58,414 research outputs found
EU cybersecurity capacity building in the Mediterranean and the Middle East
Cyberthreats on the Rise
The 2008 Report on the implementation of the European Security Strategy included “cybersecurity” for the first time among the priorities of the EU’s external action, stating that: “modern economies are heavily reliant on critical infrastructure including transport, communication and power supplies, but also the Internet.” If the EU Strategy for a Secure Information Society, adopted two years before, already addressed “cybercrime,” the proliferation of cyber-attacks “against private or government IT systems” gave the spread of cyber-capabilities a “new dimension, as a potential new economic, political and military weapon.”
An EU Cybersecurity Strategy was adopted in 2013, followed, in 2016, by a first EU “Directive on Security of Network and Information Systems,” known as the “NIS Directive,” which harmonized the EU Member States’ legislations
Cybersecurity by executive order
This report explores the details of the Obama Administration's executive order on cybersecurity, breaking down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context.
Summary: On 12 February 2014 the United States National Institute of Standards & Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, the flagship accomplishment of the Obama Administration’s 2013 cybersecurity Executive Order. Just weeks before the White House announced its executive order, the then Australian Prime Minister Julia Gillard made an equally exciting declaration introducing the Australian Cyber Security Centre (ACSC). One year on, the contrast between the two efforts is stark.
The United States and Australia share a common interest in developing a robust partnership between the government and private sector to develop whole-of-system cybersecurity. To move beyond political optics, the ACSC must embrace existing best practices, commit to meaningful public-private partnerships, and set a pragmatic strategy moving forward. The Obama Administration’s efforts, while far from perfect, offer critical lessons that the Australian government can adopt and adapt to ensure that the ACSC is a successful endeavour and critical infrastructure cybersecurity is improved.
This Strategic Insight report explores the details of the executive order, breaking down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context
Games for Cybersecurity Decision-making
Decision-makers are often confronted with cybersecurity challenges, which they may not fully comprehend but nonetheless need to critically address. Efficient preparation through cybersecurity games has become an invaluable tool to better prepare strategy and response to cyber incidents. Such games offer the potential for capacity building of decision-makers through a controlled environment, often presenting hypothetical scenarios that are designed to invoke discussion, while decision-making skills are put to the test. While games are acknowledged to be an effective method for such situations, many rely on technical capabilities to address these challenges. However, a key challenge is to understand the factors that influence cybersecurity decision-making. Further, game effectiveness for developing these skills is often not validated. This paper surveys cybersecurity games and compiles a data-set of 46 games to investigate how effective cybersecurity games are for assessing decision-making skills, and determines the state-of-the-art game. Through critical review and analysis of the data-set, a set of criteria to assess games for decision-making skills is presented. Furthermore, the criteria are applied to ten games, which determined Cyber 9/12 to be the state-of-the-art cybersecurity game for decision-making. The paper concludes with insights into how the assessment criteria can support the development of better decision-making skills through games
To pay or not: game theoretic models of ransomware
Ransomware is a type of malware that encrypts files and demands a ransom from victims. It can be viewed as a form of kidnapping in which the criminal takes control of the victim’s files with the objective of financial gain. In this article, we review and develop the game theoretic literature on kidnapping in order to gain insight on ransomware. The prior literature on kidnapping has largely focused on political or terrorist hostage taking. We demonstrate, however, that key models within the literature can be adapted to give critical new insight on ransomware. We primarily focus on two models. The first gives insight on the optimal ransom that criminals should charge. The second gives insight on the role of deterrence through preventative measures. A key insight from both models will be the importance of spillover effects across victims. We will argue that such spillovers point to the need for some level of outside intervention, by governments or otherwise, to tackle ransomware
CEPS Task Force on Artificial Intelligence and Cybersecurity Technology, Governance and Policy Challenges Task Force Evaluation of the HLEG Trustworthy AI Assessment List (Pilot Version). CEPS Task Force Report 22 January 2020
The Centre for European Policy Studies launched a Task Force on Artificial Intelligence (AI) and Cybersecurity in September 2019. The goal of this Task Force is to bring attention to the market, technical, ethical and governance challenges posed by the intersection of AI and cybersecurity, focusing both on AI for cybersecurity but also cybersecurity for AI. The Task Force is multi-stakeholder by design and composed of academics, industry players from various sectors, policymakers and civil society.
The Task Force is currently discussing issues such as the state and evolution of the application of AI in cybersecurity and cybersecurity for AI; the debate on the role that AI could play in the dynamics between cyber attackers and defenders; the increasing need for sharing information on threats and how to deal with the vulnerabilities of AI-enabled systems; options for policy experimentation; and possible EU policy measures to ease the adoption of AI in cybersecurity in Europe.
As part of such activities, this report aims at assessing the High-Level Expert Group (HLEG) on AI Ethics Guidelines for Trustworthy AI, presented on April 8, 2019. In particular, this report analyses and makes suggestions on the Trustworthy AI Assessment List (Pilot version), a non-exhaustive list aimed at helping the public and the private sector in operationalising Trustworthy AI. The list is composed of 131 items that are supposed to guide AI designers and developers throughout the process of design, development, and deployment of AI, although not intended as guidance to ensure compliance with the applicable laws. The list is in its piloting phase and is currently undergoing a revision that will be finalised in early 2020.
This report would like to contribute to this revision by addressing in particular the interplay between AI and cybersecurity. This evaluation has been made according to specific criteria: whether and how the items of the Assessment List refer to existing legislation (e.g. GDPR, EU Charter of Fundamental Rights); whether they refer to moral principles (but not laws); whether they consider that AI attacks are fundamentally different from traditional cyberattacks; whether they are compatible with different risk levels; whether they are flexible enough in terms of clear/easy measurement, implementation by AI developers and SMEs; and overall, whether they are likely to create obstacles for the industry.
The HLEG is a diverse group, with more than 50 members representing different stakeholders, such as think tanks, academia, EU Agencies, civil society, and industry, who were given the difficult task of producing a simple checklist for a complex issue. The public engagement exercise looks successful overall in that more than 450 stakeholders have signed in and are contributing to the process.
The next sections of this report present the items listed by the HLEG followed by the analysis and suggestions raised by the Task Force (see list of the members of the Task Force in Annex 1)
Greater Washington Works: IT and Health Careers with Promise
The Greater Washington Workforce Development Collaborative, an initiative of The Community Foundation for the National Capital Region, has partnered with JPMorgan Chase & Co. to develop a new research report, Greater Washington Works: IT and Health Careers with Promise, released today. The report focuses on how our region can address the skills gap and lift more of our neighbors out of poverty through careers in IT and Healthcare. With over 70% of net new jobs requiring post-secondary education and training, the Washington regional economy continues to be highly knowledge-based. Local employers, however, face challenges in finding skilled workers. Nearly 800,000 individuals in our region have no education past high school, highlighting a skills gap that has the potential to undermine our region's global economic competitiveness. Further, while it is encouraging that our regional unemployment rate has improved to pre-Great Recession levels, many of our neighbors are still struggling to make ends meet. Our region can count 100,000 additional residents living below the Federal poverty level since 2009. African American or Latino workers in the region are three times more likely to earn an income below the poverty level. Addressing our region's race, ethnicity, and gender-based income inequality is a critical challenge for our region to tackle if we want to ensure that all in our region have a fair shot for prosperity
Cybervandalism or Digital Act of War? America's Muddled Approach to Cyber Incidents Will Not Deter More Crises
If experts say a malicious [cyber] code 'has similar effects to a physical bomb,' and that code actually causes a stunning breach of global internet stability, is it really accurate to call that event merely an instance of a cyber attack?
Moreover, can you really expect to deter state and non-state actors from employing such code and similarly hostile cyber methodologies if all they think that they are risking is being labeled as a cyber-vandal subject only to law enforcement measures? Or might they act differently if it were made clear to them that such activity is considered an armed attack against the United States and that they are in jeopardy of being on the receiving end of a forceful, law-of-war response by the most powerful military on the planet?
Of course, if something really is just vandalism, the law enforcement paradigm, with its very limited response options, would suffice. But when malevolent cyber activity endangers the reliability of the internet in a world heavily dependent on a secure cyberspace, it is not merely vandalism. Rather, it is a national and international security threat that ought to be characterized and treated as such. Unfortunately, the United States' current approach is too inscrutable and even contradictory to send an effective deterrence message to potential cyber actors. This needs to change
