an adaptive wideband delphi method to study state cyber ... defence... · mendations for...

IEEE TRANSACTIONS ON

EMERGING TOPICS

IN COMPUTING

Received 1 September 2014; revised 30 December 2014; accepted 1 January 2015.Date of publication 00 xxxx 0000; date of current version 00 xxxx 0000.

Digital Object Identifier 10.1109/TETC.2015.2389661

An Adaptive Wideband Delphi Method toStudy State Cyber-Defence Requirements

YUDHISTIRA NUGRAHA1, (Student Member, IEEE), IAN BROWN2,AND ASHWIN SASONGKO SASTROSUBROTO3

1Centre for Doctoral Training in Cyber Security, Department of Computer Science, University of Oxford, Oxford OX1 3QD, U.K.2Oxford Internet Institute, Oxford OX1 3JS, U.K.

3Indonesian Institute of Sciences, Bandung 40135, IndonesiaCORRESPONDING AUTHOR: Y. NUGRAHA ([email protected])

This work was supported in part by the Indonesian Ministry of Communications and Information Technology under the Directorate ofInformation Security and the Agency for Research and Human Resource Development, and the first author was supported in

part by the Indonesia Endowment Fund for Education Scholarship.

ABSTRACT Edward Snowden’s revelations of the extensive global communications surveillance activitiesof foreign intelligence services have led countries such as Indonesia to take concrete steps to enhanceprotective information security for classified data and communications. This paper develops the widebandDelphi method to study the Indonesian Government’s requirements for cyber-defence in response to reportedsecret intelligence collection by the Australian Signals Directorate. It provides a clearer understandingof the issues that influence Indonesian policymakers’ views on the mitigation of foreign surveillance.We developed and conducted an adaptive wideband Delphi study with senior Indonesian officials, with groupdiscussions and individual sessions to explore how to mitigate the surveillance activities of the Five Eyes(the U.S.–U.K.–Canada–Australia–New Zealand) intelligence alliance. We used the U.S. National SecurityAgency framework of the three elements of defence in depth (people, operations, and technology), in combi-nation with governance and legal remedies, as an analytical framework. We identified twenty-five mitigationcontrols to deal with the priority concerns of policymakers, which were divided into a five-defence in depthelements. We discuss the key requirements for protecting against foreign surveillance to be taken into accountin state cyber-defence frameworks and suggest effective mitigation controls for safeguarding and protectingstates’ national interests.

INDEX TERMS State self-defence, defence in depth, adaptive wideband Delphi, foreign surveillance,national interests, information security, requirements.

I. INTRODUCTIONEdward Snowden’s revelations have created unprece-dented public awareness of the global communicationssurveillance practices of the five-nation UKUSA alliance(the U.S.-U.K.-Canada-Australia-New Zealand) [8]. Othersovereign states are responding by developing their capac-ity to protect classified information, as well as to conductsurveillance.

Factors found to affect state perceptions of cyber-defenceneeds have been explored in several studies. [24] high-lights the need for a state self-defence framework to dealwith threats and attacks in cyberspace such as distributionof malicious software, unauthorised remote intrusions, and

Denial of Service attacks. In addition, theU.S. NSA considersfive categories of attacks: passive, active, close-in, insider,and distribution attacks [2]. These categories of attacks canseriously harm an asset in relation to information securityproperties such as confidentiality, integrity, and availability.Several recent attempts have been made to protect and

safeguard classified information against NSA surveillanceprograms such as PRISM, Tempora, Upstream, Phone Col-lection, Xkeyscore, and Stateroom [5], [7], [12], [15]. It isdifficult to detect and avoid these type of attacks. Therefore,we have considered reasonable efforts to mitigate globalcommunications surveillance activities through developingeffective controls as state cyber-defence requirements.

VOLUME X, NO. X, XXXX 2015

2168-6750 ⌦ 2015 IEEE. Translations and content mining are permitted for academic research only.Personal use is also permitted, but republication/redistribution requires IEEE permission.

See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. 1


EMERGING TOPICS

IN COMPUTING Nugraha et al.: Adaptive Wideband Delphi Method

A number of researchers have suggested that local dataclouds, data protection laws, decentralised Internet services,and investment in security professionals and intelligenceexperts are potential mitigations that should be considered bygovernments [5], [7], [12], [15].

The research to date has tended to focus on anticipatoryself-defence in cyberspace against active cyber-attacks [16],rather than passive attacks such as surveillance, wiretappingand Internet traffic analysis. However, recent studies exploredrequirements from the Brazilian and German governmentsagainst such attacks [5], [21]. These governments have beenleading critics of the Five Eyes’ activities.

This study investigates the Indonesian government’srequirements for state self-defence in response to thecase of Australian surveillance of Indonesia. These areanalysed in a framework which considers five primaryelements - people, operations, technology, governance, andlegal remedies.

Indonesia is an interesting case study as a non-aligned,large emerging economy. A quarter of Indonesia’s popula-tion is currently online with GDP around IDR 9.084 trillion(around USD 753.99 billion) [40]. However, the numberis increasing rapidly. According to the Indonesian InternetService Provider Association (APJII), the number of Indone-sian Internet users will increase from 71.19 million in2013 to 139 million by 2015 [41].

We investigated these requirements using an AdaptiveWideband Delphi Study to gather information from keynational stakeholders. This was based on the WidebandDelphi method, in combination with the Delphi study devel-oped at RAND Corporation [6], [11], [13].

We identified twenty-five key requirements from all pan-ellists for state self-defence, in the five-defence in depththemes:1) People:

a) Awareness, Training and Education;b) Information Security Commitments;c) Non-Disclosure Agreements;d) Proof of Security Clearance;e) Local Experts Requirement.

2) Operations:a) Trustworthy Systems Certification;b) Registration of Authorised Software;c) Registration of Authorised Hardware;d) Incident Response Management;e) Security Continuous Monitoring.

3) Technology:a) System and Communications Protection;b) National Cryptographic Standards;c) Local Applications Platform;d) National Infrastructures Platform;e) Control of International Traffic.

4) Governance:a) Independent Review Agency;b) Risk Management Process;c) Information Security Baseline;

d) Impact of Potential Threats;e) Domestic Hosting and Domains.

5) Legal Remedies:a) Information Security Agreement;b) Regulation of Data Protection;c) Data Centre Localisation;d) Lawful Interception Capability;e) Code of Ethics and Conduct in Bilateral Cooperation

Treaties.Indonesian policymakers’ preferences for state self-

defence requirements to mitigate foreign surveillance oftenmatched the security control sets from ISO/IEC 27001Requirements - Information Security Management Sys-tem [14], NIST Special Publication 800-53 on Security andPrivacy Controls [27], and 20 Critical Security Controls [29].Every state must build their own state cyber defence

requirements against foreign intelligence services. Therefore,such a model can be built on by less developed countries,which have fewer resources to address the technical com-plexity, policies, and activities needed to build confidence andmanage vulnerabilities and threats inherent in cyberspace.The remainder of this article is structured as follows:

Section II describes background and related work to positioncontributions of this work. Section III explains our researchmethodology. Section IV provides a analytical frameworkfor state self-defence requirements. Section V presents theresults, followed by an analysis and discussion of their limi-tations. Finally, Section VI concludes the paper.

II. BACKGROUND AND RELATED WORKIn this section we provide a brief review of a Delphi approachto develop an understanding of the requirements for state self-defence against communications surveillance by extremelysophisticated opponents, using Indonesia as a case study. Thiseffort can illuminate possible solutions for other countries tostrengthen national security and protect against foreign intel-ligence services in general. We then review the requirementsfor state self-defence in cyberspace against active and passiveattacks. This section also includes a detailed description of thecyber defence framework that we used in this study.

A. DELPHI APPROACH TO DEVELOP STRATEGYThe Delphi method was first developed at RAND Cor-poration in the 1950s as part of a military defenceproject [11], [25]. This method moderates the influence ofdominant individuals and follows a rigorous sequence ofsteps for decision making in the context of policy formu-lation [11]. All features of the Delphi procedures such asanonymity, iteration and controlled feedback, and statisticalgroup response are used to elicit and refine group estima-tion and consensus [11], [25]. It avoids direct conflict ofthe participating experts due to the absence of face-to-facecommunication [28].A variety of adapted Delphi methods are widely used to

assess specific problems based on a number of situations [28].For example, if the participants are distributed across

2 VOLUME X, NO. X, XXXX 2015

Nugraha et al.: Adaptive Wideband Delphi Method


EMERGING TOPICS

IN COMPUTING

different locations, the experts can participate by connectingvia a custom website [18] or email [25].

The wideband Delphi method involves greater interactionand more communication between participants than the clas-sic Delphi approach [33]. Group discussion occurs betweenrounds in which participants explain their statements andopinions [6]. Potter and Sakry’s variant requires further groupdiscussion to revise estimates and achieve consensus. Aniterative process terminates when no participants want torevise the collective estimation [32].

Traditional Delphi studies avoid face-to-face meetings inorder to elicit genuine opinions and anonymous input. How-ever, the wideband Delphi estimation panel discussion stagecan clarify the major issues when ‘‘judgmental information isindispensable’’ [28], and is used to seek all requirements as‘‘informed judgement’’ [39].

However, there are certain problemswith the use of Delphi.There is less control over the period from securing workschedules of policymakers and experts when conducting face-to-face meetings. Every country has a different culture andwork behaviour. In addition, policymakers and experts mustconsider the context of policy formulation is of paramountimportance. Therefore, researchers need to give potentialparticipants a clear understanding of the problem descriptionand the Delphi steps before the study begins. At least oneresearcher should be well-known by potential participationsand have contacts with the participating policymakers andexperts.

Due to the uncertainty inherent in the question with spe-cific culture and work behaviour of Indonesia, we createdan adaptive Delphi method based on the Delphi techniqueand the wideband Delphi approach. This method is one ofthe more practical ways of eliciting requirements for stateself-defence by using appropriate features of Delphi such asanonymous individual feedback, controlled feedback, groupresponses with face to face meetings for eliciting and refiningthe converged requirements. The final step of thismethod is toobtain reviews and an initial approval from the policymakers.

B. RELATED WORKThere is not yet an international consensus on the definitionof state self-defence in cyberspace. Article 51 of the UnitedNations Charter indicates that every state has the right ofself-defence and collective self-defence against attacks [17].The issue of how to protect a state from such cyber-attacksincluding global communications surveillance has not beenresolved. Thus, in this article, state self-defence refers tocontinuous efforts to safeguard and protect state sovereignty,national territory, and the nation’s safety against all type ofthreats.1

1The definition of state self-defence is adopted from the Indonesian LawNumber 3 of 2002 on State Defence, in terms of how to protect a state againstcyber threats such as foreign intelligence services, industrial espionage,organised cybercrime groups and non-state actors.

1) SELF DEFENCE AGAINST ACTIVE ATTACKSMany countries regard cyberspace as a new theatre ofwar [13]. As a result, nations need to look beyond article 51of the UN Charter. It has been suggested that it is importantto maintain the rights of state self-defence as applied tothreats in cyberspace, as on other domains such as land,sea, and air [23].Kesan and Hayes analyse state self-defence rights to

protect critical national infrastructure (CNI) located withintheir jurisdiction [24]. They draw on extensive range ofsources to assess whether ‘‘mitigative counterstriking capa-bilities’’ can be implemented effectively in cyberspace forprotecting CNI. They propose a legal framework that wouldallow the use of active self-defence in cyberspace in orderto reduce and mitigate risks from the current and immediatethreats against CNI.Todd investigated the control of armed attacks in

cyberspace [35]. He argues that a state still cannot legiti-mately act in self-defence without violating another state’ssovereignty. He suggests that under the current law, the victimstate should send requests to another country as well as coop-erate with other countries in gathering information, becausecyber attacks that come from another country may have beencarried out by a ‘hopping’ route-pattern through several othercountries.Graham points out that the requirements such as neces-

sity and proportionality limit the use of self-defence tech-niques. Therefore, policymakers need to pay attention to theimplementation of self-defence measures from both legal andpolicy perspectives [19].This view is supported by Caulkins, who examined devel-

oping proactive tools to combat new and emerging threatsin cyberspace [10]. He made a set of strategic recom-mendations for establishing a proactive self-defence policy:ratify cyber-related legislation, develop a robust architec-ture for proactive cyber security, design disruption tolerantnetworks (DTN), conduct security training and education inthe cyber realm, and to provide funding for cyber activities.He suggests the use of both reactive and proactive tools sothat the governments have capabilities to protect CNI againstcyber-attacks.In the same vein, Guiora proposed a new approach

to preventive self-defence against non-state actors [20].He considers anticipatory operational measures that canbe implemented against cyber threats as well as com-bating future threats. It offers some important insightinto the requirements for state self-defence. However,further work would be needed to develop a self-defenceframework.Gill and Paul were more concerned with legal frameworks

governing the exercise of anticipatory self-defence [16]. Theyargue that anticipatory self-defence may be carried out inresponse to an imminent cyber armed attack irrespectiveof whether the attack is performed by a state, or non-stateactors, with or without much greater state involvement. Theyestablish a framework for the right of self-defence within the

VOLUME X, NO. X, XXXX 2015 3


EMERGING TOPICS


current provisions of the UN Charter and customary inter-national law. The findings can be used in state self-defenceto identify, which requirements should be addressed to meetnational interests.

2) SELF DEFENCE AGAINST PASSIVE ATTACKSFollowing the leaked documents supplied byEdward Snowden, a considerable amount of literaturehas been published on state responses to communicationssurveillance activities. Some requirements for stateself-defence against threats of global communicationssurveillance have been identified.

For example, standard cryptographic protocols can be afeasible control against ‘built-in wiretapping capabilities’ forpreserving privacy [12]. In the same vein, it seems clearthat centralised Internet services play an important role insupporting the current surveillance practices. It has thenbeen proposed that the development of global Internet ser-vices such as cloud services should be based on open-sourceplatforms and decentralised services-configuration [12].

Similarly, Brown elaborated requirements in relation toprivacy-protective standards for surveillance, including datasharing privacy agreements, state-state negotiations overintelligence sharing, and human rights protections [7].

Moreover, some policy practices from the Braziliangovernment and the German government have been out-lined by Bauman, et al. such as the creation of local dataclouds, development of surveillance capabilities, investmentin security professionals and intelligence experts, and in theBrazilian case, attempts to develop domestic content as wellas international Internet connectivity beyond the scope ofthe U.S. Internet infrastructure [5].

In addition, it has been shown that effective legal frame-works must be in place to regulate state access to data so thatindividual citizens can trust government [34].3) FEATURES OF A STATE SELF DEFENCE FRAMEWORKIt is up to each state to determine to what extent it willprotect national security and privacy in cyberspace and howto pursue this end. This study focuses on global communica-tions surveillance as a passive attack that is operated by theFive Eyes nations’ signals intelligence (SIGINT) operationalplatforms [3]. The NSA considers passive attacks as a classwhich includes monitoring of communications, decryptingencrypted information, Internet traffic analysis, and captureof authentication information that can lead to disclosure ofinformation without user consent [2].

The ITU Plenipotentiary Conference in Resolution 130stated that every state has sovereign rights for the pur-pose of national defence, national security, content, andcybercrime [36]. In other words, a state is responsiblefor developing a set of requirements for state self-defencebased on the state’s national interests. However, developingthe requirements for state self-defence to mitigate foreignsurveillance activities is likely to be a complex processthat requires a balanced perspective from different areas ofexpertise.

States can manage and mitigate threats and risks fromcommunications surveillance through the implementationof a defence in depth strategy. The NSA Frameworkidentifies three primary elements in achieving informationassurance, which are people, operations and technology [1].The Trusted Information Sharing Network (TISN) introducedanother additional element, which is governance in orderto oversee the implementation of people, operations, andtechnology [26]. The Lukasik-Goodman-Rutkowski (LGR)framework defines mandatory cyber security activities, bothlegal and other actions such as ‘‘measures for protection,measures for threat detection, measures for thwarting, inves-tigation and measure initiation, and legal remedies’’ [30].The ITU Global Cybersecurity Agenda (GCA) also estab-lished a framework within the development of national cybersecurity strategy into five pillars, which are (1) legal mea-sures, (2) technical and procedural measures, (3) organisa-tional structures, (4) capacity building, and (5) internationalcooperation [37].This paper used the integration of the five primary ele-

ments, which are people, operations, technology, governance,and legal remedies.III. RESEARCH DESIGNWe used an adaptive wideband Delphi study to enable thesurveying of multiple panellists from key national Indonesianstakeholders through face-to-face qualitative stages such aspanel discussions to clarify the major issues of global com-munications surveillance, along with anonymous individualfeedback to gather genuine requirements to mitigate suchrisks.Since the motivation and experience of the participants

directly affects the quality of findings, particular attentionwas paid to the selection of panellists. To achieve a widerange of stakeholders, four relevant categories of panellists,with valuable knowledge about requirements for state self-defence, were chosen: government officials and military offi-cers, academics, industries and practitioners.Three industry panellists were from telecommunications

providers whose network infrastructure have been reported tobe compromised according to Edward Snowden’s revelations.The rest of the industry panellists come from Indonesia’sInternet Service Provider Association. Practitioners wereconsultants who are working in the field of informationsecurity.Panellists were chosen according the following the selec-

tion criteria: 1) work experience and background, 2) a self-critical attitude, 3) involvement in policy-making process,and 4) a visible interest in the research topic, in order toachieve meaningful results and keep the failure rate as lowas possible [22].The panels were formed based on expertise and back-

ground experience. We invited 20 panellists2 consisting ofeight government officials; four academics; four panellists

2The information given will be anonymised and for additional informa-tion, please contact the corresponding author.




EMERGING TOPICS

IN COMPUTING

from telecommunication operators and the Internet ServiceProvider Association; and four panellists from informationsecurity practitioners. In this case, the size of the panel wouldnot have an effect on the findings; thus there is no requirementto meet the size of a panel of experts [31]. However, itis important to consider other characteristics of panels tohave qualified and appropriate panellists to discuss the majorissues and propose the solutions.

Based on the wideband Delphi steps, we conducted threeface to face meetings as follows:1) Kick-off meeting during first round.2) Panel discussion during second round.

a) Panel 1(Government officials and Military Officers).b) Panel 2 (Academics).c) Panel 3 (Industries).d) Panel 4 (Practitioners).

3) Final meeting during third round.We also adapted the features of the Delphi approach to

make separate panel discussions for the second round togather specific group responses, because these panels perhapswould have different positions that related to participants’affiliations.

We then further asked each panel to identify specific andreasonable requirements. Finally, consolidated requirementsfrom each panel were summarised and combined to obtainconvergence requirements.

This design also allowsmaking the comparison of differentframes of mind from panellists. We asked each panellistrespectively to describe their opinions in relation to state self-defence requirements. We then asked each panel to makeconsolidated requirements.A. DATA COLLECTION METHODData collection took place in seven stages as follows,as shown in figure 1:1) Panel selections;2) Kick-off meeting;3) First individual feedback;4) Panel discussion;5) Convergence results;6) Second individual feedback;7) Consolidated meeting.In the first step, we selected a moderator and formed four

panels of experts with three to seven members [31]. We alsoasked the policymakers to advise on the potential panellists.We then selected the panellists based on their confirmation.

The second step was the kick-off meeting where we deliv-ered a presentation and provided related documents to thepanellists. We then asked all panellists to create a generallist of requirements and discuss the major issues that relatedto cyber defence requirements. We asked each panellist togive their opinions individually, followed by comments anddiscussions on a general list of requirements.

For the third step, after themeeting, we asked each panellistto review and revise the requirements based on the results.Then, each panellist sent an individual anonymous feed-back statement for the requirements for state self-defence by

FIGURE 1. Adaptive wideband delphi framework.

e-mail [25]. In this case, only the researchers know the indi-vidual feedbacks behind the investigation of cyber defencerequirements [38].The fourth step was the panel discussion, in which

each panel discussed a general list of requirements andstated requirements for state self-defence derived from theprevious steps. This second round typically results in a nar-rowing of the list of requirements through group discussion,pointing to some clarification and asking each panellist tosharpen their requirements specifically in relation to mitiga-tion of foreign surveillance.In the fifth step, we summarised the results, and asked each

panellist to individually review and revise the requirements inthe form of anonymous individual feedback. All individualfeedback was conducted anonymously through email, andonly the researchers knew who proposed and generated thoserequirements.The final step was a meeting to review the requirements for

state self-defence with all panels along with senior Indone-sian policymakers. This third round summarised a list ofrequirements to be reviewed, andwas approved by Indonesianpolicymakers.



EMERGING TOPICS


FIGURE 2. Mitigation approach for foreign surveillance,[modified from [4]].

IV. ANALYTICAL FRAMEWORKWe adopted the general defence in depth schema in [4] withmodifications in relation to mitigation approaches for passivethreats and attacks such as foreign surveillance activities, asshown in figure 2. The study defined fundamental require-ments as mitigation controls for each of the five-part defencein depth elements based on states’ national interests. Themultiple elements of defence help ensure that the likelihoodcan be mitigated or at least the attacks slowed down [4].

TABLE 1. Threat model for communications surveillance.

We then examine the threats of communicationssurveillance as a real-life case shown in Table 1. Weadopted the table from the OCTAVE Allegro Method

FIGURE 3. A Five-Defence in Depth Elements.

TABLE 2. Defence in depth framework.

(Operationally Critical Threat, Asset, and VulnerabilityEvaluation) [9].We introduced an information assurance model for the

requirements of state cyber defence that can help mitigateforeign intelligence surveillance, as shown in figure 3. Wethen provide details of this framework in Table 2.Defence against the threat model we provided requires the

integration of the five primary elements-people, operations,technology, governance, and legal remedies.

V. RESULTS AND ANALYSISThis section presents the results of our adaptive widebandDelphi study. We give an overview of the results. We thenpresent analysis and discussion for each element.




EMERGING TOPICS

IN COMPUTING

FIGURE 4. Distributed requirements statements for state selfdefence.

Our participants determined twenty-five primaryrequirements for state self-defence. Each panellist statedrequirements based on their perception of the state’s nationalinterests.

Figure 4 shows that the first round identified thirty-fivegeneral requirements. The second round, panel discussions,found agreement on twenty-six requirements from eachpanel. In the third round, the twenty-five requirementswere proposed by panellists and reviewed by Indonesianpolicymakers.

Some considerations that one or two panels assessed tobe more worthy of attention were not selected by others.For example, the top-ranked requirements for the governmentpanel were ‘security awareness’. Other panels also listedthis. However, not all panels selected the same items forrequirements. This supports the methodology of elicitingrequirements from multiple stakeholders because it enablesmore comprehensive coverage.

It is difficult to create a list of requirements statementsacross multiple stakeholder settings. However, the studyencouraged each panellist to identify the requirement state-ments based on their expertise and experiences in order toavoid situational requirements. We then asked panellists todiscuss and consolidate the requirements in common as con-verged requirements.

The major types of selected requirements were almost thesame for each round because the levels of consistency on therequirements were moderately strong within the three-roundDelphi. We then focused on the set of twenty-five require-ments that were proposed by all four panels alongside aninitial approval from senior officials.

It is apparent in Table 8 that there are some novel con-cepts of Indonesian requirements for state self-defence,while other requirements are also addressed in the secu-rity control sets in ISO/IEC 27001 [14], NIST SpecialPublication 800-53 [27], and 20 Critical SecurityControls [29].

The list of the twenty-five requirements is a combina-tion statement from all panellists, divided into the fivedefence in depth elements of People, Operations, Technology,Governance, and Legal Remedies. Each requirement iswritten as a constraint on how a state might operatefor self-defence. In fact, the terminology for this studyfollows the general format ‘The Government of Indonesiamust’ [4].

A. PEOPLEIn case of the People element, we asked panellists to indicatethe requirements that represented the appropriate control forpersonnel security roles and responsibilities.In this section, five common requirements are described

that are intended to improve the depth of security roles andresponsibilities for internal and external stakeholders, bydeveloping security culture and mind-set. The requirementsfocus on management commitment for information securityand personnel security including security awareness.

TABLE 3. Risk and requirement of people element.

1) RESULTSWe determined the requirements in relation to Peopleas follows:1) Awareness, Training and Education (ATE);2) Information Security Commitment (ISC);3) Non-Disclosure Agreement (NDA);4) Proof of Security Clearance (PSC);5) Local Experts Requirement (LER).We summarise the details of these requirements

in Table 3.



EMERGING TOPICS


2) ANALYSIS AND DISCUSSIONThe panellists indicated that the weakest elements are humancapacity building in terms of security awareness. Specifically,awareness for those people who have access to the organisa-tion’s information assets is the biggest challenge. In responseto this, the government should enhance security awarenessprograms including developing security culture, behavioursand security mind-set.

People factors are an important source of cyber securityrisks generated by individual employees and contractors, andthird party users. In this case the most important risk factoris lack of user awareness. If combined with other risks suchas lack of leadership, lack of rules and compliance, insiderthreats and involvement of foreign experts create the numberof potential national threat points of entry.We summarise riskassociated with the requirements in Table 3.

It is obvious that some requirements map ontoother security standards such as ISO/IEC 27001 [14],NIST SP 800-53 [27] and 20 Critical Security Controls [29].Most of them cover these requirements except in terms oflocal experts requirements. A summary of related controls inrelation to these requirements is in Table 8.

B. OPERATIONSFor the Operations element, we asked panellists to discussoperational actions to improve the depth of security mech-anisms for critical infrastructures. The majority preferencewas to establish a security incident response team and securitycontinuous monitoring. The other requirements focus on allthe activities required to sustain an organisation’s securityposture on a day-to-day basis, and are used to ensure thecontinuous security stance of the organisation.

1) RESULTSWe found the requirements in relation to Operationsas follows:1) Trustworthy Systems Certification (TSC);2) Registration of Authorised Software (RAS);3) Registration of Authorised Hardware (RAH);4) Incident Response Management(IRM);5) Security Continuous Monitoring (SCM).We summarise the details of these requirements in Table 4.

2) ANALYSIS AND DISCUSSIONIt is clear that the policymakers want to build a trusted andresilient cyber environment against threats and attacks incyberspace through certification and assessment in relationto system components. The preference for state self-defencerequirements was evident even though there was a degree offlexibility in relation to the priority requirements in which thisshould be implemented.

From a cybersecurity risk perspective, lack of secu-rity operations are often exploited by adversaries. Exam-ples include installing backdoors in hardware and software.In addition, known weaknesses and zero-day vulnerabilitiescan be exploited by adversaries. Therefore, the policymakersshould make reasonable efforts to assure that the hardware

TABLE 4. Risk and requirement of operations element.

and software must pass the security evaluation and be certi-fied by local authorities.In this case the most important risk factor is the lack

of trustworthy systems used for critical national infrastruc-ture. As a result, if combined with other risks such aszero-day attacks and discontinuous controls and monitoring,it can lead to a period of time in which security breaches andattacks are much more common in critical national infras-tructure. We summarise risk associated with the requirementsin Table 4.The findings clearly highlight that the existing security

controls mostly cover these selected requirements, except onerequirement in relation to Trustworthy Systems Certification.Details of related controls are listed in Table 8.

C. TECHNOLOGYIn this section, we describe five requirements identified bypanellists that are intended to improve the depth of technicalcontrols to protect critical information infrastructure.A variety of perspectives were expressed. The panellists

stated it was important to strengthen national capabilities inthe development of appropriate technologies to reduce risksrelated to foreign surveillance. For example, panellists statedthat paying attention to security and privacy must be in placeto protect and secure the classified information by means ofcryptographic controls and utilising national secure networksand devices provided by National Crypto Agency.

1) RESULTSWe found the requirements in relation to Technologyas follows:




EMERGING TOPICS

IN COMPUTING

1) System and Communications Protection (SCP);2) National Cryptographic Standards (NCS);3) Local Applications Platform (LAP);4) National Infrastructures Platform (NIP);5) Control of International Traffic (CIT).We then summarised the detailed of these requirements

in Table 5.

TABLE 5. Risk and requirement of technology element.

2) ANALYSIS AND DISCUSSIONThe panellists were clear about the requirement for theestablishment of national capabilities, especially to strengthencritical information infrastructure security and resilience.

In the Indonesian case, attempts to employ national infras-tructure such as the construction of a ‘Palapa Ring Project’,Fibre Optic Backbone Infrastructure as well as to expandnational gateway for Internet connectivity within nationalborder are consistent with the idea of safeguarding andprotecting state security and privacy against communica-tions surveillance. Indonesia’s domestic Internet connectivityis highly dependent on international backbones. Zero-dayexploits exist for platforms and reduced control of informa-tion flows creates a number of potential national risks againstglobal communications surveillance. In addition, the numberof potential threats outside the jurisdiction have grown dueto the degree of control over the Internet by the UKUSAalliance. We summarise risk associated with the requirementsin Table 5.

Interestingly, the existing standards only cover two of theidentified requirements, in relation to system and commu-nication protection, and cryptographic control. The otherthree requirements seem to be novel requirements for thegovernment in order to mitigate foreign surveillance activi-ties. Related controls are reported in Table 8.

D. GOVERNANCEWe asked panellists to discuss governance frameworks tomitigate foreign surveillance. We identified five governancerequirements intended to provide oversight and coordinationof people, operations and technology, related to organisa-tional structure, baseline information security implementa-tion, risk management process, determination of threat level,and use of domestic hosting and domain names.

1) RESULTSWe found the requirements in relation to Governance asfollows:1) Agency of Independent Review (AIR);2) Risk Management Process (RMP);3) Information Security Baseline (ISB);4) Impact of Potential Threats (IPT);5) Domestic Hosting and Domains (DHD).We summarise the details of these requirements

in Table 6.

TABLE 6. Risk and requirement of governance element.

2) ANALYSIS AND DISCUSSIONThe development of National Hosting and Domains such asa national email service and national hosting would allowIndonesian citizens to keep their data within areas of nationaljurisdiction. In this way, Indonesian authorities take reason-able efforts to keep the citizen’s data out of the reach offoreign companies. These efforts also take positions beyondthe domination of the U.S. global infrastructure networksand services. One interesting result is that panellists stated



EMERGING TOPICS


a preference for the use of Indonesia’s national Top LevelDomain (.id).

With regard to state self-defence, there are several riskscenarios that need to be addressed. Without a national secu-rity risk assessment and determination of national threatlevels, information security policy and standards may notadequately cover the requirements of state self-defence. Thebest approach that the government can take is to man-age and mitigate threats and risks against communicationssurveillance. It seems that managing risks can identifyand respond against potential national threats and existingvulnerabilities.

Another important risk factor is a lack of a culture of trustthat can lead to a risk of over-control. If combined with otherrisks such as lack of compliance to security baseline, lackof clarity around escalation procedures, it creates a numberof vulnerabilities. Therefore, state self-defence governancerequires very detailed and rigid requirements with numeroussecurity controls designed to cover the governance element inrelation to state cyber-defence requirements. We summariserisk associated with the requirements in Table 6.

We found that some security controls such asISO-27001 and NIST SP800-53 fit these requirements,except the Critical Security Controls. One novel requirementwas encouraging national domain names usage. Therefore,there is no related security controls placed in relation to thisrequirement. A summary of appropriate controls is containedin Table 8.

E. LEGAL REMEDIESWe asked panellists to discuss legal remedies. We identifiedfive legal requirements intended to improve the depth oflegal remedies for internal and external persons. The majoritypreference was to include information security agreement,regulation of data protection, data centre localisation, lawfulintercept capability and laws, and develop a Bilateral Code ofEthics and Conduct, which will likely map out future proto-cols over electronic surveillance and intelligence gathering.The requirements focus on contractual service agreements,due diligence obligations to the national legal framework, andlawful interception capabilities.

1) RESULTSWe found the requirements in relation to Legal Remedies asfollows:1) Information Security Agreement (ISA);2) Regulation of Data Protection (RDP);3) Data Centre Localisation (DCL);4) Lawful Interception Capability (LIC);5) Code of Ethics and Conduct (CEC).Detailed requirements in Legal Remedies are summarised

in Table 7.

2) ANALYSIS AND DISCUSSIONAn effective legal and regulatory environment must be inplace to encourage good information security practice as well

TABLE 7. Risk and requirement of legal remedies.

as to establish resilience requirements to support delivery ofcritical information protection.Legal remedies, in conjunction with a data localisation

requirement, is part of protecting and safeguarding nationalinterests. In addition, the availability of information securityagreements between Indonesian organisations and foreignentities must be in place for the organisation in relation tocritical national infrastructure sectors such as public services,defence, energy, and telecommunications. We summariserisks associated with the requirements in Table 7.It seems clear that every state must build their own best

capacity to protect national interests against foreign intelli-gence services as well as to conduct surveillance activities insupport of its own interests. However, it is important to bearin mind that such intelligence agencies also have an impor-tant role in safeguarding and protecting the state’s nationalinterests such as protecting national security, ensuring theeconomic well being of the state, and preventing seriouscrime. Therefore, initial efforts have been made by thegovernment to address the current surveillance programmesof the foreign intelligence services, such as data protec-tion regulation, information security agreements, data centrelocalisation and a Bilateral Code of Ethics and Conduct,which will map out future protocols over electronic commu-nications surveillance.We identified that only ISO-27001 and NIST SP800-53

cover these requirements and none from Critical Securitycontrols fit these requirements, except control 17 data pro-tection. A summary of related controls is listed in Table 8.




EMERGING TOPICS

IN COMPUTING

TABLE 8. Mapping requirements for other security controls sets.

In summary, the requirements identified by participantsfor mitigation of foreign surveillance activities were clear.Many of these are common to other scenarios, and have beenidentified in information security best practice. A mappingto three different cyber security standards is summarised inTable 8.

This study found twenty-five Indonesian requirements forstate self-defence to mitigate foreign surveillance activities.The requirements provide a series of significant notions of thenational interest. In this case, As stated in the preamble of the1945 constitution of the Republic of Indonesia, Indonesia’snational aspirations aim as follows3:1) To protect the whole people of Indonesia and the entire

homeland of Indonesia (NI1).2) To advance general prosperity (NI2).3) To develop the nation’s intellectual life (NI3).4) To contribute to the implementation of a world order

(NI4).In addition, the implementation of state cyber defencerequirements may result in better means of mitigation offoreign surveillance activities and increased public trustin cyber security and privacy practices. The governmentacknowledged that concrete steps are needed to meet and

3These four goals are in accordance with Indonesia’s national interests(NI).

implement these main requirements. Encouraging in thisregard is the observation that some governmental institutionshave already started implementing some requirements asdescribed in the state self-defence framework. It is inevitablethat the implementation of improvements will take time andmay differ in details between organisations.The outcome of the state cyber-defence requirements study

may be helpful to identify those requirements in nationalsecurity risk assessment that will potentially influence policy-makers’ views on the mitigation of foreign surveillance. Theemphases placed on these requirements were prominent toextend that panellists referred to them as ‘basic’ requirementsfor state self-defence.Beyond these requirements, it is difficult to order the

remaining factors universally across all four panels withmuch statistical confidence. The panellists were also askedto rate requirements statements on a sliding scale of ‘impor-tance’. In doing so, panellists were allowed to state the samerequirements. These results were not useful for ranking pur-poses, but did help to classify some requirements according totheir relative importance. Using this scale, three factors stoodout as receiving a high rating from all panels: (1) SecurityAwareness, (2) Regulation on Lawful Interception, and (3)Strong Leadership.Given the importance attributed to these requirements,

there is certainly justification for further research to deter-mine the means by which governments can ensure thoserequirements can be implemented effectively in order tomitigate foreign surveillance activities.

VI. CONCLUSIONWe have described a variant of the wideband Delphi esti-mation and traditional Delphi study, adapted to understandpolicymakers’ requirements for state cyber-defence againstforeign intelligence surveillance. The variant includes threerounds of the Delphi technique in order to achieve conver-gence among experts, along with review and approval frompolicymakers. Testing this method with the Indonesian gov-ernment, we found that further rounds would have yieldeddiminishing returns, particularly in terms of panellist partici-pation.Our Indonesian government, industry and academic expert

participants identified mitigation controls in relation to thefive-defence in depth elements: people, operations, technol-ogy, governance and legal remedies.The People element is a current weakness in Indonesia.

Creating a security mind-set and a culture of cyber secu-rity awareness within the organisations are the biggest chal-lenges. If ‘‘people are the weakest link’’ and ‘‘security isonly as good as its weakest link’’ [42], it means the gov-ernment must better prepare society for information secu-rity. This is due to the fact that people may also be thegreatest strength when organisations are able to develop aculture of cyber security. Therefore, it is important to pro-mote ethical behaviour and employee vigilance against cyberthreats.



EMERGING TOPICS


Our participants identified operational measures thatshould be taken to protect critical information,including a formal definition of national critical informationinfrastructures. It is somewhat surprising that participants didnot present a consensus definition, which may be due to theabsence of a national cyber security strategy. We suggestthat the government should develop standards and incidenthandling capabilities to deal with the threats discussed.

Security mechanisms are needed to protect critical infor-mation infrastructures that may impact state sovereignty, andpeople’s safety, prosperity, and well-being. The location andpotential path of classified information must be understood inorder to implement technical measures. This allows varioustechnical controls to be implemented to protect critical infor-mation in layers.

A lack of strong leadership including governance andcoordination exists due to ambiguity concerning sharedresponsibilities. The government should establish and main-tain an information security governance framework to over-come this.

Finally, even though Indonesia has passed a numberof laws addressing information security (the Telecommu-nications Law Number 36 of 1999, the Information andElectronic Transactions Law Number 11 of 2008, and theGovernment Regulation on the Operation of Electronic Sys-tems and Transactions Number 82 of 2012), Indonesia isparticularly weak in legal measures, especially lawful inter-ception capabilities. A considerable effort has been made tocreate the Bill concerning Lawful Interception, though it hasbeen a controversial addition to the laws because it containsprovisions that can harm human rights and privacy in commu-nications. The government can carry out lawful interceptionto protect and safeguard the state’s national interests as wellas to prevent crime in accordance with the laws. Therefore,strong regulation is an essential part to protect the countryfrom threats and indeed part of strong defence.

The question remains whether the requirements identifiedcan be implemented effectively to mitigate passive communi-cations surveillance. A controlled assessment in the areas ofpeople, operations, technology, governance, and legal reme-dies for defence in depth will be required to implement theselected requirements. Responsible stakeholders will needto be identified, and the requirements linked with exam-ple control references such as existing regulation, standards,guidelines, and practices.

In future investigations, it might be possible to furtherdevelop our variant Delphi approach to investigate to whatextent governments can protect national security and privacyin cyberspace, and to examine the fundamental and essentialelements of sovereignty in cyberspace.

ACKNOWLEDGMENTMany thanks to Andrew Martin and Frederick Wamala fortheir helpful comments on a draft of this paper. The authorswould like to thank the anonymous panellists for their par-ticipations in this study. The views expressed on this paper

are those of the authors and do not reflect the official policyor position of the Government of Indonesia. Any errors,of course, remain our own responsibility.

REFERENCES[1] Defense in Depth, National Security Agency, Fort Meade, MD, USA.[2] Information Assurance Technical Framework, National Security Agency,

Fort Meade, MD, USA, 2000.[3] Signals Intelligence, National Security Agency, Fort Meade, MD, USA,

2009.[4] E. Amoroso, Cyber Attacks: Protecting National Infrastructure.

Amsterdam, The Netherlands: Elsevier, 2012.[5] Z. Bauman et al., ‘‘After Snowden: Rethinking the impact of surveillance,’’

Int. Political Sociol., vol. 8, no. 2, pp. 121–144, 2014.[6] B. W. Boehm, Software Engineering Economics. London, U.K.: Prentice-

Hall, 1981.[7] I. Brown, ‘‘The feasibility of transatlantic privacy-protective standards for

surveillance,’’ Int. J. Law Inf. Technol., 2014, pp. 1–18, Sep. 2014.[8] D. Campbell, ‘‘Interception 2000: Development of surveillance technology

and risk of abuse of economic information,’’ Director General Res. Eur.Parliament, Luxembourg, Tech. Rep. PE 168.184, Oct. 1999.

[9] R. A. Caralli, J. F. Stevens, L. R. Young, and W. R. Wilson, ‘‘Introducingoctave allegro: Improving the information security risk assessment pro-cess,’’ Softw. Eng. Inst., DTIC, Carnegie Mellon Univ., Pittsburgh, PA,USA, Tech. Rep. CMU/SEI-2007-TR-012, 2007.

[10] B. D. Caulkins, ‘‘Proactive self defense in cyberspace,’’ DTIC,U.S. Army War College, PA, USA, Tech. Rep. No. 0704-0188, 2009.

[11] N. C. Dalkey, B. B. Brown, and S. Cochran, The Delphi Method: AnExperimental Study of Group Opinion, vol. 3. Santa Monica, CA, USA:RAND Corp., 1969.

[12] J. Feigenbaum and J. Koenig, ‘‘On the feasibility of a technologicalresponse to the surveillance morass,’’ in Proc. 22nd Int. Workshop Secur.Protocols, Cambridge, U.K., 2014, pp. 239–252.

[13] National Cyber Security Strategies in the World, European Union Agencyfor Network and Information Security, Brussels, Belgium, 2013.

[14] Information Technology—Security Techniques—Information SecurityManagement Systems—Requirements, Standard ISO/IEC 27001:2013,2013.

[15] M. Gidda. (2013). Edward Snowden and the NSA Files—Timeline, The Guardian, London, U.K. [Online]. Available: http://www.theguardian.com /world / 2013 / jun / 23 /edward-snowden-nsa-files-timeline

[16] T. D. Gill and P. A. Ducheine, ‘‘Anticipatory self-defense in the cybercontext,’’ Int. Law Studies (U.S. Naval War College), vol. 89, pp. 438–471,2013.

[17] M. J. Glennon, ‘‘Fog of law: Self-defense, inherence, and incoherence inarticle 51 of the United Nations charter,’’ Harvard J. Law Public Policy,vol. 25, pp. 539–558, 2001.

[18] T. Gordon and A. Pease, ‘‘RT Delphi: An efficient, ‘round-less’ almost realtime Delphi method,’’ Technol. Forecasting Social Change, vol. 73, no. 4,pp. 321–333, May 2006.

[19] D. E. Graham, ‘‘Cyber threats and the law of war,’’ J. Nat. Secur. LawPolicy, vol. 4, pp. 87–102, 2010.

[20] A. N. Guiora, ‘‘Self-defense—From the wild west to 9/11: Who, what,when,’’ Cornell Int. Law J., vol. 41, no. 3, p. 631, Aug. 2008.

[21] J. F. Hill, ‘‘The growth of data localization post-Snowden: Analysis andrecommendations for U.S. policymakers and business leaders,’’ in Proc.Hague Inst. Global Justice, Conf. Future Cyber Governance, 2014, vol. 2,no. 3, pp. 1–41.

[22] S. Hoermann, M. Aust, M. Schermann, and H. Krcmar, ‘‘Comparing risksin individual software development and standard software implementationprojects: A Delphi study,’’ in Proc. 45th Hawaii Int. Conf. Syst. Sci.(HICSS), Jan. 2012, pp. 4884–4893.

[23] International Strategy for Cyberspace: Prosperity, Security, and Opennessin a Networked World, White House, Washington, DC, USA, 2011.

[24] J. P. Kesan and C.M. Hayes, ‘‘Mitigative counterstriking: Self-defense anddeterrence in cyberspace,’’ Harvard J. Law Technol., vol. 25, no. 2, p. 429,2011.

[25] J. Landeta, ‘‘Current validity of the Delphi method in social sciences,’’Technol. Forecasting Soc. Change, vol. 73, no. 5, pp. 467–482, 2006.

[26] Defence in Depth, Trusted Information Sharing Network, ACT, Australia,2008.




EMERGING TOPICS

IN COMPUTING

[27] Security and Privacy Controls for Federal Information Systems andOrganizations, National Institute of Standards and Technology,Gaithersburg, MD, USA, 2013.

[28] C. Okoli and S. D. Pawlowski, ‘‘The Delphi method as a research tool: Anexample, design considerations and applications,’’ Inf. Manage., vol. 42,no. 1, pp. 15–29, 2004.

[29] Critical Security Controls for Effective Cyber Defense, Council onCyberSecurity, Arlington, VA, USA, 2009.

[30] A. M. Rutkowski, W. A. Foster, and S. E. Goodman, ‘‘Multilateral cybersolutions: Contemporary realities,’’ in Public Interest Rep., vol. 65, no. 1,pp. 12–18, 2012.

[31] R. Schmidt, K. Lyytinen, M. Keil, and P. Cule, ‘‘Identifying softwareproject risks: An international Delphi study,’’ J. Manage. Inf. Syst., vol. 17,no. 4, pp. 5–36, 2001.

[32] A. Stellman and J. Greene, Applied Software Project Management.Sebastopol, CA, USA: O’Reilly Media, Inc., 2005.

[33] M. G. Stochel, ‘‘Reliability and accuracy of the estimation process—Wideband Delphi vs. Wisdom of crowds,’’ in Proc. 35th Annu. Comput.Softw. Appl. Conf. (COMPSAC), Jul. 2011, pp. 350–359.

[34] N. Taylor, ‘‘To find the needle do you need the whole haystack? Globalsurveillance and principled regulation,’’ Int. J. Human Rights, vol. 18,no. 1, pp. 45–67, 2014.

[35] G. H. Todd, ‘‘Armed attack in cyberspace. Deterring asymmetric warfarewith an asymmetric definition,’’ AFL Rev., vol. 64, p. 65, Jun. 2009.

[36] Strengthening the Role of ITU in Building Confidence and Securityin the Use of Information and Communication Technologies,International Telecommunications Union, document Rec.RESOLUTION 130, 2010.

[37] F. Wamala, ITU National Cybersecurity Strategy Guide, InternationalTelecommunication Union, Sep. 2011.

[38] L. Williams, A. Meneely, and G. Shipley, ‘‘Protection poker: The newsoftware security ‘game,’’’ IEEE Security Privacy, vol. 8, no. 3,pp. 14–20, May/Jun. 2010.

[39] E. Ziglio, ‘‘The Delphi method and its contribution to decision-making,’’in Gazing Into the Oracle: The Delphi Method and Its Application toSocial Policy and Public Health. London, U.K.: Jessica Kingsley, 1996,pp. 3–33.

[40] Statistics Indonesia, Statistical Yearbook of Indonesia 2014. Jakarta,Indonesia: Central Agency on Statistics, 2014.

[41] Indonesia Internet Service Provider Association.(2013). Indonesia Internet Users. [Online]. Available:http://www.apjii.or.id/v2/read/page/halaman-data/9/statistik.html

[42] B. Schneier, Secrets & Lies: Digital Security in a Networked World. NewYork, NY, USA: Wiley, 2000.

YUDHISTIRA NUGRAHA (M’14) received theB.E. degree in telecommunications engineeringfrom Telkom University, Bandung, Indonesia,in 2003, and the master’s degree (Distinction)in information and communication technologyadvanced from the University of Wollongong,Wollongong, NSW, Australia, in 2009. He is cur-rently pursuing the D.Phil. degree (Oxford’s PhD)in cyber security with the Department of ComputerScience, Centre for Doctoral Training in Cyber

Security, University of Oxford, Oxford, U.K. He has been an Engineer,a Researcher, and an Assessor in the field of information technology andtelecommunications. He is a Certified ISMS Auditor and Certified EthicalHacker. He has served as the Head of Information Security RiskManagementwith the Directorate of Information Security, Ministry of Communicationsand Information Technology, Jakarta, Indonesia. His research interests arein the areas of information security and privacy, requirements engineering,and cyber governance. He is a member of the Association for ComputingMachinery, the Professional Evaluation and Certification Board, and theInstitute of Information Security Professionals.

IAN BROWN received the Ph.D. degree in com-puter science from University College London,London, U.K. He is currently an Associate Direc-tor of the Cyber Security Centre and a Professor ofInformation Security and Privacy with the OxfordInternet Institute, Oxford University, Oxford, U.K.His research is focused on surveillance, privacy-enhancing technologies, and Internet regulation.He is an ACM Distinguished Scientist and BCSChartered Fellow, and a member of the Infor-

mation Commissioner’s Technology Reference Panel. He has acted as anexpert witness for the English High Court, the U.K. Investigatory PowersTribunal, and the European Court of Human Rights, and given evidence tothe U.K., German, and European parliaments. Since 2014, he has been aKnowledge Exchange Fellowwith the Commonwealth Cybercrime Initiativeand the U.K. National Crime Agency.

ASHWIN SASONGKO SASTROSUBROTOreceived the B.E. degree in electrical engineer-ing from the Bandung Institute of Technology,Bandung, Indonesia, and the M.Sc. andPh.D. degrees in power electronics from AstonUniversity, Birmingham,U.K. He has served as theDirector General of Informatics Application withthe Ministry of Communications and InformationTechnology (MCIT). He served various positionswith the government as the Secretary General of

the MCIT, the Secretary to the Ministry of Research and Technology, theDeputy Minister with the State Ministry for Communication and Informa-tion, and the Vice Chairman of the Agency of Application and Assessment ofTechnology. He is currently a Senior Researcher with the Indonesian Instituteof Sciences and the Chairman of the Study Centre of Public Policy and ICTBusiness with Telkom University, Bandung. He is also a member of theNational ICT Council. His current interests are in electronic systems, ICTgovernance, and cyber security policy.


an adaptive wideband delphi method to study state cyber ... defence... · mendations for...

Documents