Critical Information Infrastructure Protection Perspective on Cloud Computing Services
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
Presenter Dr Martin Koyabe (CTO)
Table of Content Session 1: Understanding CIIP & Challenges Session 2: Cloud Computing Today Session 3: CIIP Perspective of Cloud Computing Session 4: Cloud Computing CIIP Scenarios Session 5: Steps Towards a CI Protection Session 6: Cybersecurity Threat Horizon Session 7: Commonwealth Cybergovernance model
Session 1: Understanding CIIP & Challenges
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
• Critical Resources
6
General definition
• Critical Infrastructure
• Critical Information Infrastructure
Inte
rdep
ende
ncie
s
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Resources
7
Water
Energy
Forests
Defined by some national governments to include:-
• Natural & environmental resources (water, energy, forests etc) • National monuments & icons, recognized nationally & internationally
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure (1/3)
8
Airports
Power Grid
Roads
Defined by some national governments to include:-
• Nation’s public works, e.g. bridges, roads, airports, dams etc • Increasingly includes telecommunications, in particular major
national and international switches and connections
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure (2/3)
9
“ the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“ the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“ an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.”
Source: European Union (EU)
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure (3/3)
10
“ those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“ processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and Significant harm to public confidence.
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
© Commonwealth Telecommunications Organisation | www.cto.int
What about developing countries?
11
Q) Does your country have a critical infrastructure framework?
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure Sectors (1/2)
12
• European Commission (EC) provides an indicative list of 11 critical sectors
Energy
ICT
Water
Food Health
Financial
Public & Legal Order and Safety
Civil AdministraBon Transport
Chemical and Nuclear Industry
Space & Research
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure Sectors (2/2)
13
• Provisional Critical Infrastructure list for Bangladesh
Energy (Oil/Gas)
Telecoms
Transport (Roads)
Monuments/Buildings
Water
Financial ICT
Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Information Infrastructure (1/2)
14
CII definition:-
“ Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Information Infrastructure (2/2)
15
Cri$cal Infrastructures
Telecoms
Energy
Transporta$on
Finance/Banking
Government Services
Large Enterprises
End-‐users
Critical Information Infrastructure Cross-cutting ICT interdependencies among all sectors
Cyber security Practices and procedures that enable the secure use and operation of cyber tools and technologies
Non-essential IT Systems
Essential IT Systems
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Information Infrastructure Protection (CIIP)
16
• Widespread use of Internet have transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
• ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks.
• ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
© Commonwealth Telecommunications Organisation | www.cto.int
• Today Critical Information Infrastructure Protection (CIIP) – Focuses on protection of IT systems and assets
o Telecoms, computers/software, Internet, interconnections & networks services
– Ensures Confidentiality, Integrity and Availability
o Required 27/4 (365 days) o Part of the daily modern economy and the existence of any country
Critical Information Infrastructure Protection (CIIP)
Telecom Network
Power Grid
Water Supply
Public Health
NaBonal Defence
NaBonal Defence
Law Enforcement
© Commonwealth Telecommunications Organisation | www.cto.int
CII Attack Scenarios
Telecoms
Health Services
Cloud Services
Finance/Banking
eGovernment
Critical Information Infrastructure (CII) Cross-cutting ICT interdependencies among all sectors
Natural disaster, power outage, or hardware failure
Resource exhaustion (due to DDoS attack)
Cyber attack (due to a software flaw)
© Commonwealth Telecommunications Organisation | www.cto.int
• Expanding Infrastructures – Fiber optic connectivity
o TEAMS/Seacom/EASSy
– Mobile/Wireless Networks o Kenya has 11.6 million Internet
users and 31.3 million mobile network subscribers (CAK, 2014)
• Existence of failed states – Increased ship piracy
o To fund other activities
– Cyber warfare platforms o Doesn’t need troops or military hardware
• Cyber communities – Social Networks – Attacker’s “gold
mine”
Future CII Attack Vectors
© Commonwealth Telecommunications Organisation | www.cto.int
• Increased awareness for CIIP & cyber security – Countries aware that risks to CIIP need to be managed
o Whether at National, Regional or International level
• Cyber security & CIIP becoming essential tools – For supporting national security & social-economic well-being
• At national level – Increased need to share responsibilities & co-ordination
o Among stakeholders in prevention, preparation, response & recovery
• At regional & international level – Increased need for co-operation & co-ordination with partners
o In order to formulate and implement effective CIIP frameworks
Global trends towards CIIP
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
#1: Cost and lack of (limited) financial investment – Funds required to establish a CIIP strategic framework can be a hindrance – Limited human & institutional resources
Source: GDP listed by IMF (2013)
© Commonwealth Telecommunications Organisation | www.cto.int
#2: Technical complexity in deploying CIIP – Need to understand dependencies & interdependencies
o Especially vulnerabilities & how they cascade
Challenges for developing countries
Powerplants Regional Power Grid
Regional Power Supply
Private D2D links
Private Datacenters
Banks & Trading
Public AdministraBon
Public Datacenters
eGovernment
Online services, cloud
compuBng Telco sites, switch areas,
interconnecBons
Public eComms
Regional network, cables, wires, trunks
Public Transport
Emergency care (Police, Firefighters,
Ambulances)
Emergency Calls
(99.9%) 8 hr outages are disastrous
(99%) 3 days outages are disastrous
(90%) 30 days outages are disastrous
© Commonwealth Telecommunications Organisation | www.cto.int
#3: Limited knowledge on how to identify and classify critical infrastructure – Need to consider business value, scope of population & technical dependency
Challenges for developing countries
CriBcal FuncBon Infrastructure
Element
Supply Chain
Supply Chain
Key Resource
Supply Chain
CriBcal FuncBon
Infrastructure Element
Supply Chain
Supply Chain
Key Resource
Supply Chain CriBcal FuncBon
Infrastructure Element
Supply Chain
Supply Chain
Key Resource
Supply Chain
Interdependencies Understand requirements &
complexity
© Commonwealth Telecommunications Organisation | www.cto.int
#4: Need for Cybersecurity education & culture re-think – Create awareness on importance of Cybersecurity & CIIP
o By sharing information on what works & successful best practices
– Creating a Cybersecurity culture can promote trust & confidence o It will stimulate secure usage, ensure protection of data and privacy
Challenges for developing countries
© Commonwealth Telecommunications Organisation | www.cto.int
#5: Lack of relevant CII strategies, policies & framework – Needs Cybercrime legislation & enforcement mechanisms – Setup policies to encourage co-operation among stakeholders
o Especially through Public-Private-Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer – It is important at ALL levels National, Regional & International – Necessary for developing trust relationships among stakeholders
o Including CERT teams
Challenges for developing countries
© Commonwealth Telecommunications Organisation | www.cto.int
Session 1: Group Discussions
26
Question
What’s the CII definition for your country?
Session 2: Cloud Computing Today
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing
28
Should Cloud Computing be considered a Critical Information Infrastructure?
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
29
• Earlier approach not scalable and costly
High capacity link Between organizations or operators
IT
IT Information Technology Resources Per each organizations or operators IT
IT
IT Organization or Operator
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
30
• Spread associated costs among users
Organizations or operators Access resources in the same area
Information Technology Resources Consolidated in data centers
IT IT
Data Centre
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing Deployment Models
31
Private Cloud (Hosted Internally or
Externally)
Hybrid Cloud
Public Cloud
Community Cloud (Hosted Internally by
Member or Externally)
© Commonwealth Telecommunications Organisation | www.cto.int
Some of the benefits of Cloud Computing
32
Reduced Capital & Operational Cost • Less up-front capital investment • Allow companies to increase resource needs
gradually (pay-as-you-go)
Simplify application deployment & management • Common programming model across platforms • Access to ecosystem of widely deployed applications • Integration with existing IT assets
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing
33
Simple definition
Cloud Computing = Software as a Service (SaaS) + Platform as a Service (PaaS) + Infrastructure as a Service (IaaS) + Data as a Service (DaaS) + * as a Service (*aaS)
© Commonwealth Telecommunications Organisation | www.cto.int
Software as a Service (SaaS)
34
SaaS characteristics:-
• From end user’s point of view • Application are located in the cloud • Software experiences are delivered online (Internet)
© Commonwealth Telecommunications Organisation | www.cto.int
Platform as a Service (PaaS)
35
PaaS characteristics:-
• From developer’s point of view (i.e. cloud users) • Cloud providers offer an Internet-based platform • Developers use the platform to create services
© Commonwealth Telecommunications Organisation | www.cto.int
Infrastructure as a Service (IaaS)
36
IaaS characteristics:-
• Cloud providers build datacentres – Power, scale, hardware, networking, storage, distributed system etc
• Datacentre as a service • Users rent storage, computation & maintenance
© Commonwealth Telecommunications Organisation | www.cto.int
Data as a Service (DaaS)
37
DaaS characteristics:-
• Data->Information->Knowledge->Intelligence • Infrastructure for web data mining & knowledge • Empower people with knowledge • Enrich apps & services with intelligence
© Commonwealth Telecommunications Organisation | www.cto.int
Uptake of Cloud Computing
38
MicrosoS's Data Center, San Antonio, Texas Google's Data Centre, Georgia
• Western Europe market to grow to €15B by 2015 • Amazon AWS carries 1% of all Internet consumer traffic in North America • Data centre growth estimated to be in excess of €30B • Facebook server farm (Oregon) measures 14000 m2, cost ~ $200M
© Commonwealth Telecommunications Organisation | www.cto.int
Session 2: Group Discussions
40
Question
What is the level of Cloud Computing uptake in your country? Is it increasing?
Session 3: CIIP Perspective of Cloud Computing
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
42
Large cloud providers can deploy security and business continuity measures and spread the associated cost among the customers.
Can be a “Double Edged Sword”
If an outage or security breach occurs, the the consequences can be catastrophic affecting large number of users and organisations at once.
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
43
Japan Earthquake 2011 • Cloud computing was resilient
• Cloud services survived power outages by using emergency fuel
• Data connections over mobile networks and fixed networks held up
• Traditional IT deployments went offline
• Cloud computing used to get organizations up and running
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
44
Lightening Strike Dublin 2011 • Took down Amazon & Microsoft
services. Outage lasted for 2 days
• Amazon’s other customers (Foursquare, Reddit & Netflix) were badly affected
• Amazon’s Elastic Computer Cloud (EC2) and Relational Database Service (RDS) experienced disruption in North Virginia.
• Amazon US-EAST data centers were cut-off the Internet
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
45
Critical in themselves
Cloud Computing services can be critical in two ways
Critical for other critical services
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
46
e.g. Cloud based eHealth Record Platform
Critical in itself • But needed for other
emergency health operations, which are also critical
Critical to other systems • Critical to other systems that
depend on the data records
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
47
Most CIIP action plans address two major issues:
(1) Cyber disruptions (or outage) with large impact
12M Pakistan
6M Egypt 4.7M
Saudi Arabia
1.7M UAE
0.8M Kuwait
0.3M Qatar
12M India
Outage caused by undersea cable cut near Alexandria, Egypt (2008)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
48
(2) Cyber attacks with a large impact • Influenced mainly by interdependencies
Snapshot of the Internet before an aVack on Facebook Source: NORSE
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (1/4)
49
Continuity of services & infrastructure dependencies
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (2/4)
50
Powerplants Regional Power Grid
Regional Power Supply
Private D2D links
Private Datacenters
Banks & Trading
Public AdministraBon
Public Datacenters
eGovernment
Online services, cloud compuBng Telco sites,
switch areas, interconnecBons
Public eComms
Regional network, cables, wires, trunks
Public Transport
Emergency care (Police, Firefighters,
Ambulances)
Emergency Calls
(99.9%) 8 hr outages are disastrous
(99%) 3 days outages are disastrous
(90%) 30 days outages are disastrous
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (3/4)
51
Software as a service dependencies
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (4/4)
52
Hospitals
Power plant
Air traffic controllers IT vendor for Office
soSware
Banks
Public administraBon
© Commonwealth Telecommunications Organisation | www.cto.int
Session 3: Group Discussions
53
Question
List (at least 3) known incidents/cases of CII related attacks in the recent past in your country? Discuss any remedies taken (if known).
Session 4: Cloud Computing CIIP Scenarios
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
55
CII attack vectors
Telecoms
Health Services
Cloud Services
Finance/Banking
eGovernment
Critical Information Infrastructure (CII) Cross-cutting ICT interdependencies among all sectors
Natural disaster, power outage, or hardware failure
Resource exhaustion (due to DDoS attack)
Cyber attack (due to a software flaw)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
56
Four (4) scenarios where Cloud Computing is critical
(1) Financial Services
Source: New York Stock Exchange (NYSE)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
57
Datacenter Datacenter
Operator
Datacenter
Trader Trader
Private network, Dedicated links Duplicated connection between datacenters
Public Internet or telephony Connecting traders to datacenters
Data Centers All systems are duplicated
Traders platform Web-interface access
Trading Platform (SaaS)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
58
Key Points: • Software flaw can impact wide range of organisations directly • Consider creating ‘logical redundancy’ in addition to ‘physical
redundancy’
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
59
(2) Health Services
• By 2016 about 30% of IT budget of healthcare organisation would be devoted for cloud computing based expenses
• 73% plan to make greater use of cloud-based technologies in the future
Source: Accenture
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
60
Datacenter Datacenter Datacenter
Hospital Hospital
Private network, Dedicated links Duplicated connection between datacenters
Public Internet or telephony Connecting hospital to datacenters
Data Centers All systems are duplicated
eHealth platform Web-interface access
eHealth Record Platform (SaaS)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
61
Key Point: • Cloud computing is expected to bring additional efficiency gains
in health care service provision
“APT 18” launched the attack Said to have links with Chinese government and behind targeted attack on companies in aerospace and defense, construction and engineering, technology, financial services and healthcare industry.
Source: FireEye Inc
TDoS Attack Telephony Denial of Service (TDoS) attack targets emergency response services in critical services such as health care
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
62
(3) e-Government Services
• UK Gov Cloud app store “GovStore” has over 1,700 information & communication services available to the UK public sector
Source: http://govstore.service.gov.uk
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
63
Datacenter Datacenter Datacenter
eGov Website
eGov Website
Private network, Dedicated links Duplicated connection between datacenters
Public Internet or telephony Connecting eGov to datacenters
Data Centers All systems are duplicated
eGovernment platform Web-interface access (SaaS)
Gov cloud app store (PaaS)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
64
Key Point: • eGovernment services need to be resilient at all levels of attacks
VS
VS
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
65
(4) Cloud Services
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
66
Datacenter Datacenter Datacenter
Webmail provider (SaaS)
Online backup service (SaaS)
Private network, Dedicated links Duplicated connection between datacenters
Public Internet or telephony Connecting eGov to datacenters
Data Centers All systems are duplicated
eGovernment applications (SaaS)
Running on a government app store (PaaS)
Infrastructure or platform as a service (PaaS)
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
67
Key Point: • The impact of failure at an IaaS/PaaS provider can have an
impact across a range of organisations, affecting many end-users.
© Commonwealth Telecommunications Organisation | www.cto.int
Session 4: Group Discussions
68
Question
What practical measures need to be taken to enhance CII resilience, especially the Cloud Infrastructure?
Session 5: Steps towards CI Protection
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
70
(1) Establish CIP Goals, e.g.
Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Critical Infrastructure (CI)
CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Understand Critical Infrastructure (CI) Risks
Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
• Articulate CIP policy/goals
National CIP framework includes relevant government entities, as well as, establishing public private partnerships involving corporate and non-governmental organizations.
• Establish Public-Private Partnerships
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
71
(2) Define CIP Roles
Define Policy and Identify Roles Government Define CIP goal and roles
Determine Acceptable Risks Levels Public-Private Partnership Define what’s critical
Assess Risks
IdenBfy Controls and MiBgaBons
Implement Controls
Measure EffecBveness
Infrastructure Prioritize Risks
Operators & Service Providers Deploy best control solutions
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
72
CIP Coordinator (ExecuBve Sponsor)
Law Enforcement
Sector Specific Agency
Computer Emergency
Response Team (CERT)
Public Private
Partnership
Infrastructure owners and operators
IT vendors and
soluBon providers
Shared Private Government
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
73
(3) Identify & Prioritize Critical Functions
CriBcal FuncBon Infrastructure
Element
Supply Chain
Supply Chain
Key Resource
Supply Chain
CriBcal FuncBon
Infrastructure Element
Supply Chain
Supply Chain
Key Resource
Supply Chain CriBcal FuncBon
Infrastructure Element
Supply Chain
Supply Chain
Key Resource
Supply Chain
Interdependencies Understand requirements &
complexity
• Understand the critical functions, infrastructure elements, and key resources necessary for
– Delivering essential services – Maintaining the orderly operations if the
economy – Ensure public safety.
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
74
(4) Continuously Assess and Mange Risks
Assess Risks
Identify Controls and Mitigations
Implement Controls
Measure Effectiveness
• Based on holistic approach
• Implement defense in-depth
• Organize by control effectiveness
• Evaluate program effectiveness
• Leverage findings to improve risk management
• Identify key functions
• Assess risks
• Evaluate consequences
• Define functional requirements
• Evaluate proposed controls
• Estimate risk reduction/cost benefit
• Select mitigation strategy
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI protection
75
• Develop joint PPP plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents.
• Create emergency response plans to mitigate damage and promote resiliency.
• Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
• Testing and exercising emergency plans to promote trust, understanding and
greater operational coordination among public and private sector organizations.
• Exercises also provide an important opportunity by identifying new risk factors that can be addressed in response plans or controlled through regular risk management functions.
(5) Establish & Exercise Emergency Plans
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CII protection
76
• Promote trusted relationships needed for information sharing and collaborating on difficult problems
• Leverage the unique skills of government and private sector organizations
• Provide the flexibility needed to collaboratively address today’s dynamic threat environment
(5) Establish Public Private Partnership (PPP)
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CII protection
77
• Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions
• Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
(6) Build Security & Resiliency into Operations
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CII protection
78
• Cyber threats are constantly evolving
• All CIP stakeholders need to prepare for changes in cyber threats
• Constantly monitor trends and changes in critical function dependencies
• Keep systems patched and maintain the latest software versions
• Adopt smart & effective procedures and processes
(7) Update & Innovate Technology and Processes
© Commonwealth Telecommunications Organisation | www.cto.int
Session 5: Group Discussions
79
Question
• What should be the additional roles and responsibilities of the state?
• What investment is required to address CIIP vulnerabilities & threats?
• How should the private sector & government work on CIIP and build trust?
Session 6: Cybersecurity Threat Horizon
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
• Increased penetration of smart phones – Lower costs (~$80) have increased user uptake
– Other models Tecno (China), Wiko (France) & Infinix (Hong Kong)
– Will increase from 17% (2014) to 34% (2018)
• Africa leads mobile subscriptions
– 55% (1.3 billion) from developing countries
• Rapid growth of eCommerce – Websites such as Jumia, Cheki & OLX
Relevant trends in Africa today (1/2)
45% 55%
Developed Countries Developing Countries
© Commonwealth Telecommunications Organisation | www.cto.int
• Expanding Infrastructure
– SAT3/GLO/WACS/ACE etc e.g. 6Km of Fibre in Cameroon
• Mobile money transfer – Increasingly growing e.g. M-Pesa
has 16.8 Million customers – Handles >$1 Billion transactions
per month in Kenya alone – Nigeria – introduced digital ID and
transaction card
• Social media – 78% of internet usage in Africa is
for social media – Estimated will $230 Billion to
Africa’s growth by 2025
Relevant trends in Africa today (2/2)
© Commonwealth Telecommunications Organisation | www.cto.int
• 2014 global cyber attacks assessment shows – Africa accounted for 4% security incidents worldwide – Every 1 second, 18 adults are victims of cyberscrime – 1.5 million victims globally per day
• Financial fraud
– Africa’s major cities like Cairo, Johannesburg, Lagos and Nairobi experience many cases of financial fraud
– African countries are becoming targets & source of malicious Internet activities
• Software piracy and lack of updated software – Home user PCs remain vulnerable to cyber attacks
Emerging Cyber Threats (1/3)
© Commonwealth Telecommunications Organisation | www.cto.int
• Use of ICT to commit acts of terrorism – Planning, co-ordination, implementation and promotion. For
example Boko Harum, ISIS, Al-Shabaab & Al-Qaida etc – Creates social-economical problem. For example, the Westgate
Mall in Kenya – 67 people killed and nearly $200 Million lost tourism revenue.
Emerging Cyber Threats (2/3)
Teenage girls in the UK who flew to Syria via Turkey
© Commonwealth Telecommunications Organisation | www.cto.int
• Cyber attacks targeting government websites – Defacement of websites, motivated by individual reasons
o Nigeria defence HQ attacked for fighting Boko Haram
o Ghana (gov.gh) portal attacked (11 out of 58 sites attacked)
o Senegalese ICT agency site attacked, linked to Charle Hebdo
• Social media
– Reputation and defamation is a new form of cyber attack
– Anonymity on social networks – could tools such as Yik Yak be used for Cyber bullying?
Emerging Cyber Threats (3/3)
© Commonwealth Telecommunications Organisation | www.cto.int
• Low level of security provisions – Inadequate control and lack of information risk assessment
• Lack of technical know-how – inability to monitor and defend national networks
• Need to develop necessary legal frameworks – 21 countries in Africa have proposed legislation
• Cross boundary challenges of Cybersecurity – inability to prosecute and apprehend at source
• Limited levels of awareness – Regulators, military, law-enforcement, judiciary, legislators
Cybersecurity challenges facing Africa
© Commonwealth Telecommunications Organisation | www.cto.int
Success of above needs full government support • Legal framework
– Lack of Cybersecurity legislation affects businesses
– Needs technology to support enforcement
• Regional harmonization of policy & legal frameworks – Global good, needs national, regional & international actions
• Co-ordination and corporation is a MUST – Cybersecurity is a cross-boundary issue
– Needed to combat ICT fraud, hacking, child pornography and copyright infringement
– Creates uniformity in procedures and processes
Policy, Legal & Regulatory Considerations
© Commonwealth Telecommunications Organisation | www.cto.int
Success of above needs full government support • Development of infrastructure
– Develop reliable, resilient and available connectivity
• Need to establish & enhance national CERTs – Create sectorial CERTs
o Finance, Energy, Transport, Military, Maritime, SMEs etc – Harmonize regional CERTs or CIRTs
• Best practice in Cyber governance – Encourage use of country Top Level Domain (TLD) names
Technology Considerations
© Commonwealth Telecommunications Organisation | www.cto.int
Success of above needs full government support • Cybersecurity is complex & challenging
– Develop technical skills through training & collaborations
– Use expertise from the Diaspora
• Cultivate a culture of Cybersecurity awareness – CERTs must be proactive other than reactive – Engage in capacity building initiatives with ALL stakeholders
• Best practice in Cyber governance – Encourage use of country Top Level Domain (TLD) names
– Have effective data protection act
Capacity building, Research & Innovation Considerations
Session 7: Commonwealth Cybergovernance Model
Presenter Dr Martin Koyabe (CTO)
CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Trends in Cyberspace
• Cyberspace provides access to ICT – Bridging the digital divide and influencing social-economic activities
• Cyberspace is increasingly becoming a global system – Anticipated to grow from 2-4 Billion users by 2020 (mostly from developing
countries)
• Cyberspace is open, decentralised and empowering – This has fostered innovation, collaboration and rapid development
• Cyberspace success depends on it’s infrastructure – Infrastructure should be secure, resilient and available to users
• Cyberspace can also be used for criminal activities – Cybercrimes, extremisms and other social crimes
91
© Commonwealth Telecommunications Organisation | www.cto.int
Why a Commonwealth Model
• Contrasting views emerging across the world on governing the Cyberspace
• Harmonisation is critical to facilitate the growth and to realise the full potentials of Cyberspace
• Commonwealth family subscribes to common values and principles which are equally well applicable to Cyberspace
• CTO is the Commonwealth agency mandated in ICTs • The project was launched at the 53rd council meeting of the
CTO in Abuja, Nigeria (9th Oct 2013) • Wide consultations with stakeholders • Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th
March 2014 in London
92
© Commonwealth Telecommunications Organisation | www.cto.int
Objectives
The Cybergovernance Model aims to guide Commonwealth members in:-
– Developing policies, legislation and regulations – Planning and implementing practical technical
measures – Fostering cross-border collaboration – Building capacity
93
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Values in Cyberspace
• Based on Commonwealth Charter of March 2013 – Democracy, human rights and rule of law
• The Charter expressed the commitment of member states to – The development of free and democratic societies – The promotion of peace and prosperity to improve the lives of all peoples – Acknowledging the role of civil society in supporting Commonwealth
activities
• Cyberspace today and tomorrow should respect and reflect the Commonwealth Values – This has led to defining Commonwealth principles for use of Cyberspace
94
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 1: We contribute to a safe and an effective global Cyberspace • as a partnership between public and private sectors, civil society and
users, a collective creation; • with multi-stakeholder, transparent and collaborative governance
promoting continuous development of Cyberspace; • where investment in the Cyberspace is encouraged and rewarded; • by providing sufficient neutrality of the network as a provider of
information services; • by offering stability in the provision of reliable and resilient information
services; • by having standardisation to achieve global interoperability; • by enabling all to participate with equal opportunity of universal access; • as an open, distributed, interconnected internet; • providing an environment that is safe for its users, particularly the young
and vulnerable; • made available to users at an affordable price.
95
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic and social development • by enabling innovation and sustainable development, creating greater
coherence and synergy, through collaboration and the widespread dissemination of knowledge;
• respecting cultural and linguistic diversity without the imposition of beliefs; • promoting cross-border delivery of services and free flow of labour in a
multi-lateral trading system; • allowing free association and interaction between individuals across
borders; • supporting and enhancing digital literacy; • providing everyone with information that promotes and protects their
rights and is relevant to their interests, for example to support transparent and accountable government;
• enabling and promoting multi-stakeholder partnerships; • facilitating pan-Commonwealth consultations and international linkages in
a single globally connected space that also serves local interests.
96
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 3: We act individually and collectively to tackle cybercrime • nations, organisations and society work together to foster respect for
the law; • to develop relevant and proportionate laws to tackle Cybercrime
effectively; • to protect our critical national and shared infrastructures; • meeting internationally-recognised standards and good practice to
deliver security; • with effective government structures working collaboratively within and
between states; • with governments, relevant international organisations and the private
sector working closely to prevent and respond to incidents.
97
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace • we defend in Cyberspace the values of human rights, freedom of expression and
privacy as stated in our Charter of the Commonwealth; • individuals, organisations and nations are empowered through their access to
knowledge; • users benefit from the fruits of their labours; intellectual property is protected
accordingly; • users can benefit from the commercial value of their own information; accordingly,
responsibility and liability for information lies with those who create it; • responsible behaviour demands users all meet minimum Cyberhygiene
requirements; • we protect the vulnerable in society in their use of Cyberspace; • we, individually and collectively, understand the consequences of our actions and
our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.
98
© Commonwealth Telecommunications Organisation | www.cto.int
Development of a Nation Cybersecurity Strategy
• Need support from highest levels of government • Adopt a multi-stakeholder partnership (private sector,
public sector & civil society) • Draw on the expertise of the International Community • Appoint a lead organisation or institution • Be realistic and sympathetic to the commercial
consideration of the private sector • Add mechanisms to monitor & validate implementation
100
© Commonwealth Telecommunications Organisation | www.cto.int
Main elements of a Cybersecurity Strategy
• Introduction and background • Guiding principles • Vision and strategic goals • Specific objectives • Stakeholders • Strategy implementation
101
© Commonwealth Telecommunications Organisation | www.cto.int
Introduction & Background
• Focuses on the broad context • Sets the importance of Cybersecurity to national
development • Assess current state of Cybersecurity and challenges
102
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
1. Introduc$on / background
This secBon provides a succinct background of the country’s circumstances and the status of its Cybersecurity
• Explain the importance of Cybersecurity to economic and social development.
• Describe the use of Cyberspace and the nature of Cybersecurity challenges to jusBfy the need for the Cybersecurity strategy
• Explain the relaBonship to exisBng naBonal strategies and iniBaBves.
Uganda’s introducBon covers: • The definiBon of informaBon security • The jusBficaBon for a strategy • Country analysis of current state of
informaBon security framework. • Strategy guiding principles • Vision, mission, strategic objecBves
Note that this example covers the first three secBons in this framework.
© Commonwealth Telecommunications Organisation | www.cto.int
• Based on Commonwealth Cybergovernance principles • Balance security goals & privacy/protection of civil liberties • Risk-based (threats, vulnerabilities, and consequences) • Outcome-focused (rather than the means to achieve it) • Prioritised (graduated approach focusing on critical issues) • Practicable (optimise for the largest possible group) • Globally relevant (harmonised with international standards)
103
Guiding Principles (1/2)
© Commonwealth Telecommunications Organisation | www.cto.int
Guiding Principles (2/2)
104
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
2. Guiding principles This secBon idenBfies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
• Build from the principles of the Commonwealth Cybergovernance model.
• Include any relevant naBonal principles. • Describe the delivery principles that
guide the design of the objecBves goals, vision and objecBves.
In addiBon to the Commonwealth Cybergovernance principles and naBonal principles the following delivery principles are recommended: Risk-‐based. Assess risk by idenBfying threats, vulnerabiliBes, and consequences, then manage the risk through miBgaBons, controls, costs, and similar measures.
Outcome-‐focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
PrioriBsed. Adopt a graduated approach and focus on what is criBcal, recognising that the impact of disrupBon or failure is not uniform among assets or sectors.
PracBcable. OpBmise for adopBon by the largest possible group of criBcal assets and realisBc implementaBon across the broadest range of criBcal sectors.
Globally relevant. Integrate internaBonal standards to the maximum extent possible, keeping the goal of harmonizaBon in mind wherever possible.
© Commonwealth Telecommunications Organisation | www.cto.int
• Promote economic development • Provide national leadership • Tackle cybercrime • Strengthen the critical infrastructure • Raise and maintain awareness • Achieve shared responsibility • Defend the value of Human Rights • Develop national and international partnerships
105
Visions & Strategic Goals
© Commonwealth Telecommunications Organisation | www.cto.int 106
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
3. Strategic goals and vision This secBon defines what success looks like in broad summary terms and reflects the country’s prioriBes.
• Make a clear statement of the country’s commitment to protecBng the use of its Cyberspace
• Emphasise the breadth of the use of Cyberspace: covering social and economic acBvity
• Include text that can be quoted as part of the communicaBon with wider stakeholders, e.g. a vision statement.
Australia’s vision: “The maintenance of a secure, resilient and trusted electronic operaBng environment that supports Australia’s naBonal security and maximises the benefits of the digital economy” Three pillars of the Australian strategy: • All Australians are aware of cyber risks, secure their computers
and take steps to protect their idenBBes, privacy and finances online;
• Australian businesses operate secure and resilient informaBon and communicaBons technologies to protect the integrity of their own operaBons and the idenBty and privacy of their customers;
• The Australian Government ensures its informaBon and communicaBons technologies are secure and resilient.”
Four pillars of the UK strategy: • Tackle cybercrime and be one of the most secure places in the
world to do business in cyberspace; • To be more resilient to cyber aVacks and beVer able to protect our
interests in cyberspace; • To have helped shape an open, stable and vibrant cyberspace
which the UK public can use safely and that supports open socieBes;
• To have the cross-‐cuing knowledge, skills and capability it needs to underpin all our Cybersecurity objecBves.
Visions & Strategic Goals
© Commonwealth Telecommunications Organisation | www.cto.int
• Provide a national governance framework for securing Cyberspace • Enhance the nation’s preparedness to respond to the challenges of Cyberspace • Strengthening Cyberspace and national critical infrastructure • Securing national ICT systems to attract international businesses • Building a secure, resilient and reliable Cyberspace • Building relevant national and international partnerships and putting effective
political-strategic measures in place to promote Cyber safety • Developing a culture of Cybersecurity awareness among citizens • Promoting a culture of “self protection” among businesses and citizens • Creating a secure Cyber environment for protection of businesses and individuals • Building skills and capabilities needed to address Cybercrime • Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence
107
Specific Objectives
© Commonwealth Telecommunications Organisation | www.cto.int 108
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
4. Risk management (Risk based approach objec$ves)
How the risk management process works, and then seing objecBves and prioriBes This secBon describes how risk management is performed and provides a top-‐level analysis. It states specific and tangible targets and assigns relaBve prioriBes.
• How risk management is currently performed, for example for naBonal security.
• Sources of threat informaBon and of major vulnerabiliBes.
• How granular to make the outcomes and objecBves.
• How frequently to repeat the risk assessment process.
Source: MicrosoY’s guidance, listed in appendix 3: • A clear structure for assessing and managing risk • Understand naBonal threats and major vulnerabiliBes • Document and review risk acceptance and excepBons • Set clear security prioriBes consistent with the principles • Make naBonal cyber risk assessment an on-‐going process
Specific Objectives
© Commonwealth Telecommunications Organisation | www.cto.int 109
Stakeholders
CIP Coordinator (ExecuBve Sponsor)
Law Enforcement
Sector Specific Agency
Computer Emergency
Response Team (CERT)
Public Private
Partnership InternaBonal OrganisaBons
Infrastructure owners and operators
IT vendors and
soluBon providers
Shared Private Government
© Commonwealth Telecommunications Organisation | www.cto.int 110
STRATEGY COMPONENTS ASPECTS TO CONSIDER EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE
4. Stakeholders This secBon idenBfies key parBcipants in the development and delivery of the strategy. Roles and responsibiliBes should be clearly defined using RACI terminology (see appendix 5).
• IdenBfy all relevant key stakeholders taking into consideraBon, country objecBves and focus areas
• IdenBfy key internaBonal stakeholders and partners that could contribute effecBvely
• Draw stakeholders from governmental and non-‐governmental organizaBons, civil socieBes, academia, public and private sectors of the economy. Should include but not limited to soSware and equipment vendors, owners and operators of CII, law enforcement insBtuBons etc.
In construcBng the list of stakeholders, the following consBtuencies should be considered: • ministers and other poliBcians; • government departments concerned with ICT, telecommunicaBons and
informaBon security; • private sector organisaBons that provide ICT services; • government departments whose responsibiliBes rely upon or who engage with
Cyberspace, including: most economic acBvity, trade, tourism, law enforcement; • providers of the criBcal naBonal infrastructure whose vital communicaBons are
increasingly carried across the internet; • companies across the economy that rely upon Cyberspace, oSen represented by
trade associaBons; • representaBves of civil society, oSen in the form of groups that reflect broad
public opinion and can advise on the best way to achieve outcomes involving the public;
• civil society organisaBons that represent parBcular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communiBes and of the vulnerable;
• experts who understand how Cyberspace works, from a technical perspecBve, to ensure that government strategies are pracBcal;
• Academia who can advise on R&D, internaBonal best pracBce, emerging issues; • InternaBonal bodies such as the Commonwealth TelecommunicaBons
OrganisaBon • Other countries, parBcularly regional countries.
Specific Objectives
© Commonwealth Telecommunications Organisation | www.cto.int
• Governance and management structure • Legal and regulatory framework • Capacity Development • Awareness and outreach programmes • Incident response
– Incentivize commercial competitors to cooperate – Create national CERTs (include sector based CERTs)
• Stakeholder collaboration • Research and Development • Monitoring and evaluation
111
Strategy Implementation
© Commonwealth Telecommunications Organisation | www.cto.int
What Next? Upcoming CIIP Workshops
113
Yaounde, Cameroon Jan-Feb 2015
Nairobi, Kenya Nov 2014
Colombo, Sri Lanka/Dhaka, Bangladesh Aug-Sep 2014
Port Vila, Vanuatu Sep-Oct 2014
Successfully completed
Scheduled to take place
To be confirmed
CTO CIIP Workshops
© Commonwealth Telecommunications Organisation | www.cto.int
Further Information Contact:
Dr Martin Koyabe Email: [email protected] Tel: +44 (0) 208 600 3815 (Off) +44 (0) 791 871 2490 (Mob)
114
Q & A Session