MONITOR SECURITY INTELLIGENCE RESILIENCE STRATEGY
RELAUNCH EDITION
EDITORIAL Dear Reader,
Editor: SIRS Consultancy Ltd. info@sirsconsultancy.com monitor@sirsconsultancy.org.uk Company Website: www.sirsconsultancy.com Twitter: @SIRSconsultancy Thanks to our contributors: John Palser, Luigi Castellani, Warren Dym, Marika N. Josephides, Stephen Blank, Dan Solomon. Images in this publication may be under copyright. Copyright © SIRS Consultancy Ltd. No part of this publication may be reproduced, copied or transmitted in any form or by any means, or stored in any information storage or retrieval systems, without the publisher's express permission. Although every effort is made to ensure the accuracy and reliability of the material published, SIRS Consultancy can accept no responsibility.
Welcome to the first edition of the re-launched ’Monitor’ magazine and the return by SIRS Consultancy Ltd to the publication of a regular journal devoted to the widest possible range of security and resilience issues. We hope that this, in addition to the larger projects on which the company is currently working, will help to generate increased awareness of relevant matters including security threats, terrorism and counter-terrorism, intelligence, policing, geopolitics, current military issues, and also resilience efforts to meet both malicious and non-malicious threats. This first issue of the new ‘Monitor’ certainly aims to meet this requirement, containing as it does articles focusing on a variety of areas. These include European energy resilience, cyber security since the emergence of Stuxnet, ongoing tensions between Japan and China, cyber resilience planning and practice, the security of Heathrow Airport and how local communities should aim to prepare for the impact of natural hazards, such as flooding. Additionally, this edition of ‘Monitor’ features an in-depth review of an excellent new book on cyber security, Cybersecurity and Cyberwar: What Everyone Needs to Know, by P.W. Singer and Allan Friedman. The articles featured in ‘Monitor’ are all written by experts in relevant fields, who come from a variety of professional backgrounds. ‘Monitor’ aims to appeal to both established specialists in the fields that the magazine covers, and also to members of the wider public who may be interested in the issues under scrutiny. In today’s uncertain world, we believe that an awareness of security and resilience issues must spread beyond those who already have significant work experience in relevant fields. Security and resilience matters of all types could potentially have an impact on individuals throughout society, and it is with this in mind that ‘Monitor’ is being re-launched. 
We hope that you find ‘Monitor’ both interesting and informative, and that you will continue to read the magazine as it progresses and develops.
CONTENTS
SIRS : AN INTRODUCTION
HEATHROW : THE ETERNAL TARGET BY : JOHN PALSER
RESILIENCE : BACK TO THE PAST BY : LUIGI CASTELLANI
ENERGY RESILIENCE : RUSSIA, UKRAINE, AND THE PROSPECT OF ANOTHER GAS WAR BY : WARREN DYM
BOOK REVIEW : CYBERSECURITY AND CYBERWAR: WHAT EVERYONE NEEDS TO KNOW
“WHAT DOESN’T KILL YOU” : CYBER RESILIENCE AND THREAT BY : MARIKA N. JOSEPHIDES
JAPAN RESPONDS TO MULTIPLE SECURITY CHALLENGES BY : STEPHEN BLANK
CYBER RESILIENCE : THE NEVER-ENDING STRUGGLE BY : DAN SOLOMON
Images in this publication are not original to SIRS Consultancy Ltd.
SIRS : AN INTRODUCTION
SIRS Consultancy Ltd is a UK-based company, created in early 2011, which focuses primarily on the research and analysis of current intelligence, security, geopolitical and resilience issues. Since its establishment, SIRS has created and maintained a proven track record of providing accurate and timely insights concerning current and emerging security matters. During its initial year of operation, SIRS was the first company to create and publish a comprehensive report, titled ‘National Security Risks: Immediate Challenges Before Summer 2012’, which focused on the whole range of security threats and resilience issues that Britain faced prior to the 2012 Olympic and Paralympic Games. The Parliamentary launch of this major report, in conjunction with cross-party political entities such as the All-Party Parliamentary Group on Specialist Security and the House of Commons Home Affairs Committee, allowed SIRS to forge its initial links with the UK political community, which still continue. Furthermore, several recommendations made in this report were included on the British Army’s intranet as training material. SIRS was able to further capitalise on the success of its first major project by producing ‘Summer 2012 Threats: The Final 10 Weeks’ in May 2012. This focused on and explored the security and threat picture faced by Britain during the last two months before the 2012 Olympic Games, and served to provide an update and expand upon the conclusions of ‘National Security Threats: Immediate Challenges Before Summer 2012’. Furthermore, ‘Summer 2012 Threats: The Final 10 Weeks’ generated significant interest in SIRS as a company, and resulted in SIRS staff being interviewed by mainstream media outlets including BBC News Channel, Sky News, BBC Radio London, BBC Radio Five Live and ABC Radio Australia.
SIRS’ increasing relationship with media outlets has provided the company with significant and valuable experience in media liaison, and in supplying the media with concise and relevant analyses of current security and intelligence issues. Aside from its larger projects, SIRS Consultancy personnel have also written or contributed to articles on numerous relevant issues. These have included concerns as diverse as Islamist terrorism in the Maghreb and Sahel regions of Africa, cyber security, emergency response communications, ‘lone wolf’ terrorism and also the prospects for future peace and stability in Afghanistan. Furthermore, SIRS has also carried out extensive research to support projects by external clients. These projects have focussed on matters including the threat posed by al-Shabaab, piracy in the Indian Ocean, Mediterranean maritime security, and the size of the European Union’s state and private sector intelligence communities. As a result of the range of different projects that SIRS has worked on during the three years, the company’s personnel are highly flexible and adaptable in their approach to their work, and are able to work alone or in groups on projects of any size. Throughout 2012, SIRS Consultancy published the initial version of ‘Monitor’ magazine. As with the re-launched ‘Monitor’, this magazine featured articles covering as diverse a range of relevant security and intelligence matters as possible. Contributors to the original ‘Monitor’ came from a wide variety of professional backgrounds including private sector security analysis, academia, the military and law enforcement. 
‘Monitor’s’ scope in terms of content was global, with individual sections examining security or intelligence issues affecting particular countries, regions or continents, with other sections looking at more universal matters such as the technology of security, physical security, and lessons that can be learned from effective or ineffective responses to major incidents, such as terrorist attacks or ‘active shooter’ situations. Our aim is for the re-launched ‘Monitor’ magazine to be just as broad, if not broader, in the scope of its outlook and content. The original ‘Monitor’ ended its run in October 2012. This was due to significant staff changes at SIRS Consultancy, together with the emergence of new, large scale company projects which otherwise occupied the majority of SIRS’ personnel. Also, SIRS staff have, since the end of ‘Monitor’s’ original run, been working on their own independent projects concerning current security and intelligence issues, and furthermore have used the interim period to undergo relevant training in areas such as advanced intelligence analysis, source evaluation and the use of open-source research tools. These new skills will allow SIRS Consultancy’s staff to widen their professional remit and improve the level of service that the company can provide to clients. SIRS as a company is therefore more capable than ever.
Heathrow : The Eternal Target BY John Palser
As a modern transport hub, London Heathrow Airport is vital to the United Kingdom's (UK) economy and the country’s reputation around the world. The airport’s metrics provide a clear run-down of its significance: “total size of 1,227 hectares, two main runways, over 76,000 staff, 1,305 air movements daily, 86 airlines and 183 destinations served in 90 countries and average daily passenger numbers (both arriving and departing) of 190,100” (Heathrow Airport: Facts and Figures). With such expansive operations and passenger capacity, maintaining the airport's security is of paramount importance. But just what standards are currently being employed? More importantly, are they of a nature sufficient to counter the continuing terrorist threat to the UK? The scars of the 11 September 2001 terrorist attacks against the United States (US) (9/11) continue to run deep within the international commercial aviation sector. Much of the current capacity for operational judgement and planning is a direct result of that day and, mercifully, a duplicate attack has not yet materialised. However, while many airports around the world were forced to re-examine their security arrangements and admit their porosity, Heathrow was a facility acutely aware of terrorism. Admirable preventative measures, gained from experience, were being taken prior to 9/11. London has always represented a fertile breeding ground for terrorist and extremist groups holding both domestic and international agendas. As part of the critical national infrastructure with significant international links, Heathrow is the very definition of a prime target.
Plots involving the airport prior to 9/11 were directed both at the UK and against ‘proxy’ targets of foreign powers, such as national airlines. One such case occurred on 17 April 1986 when a Syrian intelligence official, Nezar Hindawi, coerced his fiancée into boarding an El-Al flight to Israel. At the gate “a vigilant security officer noticed that a supposedly empty bag was unexpectedly heavy, despite having been x-rayed. When stripped down, a blue plastic package was discovered containing an orange substance resembling Semtex. The passenger had passed through Heathrow security before being allowed to enter the transit lounge. However, El-Al ran their own security and was not content to depend on anyone else. The bomb was discovered and the lives of 374 people were ultimately saved” (Gurney 1993, 178). However, it is not only threats from within the airport that Heathrow security has had to contend with. In 1994, three attacks on Heathrow were orchestrated by the Irish Republican Army (IRA) from outside the perimeter fence. On 10 March, “a Nissan car was positioned in the car park of the Excelsior Hotel opposite Heathrow Airport. Three mortars were fired from its boot and landed close to the northern runway. Just after midnight on 11 March, the IRA struck again, sending four mortar shells toward the southern runway. A third attack on the morning of 13 March made a mockery of security, a timing device enabling the terrorists to bury the third launcher days before the attack” (Dillon 1994, 298). The immediate effect of 9/11 was a significant augmentation of security regardless of cost. This went hand-in-hand with the consideration of who held ultimate responsibility for such measures. Should Heathrow Airport, the UK Government and the security services form a collective or should the airlines be expected to bear the financial burden?
A prime example of this was the case of the UK-based Smiths Group, “which saw annual revenue from its detection gear rise after 9/11 from about £130m to £574m – an indication of the costs that have been passed on to passengers. Aviation security is a matter of national security and state security. Businesses don't pay for police on the streets.
A SUCCESSFUL ATTACK ON HEATHROW WOULD DAMAGE THE UK'S INTERNATIONAL REPUTATION. (IMAGE © JOHN PALSER)
Yet for some reason aviation is singled out to pay for security against threats that have nothing to do with aviation but more to do with powerful geopolitical forces” (‘The Guardian’, 7 September 2011). However, aside from a surge in investment for additional security equipment for screening passengers and luggage, and restrictions on certain items such as penknives and scissors, there was no real ‘overhaul’ of Heathrow’s security. Compared to the endemically lax security within major US airports, particularly the likes of Logan, Dulles and Newark from where the 9/11 flights had originated, Heathrow’s existing operations were admirable. The Metropolitan Police continued to provide security both in the terminals and on the perimeter roads, the British Airports Authority (BAA) and the Department for Transport worked to ensure high standards of border control and, as a result, passengers were able to undertake their journeys with minimal delay. It would be subsequent UK plots which would impact Heathrow’s security provisions much more indelibly. The parameters put in place after 9/11 were in no way a cure-all. Rather, they provoked a mutation in terrorist thinking and a re-imagining of tactical approach. An immediate example was the threat of a plane being shot down on take-off. Disaster was narrowly avoided when a missile attack on an Israeli airliner over Mombasa in 2002 came to naught. By 2005, Heathrow was in the cross hairs. British police “arrested Kazi Rahman. Undercover police and MI5 officers had negotiated with him for three months as he upped the stakes and offered more cash. His wish list included Man Portable Air Defence Systems (MANPADS), a shoulder launched surface-to-air missile. Several years earlier in 2003, police had discovered what seemed to be early plans to use such weapons around Heathrow’s perimeter fence. It looked like someone had flattened the ground in preparation for bringing them in. 
Heathrow’s dedicated patrols were stepped up, randomly checking places on the perimeters from which planes could be shot down” (Hayman 2009, 340). By far the most significant impact on Heathrow’s security came in 2006. In a case almost beyond imagining, “more than 4,000 people could have been killed if bombers had succeeded in blowing up ten flights from the UK to America – a death toll worse than 11 September 2001. Deputy Commissioner of the Metropolitan Police, Paul Stephenson, said ‘We are confident we have disrupted a plan by terrorists to cause untold death and destruction.
Put simply, this was intended to be mass murder on an unimaginable scale’. Hand baggage has now been banned from all UK airports. No liquid was allowed to be carried on board and passengers who did manage to fly were given clear plastic bags for their travel documents and wallets. It is thought the gang were plotting to conceal liquid explosives inside drink bottles and trigger the device with the flash from a disposable camera” (‘Metro’, Article 1, 11 August 2006). This plot directly impinged on the travelling public's freedoms and on Heathrow’s procedures for monitoring individuals and their belongings. Even though the plot was a failure, the fallout was still significant in terms of general disruption. In monetary terms for example, “British Airways shares fell five per cent, wiping £200 million off the company’s value. Accountants Grant Thornton said the disruption could cost the whole economy at least £3.2 million for every hour of delay through lost productivity. An average three hour delay could lose Britain £10 million a day” (‘Metro’, Article 2, 11 August 2006). But fail it did and if one thing was aptly demonstrated, it was the importance of Heathrow’s on site security being supported by the covert actions of the police and security services in foiling potential attacks.
THE POLICE AND SECURITY SERVICES HAVE MANAGED TO PREVENT A NUMBER OF PLANNED ATTACKS. (IMAGE © JOHN PALSER)
Had the plot succeeded, the levels of international criticism which would have been levelled at the UK can only be imagined. Conversely, public confidence in flying from Heathrow would also have been irreparably damaged. More than 9/11, the liquid bomb plot has continued to shape Heathrow’s security capability and significant technological additions. Within the airport, a prime example is “the Aurora Facial Imaging Recognition system, the most advanced to be used in a UK airport and approved for use at Heathrow following an 18-month trial by BAA and the UK Border Agency” (‘Evening Standard’, 20 July 2011). Externally, “Cambridge UK design house Plextek has had its advanced Blighter radar technology adopted by BAA to enhance perimeter security. The complete airport perimeter surveillance solution includes long-range day and night cameras and a network of high definition cameras, capable of quickly identifying and tracking intruders detected by the Blighter radar” (‘Business Weekly’, 30 May 2012). With regards to Heathrow Airport’s overall security strategy, most of the required key aspects of security are fulfilled: passport control and passenger screening prior to entering the departure area are highly stringent; the presence of both armed and unarmed police is a reassurance to passengers as much as it is a deterrent to would-be terrorists; the security equipment currently in use is of leading quality and a result of significant investment; and perimeter security is able to identify potential launch sites for missile attacks. Indeed, not since the three-day debacle of IRA bombardments in 1994 has a successful attack been perpetrated at Heathrow. However, that is not to say that terrorism has been nullified as a danger. There continues to be an assumption that a terrorist’s main aim is to get on board a flight and then launch an attack.
However, there is very little to stop a suicide bomber from detonating a device anywhere in the airport prior to being searched at passport control. Within a group like Al-Qaeda’s modus operandi, this would fit perfectly with their stated aims (no-warning attack, killing innocent civilians, hitting an infrastructure target). This concept is not an alien one either, as was demonstrated in 2011 when “a Chechen militant detonated explosives in the international arrivals hall at Domodedovo Airport, 26 miles from Moscow city centre. 35 people died, including at least 8 foreigners and 180 were injured” (‘Metro’, 25 January 2011).
This attack made front page news around the world, with strong coverage assured by the choice of target and the fact that civilians of many nationalities lost their lives. With Heathrow’s status as one of the busiest airports in the world, a carbon-copy attack would produce exactly the same result. Even the armed police presence would not guard against this sort of attack. This links into the idea of pre-emptive intelligence, with plots being shut down well before the zero hour. However, there is again the assumption that an attack on Heathrow will always be attempted by the sort of terrorist cells involved in the 2006 plot. In fact, it would seem that there would be more to fear from a ‘lone wolf’ attack on a target such as Heathrow. This leads into a major issue lacking from Heathrow’s security: profiling. The use of profiling, whether on the streets to reduce crime or in an airport to prevent terrorism, is a concept that is mired in controversy. Some minorities see it as a form of stereotyping. Others see it simply as an anathema to the idea of civil liberties and of the individual being innocent until proven guilty. However, when used in the right way, profiling could represent a positive addition to the security apparatus at Heathrow. Terrorists may be able to use ingenuity to design devices that are easier to conceal and smuggle onto planes but they cannot mask basic human behaviour with guile. The Israeli national carrier El-Al is a perfect example. Their use of profiling has been a major success in countering terrorism. Some have criticised the fact that “its screening process is so time-consuming that passengers are required to arrive three hours before all flights and that passengers can be interrogated separately by three different screeners” (‘ABC News’, 1 October 2001), but one look at the airline's safety record demonstrates that it is largely a precision tool. 
With this in mind, it is heartening to see that future improvements in technology at Heathrow will include an element of profiling: “a three-channel passenger screening system will categorise people according to risk, then separate them into 'enhanced', 'normal' and the least risky, 'known traveller'. The new technology would rapidly screen passengers, depending on the channel they go through, to cover advanced X-ray, shoe scanning, full-body screening, liquid detection and electronic sniffing for traces of explosives” (‘Daily Mail’, 5 September 2011).
HEATHROW IS A KEY COMPONENT OF THE UK'S CRITICAL NATIONAL INFRASTRUCTURE. (IMAGE © JOHN PALSER)
Another issue with Heathrow’s security is the lack of support from the major airlines. Indeed, who is ultimately accountable for the security of passengers? As the providers of airport facilities, should it be Heathrow? Or should it be up to the airlines, the companies who ultimately transport the public, to act as the guarantors of safety? In many instances where pressure has been put on airlines to cooperate more closely with airport authorities or where technological improvements have been offered, the results have been less than positive. Prior to 9/11, when toughened baggage containers were being discussed, the response was decidedly negative: “Virgin Atlantic said: ‘we feel that first and foremost our and airport’s resources should be focused on preventing suspect packages being taken on board in the first place’. Philip Baum, editor of Aviation Security magazine, said: ‘One hundred per cent screening of baggage does not mean one hundred percent of devices are detected. You are relying on human beings who are operating equipment’” (‘The Times’, 9 January 2001). The same was true when the feasibility of missile counter-measures on planes was discussed: “Regarding on board anti-missile systems, a British Airways source said: ‘We would never say never to this type of equipment but our view at the moment is that it belongs in the realm of highly sophisticated military planes’. BA would have to spend half its £1.4 billion cash reserves to install the devices. A Department for Transport source said: ‘While feasible, the system would be expensive and would not protect against all types of missiles. The best protection is good intelligence and security around an airport perimeter’” (‘The Times’, 29 November 2002).
On the positive side, these examples demonstrate just why Heathrow has had to maintain its security: because of appalling pressure and a constant arbitration of responsibility by the airlines for passenger safety. The case needs to be stated more clearly that airlines have a duty of care to their customers. Ultimately, despite the utmost vigilance and best efforts of Heathrow officials, the airline is the last point of defence in stopping a plot from succeeding. In conclusion, the security measures in existence at Heathrow have been sufficient up to this point. Despite the post-9/11 upsurge in international terrorism, neither Heathrow nor the flights using it have been successfully attacked. However, terrorists are continually seeking to circumvent new security procedures. Heathrow cannot afford to stagnate and must be vigilant to new threats and parallel counter-measures, particularly in light of asymmetric warfare's continuing focus on the apparatus of civil aviation.
Resilience : Back to the Past BY Luigi Castellani
Resilience can be viewed as an effort to develop protective measures which confront and reduce the that can impact on and disrupt everyday life. Resilience is a very ancient concept and can be found in Greek myths. It is also linked to psychoanalysis in connection with the term ‘defence’, which is now defined as ‘active adaptability’ between risks and protective factors. In reality it is the lifestyle adopted by the farmers, shepherds and woodcutters of previous generations when faced with natural hazards, unaware that it was what we would today refer to as resilience. But how can we move from the concept of Civil Protection and Defence to that of actively adapting to prevailing environmental conditions that make resilience preparation a necessity? The outlook and perceptions of Italy’s Civil Protection planners do not help. In Italy only limited resources are allocated to preventative measures, whereas significant support is given to emergency response preparations. There are several factors that contribute to this situation. However, significant among these may be the fact that the Italian media often reports on emergencies with regard to the level of funding that has been allocated by local, regional or national politicians in order to mitigate the effects of the situation in question. It is likely that this, rather than the quiet and constant work of prevention that no one will notice or appreciate, even when the latter proves successful, will bring the politician(s) in question more votes during subsequent elections.
TESSINO TORRENT IN SPOLETO, UMBRIA (IMAGE © LUIGI CASTELLANI)
So the crux of the matter is the perception both of the risk and actions designed to prevent and mitigate it. This is why there is a need not only for a new politics, but especially a new awareness by citizens of their ‘habitat’, and the environmental risks that it faces. If we contemplate the seismic risk, in Italy only six percent of citizens live in homes that are adequately constructed. What about the others? They are often unaware of the risk to their home, but the worst is that they firmly believe that if an earthquake destroys their house, the Government will provide financial support for its reconstruction. It is essential to move away from relying too heavily on local government for the implementation of resilience measures. We have returned to the point at issue, namely that Civil Protection invests almost entirely in preparing for times of crisis in order to contain the effects of an incident or situation, instead of considering the environment as the frame within which we must learn to live. In a country like Italy, where the risk of seismic events is widespread, there is a need to work day-by-day to limit the effects of any significant seismic event, just as the farmer takes care of their land to avoid spending more assets in order to recover from any damage that it might suffer. In effect, the economic resources invested for emergency and reactivation efforts are significantly greater than those necessary to adapt to prevailing environmental risks and issues.
This is as true of preparations designed to mitigate the effects of flooding, as it is of measures which aim to limit the damage caused by seismic events. The territory in which we currently live is not ‘natural’, but formed by at least 35 centuries of steady human activity. This work of farmers, shepherds and woodcutters started to disappear during the post-Second World War period. With it went the ‘know-how’, the historical memories and knowledge of how to adapt to environmental factors, which would previously have been handed on to future generations. At the same time city planning, an effort unworthy of this name, has only tried to appease the hunger for ‘modern’ houses, industrial areas and appropriate infrastructures for population growth by building new cities which do not consider the integrity of the surrounding environment. During periods of rapid economic growth the safety of new towns was not taken into account. Also, the fact that the safety of these towns was dependent upon the care and maintenance of the surrounding land was not considered. Without adequate flood prevention works, retaining structures and walls to channel rain water, together with a lack of ongoing forestry operations, neglected hills and mountains have started to subside and collapse. Furthermore, there are riverbeds unable to contain floods and debris. We need to return to a direct and widespread management of vulnerable territory by all citizens, not only by farmers and woodcutters. In order to prevent flooding and maintain the integrity of land in at-risk areas, the same level of care needs to be taken as during historical periods of more widespread and intensive agricultural maintenance. Historically, ploughing was one of the hardest rural tasks. As a result of ploughing, the land dried by the summer sun was deeply turned over. This was fundamental to renew the land cycle, and was repeated at different times of the year. 
Moreover, additional grooves were dug to ensure the flow of rain water into canals and to prevent the destruction of crops and damage to agricultural land through flooding.
This is the concept of being an ‘active citizen’, working day-by-day to adjust to any hazards posed by the local environment, perceiving risks and learning to adapt; not through practical efforts, but instead by being an active observer, with a conscience sufficient to consider the security and common good of the local community. If we consider the operational role of local communities, there is the need to reorganise the function of the agencies that support Civil Protection efforts (fire brigades, police forces, local authorities, emergency services, etc) closer to planning, situation control, the research and assessment of risk scenarios and especially to the dissemination of advice and guidance. However Civil Protection would have the basic role of coordinating rescues and resolving the relevant situation. Civil Protection would also have the task of issuing weather warnings and reports and inspecting improvements made to private properties as part of wider resilience efforts. This latter role could entail the issuing of certificates confirming that improvements to private properties are of a sufficient standard.
Returning to the concept of territorial protection and resilience, how can we implement this idea in urban centres? Firstly, every citizen should directly supervise public works and infrastructure projects and secondly they should work to make their own home safe. The public could be persuaded to be active citizens through subsidies, tax breaks on real estate with an acceptable and certified level of safety and the related economic and commercial revaluation of the property, etc. So we can start talking about urban regeneration as resilience. This approach can be followed by bestowing funds and benefits to instill the concept that resources should be directed to ongoing efforts to ensure the safety of the citizens and not purely to the emergency response efforts. Since the first subject of sustainable urban regeneration must be the citizen, a civil and educational revolution would be needed to spread awareness of resilience and the importance of property, especially with regard to related taxes. Therefore, the citizen must know that buildings aren't everlasting and that the quality and safety of public spaces is a right. Clearly the use of official funds and / or benefits to strengthen private homes in order to increase the safety of properties to a sufficient standard, would involve assessments by technicians, engineers and local authorities in order to grant planning permission and ascertain if the planned work has met a minimum standard.
This is the concept of being an ‘active citizen’, working day-by-day to adjust to any hazards posed by the local environment, perceiving risks and learning to adapt; not through practical efforts, but instead by being an active observer, with a conscience sufficient to consider the security and common good of the local community. If we consider the operational role of local communities, there is the need to reorganise the function of the agencies that support Civil Protection efforts (fire brigades, police forces, local authorities, emergency services, etc) closer to planning, situation control, the research and assessment of risk scenarios and especially to the dissemination of advice and guidance. However Civil Protection would have the basic role of coordinating rescues and resolving the relevant situation. Civil Protection would also have the task of issuing weather warnings and reports and inspecting improvements made to private properties as part of wider resilience efforts. This latter role could entail the issuing of certificates confirming that improvements to private properties are of a sufficient standard. The essential task of the citizen is to be aware and ensure their own safety, which will lead to an increased level of local resilience. Obviously, the awareness of being an active citizen has a meaning as long as we talk in terms of natural hazards. It is quite different if we talk about industrial risk in peripheral metropolitan areas or in strongly industrialised areas. In this case, Italian law already allows citizens to participate in the initial planning of new buildings, whatever their end use is (infrastructures, residential districts, high-risk areas), and outline potential health and environmental concerns.
In October 2013 the XXVIII Congress of the National Institute of Urban Planning took place in Salerno. One of the main areas covered by the Congress was the ‘Ri.U.So.’ (Rigenerazione Urbana Sostenibile) project, which will focus on urban regeneration as a form of resilience.
FIELDS IN TREVI, UMBRIA. (IMAGE © LUIGI CASTELLANI)
This Plan for Sustainable Urban Regeneration, which follows the example of the National Energy Plan and which sets objectives and outlines the relevant political, regulatory and financial instruments, has the following aims:
private buildings, reminding the Italian population that there are about 24 million people living in earthquake-prone areas and about six million people in areas at risk of flooding;
the issuing of certificates confirming that they have reached a minimum standard of construction and / or reinforcement in order to meet resilience challenges.
To do this, the synergy between politics, technicians, business and finance isn’t enough but, as reiterated, there is a need for citizens to be aware of their local resilience needs and duties. The basic theory is that the future of our cities depends upon our ability, including as individuals, to facilitate their adjustment to the great current transformations. These include climate change, environmental, economic and social crises and also a finite amount of urban space. The citizen must understand that they are primarily responsible for their own security because without individual resilience there cannot be a collective resilience.
Energy Resilience :
Russia, Ukraine, and the Prospect of another Gas War BY WARREN DYM
On 1 January 2009 the Russian state gas company, withdrawing 20% of the European Union’s (EU) supply. Gazprom was embroiled in a pricing dispute with Naftogaz of Ukraine, which provides the largest gas transit route to the Balkans, Central Europe, and Western Europe. 80% of Russian gas exports to the EU passed through Ukraine at the time of the January 2009 disruption. By 2 January, Bulgaria, Hungary, Poland, Romania and Slovakia had already experienced shortages. By 7 January all Russian gas exports to the EU had stopped. Nations scrambled to enact emergency plans as temperatures dropped. The hardest hit region was South-Eastern Europe, where gas dependency on Gazprom could amount to 100%, and where the global economic downturn had undermined an already vulnerable energy sector. Some 700,000 apartments in Sarajevo, for example, lost heating, as suburban consumers turned to alternative fuels like wood, or found refuge with relatives and friends elsewhere. In Bulgaria, Greece, Moldova, Serbia and other regional nations, stored gas, fuel oil, hydroelectric power, liquefied natural gas (LNG), or emergency help from across borders all lessened the severity of the shortfall from Russia. Critical factors included water level and temperature—that it remained above freezing helped to avoid a humanitarian disaster, and freed water for hydroelectric power—availability and cost of wood for household heating, availability and cost of fuel oil for utilities that could switch from gas, transport infrastructure for the distribution of fuel oil, reverse flow capability for the redistribution of gas supplies and energy agreements with neighbouring countries. Meanwhile, Central and Western European nations like Belgium, Germany and Italy, which have more diverse natural gas supplies, including LNG terminals, substantial domestic gas production and storage, and better overall energy resilience, adjusted easily to the Ukraine incident.
The stand-off ended on 20 January when, after mediation by the EU, Gazprom and Naftogaz signed a new purchase agreement, and gas flowed through Ukraine once again. But such a crisis may happen again. On 21 November, 2013, Ukrainian President Viktor Yanukovych, under pressure from Russian President Vladimir Putin, decided against signing a free-trade agreement with the EU. Putin had pressured Yanukovych in part by threatening higher gas prices and limited supplies. The Ukrainian people took to the streets in numbers not seen since the Orange Revolution of 2004, a major protest against the election of Viktor Yanukovych. The gas stoppage of 2009 should serve as a stark reminder of what Russia is capable of, and suggest policies and practices to help mitigate the effects of another potential gas stoppage.
A Continuing Threat
It is important to stress that Europe is not on the whole dependent on Russian gas. Two nations—Germany and Italy—together account for about 50% of the EU’s dependency. Europe has achieved remarkable energy diversification since the 1980s. The share of Russian gas imports within the EU’s overall gas consumption has declined from 30% in the early 1990s to 25% today, although the share of European imports more broadly (including non-EU nations) is higher. Advanced economies like Germany procure natural gas from Algeria, Nigeria, Norway and the Middle East, and can expect LNG from the United States in the near future, and possibly domestic production from shale. The share of total energy that imported gas provides (alongside domestic gas, coal, nuclear, hydropower, and renewables) may be relatively small for these countries, and may serve industry more than households. Nevertheless, Putin’s ability to use gas as a political bargaining chip in Russia’s near-abroad has improved since 2009. In December 2011, Gazprom acquired the remaining stake in Belarus’s gas transport company, Beltransgaz, which the Russian company did not already own.
Russian companies had curtailed oil and gas supplies to Belarus in 2010 and 2011 over contract and pricing disputes. In 2010, Putin negotiated with Ukraine for an extension of Russia’s naval presence at Sevastopol on the Black Sea to 2042 by granting a ten-year discount on natural gas. Russia also offers cheap gas and debt relief to woo Ukraine into a customs union that privileges Russian interests, and eventually into a Eurasian economic union. Moldova is facing a similar choice. Russia opposes EU efforts toward energy market liberalisation and integration, including an Energy Community Treaty (ECT) for non-EU South-Eastern states like Moldova and Serbia. Russia’s counter-deal is familiar: renounce EU-oriented market reforms and enjoy price cuts on gas, together with debt relief. A Kremlin envoy explicitly mentioned the prospect of gas cuts to Moldova, as Russia banned Moldovan wine over supposed health concerns. Other gas dependent nations pay strikingly high prices, like Lithuania, which formally complained to the European Commission. A formal investigation of Gazprom’s dealings in Europe is now ongoing. In neighbouring Latvia, Russian energy concerns so dominate the political culture that one might speak of the ‘Gazpromization’ of politics there. Part of Russia’s energy strategy involves maintaining constructive relationships with rich European countries. Long-term bilateral contracts undermine efforts toward an integrated European energy market and infrastructure, and weaken the bargaining power of more dependent nations in Russia’s near-abroad. Long-term energy security for France, Germany and Italy makes them less vulnerable to insecurities elsewhere and less interested in integration. Gazprom recently consented to restructuring gas contracts with select European customers to reflect the spot price of gas, rather than fixed global oil prices, as customary. 
This serves Gazprom’s richer customers and, again, reduces the attractiveness for them of market integration. The Baltic States and Poland have been highly critical of these bilateral arrangements. One might also recall the challenges facing economic integration: Eurozone leader Germany, already facing widespread opposition to austerity measures imposed on economically weaker members like Greece and Spain, and enjoying relatively secure energy relations with Russia, might avoid similarly tying its energy security to the EU. Russia’s pipelines to Europe themselves have strategic significance. The Nord Stream line that began serving Germany directly from Western Siberia under the Baltic Sea in 2011 reduces the risk that Europe’s economic heartland will be adversely affected by another crisis in Russia’s near-abroad. This only makes using gas as a bargaining chip there more attractive to Russia. The Yamal-Europe pipeline that opened in the 1990s did not secure Europe as reliably as Nord Stream does since Yamal runs through Belarus, and pricing disputes flared between Gazprom and Beltransgaz before the Russian company completed its acquisition of the latter. Nord Stream also deliberately bypasses the Exclusive Economic Zones (EEZs) of Poland and the Baltic States, leaving them more dependent on the Yamal line. Poland is considering developing its domestic unconventional resources in part for these reasons. Finally, Russia’s proposed South Stream pipeline under the Black Sea would bring Russian gas to Central Europe via Italy, but it would cross Turkey’s EEZ, not Ukraine’s, thereby isolating Russia’s near abroad once again.
RUSSIAN GAS PIPELINES TO THE WEST BYPASS EASTERN EUROPE. THE NOW DEFUNCT NABUCCO WAS A WESTERN-BACKED ALTERNATIVE. (IMAGE © F. WILLIAM ENGDAHL)
PERCENT OF MISSING GAS SUPPLY BETWEEN 6 TO 20 JANUARY, 2009. RED = 75%, ORANGE = 50-75%, PINK = 25-50%, YELLOW = UNDER 25% (IMAGE © EUROPA.EU)
The Western-backed Trans-Anatolian Pipeline (TANAP) to bring Azeri gas toward Italy will compete with South Stream. Some argue that Russia seeks to influence Azerbaijan’s dealings with the West by offering attractive energy contracts and arms deals. Russian energy giants frequently own majority shares in Eastern Europe’s energy infrastructure. Once again, Gazprom acquired Beltransgaz of Belarus, including storage units and transit lines, after years of dispute. Ukraine’s struggle to retain independent control of its energy sector is one factor behind its quarrels with Gazprom. But turning to the Balkans, we find more overwhelming Russian control. Serbia’s ‘Security of Supply Statement’ of August, 2009, did not so much as mention the stand-off with Ukraine that occurred just months previously and that had a major impact on the Balkan nation. The statement merely cited South Stream as Serbia’s hedge against energy insecurity. Gazprom Neft runs Serbia’s oil industry and refineries, which means that in the event of a low level of gas supply from Gazprom, the sister company stands to win additional fuel oil sales to utilities—an obvious conflict of interest. Construction of South Stream recently began in Serbia, although Belgrade claimed in 2009 that “deliveries [were] to start in 2013.”
Emergency Planning
Eastern European nations possess unique energy portfolios, infrastructures, geological and demographic conditions, and membership or treaty obligations (EU, ECT, INOGATE and the International Energy Agency, or IEA) with richer countries, not to mention with Russia. The EU has a number of energy security initiatives, including the Gas Security of Supply Directive and Gas Coordination Group, and an Early Warning Mechanism agreement with Russia. Energy resilience can therefore vary markedly. Responses to the January 2009 crisis, while they reveal some common concerns, illustrate distinctive strengths and challenges. For example, EU member Bulgaria had no LNG import terminal and limited domestic gas production. It imported almost all of its natural gas from Gazprom, much of it via Ukraine. Experiencing supply shortages as early as 2 January, the Bulgarian Government ordered major industrial consumers, especially two fertiliser companies, to close, as the national gas company negotiated for additional supply from offshore fields worked by a British company and increased imports from Greece. All export of alternative fuels, namely fuel oil, was stopped, and a nuclear plant (closed to meet EU mandates) was reopened. Substantial reserves were withdrawn from the national underground gas storage (UGS) facility at Chiren. Coal plants were put on line, including one lignite plant that had also failed to meet EU environmental standards and been closed. The largest oil refinery at Burgas, which is owned—not incidentally—by the Russian company, LukOil, possessed substantial fuel oil for utility companies capable of
switching from gas, but logistics and infrastructure problems prevented distribution across the country. So while Russian gas accounts for 13.6% of Bulgaria’s total energy consumption today, overall dependency on Russia is much higher when one factors in oil. Bulgaria still lacks an LNG terminal on the Black Sea coast, but it is boosting domestic gas production and, like Serbia, expecting Russia’s South Stream. Similarly, Russian energy giants enjoy overwhelming control over Serbia’s oil and gas industry and infrastructure. Here too limited stocks of fuel oil proved impossible to distribute to utilities swiftly in January 2009, due to infrastructure and logistics challenges. But unlike Bulgaria, Serbia possesses no adequate domestic UGS. Belgrade district added a new boiler to serve that critical city, but the emergency import of 25,000 tons of fuel oil from Bosnia proved more decisive. The Serbian Government also arranged electricity imports from Hungary’s Magyar Olaj (MOL) and Germany’s E.ON. Such cross-border arrangements and additional reverse flow capabilities will prove critical for Serbia looking ahead and the national ‘Security of Supply Statement’ calls for a host of new interconnections. Otherwise, there was no official discussion of overdependence on Russia for gas and oil after the crisis in 2009, and Serbia’s National Anti-Monopoly Commission claimed that the issue fell beyond its mandate. The national (or rather, Russian) plan for Serbia remains, like Bulgaria, to wait for the South Stream pipeline. Serbia’s relative complacency in energy security planning after the 2009 crisis stands in marked contrast to the Slovak Republic. In line with EU requirements toward liberalisation Slovakia ‘unbundled’ its import, transmission, and distribution industries in 2006, so that one company cannot control energy flows from production to end users. 
Nevertheless, natural gas accounted for 27% of Slovakia’s total energy consumption in 2009, and the bulk came from Russia in accordance with a 20-year contract with Gazprom; and Slovakia was a transit nation for some 20% of the EU’s total natural gas, much of it from Ukraine. Therefore, after the crisis Slovakia invested heavily in infrastructure to improve the movement of gas from storage to consumers, and beefed up reverse flow capability from the Czech Republic.
According to the Energy Act (and largely in line with IEA membership prerequisites) all suppliers of energy within the country are required to maintain a supply standard for 30 days in the event of major weather events or supply disruptions. Companies are expected to draw from storage, domestic sources, or reach across borders. Slovakia’s national gas supply company, Slovenský Plynárenský Priemysel (SPP), which translates as ‘Slovak Gas Industry’, penned agreements with E.ON Ruhrgas of Germany and GDF Suez of France in order to diversify its import portfolio. Special regional centres are charged with announcing energy emergencies and managing the response. Transmission, distribution and storage companies are required to follow the centres’ directives. They include specific restrictions or cut-offs to different end users according to severity level ratings (i.e., household heating is a top priority). Otherwise, Slovakia’s utilities did not have a widespread ability to switch from gas to fuel oil, as in Bulgaria. Today, Slovakia depends on Russia for 63% of its natural gas, amounting to 20% of its overall energy portfolio, but the energy resilience of this EU and IEA member is relatively sound.
Policy Recommendations
The gas war between Russia and Ukraine in 2009 could have been much worse. Temperatures could have plummeted further, the stoppage could have been planned for a non-holiday period (when demand would have been higher), and it could have lasted longer than 19 days. All European nations, but especially Eastern European ones from the Baltic to the Balkans, should study the events of 2009 in order to develop better emergency plans. This brief overview would suggest the following policy recommendations:
and distribution plan.
tion and distribution plan.
fuel oil, gasoil, or coal, depending on what is most available.
nations should invest in interconnections and reverse flow capabilities to improve the strategic movement of supplies during emergencies.
energy security.
priority to vulnerable households are essential.
to emissions restrictions.
BOOK REVIEW :
Cybersecurity and Cyberwar: What Everyone Needs to Know by P.W. Singer and Allan Friedman, Oxford University Press, 2014
The truly comprehensive scope of this excellent book with regard to current and emerging cyber security issues puts a complete breakdown of its contents beyond the reach of this review. This in itself demonstrates the extent to which this book represents an in-depth attempt to understand as completely as possible the present cyber threat picture, and the measures which have been and could be utilised to ensure cyber security. The wide-ranging approach taken by the authors of this work allows them to discuss cyber security issues from the perspective of states, sub-state groups, the business community, and also how these interact with each other in cyberspace. Aside from the highly informative content of this book, and the authors’ excellent use of evidence to support arguments and introduce different perspectives, the book itself is written in a way that engages the reader, and makes what some may view as a ‘dry’ subject genuinely interesting.
The first main section of Cybersecurity and Cyberwar: What Everyone Needs to Know, titled ‘How It All Works’, is very well-structured and easily accessible. Containing as it does an explanation of how the Internet functions at a basic level, this section provides all those who use the Internet, but who may not understand its structure, with a solid introduction that is vital to comprehending much of what follows later in the book. Highlights from this first section are many and varied. When explaining how the Internet operates, it puts forward a simple yet concise and informative guide to
how its Domain Name System functions. This section also introduces the reader to major issues such as Internet governance, the authentication of individuals’ identity online and, crucially, the main threats that exist in cyberspace. The cyber security issues raised in this first section of the book include Advanced Persistent Threats, which are rapidly becoming a major concern within cyber security circles. The Wikileaks ‘Cablegate’ case is also well-covered with regard to the role that unauthorised disclosures can play in undermining cyber, organisational and national security. The book’s first section emphasises that the human factor is often overlooked with regard to cyber security. This approach strengthens the value of the book as a guide to cyber security as it recognises that cyber security as a concept rests as much on individuals as on the technology at their disposal. The second section of the book, ‘Why It Matters’, continues the authors’ excellent use of examples to introduce and explain the main issues surrounding cyber security. For instance, Singer and Friedman highlight the fact that different nation states have varying beliefs regarding what constitutes cyber security, and the need for a free flow of information via the Internet. The book points out that whilst politicians in the United States argue that access to international online news sources and social networks is a human right, countries such as China and Russia view the same free flow of information as an attempt to undermine the stability of the state, rather than a basic human right. By using this simple but powerful example, Singer and Friedman clearly demonstrate the inherent difficulty in defining cyber security as a concept at the international level, as different states can have conflicting beliefs regarding exactly what constitutes a cyber threat.
This section of the book also tackles the vital issue of attribution with regard to cyber attacks and how hackers can remotely take control of computers and then use these machines to carry out cyber attacks. Although the authors of this book often focus primarily on technology, they never lose sight of how cyber security concerns could damage relations between states. For example, with regard to the issue of attribution,
Singer and Friedman argue that mutual suspicions concerning cyber security have increasingly “poisoned” US-Chinese relations. The authors then concede that, since many in the US assume that the Chinese state has a high level of control over its citizens, then it is logical to argue that most “insidious activities” launched using computers based in China were carried out with at least some knowledge on the part of the Chinese Government. However, it is then pointed out that this viewpoint, especially prevalent in the US, may persuade potential hackers to remotely capture and use computers in China in order to avoid detection, although it is further argued that this in itself may allow the Chinese Government to attempt to deny any cyber attacks that it has itself carried out. The fact that this example is given in a single paragraph demonstrates the ability of the authors of this work to concisely analyse a given issue in such a way that gives the reader a good understanding of what is at stake. ‘Why It Matters’ also contains a solid introduction to the issue of ‘hacktivism’ as a concept, together with an overview of who carries it out and why. The section includes a comprehensive yet concise analysis of ‘Anonymous’, including how it emerged, its modus operandi and what its motivations are. Whilst many assessments of hacktivism focus purely on its repercussions in cyberspace, Singer and Friedman also explore how such activity can lead to confrontation and potentially even fatalities in the non-cyber world. The authors cite a 2011 US Army War College report which recounts how Los Zetas, a drug cartel composed of former Mexican Army personnel, was targeted by Anonymous after its kidnapping of one of the latter’s members. 
Following a statement by Anonymous that it would post confidential information regarding Los Zetas online if its member was not released, the cartel hired experts to help it ‘reverse hack’ Anonymous, uncover personal details of some of its members, and threaten them with assassination. In citing this example, the authors of this book are addressing the potential real-world impact of hacktivism, something not always done by writers on cyber security, especially when examining interaction between sub-state actors.
This middle section of Cybersecurity and Cyberwar: What Everyone Needs to Know includes a straightforward yet informative introduction to the various types of cybercrime, which is both clear and easily understandable. Even for those of us who consider ourselves to be ‘cyber-savvy’, such a guide to potential online crimes should be and is most welcome. Cyber espionage is also covered in this section, with the example of ‘Operation Shady RAT’, which successfully penetrated 72 major targets across the globe, being used to demonstrate both the scale of cyber espionage and the range of actors that might be targeted. The authors of the book also adopt a more balanced view of the potential threat posed by cyber terrorism than some sections of the media. Singer and Friedman argue that whilst the threat of cyber terrorism is genuine, it perhaps poses less of a challenge than the media has previously reported. However, the authors do provide a detailed overview of how terrorist organisations use the Internet, especially with regard to spreading propaganda and recruiting new members. Also, the fact that a Taliban propaganda website was hosted by a server based in the US is used to demonstrate the ease with which terrorist groups are able to use the Internet because of its “virtual anonymity”.
Furthermore, this section also contains an informative overview of the Tor network, and the potential problems posed by it, especially with regard to criminal activity, such as the ‘Silk Road’ black market website. Crucially, the grey area of ‘patriotic hackers’ is also covered by this section of the book. An analysis of this emerging element of the cyber security landscape is most welcome as it demonstrates that individuals, non-state groups and national governments interact within the cyber realm. Singer and Friedman use the example of the ‘Estonian Cyberwar’ of 2007, during which members of Nashi, a pro-Putin Russian youth movement, carried out cyber attacks against Estonia following the relocation of a Russian war memorial in Tallinn. It is vital that this facet of the cyber security landscape is better understood, as the use of patriotic hackers can allow governments to carry out cyber attacks against rival states whilst being able to credibly deny that such an operation was officially sanctioned, thus complicating any potential response by the target state.
Aside from specific cyber threats, the book’s authors also discuss the Internet in relation to issues of foreign policy and human rights, and especially the need to balance security with the online freedom of expression. Singer and Friedman excellently demonstrate, using appropriate evidence, that online freedoms are shaped at a country level by national cultures and histories, and not simply by the type of government, i.e. democratic or authoritarian, that a nation state might have. One example that is used is the fact that whilst the UK and Thailand are both monarchies, it is illegal in the latter to defame the monarch. This book correctly points out that such differences can present obstacles to the creation of international definitions of what level of free speech is permissible online.
The authors of this book also consider other recent and emerging cyber threats such as the Stuxnet computer worm and its successors, together with the ethical issues that the use of such weapons raises, how these weapons function and what damage they can cause. When considering Stuxnet and similar cyber weapons, the greatest service that this book provides is to clearly and accurately argue that such weapons represent a ‘game changer’ with regard to cyber security. The issue of how military alliances such as NATO, originally created to fight conventional, i.e. non-cyber wars, and which relies upon the concept of collective security, should react when one of its members is targeted by a cyber attack is also considered. A balanced assessment of this issue by those concerned is essential if NATO is to remain relevant, and this book can therefore only help to spur on such an appraisal.
This central section of Cybersecurity and Cyberwar: What Everyone Needs to Know also contains a very interesting overview of US Cyber Command and of the Chinese approach to cyber warfare.
This overview concludes with the proposal that the two sides are fairly evenly matched, having both similar capabilities and similar vulnerabilities. The connected issue of how states can deter cyber attacks on each other when attributing the origin of cyber attacks to a particular state or other actor is still problematic is also considered. As already noted, one of the main strengths of this book is the evidence used by its authors to support their conclusions. When examining whether cyber warfare favours the weak or the strong, Singer and Friedman note that in 2009, US troops in Iraq discovered that insurgents had used a cheap, commercially-available computer programme called ‘Skygrabber’ to hack into US surveillance drones and monitor their movements. This example, which clearly demonstrates the potentially ‘levelling’ effect that cyber attacks can have during a conflict between two otherwise asymmetrically-matched opponents, has been well chosen by the book’s authors. Despite the reality of cyber threats, Singer and Friedman do an excellent job in maintaining a balanced outlook whilst also making the reader aware of genuine concerns. They stress that weaker states and non-state groups most likely do not have the resources needed to carry out significant cyber attacks. However, they do concede that malware can be developed and deployed by a small group of experts, from the sub-state group level down to the level of the individual. They conclude that in this new “cyber arms race” multiple experts will more often than not be needed in order to successfully carry out cyber attacks, and that the idea of cyber attacks being carried out by a “single teenaged hacker in his parents’ basement” is often far from the truth. The third and final main section of the book, ‘What Can We Do?’ arguably takes a much wider look at cyber security.
However, this does not mean that the section lacks the insight, accuracy or engaging style of the two previous chapters. The first main point that this section makes is that different types of resilience are needed in order to combat cyber security threats. Whereas cyber resilience planning to meet traditional threats, such as extreme weather events, relies primarily on redundancy capabilities which can be engaged in the event that parts of a network are rendered inoperable, security against malicious cyber threats has to consider attackers who know what parts of a network to target, potentially including back-up systems. Furthermore, Singer and Friedman again correctly stress the human factor in cyber security and resilience, and how such efforts often hinge on the knowledge, professionalism and diligence of those individuals charged with implementing them. The use by the authors of this book of non-cyber examples to engage with the reader and explain how cyber security efforts could be implemented is prominent in this chapter. For instance, Singer and Friedman use the work of the US Center for Disease Control to explain how computer viruses and malware may be combated in the cyber world. Also, the authors use the example of how maritime piracy was successfully confronted by nation states during the so-called “Golden Age of Piracy”. They argue that maritime piracy was successfully countered through confronting the established markets, havens and criminal structures that allowed it to flourish and generate a profit for its perpetrators. Singer and Friedman propose that modern cyber equivalents of these factors, such as online black market trading websites and companies that tolerate malware, allow cyber crime to flourish in a similar manner to maritime piracy during its “Golden Age”. It is proposed that if such havens were removed, then committing criminal or malicious acts in cyberspace would become more difficult. By using the “Golden Age of Piracy” as a metaphor with which to engage with the reader, Singer and Friedman have chosen well, as this is a subject that has long been prevalent in popular culture.
Aside from the role of organisations such as the International Telecommunications Union, this final section of the book also points out that, despite claims that due to its transnational nature, the Internet is beyond the reach of national governments, the systems that form the Internet are located within nation states. This is a vital point, as it demonstrates, contrary to what some believe, that governments are still able to significantly influence the operation of the Internet through the laws of individual nation states.
To borrow a phrase from the text, “...there is no non-sovereign, ‘free’ part of cyberspace”. This final chapter of the book also offers an interesting perspective on cyber security exercises. The authors argue that, despite mutual suspicion, joint US-Chinese cyber security exercises have the potential to reduce tensions between the two countries regarding activity in cyberspace. This viewpoint does not seem to have been widely reported or discussed in the media, meaning that this concept may be fresh and new to many readers. In short, this book is a genuine must-read for anyone interested in cyber security issues, regardless of their background or level of expertise. Singer and Friedman present a lucid, concise and highly informative breakdown of current cyber security matters and their implications at the global, state, corporate and individual levels. Aside from the highly informative arguments and evidence featured in this book, the style in which it is written allows it to appeal to both experts and newcomers to the subject of cyber security. We can say no more than this book is essential reading in the modern world.
“WHAT DOESN’T KILL YOU”
Cyber Resilience and Threat BY Marika N. Josephides
Toronto during the Northeast Blackout of 2003. Source: Camerafiend; obtained via Wikipedia.
Who turned out the lights?
14 August, 2003: a major failure of the electrical grid led to what became known as the 'Northeast Blackout', during which most of the North-Eastern United States (US) and Canada were plunged into darkness. Over fifty million people were left without power. Airports, railroads, oil refineries and factories had to close. Also, utilities such as gas and water did not have the pressure capacity to provide any services, resulting in inoperative petrol stations and putting the water supply at risk of contamination. Furthermore, where generators ran out of fuel, cellular communications were disrupted or taken down entirely. There was mass panic as well as reports of looting and violence, and emergency services could not respond in the face of such demand - that's if the calls got through. The Anderson Economic Group places the total economic loss for the United States at a mid-point estimate of $6.4 billion. The entire ordeal lasted barely two days.
Two weeks later, the same thing happened in London, albeit on a much smaller scale. A failure in the National Grid disrupted 60% of the London Underground network at the peak of the rush-hour. 1,800 trains and 250,000 people were affected. This power failure lasted around forty minutes.
Both of these cases prompted extensive inquiries and investigations. The close timing of the blackouts understandably raised questions of possible malicious intent, and the prospect that they had been terrorist attacks was not ruled out. It was eventually determined that in both cases the fault lay in a mixture of human error and faulty equipment. One of the trigger culprits in the Northeast Blackout, as the media enjoyed pointing out at the time, was an intrepid tree. Whatever the reasons for the blackouts, the results of the relevant factors would lead anyone to ponder on the fragility of modern civilisation and the interconnectedness of its critical infrastructure. What prompted the Northeast and London blackouts were innocent mistakes.
The Cyber Threat Picture Today
Innocent mistakes such as the above examples, however, do not preclude the possibility that malicious cyber-attacks by state and sub-state actors could achieve the same results. A blackout of sustained duration - even if it were restricted to one branch of infrastructure - could assist or supplement a military or physical attack.
Over ten years on from the Northeast and London blackouts of 2003, we have seen this concept of a combined strike implemented during Operation 'Orchard', carried out in 2007. During this operation, Syria's sophisticated air defence system was blinded, allowing the Israeli Air Force to execute an attack on a nascent undeclared nuclear reactor site. The cyber element was integral to the operation as a whole. This is an illustration of former Director of the CIA (2009-2011) and US Secretary of Defence (2011-2013) Leon Panetta's much quoted "cyber Pearl Harbor" scenario. Similarly, the oft-chronicled Stuxnet worm which took down yet another nuclear site in Natanz, Iran, put Advanced Persistent Threats (APTs) firmly on the cyber security map.
This is not to say that malicious cyber activity has to be military in nature. It has recently been revealed that Finland's Ministry of Foreign Affairs (MFA) experienced cyber infiltration into systems with external connections. It has been confirmed that no sensitive internal data was compromised, but some diplomatic communications may have been extracted. The attack was an APT that had been in the relevant system for up to four years, and there is no lack of skill in MFA cyber security. This highlights the nature of cyber-espionage in general: stealthy, often undetectable, and impossible when it comes to attribution. It is sufficient that only a small vulnerability in the system is exploited.
Yet another cyber security threat is exemplified by the theft of £1.3 million from Barclays Bank in April 2013. In this successful case of cyber theft, all it took was a small, organised criminal network to send a man into a London branch of Barclays under the pretence of being an IT contractor. He attached a 'keyboard video mouse' switch with a 3G router to one of the computers. The criminal organisation could then remotely transfer funds to bank accounts at their leisure. Fortunately, the group was rounded up and the funds were restored.
And of course, one cannot speak of cases of cyber theft without mentioning the huge breach of the Sony PlayStation Network in 2011, in which about 100 million user accounts were compromised, causing concern regarding identity fraud, which one cannot trace. The possible expenses to Sony from the data theft were estimated at $171 million, but no money was actually stolen in the breach. The information heist was perpetrated by a 19-year-old hacker living in his parents' house, and was done 'for the lulz'.
All of the above cases, and many more far too numerous to outline here, underscore the scope of the cyber threat in a wide variety of sectors, by any number of actors, from a large number of attack vectors and for numerous reasons. Though cyberspace and all its stakeholders are global, it is helpful to examine the issue further from the perspective of a developed country with a cyber strategy of its own – the United Kingdom (UK). This way we can come to an assessment of mitigation, prevention and policy against a worst-case scenario in a country that publicly aims to be as prepared as possible.
The Internet alone accounts for 6% of UK GDP. This does not include transactions that are facilitated by or are a by-product of the Internet through advertising. The Internet has enabled 21% of GDP growth across developed countries during the period 2005-2010. If the Internet were a consolidated 'sector' it would dwarf both utilities and agriculture.
Critical infrastructure and related processes are almost entirely managed by forms of SCADA ('Supervisory Control and Data Acquisition') technology. They are controlled remotely by computers and communications networks. These processes include oil and gas pipelines, water distribution, the electrical grid and railway operations and signalling. A 2011 report by McAfee, an American-based computer security software company, found that nearly two-thirds of critical infrastructure companies, public and private, stated that they regularly find malware with the potential to sabotage their systems. Evidently, attacks that aim to cause levels of disruption comparable to the Northeast Blackout - be it with a Denial-of-Service (DOS) or an APT attack, or something else - are not beyond the pale of attacker ambition or possibility. Cyber resilience has therefore become a priority.
Bouncing Back: Cyber Resilience
The World Economic Forum defines cyber resilience as "the ability of systems and organisations to withstand cyber events, measured by the combination of mean time to failure and mean time of recovery." This breaks down to two factors: prevention and mitigation. If this seems like a defensive reactive concept, it is.
It evokes past US Secretary of Defence (under Gerald Ford 1975-1977 and George W. Bush 2001-2006) Donald Rumsfeld's 'unknown unknowns' - but the blurring of online boundaries makes it so. The interconnectivity between individuals, organisations and the state inherently increases the risk of unpredictable shocks to the entire system, and this is exacerbated by the advent of cloud computing. Prevention and mitigation with a clear emphasis on the human element would therefore be a realistic and effective focus.
This is the policy approach taken by the UK. The National Security Strategy places "hostile attacks upon UK cyberspace by other states and large scale cyber crime" as a Tier One threat - putting it at the highest priority level - stressing "risk and resilience" in the face of "new systems of influence." It is consonant with the UK Cyber Security Strategy (UKCSS), the second objective of which is to make the UK "more resilient to cyber attack and better able to protect our interests in cyberspace." It makes the point that all networked systems are potentially vulnerable and that these vulnerabilities can appear anywhere within the information lifecycle. The appropriate response is thus determined to be one utilising risk-based measures. UKCSS adopts a holistic approach that aims to establish compliance norms, support and coordinate with businesses large or small in relation to both the public and the private sector, and inform the public as to how to stay safe online.
The UK Government put in place a £650 million, four-year National Cyber Security Programme (NCSP) in order to facilitate this. The Office of Cyber Security and the UK Cyber Security Operations Centre (CSOC) were opened to improve detection of cyber security threats. The most capital-intensive initiative of the NCSP was funding to the UK intelligence community in aggregate, constituting £157 million of NCSP money (see Figure 1).
The Centre for the Protection of National Infrastructure (CPNI) intensified its approach and coordination against threats from cyberspace. The National Cyber Crime Unit (NCCU) was also conceived to operate as part of the National Crime Agency (NCA). It is too early to comment on this development as the latter organisation is so new, but the NCCU is intended to provide a co-ordinated national response to cybercrime.
This could also be seen as a shift of intent as well as capability - the NCA has executive powers, which include the power of arrest. To reiterate, huge emphasis has been put on public-private partnerships and industry-led standards. The Department of Business, Innovation and Skills is one of the major Government leads in the UKCSS. This is due to the vulnerability of businesses, for which the profit motive sometimes interferes with choices in cyber security. Small and medium enterprises in particular are vulnerable in this respect. In 2012, 60% of those surveyed had suffered a malware attack. A 2012 PricewaterhouseCoopers survey found that 93% of large corporations and 76% of small businesses had experienced a cyber security breach that year. And of course, the UK’s system of quasi-privatisation means that large sections of the critical national infrastructure belong to private businesses. The cynical may declare that most of this strategy amounts to a grandiose awareness campaign. Our rebuttal would be that the global and mostly asymmetric nature of the threat means that absolute prevention is impossible, and in a situation where the entire chain is only as strong as its weakest link, widespread awareness and action is absolutely necessary. Government Communications Headquarters (GCHQ), the UK's provider of signals intelligence and information assurance, estimates that on balance, 80% of attacks are preventable by "simple best practice." This could be something as simple as remembering to log out, updating anti-virus software, or confirming the identity of a contractor, which would, incidentally, have prevented the Barclays theft of April 2013. On the world stage, the UK ratified the 2001 Budapest Convention on Cybercrime in 2011, the same year that the Strategy was consolidated. 
Questions were raised regarding the practical usefulness of this initiative, the argument being that it would be ineffective without the involvement of Russia and China, from where a disproportionate number of attacks originate.
Figure 1 - National Cyber Security Programme Expenditure Breakdown 2012. Source: Cabinet Office, www.gov.uk
Practical Solutions: Prevent and Mitigate
We shall turn next to the further ways through which the cyber threat can be managed. A totally secure chain all down the line of stakeholders cannot be guaranteed, for the aforementioned reasons, but it can be helped by various measures. Businesses can and should implement contingency and response plans to mitigate the effect of attacks, especially in sensitive industries. Law firms, for example, are in possession of valuable information that is of particular interest to hackers, such as client data and intellectual property material. Yet only 35% of surveyed law firms had cyber response plans in place, and only 9% have produced cost estimates relating to cyber attacks, as opposed to 26% of businesses in other sectors, according to a Hildebrandt Institute survey of 2013. This indicates a more general theme in how businesses generally relate to cyber issues. Apart from the aforementioned profit motive considerations, there is also the unfortunate fact that sometimes functionality and security are a trade-off. Cyber issues can also seem obscure to people who are not 'computer literate’, and this is equated with irrelevance by the human ego. Additionally, internal security and confidentiality breaches not related to cyber matters have been a more traditional concern, particularly in law firms. There is no lack of structural and institutional prevention and mitigation measures businesses can take, if resources allow it (which is often the issue which halts these initiatives at their inception in conference rooms).
IT security audits can be performed; specialised employee training can be conducted; security liability insurance can be purchased; and of course response plans no matter how rudimentary are better than no plan, even if they simply establish a team that can be contacted or assemble a chain of command to deal with these matters. Deloitte recommends a 'graceful degradation' approach against DOS attacks, which are the most common type. 'Graceful degradation' is a method of pre-emptive planning, using a pre-defined set of responses that allow systems to continue operating sub-optimally. Essentially this just means that the firm in question, having established 'configurations' of system failure, would know how to continue working while these configurations are compromised, from the detection of the vector, up until recovery.
Market-Wide Exercises (MWEs) are also a viable route, pertinent to industries considered part of the critical national infrastructure. MWEs are stress tests involving a wide range of relevant parties. A major MWE, named 'Operation Waking Shark II' - a sequel to 2011’s ‘Waking Shark’ - took place in the London financial sector (obviously a hugely desirable target) on 12 November 2013. It was co-ordinated by the Bank of England, the Treasury, and the Financial Conduct Authority. As well as GCHQ, the CPNI, and the CSOC, employees across 87 firms were involved. These included banks, exchanges, hedge funds, brokers, and asset managers. Reports on the exercise’s conclusions have not yet been released at the time of writing, but Waking Shark 2011, set against the backdrop of the London Olympic and Paralympic Games, successfully highlighted vulnerabilities to be improved upon, largely concerning co-ordination among services, particularly (worryingly) CHAPS (Clearing House Automated Payment System) transactions, the latter of which facilitate same-day transfers and are used all around the UK for business and personal purposes, as well as in mortgage advances.
Firms were promisingly effective at maintaining the provision of services. While such tests are valuable in finding where the weak spots are, criticism has been levelled at their infrequency and lack of focus on accidental breaches and fraud. Of course, they are also lacking in the element of surprise. Additionally, a more sophisticated, subversive attack will evade immediate detection, and may not even be correctly identified until significant damage is done.
We have already discussed the importance of the human element in cyber security. All it can take is somebody forgetting to log out. For this, all that can be done is to advise people to exercise caution, a lack of which - to reiterate - leads to 80% of attacks, as posited by GCHQ. Unfortunately common sense is not so common. Another suggestion is the implementation of biometric authentication; this is a burgeoning field.
The Bottom Line : So What?
Defence Secretary Philip Hammond confirmed in September 2013 that the UK was "developing a full spectrum cyber capability, including a strike capability." This move confounded the world - what purpose would this announcement serve? China, Israel, Russia and the US had all kept quiet about their cyber activity (at least officially) despite said activity being obvious. At best, the UK was losing its claim to the 'moral high ground'. At worst, it is tempting fate - 'for the lulz' hackers have been motivated to action by much less. (For example: when the CEO of HBGary Federal, a computer security firm, threatened that he could unmask hacktivist collective Anonymous, they completely destroyed the company’s data, accessed and published sensitive e-mails, and defaced the company's website.) Alternatively, it could just be a politically expedient move to emphasise the importance of cyber initiatives. In any case, concern has been expressed elsewhere in the UK Government. Director of GCHQ Ian Lobban's assessment is that the threat is most prominently from state and state-affiliated actors who have improved the speed at which they can proceed from reconnaissance to activity. The ramifications on the military from the entwinement of military capability and the defence industry are also an issue, and it is at industry level that technological advances are compromised. On this front, more stringent measures in manufacturing and supply chain management could be used, such as better vetting of personnel.
In the final analysis, there may be too much worrying going on. Experts think it extremely unlikely that the whole Internet and major systems would or could all be taken out at once, due to the decentralised way these networks operate.
To a certain extent the threat may have an element of the self-fulfilling prophecy, and we may not be facing a scenario worthy of a blockbuster action film. But the convergence of our physical and virtual worlds makes this a cause of concern - a DOS attack on a hospital, for example, could cost lives. Losing control of our online identity is akin to losing control of our lives. And a 'proxy server' war will most definitely contribute to international tensions offline.
Awesome Face/Epic Smiley is a ubiquitous meme, often used to convey either disapproval, or that one has acted 'for the lulz.' (Source: The Internet - Inattributable)
In many ways, the response to the cyber threat - mitigation and prevention - is analogous to dealing with 'traditional' forms of terrorism in this age of uncertainty. Indeed, the Irish Republican Army message addressed to the Thatcher Government after the Brighton Bombing in 1984 is entirely relevant to the subject of our discussion: "Remember we only have to be lucky once. You have to be lucky always."
Japan Responds to Multiple Security Challenges BY STEPHEN BLANK
Due to the inglorious legacy of the lost generation (the lost opportunities in economics after 1990 where Japan’s economy stagnated and its governments became progressively weaker) Japan now confronts multiple and possibly increasingly difficult security challenges. After 1990 Japan experienced underperforming governments, its economy stagnated, and the linkage between weak governments and economic performance is not coincidental. In 2011 the Fukushima earthquake and related nuclear meltdown generated a profound internal shock and crisis. Meanwhile the spectacular rise of China brought a major rival into being and the United States’ (US) power declined due to profligate economic policies and an unprecedented level of strategic incompetence from US governments. Thus Japan did not escape the global economic crisis which has existed since 2008 and also faces profound demographic challenges as its birth rate remains far under the population level of 2.1 children per family that is the established replacement rate while Japan is also not welcoming to immigrants who could fill the gap. This set of socio-political-economic challenges has only encouraged both North Korea and China, if not Russia, to attempt to take advantage of Japan’s perceived decline and/or weakness, the former through claims to the East China Sea and what appears to be a constant game of sabre-rattling and psychological warfare involving the threat of force while North Korea’s increased missile capability and nuclear arsenal clearly represent threats to Japan. Meanwhile Russia regularly sends aircraft into Japanese airspace even as it negotiates normalisation and other accords with Japan. To an outside observer it seems clear, therefore, that to address these internal and external issues Japan needs to generate a robust invigorated government that could tackle both its economic malaise and the multiplying military threats to its security. 
From a national security standpoint both the domestic reforms and Prime Minister Shinzo Abe’s foreign and defence policies are inseparable parts of a single programme of action. Geoeconomics and geostrategy march hand in hand in Abe’s programme.
The Abe Government, by winning a decisive Parliamentary election in 2013, can already provide strong and steady government until 2016. Moreover, Abe has promised such leadership and acted vigorously to regenerate the economy. He has already increased government spending and the money supply. Increased government spending also means a substantial rise in defence spending to augment Japan’s own military capabilities. But now Abe must enact genuine structural reform and thus confront the entrenched lobbies who benefit from the status quo but, by so doing, inhibit Japan’s growth and comprehensive national power. Indeed, not all observers are convinced that he is doing so or will do so, in which case they expect his reforms to enjoy only limited success.
PRIME MINISTER SHINZO ABE (IMAGE SOURCE : WIKIMEDIA COMMONS)
But economic reform is not confined to Japan. Japan must diversify its exports lest it become too dependent on the Chinese market. Japan received a real shock when China, during the period 2010-2011, started restricting the sale of crucial “rare earth” minerals that are vital to Japan. However, by going abroad in response to China’s artificial increase of prices, Japan successfully elicited other countries’ production of rare earths to the point where prices have declined 60% since 2011. Essentially the market broke the Chinese monopoly. Likewise, during his travels, Abe is accompanied by large business delegations to promote exports of nuclear reactors, other infrastructural items, and arms. Abe’s expansionary currency policy lowers the Yen’s price abroad leading to more exports.
In a concurrent example the Abe Government has made clear its intention to revise the Japanese Constitution. While this initiative would include revisions of Article 9 on Japan’s army being used only for self-defence instead of the collective defence that the Japanese Government prefers, such significant reforms are by no means only confined to the defence sector. Meanwhile, within that sector, Abe has also enacted legislation creating a Japanese equivalent to the US National Security Council. The revived nationalism inherent within Abe’s programme will probably help him create a domestic consensus but it also creates significantly more tension with South Korea (ROK) and precludes effective military cooperation with the ROK because to Seoul it appears that Japan still cannot admit its history. This also adds fuel to the fire in China as it provides Beijing and domestic Chinese nationalist elements with both the means of inciting hostility against Japan and a way to pressure the Chinese Government to add nationalist emotionalism to the already substantial geostrategic rivalry with Japan.
Foreign Policy Challenges
Because domestic reform and the reduction of external security threats are linked, it is quite possible that the test of Abe’s success will come not just in the success of his economic reforms, but also in foreign and defence policy, where his government has been equally active and vigorous. Japan, like other Northeast and Southeast Asian states, confronts what is arguably a deteriorating security situation. Many but by no means all of the forces responsible for this trend pertain to the rise of a seemingly increasingly belligerent China. As Dr. Corey Wallace, Professor of International Politics at the University of Auckland has recently written, “Strengthening economic cooperation and interdependence between nations in Northeast Asia from the late 1990s seems to have had little impact upon the persistence of diplomatic and security tensions in the region.” But we cannot forget about the North Korean threat. Whether or not North Korea plans another major weapons test, its missile and nuclear programmes continue apace and nothing to date has stopped them.
Moreover, the domestic situation in North Korea is clearly quite unstable given the execution of Kim Jong Un’s uncle and former mentor Jang Song Thaek on 12 December 2013 and the subsequent purge of his associates amid allegations of his attempting to mount a coup against his nephew. These allegations are unprecedented in that they publicly reveal dissent and division at the most senior levels of the Government of North Korea (DPRK) that can only add to the pervasive sense of unease and instability inherent in dealing with the DPRK. Adding to Japanese concerns is the fact, according to Wallace, that Japanese officials discern a lack of seriousness among their negotiating partners in stopping the expansion of North Korea’s nuclear and missile programmes that threaten Japan. These officials also believe that China is enabling and not restricting North Korea. As tensions with South Korea over rival histories and nationalisms frustrate bilateral cooperation between them and trilateral cooperation with the US, Japanese officials evidently perceive China as being unable or unwilling to restrain North Korea.
At the same time, the Chinese threat is multi-dimensional, being both military and economic, as the rare earths episode and the continuing crises in both the East China and South China Seas indicate. Thus China presents an extraordinarily difficult series of challenges to Japan. Additionally, Japanese officials increasingly fear not just the obvious rise in Chinese capabilities and the threatening rhetoric of the People’s Liberation Army,
but also that the Chinese military may be under insufficient if not decreasing control by the civilian government. Recent events can tie these threat perceptions together and not only for Japan. Recent Chinese naval and foreign policy in both the South China Sea and the East China Sea—where Beijing is making visibly aggressive naval and other military-political gestures toward Japan and Southeast Asian states—can only aggravate both Japanese and Russian suspicions. Furthermore, the attitude of the Chinese naval media, if not the Chinese Government, is even more aggressive. At the end of Russo-Chinese naval exercises in July 2013, the Chinese fleet circumnavigated Japan for the first time, angering both Russia and Japan, who regarded the Sea of Japan as their sea. One Chinese naval report justified this visible effort to intimidate Japan, stating that “the Chinese Navy not only has a manifest right to accomplish a complete breakthrough of the so-called “first island chain,” but also an inescapable obligation to ensure national security.” This report then became even more belligerent about Japan and the US, and no Russian could read this language with equanimity or complacency either. The author stated that: “In terms of the relationship between naval capabilities and intentions the logic that China presents should be that it is in keeping with common sense that China is working hard to address the issue of capabilities and is not qualified yet to discuss its intentions. If anything, it is that more powerful maritime force and its system of allies and minions that should take the initiative to explain their intentions to China because their capabilities are obviously making China nervous. China will interpret as malicious any move that ignores its security concerns or even any move that takes “island chains” which are based on an exceedingly arrogant concept for granted.
The Chinese Navy is already capable of crossing the Soya Strait and any strait that passes through a so-called “island chain” on a regular basis. What it should address next is to complete the regularization of its presence. This is an irreversible trend. If someone does not like what he sees, he should adjust his focus, and do so quickly.”
This is not an isolated case. Rear Adm. Yang Yi recently wrote that China must have a navy stronger than that of Japan and that Japan must accept this. Allegedly China needs such a navy to prevail in an informatized local war, but he gave no reason why Japan or any other interested power should accept the emergence of a stronger Chinese Navy or worse, of its prevailing in conflicts with Japan or other powers, or its stated motive. We see similar attempts below in discussing the July 2013 joint naval exercise where Chinese analysts sought to co-opt Russia into China’s aggressively anti-Japanese policies. This kind of belligerent language, increasingly used not only in naval rhetoric but in actual Chinese policy statements and documents, is clearly a product of China’s internal political evolution. China’s unilateral and sudden announcement on 23 November 2013, of an Air Defence Identification Zone (ADIZ) and claim of sovereignty over Japanese, South Korean and Taiwanese airspace, is thus merely the latest in a long series of provocations.
Japan’s Response
Apart from the aforementioned domestic reforms designed to strengthen Japan’s own economic and defence capabilities, Japan has undertaken wide-ranging diplomatic, economic, and military moves to defend its interests and enhance its position with Australia, India, Russia, the US and Southeast Asia. The 2+2 talks with Russia in Tokyo in early November 2013 showed that both sides are searching for common ground, not only to normalise their relations but also to adapt to a dynamically transforming Asia. Thus the relevant military ministers agreed to coordinate anti-terrorism and anti-piracy activities, conduct a joint anti-terrorist naval exercise in the Gulf of Aden, and continue joint exchanges of information and exercises that could include their air forces. They will also hold joint exchanges on countering cyber attacks. Admittedly, Russia still fears that joint Japan-US missile defences could undermine the regional strategic military balance. However, both sides fully grasp that this joint missile defence system represents Tokyo’s insurance policy against growing Chinese and DPRK threats. Even if Russia, according to Foreign Minister Sergei Lavrov, is generally never friends with someone against anyone else and will not denounce China, his statement also means that it is unlikely that Russia will support China against Japan. Indeed, Nikolai Patrushev, head of Russia’s Security Council, told Japanese officials that Russia will not take sides regarding the Senkaku Islands. China and Japan must solve this problem through mutual dialogue. Finally Japan and Russia agreed to "strengthen bilateral dialogue in a bid to expand cooperation in the fields of security and defence amid the rapidly changing security environment in the Asia-Pacific region." Clearly Moscow has retreated from support for China’s territorial claims. Thus both Japan and Russia, finding ample reason for moving forward, scheduled another round of 2+2 talks in spring 2014 in Moscow and did so without discussing the vexed issue of the Kurile Islands.
Not only did both sides improve their mutual understanding of each other’s positions, but they have also shown that they will facilitate this ongoing rapprochement. Japanese Prime Minister, Shinzo Abe, met the Russian and Japanese ministers of foreign affairs and of defence and “lifted the barriers to Japanese business activities in Russia”, leading to a sharp increase in investments.
SHIPS OF JAPAN MARITIME SELF-DEFENSE FORCE (JMSDF). (IMAGE SOURCE : WIKIMEDIA COMMONS)
THE JAPAN MARITIME SELF-DEFENSE FORCE DESTROYER JDS KONGOU (DDG 173) (IMAGE SOURCE : WIKIMEDIA COMMONS)
“Thus Tokyo seemingly agreed with Moscow’s call for the development of economic ties, disregarding problematical issues.” This does not mean that the Kurile Islands are off the table, but for now they do not occupy centre stage in the bilateral process, and this creates space for the exploration of areas of mutual accommodation. Whether or not there actually are many new investments, it is clear that the rapprochement is being driven forward not only by Russia’s needs for investment in Russia generally and the Russian Far East in particular or by Japan’s increased need for secure, reliable energy sources, but also by a growing mutual apprehension of China’s increasingly aggressive tendencies. Japan also may be using its growing closeness to Russia to get Washington to pay more attention to its security needs even though it refused to commit itself to support Washington’s earlier plans regarding a proposed intervention by the US and its allies against Syria in response to the use of chemical weapons in its civil war. Meanwhile the bilateral agreement to extend the 2+2 mechanism in order to develop means to cooperate and discuss Asian security together without dealing directly with the Kurile Islands represents both a Japanese concession to Russia and both sides’ apprehensions about China. Japanese experts now also discern a growing apprehension about China within Russian circles, particularly after the Chinese Navy brazenly circumnavigated the Soya Strait around Japan and the Sea of Okhotsk after the joint Russo-Chinese exercises of July 2013 and commercial Chinese vessels sailed through the Arctic Ocean. Such displays of power around Russia’s Pacific coast and its Arctic “treasure trove” antagonised Japan and alarmed Russian elites. Japan, according to most observers, including many Japanese and Chinese analysts, may be
trying to drive a wedge between Beijing and Moscow. While Chinese observers and experts deny this will happen, China’s official response is much more cautious and the Chinese government has argued that this Russo-Japanese rapprochement and cooperation should aim to strengthen regional peace and security. But this rapprochement clearly makes China unhappy. Japan’s engagement with the Association of Southeast Asian Nations (ASEAN) members also moves along parallel economic and defence tracks. Japan is upgrading both its foreign investments and its overseas development assistance within ASEAN, but its aspiration is to develop a collective defence capability. Japan’s growing rapprochement with ASEAN, Australia, and India contributes to a heightened security presence in Southeast Asia and the South China Sea. Abe’s success in persuading Southeast Asian states to criticise China’s ADIZ and to promote “cooperation in ensuring over flights and civil aviation safety in accordance with the universally recognized principles of international law” (not least because they have good reason to expect a similar provocation in their region) demonstrated the success of Japan’s approach and predictably infuriated China. In fact the only area where Japan has failed to strengthen ties is in the crucial South Korean venue. Here it may take Washington’s ongoing mediation combined with Japanese domestic reforms that Abe, given his nationalist leanings, is uniquely positioned to implement, to facilitate the greater defence and security cooperation that both sides need. Lastly, Japan’s defence reforms, clearly directed against what Japan’s new security strategy overtly calls China’s aggressive military policies, complete the cycle of reform and add to Japan’s credibility as a partner throughout Asia and to Australia but, most critically, also to America.
These reforms, beginning with a modest 0.8% increase in defence spending, will not give Japan an arsenal comparable to China’s which bristles with missiles and nuclear weapons. However, they will enable Japan to compete with an aggressive China at sea, in the air, and in cyberspace. Moreover Japan’s upgraded defence capabilities make it a stronger partner for the US and go far to enhance the vigor of the concurrent US rebalancing programme. Even though the new defence reforms add to Japan’s capability to defend its home islands and the
Senkakus, the Japanese Government did not, in its new document, call for the explicit revision of the Japanese Constitution though it clearly wants to do so. But the creation of a National Security Council testifies, as does China’s analogous move, to a broader conception of security and awareness of the need for a more coordinated, if not a whole of government approach, to the problem of enhancing security. In other words, the defence reforms make even more sense when seen, as noted above, in the light of the overall necessity to strengthen Japan’s capabilities for providing a broad range of solutions to problems now defined as being connected with security and for stronger governmental capabilities. As we suggested above, Japan’s domestic, foreign, and defence policies all aim to reinforce Japan’s domestic sources of strength whose foundations lie in the economy, and the country’s ability to defend its interests both on its own and together with other Asian partners. Ideally this partnership process would span the area from South Korea to India and include Australia and New Zealand, give Moscow an option other than China as Russia’s Asian partner, and function within the structure provided by the US alliance system as Washington also seeks to buttress security ties with these states. But it may also be observed as our final point that the construction of this network of defence and economic ties with major Asian actors could also serve to provide Japan with the means to defend its interests against China should the eternal Japanese nightmare of US “abandonment” or “defection” occur. The hedge against China may be explicit but the concern about a potentially retreating America is omnipresent, and not only in Japan. Should the United States either actually retreat or give the impression of retreating from its alliance commitments in Asia, that perception or reality could lead to a “nationalization of security” in East Asia. 
In that case America’s allies, like Japan, would then have to shoulder much more of the security burden that they have until now given to Washington. Japan’s efforts to create regional partnerships can therefore be interpreted as representing not only an attempt to strengthen and even extend the US alliance system in Asia but also to provide a kind of fallback position if ties with the US weaken. Thus Japan’s reform campaign provides the US with an enormous opportunity, but to maximise its advantage Washington too must rebuild its sources of strength. Should Washington fail to reinvigorate the bases of US power and the alliance system it now maintains in Asia, an unprecedented Sino-Japanese rivalry will probably rise in place of the US alliance system to compete for domination in Asia. This new configuration, should it arise, would reverse the shape of the previous rivalry of the 1930s because now China will be the dominant power and Japan the power at risk while in the 1930s it was Japan who menaced China. And we all know how that drama turned out.
PRIME MINISTER SHINZO ABE IN WASHINGTON DC, 2013 (IMAGE © JOSHBERGLUND19)
Cyber Resilience: The Never-Ending Struggle BY Dan Solomon
The Changing Nature of Resilience
Resilience to targeted cyber attacks is different from other high-impact events like a conventional terrorist attack, a dirty bomb, a pandemic or an extreme weather event. Invariably, organisations are powerless to stop the latter, non-malicious threats, but they can and must plan and be prepared for a targeted cyber attack. Cyber threats now have the ability to generate far greater disruption and wider-ranging consequences than other high-impact incidents particularly in the hands of very capable adversaries whether they are hacktivists, terrorists, or state-sponsored actors. The concept of resilience to cyber attack is slowly changing from the outdated notion of data protection, but is taking time to extend beyond the protection of network infrastructure and applications. Cyber attack is a threat that the operators of critical national infrastructure have differing vulnerabilities to. Hence it is an operator-specific priority to be prepared. If resilience is considered to be the ability for systems and operators to recover after an event, then to an extent, their resilience depends on the ability to absorb and survive the consequences. However the nature of cyber threats, in particular APTs (Advanced Persistent Threats), means that a reactive approach to a breach is likely to result in increasingly serious implications and each organisation needs its own proactive measures to prevent attacks. Since the invention and deployment of APTs, notably Stuxnet (which was designed to attack the SCADA (supervisory control and data acquisition system) used to control the production of nuclear material at Natanz, in Iran), the world has faced and is facing the prospect of sophisticated cyber weapons that can destroy hardware and by-pass established defences. These advanced threats can cause the permanent inoperability of control and operating systems and destroy transformers, pumps, servers and almost any machine with a PLC (programmable logic controller). 
This is a new reality that operators urgently need to plan for, as the implications for the widespread exploitation of a single vulnerability could cause a protracted disruption to critical infrastructure with severe cascading effects to business and society.
This threat is real and present since the discovery of Stuxnet, as both Russia and Iran will have closely analysed Stuxnet and reengineered it, and there are realistic scenarios whereby both will have reason to use their own versions and pass them on to far less rational proxies. An honest assessment of how resilient operators really are to the loss of widespread operating capabilities and continuity highlights that the majority of firms are not able to recover fully and quickly. While the true nature of this vulnerability is highly confidential, it is commonly recognised in closed circles. The effects could be catastrophic as insufficient redundant capacity to maintain full-scale operations can be held in the vast majority of cases, and the replacement of hardware could take a considerable time. In the absence of a clear understanding of how to effectively protect an organisation, we have seen an overriding focus on business continuity planning at the expense of preventative security. This is starting to change, as operators are increasingly convinced that their business continuity planning is sound. Also, there have been increasing calls for investment in defensive measures at most cyber security conferences, as organisations have witnessed the effects of cyber security threats, or have been targeted. This re-balancing is more closely aligned with the profile of current and future threats that relegate a reactive approach to a dangerous or reckless posture, because the increasing complexity of the nature of the threat means that reactive measures are increasingly complex, prone to error, and as we have found in many cases, ineffective.
ANTI-AIRCRAFT GUNS GUARDING NATANZ NUCLEAR FACILITY, IRAN. (IMAGE © HAMED SABER)
Reactive measures are particularly exposed when the discovery of a cyber breach is likely to occur long after the breach actually took place, and therefore the ‘damage is done’, as was apparent with the APT virus called Flame. This has consistently proven to be the case with e-espionage, and many other types of exploits are designed to have an immediate impact, which leaves no time for reaction. So the concept of response-based resilience has proved ineffective in defending against the threat. The advent of e-sabotage is based on attacks that will render hardware useless either by crashing hard drives or machine-level PLCs within an automated process control environment, or by increasing the voltage within central processing units. E-sabotage attacks may also aim to push hardware to its extreme performance, or conduct actions for which it was not designed, as well as the more obvious corrupting of internal program and data structures. For these scenarios the old concept of recovery and resilience that is being applied to cyber security is redundant, and organisations need to give greater emphasis to defence-based resilience, applying more advanced cyber defence concepts.
Post-Stuxnet Era Risk to Process Control Systems
US CYBER SECURITY EXERCISE, WEST POINT (IMAGE © JOHN PELLINO)
The automation, control and operation of nearly all systems is long-established, and the common platform for delivering functionality, diagnostics, optimisation, and efficiency is now firmly system-based. The integration of these systems has heightened the risk posed by cyber threats by creating more interdependencies between systems, and therefore greater vulnerability when one element is attacked. The increased use of commercial off-the-shelf (COTS) systems equipment rather than more expensive bespoke systems is leading to the proliferation of standardised IT platforms with weak security commonalities, which has further increased the vulnerability of systems. Stuxnet ushered in a new era of complex cyber weapons that can exploit the weakness in a single COTS system, and the interconnectivity of different layered management, control and automation systems. It also introduced the prospect of a new generation of ‘conditioned’ malware: smart malware with a ‘learning mode’ that has multidisciplinary features and attack vectors, which would render most of the current static security measures (firewalls, intrusion prevention systems, anti-virus, etc)
obsolete because security measures would require identification and prevention measures using newly-developed methods of malware behaviour analysis. One challenge faced by infrastructure operators is that they often lack the necessary expertise and awareness of security flaws in the legacy process control systems they operate. So while there are cost and operating efficiencies in connecting IT and these types of operating technology (OT) systems, this has also provided new avenues for intrusion to already insecure systems. Another challenge in the conjoining of IT and OT systems is the application of security practices and methods. The standard of security expected for IT systems is higher than that expected for OT systems, and IT security principles are difficult to apply to OT systems, which presents a problem for security managers. For example, there are dangers in conducting OT system security hygiene tasks that may trigger a shutdown of critical systems that were not designed to receive regular patches. Invariably, the OT systems are somewhat older than IT systems, in both software and hardware terms, and lack up-to-date security features or the ability to rapidly implement patches, upgrades and compatible anti-virus software, and were not designed with security as a prerequisite. This has heightened the level of cyber threat dramatically, and is driving concerns about the types of vulnerability inherent to both IT and OT systems, in recognising that cyber attacks can now perpetrate significant damage that was not previously considered to be within the realm of information assurance or network security.
Risk-informed investment?
For most operators, the threats of cyber attack ranked relatively low as drivers for security investment for many years, particularly while there prevailed a low threat awareness of the potential impacts of e-sabotage and e-espionage, and risk evaluation was deficient in supporting the evolution of cyber security. There is no doubt that this is currently changing with the emergence of more holistic consideration of security risk, not least because of the emergence of converged risk methodologies born from the higher profile threat attributed to cyber security, and the human elements that can undermine this. These include insider threats, human error, and human vulnerabilities to social engineering and subversion. Additionally, the more serious cyber threats from terrorism and state-sponsored actors are increasing, and are more likely to employ converged methods that exploit weaknesses in physical and staff security. It is suspected that the exploitation of staff at Natanz was responsible for the implanting of the Stuxnet virus. Nevertheless, we consistently find that many risk assessment methodologies are still somewhat deficient in being able to cater for the full spectrum of external threats and internal vulnerabilities. In a financial climate where there is a clear reluctance to invest aggressively in security, our own research has found that greater emphasis is being placed on mitigating higher probability risks, and the ability to react rapidly and enact contingency plans effectively, which is characterising certain elements of investment in security systems and solutions. While these solutions go some way towards building a level of ‘preparedness’, they do not sufficiently address advanced cyber threats from the most capable adversaries whose intentions are evolving rapidly towards causing significant economic damage and threatening the continuity of societal and economic systems through attacks on vulnerable elements of critical infrastructure.
The solution to this problem is complex and requires significant investment in almost every aspect of operators’ security and not just in advanced technical security measures.
13TH ANNUAL CYBER DEFENSE EXERCISE (IMAGE © MIKE STRASSER)
The drive to increase protection of networks, and reinforce information assurance against external threats, has now achieved broader recognition where those systems have become an important enabler of economic growth and ‘cyber’ is now a business continuity imperative that requires dedicated assessment, planning and investment. However there is still a widening gap between defensive capabilities and the threats, as a mistaken belief that investment is better targeted at maintaining the ability to recover from a breach than at protecting and defending continues to persist. However any regular reader of the relevant IT security press during 2013 will have seen more compelling studies that have shown that the cost of building defence against attack is lower than the impact plus the cost of recovery. All recent vendor threat studies have found that the sheer number of attacks is increasing. This fact alone has driven investment in cyber security, as more operators have developed first-hand experience of the risk. Moreover they have found that the financial impacts appear to be increasing, which has justified an increase in security investment. Furthermore, recent indications highlight that there has been a change in the nature of attacks, with a most alarming increase in attacks judged to be for industrial espionage rather than denial of service, and an increase in sophisticated attacks perpetrated by state-sponsored actors and their proxies. Finally the delicate geopolitical situation in the Middle East and specifically efforts by Iran to develop its nuclear weapons programme, counter the sanctions against it, and (with proxies) leverage the conflict in Syria, means that the threat has the potential to rise exponentially, particularly if the second phase of negotiations with Iran stalls, or implementation of the first phase fails.
This has all fuelled an awareness that current protective measures might still not be adequate and will fail to keep up with the technical complexity of the attacks that organisations may face in the near future. Most operators of critical infrastructure reportedly expect a significant attack against their operations, though they have only limited awareness of the impact of such attacks and vulnerabilities that could make cyber attacks possible. It is this factor that still attracts most concern within cyber risk and undermines confidence in cyber resilience as an established reality.
A slow evolution
Cyber risk is still an evolving domain, not least because of the growing need for board-level personnel, stakeholders, and decision-makers to become more cyber ‘literate’ to the point of being able to objectively assess the risk. However this is still a distant objective, further complicated by a lack of appreciation of the types of threats that are evolving, and the full potential impact that they can have. The lack of objective assessment of high-impact low-probability events has led most boards to view sophisticated targeted cyber attacks as ‘black swans’, which is a consistently misused term to describe events that could not have been anticipated, but is applied to events that are simply low-probability. This is now changing to the extent that a plethora of scenarios have been developed to consider the possible impact of targeted cyber attacks. In trying to address more complex scenarios, organisations are slowly becoming more conscious of the direct and indirect implications for indemnity, liability, and charges of negligence resulting from disruption of service, loss of data integrity, and the resultant damage to reputation for the organisation.
One key challenge to developing effective defence is the complex nature of the threat. Few organisations admit to having the resources or skills to be able to identify the source of attacks, to develop predictive or warning mechanisms, or the countermeasures to more sophisticated and varied types of worms, viruses and other malware. In parallel, the allocation of budgetary funds to cyber security has been hampered by the perception of over-exaggerated threat at board level, and the trade-offs faced by organisations in identifying a cost-effective level of protection which is proportionate to the risks faced by an organisation or, at least, what the board perceives that risk to be. The net effect has been that the threat has evolved much more rapidly than the capabilities to counter it, and the gap is therefore likely to continue growing throughout 2014. The common failings combine the failure to implement existing and recognised best practice and, more specifically, the failure to use existing security technology.
A Pre-emptive Approach to ‘Resilience’
Our recent experience has shown that cyber security is more robust where both IT and physical security measures adoption rates have been highest, which indicates the effectiveness of a comprehensive approach in mitigating internal and external threats of intrusion. This has been more evident to us in industries that are under greatest threat and have experienced a breach, and in industries where the impact of a security breach could be potentially catastrophic, as these sectors have been quicker to recognise the threats. Furthermore, they have adopted an approach that combines a comprehensive method with regard to both physical and cyber security, as well as security processes and policy, and organisational processes for implementing policy and managing human factors. Therefore, evidence shows that the process of effective security is becoming increasingly complex in order to be effective, and it must now integrate different elements of the relevant organisation’s preparedness and planning into an overarching converged framework to include systems, processes, policy and management practices. The need for different physical and cyber security domains to collaborate challenges these functions to dovetail their capabilities effectively, and many firms struggle with coordinating security planning and incident response.
The essence of a pre-emptive approach to security and resilience is based upon developing both insight and foresight, and the adage that being forewarned is forearmed is always the justification for investing in intelligence and preparation as part of an advanced cyber defence strategy. Good management practice and preparedness really require the ability to anticipate events long before they happen and the development of a planned response to each scenario. Hence a key element of advanced cyber defence is developing awareness of external and internal factors. This factor analysis of risk should incorporate the monitoring of relevant intelligence, the mapping of assets and processes, and regular vulnerability scanning to enable the modelling of threats, data flow protection analysis and, ultimately, risk modelling.
PLC EQUIPMENT (IMAGE UNLICENSED)
As organisations rely heavily on well-developed business continuity plans they have tended to neglect the development and exercising of defensive and response capabilities against different advanced scenarios, which hampers their ability to handle the unexpected or unfamiliar aspects of the ‘next threat’. Napoleon once said “uncertainty is the essence of war, surprise its rule” and preparation for serious cyber threats must be built on the assumption that there will be surprises, and that the relevant organisation’s response will have to tackle the unexpected. Organisations need to be informed and prepared for what they might face, and establish the processes and procedures to cope with a severe cyber event. Unfortunately, organisational preparedness tends to build heavily on hindsight, or focus on historical threats, irrespective of their evolution. Similarly, organisational awareness tends to dwell on the more familiar vulnerabilities, often because they have been previously targeted. Both point to a lack of insight: insight into what is within their threat landscape, insight into what the potential impacts could be on the organisation, and insight into the pace of threat evolution.
This awareness should inform organisational preparedness in helping management to assess their risk posture, and define their risk tolerance. More importantly, it should prioritise investment in the development and refining of both defensive and response capabilities. However, more than defining the requirements, the cyclical process for maintaining awareness of the evolving threat landscape should also drive managers to proactively review flaws in their plans and identify barriers to effective performance through regular vulnerability tests and security exercises. So ‘defence’ needs to match the levels of innovation and sophistication that threat actors are introducing, and preparedness requires a commitment to being proactive in the process of planning, testing and reviewing. This is central to organisational resilience.
The process of simulating real-world threats and analysing the performance of security apparatus forensically to determine its strengths and weaknesses is a key platform of organisational preparedness and resilience, not only because ‘practice makes perfect’ but because it develops an organisational preoccupation with ‘what if’ scenarios, and the failure to deal with them effectively. This mind-set should counter any tendency to over-simplify plans and procedures, as the threats in question are becoming increasingly sophisticated. It should also feed a preoccupation with causes of security failure and their implications. An awareness of factors that can result in security failures is essential in combating the complacency that can emerge amongst system operators. This attitude characterises ‘high-reliability’ teams that require a near-perfectly synchronised and effective performance on every occasion. In facing advanced threats, operators cannot afford for security measures to perform ineffectively and must be able to rely on an agile and well-prepared response.
So how should organisations take the first step towards developing resilience? Preparation for a resilient posture needs overt leadership from the CEO and other C-level executives, and the management of future crises starts now, long before the crisis is apparent. Managers and leaders need to be informed and prepared for what they might face, and failure to prepare is a failure of management to protect the enterprise they are entrusted with. Cyber incidents could lead to severe impact outcomes and therefore should be a board-level concern, not least because it is the most challenging context in which managers need to respond effectively to crises, which will severely test their abilities. Invariably the commitment of resources to preparation is only forthcoming when there is clear awareness of the risk, and it is clear that this is most obvious where a severe breach has already occurred to escalate the issue. Organisations should first focus on developing an awareness of their vulnerabilities that will provide tangible evidence of breach implications, and test the efficacy of measures that they have in place to bring their situation into clear focus, and end any complacency and speculation about risk. They should then engage in a rigorous factor analysis of risk methodology that will inform their remediation programme.
Cyber Resilience: The Never-Ending Struggle BY Dan Solomon
Dan Solomon is Director of Cyber Risk & Security Services at Optimal Risk Management Ltd.
CONTRIBUTIONS FOR FUTURE EDITIONS OF ‘MONITOR’ WANTED
We are currently looking for contributions for subsequent editions of ‘Monitor’, whether in terms of articles for inclusion or adverts for relevant companies, organisations or services. We would also be interested in the submission for review of upcoming or already-published books, academic papers, or other works covering areas of interest to the magazine and SIRS Consultancy as a company. Regardless of what sector you currently work in, or if you are looking for relevant employment, the publication of an article in future editions of ‘Monitor’ could help to strengthen your CV, increase your professional profile and improve your employability in the field(s) in question, due to the exposure that this would give you. Such a contribution would also allow the writer in question to demonstrate their research and analysis capabilities to a wide audience. Also, advertising via ‘Monitor’ could prove beneficial for companies and organisations looking to recruit personnel, or offer services which may be of interest to the readers of the magazine. As ‘Monitor’ will be promoted throughout the governmental, academic, business and private sector intelligence practitioner communities by a specialist defence marketing company, a wide audience for any contribution to the magazine, whether an article or an advert, can be expected. Submitting relevant publications for review would also allow these to be widely promoted.
If you are interested in contributing to future editions of ‘Monitor’ in any of the ways outlined, please email us at Monitor@sirsconsultancy.org.uk. We are looking forward to hearing from you.
Optimal Risk provides tailored security risk services that aim to defend against, and prepare for, high-risk and high-impact scenarios. From a broad spectrum of cyber threats ranging from theft and sabotage, to espionage and more, Optimal Risk provides integrated multi-domain support for physical and cyber risk, and leads the field in converged risk services.
IN CONJUNCTION WITH
One of the world’s largest online networks, SDP Networks helps businesses discover how to connect with customers, drive traffic, generate more brand awareness and increase sales. We support companies across a broad range of industries & markets. The SDP Networks online directory provides an opportunity for companies to list on the directory for FREE, as well as paid listings that are featured on the SDP Networks homepage and directory category pages. The key strength of SDP Networks is our large social & business media network, comprising millions of targeted key professionals and decision-making executives in specific market sectors. SDP Networks also has relationships with hundreds of media organizations and government agencies. Unlike some of our competitors providing the normal banner advertising, SDP Networks can rapidly distribute your marketing message, products, events or services through our vast social media network to a highly targeted audience. We already have a strong international network in place. When you market your business with us, you’ll gain access to our worldwide community of over 1.5 million professionals. Each vertical will appeal to a specific audience, but use the same Web-based platform and Internet infrastructure, while reaping significant multiple networks from product vendors, packaged procurement, advertisers, related service providers, individual subscribers and other network participants. The primary goal of the Network is to attract and serve highly qualified customer leads. By wrapping these services with valuable industry content (best practices, product and service guides, subject matter experts, training and education programs) in a variety of Web-based formats, we are able to attract, aggregate and grow key buying audiences, building a consistent pipeline of commercial activity. www.sdp-networks.com