Major Challenges in Structuring and Institutionalizing CERT-Communication

Otto Hellwig (1, 2), Gerald Quirchmayr (2), Edith Huber (3), Gernot Goluch (1), Franz Vock (4), Bettina Pospisil (3)

(1) SBA Research, Vienna, Austria
(2) University of Vienna, Faculty of Computer Science, Research Group Multimedia Information System, Vienna, Austria
(3) Office for Research and International affairs, Danube University Krems, Krems, Austria, orcid.org/0000-0003-3373-0870
(4) Federal ICT Strategy, Federal Chancellery, Bundeskanzleramt, Vienna, Austria

Abstract—This paper describes an approach to the definition of requirements for CERT-Communication in a changing environment. CERTs play an outstanding role for the detection, analysis and mitigation of vulnerabilities, threats and cyber-attacks in a multistakeholder cyberspace on which society relies more and more. Furthermore CERTs are a very valuable backbone for national and regional (e.g. European Union) cyber strategies and their role is partly defined in national and European legislation. It can be difficult to bring these obligations in line with the current primarily informal communication channels of CERTs that rely on person to person trust. This paper is devoted to the question of which kind of communication requirements have to be fulfilled to best use and support the work of CERTs in this complex environment.

Keywords: CERT, CSIRT, communication models, NIS-Directive, Cyber Security, incident handling, information and knowledge sharing

I. INTRODUCTION

Cyberspace is a key foundation of a well-functioning public and economic life worldwide. Services offered via the Internet are increasingly used by European users, but a recent special Eurobarometer report issued in 2014 shows that Europeans have high levels of concern about cyber security and that these concerns have grown since 2013.[1] Countries worldwide and also in Europe increasingly see cyber risks as a national threat that could endanger their Critical Infrastructures and have therefore developed cyber security strategies to formulate the necessary measures for defense.¹

¹ https://www.enisa.europa.eu/activities/Resilience-andCIIP/national-cyber-security-strategies-ncsss, 10.3.2016

These new developments reserve an important role for CERTs but change the way in which especially national CERTs have to act and how they interact with other entities. This paper will analyze the impact of national and the European cyber strategies and how they influence the work and interaction of CERTs. The recently adopted NIS-Directive [2] plays an important role in this context and the way in which member states will implement it will have significant consequences on the interactions of CERTs. We will then focus on the communication needs of CERTs and how they have to be managed. The final chapter will give an outlook on what is needed in the future to guarantee that CERTs can fulfil their responsibilities and then derive what further work has to be done.

II. NEW RESPONSIBILITIES FOR CERTS IN A MULTISTAKEHOLDER CYBERSPACE

The first CERT, CERT/CC, was created in 1988 as a response to a situation where the Internet in the US, mainly used by academia, was hit by the Internet-worm. It was an ad hoc decision that turned out to be a good approach since many CERTs were set up based on this model. When CERT/CC was created, an important factor was to establish an independent and trustworthy organization. Since then the use of the Internet has increased dramatically and the web can be considered as a Critical Infrastructure supporting our daily life. The number of CERTs is therefore growing worldwide. Their scopes get more and more diversified and the community they serve can be a nation, police or defense departments, academic organizations, private companies but also Critical Infrastructures. This means that their respective constituencies are diversified and can be in competition with each other or even pursue incompatible interests.

CERTs operate with many other organisations to contribute to the security of the Internet. The figure below shows players interested in and active for cyber security. The IT-security goals of these organisations are different and this represents one difficulty for their cooperation.[3]

Figure 1. Cybersecurity Players in the Internet

One other interesting new dimension for the role of CERTs is how they will get involved in the reporting of cyber incidents. In the US the federal agencies are required to notify and consult with US-CERT regarding information security incidents involving their information and information systems.[4] In Europe the national CSIRTs might be involved in cyber incident reporting depending on the national implementation of the NIS Directive.

III. INTERNATIONAL PERSPECTIVES AND NORMATIVE GUIDELINES

CERTs play an important role when cyber-attacks disturb or disrupt Critical Infrastructures of a country. They have the necessary know-how to help mitigate those attacks and can play a coordinating role with other stakeholders. This situation was faced by Estonia in 2007 [5] and by Georgia in 2008 [6] and in both cases the national CERT (in Estonia) and the academic CERT (in Georgia) were deeply involved in mitigating the effects of the cyber-attacks. It is believed that in Estonia digital activists from the Russian diaspora were the perpetrators. It can be stated with certainty that in both cases politically motivated cyber-attacks were conducted. These attacks took place in the context of a conflict between nations. In the Estonian case Russia clearly opposed the relocation of a World War II memorial in Tallinn (e.g. statement of Russian Minister Lavrov²), whereas Georgia and Russia had an armed conflict.[6] A more recent example is the conflict between Ukraine and Russia, where cyber incidents on both sides take place and are related to the conflicting situation.[7] A classic example of a state-sponsored cyber-attack is Stuxnet, which clearly was a cyber-attack against a Critical Infrastructure. These examples raise questions about how the work of CERTs is affected by such incidents and how CERTs are involved. One point to discuss is the question of which norms (legal and political) of cyber war apply to CERTs. The use of cyberspace as a new (possible) battleground and the relevant norms are debated in a number of fora.

² www.themoscowtimes.com/sitemap/free/2007/1/article/lavrovlambasts-estonias-removal-of-war-memorial/199766.html, 24.1.16

NATO has defined a new Cyber Defense Policy and Action Plan in 2011. Enhancing cyber defense for all NATO members and reducing the vulnerabilities of national Critical Infrastructure are main goals of this strategy and this implies the involvement of incident response capabilities. At its Wales Summit in September 2014 NATO also recognized that international law applies in cyberspace ([8], para 72). At the level of the UN a Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security adopted in 2015 a consensus report where norms of responsible behavior in cyberspace are detailed.[9] This report states that cyber incidents are dramatically increasing, that states are developing cyber-weapons that are likely to be used in future conflicts and highlights the dangers stemming from attacks against Critical Infrastructure Systems. CERTs are explicitly mentioned and the experts recommend the following measures:

• The IT-Systems of national response teams (CERTs) should not be harmed.
• CERTs should not be engaged in malicious international activity.
• States should support and facilitate the functioning of and cooperation among such national response teams and other authorized bodies.
• States should assist in strengthening cooperative mechanisms with national computer emergency response teams and other authorized bodies.
• States should cooperate and exchange information to support each other.

The compliance with the principles is voluntary and some countries would like legally binding norms as a next step. Another international organization devoted to security is the OSCE with an approach based on confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
OSCE tries to foster information exchange and prevent misunderstandings by making efforts to investigate the spectrum of co-operative measures as well as other processes and mechanisms that could enable participating states to reduce the risk of cyber conflict.[10] A set of Confidence-Building Measures (CBM), most of them on a voluntary basis, have been agreed in OSCE. Since there is no agreed terminology for cyber security relevant terms there is a risk of misunderstandings between states. One of the agreed CBMs is to provide a list of national ICT terminology with definitions. The “Global Cyber Definitions Database” provided by New America illustrates these divergences of definitions.³ A discussion document about the possibilities of using CBMs for global cyber security comes to the conclusion that “technical communities and the political/military communities remain blocked in an unhelpful way, given the complex, interrelated problems facing the cybersphere” and that it is urgent to use a multilateral cooperation and a multistakeholder process to reach a peaceful, safe, stable, and predictable cyberspace.[11] It is an interesting question to analyze which impacts these international cyber-conflicts and the discussion and definition of new mechanisms in international organizations like the UN and OSCE will have on the work of CERTs and especially on their communication behavior.

³ https://www.newamerica.org/cyber-global/cyber-definitions/, 26.3.16

The conflict between Russia and the Ukraine can be seen as a case study for the above mentioned consensus report of ITU. Chapter 15 (“The Ukraine Crisis as a Test for Proposed Norms”) of the publication “Cyber War in Perspective: Russian Aggression against Ukraine”[7] analyses the situation and comes to the conclusion that the parties involved did not comply with most of the proposed norms. The cyber operations that were detected can be seen as information war and are therefore not compliant with the code of conduct, cyber espionage was reported and the two national CERTs did not cooperate, although they both are members of the global CERT-platform FIRST (see section V). The article sees as a positive sign that there was no indication of destructive cyber-attacks against Critical Infrastructures. Meanwhile, a massive blackout due to cyber-attacks on the power grid took place in December 2015 in Ukraine.[12]

The question of cyber security norms is not only debated in government led international fora but there are also contributions from other organizations. The EastWest Institute⁴ organized the Global Cyberspace Cooperation Summit in New York City in 2015 with contributions from the private sector. Microsoft presented an article about “International Cybersecurity Norms, Reducing conflict in an Internet-dependent world”[13] with an analysis of the situation and the proposition of six cybersecurity norms for States. The report states that nation states operationalize cyberspace as a domain for conflict which escalates the already existing threat dramatically. Hostilities in cyberspace could lead to unintended disastrous consequences due to the global interconnection. International norms are necessary to preserve the security of cyberspace which is essential for the functioning of modern societies.
The study distinguishes between norms for improving defense capacity of states and norms for limiting offensive operations. The sixth of the proposed norms states that: “States should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace.” This norm includes a ban for states to interfere with emergency response capabilities, namely CERTs. As in other proposals for international cybersecurity norms, CERTs and their capacities should be exempted of cyber-attack activities.

There are clear signs that the use of cyberspace by states for military purposes is intensified. This increases the already existing cyber threats and the fears of cyber incidents. International cyber security norms are seen as a way to reduce this danger, and the development of incident response capabilities e.g. CERTs is one of the measures mentioned in the approaches under discussion. Effective communication of CERTs can possibly contribute to the de-escalation of conflicts and provide situation-oriented technical exchanges. The next chapter will deal with this topic.

IV. CERT COMMUNICATION NEEDS

The Internet is a global infrastructure and this implies that CERTs have to communicate to fulfil their duty of incident response. This is broadly recognized and since the communication also takes place in emergency situations it is important that CERTs can trust their communication partners. One possibility is to establish personal trust, but since it is not possible to personally know all CERT members worldwide, trust platforms and mechanisms have been introduced to manage this situation. There are global and regional platforms that were established with this objective. Currently FIRST⁵ acts on a worldwide level; Trusted Introducer for Europe⁶, European Government CERTs group⁷ for Government CERTs in Europe, APCERT⁸ for the Asian Pacific Region and the Organization of The Islamic Cooperation – Computer Emergency Response Teams (OIC-CERT)⁹ also offer platforms for trusted CERT communication. These organizations have different accreditation schemes that are applied when CERTs seek membership. Even though the formalities to become a member are very strict this does not mean that the member CERTs fully trust each other (see [14], page 57). This is in part due to the large number of member-CERTs but also to the fact that they work for organizations with diverging interests. FIRST, for example, has 345 member teams, as of 1st March 2016. Another form of cooperation are national CERT communication platforms that exist for instance in Germany¹⁰ and Austria¹¹. One event that illustrates the difficulty of grouping CERTs to serve the interest of a bigger community is the unsuccessful creation of a “European CERT” in 1990 that was meant to coordinate all national European CERTs but that did not continue to work since the interests of European CERTs are too inhomogeneous.[6, page 14]

⁴ http://cybersummit.info/, 26.3.2016

V. COMMUNICATION ISSUES THAT NEED TO BE MANAGED

Since the first CERT, CERT/CC, which was created to fulfil a coordinating role [16], CERTs have a tradition of communication that is also supported in the RFC 2350 [17], which represents a template to describe the activities of a CERT. Different guides are available to describe how to set up a CERT e.g. from ENISA [18] or the NIST publication Security Incident Handling Guide [19], where the communication part is also described extensively. It is an international strategy to establish a CSIRT in every country worldwide to have at least one national partner that can be contacted in case of a cyber incident. The G8 stated in 2003 that “Countries should have emergency warning networks regarding cyber vulnerabilities, threats, and incidents” [20]. At the level of the International Telecommunications Union (ITU) of the United Nations member states are encouraged to build up their Cyber Incident capacities.¹²

⁵ www.first.org, accessed 1.3.2016
⁶ https://www.trusted-introducer.org, accessed 1.3.2016
⁷ http://www.egc-group.org, accessed 2.3.2016
⁸ http://www.apcert.org, accessed 1.3.2016
⁹ http://oic-cert.org/en, accessed 1.3.2016
¹⁰ https://www.cert-verbund.de, accessed 1.3.2016
¹¹ https://www.onlinesicherheit.gv.at/nationale_sicherheitsinitiativen/computer_emergency_response_teams/71372.html, 24.1.2016
¹² www.itu.int/en/ITU-D/Cybersecurity/Pages/OrganizationalStructures.aspx, 26.3.16

According to publications the international cyber threat and cybercrime situation is getting worse (cf. ENISA Threat landscape [21]) and meanwhile Critical Infrastructures are targeted. Since Critical Infrastructures are essential for the viability of a state, these threats are seen as a menace to the national security. Nations therefore develop cyber security strategies to complement their security strategies. In these strategies national incident management and response (CERTs) play an important role.

A recently published study compares National Cyber Security Strategies (NCSS) from 20 countries.[22] Most of these strategies were developed from 2008 onwards. The publication states that this is due to the emergence of more and more state-sponsored cyber-attacks, e.g. Stuxnet. More than fifty countries have by now prepared publicly available NCSS and the aim of these strategies is to maintain a safe and resilient cyberspace. This goal is pursued with preventive, defensive but also offensive measures and approaches. Other main goals formulated in the NCSS are to secure Critical national Infrastructures and to raise awareness. Further objectives are the development or enhancement of cyber incident detection and response capacities (CERTs, CSIRTs), the promotion of public-private cooperation and the stimulation of international cooperation.

The strategies have common starting points but their implementations vary significantly. The terms cyberspace and cybersecurity are defined differently, and Critical Infrastructures comprise different sectors. The responsibilities for cyber security in governments are split up between several departments with one lead or coordinating organization. In France and Estonia a new body was created for this purpose. In the 20 countries analyzed, CERTs are established but their missions differ and special provisions for information sharing are only foreseen in a few countries.
One example for this is the German Cyber strategy [23], stating in the chapter about “Stärkung der IT-Sicherheit in der öffentlichen Verwaltung” (reinforcement of IT-security in the public administration) that the operative cooperation with the Federal States in Germany will be strengthened in the CERT-sector. The Austrian strategy [24] is more explicit about the role of CERTs. The document mentions that processes for the coordination of operative and political-strategic measures in the field of cyber security crisis management need to be developed (p. 10). This work will be carried out in a structure called “Cyber Sicherheit Steuerungsgruppe” (Cyber Security Steering Group) that has been created meanwhile and works with the participation of the Federal Ministries, the Federal States, the industry but also Critical Infrastructures. The role of the Austrian GovCERT will be strengthened. The Finnish Cyber security Strategy is clearly oriented towards defense. To reach the goals of a reliable cyber domain for Finland new organizational arrangements are set. A National Cyber Security Center (NCSC-FI) is created and the functions of CERT-FI are merged into this new organization.[25][26] A clear difference from the approach of Austria and Germany is that in the Finnish case the organizational setting of the national CERT is changed and that it is not only one player that is part of the strategy but incorporated in the central organization responsible for the Finnish cyber security.

Another new factor that will strongly influence the communication of European CERTs is the recently agreed NIS-directive [2]. This directive defines a set of European rules that will have to be translated into a national context. ENISA published meanwhile an analysis of the impact of the directive on European CERTs.[27] The overall new approach is that the role of CERTs, at least of national CERTs, is defined in a legally binding way. One interesting aspect is that not only the national CERTs might be concerned but all CERTs responsible for essential services and digital service providers as defined in Annex 2 and 3 of the NIS-directive. For the communication of European CERTs a CERT Network will be created, composed of representatives of the designated CERTs of the member states and CERT-EU¹³, with the Commission as observer and ENISA as Secretary and active support. However, there are no detailed provisions as to how the group will be organized and how the members will handle their tasks listed in the directive since there are no obligations for members to participate actively in the work or information exchange. This new orientation at European level and the communication platform for European CERTs could foster information sharing but its effects will have to be evaluated. As already mentioned the changes in the strategies and activities of cyber players are modifying communication possibilities of CERTs.

VI. NEW CHALLENGES FOR CERT-COMMUNICATION

CERTs have to communicate but there are strong inhibiting factors. A recent analysis of the Global Commission of Internet Governance [28] points at information sharing and trust deficits and analyses the obstacles:

• Commercialization of Cyberspace
• New threat domain (State actors are hoarding information about vulnerabilities and threats)
• Growth of the CSIRT Community
• Emergence of Cyber Regime Complex (constituencies with diverging interests)

The commercialization of cyberspace refers not only to cybercrime actors seeking profit from their activities but also to zero-day exploits being bought by different actors. For companies relying on commercial CERT-services it is important that the threats they face are quickly and quietly solved and these companies are usually not interested in information sharing. We already mentioned that the number of CSIRTs is steadily growing and that they have to follow the interests of the communities, organizations and states they serve. If these organizations were competing or even in conflict with each other, this would inhibit information sharing. The emergence of cyber regime complex confronts CERTs with new expectations not only from their constituency but also from other players involved in the design of cyber regime. The concept of cyberspace being a shared global resource in an open and collaborative environment is difficult to maintain under these conditions.

¹³ http://cert.europa.eu, 10.3.2016

But there are also analyses that point to the fact that the security needs in cyberspace are denied and that IT-security is not properly addressed in technology development given the growing number of dramatic cyber incidents.[29] The author advocates that the gap between current and needed cyber security should be assessed and actions to close it should be engaged. Up to now the questions of cyber security are mainly dealt with in a reactive way which will not solve the existing problems.

VII. OUTLOOK

Considering the current communication situation of CERTs we have to accept that there are severe obstacles that have to be overcome. Consequently, we have to take the following facts into account:

• CERTs need to communicate to fulfil their mandates
• Supporting this communication is on the political agenda
• There are several inhibiting factors
• The new role that (national) CERTs play in national and international Cyber Security Strategies raises difficult questions about the support of national security interests versus the interest of global cyber security
• The implementation of the NIS directive by the member states of the European Union will have a strong impact at least for national/government CERTs in Europe and can foresee a role for CERTs in the reporting of incidents in Critical Infrastructures

The management of this situation cannot be adequately addressed by technical support measures alone, but needs a strategic approach. A possible way out of these difficulties could be to apply in analogy the model described in chapter 18 of the publication “Cyber War in Perspective: Russian Aggression against Ukraine”[7]. This chapter is titled “Strategic Defence in Cyberspace: Beyond Tools and Tactics” and the author is Richard Bejtlich (The Brookings Institution). The author makes clear that technology-driven approaches have limitations especially when dealing with incidents that are not one-time but part of a campaign conducted by attackers that pursue specific goals in a persistent way. He advocates using a model that is not based on a technical approach but a strategic one (see figure below). If we apply this approach to the communication of CERTs, the first step would be to get a clear understanding of the policies and goals of the partners involved in the communication. This could be for instance the goal to minimize the effects of botnets and APTs on the constituency of the CERT. Starting from this goal the next step would be to identify strategies that help to reach the goal. One strategy could be to subscribe to services that publish IP addresses of compromised computers and IoCs (Indicators of Compromise), another to install sensors to detect bots and IoCs in the constituency. Operations and campaigns are dedicated to initiating and maintaining the necessary communication channels. Only when all these questions are answered does the issue of supporting tools become relevant and should be dealt with.

Figure 2. Adapted from Figure 1-1 in “Strategic Defence in Cyberspace: Beyond Tools and Tactics”[7]

Coming back to the different IT-security players in cyberspace the first step to realize a model for CERT-Communication would be to find out the policies and goals of those players to be able to determine with whom and in what respect a communication and cooperation is possible and desirable. The next step then is to define procedures that are able to focus on the different cooperation of stakeholders and actors in cyberspace to mitigate the existing and upcoming new threats.

VIII. CONCLUSIONS

Information exchange and the consolidation of knowledge management about cyber threats is crucial to securing cyberspace. Formal and informal communication of CERTs are both essential cornerstones in this respect. Requirements for the management of the communication of CERTs are currently formulated in a rather imprecise way or will have to be adapted to the national and EU-legislation. A differentiated analysis of cyber security goals and the means of the actors to achieve them has to be conducted. Based on this analysis the description of possibilities for information sharing, cooperation and joint actions is a core task that is of utmost urgency. An approach of “géométrie variable”[30] could be envisaged to allow for a flexible configuration of communication groups depending on the necessities arising in a given situation. This paper has tried to summarize considerations that can lead to new developments in the much needed elaboration of adapted procedures for a more formally organized cooperation between CERTs. Due to their high competence, their experience and their networks, CERTs would be an appealing solution for central information and coordination hubs at a European level.

ACKNOWLEDGMENT

This paper is based on the core results of the project CERT-Komm 1¹⁴ and the basic research considerations for the project CERT-Komm 2¹⁵, both supported and funded by the Austrian security research programme KIRAS of the Federal Ministry for Transport, Innovation and Technology (bmvit).

¹⁴ http://www.kiras.at/gefoerderte-projekte/detail
¹⁵ http://www.kiras.at/gefoerderte-projekte/detail

REFERENCES

[1] E. Commission, “Special Eurobarometer 423 cyber security,” 2015.

[2] Council (European Union), “Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union - Political agreement,” Brussels, 2016.

[3] Huber, Edith, Quirchmayr, Gerald and O. Hellwig, “Wissensaustausch und Vertrauen unter Computer Emergency Response Teams – eine europäische Herausforderung,” Datenschutz und Datensicherheit - DuD, vol. 40.3, 2016.

[4] US-CERT, “US-CERT Federal Incident Notification Guidelines,” 2015. [Online]. Available: https://www.uscert.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf. [Accessed: 15-Mar-2016].

[5] S. Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” J. Strateg. Secur., vol. 4, no. 2, pp. 49–60, 2011.

[6] E. Tikk, K. Kaska, and L. Vihul, INTERNATIONAL CYBER INCIDENTS: Legal Considerations, vol. 1. Tallinn: Cooperative Cyber Defence Centre of Excellence (CCD COE), 2010.

[7] K. Geers, Ed., Cyber War in Perspective: Russian Aggression against Ukraine, NATO CCD C. Tallin, 2015.

[8] NATO, “Wales Summit Declaration,” 2014. [Online]. Available: http://www.nato.int/cps/en/natohq/official_texts_112964.htm#cyber. [Accessed: 24-Mar-2016].

[9] “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security,” 2015.

[10] DECISION No. 1202 OSCE CONFIDENCE-BUILDING MEASURES TO REDUCE THE RISKS OF CONFLICT STEMMING FROM THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGIES. OSCE, 2016.

[11] J. A. Lewis and G. Neuneck, “The Cyber Index,” 2013.

[12] E-Isac, “Analysis of the Cyber Attack on the Ukrainian Power Grid,” Washington, 2016.

[13] A. Mckay, J. Neutze, P. Nicholas, and K. Sullivan, “International Cybersecurity Norms,” 2014.

[14] E. Huber, Ed., Sicherheit in Cyber-Netzwerken - Computer Emergency Response Teams und ihre Kommunikation. Wiesbaden: Springer, 2015.

[15] Deloitte, “Feasibility study and preparatory activities for the implementation of a European Early Warning and Response System against cyber-attacks and disruptions,” 2013.

[16] “DARPA ESTABLISHES COMPUTER EMERGENCY RESPONSE TEAM,” 1988. [Online]. Available: http://wwwuxsup.csx.cam.ac.uk/pub/doc/cert/CERT_Press_Release_8812.

[17] E. Brownlee, N. Guttman, “Request for Comments: 2350, Expectations for Computer Security Incident Response,” 1998.

[18] ENISA, “A step-by-step approach on how to set up a CSIRT,” 2006.

[19] P. Cichonski and K. Scarfone, “NIST Special Publication 800-61 Revision 2. Computer Security Incident Handling Guide,” 2012.

[20] G8, “G8 Principles for Protecting Critical Information Infrastructures,” 2003. [Online]. Available: http://www.cybersecuritycooperation.org/documents/G8_CIIP_Principles.pdf.

[21] ENISA, “ENISA Threat Landscape 2015,” 2016.

[22] N. Shafqat and A. Masood, “Comparative Analysis of Various National Cyber Security Strategies,” Int. J. Comput. Sci. Inf. Secur., vol. 14, no. 1, pp. 129–136, 2016.

[23] Bundesministerium für Inneres, “Cyber-Sicherheitsstrategie für Deutschland,” Berlin, 2011.

[24] Bundeskanzleramt, “Österreichische Strategie für Cyber Sicherheit,” 2013.

[25] Secretariat of the Security and Defence Committee, “Finland´s Cyber security Strategy,” Helsinki, 2013.

[26] Secretariat of the Security and Defence Committee, “Finland´s cyber security strategy; Background dossier,” Helsinki, 2013.

[27] ENISA, “NIS Directive and national CSIRTs,” 2016.

[28] S. Bradshaw, “Combatting Cyber Threats: CSIRTs and Fostering International Cooperation on Cybersecurity,” 2015.

[29] M. Hathaway, “Leadership and Responsibility for Cybersecurity,” Georg. J. Int. Aff., no. Special Issue on International Engagement on Cyber: 2012, pp. 71–80, 2012.

[30] T. Balzacq, “La politique européenne de voisinage, un complexe de sécurité à géométrie variable,” Cult. Conflits, vol. 66, pp. 31–59, 2007.