© 2010 Deloitte Touche Tohmatsu
Security: Developing a Secure Cyberspace
Protecting the 5th Domain
• As with land, sea, air and space, a safe Cyberspace is crucial for our societies.
Different Threats, Different Response
• Cyber criminals have differing motivations, including protest, crime, espionage or terrorism.
Non-Traditional Issues
• Affects our Economics, Politics, Psychology & Technology.
National & Economic Security
• Response requires international coordination, across industries and geographies.
Cyber Global Commons
• Need global dialogue resulting in an international roadmap for Cyber.
Roadmap
• Actionable solutions for key Cyber issues by 2020.
What is Cyber, what is Cybersecurity?
Cyber is:
• All around us
• Affecting virtually all: transport, finance, medical, healthcare, government, justice, law & order, media, education, military, energy, industry, culture etc.
Cybersecurity is about:
• Global network threats
• National security
• Economic security
The New Cyber Landscape
National & Economic Security
Cyber Threats…next STUXNET?
Cyber Opportunities
The scale of Cyberspace is vast – and growing exponentially
• In 2008: 1.2 billion laptops and 3 billion people connected to the Internet
• 2 trillion texts are sent per day worldwide
• 247 billion emails are sent per day (90% spam)
• The U.S. is the 3rd largest country globally with a population of 310 million people … Facebook has more than 500 million active users
• Currently, the most popular vector for attacking users is through social networking sites
• Average un-patched computer survival time on the internet: 4 minutes
• By 2013 the Internet will be 4X larger than in 2009
• Mobile data traffic will increase 66X
• By 2015, we expect 15 billion devices to be connected to the Internet
Key Cyber Issues
• Cyberspace is borderless; enforcement is not
• Some governments approach Cyberspace as a sovereign issue, leading to global fragmentation
• Shortage of multi-skilled Cyber individuals creates a discrepancy between threat and response capability
• Anonymity makes attribution difficult
• Lack of awareness of the global scale of the security problem
• Asymmetric problem that makes centralized response challenging: massive attacks able to be launched from the desktop
• Human behavior consistently being exploited to defeat technology-centric approaches to Cyber defense
• Legislation does not keep pace with technology change
• The seams or handoffs between networks or organizations are vulnerable targets
• Systemic underreporting and need for metrics
Secure Cyber Environment: What is it?
“… everyone can live and work online with confidence and safety
• Networks seen as safe and reputable
• Intellectual property of businesses, universities and other institutions, which underpins a knowledge economy, is better protected
• Citizens have greater confidence in public service transactions”
Source: UK’s Digital Britain Report
“... a secure, resilient and trusted electronic operating environment
• Citizens are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online.
• Businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers.
• Government ensures its information and communications technologies are secure and resilient.”
Source: Australian Government’s cyber security policy
The risk-return tradeoff for cybercrime needs to be made unfavorable
Fast Forward To 2020: We did it!
How did we get there, what did we do between now and 2020?
Questions:
Governance
• How did we agree on a global coordinated approach and improve cooperation and networks?
• How did we agree on Cyber Treaties?
Legal
• How did we address Cyber safe-havens (criminal, terror, etc.)?
• What did we do to have international bodies coordinate the necessary steps (EU, UN, Europol, Interpol)?
Technical
• How did we agree on technical standards?
Resources
• How did we train enough Cyber Professionals?
Awareness
• How did we create a self-financing public-private ecosystem that works?
• How did we restore confidence in cyberspace?
Cyber Stakeholders: five levels
Current debate is not coordinated, and is focused on the middle three levels

Type            Example
Global          United Nations, G20, WTO
Regional        NATO, European Union
National        Central government, agencies, GovCERTs, military organizations
Organizational  Healthcare organizations, financial institutions
Individual      Citizens, employees, consumers

Further examples shown on the slide:
• UN Article 41 & 42
• ITU / ICANN / ISO / FIRST
• National Security Strategies
• NATO Article 5
• US Partner discussions
• Nation specific CERTs
• China Internet Network Information Center (CNNIC)
• US CYBERCOMMAND
• Australian Internet Security Initiative
• Software developers
• Hardware developers
• Social media
Global Cyber Maturity Curve:
Collective action and milestones
Protecting cyberspace
Many governments understand that protecting cyberspace is critical to the economic and national
security of their countries. But unlike other domains of global relations, few rules govern
interactions in cyberspace.
Fast forward to 2020: A secure cyber environment
Imagine that, by the year 2020, we are operating in a secure cyber environment where the
challenges we are experiencing today have been addressed. How did we get here? What did we
do between 2010 and 2020?
This global cyber framework seeks to address some of these questions by proposing a maturity
curve model as a guide for the international community to work together better to solve cyber
security issues—such as addressing gaps in international law for pursuing criminals across
borders, sharing information, and collaborating on incident response. The framework describes
some of the steps that we believe may need to happen to develop a more secure cyberspace by
2020, addressing key areas like the following.
Governance
Governance for cyberspace includes global rules, treaties and protocols, similar to those in place
for national defense, trade, and human rights.
Legal
Much cyber crime is transnational, and fighting it may require an international legal framework.
Technical
The rapid introduction of new technologies and increasing interdependencies across technologies,
networks and applications underscores the need for tightening security for new technologies and
establishing worldwide standards for security. Many organizations (commercial and government)
may disagree.
Resources
The technology and managerial expertise of the workforce—including specialists who can address
diverse issues including legal, intellectual property, and diplomatic challenges—and the “pipeline”
of potential new talent will need to be increased, particularly with highly technical skill sets. In
addition, information sharing and research and development resources will need to be put into
place – and funded.
Awareness
Cyber security cannot be achieved through technology alone; it requires a cultural understanding
and a widespread willingness to demonstrate secure behaviors consistently.
Roadmap by stakeholder level and attention area (Governance, Legal, Technical, Resources, Awareness):

Global & Regional Organizations
Governance
• Establish a coordinating agency
• Develop an international policy framework
• Coordinate international approach and efforts on deterrence and incident response
• Define global and regional responsibilities and alignment
Legal
• Formulate a structure to enforce cyber laws
• Define normative action in cyberspace
• Establish proactive and preemptive cyber practices and protocols
• Address the privacy issues associated with attribution
Technical
• Develop and establish technical standards and guidelines for secure products
• Form public-private partnerships
• Address the technical issues associated with attribution
Resources
• Set qualification standards for cyber security professionals
• Make funding arrangements
• Stimulate exchange of information
Awareness
• Build commitment
• Promote development of capacities
• Sponsor cyber security programs

National Governments
Governance
• Appoint a national coordinator and prepare a strategy
• Incent (critical) industry security
• Enforce information sharing on incidents
Legal
• Reexamine statutes governing investigations
• Designate a privacy and liberties official
• Create legal standards for securing critical cyber infrastructure
Technical
• Improve market incentives for secure and resilient hardware and software products
• Establish standard certification metrics
Resources
• Incorporate education programs from early education on to expand and train the workforce
• Expand on research and development programs
• Conduct initiatives to attract people to cyber security as a career
Awareness
• Initiate public awareness and education program for children, adults, elderly, and others
• Initiate national helpdesk for companies
• Stimulate research and development

Private sector & industry
Governance
• Establish consultative structure to agree on sector/industry standards
Legal
• Sector/industry agrees on legal standards for services and products
Technical
• Sector/industry agrees on security standards for cyber security products
Resources
• Participate in national initiatives
• Retool existing workforce
Awareness
• Stimulate industries to educate the workforce, particularly in critical sectors
Global Cyber Maturity Curve (chart): attention areas Governance, Legal, Technical, Resources and Awareness plotted against specialized capabilities and attributes, rising from Level 1 to Level 5 along a timeline from 2010 to 2020. Milestones shown on the curve:
• governing body established to act as a coordinating authority on international cyber security
• Supranational legal structure in place to enforce cyber security (by-)laws
• Anonymity and attribution are defined, harmonized and implemented
• Certification of resilient systems defined for key global infrastructure
• National awareness program to educate individuals from childhood onward
• Standardized education and specialized credentialing in place for cyber security specialists and workers
• Coordination between global response centers for coordinated response, exercises and predictive research
• Global workshops on cyber policy, economics and technology
• Leverage existing global bodies for cyber agenda setting
• International cyber tribunal established
• International protocol for pre-coordinated response across industry / geography for cyber security incidents
• Self-financing eco-system created to enhance public-private information sharing and cooperation
• Enhanced standards and guidelines for built-in security, including consumer products
• Normalized reporting processes on cyber attacks and consequences across public and private sectors
• Designation of critical infrastructure, cyber security coordinator and national protection plans
• Specialized cyber offices and liaisons established at key international institutions
• Member states’ implementation of national cyber security strategy
• Internationally accepted framework for normative action in cyber space and protocol for harmonized security and privacy
• Military forces operate in accordance with defined cyber laws for deterrence and response
• Legal reviews of country laws & regulations to determine common principles
• Global law enforcement and intelligence cooperation to interdict cyber criminal “safe havens”
• Global construct for … (text truncated on the slide)
• Global cyber fusion center(s) share data across commercial, government and law enforcement to support predictive analytics and response
Key governance recommendations for a Cyber secure world
Global / Regional
• Establish a coordinating agency (World Cyber Organization?)
• Develop international policy framework
• Coordinate international approach and efforts on deterrence and incident response
• Define global and regional responsibilities and alignment
National
• Appoint a national coordinator and prepare a strategy
• Incent (critical) industry security
• Enforce information sharing on incidents
Organizational
• Establish consultative structure to agree on sector / industry standards
(Chart: maturity level, Level 1 to Level 5, of each attention area – Governance, Legal, Technology, Resources, Awareness – by stakeholder level – Global / Regional, National, Organizational, Individual – in 2010 and 2020)
Key legal recommendations for a Cyber secure world
Global / Regional
• Formulate a structure to enforce Cyber laws
• Define normative behavior in Cyberspace
• Establish proactive and preemptive cyber practices and protocols
• Address the privacy issues associated with attribution
National
• Reexamine statutes governing investigations
• Designate a privacy and liberties official
• Create legal standards for securing critical Cyber infrastructure
Organizational
• Sector / Industry agrees on legal standards for services / products
(Chart: maturity level, Level 1 to Level 5, of each attention area – Governance, Legal, Technology, Resources, Awareness – by stakeholder level – Global / Regional, National, Organizational, Individual – in 2010 and 2020)
Key technical recommendations for a Cyber secure world
Global / Regional
• Develop and establish technical standards and guidelines for secure products
• Form public-private partnerships
• Address the technical issues associated with attribution
National
• Improve market incentives for secure and resilient hardware and software products
• Establish standard certification metrics
Organizational
• Sector / industry agrees on security standards for cyber security products
• ISPs play active role in solving spam and botnet issues
• Coordinate security around seams and handoffs
(Chart: maturity level, Level 1 to Level 5, of each attention area – Governance, Legal, Technology, Resources, Awareness – by stakeholder level – Global / Regional, National, Organizational, Individual – in 2010 and 2020)
Key resource recommendations for a Cyber secure world
Global / Regional
• Set qualification standards for cyber security professionals
• Make finance arrangements
• Stimulate exchange of information
National
• Incorporate education programs to expand and train workforce
• Expand on research and development programs
Organizational
• Participate in national initiatives
• Retool existing workforce
(Chart: maturity level, Level 1 to Level 5, of each attention area – Governance, Legal, Technology, Resources, Awareness – by stakeholder level – Global / Regional, National, Organizational, Individual – in 2010 and 2020)
Key awareness recommendations for a Cyber secure world
Global / Regional
• Build commitment
• Promote development of capacities
• Sponsor cyber security programs
National
• Initiate public awareness and education program for children, adults, elderly, etc.
• Initiate national helpdesk for companies
• Stimulate research and development
Organizational
• Stimulate industries to educate the workforce, particularly critical sectors
Individual
• Know the rules of the road
(Chart: maturity level, Level 1 to Level 5, of each attention area – Governance, Legal, Technology, Resources, Awareness – by stakeholder level – Global / Regional, National, Organizational, Individual – in 2010 and 2020)
A holistic approach is required to address the cybersecurity challenges
(Diagram of organizational areas, grouped as shown on the slide)
Governance
• Compliance
• Ethics
• Intra-government Coordination
• Laws & Regulations
• Reporting
Mission
• Judicial
• Legislative
• Program / PMO
• Programs & Services
• Programs & Services Development
Mission Support
• Acquisition
• Assets
• Finance
• Human Resources
• Information Technology
• Public Relations & Communications
Strategy, Policy & Planning
• Strategy & Planning
• Enterprise Risk Management
• Operational Planning
• Performance Management