity in the EU.

The latest EU cybersecurity strategy (16.12.2020) emphasizes the importance of the situation awareness and early warnings on cybersecurity incidents to authorities and all interested stakeholders. To this end, the EU Commission proposes to build a network of Security Operations Centres (SOC) across the EU, and to support the improvement of existing centres and the establishment of new ones. Through sustained cooperation, this network will provide warnings on cybersecurity incidents, including the Joint Cyber Unit. A Joint Cyber Unit would serve as a virtual and physical platform for cooperation for the different cybersecurity communities in the EU, with a focus on operational and technical coordination against major cross border cyber incidents and threats.

CHALLENGES OF THE CURRENT STATE IN FINLAND

Based on the research in 2017 in Finland the situational picture of the cyber environment is fragmented, and any understanding of it as a whole is based on information shared between the authorities, the private sector, researchers and experts.

A situational picture that would cover all national cyber environment actors is not being put together and analysed, and capability for making decisions is lacking.

Lack of powers prevents the creation of efficient observation capability and thus a cyber security situational picture needed for effective management. While different actors have systems built for their own use, shared national situational awareness that could be used both at the strategic and operative level is lacking. The current operating model is sufficient for managing minor cyber-attacks, but situational awareness and understanding are inadequate for thwarting complex and extensive attacks.

The structure for maintaining situational awareness was improved as the strategy was formulated, but it continues to have shortcomings at the practical level. Yet unresolved questions are associated with maintaining a shared situational picture, including who needs what information, on what cycle it is needed, and what type of information is required. From the perspective of improving cyber security preparedness, we must be able to trust that information will flow during incidents and that the actors will know how to respond to it as indicated by their duties.

In terms of the strategic-level situational picture, the fact that private sector actors do not generally bring the violations or data break-ins observed by them to the attention of the authorities is problematic. The reason for this frequently is the confidentiality of data and risks to reputation. Due to the complexity of the cyber environment, an ability to analyse all observations would be vital, as events in the cyber environment can only be understood through an analysed big picture.

ANALYSIS OF THE CURRENT STATE OF CYBER SECURITY SITUATIONAL AWARENESS

The different parties involved in developing national situational awareness should be able to improve their operations through more effective technical methods, strengthen network-based operation and focus on utilising artificial intelligence methods in shared use.

The most significant organisations associated with the functional capacity of Finnish society have developed a relatively good ability to observe the situational picture for the part of technical capabilities. Their ability to do so is also improved by networking within their sectors and partly also more extensively, which is supported by good cooperation between the authorities and the private sector. The significance of situational awareness shaped by different organisations’ situational pictures (situational picture and its analysis) for the management of entire national cyber security is crucial.

The response to national incidents consists of the techniques used by different organisations, procedures developed for responding to incidents, and the observation data of different trust networks. This fragmented ability to observe the organisation-specific situational picture and the data reserves it entails could also be used in the analysis phase of large-scale incident management. Preconditions for this arrangement would include the strategic cyber security situational awareness, the creation of joint operating models and an arrangement based on voluntary exchange of information. A joint data warehouse would enable the further processing of information to analyse a large-scale incident. The required analysis capabilities could be implemented as a network (virtual analysis).

CONCLUSION

Due to the increasing attack surfaces on IT / OT and critical infrastructure systems and limited, national cyber capabilities, the number of service disruptions and cyber-attacks against essential systems and networks is constantly rising. Therefore, strategic cyber situational awareness is absolutely essential.

The different parties involved in developing national situational awareness must be able to improve their operations through more effective technical methods, strengthen network-based operation and focus on utilising technical methods in shared use.

Efficient cybersecurity for networked complex critical infrastructures of nation is a challenging task. In this task, strategic cybersecurity situational awareness is a cornerstone to ensure that all systems vital to society are protected in a meaningful way. However, strategic cybersecurity situational awareness can be built in various ways. Several artificial intelligence-based monitoring and analyzing techniques can be applied. The usage of situational awareness varies from short-term operational to long-term strategic decision making.

The national strategic cyber-policy, appropriate legislation, and its suitability to improve strategic situational awareness are key criteria and imperative for national resilience.

Martti Lehto, Professor in Cyber Security University of Jyväskylä 

Martti has over 30 years of experience mainly as developer and leader of C4ISR Systems in Finnish Defence Force and Air Force. I’m PhD (Military Sciences) and working as a Professor (Cyber Security) in the Faculty of Information Technology at the University of Jyväskylä. I’m also Adjunct professor in National Defence University in Air and Cyber Warfare. My research interest is Cyber Security and Cyber Defence.

Specialties: Cyber Defence and Security, Air Power and Cyber Security, C4ISR Systems, Military materiel procurement, Systems Thinking 

Research mentioned in the article is made in the University of Jyväskylä: Lehto M., Limnéll J., Kokkomäki T., Pöyhönen J., Salminen M. Strategic leadership of cyber security in Finland, Publications of the Government´s analysis, assessment and research activities 28/2018