Cyber security and professional hacking is an issue that's recently been at the forefront of international news. The furore over the case of US whistleblower Edward Snowden has rocketed the issue up the political agenda.
A Parliament Magazine roundtable discussion on cybersecurity, jointly organised with telecoms giant Huawei, came amid ongoing discussion on the European commission's directive for network and information security which was published in February this year. The draft legislation was accompanied by a cybersecurity strategy that contains non-legislative measures on a broad range of issues.
The current scale of the problem can be gauged by the fact that security experts estimate that in the UK alone there are about 50 million cyber attacks each year, a number believed to be growing rapidly all of the time.
A sensible compromise
The discussion, held in the European parliament, heard that nowadays there are more and more opportunities for cyber criminals to exploit, with cybercriminals and cybercrime networks becoming increasingly sophisticated. Event co-host and UK Conservative MEP Malcolm Harbour, who kicked off the discussion, said that cybercrime is one of the fastest growing forms of crime and the issue had been "rising rapidly" up the political agenda in recent times. It was for this reason, he said, that there is an urgent need for increased cooperation between the EU and member states. Harbour, who chairs parliament's internal market and consumer protection (IMCO) committee, expressed optimism that parliament, including his own committee, would be able to reach a "sensible compromise" on the commission's legislative proposals.
Incidents, malicious activities and misuse
Another keynote speaker during the 90-minute session was German EPP deputy and fellow IMCO committee member Andreas Schwab, who has been responsible for authoring a parliamentary report on the commission's draft law. Schwab began by conceding that his report's conclusion would be "more modest" than the commission's original proposals, which generally seek to ensure that cyberspace be protected from "incidents, malicious activities and misuse". The MEP also stressed that while the directive obliges operators to take action to deter a cyber attack, it covers only those companies which are engaged in what he called 'critical infrastructure'. The discussion continued with a direct appeal from Leo Sun, who heads the Brussels office of Huawei. Describing the whole issue of cybersecurity as "very, very sensitive" and something which had attracted a "lot of recent attention", he said there was an urgent need to raise awareness of the related risks of cybercrime to the wider public. He said, "When it comes to cybersecurity, there is a lot at stake and that is why it is all about building trust. This is something all of us, including governments, must get involved with. Tackling cybercrime requires a great deal of competence and expertise and there's a need to invest much more time and energy in raising awareness of the whole issue."
A matter of trust
With more than one million people worldwide becoming cybercrime victims each day, there was a need to have the correct operational tools and capabilities, it was argued. The principal contribution came from David Francis, a veteran in the ICT industry, who is currently Huawei's chief cybersecurity officer in the UK. Stressing the "vital" importance of having a dialogue on the subject, Francis, who started his career as an engineer with British Telecom, agreed with his Huawei colleague that trust-building was an "essential" ingredient in any approach to dealing with cybercrime. Cybercrimes, he pointed out, are high-profit and low-risk and criminals often exploit the anonymity of website domains. Cybercrime, said Francis, knows no borders and the global reach of the internet underlines the "absolute critical importance" of international cooperation in combating it.
In a wide-ranging presentation, he explained what protecting privacy and security entails from a technology vendor's point of view. But he also admitted that in an inter-connected world, it was "impossible" to stop all cybercrime, adding, "Yes, we will be cyber attacked. Indeed, we are on a daily basis, and the threat is growing. There are, quite simply, more bad guys out there than good guys. We must plan for the worst outcome. Cyber criminals are increasingly adept at gaining undetected access and maintaining a persistent, low-profile and long-term presence in IT environments." Francis, who is widely experienced with cybersecurity challenges, added, "All parts of an organisation are potentially weak spots and must be given adequate attention when it comes to protective measures." He admitted that cybersecurity issues had, in the past, amounted to no more than an "afterthought", but that this was increasingly something that must become a "core" element of any company's policy. It was for this reason, he told an audience of MEPs, industry experts and other stakeholders, that Huawei now insist that all the companies it deals with sign a 'cybersecurity agreement' from the outset.
People, policy and procedure
Whether it is the food chain or a nuclear facility that is targeted by cybercrime, he said that the biggest risk usually comes from one source: people. That was why, he argued, it was so important to check the background and qualifications of those working in the industry. "At Huawei, for example, we go to some lengths to ensure employees are 'clean'. We also try to motivate our employees to learn proactively to improve the relevant knowledge and skills." He went on, "We have to adopt a 'built-in' approach and rigorously implement, or develop, global best practice and processes on cybersecurity."
Francis underlined the importance of the "people, policy and procedure" mantra, "not just for our company but throughout the industry". While cybercrime necessitates a "global response to a global problem", he added, "Local regulators also have a key role to play here in raising standards. However, this must not be done at the expense of stifling local industry." His comments met with approval from UKIP deputy Roger Helmer who was among the invited guests at a packed event. Helmer said, "It is obvious to anyone that the ICT industry is dependent on the global supply chain and that this is not a problem that can be solved by a single country or the EU alone. It demands a global approach and, personally, I have no problem with that at all." Another British MEP, Sarah Ludford, a member of the ALDE group, also returned to the "trust issue", saying there was a need to "know who is doing what", particularly in light of the Edward Snowden row.