Transcription
VOLUME 4 (2018) ISSUE 3STRATEGIC PERSPECTIVES ON CYBERSECURITY MANAGEMENT AND PUBLIC POLICIESANALYSES POLICY REVIEWS OPINIONS
Barbara Sztokfisz, Marta PrzywałaCYBERSEC Project ManagersDr Joanna ŚwiątkowskaCYBERSEC Programme Director and Senior Research FellowVolume 4 (2018), Issue 3, page reference
VOLUME 4 (2018) ISSUE 3EDITORIALBARBARA SZTOKFISZMARTA PRZYWAŁAResearch Fellows of the Kosciuszko InstituteCYBERSEC Project ManagersChief Editors of the European Cybersecuirty JournalDear Reader,We are happy to hand over to you this special issue of the European Cybersecurity Journal that coincides with the EuropeanCybersecurity Forum – CYBERSEC taking place in Krakow for the fourth time.The leitmotiv of CYBERSEC 2018 is building and searching for trust in cyberspace – an obvious yet still underestimated goal.Emerging disruptive technologies show trust must be part of systems and processes, but this is a different kind of trust thatis customarily placed in traditional actors who use these technologies. As digital transformation can only succeed in a safecyberspace, a pursuit to strengthen mutual trust is needed more than ever. Kofi Annan, ‘a man of peace in a world of war’, whois present in our thoughts these days, once said: ‘More than ever before in human history, we share a common destiny. Wecan master it only if we face it together.’ The same rule applies to this brand new reality of our civilization – the cyber reality.The information management in a multi-stakeholder environment requires cooperation, compliance and accountability. Theinternational community has an important role in building the culture of trust and the architecture of cybersecurity in variousareas: public, military, business, and education. It should ring alarm bells particularly where the norms of state behaviourand confidence-building measures are not developed. The cybersecurity is, first and foremost, a shared responsibility.These questions, among others, will be discussed at CYBESEC 2018, while the present European Cybersecurity Journal willcomplement them with expert insights.What is important is that the international community should make the new cyber reality inclusive. To quote again the greatmind of the turn-of-the-century, ‘young people should be at the forefront of global change and innovation. Empowered, theycan be key agents for development and peace.’ Therefore, to satisfy this need, CYBERSEC and the European CybersecurityJournal will introduce you to Young Leaders who, embracing a new perspective, are able to look ahead in an unconventionalway. In the next issues, we will present a series of articles by winners of the contest for ambitious and visionary students fromthe world’s most renowned academic institutions. However, before reading them, meet them on the conference stage!Enjoy CYBERSEC 2018 and the read!3
CONTENTS6Interview with Antonio Missiroli9Interview with John FrankChanging the Status Quo – Increasing Trustof the Cloud with Continuous Assurance14Daniele Catteddu23Error 404: Drone Not FoundSmartphones as Unmanned Aerial Vehicle Ground Control Stations:an overview of cyber-related vulnerabilities34Quantum technologies and standardization38Between cyber and physical worlds: secure endpoint devicesas the key interface for a Blended Reality futureGinevra FontanaTomasz MazurGiulia Pastorella, Simon Shiu
44Information Sharing for the Mitigation of Hostile Activity inCyberspace: Comparing Two Nascent Models (Part 1)51Can a public tender be a threat to IT infrastructuresin public institutions?57Protecting today against the threats of tomorrow62INDUSTRY’S INITIATIVE TO INCREASE RESILIENCE OF CYBERSPACE:THE CYBERSECURITY TECH ACCORDDeborah Housen-CourielPaweł SawickiLothar Renner
EUROPEANCYBERSECURITY journalOutcomes fromthe 2018 NATO Summitin BrusselsThank you, Dr Missiroli, for finding time for this interviewInterview with Dr Antonio Missiroliin July this year?in which we would like to talk about the recent NATOSummit in Brussels. It drew attention of the publicopinion in several aspects, but few payed attention to thecybersecurity issues that were raised. What did NATOaccomplish with respect to cyber policy during the summitAntonio Missiroli: As cyber threats to the securityof the Alliance become more frequent, complex anddestructive, strengthening cyber defences is a toppriority for NATO. At their Summit in July 2018, Allies tookthe next steps in enhancing their defences in the cyberdomain. Recognising cyber’s contribution to NATO’s overalldeterrence and defence, they agreed on how to integratesovereign cyber effects, provided voluntarily by Allies, intothe Alliance’s operations and missions. Allies also agreedto establish a new Cyberspace Operations Centre.NATO leaders remain determined to employ the full rangeof capabilities, including cyber, to deter, defend againstand counter the full spectrum of cyber threats, includingthose conducted as part of a hybrid campaign. To this end,Allies also re-committed to the national delivery of theCyber Defence Pledge, which is central to enhancing cyberresilience and raising the costs of a cyber attack.The decisions taken by Allies at the recentBrussels Summit continue to reinforce thisapproach in order to ensure that NATO remainsfit for purpose in the digital era.DR. ANTONIO MISSIROLIis the Assistant Secretary General for Emerging SecurityChallenges. Prior to joining NATO, Dr. Antonio Missiroli wasthe Director of the European Union Institute for SecurityStudies (EUISS) in Paris (2012-17). Previously, he wasAdviser at the Bureau of European Policy Advisers (BEPA)of the European Commission (2010-2012); Directorof Studies at the European Policy Centre in Brussels(2005-2010), and Senior Research Fellow at the W/EUInstitute for Security Studies in Paris (1998-2005). He was alsoHead of European Studies at CeSPI in Rome (1994-97) anda Visiting Fellow at St Antony’s College, Oxford (1996-97).As well as being a professional journalist, he has also taughtat Bath and Trento as well as Boston University, SAIS/JohnsHopkins, at the College of Europe (Bruges) and Sciences Po(Paris). Dr. Missiroli holds a PhD degree in ContemporaryHistory from the Scuola Normale Superiore (Pisa) anda Master’s degree in International Public Policy fromSAIS/Johns Hopkins University.6Finally, Allies re-affirmed their commitment to actin accordance with international law, as well as their supportfor a norm based, predictable and secure cyberspace,underscoring the need to further develop partnerships,including partnerships with the industry and academia.Over the years, NATO’s approach to cyber defence hasevolved in a measured and responsible manner in responseto the cyber threat landscape. The decisions taken by Alliesat the recent Brussels Summit continue to reinforce thisapproach in order to ensure that NATO remains fit forpurpose in the digital era.
VOLUME 4 (2018) ISSUE 3National developments concerning the Cyber DefenceOne of the most concrete cyber initiatives associatedPledge engagements were assessed for the first timewith this year’s summit is the new NATO Cyberwith regard to set criteria. The outcomes are classified;Operations Centre, which NATO defence ministershowever, could you still present the general trends andagreed to create last year. The Centre will be a partthe overall performance of the Allies? How has the generalof the outline design for the adapted NATO Commandattitude to cyber defence changed? Can we consider theStructure. What does the creation of this institutionfirst test for NATO cyber commitments passed?mean exactly, and how will it integrate national cybercapabilities into NATO missions? Given that cyberWhat has become obvious in the two years since the Cybercapabilities differ from conventional ones, could youDefence Pledge was made is how cyber defence is nowclarify what the integration means in this context? Whatfirmly on the Alliance’s radar. This was one of the goals of thewill be the mechanism to integrate voluntary nationalPledge—to raise awareness about the need to invest in cybercyber contributions into the military planning process?defence in order to strengthen national infrastructures andnetworks. The Cyber Defence Pledge and annual reportingNATO is setting up a new Cyberspace Operations Centre,have allowed us to draw attention to the topic to generatein Mons, Belgium, to provide situational awarenesssustained commitment. Judging from the evidence provided,and coordination of NATO operational activity withinwe can see that all Allies have made progress, especially withcyberspace. This is a major new component of the adaptedregard to policies and strategies and establishing or reviewingNATO Command Structure. It is part of our work to makenational organisational structures. For example, some nationssure NATO is as effective in cyberspace as we are on land,are now on their third or fourth national cyber securityin the air and at sea.strategy, and we are witnessing a trend of establishingcyber commands – military organisations able to supportMore specifically, the Cyberspace Operations Centreoperations in cyberspace. These structures will be importantforms a dedicated and centralised entity with the NATOas more Allies recognise that, alongside NATO’s own agendaCommand Structure. It functions as NATO’s theatre-to operate in cyberspace, their militaries will need to havecomponent command for cyberspace and the primarythe right capabilities to be able to take advantage of thecoordination point for NATO’s cyberspace operationalcyberspace domain.activities, including the provision of operational cyberspacesituational awareness to NATO commanders, as well as theNonetheless, challenges remain. Allies report that securingintegration of cyber defence into planning and operations.funding remains very important. Allies continue to grapplewith the issues of the recruitment and retention of cyberThe Cyberspace Operations Centre, in its role as a coordinator,defence experts. Training is also a vital and perennial issuewill also help integrate Allies’ national cyber effects into ourthat requires sustained attention.operations and missions. Allies will nonetheless retain fullcontrol over those capabilities. It is important to highlightIn conclusion, it is important to recall that the Cyber Defencethat this does not change NATO’s mandate. NATOPledge is deliberately open ended, because the threatremains a defensive Alliance, and acts in accordance withlandscape changes, so Allies will always need to be doinginternational law. The Cyberspace Operations Centre willmore. The Cyber Defence Pledge thus has an importantbe an important contribution to NATO’s cyber defencesrole to play in helping to change perceptions on how cyberand to our overall deterrence and defence. We expect thedefence should be addressed in a sustainable fashion.Centre to become operational next year.It is important to recall that the Cyber DefencePledge is deliberately open ended, because thethreat landscape changes, so Allies will alwaysneed to be doing more.How can NATO respond to cyber-enabled informationoperations and how can the Alliance be effectiveagainst such threats? What is its operational capacityin cyberspace?7
EUROPEANCYBERSECURITY journalNATO will defend all Allies against any threat: in cyberspace,The very essence of NATO is anchored in the notion thatas well as on land, in the air or at sea. Cyber attacks aremore can be achieved when working together. The Brusselsincreasingly used as a tool in the arsenal of hybrid warfare,Summit highlighted the progress in recent years on enhancingand so improving our cyber defences forms an importantcooperation between NATO and the European Union,part of NATO’s work on countering hybrid warfare.including in the area of cyber defence. Continued cooperationto address evolving security challenges and to strengthenNATO’s IT infrastructure and centralised protection coverscapabilities was further welcomed.over 60 different locations, from the political headquartersin Brussels, through military commands, to the sitesOver the last years, we have taken steps to intensify ourof NATO missions and operations. A 200-strong cybercooperation on cyber defence with the European Union,team defends NATO’s networks around the clock. Thisnotably in the areas of information exchange, training,team prevents intrusions, detects, analyses and sharesresearch and exercises. Real-time information exchangeinformation and conducts computer forensics, vulnerabilitybetween the incident responses teams of NATO andassessments and post-incident analysis. NATO also hasthe EU continues to take place through a Technicalcyber defence rapid reaction teams on standby to reinforceArrangement on Cyber Defence, concluded in 2016. Thisthe defences of NATO networks or to help Allies cope withArrangement facilitates cooperation at the operational anda cyber attack.tactical level between cyber defence experts. As far as theexercises are concerned, we were pleased that last year,NATO and Allies exchange information about cyber threatsthe cyber defence staff from the EU were for the first timein real-time, including through a dedicated Malwaremade full participants in NATO’s Cyber Coalition exercise,Information Sharing Platform. NATO also invests in training,and NATO experts were recently involved for the first timeeducation and exercises which bolster the skills of nationalin the Cyber Europe 2018 exercise.cyber practitioners. Deepening partnerships with othercountries, international organisations as well as withindustry and academia represent an important elementof NATO’s approach to cyber defence. For example, ourThe very essence of NATO is anchored in thenotion that more can be achieved whenworking together.continuous interaction with the industry helps providerapid notice and mitigation of cyber attacks against NATOAs cyber policies and approaches continue to evolve on bothand NATO Allies. During the WannaCry incident in Maysides of Brussels, we are continuing to seek opportunities2017, we quickly reached out to Allies and our industryto deepen our engagement with the EU in a spiritpartners. The information we exchanged was critical forof complementarity and non duplication. Moving forward,getting the most up-to-date picture of a rapidly evolvingwe will be looking increasingly at how our respectiveand complex situation.organisations are equipped to manage and respondto potential cyber crises, particularly given that manyWhile much progress has been achieved to bolster NATOactivities in cyberspace ‘fall below the threshold’, so that weand Allied cyber defences, there remains more to be donecan share the best practices and improve readiness.in view of the rapidly evolving cyber threat landscape.The Brussels summit was an opportunity to followup on EU-NATO cooperation. The two organisationssigned a new joint declaration that focuses, amongothers, on cyber security and hybrid threats. Whatare the new elements that it introduces in comparisonto the previous declaration? How can it enhance thecooperation between the EU and NATO?8Questions by Marta Przywała
VOLUME 4 (2018) ISSUE 3Interview withJohn FrankHow can private companies contribute to theenhancement of stability and security of cyberspace?How can they cooperate with governments?John Frank: Cyberspace is largely owned and operatedby the private sector, and government cyber offensespose dangerous risks to stability and security. Technologycompanies are often the first line of defense and responseto online assaults by nation-states or other actors. Weneed multi-stakeholder action to change governmentbehaviour and to improve cyber defense and resilience.We are determined to reduce nation-state cyber assaultson civilians through multi-stakeholder action. The WannaCryand NotPetya attacks in 2017 were launched by nationstates. They were highly destructive and indiscriminatelydamaged businesses and citizens around the world. Eachcaused billions of Euros in damages. But no country hascalled the assaults a violation of international law.We need multi-stakeholder action to changegovernment behaviour and to improve cyberdefense and resilience.Governments need to adopt binding international normsfor responsible behavior in cyberspace. We commendJOHN FRANKexisting efforts such as the UNGGE process and theis Microsoft's Vice President, EU Government Affairs.In this role, John leads Microsoft’s government affairsteams in Brussels and European national capitals on EUissues. John was previously Vice President, Deputy GeneralCounsel and Chief of Staff for Microsoft President and ChiefLegal Officer Brad Smith based at Microsoft’s corporateheadquarters in Redmond Washington. In this role, hemanaged several teams including the Law Enforcementand National Security team, the Industry Affairs group,Corporate, Competition Law and Privacy Complianceteams and the department’s technology and businessoperations team. For his first eight years at Microsoft, Johnwas based at Microsoft’s European headquarters in Paris.Initially he was responsible for the legal and regulatoryissues involved in the launch of the Microsoft Network(now MSN).From 1996 to 2002, Mr. Frank led Microsoft’sLegal and Corporate Affairs group for Europe, Middle Eastand Africa focusing on issues including privacy, security,consumer protection and antitrust. Mr. Frank began thecompany’s European Government Affairs program, whichfocused on advocacy on software and online policy issues.Prior to joining Microsoft, John Frank practiced law in SanFrancisco with Skadden, Arps, Slate, Meagher & Flom. Mr.Frank received his A.B. degree from the Woodrow WilsonSchool of Public and International Affairs at PrincetonUniversity and his J.D. from Columbia Law School.Global Commission on the Stability of Cyberspace. Butwe believe the most effective solution will require a newinternational agreement – a Digital Geneva Convention –to protect civilians on the internet in peace and in armedconflicts. This would build on existing international law,establishing clear limits for the permissible use of offensivecapabilities in cyberspace. We recognize that incrementalsteps by governments, the private sector and civil societytowards a set of digital peace principles can strengthen theeffectiveness of norms of behavior and support diplomaticleadership in this area.Microsoft and other technology companies also haveresponsibilities to protect and defend our customers.As a company, we are constantly enhancing our securitymeasures by leveraging advanced analytics and AI –but we are also taking steps as an industry. Earlier thisyear we joined over 30 other companies in signing9
EUROPEANCYBERSECURITY journalthe Cybersecurity Tech Accord that pledges to protectThis year the US Congress passed The Clarifying Lawfulcustomers, oppose nation-state attacks on innocent citizensOverseas Use of Data Act, the so-called CLOUD Act.and enterprises, and partner with each other to enhanceDo you think this particular piece of regulation maycybersecurity. And the initiative has been growing since.significantly help overcome obstacles related to evidenceaccess? What do you think about how cooperation withNo single government or company can solve a problem of thisEuropean entities should look in this matter?scale. But with concrete commitments from private and publicorganizations alike, we can reduce the risks, increase resilienceMicrosoft has advocated for new international agreementsand keep citizens safe, both on- and offline.to reform the process by which law enforcement officialsgather digital evidence and investigate crimes. We believethat the adoption of the CLOUD Act was an important stepforward in this regard.The CLOUD Act preserves the right of cloud serviceproviders to challenge search warrants when thereis a conflict of laws. But even more importantly, it createsa framework that can provide robust privacy protectionswhile enabling law enforcement agencies to access datain each other’s countries.However, this is not the end of the road. Governmentsneed to move forward quickly in putting new internationalagreements in place. We believe that these agreementsshould be principle-based. That is why we recentlyannounced six bedrock principles to drive our advocacyas governments reform their laws and pursue internationalagreements that regulate cross-border access to data.Governments need to move forward quicklyin putting new international agreements in place.We believe that these agreements shouldbe principle-based.These principles are:We recognize that incrementalsteps by governments, the privatesector and civil society towardsa set of digital peace principles canstrengthen the effectiveness of normsof behavior and support diplomaticleadership in this area.101.a universal right to notice;2.prior independent judicial authorization of lawenforcement demands for data;3.a detailed legal process and ability to challengesuch demands;4.mechanisms to resolve conflicts with third-countries;5.the right for enterprises to receive law enforcementrequests directly; and6.transparency.
VOLUME 4 (2018) ISSUE 3Users have the right to be protected by their own nation’sWe strongly welcome the call for the Three Seas Initiativelaws. The principles we are articulating represent baselineto expand its digital remit. We believe that regionalminimum requirements that should govern law enforcementgovernments, local digital businesses and global playersaccess to data. Their applications may vary, but the underlyingsuch as Microsoft can address both needs, opportunitiesfoundation of check-and-balances, accountability andand challenges in the region when working all together.transparency should remain the bedrock of any futureAnd cybersecurity deserves special focus. Exchanging bestagreements on this issue of vital international importance.practices on cybersecurity to strengthen the region’s cyberresilience, pioneering joint research on artificial intelligence,During the 4th edition of the European Cybersecurityor fostering digital transformation for the region’s businessesForum, we will discuss the concept of Digital Three Seas– these are all key to ensuring the Three Seas members can– in a nutshell, the idea is that we should aim to buildthrive and grow on the world stage.stronger digital cooperation among countries thatcooperate under the umbrella of the Three Seas initiative.Questions by Dr Joanna ŚwiątkowskaHow can companies like Microsoft contribute to that?The Three Seas initiative can help improve economicdevelopment and integration across borders. We believedigital strategies can create greater North–South economicconnections within the Three Seas Group.National governments have been slower than Europeanenterprises to embrace digital transformation in their coremissions. The Three Seas Group can aspire to build on eachother’s advances deploying advanced digital solutions forproviding governmental services to their citizens. Similardigital solutions across the region will make it simpler forbusinesses to expand from their home country within theThree Seas Group.The Three Seas initiative can help improveeconomic development and integration acrossborders. We believe digital strategies can creategreater North–South economic connectionswithin the Three Seas Group.Digital transformation is reshaping the competitive dynamicsfor companies in every country. We are committedto helping ensure that every country within the Three SeasInitiative can reap the benefits of digitization. We workacross the region assisting public and private organizationsin implementing cloud solutions that improve productivityand efficiency, as well supporting start-ups and equippingyoung people with the digital skills they need to succeedin the workplace of the future.11
ADVANCING CYBERSECURITYAROUND THE WORLD
EUROPEANCYBERSECURITY journalANALYSISChanging the Status Quo – Increasing Trustof the Cloud with Continuous AssuranceDANIELE CATTEDDU, CHIEF TECHNOLOGY OFFICER,CLOUD SECURITY ALLIANCEDaniele Catteddu is an information security and risk management practitioner, technologies expert and privacyevangelist with over 15 of experience. He worked in several senior roles both in the private and public sector.Currently, he is the Chief Technology Officer, at Cloud Security Alliance, where he is responsible to drive theadoption of the organization technology strategy. He identifies technology trends, global policies and evolvingsocial behavior and their impact on information security and on CSA’s activities. Mr Catteddu is the co-founderand director of the CSA Open Certification Framework / STAR Program.Introduction: The long tail of cloud computingvia reducing their IT cost and gaining agility by empoweringtheir developers to create new added value services. In theCloud computing is the present and the future of IT; in theresearch field, large institutions1 like CERN, ESA, EMBLspace of less than 10 years it has gained a tremendous leveland many others fully rely on large scale supercomputersof penetration. Today, the vast majority of organisationsto complete analyses and experiments that are changing(Columbus, 2018) like Google and individuals with Internetthe history of biology, astrophysics, quantum physics, andaccess use cloud computing in some shape or form. Severalmechanics. The list could go on and on, encompassing anyrenowned analysts concur that this growth trend will onlyaspect of our lives from healthcare to entertainment.continue (Columbus, 2017).In today’s world, essentially every business sector makesuse of cloud services. Governments are making their ‘cloudfirst’ (GOV.UK, 2017; Kundra, 2011; NEA, 2017; MDEC,2018) policy a strategic priority for the modernisationof the public administration, improvement of eGov services,In today’s world, essentially every businesssector makes use of cloud services. Governmentsare making their ‘cloud first’ policy a strategicpriority for the modernisation of the publicadministration, improvement of eGov services,and the leverage of ‘open data’.and the leverage of ‘open data’. The financial sectorinstitutions are adopting the cloud to gain competitiveness141 Europe’s Leading Public-Private Partnership for Cloud,http://www.helix-nebula.eu
VOLUME 4 (2018) ISSUE 3As it often happens when dealing with technology,For instance, it is undeniable that the cloud has broughtand in consideration of the pervasiveness of the cloud,a loss of direct control over the ICT infrastructure. Unlesscybersecurity has a critical role to play.you are a cloud infrastructure provider (i.e. IaaS), you willnot have direct access to server, storage and networkThis paper will discuss some of the key aspects relatedcomponents; instead, you will rely on someone else doingto security, privacy, governance and compliance and willthe job for you. The most immediate consequence of thatpropose a new approach and ideas for the cloud securityis that there is a deterioration of the level of visibility overand privacy.the network and security events and that a cloud userneeds to rely on a trusted relationship with his/her cloudCloud security and privacyservice provider (CSP) in order to compensate such lossof data. This of course implies that the CSP has to provideIn 2009, the European Cyber Security Agency, ENISA,the customer with enough information to govern his/herpublished a paper entitled ‘Cloud Computing Riskbusiness and demonstrate responsibility and accountabilityAssessment: Benefits, risks and recommendations fortoward their customers, business partners and regulators.information security’ (2009), a study in which a groupSuch a new approach to governance based on indirectof experts investigated the risks and opportunities of cloudcontrol over the infrastructure demands new strategiescomputing from the cybersecurity stand point. The resultsand tactics to acquire the information needed to manageof the analysis were clear; despite some obvious concernsthe relationships with CSPs; it demands an increased focusrelated to the loss of direct control and governance, cloudon contract terms, SLAs, service documentation and,computing could bring along a higher level of securityof course, audits and third party certifications.compared to an on-premise IT infrastructure.It is also undeniable that both CSPs and cloud users areUnfortunately, due to the lack of education and awarenessheavily impacted by the fragmentation and complexityabout the cloud model and its underlying technologies,of the global legal framework. While the cloud is a globalsecurity and privacy have been perceived as the numberscale phenomenon that relies on the possibility to applyone barrier to a large scale adoption of the cloud, especiallythe same practices across the board, the nationalin Europe and Asia. Some technologists and policygovernments have to look after the national interestsmakers depicted the cloud as a bubble that was boundand these two perspectives are not necessarily aligned.to explode under the pressure of ungovernability, a lackFor many years we have witnessed the campaignsof standardisation and transparency, and the complexityof some European policy makers against USA-basedof the global legal and regulatory framework. They wereCSPs as a consequence of the (in)famous Patriot Actwrong in absolute terms since the cloud is still here and(2001)2 and FISA (1978)3, and requests to keep datawill be with us at least up until quantum computers willon the European soil. During the pre-GDPR era, we haveforce the next IT revolution. That said, most of the risksdiscussed the diversity, if not the incompatibility of thethey perceived were real, and it is the duty of all clouddifferent Data Protection laws, both within the Europeanstakeholders to help address them.Union and at a global level. In general, it is clear that CSPsare under incredible pressure to comply with severalUnfortunately, due to t
of the European Commission (2010-2012); Director of Studies at the European Policy Centre in Brussels (2005-2010), and Senior Research Fellow at the W/EU Institute for Security Studies in Paris (1998-2005). He was also Head of European Studies at CeSPI in Rome (1994-97) and a Visiting Fellow at St Antony's College, Oxford (1996-97).
