Opening Remarks Cyber Conference 2013

State Secretary for Defence, Eirik Øwre Thorshaug (Norwegian Labour Party)

Check against delivery

Your Excellencies. Distinguished Guests!

Introduction

Welcome to Norway. To Oslo. To an important conference.

(This country is privileged with it's vast outdoors, mountains and uncultivated grounds. Known to most of you. A nation seriously addicted to hiking or any other outdoor activity!

Why do I start figuratively underscoring freedom of movement - to introduce the Norwegian Approach to Cyber Defence.

A newcomer to Norway may be inclined to believe that all this common is totally unregulated. That there is an unlimited freedom of movement - much like in the cyber domain.

Not at all! – much is privately owned, governed by law, regulations and even supervised by different control bodies).

Today's programme addresses two main topics.

First; does Cyber challenge our perspective of warfare and state security, or is this nothing new?

Second; how do we address the challenge across borders, between sectors - and between military and civilan authorities, and with regard to the private sector.

The current Long Term Plan for the Defence Sector in Norway has cyber defence as one of its main priorities. Cyber is more important in security policy. We need - to better prevent, protect and prepare against an evolving cyber threat.

1) Better understanding and addressing the threat

Cyber attacks challenge us. They challenge societal safety by interrupting and disabling critical functions. Even though most events in recent years primarily represent a threat to information security. It may change into sabotage directed towards critical infrastructure.

Depending on the scope and degree of severity, cyber-attacks may even influence state security. Advanced hostile cyber operations could even challenge the military command and control systems.

The relatively low cost of developing and using malicious cyber tools, and the possibility of operating in secrecy has made the digital space an attractive arena.

2) International cooperation on regulating cyberspace by national and international law

Warfare in the cyberspace is high on the international agenda.

How do we deal with these new challenges from a legal perspective? Do the rules governing the use of military force also apply in the digital space?

Several countries are in early stages of assessing international law in the digital space. The MODs legal position in brief is that humanitarian law is in principle applicable to digital warfare. Digital weapons are not in themselves contrary to humanitarian law, as long as the distinction remains between protected civilian persons and objects on the one hand, and legitimate military targets on the other side. Despite the fact that digital warfare because of its uniqueness raises some complex legal issues, this does not mean that current law is inadequate. The establishment of new international legal instruments is therefore in our perspective neither necessary nor desirable.

3) Cooperation is the way forward

Network-enabled defence strengthens our ability to operate in the modern world. At the same time, it increases vulnerabilities. Hence, our use of technology must be followed by appropriate security measures. For the Norwegian Armed Forces, managing vulnerabilities is a prerequisite for any military operation. We will evolve to meet these challenges in cyber defence.

Failures in non-military systems may have negative consequences also for the defence sector. We will maintain our ability to prevent, detect, evaluate, defend against and recover normal functionality in the event of cyber-attacks. Threat assessments and risk analysis are necessary basis for this work. It must be a requirement for external providers of ICT[1] systems and services that the military is dependent on, to ensure that they are robust and reliable.

The Forming of The Norwegian Armed Forces Cyber Defence (CYDEF), hosting this conference - reflects our commitment to protect the Cyber domain. The main mission is clear: develop and operate military communications and hereby support operations both at home and abroad. The recruitment CYFOR does at events like "The Gathering" - is of vital importance for ensuring we have the know-how and leaders for keeping our communications secure, and our networks safe in the years ahead.

The Norwegian Computer Emergency Response Team (NorCERT) is an operational department within the National Security Authority (NSM). It coordinates the preventive security measures and responses against IT security breaches aimed at vital infrastructure in Norway. VDI, Varslingssystem for Digital Infrastruktur, is the Norwegian Alert and Early Warning System. It is a cooperation between the intelligence and security services in Norway and a private/public partnership. This is probably the world's first known national sensor network in such a context.

For 2013 the government have significantly increased the funding of the National Security Authority. In particular NorCERT (30 %). This is a good example of a structure for information sharing between relevant actors that enables early warning of cyber events and even attacks.

(Another example of cooperation is the annual published National threat assessment, newly presented jointly by MOJ and MOD. A product of cooperation between military intelligence and military and justice sector security authorities. A newly established joint analysis centre between the same central players illustrates a well-founded basis for cooperation).

One principle is valid for both nations and international organisations: Our cyber defences are only as strong as the weakest link in the chain. We urgently need to strengthen cooperation on how to defend against digital threats – within and between countries. This requires private, public, military and civilian effort – across national boundaries.

Both the military and civilian authorities need to be more aware and more prepared that the digital space is an area where it may be appropriate with military assistance in case of emergencies. If the civilian authorities ask for it of course.

Freedom of movement is important for successful military operations. This is valid also in cyberspace. Both nations and NATO need to be able to operate unhindered in cyberspace. NATO is an important facilitator for developing robust cyber defence capabilities and abilities across the Alliance.

NATO's work on cyber defence has been going on for many years. Already in the Prague summit in 2002 the Alliance agreed to "strengthen (our) capabilities to defend against cyber attacks". Ad a revised Policy on Cyber Defence was agreed in 2011. The policy is now followed by concrete steps to raise awareness, increase robustness, develop interoperable standards and ensure that NATO may operate unhindered despite the challenges in cyberspace.

(A recent example is that, together with Denmark, Canada, the Netherlands and Romania, we have engaged in a multinational project to develop capabilities to defend against cyber attacks (Multinational Cyber Defence Capability Development project, MN CD2)).

This is indeed what we need to do delivering on "Smart Defence".

Cooperation in the Cyber domain is affected by extensive research, conducted nationally by, among others, the National Defence Research Establishment as well as Norwegian Institute of International Affairs.

This research is an on-going effort, performed in cooperation with national actors, within the NATO Alliance or multilaterally within for instance Multinational Experiment as well as Nordic Defence Cooperation.

Conclusion

Freedom of movement in Norwegian mountains as well as within the cyber domain is regulated not only by law, but also by codes of conduct. Before entering the Norwegian wilderness, you are supposed to know the rules of The Mountain Code[2] (i.e. Leave word of your route, be weather-wise, Learn from the locals, Turn back in time; sensible retreat is no disgrace...)

I find similarly that rules of conduct in the Cyber domain should be promoted - I would like to thank the team in the MoD that has outlined them for this opening. A "cyber code of conduct" can be as follows; Ensure security in your own domain first, Coordinate across sectors, Confront the problem globally, Report lessons learned, Educate users and Promote innovation[3].

This is an arena promoting principles like these.

I would like to use this opportunity to thank Major General Sundseth and the Norwegian Atlantic Committee for hosting this conference.

Experienced personnell, and excellent speakers are gathered here today. Everything is in place for a day bringing about an enhanced understanding of the challenges facing us in the cyber domain.

I wish you all a fruitful conference.

[1] ICT – Information and Communication Technology (IKT-systemer på norsk)

[2] The Mountain Code, i.e. "Fjellvettreglene" in Norwegian

[3] Free quotation from principles of The Industry Botnet Group, a voluntary, industry-led US-based working group, http://www.industrybotnetgroup.org/principles/