I recently had the pleasure of interviewing my good friend Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), about the Evolution of Industrial Control System Information Sharing.
In the article, Blask discusses what he sees as improved efforts to break down information silos between government and the private sector.
That’s the whole purpose of ICS-ISAC, to bring together the stakeholders for the purpose of sharing knowledge about risks, threats and current best practices to better protect our shared critical infrastructure.
In our discussions Blask suggested that we consider publishing a paper he recently authored with David Alley, the Senior Advisor for Itex Solutions in Sana’a, Yemen.
The article examines how ongoing developments are enabling the nation of Yemen to flourish in the international community through cybersecurity infrastructure improvements and corresponding workforce development projects.
This is an excellent writeup on a subject that would otherwise enjoy little or no attention outside of a very small community of security professionals, and it is with great pleasure that we present the following work.
* * *
Sixty thousand years ago, a small group crossed the shallow Red Sea at the Bab Al-Mandeb and began the human emigration from Africa into Yemen, leading to the spread of mankind around the world. This first “Out of Africa” tribe flourished in this new land and gave rise to all other tribes throughout the Arabian Peninsula, Asia, Europe and the Americas.
At the interfaces of these tribes, an exchange of information allowed each tribe to judge the trustworthiness of the others. Where neighboring tribes consistently honored commitments, the trade of goods and ideas flowed. When trust was broken, trade soured and violence loomed.
Today, a new form of tribe, the cyber tribe, has spread around the world in a matter of decades versus the millennia necessary for the original tribes to populate the world. Cyber tribes include states, corporations, international bodies, ethnic communities, religious groups, non-governmental organizations, criminal gangs and other non-state actors.
Indeed, any group of like-minded individuals can form or dissolve a cyber tribe in a matter of minutes. The central component is a shared interest that the tribe pursues collectively in cyberspace, which may or may not have any relation to events in the physical world.
Relations in cyberspace are often described using the vocabulary of interstate relations; however, this terminology is often insufficient as cyberspace is normally free of physical limitations imposed by geography or legal limitations imposed by treaties and the rule of law.
The complex interaction of cyber groupings, or cyber tribes, is further complicated by the notion that individuals can belong to multiple tribes simultaneously and affiliations can change instantaneously.
Interactions in cyberspace are much more reminiscent of Hobbes’ “State of Nature” than a society governed by complex legal institutions that provide safe space for collective action.
While some may call for an immediate implementation of legal frameworks to regulate cyberspace, this is unlikely to happen within the foreseeable future. The current weaponization of cyberspace – illustrated by the Stuxnet attack against the Iranian nuclear facility at Natanz; the Shamoon attack against the Aramco oil facilities in Saudi Arabia; and another Shamoon attack against the Ras Gas natural gas facilities in Qatar – will cause states desiring to exploit this capability to demur on such frameworks.
In the cyber era, the world’s cyber tribes are distributed around the globe and measure the distance between themselves using the metrics of trust rather than geography. Today, in cyber terms, Japan lies close by America’s shores yet far from China, while Saudi Arabia shares a border with France but is separated by a broad and challenging cyber ocean from Yemen.
The poor tiny African nation of Djibouti is a major transit hub for digital communications between Asia and Europe. Just across the Bab Al-Mandeb, Yemen is accelerating its connectivity with the rest of the world.
In Yemen’s capital Sana’a, the Old City has been encircled by strong high walls for a thousand years. The Bab al-Yemen (Yemen Gate), securing the entrance of those walls since antiquity, has provided assurances near and far that commerce and culture could flow safely, protected by the rule of law and custom, in and out of this portal. The Bab al-Yemen was a symbol of security and trustworthiness that allowed Sana’a to engage in trade and growth for centuries.
Today, nations of the world communicate trustworthiness and the security of their markets to neighbors through displays of strength no differently than the gates of ancient cities communicated a similar message. A primary form of this display in the cyber age is a national CERT (Computer/Cyber Emergency Readiness/Response Team).
A well-founded CERT lets other cyber tribes know that rule of law is respected within a nation’s cyber realm and that their interests will be respected. Economic, human and intellectual capital in the modern world follow routes defined by these cyber gates and the harbors of stability they protect, just as trade has done since the dawn of civilization.
The CERT Coordination Center (CERT/CC) was established in November 1988 at Carnegie Mellon University in response to the first Internet-distributed malware (the Morris Worm). Since then, it has acted continuously to provide a clear signal that the American cyber tribe took seriously its responsibility to enable other cyber tribes to engage without undue concern for their security. CERT/CC has become the model for nations wishing to demonstrate their own cyber stability and trustworthiness.
National CERTs have been established in forty-eight countries according to the Forum of Incident Response and Security Teams (FIRST). An additional one hundred and fifty-eight FIRST members represent CERTs from law enforcement, business and academia. Modern cyber tribes who lack the symbolism and function of a CERT can find themselves bypassed by the routes of international commerce as wary traders seek other tribes who can be trusted.
Yemen does not currently have a national center – or even a body that is formally tasked and resourced to undertake such responsibilities – to provide those assurances of trustworthiness. As Yemen stands at the threshold of a new era, the Bab al-Yemen provides a tangible signpost pointing to the nation’s future.
Yemen needs to establish a Bab al-Yemen on its cyber frontier to attract the merchants and academics of the world to partake in the exchange of value its burgeoning population can offer. It is in the interest of the international community to assist Yemen in its endeavor to integrate itself into the collective cybersecurity framework as a part of the strategic effort to prevent the country from becoming a haven for cybercrime and cyberterrorism.
In November 2012, we met with national business, education and government leaders in Sana’a to discuss the establishment of a Yemen CERT (Y-CERT). These leaders expressed support for the creation of the center without delay. Lawmakers also voiced a willingness to push cyber legal frameworks to the forefront, as Yemen currently has no cyber law on its books.
This enthusiasm among the nation’s leadership provides an opportunity for the international community to offer the support and guidance necessary to help Yemen become a role model for other developing nations in the area of cybersecurity.
By establishing Y-CERT, Yemen achieves more than entry into the global cyber community. It provides an epicenter around which its youth can build high-value careers, addressing a key concern among internal and external stakeholders for increased employment opportunities.
Y-CERT will provide Yemeni companies opportunities to develop cybersecurity businesses and staff them with skilled local talent, and a safe haven for cyber businesses to flourish. Both of these outcomes will contribute to the economic stability that is desperately needed to buttress a tenuous political transition.
The leadership of Sana’a University graciously provided a forum to present a lecture on the opportunity Yemen has to enhance both its internal stability as well as its international standing through the development of cybersecurity skills and structures. Establishing Y-CERT was highlighted as a central component in providing the foundation for stability and economic opportunity the country’s youth demand.
Over four hundred students and faculty spent two and a half hours in the session and dozens stayed afterwards to learn how they could participate. These students and their professors can provide the skills to operate Y-CERT and perform associated research.
U.S. interests in the region are predicated on regional stability within and among states. Today, Yemen teeters on the cusp of a successful transition on the one hand and failed-statehood on the other. For scant investment of human or financial capital, the United States and the international community have the opportunity to forward their policy goals through the implementation of a strong cyber defense. Encouraging greater cyber cooperation between Yemen and its immediate neighbors could lower tensions and mistrust. All sides could benefit from such a positive development in their regional relations.
The U.S. administration should support groups in Yemen who are willing to build the country’s digital Bab al-Yemen. American resources in the public and private sectors can easily be vectored to provide the technical, organizational and financial support to establish Yemen’s center of excellence in cybersecurity by sharing skills and knowledge gained during the creation of similar capabilities in the United States.
Working with partners such as Saudi Arabia, Qatar and the United Arab Emirates (UAE) who have already created national CERTs, the United States can leverage existing regional interests to accelerate Yemen’s ability to actively participate in the global cyber economy as a verifiably trusted actor.
Qatar’s Q-CERT stands poised with highly developed tools and Arabic language training which can be used to build a world-class center. The UAE, with its GCC-leading cyber infrastructure, CERT-AE, and a National Cyber Security Agency, is exceptionally well-equipped to assist in cyber defense.
By providing support for a Yemeni center, the United States increases its ability to achieve its policy goals of improving Yemen’s accountability to regional and global trading partners; creating new economic opportunities; and mitigating the risks of a rogue cyber tribe.
American policy goals are further enhanced by supporting cybersecurity workforce development capabilities. More than half of the Yemeni population is under the age of 15. This young population is rapidly becoming familiar with the world of electronic communications. Cell phone usage has exploded and Internet connectivity is increasing exponentially.
Enabling Yemen’s youth to find productive roles in society through the development of high-value/high-demand cybersecurity skills helps reduce the risk of instability related to their economic disenfranchisement.
Improving the communications infrastructure of the nation may also encourage Yemen’s youth to remain in the country by enabling them to export their skills without having to migrate to richer nations. As Yemeni graduates and workers find it possible to build careers at home, the risk of brain-drain is reduced while needed capital is brought into the country.
International businesses and governments should be encouraged to help build the fiber and wireless networks an educated workforce will need to apply their skills to the task of creating domestic job opportunities. With a modern infrastructure, Yemen’s youth will be more likely to develop their career opportunities in-country as opposed to being forced to leave and pursue education and careers elsewhere.
Building trust among cyber tribes benefits all members of the global collective. America and the international community are currently presented with the opportunity to invest in the stability of a critical cyber tribe in a critical geographic region. Providing this small amount of investment in the future of Yemen presents the possibility of global economic and geopolitical returns of significant reward. Failing to do so could contribute to the country’s further economic marginalization.
The risks of instability in Yemen caused by cybercrime and cyberterrorism are real. Several recent events poignantly highlight these risks. Tele-Yemen, one of Yemen’s leading telecommunications companies and its only international gateway, was hacked in the summer of 2012.
This cybercrime resulted in over $20 million of lost revenue that would have accrued to the government. For this amount of money, Y-CERT could have been built and manned many times over. Also in the summer of 2012, Yemen’s Central Bank suffered numerous Distributed Denial of Service attacks and its websites have been infected numerous times with malware such as the Zeus Trojan botnet.
The Zeus Trojan specifically focuses on financial institutions around the world with the aim of stealing money from banks. In 2010, according to the F.B.I., over $70 million was stolen from banks in the United States using the Zeus Trojan.
Yemen can ill-afford a similar loss. In November 2012, a suspected Al-Qaeda in the Arabian Peninsula (AQAP) operative was arrested after phone call intercepts revealed that he was planning to conduct a cyber-attack on Yemen’s oil infrastructure in retaliation for the government’s attacks against AQAP.
As Yemen depends on the oil sector for nearly 70% of its revenue, a successful attack on this industry would be incredibly destabilizing for its fragile economy. For these reasons, establishing Y-CERT should be at the top of the list of priorities for the Yemeni government and the international community.
As Yemen faces the converging challenges of food insecurity, water scarcity, oil depletion, economic decline and political instability, cybersecurity can be seen as a relative newcomer to the list of national challenges. Nevertheless, cybersecurity must be addressed now in the form of Y-CERT in order to mitigate the risks of cybercrime, cyberterrorism, and further economic deterioration.
Indeed, a robust cybersecurity infrastructure in Yemen could provide a springboard for the country to address some of these challenges by employing Yemenis to address these cybersecurity issues while accruing valuable ancillary benefits such as increased educational and employment opportunities for its people.
Now is the time for the cyber tribes of the world to work with the people of Yemen to lay the foundation for the nation.