Date post: 23-Dec-2014
Category: Technology
Upload: c0c0n-international-cyber-security-and-policing-conference
International Telecommunication Union
Why Government & Corporate Cyber Programmes are failing
Trivandrum, Kerala, India, 3-4 August 2012
Dr. Frederick Wamala, CISSP®
© Dr. Frederick Wamala, CISSP®
Disclaimer – One for the Lawyers
Opinions expressed here are mine. The views I express do not necessarily reflect those of any past or present employers and/or associates.
All trademarks are the properties of their respective owners.
Quotation – Cybercrime
“In fact, in my opinion, it's the greatest transfer of wealth in history ... McAfee estimates that $1 trillion was spent globally under remediation. And that's our future disappearing in front of us.”
– Gen. Keith Alexander, NSA/CYBERCOM
ITU Cybersecurity Strategy Guides
Cybersecurity Strategy Model
Cybersecurity Strategy Model
URL: http://www.itu.int/ITU-D/cyb/cybersecurity/strategies.html
Strategic Context
Critical Information Infrastructure (CII)
Privately-owned – Govt oversight?
Focus on attack methods not Sources
Threat Assessment
Incomplete Threat Assessments
Threat Sources and Threat Actors
Capability
Level 1 – Opportunistic
Level 5 – Extremely capable and well resourced to carry out sophisticated attacks e.g. Flame
Motivation
Level 0 – No interest in attacking a given system
Level 5 – An absolute priority of the actor to breach the security of a given system. Use all means e.g. Detailed research, bribery, coercion,
Failure to understand “Cybersecurity Ends”
Cybersecurity “Intensity of Interest”
Cybersecurity is not JUST a technical issue
Cyber attacks threaten ‘vital’ interests of States
India – Impact on Diplomatic Affairs
“A portion of the recovered data included visa applications submitted to Indian diplomatic missions in Afghanistan. This data was voluntarily provided to the Indian missions by nationals of 13 countries as part of the regular visa application process.”
Gaps – Legal Measures
Cybercrime legislation coverage
Criminalisation
Substantive criminal law e.g. Unauthorised access to computer systems and networks
Jurisdiction
Procedure and law enforcement investigative measures
Electronic evidence
Liability of internet service providers
International cooperation
Convention on Cybercrime – 2001
Criminalization
Procedures
Jurisdiction
International Cooperation
Council of Europe Convention on Cybercrime
Criminalization, Procedures, Electronic evidence
Jurisdiction, Service Provider Liability, International Cooperation
Commonwealth Legislation – 2002
Criminalization
Procedures
Electronic evidence
Jurisdiction
International Cooperation
Commonwealth Model Legislation
Criminalization, Procedures, Electronic evidence
Jurisdiction, Service Provider Liability, International Cooperation
US – Joint Chief Lobby for Legislation
Technical and Procedural Measures
Reactive – Subversion of Products
UK – Capacity to certify products
India – Comprehensive Approach
Gaps – Organisational Structures
India – National Cybersecurity Strategy
MCIT/Departmental cybersecurity strategy
Only CERT-In has a national cyber mandate
Oversight: MCIT; Defence, Home Affairs, NSA
DHS vs. White House Czar mandates
US – NSA involvement questioned
Gaps – Capacity Building
Gaps – Cybersecurity Skills
“India is regarded as an IT superpower but its record on IT security is not too brilliant. ... It does not have the required number of experts and professionals in cyber security.”
– Dr. Arvind Gupta, IDSA, India, 27/06/2012
UK – Intelligence not retaining staff
Gaps – International Cooperation
Russia rejects Convention
Convention – Article 32
EU and US wreck UN Treaty
Conclusion
Questions?
Dr. Frederick Wamala, CISSP®
Cybersecurity Adviser – Strategic and Technical
E-mail: [email protected]
Twitter: @DrWamala