ROBERT HAVAS VP Strategy and Business Development Security

Chairman of EOS(European Organisation for Security

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

01.06.2011 BUDAPEST

2© 2010 CASSIDIAN - All rights reserved Page

Title / Name

Date

The cyberdefence capability in Europe: the rationaleof the mutualisation

• Cyberattacks target citizen, critical infrastructures, government networks and IT, defence forces

• Cyberdefence has therefore tight connection with sovereignty, blurring limits between security and defence

• Speed of reaction should be very high: addressing cyber-threats and answering to cyber-incidents require the creation of a rapid reaction force, where “speed” is the operational word.

• For these reasons,a top down centralised National or European approach is not feasible: each organisation has to put in place its own defence and deterrence system, sometimes also proceed to counterattacks(CERT‘s), the drawback being a fragmented approach.

• Nevertheless, the concentration, at National level and/or European level, of expertise and tools, at disposal of everybody, is a must: from here comes the idea of Cyber Centers

3© 2010 CASSIDIAN - All rights reserved Page

Title / Name

Date

The European Cyber Center

• Great countries can afford to build these centers, gathering experts and tools(example of ANSSI in France, now with extended competences and increased budget)

• Smaller countries can not all afford it, by lack of the critical mass: the only way remaining is the mutualisation at EU level and/or NATO level

• There are two practical ways to mutualise intelligence, expertise and tools:

1. Under a NATO umbrella2. Under a EU umbrella The two ways may be different from mission and law enforcement

point of view, but having more than one center helps to pool intelligence and expertise

4© 2010 CASSIDIAN - All rights reserved Page

Title / Name

Date

The missions of a EU Cyber Center

• In practice both implementations will coexist, the multiplicity of competences and missions will not allow to choose one or the other exclusively

• Mutualisation, through a EU Cyber Center, will concern all the MS’s, even those having implemented their own National capabilities

• On top of that, a trans-atlantic cooperation may be activated

• Smaller countries such as Hungary should play this kind of card, not neglecting nevertheless to keep some expertise at National level, to be able to take profit out of the EU Cyber Center and be able to interact with.

5© 2010 CASSIDIAN - All rights reserved Page

Title / Name

Date

What can this center not be ?

1. A cyberdefence capability: this center will not be the target of cyberattacks

2. A cyber counterattack capability, at least at the beginning, later on it could assist any MS on its request

• What could be the missions of such a center ?

1. Security incidents are of multiple natures; victims are not willing to share their experiences, but their attitude is slowly changing ;it is important to address the standardisation of the incident descriptions in order to elaborate common defence strategies

2. A forensics capability: attacks and incidents are more an more sophisticated and heterogeneous, a common forensics toolbox could be of big help for the experts of the different MS’s

6© 2010 CASSIDIAN - All rights reserved Page

Title / Name

Date

3. Cyber incident taxonomy elaboration and associated conformity tools

Exchange of information and experience sharing is essential for:

• improving the information systems resilience by sharing the most important information concerning alerts,

• sharing the analysis efforts and conclusions concerning the impact grade of a new vulnerability.

• To allow for a rapid sharing of critical information between experts, a common taxonomy has to be implemented

• 4. Cyber Security Open Source Intelligence :

Open source intelligence tools should focus on the cyber security threats in order to detect early on suspicious activities

5. A Cyber Defence training capability

In order to get the appropriate behaviour in case of a cyberattack, IT operators have to get appropriate training and share experiences