This is the speech Pieter De Crem, Minister of Defence for Belgium, gave at this week’s (July 9th) Cyber Defence and Network Security conference in London.
Chair, Excellencies, Ladies and Gentlemen,
In one of his songs Mick Jagger sings that “We’re in the same boat on the same sea”. I like this metaphor in this particular context. Information and communication technologies have profoundly changed your and my lives, our world. We love the same worldwide web and we surf on it by using the same or similar software. Mobile systems enable us to do a major part of our office work also out of the office. Today, more than a third of the world population can easily communicate with each other, regardless of any physical distance. In a very short time, ICT have become the backbone of our knowledge economy.
Cyberspace facilitates trade and communication. It has an enormous social importance; it ensures free speech, facilitates education, research, technological innovations and it promotes the exchange of knowledge and ideas. Never before in the history of mankind have we shared so much information and knowledge on such a great scale. In light of these overwhelming advantages we are definitely not “stuck between a rock and a hard place” as in the song of the Rolling Stones, but being in the same boat on the same sea we should not forget about navigating and taking weather conditions into account.
All this knowledge and information constitutes a very attractive target for a wide variety of non-friendly actors: ranging from economic competitors and foreign intelligence services to criminals, terrorists, ‘hacktivists’, and so on. The anonymous nature of cyberspace makes it extremely hard to identify the people or groups that are behind cyber-attacks. Indeed, like so many other modern threats, cyber-threats have an asymmetric nature.
In recent years, the impact as well as the frequency and sophistication of cyber-attacks have increased exponentially. And, Ladies and Gentlemen, we must be aware of the fact that this is merely the beginning of a global trend that is and will remain a key challenge of this century.
[Assess the key international challenges for cooperation and coordination against cyber-attacks]
Cyber-threats disregard national borders; they thus require a strong international approach. In the past few years in particular, we have witnessed an enormous increase in international efforts in the domain of cyber-security. The awareness of the need to establish strong national cyber-policies and to enhance international cooperation in this domain is spreading more and more.
However, the opinions on the measures to be taken differ too often. As a consequence, the nature of the cyber-security capabilities that countries possess is often very different. Today, there are still no standards or benchmarks for such national cyber-security capabilities.
Moreover, there is no such thing as a clear overall picture of cyber-attacks. Most of the attacks are never even observed. Whenever an attack is identified, its discovery is often a very delicate issue and the attack is not always publicly disclosed or no information about it is being shared between nations. This brings us to the subject of national sovereignty, which is one of the biggest challenges in our fight for cyber-security. It’s obvious that a nation primarily protects its own national interests. It is therefore quite understandable that sharing sensitive information with other countries is not self-evident. Moreover, the security classification often used for such information complicates information sharing among countries even more.
Nevertheless, we need to overcome this challenge and aim to establish a strong transparency between Allies and partner countries. We need to share experiences and to create a stronger mutual assistance in the fight for cyber-security. Networks know no bounds; our approach must therefore also be borderless to the greatest possible extent.
At the Budapest Conference in October 2012, the High Representative of the European Union for Foreign Affairs and Security Policy, Lady Catherine Ashton, emphasized this once again by stating that, and I quote, “We have to step up our efforts in increasing cyber security capacity globally. To make sure we can do this, there is a need for new capacity building programs and also for communication of existing initiatives”. A statement to which I fully subscribe, but how must we achieve this objective?
In my view, we must primarily focus on our common visions and problems in order to tackle the threat of cyber-attacks. This will allow us to increase the level of confidence among States. We must continue our efforts in finding a consensus, in a pragmatic way, by starting from what we have already agreed on so far. It is my belief that successful initiatives between two or more Countries can and will generate spill-over effects towards others.
A practical example of a confidence based initiative is MISP, which stands for Malware Information Sharing Platform. It originated as a cooperation project between Belgian actors, to exchange information about complex forms of intrusions in data systems. This successful project aroused the interest of NATO that developed a similar platform at its level. At this moment, the NATO platform is in an evaluation and testing phase and it will be proposed to the Member Nations later this year.
Starting from what we have in common will enable us to further establish a common approach that must allow us to use cyberspace not only in a safe way, but, and I’d like to emphasize this point, to assure its free and open nature.
This means that we not only need to ensure a high level of transparency. In our fight for cyber-security, we also need common standards and rules. Cyberspace has become an integral and important part of our everyday life. Its importance cannot possibly be overstated. There is a need for more legal clarity in this domain. Which measures do we expect States to take in order to prevent cyber-attacks originating from their own territory? What if a State launches a cyber-attack against another State? At what point can we regard such an event as a casus belli? How to respond to such an attack? What happens when a State doesn’t take action when an attack is launched by other actors, but from its own territory? And these are but a few examples. The challenges are enormous, but we have every reason to quickly create clarity in this domain.
Indeed, the growing importance of cyberspace generates also an equally strong potential for conflicts. And, of course, this whole discussion should always be held without losing sight of the balance between individual privacy, free use of internet and legitimate national and international interests. An important progress has already been made. We must continue our efforts in determining which of the existing rules and laws can also be applied to the domain of cyber-security. But simultaneously with this process, we need new and specific regulations that should evolve as fast as the domain itself. Real laws for a virtual world! If we can regulate the high seas, outer space and the Arctic, we can also regulate cyberspace.
Ladies and Gentlemen,
Besides a shared vision, a swift exchange of knowledge and information and the further development of a legal framework, we also need qualified people. The fight for cyber-security is not only about tools and legal issues; it is also about people with top-knowledge. We need enough highly skilled technical experts to handle the many challenges. A great amount of work can still be done in this domain. In order to achieve this, Nations must increase their investments in education and training, for it is an investment in the digital future of our society. But this also has to be considered in an international context. An initiative such as the NATO Cyber Defence Centre of Excellence, which was established in 2008 in the beautiful city of Tallinn, is but one fine example of a strong international initiative that improves cooperation among partner Nations.
Finally, strengthening international cooperation has an additional and very important consequence. We cannot ignore the context in which we find ourselves. The financial and economic crisis is still very much around. As Belgian Minister of Defence, I have witnessed, just as most of my colleagues, severe cutbacks in military expenditures.
However, the development of new capacities is expensive, very expensive. Therefore, I put the concept of “Pooling & Sharing” on the European agenda under the Belgian Presidency of the European Union in 2010. A similar concept is used within NATO, called “Smart Defence”. These concepts promote a closer cooperation among armed forces of partner countries through pooling and sharing existing military capabilities and the joint acquisition of new capabilities. It is my conviction that this approach also offers numerous possibilities in our fight for cyber-security. Initiatives such as commonly developing joint capabilities; ensuring a smooth exchange of data and information among partner countries and providing joint trainings and standards, are not only cost effective, but will increase our capabilities and enable participating countries to have capacities which they couldn’t establish or acquire on their individual account.
[Understand the role industry can play in partnerships with government and military and cyber security, including vulnerability and penetration testing]
It is clear that guaranteeing cyber-security not only needs a strong cooperation among governments. In order to tackle the cyber-threats in an efficient way, an interaction is needed between a wide variety of actors. The private sector as well as the academic community have a very important role to play on different levels.
As a concrete example of the importance of the private sector and academic community, I would like to mention two Belgian researchers, Joan Daemen and Vincent Rijmen. At the beginning of this century, they won the competition for the best method for symmetric encryption, organised by the American NIST institute. Their Rijndael algorithm became the worldwide standard for encryption. Today, both men are still active, in the academic as well as in the private sector, and they continue to conduct research to secure digital information.
The industry must continue to develop safer ICT, and this, I would suggest, in close coordination with national governments. It can deliver better tools to protect those ICT and to detect cyber-attacks. And of course, it can deliver high level vulnerability and penetration testing services. Many government systems rely on standard commercial products of the software industry to protect their unclassified networks. The safer their products are, the safer the user is, ranging from private persons over industries to the government. The commercial value of offering better protected software should not be underestimated.
In this domain again, we witness the need for highly qualified personnel. Governments can play an important role by not only promoting research but also by ensuring quality education and high-level training and by stimulating high-tech projects. Indeed, one of the key conditions for creating a secure network is to know it better than anyone else. This involves continuous development, as well as a constant self-questioning. Whenever an attack should succeed, it is of utmost importance to detect it rapidly, in order to limit the damage.
On the other hand, it is a fact that a large part of each country’s national critical infrastructure is owned by the private sector. Obviously, a strong protection of such infrastructure is crucial. It needs to involve internet operators, network administrators, cloud providers, and various other business sectors. The private sector can make an enormous contribution to the national security by paying the necessary attention to the protection of its own capabilities. In this domain, the private sector faces the same challenges as national governments: the need for a clearly defined joint approach, transparency and common rules, the need for adequate resources and qualified personnel and the need to step up international cooperation.
Therefore, if we want to win the fight for cyber-security, both the private and the public sector have every reason to overcome their differences and to work closely together. In order to achieve this, both parties will have to concentrate on building mutual confidence, as well as on clearly defining the role and responsibilities of each player in the field. Each Nation should thus focus on establishing a good cooperation between the private and the public sector. Also in this domain, successful initiatives will, without any doubt, generate a spill-over effect and incite others to join. And in turn, this will open numerous opportunities to enhance bilateral and multilateral cooperation. Strengthening the partnerships between the private and public sector will lead to a win-win situation. It will ensure that the sum of their combined efforts will be more than the whole of the parts.
[Update on Belgium’s future priorities: a focus on improving intelligence sharing and advanced warnings on cyber-security threats across government and military]
Ladies and Gentlemen,
In Belgium we like good music, but we are not waiting for the Stones to roll over us. Public administrations, businesses as well as citizens are permanently exposed to cyber-attacks in Belgium. Mr Alain Winants, Head of our Civilian Intelligence Service, estimated the damage in our country at “1 to 3 billion euro per year”. It will therefore surprise no one that we’ve taken important steps to improve the security of our networks. But just as Rome wasn’t built in one day, optimal security will require more steps in the future.
In 2005, we established BELNIS, Belgian Network Information Security, a discussion forum developed for consultation about information security. The Belgian Computer Emergency Response Team, CERT, was set up in 2009. The Belgian Cybercrime Centre of Excellence for training, research and education started its activities in 2011. But, as the Head of the cyber-security service of Belgian Defence said about a year ago: “This gives us a good orchestra. Now it’s time for a good conductor”.
Very recently, we’ve achieved a major breakthrough. On 21 December 2012, the Belgian government adopted an integrated national cyber-security strategy, aiming
1. at achieving a secure and reliable cyberspace with respect for the fundamental rights and values of a modern society;
2. at providing an optimal security and protection of critical infrastructure and government systems; and
3. at further developing its own cyber intelligence and cyber defence capabilities.
This national strategy must help us to keep the internet a reliable environment to work in with a balance between rights and freedoms. It must ensure that each player is well aware of his or her responsibilities and the dangers resulting from the use of cyberspace. This strategy provides us with a centralised and integrated approach; with a focus on the creation of a legal framework at the national level to start with; a permanent monitoring of the cyber threat; a strengthening of the protection against the disruption or abuse of computer systems; a reinforcement of the capacity to react to cyber-incidents and to tackle cyber-criminality; a close cooperation between the government, the private sector and the academic community; a focus on the expansion of expertise and knowledge; and last but not least, a strong cooperation with other nations. A central organ will coordinate all national and international cyber security actions of our Country. It will be the conductor of our orchestra.
Furthermore, Belgium is well aware of the transnational nature of cyber-attacks and will continue to focus on a close and permanent cooperation with its Allies and international organisations, including through exchanging critical technical information about cyber-attacks.
The Belgian Ministry of Defence will play an important role within this Cyber-Security strategy. Within the Belgian Defence community, we consider cyberspace, alongside air, land, sea and space, as a fifth dimension. Future military operations will all have a cyber-component. It is obvious that Belgian Defence will pay attention to the further development of a genuine cyber security capacity. We need to fully grasp the complexity of the cyber-threat, in order to be able to detect, prevent, and even counter cyber-attacks. In 2010, for example, we passed an Act pertaining to the methods of intelligence collection by our security and intelligence services. This Act explicitly authorises the Military Intelligence Service to neutralize cyber-attacks against Defence networks and to identify the perpetrators. This law also confirms the possibility for the Belgian Armed Forces to launch its own cyber-attacks under applicable rules of international humanitarian law, so in particular in case of an armed conflict to which Belgium is a Party. Within Belgian Defence, an integrated approach must lead to decisive actions and an efficient use of the available resources in these times of austerity.
Chair, Excellencies, Ladies and Gentlemen,
This brings me to my conclusion. Row, row, row your boat. We are all convinced of the benefits that ICT have to offer, but we are also clearly aware of the vulnerabilities that their use may imply. As the line between the real and the virtual world tends to blur more and more in the future, the constant attention to this issue is of paramount and permanent importance to us all. We should not sit back, relax and say: “merrily, merrily, merrily now”.
A lot of work has already been done. But in order to respond to this threat in a strong and unequivocal way, further steps should be taken. We need to continue to develop a joint approach and to overcome the issue of sovereignty; we need to ensure transparency and to further define international standards and regulations. We need to strengthen our cooperation with the private sector, as well as with allied Nations and we need to pay great attention to the education and training of qualified personnel.
It is an absolute honour to be present here as a guest speaker at this high-level meeting between experts originating from 24 countries from all over the world. The concept of cyber-defence merits more elaboration as it will remain forever ingrained in our vocabulary. This unique forum meets this need. It provides an exceptional platform to discuss new ideas and initiatives; to identify benchmarks, as well as to coordinate existing capabilities. I wish all of you a very fruitful, stimulating and productive conference. Thank you all for your kind attention.