Cybersecurity: More Than a Good Headline
Protect more
2 CYBERSECURITY: MORE THAN A GOOD HEADLINE | OCTOBER 2011
Contents
2 Introduction
3 What is ‘Cybersecurity’?
4 Thought model
5 Social, Economic, Political, and IT Alignment
6 Strategies and Policies
8 ICT Infrastructure
10 National Projects and Solutions
10 Engagement
12 Conclusion
Introduction
Hardly a week goes by without news of cyber-related attacks on both governments
and private companies. As a result, most governments today are looking to establish
some form of Cybersecurity strategy. However, talking to different stakeholders reveals
that the definition of Cybersecurity (or Cyberdefense) varies broadly and so do
the approaches from policy, process, people, and technology perspectives. This is
understandable since the Cybersecurity Agenda (or program) must be embedded
in a country’s existing legal framework, find cultural and social acceptance, and be
technically and economically feasible.
Many governments take an approach driven by the most recent incidents or news that
captured public attention; that is, they are looking for ways to implement short-term,
publicly visible actions that are often executed by a single government agency, such as
National Defense. This leads to different definitions of Cybersecurity and different
approaches to addressing it—all of which raises complexity within governments and
creates additional challenges regarding international cooperation. Moreover, when
governments change, the initiative is often realigned or, worse, restarted without
taking prior experience into consideration. It may be moved from the civil side of the
organization to the military/defense side or vice versa. This situation satisfies neither
the government nor the private sector—which plays a critical role in any Cybersecurity
initiative—and harms the prospects for a clear and focused approach.
On the other hand, examples exist wherein governments successfully focus on the
long-term success of a Cybersecurity strategy based on a sound risk-management
policy at a national level.
So what is the critical success factor that governments taking a long-term approach
have in common? Often they work toward a commonly defined cyber framework
that is accepted across all government agencies.
Successful governments also see Cybersecurity as an enabler of a well-run
Cybersecurity program—this being characterized by a close collaboration between
the private and the public sectors as well as within the governmental organizations.
Such an approach can enable new scenarios, attract investors, and provide the basis
for economic growth. An efficient Cybersecurity Agenda can act as an accelerator on
existing or planned IT investments or even industry investments and help to achieve
faster returns.
This paper offers food for thought regarding a model that could be used to structure
Cybersecurity initiatives and build a maturity model to ensure a long-term, sustainable
approach to a government’s Cybersecurity Agenda.
What is ‘Cybersecurity’?
There are plenty of definitions in the market trying to build the context for such
initiatives—and none of them are right or wrong. However, it is important to
understand what the concept of Cybersecurity means in this paper.
Often it is seen in the realm of classic security:
Ensure the confidentiality, integrity, and availability of critical government data
and systems.
This paper adopts a broader definition and includes the providers of the critical
national infrastructure as well. The 2009 Cyber Security Strategy of the United
Kingdom [1] provides a very good description of Cybersecurity:
Citizens, business, and government can enjoy the full benefits of a safe, secure,
and resilient cyber space: working together, at home and overseas, to understand
and address the risks, to reduce the benefits to criminals and terrorists, and to seize
opportunities in cyber space to enhance the UK’s overall security and resilience.
This expansive vision includes areas such as Cybercrime as well.
[1] http://www.cybersecuritymarket.com/wp-content/uploads/2009/06/css0906.pdf
Thought model
The model shown here offers a structure for considering a Cybersecurity initiative
within a government. It consists of five areas:
Alignment: The social and legal environment into which the agenda is embedded.
The Cybersecurity principles must be closely aligned with these fundamentals.
Strategies/Policies: Based on the governance environment, there should be
strategies and policies guiding the Cybersecurity agenda.
ICT Infrastructure: Protecting the critical national infrastructure (both government
owned and non-government owned) must be a key priority of every Cybersecurity
agenda.
National Projects and Solutions: On the foundation laid in the Alignment,
Strategies/Policies, and ICT Infrastructure levels, tangible solutions can be securely
delivered and operated.
Engagement: In addition to the more technical and process focus in infrastructure
and solutions, engagement targets the people and the various stakeholders. So
this area is mainly about collaboration and awareness.
Graphically it could be represented like this:
The following sections briefly touch on these different areas.
Social, Economic, Political, and IT Alignment
Any government activity must be based upon and fit the country’s current social,
legal, and political environment. The legal system plays a key role when it comes to
leveraging Cybersecurity to help to grow the economy. To become a trusted partner
of both investors and other governments, a country needs the capability to fight
Cybercrime and pursue criminals—not only within the country but on an international
level. This also implies a commonly accepted understanding of what Cybercrime entails
as well as multi-national assistance treaties.
Social norms and cultural trends must be included when building the behavioral norms.
A typical example is the balance between privacy and security; what is the socially
accepted level of individual privacy that will still allow law enforcement and intelligence
to fight crime and terrorism? What is the limit beyond which a society is no longer willing
to accept invasion into its privacy? There is no globally agreed-upon standard of what is
right or wrong, but a standard does exist within each social context.
Finally, the decisions a government makes must make economic sense and help create
a level economic playing field regarding national and international competition. The
private sector cost to help drive Cybersecurity in a national context should not inhibit
a company’s financial well-being; otherwise international competitiveness could be
negatively affected, which might lead to lengthy policy debates and resistance from
the private sector in the implementation of a coherent Cybersecurity Agenda.
Therefore, a well-targeted Cybersecurity Agenda must lay the foundation for a
country’s economic growth.
The Cybersecurity principles of a country should reflect and embrace these
influencing factors.
Strategies and Policies
Within the governance environment, a government must decide on its risk-based
strategy and policy structures.
Supply Chain Security
Understanding and analyzing the supply chain is an important step. After all, essential
services, processes, and functions are not monolithic entities but rather a composition
of integrated sub-components, services, processes, and functions. Each of these
sub-components, in turn, has a supply chain of its own. Understanding these complex
and interdependent chains not only assists in the analysis of threats, vulnerability,
and consequences, but also helps identify stakeholders and key providers that might
otherwise be overlooked.
The current government approach to securing the supply chain is to certify products
rather than the processes used to build the components that go into the products.
But the security of products must be built in from the beginning and a vendor must
ensure that its supply chain meets a certain minimum security standard. This is true for
any kind of development model—on-premises as well as in the cloud. It is critical for
vendors to follow stringent and repeatable processes to manage the risks in engineering
and development. Further, these processes should be transparent, up to a given point,
for customers. For certain applications self-attestation may be good enough—product
certification alone might not help to achieve the necessary goals. However, it is likely
that, where sensitive data is stored, a formal certification will be required.
Government Training
Addressing Cybersecurity topics and fighting Cybercrime requires governments to
acquire a new skill set. The training of government employees within their areas of
responsibility must be part of a joint effort between government and the private
sector. The relevant technical and threat knowledge is often within the private sector;
on the other hand, people in the private sector may require training similar to
government employees. Collaboration that helps grow the network in both sectors
is worth considering.
However, training entails a certain risk; people could become highly skilled in
Cybersecurity but then fail to gain appropriate employment. Their potential for
securing a good job in government or industry and the danger of them applying
their skills for criminal activities should be carefully managed when selecting
candidates for training.
In any case, a training strategy must address the constant need to keep training
material and know-how current and aligned to the latest developments in technology
and crime. Within the same context falls the need to recruit talented people, train
them, and retain them. Often, governments tend to build their capacity, and then lose
trained individuals to the private sector because they are unclear on how to grow
these highly specialized people within their organization.
Internal Government Collaboration
Many initiatives start with an effort to improve collaboration between the private and
public sectors. However, collaboration within the government and among its different
agencies can be as large a problem as collaboration with other organizations—if not
larger. Therefore, governments must define a clear strategy and clear policies to
address and improve this situation; these should be supported and implemented from
the top level of any governmental organization. Good practices in this area include
streamlining the various Cybersecurity efforts in one government agency with
sufficient funding and oversight. To be clear here, the bureaucratic problems far
outweigh the technical. Existing organizations with existing authorities must make
adjustments that are complex and hardly understood by politicians or societies.
Innovation
Cybersecurity is often seen as a measure to defend the country from Cyberattacks.
However, if a government is able to drive a sound and targeted Cybersecurity Agenda,
this can and will lay the foundation for growth of the country’s businesses and, therefore,
economic growth. A comprehensive Cybersecurity agenda should include a perspective
on economic growth and how to leverage the investments to accelerate this.
ICT Infrastructure
Government Infrastructure
Building a trusted and well-managed infrastructure is probably the best-known and
yet most-neglected discipline in the entire model. Securing an infrastructure has long
been a challenge for the IT industry. However, few infrastructure operators run
their systems based on mature risk models, that is, models based not on gut feeling
but on sound statistical foundations.
Most Cyberattacks target well-known vulnerabilities on older and unpatched operating
systems and browser versions or systems that rely on weak administrator passwords
rather than using advanced techniques. Basic security precautions are missing; these
systems are the typical “low-hanging fruit”: easy for a government to remediate and
easy for an adversary to exploit. It is surprising how many successful attacks are not
really sophisticated but rather straightforward, exploiting well-known, unpatched vulnerabilities.
Critical National Infrastructure
Protecting the critical national infrastructure is a key government goal—both in the
physical and the cyber worlds. In IT, this should be done in close collaboration with
the operators of the critical infrastructure as well as with key technology providers.
These protection measures must be based on a nation-wide risk-management process.
Experience shows that the private sector and the government often hold differing
views on risks. Private sector companies normally concern themselves with risks around
their business operations; governments consider risks to the well-being of the country
(even though governments must manage risks in their own infrastructure as well).
These are fundamentally different angles, and private sector companies often find
the transition difficult. Therefore, governments and the operators of critical
national infrastructure (including key technology vendors and service operators) must
collaborate to establish a national risk management program; this will help them gain
a joint understanding of the risks faced by the economy and the nation state and drive
risk-mitigating activities. This collaboration is necessary because the critical
infrastructure providers likely have a deep understanding of their operational risks
since they run the infrastructure on a daily basis.
Identity
In today’s connected world, an individual might have different electronic identities
with varying levels of trust (e.g., self-subscription and anonymous email accounts vs.
verified, trustworthy identities for business-related transactions). Any measures taken
in the interest of security must be based on a trustworthy identity. There are multiple
and varied aspects to addressing the identity challenge for government employees,
citizens, and the supply chain:
There must be trusted identity providers in an ecosystem; this might be the
government, the postal services, the banks, or an Internet service provider,
depending on the culture of any given country. If the government tends to
change frequently, there might be limited trust, and a provider outside of
government could be the better choice. There will likely be more than one
provider depending on the trust level and the usage of an identity.
Identities should be able to federate. The term identity federation refers to
a concept whereby identities can be shared across multiple platforms and
organizations. Identities must be interoperable based on claims and standards;
it is critical to follow industry standards when implementing an identity
management system. Governments must be able to work with citizens, suppliers,
and other governments (often other government ministries within the same
country) in a trusted way—and this should enable ad hoc collaboration. No
lengthy process and/or technology should be required to make this happen.
Often there must be a fine balance between authentication and privacy. Do citizens
really want to use the same identity everywhere, which would make it much easier
to correlate different activities? The ability to use attribute claims (e.g., someone is
an employee of the government organization X) without revealing the true identity
should be built into any identity strategy of a government.
Finally, trusted identities must be based on a process that can deliver enough certainty
to the electronic identity; an in-person proving process, or something equally as
stringent, is key.
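The two identity requirements above, trusted providers at differing assurance levels and attribute claims that do not reveal who the person is, as a worked example added here (not code from the paper or from Microsoft). It assumes a constructed provider registry with shared HMAC keys standing in for the signing keys a real federation would exchange, and constructed issuer names and claim values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registry of the identity providers this relying party trusts.
# Assumption: a shared HMAC key per provider stands in for the signing keys a
# real federation would exchange; 'assurance' records how the identity was
# proven (1 = self-subscription, 3 = in-person proofing).
TRUSTED_PROVIDERS = {
    "gov-idp.example": {"key": b"constructed-gov-key", "assurance": 3},
    "webmail.example": {"key": b"constructed-mail-key", "assurance": 1},
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_body(body: dict) -> str:
    return b64url(json.dumps(body, sort_keys=True).encode())


def issue_claims(issuer, claims, ttl=300, now=None):
    """Identity-provider side: sign only the attribute claims the relying
    party needs (e.g. 'employee of ministry X'). No name or national ID is
    included, so the verifier learns the attribute, not the person."""
    now = int(time.time()) if now is None else now
    payload = encode_body({"iss": issuer, "iat": now, "exp": now + ttl, "claims": claims})
    key = TRUSTED_PROVIDERS[issuer]["key"]
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(sig)


def verify_claims(token, required, min_assurance, now=None):
    """Relying-party side. Returns (claims, None) when the token comes from a
    trusted provider of sufficient assurance, is untampered, is unexpired and
    carries every required attribute; otherwise (None, reason)."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        body = json.loads(unb64url(payload))
        sig_bytes = unb64url(sig)
    except ValueError:  # bad base64, bad JSON, wrong number of parts
        return None, "malformed token"
    if not isinstance(body, dict):
        return None, "malformed token"
    provider = TRUSTED_PROVIDERS.get(body.get("iss"))
    if provider is None:
        return None, "untrusted issuer"
    expected = hmac.new(provider["key"], payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None, "bad signature"
    if provider["assurance"] < min_assurance:
        return None, "assurance level too low"
    if not body.get("iat", 0) <= now < body.get("exp", 0):
        return None, "expired"
    claims = body.get("claims", {})
    for name, value in required.items():
        if claims.get(name) != value:
            return None, "missing claim: " + name
    return claims, None
```

A self-subscription webmail identity is accepted where only low assurance is required and rejected where in-person proofing is demanded, while the relying party never sees more than the attributes the provider chose to assert.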
National Projects and Solutions
With these measures in place, national projects and solutions can be operated within a
trusted and trustworthy environment. Because the solutions now provide real value for
the whole agenda/initiative, these will leverage the investments made in Cybersecurity.
This is true for solutions and projects in the government space, such as public safety,
defense, education, and health, and within basic government applications as well.
However, this approach is not limited to the government as such. It can and should be
extended to the private sector companies, as well as the sectors themselves—finance,
utilities, telecommunications, and others—which are part of the critical infrastructure.
Engagement
In addition to all of the technology and processes, there should be intense
engagement both internationally and with different communities within a country.
International Collaboration
A government must decide on a strategy for international collaboration on different
levels, such as within the various ministries—defense, intelligence, law enforcement,
and so forth. This might drive new approaches for collaboration since time is critical
in Cyberspace. Additionally, there must be a strategy on how to work with different
international organizations, such as the UN, Interpol, and others, and which
international frameworks to drive or to adopt (where they already exist).
Security Community
Many countries have a more or less active community of security researchers.
Engaging in smart collaboration with these researchers, based on mutual trust rather
than legislation and regulation, might help governments understand current and
future threats and would help align the defensive strategy for the public as well as
the private sector—as long as the security researchers are working within locally
and internationally acceptable boundaries.
People Awareness and Education
Whatever measures are taken within a government and the private sector, the end
user will always play a key role in any Cybersecurity initiative. This is true for the
average citizen, for the government employee, and for the operators of the critical
infrastructure as well as suppliers.
However, security considerations often stand between the end user and the most
efficient way of doing business or achieving a goal. Security personnel sometimes
forget that the cost/benefit equation of security for an end user tends to be
unbalanced: a relatively high cost (of not being able to do something) for
low perceived value. Many of the security measures implemented are for the protection of
the ecosystem much more than the protection of an individual user. Implementing
a Cybersecurity Agenda should be done from the viewpoint of the end user as well.
What is the benefit? If there is none, there must be a regulatory consequence (e.g.,
a PC is taken off the network and put in quarantine until brought into compliance)
or some other means of increasing an end user’s value in return for being compliant
and behaving in a secure way.
Situational Awareness
Situational awareness can be defined as “what you need to know not to be surprised.”
(Source: Jeannot, Kelly, & Thompson, 2003) Situational awareness probably cannot be
done by the government itself since so much of the information, data, and intelligence
is hosted in the private sector.
The government can act as a broker, turning information into intelligence and acting
as a central point of trust in a network, but often the private sector—be it the critical
infrastructure or the vendors—has detailed knowledge about what is happening on
the Internet. Therefore, the government plays a vital role bringing all of the
information together, and then redistributing the intelligence to the critical
infrastructure. These channels must be established early on and may even enable
a government to take a more proactive role in defending the network.
However, all of this intelligence is only useful insofar as the infrastructure can actively
protect itself once a threat is detected.
Incident Response
The incidents that most concern governments are those attacking the critical
infrastructure—and, by extension, attacking the well-being of society. Therefore,
it is important to engage with the operators of the critical infrastructure, as stated
in the fundamentals on critical infrastructure protection. There should be a constant
engagement between governments and the critical infrastructure stakeholders to
foster mutual trust since this is the basis for any efficient situational awareness and
incident response. This also holds true for engaging with any type of security
community such as security researchers.
Conclusion
Cybersecurity is included in many governments’ agendas and is on the minds of
numerous politicians and bureaucrats. To run a successful Cybersecurity Agenda or
program, a well-structured framework is critical—even if only certain parts of it will
be addressed in the near term; it should provide for oversight to ensure the right
priorities are established. This model can help any given country take the right
approach to creating a Cybersecurity Agenda since the approach itself must be
adapted to the relevant social, cultural, and economic priorities.
Further, governments should never run such an initiative on their own. Close collaboration
with the private sector and the international community—as well as within the
government itself—is absolutely necessary to achieve success in the cyberworld.
© 2011 Microsoft Corporation. All rights reserved.