Cybersecurity evolves rapidly both in technology and policy terms. Countries and organisations struggle with the pace of change. Analysing particular strategies is not only useful but also interesting, as it may often constitute a form of a litmus test.
On the one hand, strategies show where we, the countries, (or, generally “we”) may be heading. On the other, they indicate the relative maturity of a particular country or organisation (be that public, private, or international). Recently, I made a related assessment for France, and another interesting take may be the one of Luxembourg, a small European country. Luxembourg is heavily investing in new technologies, including digital. In fact, the strategy makes it clear: “cybersecurity has become a factor of economic attractiveness. It represents a competitive advantage”. This point makes Luxembourg quite similar to Estonia, but it is not the aim today to list the differences between those two countries, but to focus on the interesting points in Luxembourg’s cybersecurity strategy.
First of all, it is the third such a strategy. This immediately highlights the maturity of the topic, and how seriously it’s being treated. The strategy is maintained and updated.
European countries are now struggling with implementation of a so-called NIS directive of the European Union, which, among others, requires the adoption of strategies. Some fare better than others. But it is very refreshing to see a document made by a country that is serious about the subject matter, rather than waiting for other bodies (such as the European Union) to come up with a regulatory incentive.
This assessment will be a technology policy one. I will focus on the most interesting parts. In each part, I include my concerns - but mostly in form of comments, rather than finding issues with a generally interesting document.
Responsible disclosure
Luxembourg will enact a state-supported “responsible disclosure” process.
“A model of “responsible disclosure”, allowing the disclosure of a detected computer vulnerability, while giving the parties concerned a deadline to correct the vulnerability prior to its disclosure, will be implemented in Luxembourg. This could be of interest, especially in the field of academic and private research: the development of a work environment with specific rules to increase legal certainty for the benefit of researchers in the field of information security.“
The text says it all. It is not only about increasing the security posture, but also about protecting security (and hopefully privacy) researchers. Making it clear and unambiguous is very good. It is, after all, an official document. This point makes Luxembourg an interesting place to base security activities.
Concerns
However, among the possible issues may be the term “responsible disclosure” itself, as if another approach could be irresponsible. Perhaps changing the name to make it less morally-charged would be a good idea. There may be a debate here on the advantage of using neutral language, as “managed disclosure”, or even simply “disclosure process”.
There is also no mention of Luxembourg stance on the international level. Too often, discussions around “security research” are seen as controversial.
Code Disassembly and Identifying Vulnerabilities
Quite uniquely and remarkably, Luxembourg plans to pass special provisions explicitly allowing the “reverse engineering” of software, as well as penetration testing. Clarifying this positive approach to security research is important, and even more so considering the atmosphere where security research is still too often being seen as something suspicious (not even considering using the term “dual-use” here).
However, I believe the provision should be understood, and could be made, in a broader context, including privacy research (In 2017, the UK considered to criminalise part of privacy research, but fortunately this policy has been reversed)
Furthermore, Luxembourg will also make it clear that CERT will have the power to mass-scan entire country infrastructure to identify vulnerable devices (the Strategy explicitly mentions Heartbleed as an example). This is particularly good as it allows reaching a rapid “security posture” of most of the (externally visible) infrastructure.
Concerns
Like previously, no mention to a stance on the international level is made.
Develop standards for critical infrastructure
Critical infrastructure is recently pretty much in the spotlight. The strategy is correct here: “The application of information security policies will be recommended to critical IT infrastructure“. Offering to help operators with the choice of the right risk assessment methodologies and frameworks is a good idea. Some may not be resourced enough to do it on their own. And we’re entering quite risky times.
National DDoS Defence?
When a service is overloaded with traffic, the effect is often loss of availability. With DDoS attacks reaching high throughput, reaching even the Tb/s region, (not only via hacked routers, webcams, toasters, or memcached servers), the stakes are ever higher. This is also of special importance for countries putting high stakes in digital technologies. Estonia already experienced concerted DDoS effort once, back in 2007, this led to interesting developments in public policy on an international level (including by the activity of the former Estonian president Toomas Hendrik Ilves).
But back on the technical track. When it comes to the protection, Luxembourg plans to rely on service providers, but it will also consider the option of creating a “national scrubbing centre”, tasked with the filtering of bogus traffic, in case the capabilities of local operators would prove to be insufficient.
Concerns
The wording may be concerning. The Strategy speaks of “filtering of illegal communications”. While DDoS attacks may be illegal (and while protection is about filtering of flood traffic), many data transfers may be legitimate. With DDoS we’re speaking about infrastructures and rerouting via Border Gateway Protocol. But in general, extra care needs to be made when using terms such as “communication filtering”. Filtering infrastructures may be good but may also be repurposed easily. Whenever “filtering” is used, eyes should open.
Summary
This strategy contains some very interesting proposals. Most of the choices follow the previous explicit definition and identification of broader country goals (put stakes in digital technology). Strategies accommodating the broader picture and goals work best. Otherwise they risk ending up staying on the paper, shelved. In the case of Luxembourg, I believe this particular risk is low. But the strategy itself is also very specific, oriented on the protection of business and public institutions. It does not address all points of interest that may relate to “cyber”.
The whole strategy can be found here.
Did you like this analysis? Feel free to reach out: me@lukaszolejnik.com