Partnering for Cyber Resilience


Page 1: Partnering for Cyber Resilience

In this newsletter:

Partnering for Cyber Resilience Conference
European Commission Vice-President endorses PCR
New signatories
The Grand Conference 2012, Amsterdam
OAS Secretary-General meets with Forum USA Chairman
Increased Cyber Awareness for Oil and Gas Sector
Calendar
Metrics
Resources

Partnering for Cyber Resilience

Partnering for Cyber Resilience Conference

On 5 and 12 December 2012, Chief Executive Officers, public sector leaders and key advisers to the heads of the Annual Meeting delegations are set to determine the agenda and direction of the cyber-related discussions at the World Economic Forum's Annual Meeting 2013 in Davos-Klosters, Switzerland, and the future of the Partnering for Cyber Resilience (PCR) initiative.

The PCR conference will be held in Dublin, Ireland, on 5 December 2012 and in Washington, DC on 12 December 2012.

The agenda allows for extensive participant interaction, peer group learning and network strengthening. In the morning, participants will join one of two sessions, followed by a joint session in the afternoon. Please confirm your participation via [email protected].

November 2012

Agenda

09.00 - 09.30 Welcome and Introduction

09.30 - 12.00 Track 1: Private Sector: Development and Future of the Partnership

09.30 - 12.00 Track 2: Public Sector: Sharing Best Practices and Experiences

12.00 - 13.15 Lunch

13.15 - 14.15 Keynote Panel Discussion

14.15 - 17.00 Pathways to Global Cyber Resilience: Public-Private and International Cooperation

17.00 - 18.30 Networking Reception

Page 2: Partnering for Cyber Resilience

Partnering for Cyber Resilience November 2012 Newsletter

The Grand Conference 2012: New Partners and European Commission Endorsement for Partnering for Cyber Resilience Initiative

“These are not just a set of important principles, they are evidence of how we can work together as public and private sector leaders to raise awareness and build resilience. I’m fully committed to such Principles. In a hyper-connected world, we must contribute to a safe, shared digital environment.”

Neelie Kroes, Vice-President and Commissioner for the Digital Agenda, European Commission, thus expressed her support for the Partnering for Cyber Resilience initiative on October 16, 2012, at the first Grand Conference. ‘TGC2012’ was held to improve cyber resilience for critical infrastructures. Hosted by the Dutch Center for the Protection of National Infrastructure (CPNI) and supported by the World Economic Forum, the event sought to emphasize the importance of cyber resilience. The conference was moderated by Jan Bonjer, Chief Editor of Financieele Dagblad (the Dutch Financial Times). Speakers included Harry van Dorenmalen, Chairman, IBM Europe; Mikko Hypponen, Chief Research Officer, F-Secure; Mike Maddison, EMEA Cyber Security Leader, Deloitte; Derek O’Halloran, Head of IT Industry, World Economic Forum; Rod Beckstrom, former CEO of ICANN; Michel van Eeten, Professor, Delft University of Technology; and Mark Dierikx, Director-General, Ministry of Economic Affairs, Agriculture and Innovation of the Netherlands. The objective of the conference was to raise awareness of C-level management and to emphasize resilience of organizations and critical infrastructure in particular. The event asked executives to show leadership and take action. In addition, it provided a way to build the network of C-level management on the topic of cyber resilience.

With a combination of talks, master classes and networking opportunities, the event provided a rich and immersive experience for participants. The day culminated in the closing ceremony where Royal KPN, Alliander and the Netherlands Organization for Applied Scientific Research (TNO) joined the Partnership by signing the Principles for Cyber Resilience.

Neelie Kroes, Vice-President and Commissioner for the Digital Agenda, European Commission, during The Grand Conference 2012, on October 16, 2012 in Amsterdam, The Netherlands.

Signing ceremony for the Partnership for Cyber Resilience during The Grand Conference 2012, on October 16, 2012 in Amsterdam, The Netherlands.

Page 3: Partnering for Cyber Resilience

“Joining the Forum’s Partnering for Cyber Resilience is another demonstration of our organization’s commitment to promoting cyber security, not just in the region, but worldwide.”

José Miguel Insulza, Secretary-General, Organization of American States (OAS), Washington DC

Growing the Partnership

Reinforcing the support at the highest organizational levels, Jean-Pierre Rosso, Chairman, World Economic Forum USA, met with José Miguel Insulza, Secretary-General, Organization of American States (OAS) on 19 October 2012 to welcome the OAS to the Partnership and to discuss how their respective organizations can work together on this topic.

Through the Inter-American Committee against Terrorism (CICTE) of the Secretariat of Multidimensional Security (SMS), the OAS has worked extensively to raise cyber security awareness and capabilities, as well as to foster the growth of a regional community of cyber security stakeholders and collaborators. These efforts have entailed a broad range of activities, including technical training and capacity building courses, policy-level discussions, and cyber security exercises and simulations, as demonstrated during the visit.

Since the last edition of this newsletter, the Partnership has grown by another six members, bringing the total to 53. The new members are: Autoridad Nacional para la Innovación Gubernamental of Panama, the Azerbaijan Ministry of Information and Communication Technology, Prolexic, Royal KPN, Alliander and the Netherlands Organisation for Applied Scientific Research (TNO).

The new additions are split evenly across the public and private sectors, which shows continued interest and support from both, and in particular from the public sector. The total number of countries represented has risen to 20, and the number of national governments represented has risen to five.

José Miguel Insulza, Secretary-General, Organization of American States (OAS), meets with Jean-Pierre Rosso, Chairman, World Economic Forum USA before observing a cyber simulation demonstration at the OAS offices in Washington, DC, on 19 October 2012.

Page 4: Partnering for Cyber Resilience

Q&A with Ray Stanton, BT Group

Ray Stanton is Executive Vice-President of BT Advise (BT’s Professional Services Unit) at BT Global Services. In this role, he has responsibility for BT’s Professional Services globally. Stanton has worked in communications, information technology and security for more than 29 years. Prior to taking on his present role, he was Executive Global Head of BT’s Business Continuity, Security and Governance Capability Unit.

About BT

BT is one of the world’s leading communications services companies, providing networked IT services, including security and business continuity, to corporate and government customers around the world. A major part of BT’s activities is helping its customers manage and maintain resilient and secure networked IT infrastructures, offering a full portfolio of security consulting and managed services, including secure networking, business continuity, and identity and fraud management services.

Taking real accountability, not lip service – this is what the ethos of Partnering for Cyber Resilience is all about.

What are the key actionable insights for leaders across all domains for 2013?

This is ensuring the right level of accountability for cyber risk is assigned within their organizations; again this refers directly to the ethos and principles of the PCR. This is the one common item that affects everyone from consumer to governments, nationally, internationally, globally. Even those people not connected to the Internet, for example in rural Africa or islands in the Philippines, can still be affected, as their local governments that hold their data can still be at risk.

Insights need to not only drive this accountability, but also ensure that it is clear these global leaders should also be asking the simple and basic questions. For example: What is our strategy for an online cyber attack? Do we have the right connections (both procedural and personal) to help us deal with an attack?

Additional insights (beyond cyber risk strategies) would be for leaders to ask their teams what are their strategies, company ethos and importantly policies towards mobility and BYOD (“Bring Your Own Device”, e.g. personal laptops, handheld devices like smartphones and tablets), security and privacy in the “cloud” (whatever their definition of “cloud” is), and how are they assuring their cyber and IT security risk programmes are supporting and driving shareholder value and reducing their risk profiles.

These are interconnected in very obvious ways, as much of our mobility and BYOD strategies will be enabled by the cloud, which itself is a platform that is becoming ubiquitous as its relative deployment costs continue to plummet. And certainly we are seeing advanced threats now being targeted increasingly at mobile and personal devices.

In terms of real definable, detail-actionable responses, at a basic level the same best practices apply, whatever the technology environment you use. Have good policies in place and enforce them. For example, use good password structures, change them frequently, do not use the same password for everything, have policies and practices in place to control what data is both passed onto and stored on devices, and how it is stored while it is there.

These are the actionable insights for leaders, through demonstrable visible leadership and defined outcomes.

What should be the key priority for the Partnering for Cyber Resilience community in catalysing awareness, understanding and action in cyber security?

A recent headline in the Financial Times of London during 2012 read “Security tops boardroom agenda”, with the clear implication that stakeholders for information security straddle the whole organization, from IT to marketing, finance, supply chain and compliance. The critical point here is to ask – is that a true statement or is it lip service? Can the board adequately say (and ask yourselves this question) that if today they had to include a statement in their annual accounts along the lines of “we declare that we’re doing everything we should be doing to protect our infrastructure, applications, services and customers and employees data against known IT security and cyber risks”, would they feel comfortable doing this?

An iron law for security professionals that has stood the test of time is to focus security efforts on three key areas equally, namely: people, processes and technology. Undoubtedly it is the “people” element of this trio that gets neglected, and not surprisingly is often the source of the most damaging breaches.

Therefore to answer the question, World Economic Forum Members should think about the annual account statement and support, endorse and enforce creating a security culture from the top, right across the organization, and back it with strong internal, professionally driven communications campaigns that make the difference.

What innovations for how the private and public sectors collaborate are emerging and working best?

The pressure of events has forced many national governments to develop cyber security strategies, in many cases in close collaboration with the major players in the private sector. If we take the example of the United Kingdom, the National Cyber Security Strategy has four objectives on crime/security, resilience, stability and skills, and certainly for private sector organizations to align with these strategies is proving very fruitful. This is visible and demonstrable collaboration.

Within BT, the main strands of our activities include links to the four objectives of the national strategy. We encourage volunteering and educating the citizen in cyber through, for example, the UK Cyber Security Challenge, and the Young Professional Network (YPN) Global Cyber Champions and Guardians.

Further, we should not forget the close collaboration between academia, government and the private sector where, again to quote a UK example, in 2012 the first of a network of university-based centres of excellence in cyber security was opened, with support and sponsorship from private sector organizations.

While I have used UK examples to demonstrate here, there are many initiatives happening globally. Another example is the Forum of Incident Response (FIRST) – www.first.org.

This is a fantastic global collaboration of all parties (from all sectors, industries and nations) on a not-for-profit basis, where Computer Emergency Response Teams (CERTs) work together to overcome, help, share information and respond in real time to threats and incidents. All in the good cause of collaboration and best practice – knowing their main aim is to support each other.

What is clear is that the threats will only increase, and the more we can collaborate with groups like FIRST, the easier it will be for us all. This is best practice in action; if your organization is not a member, I strongly urge you to become one and soon.

“To manage risk effectively, you have to look at your business top to bottom, and from every angle. You need to put the right measures in place and not just pay them lip service.”

Ray Stanton, Executive Vice-President, BT Advise

Page 6: Partnering for Cyber Resilience

Calendar of Events 2012-2013

After the highly successful Grand Conference 2012, the next milestone events are scheduled for 5 December 2012 and 12 December 2012.

The PCR Conference 2012 will be held in Dublin and Washington, DC, respectively, and marks the first dedicated event for all PCR signatories and representatives from the public sector.

Outcomes from this two-day conference will be discussed at the World Economic Forum Annual Meeting 2013 in Davos-Klosters, Switzerland.

The calendar below shows a selection of opportunities for the Partnership to grow or develop guidelines for policy and law enforcement communities.

If you want to add your event to the calendar, please inform the team. The calendar is updated regularly and available for download here.

Calendar period: October 2012 to February 2013.

Main Events

CPNI Conference on National Infrastructure, Amsterdam, 16 Oct.
Partnering for Cyber Resilience Conferences, Dublin, 5 Dec. and Washington, 12 Dec.
Annual Meeting 2013, Davos, 23-27 Jan.

Other Events

ISF 23rd Annual World Congress, Chicago, 4-6 Nov.
SCADA and Process Control System Security Summit, Barcelona, 10-11 Dec.

Activities and Editorial Calendar

Completion of interviews with public sector
Release of Deloitte TMT security study, 10 Dec.
Newsletter 4: 17 Dec.

Page 7: Partnering for Cyber Resilience

Partners for Cyber Resilience

Is your logo incorrect or missing? Please tell the team.

Partner logos are shown grouped by industry: Aviation & Travel; Automotive; Banking & Capital Markets; Agriculture, Food & Beverage; Insurance & Asset Management; Information Technology; Media, Entertainment & Information; Multi-Industry; Private Investors; Professional Services; Retail & Consumer Goods; Supply Chain & Transport; Telecommunications; Energy Utilities & Technology; Government & Not-for-Profit.

Page 8: Partnering for Cyber Resilience

Growing Cyber Awareness in the Oil and Gas Sector

This month’s newsletter looks at the oil and gas sector, which has recently seen a significant increase in cyber events. Based on research by CyberFactors, the Energy sector has seen a 45% average year-on-year increase in cyber breaches since 2008.

Arguably, the most widely reported breach was that of Saudi Aramco, Saudi Arabia’s national oil company. Saudi Aramco’s systems were breached by hackers who managed to plant a virus in the organization’s networks.

The virus, dubbed Shamoon, was able to disable a network of about 30,000 workstations. Although production was said not to be impacted, the attack had a significant impact on the organization and made headlines in international media. Saudi Aramco was certainly no exception, after earlier attacks on Exxon, Shell, BP, Gazprom and Rosneft.

Lukoil was attacked in a separate cyber event, but all received attention from hacktivists Anonymous. The ‘Save the Arctic’ campaign was initiated to protest arctic drilling for natural resources.

A report published in 2011 stated that since 2009 a series of attacks dubbed ‘Night Dragon’ successfully infiltrated energy companies. The companies involved allegedly included Exxon, Shell, BP, Marathon Oil, ConocoPhillips and Baker Hughes.

Homeland Security Secretary Janet Napolitano noted on 31 October that after Hurricane Sandy wreaked havoc on the East Coast, people should look no further than the damage caused by the massive storm to understand the need to boost the nation's cyber security protections.

The Hill reported: “One of the possible areas of attack, of course, is attacks on our nation's control systems – the control systems that operate our utilities, our water plants, our pipelines, our financial institutions,” Napolitano said. “If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities.”

Partnering for Cyber Resilience – Principles and Guidelines in Spanish

In line with the global nature of the Partnership for Cyber Resilience, the World Economic Forum is currently developing Chinese and Japanese translations of the Principles for Cyber Resilience. This month the Partnering for Cyber Resilience team is pleased to announce the release of the Spanish-language version of the Partnering for Cyber Resilience – Principles & Guidelines document.

The principios y directrices are available for download using this link.

Page 9: Partnering for Cyber Resilience

Cross-Industry Support (share of Partnership members by industry)

Aviation & Travel: 2%
Automotive: 2%
Banking & Capital Markets: 13%
Agriculture, Food & Beverage: 2%
Insurance & Asset Management: 4%
Information Technology: 28%
Media, Entertainment & Information: 8%
Multi Industry: 2%
Not Applicable (Constituents): 15%
Private Investors: 2%
Professional Services: 4%
Retail & Consumer Goods: 4%
Supply Chain & Transport: 2%
Telecommunications: 9%
Energy Utilities & Technology: 4%

Gaining Global Reach (share of Partnership members by country)

USA: 36%
Switzerland: 9%
United Kingdom: 8%
France: 6%
India: 6%
Netherlands: 6%
Japan: 4%
Canada: 2%
Colombia: 2%
Jordan: 2%
Mauritius: 2%
Mongolia: 2%
Panama: 2%
Portugal: 2%
South Africa: 2%
Spain: 2%
Turkey: 2%
Uganda: 2%
United Arab Emirates: 2%

Page 10: Partnering for Cyber Resilience

Contact:

Derek O’Halloran Head of IT Industry Tel.: +1 646 371 3757 E-mail: [email protected]

Alex de Leeuw Project Manager Tel.: +1 347 882 5811 E-mail: [email protected]

weforum.org/cyber

[email protected]

The World Economic Forum is an independent international organization committed to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas. Incorporated as a not-for-profit foundation in 1971 and headquartered in Geneva, Switzerland, the Forum is tied to no political, partisan or national interests.

Partnering for Cyber Resilience

The Partnering for Cyber Resilience initiative seeks to build a community of private and public sector leaders who join forces to deal with the new risks and responsibilities of the hyperconnected world.

Together they support the Principles for Cyber Resilience, leading cyber risk management for their organizations, and with the public sector, for society as a whole.

Sincere thanks are extended to the experts who contributed their unique insights to this initiative.

We are also grateful for the commitment and support of Deloitte in their capacity as project adviser.

For the latest information on the Partnering for Cyber Resilience initiative, please visit: weforum.org/cyber