Experts Discuss American and European Perspectives on Cybersecurity, CSPAN, October 26, 2021, 9:47pm-10:48pm EDT
next, a discussion on cybersecurity from american and european perspectives at the center for strategic and international studies. this is an hour.

>> i work at csis and i have worked on cybersecurity for a while. pardon me. today's agenda: we'll have opening remarks from izabela of -- she's the chair of the institute and the chair of the cybersec program committee. this will then be followed by a panel that has john costello, chief of staff to the national cyber director; robert kosla, director of the cybersecurity office in poland's prime minister's office; and sebastian burgemejster, partner at bw advisory. we will start with opening remarks for ten minutes or so. izabela, over to you.

>> thank you. good morning to american friends and [inaudible]. it is good to be back in the u.s. you may remember when the cybersec forum visited csis in washington last time, in march 2019, before the covid-19 outbreak. we had some plans to put together joint onsite events. i truly hope that this will soon come back and that we can meet each other again physically. meanwhile, i am really happy to support this online exchange. i just finished an intervention during the international cybersecurity week in singapore. the same discussion basically took place. the first question was, what keeps the madam minister [inaudible] of communication awake at night? and she said protection of critical infrastructure. so we have very good topics to discuss today. and i think that the cooperation on cybersecurity management and security of critical infrastructure, on which our security and prosperity relies, is now vital. it is vital to the spread of -- they are growing more sophisticated and critical infrastructure is particularly vulnerable. this threat is mainly driven, on one side, by a geopolitical issue: cyberspace has multiple actors, nation state actors but also cybercriminals. and on the other side by advancements in the process of digitization, soon to be the implementation of more and more solutions on emerging technologies. these technologies have been widening cybersecurity gaps and this will accelerate as we move forward into legitimate [inaudible].

the cybersec forum has been advocating the need for enhanced cybersecurity and physical cooperation and collaboration between so-called like-minded countries. i am glad that as we speak we can see new developments. last week, the eu trade and technology council [inaudible], which has not specifically mentioned cybersecurity collaboration. impacting cybersecurity. we considered it a very good development. but at the same time we hear from the white house -- [inaudible] but the process of building the cooperation, which brings together 30 countries, and cooperations improving collaboration, and cryptocurrency engaging on these issues, it is now advancing. the u.s. is also building a coalition of nations to advocate for investment in subsets of technology and to better secure supply chains. it is over this discussion we are having today. and there will be -- and i hope that there will be many eu countries in this cooperation on cyber crime and law enforcement collaboration. despite these important and good developments, cooperation on cybersecurity, particularly between the u.s. and the eu, is very much needed now. i will concentrate on four possible dimensions of such collaboration. the first is the eu, u.s., private sector collaboration level. and last but not least, nato level.

the u.s. has already focused its attention on recognition and they also have a history of cybersecurity. and this collaboration is not practical. we need, as much as possible, to develop cooperation between eu and u.s. countries. maybe as an example, the development by the u.s., japan, india and australia of a long-standing collaboration on cybersecurity allowing new efforts to -- the resilience against cyber threats. by doing this together, bringing expertise, the nations drive domestic and international --. another specific example of such an enhanced collaboration was a month ago with the u.s. declaration on the partnership for challenges including cybersecurity cooperation for a new era, with three agreements that will expand cybersecurity cooperation with respect to the financial sector, military engagement and capacity. there's a lot of expertise to be shared, and there is a lot of expertise to be shared with the central europe region. the message from the central eastern european region is that, first, it is also exposed to cyber and sabotage attacks -- their collaboration and the specific initiative. it can be done well together with the u.s., the strategic partner of this geopolitically important region. the aim should be to build resilience and security of the infrastructure -- in the future. since the initiative's development of structure there is hands-on collaboration and investment in cybersecurity. in the latest report there were presented a couple of recommendations on the region. many of them are related to -- protection. and it's on our website.

then, the private sector role in terms of collaboration to protect and to secure infrastructure. here let's concentrate a bit more on the forum. the forum has become a place where we innovate and create solutions against adversarial action. last year the forum established -- from the polish minister of digital affairs. it is gathering today more than 14 cybersecurity -- cutting edge solutions for security of industrial systems. and since involvement of the private sector is crucial for cybersecurity and for the creation of cybersecurity risk frameworks for critical infrastructure, there is great potential for mutually beneficial collaboration between american as well as european companies in this case of critical infrastructure protection.

last but not least, another platform of cooperation on critical infrastructure is now nato. -- allied collaboration includes increasing resilience of infrastructure and enhancing our shared security. the military uses civilian infrastructure, including these processes and others: airports, networks and efficient transport of troops and equipment. a significant element in our resilience and nato's joint defense as well as its capacity to build. nato should also manage both risks and opportunities of emerging technology, computing in active critical infrastructure, so -- this can be done in the north atlantic. and innovate in a framework of collaboration which you can develop. in a nato summit, some unique areas. nato and allies will maintain enhanced security of physical infrastructure, supply side and communication networks. so we can aim at strategic partnerships between the u.s. and the eu, and for mutual benefit. maybe i can also talk about what president joe biden said. he said a whole transport policy is needed. he's committed to maintaining cybersecurity by enhancing infrastructure against cyberattacks. so i will prioritize that in a way. this is the whole-of-allied effort. and we need to work together on critical assets and infrastructure. thank you so much and i'm looking forward to the discussion and practical steps to enhance this cooperation between european and western governments. thank you so much.

>> thank you.
that was great and perfect timing. we are now going to go to our panel of experts. what i will do is ask questions and they can respond briefly and we will have a conversation about critical infrastructure. let me start. maybe you could give your views on what sustainability means. do you want to start?

>> certainly. thanks for having me. my first engagement is a newly established position in the u.s. government. i am happy to talk about critical infrastructure protection. it's composed of a number of different components. at the baseline level, it's the basic security of the system to begin with, whether that's technical or whether it's a functional component. i think more broadly, resilience is the ability of any system to quickly respond and continue functionality, regardless of a disruption. a perfectly resilient system, ultimately, is one that can very quickly continue functionality.

>> great, thank you. robert, let me ask you the same question. when you think about it from your position, what is resilience?

>> i cannot address the resilience aspect. a strategy should be implemented by 2024. this is related to cybersecurity. my major concern is about the infrastructure itself. i'm talking about resilience. we prefer directly at the national level to focus on protecting essential services. you may ask how they refer to critical services. what i actually see is a relationship between critical infrastructure and digital. it's about how to maintain and how to protect infrastructure.

>> thank you. you work with a lot of companies. what's your perspective?

>> thank you. i'd prefer to use a different word than resilience. the enterprise view is the way the company could adapt to the new situation and quite easily use the capability to respond to the memory of every major incident. there is no such thing as linear thinking. when i'm working with my clients and i see a lot of suppliers, vendors, partners, it's based on the complete security of the ecosystem. that's why i'm looking at it as a matter of protection against a risk or a threat.
>> thank you. those are all good answers. it raises a question, and this program will be re-broadcast to a broader audience. what's critical infrastructure in the digital age? what's critical infrastructure now? how do you define it?

>> i can give you a textbook answer. it's a straight-up policy and textbook definition. i think he hit on it in his opening remarks. it's the critical services that underpin the functioning of society and the function of the state as well. i think the idea has expanded over time, largely due to the fact that it's connected to technology. in the original definition of critical infrastructure from the late 90s we were talking about strictly critical services, and communication and cyber related services were a part of that, but as this has become a technical strategy to underpin everything, it becomes something separate, something that's substantively to be looked at on its own. you have done an interesting job in how you categorize critical infrastructure, rather than having categories of critical infrastructure, and i think we are getting to a place where things like energy, water, etc. require special attention. there is a number of ways to describe it.

>> overall, i think we are finding that society will continue to grow based on technology and vulnerability as services have gotten more and more dependent. what's critical infrastructure? if all infrastructure is in the cloud, what's the critical infrastructure? it would be part of the critical services, but infrastructure will be critical.

>> the services based on the infrastructure, and we have to protect the services, and then protect the infrastructure.

>> great, thank you. sebastian, let me pick up on something you said earlier. you use the word fragile, which i like.
i think both sectors are better than they were a decade ago. but we still have crucial vulnerabilities. where are we on critical infrastructure? i know that's a complicated question. for a general audience, where are we and how are we doing? do you want to start, john?

>> certainly. in certain sectors, i think we are doing quite well -- the finance sector is doing well. energy is getting there. overall, they are doing well and there has been a lot of attention paid to the gas sector and transportation at large. they are starting to make progress on it, but the ceos are very much paying attention and regulators are paying attention as well. water is a sector that's particular, really, simply by how it is governed, without a protocol. as far as our adversaries' ability to disrupt, that could be a positive. we have something similar with election security, which is to do with the content that guides those behaviors. it is a certainty which has gotten a lot of attention from congress and the administration. as a general matter, the vulnerability is simply the technology and services we use. i think there's been a lot of attention towards creating more secure services, more secure products over time to create some type of transparency with consumers, but we can't get around the fact that it's being passed to critical infrastructure that do not have the capital, know-how or the capacity to take on and properly manage that. some of the biggest interests the u.s. has to deal with from a government perspective, and there is no getting around that the systems that we use are still vulnerable. that may be an extension of just an endemic problem with technology itself. i don't think anyone will argue with that. it's something we need to manage. the last point, i don't want to take up too much time for my colleagues here -- my last point is just that understanding risk itself has gotten far, far better over the last few decades. it has got more connected as technology has become more suffused with everything. it is getting harder and harder to understand how functions and services interact, and how they potentially cause cascading failures, or how they can be passing risk on to others. and unfortunately, i think for governments everywhere, we are figuring out how that works before the defenders are, for a variety of reasons. i'm sure we can get into those. this is why a lot of governments are dealing with cybersecurity and resilience in critical infrastructure protection in general. it tends to look reactionary. we can diagnose that, interrogate that a little bit. but it is often because we don't realize that there is a particular pathway of scaled threat to a scaled risk. and it materializes in some way. i say that in and of itself, beyond being vulnerable are a lot. there is enduring vulnerability. i know folks across the government who are just trying to get answers on this. so i yield my time.

>> thank you, mister chairman. robert, i saw you nodding your head at various points. what is your view on this question?

>> yeah, i agree with john. we identify interdependencies between different sectors, and the potential impact on other sectors. based on direct implementation we identify seven major sectors. of course after many years of
implementation both in the polish sector and in european countries, it's clear that it's not the fullest right now. what's more, sectors like communication -- the way that the european union designed the system is actually full of silos covering different sectors. and without knowing what is going on in the specific sector, and how it impacts one sector and how that sector impacts another sector. we really have the interdependencies identified for national cybersecurity, and actually identify the dependencies. this is how we implement at the national level. one part of innovation's development of the systems: national cyber security platforms. and the system actually collects the information from regional systems, and it improves the situational awareness. what's more, we incorporate the dynamics and risk assessment tools, so we can dynamically see that an attack against the banking sector or the energy sector, what's the potential impact on other sectors? and these are the most critical resources. so this fragility, we should map the impact with a new approach. this has been done by poland, to assign additional entities. so until now, we talked about essential entities, so services being essential. we extended this and we talk right now about important entities, and fill the gap and identify other sectors and subsectors. for instance, media: what are essential media? and what is the impact on other sectors? this is something that i believe should be an ongoing process, in from the u.s. and europe to devise in 12th most effective paths.

>> social media was on my list. i was going to ask you all. you don't have to answer. does it count as critical infrastructure? i think some people would say yes. more importantly, before i turn to sebastian burgemejster, on to interdependency. i don't think we realized the problems with being siloed. i've spoken to electric companies, water. it was a telecoms company that made to develop their services. so interdependency among critical infrastructures is probably a point worth exploring. but sebastian burgemejster, let me get your take.

>> thank you. and what is my experience cooperating with critical infrastructure companies or critical services companies? what i would say, first of all, is the difference in maturity. the financial system, energy -- the energy sector and financial sectors are much more mature than, for example, the transport sector or the health sector. in poland, for example, i don't think they will attack one hospital. the adversaries will focus on more critical systems. so they will focus on the energy sector or the financial sector, or any other sector or companies which are major, which have major impacts on the state level. so i understand why maturity is different. but what i also see in almost every sector is that the companies do not really manage this, so that a supply chain attack will be quite easy from the adversary point of view. they even sometimes do not understand that there are only two or three suppliers in one sector for the critical software, like i tps software or software for managing cost details and so on. i think it is important from a systemic point of view to understand that an attack not on just one hospital but on a service provider will have much more impact than attacking one or two companies. this is a case for a multi-vendor attack, or like the solarwinds attack. the attack will focus on the companies that have much more impact on other companies, on the federal and state level.

>> great, thank you. so since you all brought it up in some way, one of the debates
here is the balance between mandatory requirements for security in critical infrastructure and a voluntary approach. an example that helped start this was colonial pipeline, the gas or fuel company. it was under voluntary standards, and some people came away from that saying, are voluntary standards enough? maybe we can rephrase the question a little bit by asking, how do we best incentivize the private sector? and i will just put a caveat in here. i have been doing this for about ten years. so if you say something about information sharing or something, then we will press the buzzer. so let's talk about how you incentivize the private sector. izabela, i know you are still online, so if you want to jump in please go ahead. john, one of the best incentives -- regulation is an incentive but it is not necessarily the best. john?

>> i think that is the question that governments have to wrestle with, in my opinion. critical infrastructure is not a monolith. i think another a number -- the financial sector has numerous regulatory overseers. and my sense is that for a number of factors we have reached the limits of voluntary standards and public and private collaboration. and i think the u.s. needs to explore what mandatory requirements look like. and congress is currently considering a number of measures. in my mind it's a bare bones requirement, because it goes without saying that when you inform the government about what you notice, after that is the question of what you are doing about it, and in the future. and you can benefit from being able to share that information across sectors, and it's almost certainly similarly targeted. we get down to brass tacks about critical infrastructure protection standards themselves. on the electric industry, putting our foot on them. and i have seen that being effective to some degree. but i know that -- i don't think anyone is focused on how we get beyond a checklist approach. i certainly don't have a fully mature thought on the matter. but i know it is something that the u.s. government is looking at and congress is considering, on how we explore that balance. and with respect to these spaces -- and a very mature sector like water, is an incredibly mature sector like finance. because there is sufficient capital to invest in cybersecurity, as well as the risk being externalized through financial loss, like fraud. so how do we realign that? i know that may not be a satisfying answer. but i agree with you that it is something that the u.s. government needs to look at. but overall i think we have hit the limit in a number of sectors on what a purely voluntary approach can achieve.

>> robert, what is the situation? then i will come to bob here for a minute.

>> so we went first to a voluntary approach for many years. we know very well that it doesn't work effectively. and so we developed the situation around colonial pipeline, and an immediate call with other colleagues. we explore the cyber situation and focused on voluntary to mandatory. so first we knew it didn't work, and then we knew that penalties were needed, and we use needs another regulations. but when we move to a mandatory
approach, you have to provide support. you cannot only penalize and request; there can be now enough proposals. so we adopted a similar approach, and common development by government of standards and recommendations through documents, through publications. so we developed and published many documents covering this, covering cybersecurity requirements. but we asked about how you incentivize, okay? and start to collaborate between public and private sector. because what we saw was a declaration, and there was nothing behind it. i know what i'm talking about because i was doing this with the polish government for ten years and then 15 years for the company. so i know both types. and when we are dealing with the business and commercial side, it was only the prerogative of the government. and in many cases, there were a lot of answers already developed. but the answers were not used by the government, because some supported corruption. i think it's important to really benefit. in 2019, the program had five major areas. it's about increasing cybersecurity awareness and building programs based on materials. secondly, it's about identification in sustainable ways. the third is about security. it's considerations across the sector to develop practices. fourth is about certification and how to work within that. we are working to increase resiliency. we have very good practices in the program coming from a real partnership.

>> thank you. let me know before we turn to sebastian if we have questions. it's about how things are working. sebastian, if you could close us out on how to incentivize this.

>> first of all, the private -- it's about the cybersecurity of the company our day. they have to become external error within the government or the authorities to verify if those requirements are met, not only on paper, but in the real situation. for i know a lot of companies that have brought in procedures, but at a technical level, there is completely no security. we are trying to create a baseline.

>> thank you.
one of my new requests is how would we actually implement and how would we operate? it's easy to come up with recommendations. cybersecurity is good. we should all have great ideas. let me turn to some of the collaborative international efforts. one of the things that's developed is how do we strengthen u.s. operations. it's important to get like-minded nations in line. do you want to start?

>> i think engagement is another thing we are doing. the biden administration is certainly trying to advance that. one thing we need to make sure of is the u.s. involvement in nato and all allied countries working towards a framework for sharing information. we know that there is a resilience. i think that is certainly a major issue. i think we have to continue to make sure that we have a strong enough perspective with a legal attaché. i think what we've seen over the last few years is, as we continue to be vulnerable to threat actors, we are seeing the asymmetry arise in the disruptive power of cyber criminals. colonial pipeline is exhibit a of that. i think it is a common concern in the european union and the united states. before we move on, i want to circle back around. voluntary information sharing is the foundation that needs to be maintained, much like robert said. that needs to be a prerequisite. accountability is what we need to be trying to reach, to make sure companies think of accountability as a positive thing. i'm sorry to circle back.

>> great. robert, let me ask you about this question of u.s.-european collaboration. what would you do?

>> i think we already have this in the report. we have certification and our argument has to do with relations in the u.s. the outcomes to create the foundation. i think it's a case by case basis as well. we could just talk about colonial pipeline, but there are many other situations. working to mitigate the manipulation of microsoft software. the solution for microsoft would probably be it. just a week ago, we had another round of discussions, but in the most action to recover the critical service. it's about recovery operations. i think just creating and demonstrating and understanding the economic goals within this working group is a good driver for development.

>> thank you, robert. that's a very valuable point. we've got about four minutes left. we've gotten a lot of questions, some of which we've covered, but i would like your views on u.s. cooperation.

>> i think what's important in all cooperation is also trying to involve the private sector, because there is a big difference from the point of view of people who are really in it. the involvement of the private sector is crucial for the cooperation. it's about understanding the certification standards on the eu and u.s. side. from the private sector perspective, creating these kinds of standards in the eu or u.s. will be as difficult as can be. so using the same or similar methods or even working at the national level will help businesses to provide services.

>> thank you. we need to remember, the internet itself was only commercialized -- if you are going to measure the horn in the crucial part, it might not even be a decade ago. it's a very new problem. we've talked about three things that might help: vehicles for cooperation internationally. we've talked about incentives in the private sector and how to blend measures, and we've also highlighted the point that while everyone is doing quite well, there's still a lot of room to improve. we didn't get a chance to talk. only one person brought up russia. but foreign actors are all good topics for discussion. let me thank sebastian and izabela for what has been a very useful discussion.