NIST Cybersecurity Framework is changing – what does it mean for supply chain cybersecurity?

NIST released a public draft of its widely used Cybersecurity Framework.
At first glance, from a supply chain point of view, you might think that the changes are purely cosmetic and mainly come down to rearrangements.
However, a closer inspection reveals the emergence of several new elements and quite a few important rewordings.
Although most of the changes will not surprise those who have been dealing with the topic of supply chain for a long time, it’s worth spending a bit of time analysing them.
Here are a few observations:

1. The Cybersecurity Supply Chain Risk Management category has been moved from the Identify Function to the newly established Govern Function.

With the general reorganization of the NIST Framework, this change makes a lot of sense. Managing supply chain risk is strategic and must be integrated with the overall cybersecurity risk management strategy, expectations, roles and responsibilities, and policy.
It is also worth reading the supply chain recommendations in the context of the other changes introduced in the Govern Function. Organizational leadership’s responsibility for cybersecurity risks, the allocation of adequate resources, and communication must extend to supply chain topics.
Bravo NIST.

2. The Cybersecurity Supply Chain Risk Management category has gained a couple of completely new subcategories.

Yes, for many of us, those new additions are not new at all. Many mature organizations execute them already. But for those who are just starting on the supply chain topic they are super important. Also, some of those updates illustrate larger trends in the industry.
Let’s look at some examples.

  • Subcategory GV.SC-04 speaks about the identification and prioritization of suppliers by criticality. Well, of course. How else does one want to achieve resiliency, have well-working IRPs, implement risk-commensurate mitigation strategies and many others?
    (Some could argue that this element was present in the previous ID.SC-2, but now it is more visible and important.)
    Bravo NIST
  • Subcategory GV.SC-06 underlines that the due diligence process is performed BEFORE entering into a formal relationship. Obvious for some, yet for others… Who would like to marry a person after the first date?
    Bravo NIST
  • Subcategory GV.SC-09 speaks about monitoring security practices throughout the technology product and service lifecycle. Well, yes – these are ongoing activities. Life changes and threats evolve. Supply chain protection can’t be a point-in-time activity.
    Bravo NIST
  • Subcategory GV.SC-10 – supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.
    Again, how many of you remember to make sure that ALL information assets are revoked after terminating cooperation, or that any connectivity has been shut down?
    Bravo NIST; however, I would extend this subcategory to cover overarching exit strategies.

3. Some previously existing subcategories belonging to the Cybersecurity Supply Chain Risk Management category have been reworded.

Sometimes those small tweaks can be overlooked, but they change a lot. Let me give you some examples:
  • Former subcategory ID.SC-1 spoke about cyber supply chain risk management processes. Now NIST goes even further and underlines that we should have in place an entire supply chain risk management program, with its strategy, objectives and policies. Yep, supply chain protection is a strategic, whole-of-organization effort.
  • GV.SC-08 concentrates on cooperation with your partners and expands the previously existing recommendations to the planning phase (not only response and recovery activities). That is important. At least your critical third parties (now you see why their identification is so important!) should be strategically involved in the end-to-end process.

4. Some changes in the remaining Functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) have been introduced, and they are important for supply chain efforts.

It is worth analysing the entire framework. For instance, the new subcategory ID.AM-04 underlines the need to maintain inventories of services provided by suppliers. Well, Log4j and other incidents proved painfully that there will be no successful protection without understanding what we have and where it comes from. And this is more difficult than you might think. And not everyone remembers it.

Okay. These are only selected elements from the updated framework that deserve our attention. One thing is clear to me: all those changes, smaller and bigger, prove that the supply chain topic (once considered niche) is maturing and gaining more and more traction.

Supply Chain Cyber Risk Management in the financial sector

The topic of supply chain cyber risk management was, is and will always remain at the centre of my professional interest. That is why I follow all major developments in the field. Especially those concerning the financial industry.
The recently released, updated G7 Fundamental Elements for 3rd Party Cyber Risk Management in the Financial Sector provide an extremely useful overview of the key issues related to the topic, as well as good guidance on how to deal with the main challenges.
Below I present selected points worth further attention (with small comments).


Basic assumptions

  • Supply chains bring not only cybersecurity challenges for individual entities but also systemic risks (see below)
  • The scope of the risk management programme should be broad and cover external providers (products with their components, services, connections etc.) as well as intra-group entities
  • Actions should always be risk-based and proportionate (think of the 3rd-party…n-th-party risk profile, their role, impact and threat landscape).

1. Governance: 

  • Senior management should be ultimately responsible and accountable for overseeing and implementing the supply chain cyber risk management programme (this must be seen as a strategic effort covering the entire life cycle of the relationship with an external party; defining risk appetite should sit at the heart of the effort, and without clearly indicated roles and responsibilities not much will be done).

2. Risk Management Process

  • The process must address all the stages/elements of the relationship life cycle (think of it from the selection phase to termination of the relationship)
  • Third parties, their services, and products (including their components – SBOM!) should be identified, inventoried and constantly updated. (Don’t forget about your third parties’ subcontractors.)
  • The criticality of the various elements of the supply chain must be identified for all of the above (different criteria could apply: access to data and its criticality, connectivity, and the sensitivity of the assets hosted).
  • Suppliers must be risk assessed BEFORE entering a business relationship (not easy, I know, but necessary to understand vulnerabilities and introduce risk treatment actions).
  • The effectiveness of that process remains a challenge (wanna exchange opinions on that?)
  • Onboarding risk assessment should be followed by continuous monitoring (a snapshot of the security posture is not enough).
  • Common assessments remain the Holy Grail of the industry
  • Security Exhibits comprising e.g. T&Cs regarding risk management, required controls, legal obligations, performance standards, audit rights, reporting obligations, tests, joint exercises, subcontracting, termination rules, consequences of material changes etc. are a must.
  • Changes in criticality and risk level should be continuously monitored
  • Metrics-driven decisions are much needed

3. Incident response

  • Incident response plans should be established, agreed upon, exercised and tested – yes, sometimes jointly with the partner.

4. Contingency Planning and Exit strategies 

  • Be prepared for the ‘supply chain divorce’. 
  • Exit plans should be tested 

5. Monitoring for potential systemic risks 

  • Some suppliers may bring systemic risks to the entire sector – resiliency strategy tells us to pay attention to concentration and compound risks.
  • Potential single points of failure should be carefully recognized and mitigated

6. Cross-sectoral coordination

  • The financial sector depends on other sectors – yes, people should talk to each other

7. Third Parties to the Financial Sector

  • Suppliers delivering to the critical sector, like the financial industry, should be aware of their increased responsibilities. 

How China is swaying the world’s digital agenda

It seems that the West (the US especially) has finally seen the light when it comes to China’s vaulting ambition in the development of new technologies (5G being its classic example). Yet in the race for the global leadership position, the strategy Beijing has adopted is to not only pursue the technology supremacy but also gain – very consistently and systematically – influence in international organisations and institutions. Beijing has grasped how effective using traditionally “Western” mechanisms* can be for achieving its ends, for position building, for promoting its vision and standards.

After a drawn-out stage of denial comes the moment when the West is starting to see the problem and slowly getting to prepare an answer. The strategy is still a “piecemeal” one, lacking a distinct, holistic vision, at least at this stage. Consolidating actions among the allies and determination in furthering their ends will decide whether a constructive and effective response to China’s offensive will be prepared. But before the ways out, first a few examples to illustrate the problem and the process of China gaining in recent years one technological foothold after another in the global arena.

  • Artificial intelligence

A few days ago the world heard the news that the US had changed its mind and decided to take part in a project spearheaded by G7 leaders, called the Global Partnership on AI (GPAI) – to work within the group which focuses on AI advances. Initially, the US refused to join, using the regulation-kills-innovation argument among others. Wrong way to think about it, for a few reasons: 1) just because you’re not taking part in the debate doesn’t mean its results won’t be binding for you; 2) it’s better to be able to shape the world than to live in a reality others created.

Why has this text started with the example of an initiative that China is not central to? Because the initial American lack of commitment to GPAI exemplifies a larger problem that affects many actions by Western countries: shaping international processes ineffectively, staying a step behind instead of stepping up to the plate. Meanwhile China, by deploying the polar opposite strategy – of strong involvement – has begun to preside over the discussion and shape the key digital debates. The US reversing its decision concerning GPAI is worth considering in this wider context. This move tries to cut losses after earlier poor decisions or even mistakes.

In January 2019, the US officially withdrew from UNESCO. Meanwhile, this organisation, traditionally seen as centred on culture and international heritage issues, has started to work hard on AI. The Ad Hoc Expert Group was set up, its aim to draw up recommendations regarding ethical AI development guidelines. Even though this very process is at present mostly in the hands of traditional US allies (namely Japan), it should not be overlooked that after the US withdrawal China is starting to play an ever-growing role in the whole of UNESCO. There is no ruling out that soon this country is going to make its voice heard in this debate as well.

Another organisation where important AI-related decisions are taken is ITU – the International Telecommunication Union. It is the space where such matters as facial recognition technology are being debated. ITU findings have worldwide significance. They influence standards and technology solutions (mainly in the telecommunication and radiocommunication markets), while the entities whose proposals are accepted come to occupy an important role in the whole global value chain as they reap immense profits and increase their clout. And it is precisely in ITU where the role of China is very much visible already and goes beyond the AI debate (as will be discussed below).

  • 5G

Once the initial shock for the West had passed, when the stakeholders found out how much China had pushed for supremacy in 5G, they began to seek answers. The US started to play the leading political role in this respect. Initial attempts zeroed in on particular spots – e.g. on bilateral agreements (signing memorandums with the Czech Republic, Romania, Latvia, Estonia, Poland) that aimed to limit the influence Chinese technologies might have. The US also inspired more organised processes (the Prague 5G Security Conference policy recommendations). Right now we are seeing brave efforts to forge a coalition of democratic countries set to work on developing their own 5G technologies (the D10 Group proposed by the British, to be joined by the US). Ever more determined actions are well illustrated by the decision to limit semiconductor access (which I commented on here).

Although the answer by the West, mostly the US, seems firm now, it again comes late and is reactive. China has not only been able to reign supreme in the market for developing critical digital technologies, but also to secure a lot of influence over the organisations which are responsible for standardisation and discussions over the direction of future measures. Again, ITU turns out to be the key element of this strategy. China is very effective in acting in the halls of this organisation as it puts many proposals and technology solutions on the table, strongly shaping the discussion. Their clout is being built step by step; choosing ITU Secretary-General, Mr Houlin Zhao, already in his second term, was a major moment here. Notably, as the incumbent he didn’t even have a challenger. Although the Secretary’s leadership position is very important and visible, in terms of agency Chinese efforts to fill the middle rungs of UN bureaucracy are equally vital. Overly passive actions by the West illustrate the problem pointed to earlier – not fighting for key positions, ineffective process shaping.

All the while, China is skilfully carrying on, moving beyond the 5G topic, painting a picture of new breakthrough solutions. The flagship proposal, the New IP initiative, has the potential to revamp the architecture of the whole Internet.

  • Cybercrime and actions in cyberspace

Another area that shows the West to be on the defensive is the regulatory framework process for cyberspace activity. One instance is the December 2019 vote in favour of the Russian resolution that opens the door for an expert committee to work on laying the groundwork for a global anti-cybercrime treaty. Attempts to begin drafting the treaty already took place years ago, yet they had been effectively blocked by Western countries so far. This time the Russia-led coalition, supported by China and many developing countries, achieved success. The process was set in motion and may clear the way for decisions that promote authoritarian solutions related to controlling cyberspace users’ activity.

The cybercrime-fighting resolution is not the only success that the China-Russia bloc has enjoyed. Another one is effectively moving to start the UN Open-Ended Working Group (OEWG), which tackles the topic of norms for countries’ responsible behaviour in cyberspace. The process goes alongside (and many see it as going against) the work of the so-called Group of Governmental Experts. In the past, this Group made numerous important decisions regarding norms, trust-building measures and the application of international law to cyberspace activity. OEWG is but another stage of effective action by a phalanx of states headed by the China-Russia duo.

Whither cyberspace?

After years of apathy and downplaying China’s expanding influence over international institutions, Western countries can no longer remain on the defensive. Walking out of crucial processes (as happened e.g. in the UNESCO case) is de facto yielding. Such actions should not take place, since they will determine the (un)importance of the West (and Western values) in the future global order.

On the contrary, processes need to be actively shaped, and coalitions both long-term and ad-hoc need to be built to influence the decisions on new technologies. The latest initiative by Estonia during its UN Security Council presidency is a commendable example. In fact, across the whole of the UN, nine important elections for heads of specialised agencies and funds are slated before the end of 2021. It’s a fine opportunity for a coalition of Western countries to act successfully. The recent EU activity on data strategy also seems very promising (I wrote more about that here).

The linchpin is not only the mobilisation and construction of a united front between “traditional” allies. A step forward needs to be made and cooperation with developing countries needs to be strengthened, the countries that more and more often find themselves in China’s or Russia’s sphere of influence, and with their ballots and backing help these two become more ensconced in international organisations. Drawing developing countries in has to not only be based on compelling arguments but also be backed by offers of tangible material and technological support. The outcomes that the West wants to achieve should also take these countries’ proposals and viewpoints into account. This is going to defang the main claim by China, currently posing as the defender of the inclusive world digitisation model.

To sum up, we have reached the moment when the West needs to wake up from its diplomatic slumber. Besides rebuilding its technological potential, it needs to regain the presence and agency in international institutions and organisations. The time for half-measures and negligence is over. Either the West goes all out, or it fails.

* Another element of the strategy is to form one’s own institutions, platforms and forums – but that is a topic for a whole ‘nother text.


The new U.S. chip rules – a game-changer in the 5G landscape?

COVID-19 certainly accelerated significant shifts in the global supply chain architecture. The pandemic increased already existing tensions and moved the US-China rivalry to the next level. In this pressured context, the US makes a move that can influence the global trajectory of technological rivalry.

On May 15th the Trump administration announced a new ruling which aims to cut off Huawei Technology’s access to the semiconductors produced by global chipmakers. It “requires foreign manufacturers using U.S. chipmaking gear (e.g. Taiwan’s TSMC – the author’s remark) to get a license before being allowed to sell semiconductors to Huawei”.

The U.S. Commerce Department’s unprecedented move has the potential to significantly impact the outcomes of the 5G rivalry that has been heating up the international community for months. It is very likely that (especially in the short term) Huawei will not be able to buy (and for sure will not be able to develop) an alternative to US-related technologies. That can cripple its 5G-related business strategy, as well as influence the international stage in general. Here are a few points on how:

  • In the context of the US-China rivalry: it will surely lead to a huge escalation of tensions, including very likely Chinese retaliatory actions. It is clear now that the 5G competition is not simply a security-oriented dispute but also a critical battle for global technological dominance. China will not let go easily.
  • Globally, especially in the EU, the situation can bring changes in the strategy on how to build 5G systems. The so-far-undecided EU Member States – like France or Germany – might gain an important argument against following the Chinese option. Until now, many EU countries seemed to be waiting for events to develop: on the one hand being pushed by the US to exclude Chinese companies, on the other, being afraid to risk economic relations with Chinese partners. The U.S. chip ruling has a chance to influence the EU 5G decisions and impact the general negotiation posture of the EU towards China. The threat that China won’t be able to deliver technology can serve as a reasonable argument for why EU players may want to choose a different business option. It also can refute an often-cited argument that Huawei is able to provide partners with fast and cheap solutions.
    In the context of a united EU approach, Germany will play a central role. This country will soon lead the rotating EU Council Presidency and will also host a high-level meeting with China later this year. The German choice of strategy will have a pivotal meaning for the entire Union.
  • In the long run, China will try to build its own capabilities in the chip industry (which may really not be that simple). In the short term, the country will look for new coalitions to produce and replace the US-affiliated semiconductors. Some actions have been undertaken in this context already. But this will only exacerbate the global tech rivalry, as the U.S. will push even harder on partner states to pick sides in the strategic competition.
  • It seems that the decision regarding the semiconductors can be seen as a victory of the so-called “China hawks” in the U.S. government. But a muscular policy regarding China must come with a more positive, constructive proposal for the U.S.’s potential partners. If Washington wants to be a credible partner, it should come with an appealing strategy to support (technologically, strategically, economically) those who align with its strategic interests. The U.S. seems to have the tools to do that, as well as the motive.
    The U.S. National Strategy to Secure 5G recently pledged to “promote responsible global development and deployment of the 5G infrastructure”. Soon the administration should propose a concrete action plan that will articulate what it means in practice. This plan can be used to support foreign partners in getting access to the equipment and services needed to develop their digital infrastructure.
    Engagement on the global scene can help the U.S. to push forward another agenda point: the promotion of an open and interoperable architecture in the 5G ecosystem. Looking at some recent moves – the announcement of the Open RAN Policy Coalition and the introduction of a bill that provides $750 million (!) to support the deployment and use of Open RAN 5G networks – it may be assumed that the U.S. administration has made up its mind and will push this strategy also among its allies. This is a move that might not change the status quo immediately but has a chance to secure the U.S. position in the years to come.
    Europe should pay attention to these processes, as they may simultaneously bring potential challenges and opportunities for concrete European companies and for EU tech and industrial policy as a whole.

CYBERSEC panel on Technology Alliances Response to Geopolitical Tensions

While the international community, scholars, business and political leaders discuss possible shapes of the post-virus world order, while we observe the first signs of a revolution in the architecture of the global supply chain, and while key institutions debate the role of values and fundamental rights in the time of the pandemic, new technologies stand at the heart of those discussions.
A panel discussion entitled Technology Alliances: Response to Geopolitical Tensions, which took place during the 3rd edition of the CYBERSEC Forum, provides interesting insights into the tech-related geopolitical implications of the COVID-19 pandemic.
The full debate can be seen here:

Speakers:
Joanna Świątkowska – Assistant Professor, AGH University of Science and Technology and AGH Cybersecurity Center
Marta Poślad – Director, CEE Government Affairs, Google
Baroness Pauline Neville-Jones – Member, UK House of Lords, Former Minister of State for Security and Counter Terrorism of the UK
Ambassador Robert L. Strayer – Deputy Assistant Secretary for Cyber and International Communications and Information Policy, U.S. Department of State
Sir Julian King – Former Commissioner for the Security Union (2016-2019), European Commission
Wiktor Staniecki – Head of Cyber Sector, Security Policy Division, European External Action Service

Join the CYBERSEC session on tech and geopolitics

This year, the European Cybersecurity Forum – CYBERSEC Brussels will be a fully, and literally, digital platform for discussion. The fact that, in times of pandemic, we can gather safely to discuss the most pressing challenges of the digital realm is the greatest testimony to the importance of technology in our lives.

CYBERSEC Brussels 2020 will cover a wide range of crucial topics related to digitalization. One of them will be a panel entitled TECHNOLOGY ALLIANCES: RESPONSE TO GEOPOLITICAL TENSIONS. The tone of the debate will, of course, be set by the current challenges related to the COVID pandemic – a game changer in the geopolitical theater.

What will be discussed during the panel:

  • Predictions related to the post-COVID global architecture of tech supply chains
  • The impact of new technologies on the geopolitics of the new, upcoming world order
  • The role of tech companies on the geopolitical chessboard
  • The European strategic digital autonomy and digital diplomacy in the shadow of a worldwide pandemic
  • The race between “authoritarian” vs “democratic” digitalization

The session will gather top-notch experts from various fields:

  • Marta Poślad – Director, CEE Government Affairs, Google
  • Baroness Pauline Neville-Jones – Member, UK House of Lords, Former Minister of State for Security and Counter Terrorism of the UK
  • Ambassador Robert L. Strayer – Deputy Assistant Secretary for Cyber and International Communications and Information Policy, U.S. Department of State
  • Sir Julian King – Former Commissioner for the Security Union (2016-2019), European Commission
  • Wiktor Staniecki – Head of Cyber Sector, Security Policy Division, European External Action Service

As the moderator of the session, I warmly welcome everyone to participate online in the debate. Date and time of the panel: 24 March 2020, 10:00 – 11:00 (Brussels time)

Register now to join us live and take part in Q&A: https://cybersecforum.eu/en/brussels/registration/

Tackling cybercrime to unleash developing countries’ digital potential

My paper for @p4pcommission, Oxford's @BlavatnikSchool, deep-dives into cybercrime problems in developing countries. You should have a look, and here is why:

In the last 15 years, the demography of internet users has changed dramatically: in 2000, developed countries represented 82% of the world’s internet users; by 2017, developing countries were the biggest group of internet users (73%).

That significantly impacts the global cybercrime scene. I elaborate on why developing countries are especially susceptible to cybercrime, focusing on:

  • Technology-related security shortages
  • Human factor
  • Insufficient strategic solutions
  • Digitalisation of financial services

In order to tackle the challenges, I suggest applying “digital pragmatism”, an approach that:

  • supports the implementation of ‘secure by design’ decisions and actions, at both the technical level and the strategic level
  • advocates for application of new technologies in order to strategically address the problem
  • requires better situational awareness of both the threats & the opportunities related to digitalisation, which allows for the implementation of targeted & efficient solutions
  • calls for more co-ordinated and more effective international efforts to deal with cybercrime

https://pathwayscommission.bsg.ox.ac.uk/node/299

About trust-building tools in cyberspace

I encourage you to take a look at my article published in "Między wiedzą a władzą. Bezpieczeństwo w erze informacji" ("Between Knowledge and Power. Security in the Information Era"), edited by Piotr Bajor and Artur Gruszczak [publication only in Polish].

Hostile actions conducted in cyberspace constitute a new and serious factor that might lead to an escalation of conflicts, with very negative consequences for security. My article analyses the mechanisms that can increase the stability of cyberspace and considers how these instruments can be implemented.
