Hybrid Cyber Warfare, dual risks? Cologne - 26/04/2017 ing. Giuseppe G. Zorzino ERMCP, CISA, CISM, CGEIT, CRISC, LA ISO27001
Bio Giuseppe Giovanni Zorzino Teacher and consultant of information security, currently I deal with cyberstrategies, security management systems, governance and organization information security, privacy, compliance and awareness. More than 35 years of experience in the IT industry which more than 15 on IT security. Italian Air Force Academy, Official (ret) of the Air Force Corps of Engineers. Cybersecurity coordinator of CESMA (Military Aeronautical Studies Center) "Giulio Douhet". Member of IT Security Committee of Engineer Council of Rome, as well as ISACA Rome Chapter and ISC2 Italian Chapter. Extensive educational activity at public authorities and SMEs. 2 patents. Active certifications: ERMCP, CISA, CISM, CGEIT, CRISC, Lead Auditor ISO 27001, Security+, CMMI appr, MCSASec 2003, Certificatore etico, IBM Cert Solution Architect, IBM_Cert_Specialist, 26/04/2017 Hybrid Cyber Warfare, dual risks? 2
CESMA Acronym of Centro Studi Militari Aeronautici Giulio Douhet, a non profit Think Tank of the Italian Air Force Association. Mission: to contribute to the diffusion of the Aerospace and Defence culture in Aerospace and Defence, both within Italy and internationally; to make studies, exchange ideas and discuss the trends of Defence and Aerospace, making a common space available to all Stakeholders (Air Force, Civil Aviation, Italian Space Agency, Air Component of the other Armed Forces, Industry, Academia, International and European Organizations) Vision: to be widely recognized, at the European and International level, as value providers for all the stakeholders and for the Italian nation. CESMA has organized and organize several workshops and lectures on UAVs, Space, History of the Italian Air Force, Military Ethics, Cyber, etc. www.cesmamil.org 26/04/2017 Hybrid Cyber Warfare, dual risks? 3
WG: "Cyber Hybrid Warfare and the aerospatial power: risks and opportunities" AGENDA Hybrid and Strategy Hybrid and Doctrine Hybrid and Satellite systems Hybrid and EW Hybrid and the NATO view Hybrid and Psychology Hybrid and Awareness Hybrid and Legal The work will be published in the next months, please ask to info@cesmamil.org 26/04/2017 Hybrid Cyber Warfare, dual risks? 4
Hybrid threats Hybrid is the new "buzzword" in the military field It is not obvious appearance of an asymmetric conflict No established doctrine, so there are no elements that allow a Commander to develop its campaign operations Exploitation of vulnerabilities on the target, using conventional and unconventional methods, to generate ambiguity to hinder decision-making processes generate surprise; seize the initiative; generate deception and ambiguity; avoid attribution of action; maximize deniability of responsibility for aggressive actions. 26/04/2017 Hybrid Cyber Warfare, dual risks? 5
Cyber threats Cyber threats resemble threats in the fifth dimension of warfare, as cyber warfare is often termed, and refer to a sustained campaign of concerted cyber operations against the IT (Sacha Bachman) Cyberspace is an enabler correlated with Air and Space, and not only It is an actual and concerning trend the use of cyber capabilities related with military of hybrid operations: the so-called "cyber dimension of Hybrid Warfare" Two perspectives: taking advantage of the opportunities of cyberspace as a domain for free, fast and effective communication use of cyberspace as an attack on warfare domain 26/04/2017 Hybrid Cyber Warfare, dual risks? 6
Risks military side Hybrid is the dark reflection of our comprehensive approach. We use a combination of military and non-military means to stabilize countries. Others use it to destabilize them. (Stoltenberg) http://www.nato.int/cps/en/natohq/opinions_118435.htm Hybrid Warfare as integration of tools, techniques, tactics, and procedures, conventional and un-conventional methods, use of regular forces and irregular, in a context of symmetrical and asymmetrical conflict, to gain strategic or tactical advantage, inflict damage and loss to the adversary, at minimal cost Un-conventional warfare = integration of various dimensions, not last the information dimension This is "Unrestricted warfare", "War beyond limits", as Chinese analysts indicate the integrated use of all the strength expressions of a nation 26/04/2017 Hybrid Cyber Warfare, dual risks? 7
Risks civilian side In June 2015 the European Council recalled the need to mobilize EU instruments to help counter hybrid threats. EU Commission - "Joint Framework on countering hybrid threats, a European Union response", Brussels, 6.4.2016 "While definitions of hybrid threats vary and need to remain flexible to respond to their evolving nature, the concept aims to capture the mixture of coercive and subversive activity, conventional and unconventional methods (i.e. diplomatic, military, economic, technological), which can be used in a coordinated manner by state or non-state actors to achieve specific objectives while remaining below the threshold of formally declared warfare." Many EU Member States face common threats, which can also target crossborder networks or infrastructures (SCADA) "How France's TV5 was almost destroyed by " "Cyberattack on a German steel-mill" Air Traffic control.. 26/04/2017 Hybrid Cyber Warfare, dual risks? 8
Opportunities Hybrid warfare strategy cooperation NATO with EU (Warsaw 2016) Threats reconnaissance National resilience of Critical Infrastructure and (Air) Defence Systems Rapid assessment and decision making National capabilities Fill the technology gaps with the industrial cooperation Improve application of IT standards (ISO27001, NIST Framework, ISO31000) Governance Threats management Consequence management No practical legal framework just to Tallinn Manual 2.0 Action 12: The Commission, in coordination with Member States, will work together with industry within the context of a contractual Public Private Partnership for cybersecurity, to develop and test technologies to better protect users and infrastructures against cyber aspects of hybrid threats. 26/04/2017 Hybrid Cyber Warfare, dual risks? 9
Questions? 26/04/2017 Hybrid Cyber Warfare, dual risks? 10