Footnotes
1. According to the OECD Privacy Guidelines: “any information relating to an identified or identifiable individual” [1].
2. A honeypot is a system in a network that is set up with the purpose of attracting attackers and studying their behavior and techniques.
© Springer-Verlag GmbH Germany 2018
Claudia Linnhoff-Popien, Ralf Schneider and Michael Zaddach (eds.), Digital Marketplaces Unleashed, https://doi.org/10.1007/978-3-662-49275-8_79
79. Enabling Cyber Sovereignty: with Knowledge, Not with National Products
Christian Schläger¹, André Ebert², Andy Mattausch² and Michael Beck²
(1) Giesecke & Devrient GmbH, Munich, Germany
(2) Ludwig-Maximilians-Universität München, Munich, Germany
Corresponding author: Christian Schläger
79.1 Motivation and Problem Formulation
Today, Cyber Security and Cyber Risk are on every CIO’s agenda. As cyber risks threaten to destroy every CIO’s project or program, a company’s new business venture, its participation in Industry 4.0 value chains, and its digitalization strategy, they have made their way from being a purely CISO/ISO subject to the highest board levels. In fact, there is hardly a CFO or CEO who does not want to be constantly informed about their company’s cyber risk footprint. Information Security risks (including IT security, data privacy, and Cyber risks) make up at least 20% of a global player’s top ten Op-Risks overall¹, and this share is expected to grow.
The need to defend oneself against Cyber Threats is apparent. The question remains how to do so best and most effectively. Historically (if that term can be used at all for something as recent as “Cyber”), IT security (meaning security focusing on technical measures and tools, i.e. software) drew from lessons learned in the military and defense area. This led to approaches fueled by the idea that only national products and services could be used to defend oneself against the outside world. We subsume these initiatives under the term “Cyber Sovereignty”. The question of national cyber sovereignty is discussed frequently on panels, summits, and conferences, e.g. at the Munich Security Conference (MSC) in a panel discussion at the 2nd International Cyber Security Conference 2016. National vendors emerge claiming to be 100% trustworthy because they develop and produce only in a national market².
The number, the complexity, and the heterogeneity of cyber adversaries (including individuals, organizations, networks, and technologies) cannot be defeated by one nation or one community alone; defense needs to rely on the full potential of tools, software, services, organizations, knowledge, and people available to the modern company and its management. Attackers organize their skills and develop their technological arsenal globally – so why would an approach limited to national borders be more effective or efficient?
If national thinking cannot be the answer to Cyber risks, what can? In our view, Cyber Sovereignty must be based on knowledge, not on national boundaries. In the increasingly complex world of cyber products and services, this knowledge must be created jointly and independently, and must be easily available from a trusted source.
With the founding of the DCSO (German Cyber Security Organization – Deutsche Cyber Sicherheits-Organisation³), four major DAX companies have founded a managed security service company that will provide best-of-breed services to the German industry and its value chain. A study from 2015, conducted among the founding members’ information security staff, showed that among the needed services “Proof of Concept Testing for Security Products” ranked top. Security professionals in all companies were searching for a way to evaluate tools, products, and services in the area of information security, or with considerable impact on information security. The DCSO team, led by security professionals from Allianz and researchers from the Ludwig Maximilian University Munich (LMU), developed a concept of evaluation that aims at giving its customers back their Cyber Sovereignty. Besides evaluating products and services, the concept also generates knowledge about the right integration and usage of a product or service. We call this DCSO product “Product Evaluation and Integration”, PEI for short.
Key principles of this PEI service are objectivity and independence, usable and customer focused results, completeness and timeliness, quality and transparency.
Customers have access to three distinct but connected sub-services:
1. a cyber-landscape ranking and classifying over 800 security products and services (or products and services with considerable impact on security)
2. a database of test results from the detailed evaluation of products and services – each done in a PoC (Proof of Concept)
3. implementation guidance from our testers and administrators on tested products and services, serving as a knowledge base when applying the product or the service
The basis for the testing is a virtual enterprise, the so-called “DCSO Blue Print SE”. This virtual company comprises the common core of the DCSO founding members and its advisory board. It is “headed” by the PEI team and uses every security product or service in its own infrastructure.
To obtain usable and customer-focused results that allow for a comparison of products and services, the DCSO Blue Print SE has comparable tools, software products, network designs and, very importantly, IT and security processes in which a security product must show its value in connection with other tools and software and within well-defined processes.
The evaluation of a product or service with the help of the DCSO Blue Print SE, together with defined test procedures regarding the trustworthiness of the vendor, product functionality, security testing (i.e. penetration testing), and the feedback from the DCSO community, allows for a knowledgeable assessment of a product regardless of its national origin. Using the PEI service and its database, local and national companies can exercise their Cyber Sovereignty by choosing deliberately and knowingly, from a catalogue of products, the one which promises the greatest benefit to their security.
The capability to obtain such knowledge and decision-making skills must be delegated to an objective and trustworthy entity. It can no longer be generated within a single company, as the number of PoCs, assessments, and evaluations outgrows the potential of any single IT Security department.
79.2 General Idea
79.2.1 Founding of DCSO
In early 2015, the CIOs of four major DAX companies decided to cooperate in depth in the area of cyber security and operational cyber security services. Their idea was supported by the German Ministry of the Interior. The general idea of “making Germany more secure” and building a service company “business for business” (b4b) was in line with several other initiatives from various players in the DAX community, such as the foundation of the CSSA (Cyber Security Sharing and Analytics association⁴) or the Digital Society Institute at the ESMT⁵.
The founders’ security experts were tasked with setting up the new company as a start-up-like business in Berlin and Munich, focusing on building a service portfolio that adds value to existing security tools and processes. Besides the founding companies and the German Ministry of the Interior, 25 DAX/MDAX companies and institutions are organized in an advisory board to steer the young company and develop its service portfolio further.
79.2.2 Community Approach – the General Idea to Gain Sovereignty
One cornerstone of the DCSO is the greater idea of forming a user community to support each other in tackling a problem too big for any single player. This idea was already successfully implemented at the CSSA.
The basic concept behind the traditional definition of sovereignty is based on the same idea: one community (i.e. a nation and its government) defines a trusted space in which solutions can be found that are not shared with adversaries. However, in the cyber world national boundaries have lost their meaning, just as they already have in the business world for multinational companies. The new concept that is needed is based on the community approach. Cyber security fulfills all the criteria needed for forming a community among business players:
1. The problem is agnostic to their business, meaning that all companies, irrespective of their industry, face the same problem
2. The solution does not hold potential for a strategic business advantage, meaning that the implementation of effective cyber defenses does not directly lead to a competitive advantage, but the lack thereof poses an immense risk
3. Players are heterogeneous enough to profit from sharing experiences and knowledge, meaning that among the DAX/MDAX companies security teams have specialized in different areas due to the lack of resources
4. The market has so far not developed a suitable or comparable solution that would be an alternative to forming a community
The other advantage of true sovereignty in a certain field lies in the trustworthiness of the solution. It is reckoned that within one’s own chain of development and production one controls all relevant steps and thus the trustworthiness of the final solution. In cyber security, and more generally in IT, the pursuit of such sovereignty is extremely hard to realize. Interconnections, dependencies and R&D investments are too complex or too high to enable one single nation to master all aspects alone. Nevertheless, cyber security depends on trustworthy components.
The solution to this challenge can also be found in the community approach. The setup of the PEI service at DCSO relies on intensive testing and evaluation of products to minimize the so-called “bad apple” problem of integrating an insecure security solution into one’s security architecture. Furthermore, the testing concentrates, among other things, on the trust aspect of the provider. Various information sources and numerous experiences and references can be combined to form a holistic picture of the service provider or manufacturer.
As the community consists of users and experts in the field of business security architectures who share knowledge, experiences, and also test scenarios and test bed installations, security products and services can be rated and evaluated according to their potential for integration. The potential for integration is defined by the PEI team as a product’s or service’s ability to integrate itself seamlessly into a commonly accepted blue print architecture. The idea behind this KPI is the reasoning that a product might be perfect on its own at solving a given problem but cannot deliver this value in combination with existing systems like SIEM, log file repositories, IDS, firewalls, and especially existing processes (manual, semi-automatic and automatic). For a CISO or a SOC manager the importance of this capability cannot be overstated. Our experience shows that a CISO would rather opt for the second-best product if it is well integrated than for the best single product on the market.
The PEI cyber security community’s USP lies mainly in the evaluation of integration. It is an essential piece of information about a security product or service.
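To make the evaluation dimensions from the test procedure (vendor trustworthiness, functionality, security testing, community feedback) and the “potential for integration” KPI concrete, here is a small scoring model written for this page; it is an added example, not DCSO’s or the PEI team’s own tooling. The blueprint interface names, the weights and the two sample products are all constructed assumptions. It shows the effect the chapter describes: a product that scores best on its own can rank below a second-best product that plugs into every blueprint component.

```python
"""Toy PEI-style product evaluation (added example, not DCSO/PEI code).

Each candidate product gets scores on the chapter's evaluation dimensions and,
separately, an "integration potential": the share of blueprint interfaces and
processes it can connect to. All names, weights and scores are constructed.
"""
from dataclasses import dataclass, field

# Interfaces and processes of the (constructed) blueprint enterprise that a
# security product is expected to connect to. The names are assumptions.
BLUEPRINT_INTERFACES = {
    "siem_export",        # forwards events to the SIEM
    "central_log_repo",   # writes to the log file repository
    "ids_alert_ingest",   # consumes and correlates IDS alerts
    "firewall_api",       # reads or updates firewall policy
    "ticketing_process",  # feeds the manual incident process
    "auto_response",      # supports the automatic response playbooks
}


@dataclass
class Product:
    name: str
    vendor_trust: float         # 0..1, from vendor background checks
    functionality: float        # 0..1, from the PoC feature evaluation
    security_test: float        # 0..1, 1.0 = no findings in the pentest
    community_feedback: float   # 0..1, aggregated member references
    integrations: set = field(default_factory=set)


def standalone_score(p: Product) -> float:
    """Equal-weight mean of the non-integration dimensions (assumed weights)."""
    total = p.vendor_trust + p.functionality + p.security_test + p.community_feedback
    return round(total / 4, 3)


def integration_potential(p: Product) -> float:
    """The KPI: share of blueprint interfaces the product can plug into."""
    return round(len(p.integrations & BLUEPRINT_INTERFACES) / len(BLUEPRINT_INTERFACES), 3)


def overall_score(p: Product, integration_weight: float = 0.4) -> float:
    """Blend standalone quality with integration potential.

    The 40% weight is an assumption chosen to reflect the chapter's
    observation that a well-integrated second-best product is preferred.
    """
    blended = (1 - integration_weight) * standalone_score(p)
    blended += integration_weight * integration_potential(p)
    return round(blended, 3)


def rank(products: list) -> list:
    """Order products by overall score, best first."""
    return sorted(products, key=overall_score, reverse=True)


def missing_integrations(p: Product) -> list:
    """Gaps the implementation guidance would have to cover for this product."""
    return sorted(BLUEPRINT_INTERFACES - p.integrations)


# Constructed sample: A is the stronger standalone product, B integrates better.
PRODUCT_A = Product("VendorA EDR", 0.9, 0.95, 0.9, 0.85,
                    {"siem_export", "ticketing_process"})
PRODUCT_B = Product("VendorB EDR", 0.85, 0.85, 0.9, 0.8,
                    set(BLUEPRINT_INTERFACES))

if __name__ == "__main__":
    for p in rank([PRODUCT_A, PRODUCT_B]):
        print(f"{p.name}: standalone={standalone_score(p)} "
              f"integration={integration_potential(p)} overall={overall_score(p)}")
        print("  guidance needed for:", missing_integrations(p) or "nothing")
```

The `missing_integrations` output is the hook for the third sub-service: whatever the product does not connect to natively is exactly what the testers’ implementation guidance must document for members who deploy it anyway.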
Coming back to the general idea of founding a cyber security service provider from the industry for the industry and generating cyber security sovereignty, the PEI service and the closed community of user companies and their knowledge is currently the best implementation known to the authors and the DCSO community. The successful combination of a service provider approach with the strength of the digital community approach in a closed environment gives its members cyber security sovereignty through knowledge sharing and closed-group testing rather than through traditional national concepts.
79.3 Product Evaluation and Integration (PEI) as a Service
This section briefly describes the features and unique selling points of the PEI service. To this end, a general overview of the project idea and its core components is given first. Subsequently, the particular sub-services of the PEI service are discussed in a more technical way.
79.3.1 The PEI Services – a General Overview
The key idea of the PEI service is to provide a comprehensive and novel service for deeply investigating and analyzing IT security products, including both hardware and software solutions. Furthermore, the PEI service provides tools and the competence to identify suitable products fitting the current needs of its customers. The following three components are seen as the key drivers of the PEI service:
1. The PEI Landscape of Security Products