Critical Information Infrastructure Protection
Perspective on Cloud Computing Services
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
Presenter
Dr Martin Koyabe (CTO)
Acknowledgement
Ministry of Transport &
Communications
Botswana
Table of Contents
Session 1: Understanding CIIP & Challenges
Session 2: Cloud Computing Today
Session 3: CIIP Perspective of Cloud Computing
Session 4: Cloud Computing CIIP Scenarios
Session 5: Steps Towards CI Protection
Session 6: Cybersecurity Threat Horizon
Session 7: Commonwealth Cybergovernance model
Session 1:
Understanding CIIP & Challenges
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
General definition
•  Critical Resources
•  Critical Infrastructure
•  Critical Information Infrastructure
Interdependencies
Critical Resources
[Images: Water, Energy, Forests]
Defined by some national governments to include:-
•  Natural & environmental resources (water, energy, forests etc)
•  National monuments & icons, recognized nationally & internationally
Critical Infrastructure (1/3)
[Images: Airports, Power Grid, Roads]
Defined by some national governments to include:-
•  Nation’s public works, e.g. bridges, roads, airports, dams etc
•  Increasingly includes telecommunications, in particular major national and international switches and connections
Critical Infrastructure (2/3)
“ the assets, systems, and networks, whether physical or virtual, so vital to the United States
that their incapacitation or destruction would have a debilitating effect on security, national
economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“ the (CNI) comprises those assets, services and systems that support the economic, political
and social life of the UK whose importance is such that loss could either, cause large-scale
loss of life; have a serious impact on the national economy; have other grave social
consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“ an asset or system which is essential for the maintenance of vital societal functions. The
damage to a critical infrastructure, its destruction or disruption by natural disasters,
terrorism, criminal activity or malicious behaviour, may have a significant negative impact for
the security of the EU and the well-being of its citizens.”
Source: European Union (EU)
Critical Infrastructure (3/3)
“ those physical facilities, supply chains, information technologies and communication
networks which, if destroyed, degraded or rendered unavailable for an extended period,
would significantly impact on the social or economic wellbeing of the nation or affect
Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“ processes, systems, facilities, technologies, networks, assets and services essential to the
health, safety, security or economic well-being of Canadians and the effective functioning of
government. Critical infrastructure can be stand-alone or interconnected and interdependent
within and across provinces, territories and national borders. Disruptions of critical
infrastructure could result in catastrophic loss of life, adverse economic effects, and
significant harm to public confidence.”
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a
debilitating impact on national security, governance, economy and social well-being of a
nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
What about developing countries?
Q) Does your country have a critical
infrastructure framework?
Critical Infrastructure Sectors (1/2)
•  European Commission (EC) provides an indicative list of 11 critical sectors:
–  Energy
–  ICT
–  Water
–  Food
–  Health
–  Financial
–  Public & Legal Order and Safety
–  Civil Administration
–  Transport
–  Chemical and Nuclear Industry
–  Space & Research
Critical Infrastructure Sectors (2/2)
•  Provisional Critical Infrastructure list for Bangladesh:
–  Energy (Oil/Gas)
–  Telecoms
–  Transport (Roads)
–  Monuments/Buildings
–  Water
–  Financial
–  ICT
Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
Critical Information Infrastructure (1/2)
CII definition:-
“ Communications and/or information service whose
availability, reliability and resilience are essential to
the functioning of a modern economy, security, and
other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
Critical Information Infrastructure (2/2)
[Diagram: Critical Infrastructures (Telecoms, Energy, Transportation, Finance/Banking, Government Services, Large Enterprises, End-users) resting on Essential IT Systems and Non-essential IT Systems]
Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors
Cyber security: practices and procedures that enable the secure use and operation of cyber tools and technologies
Critical Information Infrastructure Protection (CIIP)
•  Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
•  ICT or information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
Critical Information Infrastructure Protection (CIIP)
•  Today Critical Information Infrastructure Protection (CIIP)
–  Focuses on protection of IT systems and assets
o  Telecoms, computers/software, Internet, interconnections & network services
–  Ensures Confidentiality, Integrity and Availability
o  Required 24/7 (365 days)
o  Part of the daily modern economy and the existence of any country
[Diagram: CIIP spans the Telecom Network, Power Grid, Water Supply, Public Health, National Defence and Law Enforcement]
CII Attack Scenarios
[Diagram: Telecoms, Health Services, Cloud Services, Finance/Banking and eGovernment all rest on the Critical Information Infrastructure (CII), the cross-cutting ICT interdependencies among all sectors; three threat sources act on it:]
•  Natural disaster, power outage, or hardware failure
•  Resource exhaustion (due to DDoS attack)
•  Cyber attack (due to a software flaw)
Future CII Attack Vectors
•  Expanding Infrastructures
–  Fiber optic connectivity
o  TEAMS/Seacom/EASSy
–  Mobile/Wireless Networks
o  Kenya has 11.6 million Internet users and 31.3 million mobile network subscribers (CAK, 2014)
•  Existence of failed states
–  Increased ship piracy
o  To fund other activities
–  Cyber warfare platforms
o  Doesn’t need troops or military hardware
•  Cyber communities
–  Social Networks – Attacker’s “gold mine”
Global trends towards CIIP
•  Increased awareness for CIIP & cyber security
–  Countries aware that risks to CIIP need to be managed
o  Whether at National, Regional or International level
•  Cyber security & CIIP becoming essential tools
–  For supporting national security & social-economic well-being
•  At national level
–  Increased need to share responsibilities & co-ordination
o  Among stakeholders in prevention, preparation, response & recovery
•  At regional & international level
–  Increased need for co-operation & co-ordination with partners
o  In order to formulate and implement effective CIIP frameworks
Challenges for developing countries
#1: Cost and lack of (limited) financial investment
–  Funds required to establish a CIIP strategic framework can be a hindrance
–  Limited human & institutional resources
[Chart: GDP listed by IMF (2013)]
Challenges for developing countries
#2: Technical complexity in deploying CIIP
–  Need to understand dependencies & interdependencies
o  Especially vulnerabilities & how they cascade
[Diagram: dependency chain from Powerplants → Regional Power Grid → Regional Power Supply, feeding Private D2D links, Private Datacenters, Banks & Trading, Public Administration, Public Datacenters, eGovernment, Online services and cloud computing, Telco sites, switch areas and interconnections, Public eComms, Regional network (cables, wires, trunks), Public Transport, Emergency care (Police, Firefighters, Ambulances) and Emergency Calls]
(99.9%) 8 hr outages are disastrous
(99%) 3 day outages are disastrous
(90%) 30 day outages are disastrous
Challenges for developing countries
#3: Limited knowledge on how to identify and classify critical infrastructure
–  Need to consider business value, scope of population & technical dependency
[Diagram: each Critical Function depends on Infrastructure Elements and Key Resources, each with its own Supply Chain; the interdependencies between them are what make the requirements & complexity hard to understand]
Challenges for developing countries
#4: Need for Cybersecurity education & culture re-think
–  Create awareness on importance of Cybersecurity & CIIP
o  By sharing information on what works & successful best practices
–  Creating a Cybersecurity culture can promote trust & confidence
o  It will stimulate secure usage, ensure protection of data and privacy
Challenges for developing countries
#5: Lack of relevant CII strategies, policies & framework
–  Needs Cybercrime legislation & enforcement mechanisms
–  Setup policies to encourage co-operation among stakeholders
o  Especially through Public-Private-Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer
–  It is important at ALL levels: National, Regional & International
–  Necessary for developing trust relationships among stakeholders
o  Including CERT teams
Session 1: Group Discussions
Question
What’s the CII definition for your country?
Session 2:
Cloud Computing Today
Cloud Computing
Should Cloud Computing be considered a Critical
Information Infrastructure?
Concentration of ICT Resources
•  Earlier approach not scalable and costly
[Diagram: Information Technology resources per each organization or operator, with high capacity links between organizations or operators]
Concentration of ICT Resources
•  Spread associated costs among users
[Diagram: Information Technology resources consolidated in data centres; organizations or operators access resources in the same area]
Cloud Computing Deployment Models
•  Private Cloud (hosted internally or externally)
•  Community Cloud (hosted internally by a member or externally)
•  Public Cloud
•  Hybrid Cloud
Some of the benefits of Cloud Computing
Reduced Capital & Operational Cost
•  Less up-front capital investment
•  Allow companies to increase resource needs
gradually (pay-as-you-go)
Simplify application deployment & management
•  Common programming model across platforms
•  Access to ecosystem of widely deployed applications
•  Integration with existing IT assets
Cloud Computing
Simple definition
Cloud Computing = Software as a Service (SaaS)
+ Platform as a Service (PaaS)
+ Infrastructure as a Service (IaaS)
+ Data as a Service (DaaS)
+ * as a Service (*aaS)
Software as a Service (SaaS)
SaaS characteristics:-
•  From end user’s point of view
•  Applications are located in the cloud
•  Software experiences are delivered online (Internet)
Platform as a Service (PaaS)
PaaS characteristics:-
•  From developer’s point of view (i.e. cloud users)
•  Cloud providers offer an Internet-based platform
•  Developers use the platform to create services
Infrastructure as a Service (IaaS)
IaaS characteristics:-
•  Cloud providers build datacentres
–  Power, scale, hardware, networking, storage, distributed system etc
•  Datacentre as a service
•  Users rent storage, computation & maintenance
Data as a Service (DaaS)
DaaS characteristics:-
•  Data->Information->Knowledge->Intelligence
•  Infrastructure for web data mining & knowledge
•  Empower people with knowledge
•  Enrich apps & services with intelligence
Uptake of Cloud Computing
[Photos: Microsoft's Data Center, San Antonio, Texas; Google's Data Centre, Georgia]
•  Western Europe market to grow to €15B by 2015
•  Amazon AWS carries 1% of all Internet consumer traffic in North America
•  Data centre growth estimated to be in excess of €30B
•  Facebook server farm (Oregon) measures 14000 m2, cost ~ $200M
Who is leading the cloud market today?
Session 2: Group Discussions
Question
What is the level of Cloud Computing
uptake in your country? Is it increasing?
Session 3:
CIIP Perspective of Cloud Computing
Concentration of ICT Resources
Can be a “Double Edged Sword”
•  Large cloud providers can deploy security and business continuity measures and spread the associated cost among the customers.
•  If an outage or security breach occurs, the consequences can be catastrophic, affecting a large number of users and organisations at once.
Concentration of ICT Resources
Japan Earthquake 2011
•  Cloud computing was resilient
•  Cloud services survived power outages
by using emergency fuel
•  Data connections over mobile networks
and fixed networks held up
•  Traditional IT deployments went offline
•  Cloud computing used to get
organizations up and running
Concentration of ICT Resources
Lightning Strike Dublin 2011
•  Took down Amazon & Microsoft services. Outage lasted for 2 days
•  Amazon’s other customers (Foursquare, Reddit & Netflix) were badly affected
•  Amazon’s Elastic Compute Cloud (EC2) and Relational Database Service (RDS) experienced disruption in North Virginia.
•  Amazon US-EAST data centers were cut off from the Internet
Cloud and CIIP
Cloud Computing services can be critical in two ways:
•  Critical in themselves
•  Critical for other critical services
Cloud and CIIP
e.g. Cloud based eHealth Record Platform
Critical in itself
•  But needed for other
emergency health operations,
which are also critical
Critical to other systems
•  Critical to other systems that
depend on the data records
Cloud and CIIP
Most CIIP action plans address two major issues:
(1) Cyber disruptions (or outage) with large impact
[Map: outage caused by undersea cable cut near Alexandria, Egypt (2008); users affected: Pakistan 12M, Egypt 6M, Saudi Arabia 4.7M, UAE 1.7M, Kuwait 0.8M, Qatar 0.3M, India 12M]
Cloud and CIIP
(2) Cyber attacks with a large impact
•  Influenced mainly by interdependencies
[Image: Snapshot of the Internet before an attack on Facebook. Source: NORSE]
CIIP Dependencies (1/4)
Continuity of services & infrastructure dependencies
CIIP Dependencies (2/4)
[Diagram: dependency chain from Powerplants → Regional Power Grid → Regional Power Supply, feeding Private D2D links, Private Datacenters, Banks & Trading, Public Administration, Public Datacenters, eGovernment, Online services and cloud computing, Telco sites, switch areas and interconnections, Public eComms, Regional network (cables, wires, trunks), Public Transport, Emergency care (Police, Firefighters, Ambulances) and Emergency Calls]
(99.9%) 8 hr outages are disastrous
(99%) 3 day outages are disastrous
(90%) 30 day outages are disastrous
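The cascade and outage-tier point that this dependency diagram makes (and that Challenge #2 in Session 1 makes with the same diagram) can be checked mechanically. The Python below is an added example and not part of the workshop deck: the node names are the diagram's boxes, while the edge directions and the per-element availability figures are assumptions constructed for illustration.

```python
"""Cascading-failure and chained-availability walk over the slide's
infrastructure dependency diagram (added example; the edges and the
availability figures are constructed assumptions, not data from the deck)."""
from collections import deque

HOURS_PER_YEAR = 24 * 365

# Each key lists the elements that directly depend on it. Node names are the
# boxes on the slide; the edge directions are an assumed reading of the diagram.
DEPENDENTS = {
    "Powerplants": ["Regional Power Grid"],
    "Regional Power Grid": ["Regional Power Supply"],
    "Regional Power Supply": ["Private Datacenters", "Public Datacenters",
                              "Telco sites, switch areas, interconnections"],
    "Private D2D links": ["Banks & Trading"],
    "Private Datacenters": ["Banks & Trading"],
    "Public Administration": ["eGovernment"],
    "Public Datacenters": ["eGovernment", "Online services, cloud computing"],
    "Telco sites, switch areas, interconnections": ["Public eComms"],
    "Public eComms": ["Regional network, cables, wires, trunks",
                      "Online services, cloud computing", "Emergency Calls"],
    "Regional network, cables, wires, trunks": ["Public Transport"],
    "Emergency Calls": ["Emergency care (Police, Firefighters, Ambulances)"],
}

# Constructed sample figures: fraction of the year each element is up on its
# own, ignoring its upstream dependencies. Elements not listed count as 1.0.
OWN_AVAILABILITY = {
    "Powerplants": 0.9995,
    "Regional Power Grid": 0.999,
    "Regional Power Supply": 0.998,
    "Telco sites, switch areas, interconnections": 0.9995,
    "Public eComms": 0.999,
    "Emergency Calls": 0.9999,
}


def _providers():
    """Reverse index: element -> elements it directly depends on."""
    rev = {}
    for src, deps in DEPENDENTS.items():
        for d in deps:
            rev.setdefault(d, []).append(src)
    return rev


def _reach(start, edges):
    """Breadth-first set of everything reachable from start over edges."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def cascade(failed):
    """All elements whose service is lost, transitively, when `failed` is down."""
    return _reach(failed, DEPENDENTS)


def upstream(element):
    """All elements that `element` transitively depends on."""
    return _reach(element, _providers())


def chain_availability(element):
    """Availability of `element` as its users see it: the element and every
    upstream provider must be up at once, so (assuming independent failures)
    the individual availabilities multiply."""
    avail = OWN_AVAILABILITY.get(element, 1.0)
    for p in upstream(element):
        avail *= OWN_AVAILABILITY.get(p, 1.0)
    return avail


def downtime_budget_hours(availability):
    """Hours per year that an availability target leaves for outages."""
    return (1.0 - availability) * HOURS_PER_YEAR


def outage_tier(availability):
    """Map an availability figure to the slide's three outage tiers."""
    if availability >= 0.999:
        return "99.9%: 8 hr outages are disastrous"
    if availability >= 0.99:
        return "99%: 3 day outages are disastrous"
    return "90%: 30 day outages are disastrous"


if __name__ == "__main__":
    print("Powerplant failure cascades to:", sorted(cascade("Powerplants")))
    elem = "Emergency Calls"
    own, chain = OWN_AVAILABILITY[elem], chain_availability(elem)
    print(f"{elem}: own {own:.4%} -> {outage_tier(own)}")
    print(f"{elem}: with upstream chain {chain:.4%} -> {outage_tier(chain)}")
    print(f"  yearly downtime budget: {downtime_budget_hours(chain):.1f} h")
```

With these sample figures an emergency-call service that is itself in the 99.9% tier drops into the 99% tier once its power and telco chain is counted, which is the cascade the slide warns about.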
CIIP Dependencies (3/4)
Software as a service dependencies
CIIP Dependencies (4/4)
[Diagram: software-as-a-service dependencies among Hospitals, Power plant, Air traffic controllers, IT vendor for Office software, Banks and Public administration]
Session 3: Group Discussions
Question
List (at least 3) known incidents/cases of
CII related attacks in the recent past in
your country? Discuss any remedies taken
(if known).
Session 4:
Cloud Computing CIIP Scenarios
Cloud Computing CIIP Scenarios
CII attack vectors
[Diagram: Telecoms, Health Services, Cloud Services, Finance/Banking and eGovernment all rest on the Critical Information Infrastructure (CII), the cross-cutting ICT interdependencies among all sectors; three threat sources act on it:]
•  Natural disaster, power outage, or hardware failure
•  Resource exhaustion (due to DDoS attack)
•  Cyber attack (due to a software flaw)
Cloud Computing CIIP Scenarios
Four (4) scenarios where Cloud Computing is critical
(1) Financial Services
Source: New York Stock Exchange (NYSE)
Cloud Computing CIIP Scenarios
Trading Platform (SaaS)
[Diagram: Traders → Operator → duplicated Datacenters]
•  Data Centers: all systems are duplicated
•  Private network, dedicated links: duplicated connection between datacenters
•  Public Internet or telephony: connecting traders to datacenters
•  Traders platform: web-interface access
Cloud Computing CIIP Scenarios
Key Points:
•  Software flaw can impact wide range of organisations directly
•  Consider creating ‘logical redundancy’ in addition to ‘physical
redundancy’
Cloud Computing CIIP Scenarios
(2) Health Services
•  By 2016 about 30% of the IT budget of healthcare organisations would be devoted to cloud computing based expenses
•  73% plan to make greater use of cloud-based technologies in the future
Source: Accenture
Cloud Computing CIIP Scenarios
eHealth Record Platform (SaaS)
[Diagram: Hospitals → duplicated Datacenters]
•  Data Centers: all systems are duplicated
•  Private network, dedicated links: duplicated connection between datacenters
•  Public Internet or telephony: connecting hospitals to datacenters
•  eHealth platform: web-interface access
Cloud Computing CIIP Scenarios
Key Point:
•  Cloud computing is expected to bring additional efficiency gains in health care service provision
“APT 18” launched the attack
Said to have links with the Chinese government and to be behind targeted attacks on companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries.
Source: FireEye Inc
TDoS Attack
Telephony Denial of Service (TDoS) attack targets emergency response services in critical services such as health care
Cloud Computing CIIP Scenarios
(3) e-Government Services
•  UK Gov Cloud app store “GovStore” has over
1,700 information & communication services
available to the UK public sector
Source: http://govstore.service.gov.uk
Cloud Computing CIIP Scenarios
eGovernment platform
[Diagram: eGov Websites → duplicated Datacenters]
•  Data Centers: all systems are duplicated
•  Private network, dedicated links: duplicated connection between datacenters
•  Public Internet or telephony: connecting eGov to datacenters
•  Web-interface access (SaaS)
•  Gov cloud app store (PaaS)
Cloud Computing CIIP Scenarios
Key Point:
•  eGovernment services need to be resilient at all levels of attacks
Cloud Computing CIIP Scenarios
(4) Cloud Services
Cloud Computing CIIP Scenarios
Infrastructure or platform as a service (PaaS)
[Diagram: Webmail provider (SaaS), Online backup service (SaaS) and eGovernment applications (SaaS) running on a government app store (PaaS), all hosted on duplicated Datacenters]
•  Data Centers: all systems are duplicated
•  Private network, dedicated links: duplicated connection between datacenters
•  Public Internet or telephony: connecting eGov to datacenters
Cloud Computing CIIP Scenarios
Key Point:
•  A failure at an IaaS/PaaS provider can have an impact across a range of organisations, affecting many end-users.
Session 4: Group Discussions
Question
What practical measures need to be taken
to enhance CII resilience, especially the
Cloud Infrastructure?
Session 5:
Steps towards CI Protection
Steps towards CI Protection
(1) Establish CIP Goals, e.g.
•  Critical Infrastructure (CI): Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
•  Understand Critical Infrastructure (CI) Risks: CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
•  Articulate CIP policy/goals: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
•  Establish Public-Private Partnerships: National CIP framework includes relevant government entities, as well as establishing public private partnerships involving corporate and non-governmental organizations.
Steps towards CI Protection
(2) Define CIP Roles
•  Government: Define Policy and Identify Roles
–  Define CIP goal and roles
•  Public-Private Partnership: Determine Acceptable Risk Levels
–  Define what’s critical
–  Prioritize Risks
•  Infrastructure Operators & Service Providers
–  Deploy best control solutions
[Cycle: Assess Risks → Identify Controls and Mitigations → Implement Controls → Measure Effectiveness]
Steps towards CI Protection
[Diagram: stakeholders arranged across Government, Shared and Private columns: CIP Coordinator (Executive Sponsor), Law Enforcement, Sector Specific Agency, Computer Emergency Response Team (CERT), Public Private Partnership, Infrastructure owners and operators, IT vendors and solution providers]
Steps towards CI Protection
(3) Identify & Prioritize Critical Functions
[Diagram: each Critical Function depends on Infrastructure Elements and Key Resources, each with its own Supply Chain; interdependencies: understand requirements & complexity]
•  Understand the critical functions, infrastructure elements, and key resources necessary for
–  Delivering essential services
–  Maintaining the orderly operations of the economy
–  Ensuring public safety.
Steps towards CI Protection
(4) Continuously Assess and Manage Risks
•  Assess Risks
–  Identify key functions
–  Assess risks
–  Evaluate consequences
•  Identify Controls and Mitigations
–  Define functional requirements
–  Evaluate proposed controls
–  Estimate risk reduction/cost benefit
–  Select mitigation strategy
•  Implement Controls
–  Based on holistic approach
–  Implement defense in-depth
–  Organize by control effectiveness
•  Measure Effectiveness
–  Evaluate program effectiveness
–  Leverage findings to improve risk management
Steps towards CI protection
(5) Establish & Exercise Emergency Plans
•  Develop joint PPP plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents.
•  Create emergency response plans to mitigate damage and promote resiliency.
•  Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
•  Test and exercise emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations.
•  Exercises also provide an important opportunity by identifying new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Steps towards CII protection
(5) Establish Public Private Partnership (PPP)
•  Promote trusted relationships needed for information sharing and collaborating on difficult problems
•  Leverage the unique skills of government and private sector organizations
•  Provide the flexibility needed to collaboratively address today’s dynamic threat environment
Steps towards CII protection
(6) Build Security & Resiliency into Operations
•  Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions
•  Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
Steps towards CII protection
(7) Update & Innovate Technology and Processes
•  Cyber threats are constantly evolving
•  All CIP stakeholders need to prepare for changes in cyber threats
•  Constantly monitor trends and changes in critical function dependencies
•  Keep systems patched and maintain the latest software versions
•  Adopt smart & effective procedures and processes
Session 5: Group Discussions
Question
•  What should be the additional roles and
responsibilities of the state?
•  What investment is required to address CIIP
vulnerabilities & threats?
•  How should the private sector & government
work on CIIP and build trust?
Session 6:
Cybersecurity Threat Horizon
Relevant trends in Africa today (1/2)
•  Increased penetration of smart phones
–  Lower costs (~$80) have increased user uptake
–  Other models Tecno (China), Wiko (France) & Infinix (Hong Kong)
–  Will increase from 17% (2014) to 34% (2018)
•  Africa leads mobile subscriptions
–  55% (1.3 billion) from developing countries
•  Rapid growth of eCommerce
–  Websites such as Jumia, Cheki & OLX
[Chart: mobile subscriptions, 45% Developed Countries, 55% Developing Countries]
Relevant trends in Africa today (2/2)
•  Expanding Infrastructure
–  SAT3/GLO/WACS/ACE etc, e.g. 6Km of Fibre in Cameroon
•  Mobile money transfer
–  Increasingly growing, e.g. M-Pesa has 16.8 Million customers
–  Handles >$1 Billion transactions per month in Kenya alone
–  Nigeria – introduced digital ID and transaction card
•  Social media
–  78% of internet usage in Africa is for social media
–  Estimated to contribute $230 Billion to Africa’s growth by 2025
Emerging Cyber Threats (1/3)
•  2014 global cyber attacks assessment shows
–  Africa accounted for 4% of security incidents worldwide
–  Every 1 second, 18 adults are victims of cybercrime
–  1.5 million victims globally per day
•  Financial fraud
–  Africa’s major cities like Cairo, Johannesburg, Lagos and Nairobi experience many cases of financial fraud
–  African countries are becoming targets & sources of malicious Internet activities
•  Software piracy and lack of updated software
–  Home user PCs remain vulnerable to cyber attacks
Emerging Cyber Threats (2/3)
•  Use of ICT to commit acts of terrorism
–  Planning, co-ordination, implementation and promotion, for example by Boko Haram, ISIS, Al-Shabaab & Al-Qaida etc
–  Creates socio-economic problems. For example, the Westgate Mall attack in Kenya: 67 people killed and nearly $200 million lost in tourism revenue
[Image caption: Teenage girls in the UK who flew to Syria via Turkey]
Emerging Cyber Threats (3/3)
•  Cyber attacks targeting government websites
–  Defacement of websites, motivated by individual reasons
o  Nigerian defence HQ attacked for fighting Boko Haram
o  Ghana (gov.gh) portal attacked (11 out of 58 sites attacked)
o  Senegalese ICT agency site attacked, linked to Charlie Hebdo
•  Social media
–  Reputational attacks and defamation are a new form of cyber attack
–  Anonymity on social networks: could tools such as Yik Yak be used for cyber bullying?
Cybersecurity challenges facing Africa
•  Low level of security provisions
–  Inadequate control and lack of information risk assessment
•  Lack of technical know-how
–  Inability to monitor and defend national networks
•  Need to develop necessary legal frameworks
–  21 countries in Africa have proposed legislation
•  Cross-boundary challenges of Cybersecurity
–  Inability to prosecute and apprehend at source
•  Limited levels of awareness
–  Regulators, military, law enforcement, judiciary, legislators
Policy, Legal & Regulatory Considerations
Success of the above needs full government support
•  Legal framework
–  Lack of Cybersecurity legislation affects businesses
–  Needs technology to support enforcement
•  Regional harmonisation of policy & legal frameworks
–  Global good, needs national, regional & international actions
•  Co-ordination and cooperation is a MUST
–  Cybersecurity is a cross-boundary issue
–  Needed to combat ICT fraud, hacking, child pornography and copyright infringement
–  Creates uniformity in procedures and processes
Technology Considerations
Success of the above needs full government support
•  Development of infrastructure
–  Develop reliable, resilient and available connectivity
•  Need to establish & enhance national CERTs
–  Create sectoral CERTs
o  Finance, Energy, Transport, Military, Maritime, SMEs etc
–  Harmonise regional CERTs or CIRTs
•  Best practice in Cyber governance
–  Encourage use of country Top Level Domain (TLD) names
Capacity building, Research & Innovation Considerations
Success of the above needs full government support
•  Cybersecurity is complex & challenging
–  Develop technical skills through training & collaborations
–  Use expertise from the Diaspora
•  Cultivate a culture of Cybersecurity awareness
–  CERTs must be proactive rather than reactive
–  Engage in capacity building initiatives with ALL stakeholders
•  Best practice in Cyber governance
–  Encourage use of country Top Level Domain (TLD) names
–  Have an effective data protection act
Session 7:
Commonwealth Cybergovernance Model
Trends in Cyberspace
•  Cyberspace provides access to ICT
–  Bridging the digital divide and influencing socio-economic activities
•  Cyberspace is increasingly becoming a global system
–  Anticipated to grow from 2 to 4 billion users by 2020 (mostly from developing countries)
•  Cyberspace is open, decentralised and empowering
–  This has fostered innovation, collaboration and rapid development
•  Cyberspace success depends on its infrastructure
–  Infrastructure should be secure, resilient and available to users
•  Cyberspace can also be used for criminal activities
–  Cybercrime, extremism and other social crimes
Why a Commonwealth Model
•  Contrasting views are emerging across the world on governing Cyberspace
•  Harmonisation is critical to facilitate growth and to realise the full potential of Cyberspace
•  The Commonwealth family subscribes to common values and principles which are equally applicable to Cyberspace
•  CTO is the Commonwealth agency mandated in ICTs
•  The project was launched at the 53rd Council meeting of the CTO in Abuja, Nigeria (9th Oct 2013)
•  Wide consultations with stakeholders
•  Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th March 2014 in London
Objectives
The Cybergovernance Model aims to guide Commonwealth members in:-
–  Developing policies, legislation and regulations
–  Planning and implementing practical technical measures
–  Fostering cross-border collaboration
–  Building capacity
Commonwealth Values in Cyberspace
•  Based on the Commonwealth Charter of March 2013
–  Democracy, human rights and rule of law
•  The Charter expressed the commitment of member states to
–  The development of free and democratic societies
–  The promotion of peace and prosperity to improve the lives of all peoples
–  Acknowledging the role of civil society in supporting Commonwealth activities
•  Cyberspace today and tomorrow should respect and reflect the Commonwealth Values
–  This has led to defining Commonwealth principles for use of Cyberspace
Commonwealth Principles for use of Cyberspace
Principle 1: We contribute to a safe and an effective global Cyberspace
•  as a partnership between public and private sectors, civil society and users, a collective creation;
•  with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;
•  where investment in the Cyberspace is encouraged and rewarded;
•  by providing sufficient neutrality of the network as a provider of information services;
•  by offering stability in the provision of reliable and resilient information services;
•  by having standardisation to achieve global interoperability;
•  by enabling all to participate with equal opportunity of universal access;
•  as an open, distributed, interconnected internet;
•  providing an environment that is safe for its users, particularly the young and vulnerable;
•  made available to users at an affordable price.
Commonwealth Principles for use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic and social development
•  by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;
•  respecting cultural and linguistic diversity without the imposition of beliefs;
•  promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system;
•  allowing free association and interaction between individuals across borders;
•  supporting and enhancing digital literacy;
•  providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;
•  enabling and promoting multi-stakeholder partnerships;
•  facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.
Commonwealth Principles for use of Cyberspace
Principle 3: We act individually and collectively to tackle cybercrime
•  nations, organisations and society work together to foster respect for the law;
•  to develop relevant and proportionate laws to tackle Cybercrime effectively;
•  to protect our critical national and shared infrastructures;
•  meeting internationally-recognised standards and good practice to deliver security;
•  with effective government structures working collaboratively within and between states;
•  with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.
Commonwealth Principles for use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace
•  we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;
•  individuals, organisations and nations are empowered through their access to knowledge;
•  users benefit from the fruits of their labours; intellectual property is protected accordingly;
•  users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;
•  responsible behaviour demands users all meet minimum Cyberhygiene requirements;
•  we protect the vulnerable in society in their use of Cyberspace;
•  we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.
Commonwealth Approach for Developing National Cybersecurity Strategies
Development of a National Cybersecurity Strategy
•  Needs support from the highest levels of government
•  Adopt a multi-stakeholder partnership (private sector, public sector & civil society)
•  Draw on the expertise of the international community
•  Appoint a lead organisation or institution
•  Be realistic and sympathetic to the commercial considerations of the private sector
•  Add mechanisms to monitor & validate implementation
Main elements of a Cybersecurity Strategy
•  Introduction and background
•  Guiding principles
•  Vision and strategic goals
•  Specific objectives
•  Stakeholders
•  Strategy implementation
Introduction & Background
•  Focuses on the broad context
•  Sets out the importance of Cybersecurity to national development
•  Assesses the current state of Cybersecurity and its challenges
STRATEGY COMPONENT: 1. Introduction / background
ASPECTS TO CONSIDER:
This section provides a succinct background of the country's circumstances and the status of its Cybersecurity.
•  Explain the importance of Cybersecurity to economic and social development.
•  Describe the use of Cyberspace and the nature of Cybersecurity challenges to justify the need for the Cybersecurity strategy.
•  Explain the relationship to existing national strategies and initiatives.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
Uganda's introduction covers:
•  The definition of information security
•  The justification for a strategy
•  Country analysis of the current state of the information security framework
•  Strategy guiding principles
•  Vision, mission, strategic objectives
Note that this example covers the first three sections in this framework.
Guiding Principles (1/2)
•  Based on Commonwealth Cybergovernance principles
•  Balance security goals & privacy/protection of civil liberties
•  Risk-based (threats, vulnerabilities, and consequences)
•  Outcome-focused (rather than the means to achieve it)
•  Prioritised (graduated approach focusing on critical issues)
•  Practicable (optimise for the largest possible group)
•  Globally relevant (harmonised with international standards)
Guiding Principles (2/2)
STRATEGY COMPONENT: 2. Guiding principles
ASPECTS TO CONSIDER:
This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
•  Build from the principles of the Commonwealth Cybergovernance model.
•  Include any relevant national principles.
•  Describe the delivery principles that guide the design of the goals, vision and objectives.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
In addition to the Commonwealth Cybergovernance principles and national principles, the following delivery principles are recommended:
•  Risk-based. Assess risk by identifying threats, vulnerabilities, and consequences, then manage the risk through mitigations, controls, costs, and similar measures.
•  Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
•  Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
•  Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
•  Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonisation in mind wherever possible.
Visions & Strategic Goals
•  Promote economic development
•  Provide national leadership
•  Tackle cybercrime
•  Strengthen the critical infrastructure
•  Raise and maintain awareness
•  Achieve shared responsibility
•  Defend the value of Human Rights
•  Develop national and international partnerships
STRATEGY COMPONENT: 3. Strategic goals and vision
ASPECTS TO CONSIDER:
This section defines what success looks like in broad summary terms and reflects the country's priorities.
•  Make a clear statement of the country's commitment to protecting the use of its Cyberspace
•  Emphasise the breadth of the use of Cyberspace: covering social and economic activity
•  Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
Australia's vision: "The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia's national security and maximises the benefits of the digital economy"
Three pillars of the Australian strategy:
•  All Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online;
•  Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
•  The Australian Government ensures its information and communications technologies are secure and resilient.
Four pillars of the UK strategy:
•  Tackle cybercrime and be one of the most secure places in the world to do business in cyberspace;
•  To be more resilient to cyber attacks and better able to protect our interests in cyberspace;
•  To have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;
•  To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.
Specific Objectives
•  Provide a national governance framework for securing Cyberspace
•  Enhance the nation's preparedness to respond to the challenges of Cyberspace
•  Strengthening Cyberspace and national critical infrastructure
•  Securing national ICT systems to attract international businesses
•  Building a secure, resilient and reliable Cyberspace
•  Building relevant national and international partnerships and putting effective political-strategic measures in place to promote Cyber safety
•  Developing a culture of Cybersecurity awareness among citizens
•  Promoting a culture of "self protection" among businesses and citizens
•  Creating a secure Cyber environment for protection of businesses and individuals
•  Building skills and capabilities needed to address Cybercrime
•  Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence
STRATEGY COMPONENT: 4. Risk management (risk-based approach objectives)
ASPECTS TO CONSIDER:
How the risk management process works, and then setting objectives and priorities.
This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities.
•  How risk management is currently performed, for example for national security.
•  Sources of threat information and of major vulnerabilities.
•  How granular to make the outcomes and objectives.
•  How frequently to repeat the risk assessment process.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
Source: Microsoft's guidance, listed in appendix 3:
•  A clear structure for assessing and managing risk
•  Understand national threats and major vulnerabilities
•  Document and review risk acceptance and exceptions
•  Set clear security priorities consistent with the principles
•  Make national cyber risk assessment an on-going process
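The "Risk-based" and "Prioritised" delivery principles and the risk-management section above describe a process in words only. The following is an added illustration, not code from the deck or from the CTO, of what a minimal national CII risk register implementing those points looks like: each asset is scored on threat likelihood, vulnerability and consequence, scores are placed in graduated tiers so attention goes to what is critical, documented risk acceptances carry a review date so the assessment stays an on-going process, and expired acceptances are surfaced for re-review. The 1-5 scales, the product scoring, the tier thresholds, the assessment date and the sample assets are all assumptions chosen for the example.

```python
"""Illustrative risk-based, prioritised register for critical information infrastructure.

Added example (not from the CTO deck). Scales, thresholds, the assessment date
and the sample assets below are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

AS_OF = date(2015, 3, 23)  # assumed assessment date


@dataclass
class RiskAcceptance:
    """A documented decision to accept a risk; it must be re-reviewed by review_by."""
    accepted_by: str
    rationale: str
    review_by: date


@dataclass
class CiiAsset:
    name: str
    sector: str
    likelihood: int     # 1-5: how likely a credible threat acts on the asset
    vulnerability: int  # 1-5: how exploitable it is given current controls
    consequence: int    # 1-5: national impact if disrupted (not uniform across sectors)
    acceptance: Optional[RiskAcceptance] = None

    def score(self) -> int:
        """Threat x vulnerability x consequence, range 1..125 (assumed scoring)."""
        for label, value in (("likelihood", self.likelihood),
                             ("vulnerability", self.vulnerability),
                             ("consequence", self.consequence)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} must be 1-5, got {value}")
        return self.likelihood * self.vulnerability * self.consequence


def tier(score: int) -> str:
    """Graduated tiers (assumed thresholds) so effort is focused on what is critical."""
    if score >= 60:
        return "critical"
    if score >= 27:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


def prioritise(assets: List[CiiAsset]) -> List[Tuple[str, str, int, str]]:
    """Return (name, sector, score, tier) ordered by score, highest first."""
    ranked = sorted(assets, key=lambda a: (-a.score(), a.name))
    return [(a.name, a.sector, a.score(), tier(a.score())) for a in ranked]


def sector_exposure(assets: List[CiiAsset]) -> Dict[str, int]:
    """Highest score per sector: makes the non-uniform impact across sectors visible."""
    exposure: Dict[str, int] = {}
    for a in assets:
        exposure[a.sector] = max(exposure.get(a.sector, 0), a.score())
    return exposure


def _acceptance_valid(asset: CiiAsset, today: date) -> bool:
    return asset.acceptance is not None and asset.acceptance.review_by >= today


def expired_acceptances(assets: List[CiiAsset], today: date) -> List[str]:
    """Accepted risks whose review date has passed and must be re-assessed."""
    return sorted(a.name for a in assets
                  if a.acceptance is not None and a.acceptance.review_by < today)


def open_items(assets: List[CiiAsset], today: date) -> List[str]:
    """Critical/high assets with no valid acceptance: these need a mitigation decision."""
    ranked = sorted(assets, key=lambda a: (-a.score(), a.name))
    return [a.name for a in ranked
            if tier(a.score()) in ("critical", "high")
            and not _acceptance_valid(a, today)]


# Constructed sample register for the example; not real national data.
SAMPLE_ASSETS = [
    CiiAsset("National payment switch", "finance", 4, 3, 5),
    CiiAsset("Mobile money platform", "finance", 4, 2, 5,
             RiskAcceptance("CIP Coordinator", "Operator hardening in progress",
                            date(2015, 1, 31))),
    CiiAsset("Grid SCADA network", "energy", 3, 4, 5),
    CiiAsset("Government web portal", "government", 5, 4, 2,
             RiskAcceptance("Sector agency", "Defacement is low-consequence; CERT monitors",
                            date(2015, 9, 30))),
    CiiAsset("Submarine cable landing station", "telecoms", 2, 2, 5),
    CiiAsset("Water telemetry network", "water", 2, 3, 3),
]

if __name__ == "__main__":
    for name, sector, score, t in prioritise(SAMPLE_ASSETS):
        print(f"{t:9} {score:3}  {sector:11} {name}")
    print("sector exposure:", sector_exposure(SAMPLE_ASSETS))
    print("expired acceptances:", expired_acceptances(SAMPLE_ASSETS, AS_OF))
    print("needs decision:", open_items(SAMPLE_ASSETS, AS_OF))
```

Running it ranks the grid SCADA network and the payment switch as critical, shows the government portal as high-scoring but covered by a documented, still-valid acceptance, and flags the mobile money platform because its acceptance lapsed before the assessment date. Re-running the register on a schedule is what turns the static list into the on-going process the guidance calls for.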
Stakeholders
[Diagram: stakeholder map grouped as Government, Shared and Private: CIP Coordinator (Executive Sponsor); Law Enforcement; Sector Specific Agency; Computer Emergency Response Team (CERT); Public Private Partnership; International Organisations; Infrastructure owners and operators; IT vendors and solution providers]
STRATEGY COMPONENT: 4. Stakeholders
ASPECTS TO CONSIDER:
This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5).
•  Identify all relevant key stakeholders, taking into consideration country objectives and focus areas
•  Identify key international stakeholders and partners that could contribute effectively
•  Draw stakeholders from governmental and non-governmental organisations, civil societies, academia, public and private sectors of the economy. Should include but not be limited to software and equipment vendors, owners and operators of CII, law enforcement institutions etc.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
In constructing the list of stakeholders, the following constituencies should be considered:
•  ministers and other politicians;
•  government departments concerned with ICT, telecommunications and information security;
•  private sector organisations that provide ICT services;
•  government departments whose responsibilities rely upon or who engage with Cyberspace, including: most economic activity, trade, tourism, law enforcement;
•  providers of the critical national infrastructure whose vital communications are increasingly carried across the internet;
•  companies across the economy that rely upon Cyberspace, often represented by trade associations;
•  representatives of civil society, often in the form of groups that reflect broad public opinion and can advise on the best way to achieve outcomes involving the public;
•  civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
•  experts who understand how Cyberspace works, from a technical perspective, to ensure that government strategies are practical;
•  academia who can advise on R&D, international best practice, emerging issues;
•  international bodies such as the Commonwealth Telecommunications Organisation;
•  other countries, particularly regional countries.
Strategy Implementation
•  Governance and management structure
•  Legal and regulatory framework
•  Capacity development
•  Awareness and outreach programmes
•  Incident response
–  Incentivise commercial competitors to cooperate
–  Create national CERTs (including sector-based CERTs)
•  Stakeholder collaboration
•  Research and development
•  Monitoring and evaluation
What Next? Upcoming CIIP Workshops
CTO CIIP Workshops
•  Yaounde, Cameroon: Jan-Feb 2015
•  Nairobi, Kenya: Nov 2014
•  Colombo, Sri Lanka / Dhaka, Bangladesh: Aug-Sep 2014
•  Port Vila, Vanuatu: Sep-Oct 2014
[Map legend: Successfully completed / Scheduled to take place / To be confirmed]
Further Information Contact:
Dr Martin Koyabe
Email: m.koyabe@cto.int
Tel: +44 (0) 208 600 3815 (Off)
     +44 (0) 791 871 2490 (Mob)
Q & A Session

Contenu connexe

Tendances

Information security management
Information security managementInformation security management
Information security management
UMaine
 
An Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery PlanningAn Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery Planning
NEBizRecovery
 
Infrastructure security
Infrastructure security Infrastructure security
Infrastructure security
Adhar kashyap
 
Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1
AfiqEfendy Zaen
 

Tendances (20)

5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
 
009.itsecurity bcp v1
009.itsecurity bcp v1009.itsecurity bcp v1
009.itsecurity bcp v1
 
Cyber security 07
Cyber security 07Cyber security 07
Cyber security 07
 
Technology Alignment Framework
Technology Alignment FrameworkTechnology Alignment Framework
Technology Alignment Framework
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation Slides
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architecture
 
System security
System securitySystem security
System security
 
Cyber security of critical infrastructure
Cyber security of critical infrastructure Cyber security of critical infrastructure
Cyber security of critical infrastructure
 
Chapter 5: Asset Management
Chapter 5: Asset ManagementChapter 5: Asset Management
Chapter 5: Asset Management
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your Organziation
 
Information security management
Information security managementInformation security management
Information security management
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Cyber security and safety
Cyber security and safetyCyber security and safety
Cyber security and safety
 
An Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery PlanningAn Introduction to Disaster Recovery Planning
An Introduction to Disaster Recovery Planning
 
Disaster Recovery Plan / Enterprise Continuity Plan
Disaster Recovery Plan / Enterprise Continuity PlanDisaster Recovery Plan / Enterprise Continuity Plan
Disaster Recovery Plan / Enterprise Continuity Plan
 
Infrastructure security
Infrastructure security Infrastructure security
Infrastructure security
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1
 
Data Security Explained
Data Security ExplainedData Security Explained
Data Security Explained
 

Similaire à Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed

CTO-Cybersecurity-2010-Dr. Martin Koyabe
CTO-Cybersecurity-2010-Dr. Martin KoyabeCTO-Cybersecurity-2010-Dr. Martin Koyabe
CTO-Cybersecurity-2010-Dr. Martin Koyabe
segughana
 
ITU Committed to connecting the world
ITU Committed to connecting the worldITU Committed to connecting the world
ITU Committed to connecting the world
Dr Lendy Spires
 
Protecting Critical Infrastructure: a multi-layered approach
Protecting Critical Infrastructure: a multi-layered approachProtecting Critical Infrastructure: a multi-layered approach
Protecting Critical Infrastructure: a multi-layered approach
ITU
 
Cybersecurity Event 2010
Cybersecurity Event 2010Cybersecurity Event 2010
Cybersecurity Event 2010
segughana
 

Similaire à Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed (20)

CTO-Cybersecurity-2010-Dr. Martin Koyabe
CTO-Cybersecurity-2010-Dr. Martin KoyabeCTO-Cybersecurity-2010-Dr. Martin Koyabe
CTO-Cybersecurity-2010-Dr. Martin Koyabe
 
Critical Infrastucture Protection: a strategic opportunity for countries’ mod...
Critical Infrastucture Protection: a strategic opportunity for countries’ mod...Critical Infrastucture Protection: a strategic opportunity for countries’ mod...
Critical Infrastucture Protection: a strategic opportunity for countries’ mod...
 
CIP eu 2016 114(-8)
CIP eu 2016 114(-8)CIP eu 2016 114(-8)
CIP eu 2016 114(-8)
 
ITU Committed to connecting the world
ITU Committed to connecting the worldITU Committed to connecting the world
ITU Committed to connecting the world
 
Why the Private Sector is Key to Cyber Defence
Why the Private Sector is Key to Cyber DefenceWhy the Private Sector is Key to Cyber Defence
Why the Private Sector is Key to Cyber Defence
 
The importance of cie in the digital era
The importance of cie in the digital eraThe importance of cie in the digital era
The importance of cie in the digital era
 
Measuring digital development - ITU -Development sector

Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed

  • 2. Critical Information Infrastructure Protection Perspective on Cloud Computing Services CIIP Workshop Gaborone, Botswana 23 – 24 March 2015 Presenter Dr Martin Koyabe (CTO)
  • 3. Acknowledgement Ministry of Transport & Communications Botswana
  • 4. Table of Contents Session 1: Understanding CIIP & Challenges Session 2: Cloud Computing Today Session 3: CIIP Perspective of Cloud Computing Session 4: Cloud Computing CIIP Scenarios Session 5: Steps Towards CI Protection Session 6: Cybersecurity Threat Horizon Session 7: Commonwealth Cybergovernance Model
  • 5. Session 1: Understanding CIIP & Challenges Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  • 6. © Commonwealth Telecommunications Organisation | www.cto.int Understanding CIIP •  Critical Resources General definition •  Critical Infrastructure •  Critical Information Infrastructure Interdependencies
  • 7. Critical Resources (images: Water, Energy, Forests) Defined by some national governments to include:- •  Natural & environmental resources (water, energy, forests etc) •  National monuments & icons, recognized nationally & internationally
  • 8. Critical Infrastructure (1/3) (images: Airports, Power Grid, Roads) Defined by some national governments to include:- •  Nation’s public works, e.g. bridges, roads, airports, dams etc •  Increasingly includes telecommunications, in particular major national and international switches and connections
  • 9. Critical Infrastructure (2/3) “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Source: US Homeland Security “the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.” Source: UK Centre for the Protection of National Infrastructure (CPNI) “an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.” Source: European Union (EU)
  • 10. Critical Infrastructure (3/3) “those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.” Source: The Australian, State & Territory Government “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.” Source: Government of Canada “those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation” Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
  • 11. What about developing countries? Q) Does your country have a critical infrastructure framework?
  • 12. Critical Infrastructure Sectors (1/2) •  The European Commission (EC) provides an indicative list of 11 critical sectors: Energy; ICT; Water; Food; Health; Financial; Public & Legal Order and Safety; Civil Administration; Transport; Chemical and Nuclear Industry; Space & Research
  • 13. Critical Infrastructure Sectors (2/2) •  Provisional Critical Infrastructure list for Bangladesh: Energy (Oil/Gas); Telecoms; Transport (Roads); Monuments/Buildings; Water; Financial; ICT Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
  • 14. Critical Information Infrastructure (1/2) CII definition:- “Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.” Rueschlikon Conference on Information Policy Report, 2005
  • 15. Critical Information Infrastructure (2/2) (diagram) Critical Infrastructures: Telecoms, Energy, Transportation, Finance/Banking, Government Services, Large Enterprises, End-users. Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors. Cyber security: practices and procedures that enable the secure use and operation of cyber tools and technologies. Each sector is split into Essential IT Systems and Non-essential IT Systems.
  • 16. Critical Information Infrastructure Protection (CIIP) •  Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity. •  ICT or information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
  • 17. Critical Information Infrastructure Protection (CIIP) •  Today Critical Information Infrastructure Protection (CIIP) –  Focuses on protection of IT systems and assets o  Telecoms, computers/software, Internet, interconnections & network services –  Ensures Confidentiality, Integrity and Availability o  Required 24/7 (365 days) o  Part of the daily modern economy and the existence of any country (diagram: Telecom Network, Power Grid, Water Supply, Public Health, National Defence, Law Enforcement)
  • 18. CII Attack Scenarios (diagram) Critical Information Infrastructure (CII): Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment, with cross-cutting ICT interdependencies among all sectors. Attack scenarios: natural disaster, power outage, or hardware failure; resource exhaustion (due to DDoS attack); cyber attack (due to a software flaw)
  • 19. Future CII Attack Vectors •  Expanding Infrastructures –  Fiber optic connectivity o  TEAMS/Seacom/EASSy –  Mobile/Wireless Networks o  Kenya has 11.6 million Internet users and 31.3 million mobile network subscribers (CAK, 2014) •  Existence of failed states –  Increased ship piracy o  To fund other activities –  Cyber warfare platforms o  Doesn’t need troops or military hardware •  Cyber communities –  Social Networks: an attacker’s “gold mine”
  • 20. Global trends towards CIIP •  Increased awareness of CIIP & cyber security –  Countries are aware that risks to CIIP need to be managed o  Whether at National, Regional or International level •  Cyber security & CIIP becoming essential tools –  For supporting national security & social-economic well-being •  At national level –  Increased need to share responsibilities & co-ordination o  Among stakeholders in prevention, preparation, response & recovery •  At regional & international level –  Increased need for co-operation & co-ordination with partners o  In order to formulate and implement effective CIIP frameworks
  • 21. Challenges for developing countries #1: Cost and lack of (limited) financial investment –  Funds required to establish a CIIP strategic framework can be a hindrance –  Limited human & institutional resources (chart) Source: GDP listed by IMF (2013)
  • 22. Challenges for developing countries #2: Technical complexity in deploying CIIP –  Need to understand dependencies & interdependencies o  Especially vulnerabilities & how they cascade (dependency diagram: Powerplants; Regional Power Grid; Regional Power Supply; Private D2D links; Private Datacenters; Banks & Trading; Public Administration; Public Datacenters; eGovernment; Online services, cloud computing; Telco sites, switch areas, interconnections; Public eComms; Regional network, cables, wires, trunks; Public Transport; Emergency care (Police, Firefighters, Ambulances); Emergency Calls. Availability tiers: at 99.9%, 8 hr outages are disastrous; at 99%, 3 day outages are disastrous; at 90%, 30 day outages are disastrous)
  • 23. Challenges for developing countries #3: Limited knowledge on how to identify and classify critical infrastructure –  Need to consider business value, scope of population & technical dependency (diagram: Critical Function, Infrastructure Element and Key Resource, each with its own Supply Chain; interdependencies; understand requirements & complexity)
  • 24. Challenges for developing countries #4: Need for Cybersecurity education & culture re-think –  Create awareness of the importance of Cybersecurity & CIIP o  By sharing information on what works & successful best practices –  Creating a Cybersecurity culture can promote trust & confidence o  It will stimulate secure usage and ensure protection of data and privacy
  • 25. Challenges for developing countries #5: Lack of relevant CII strategies, policies & frameworks –  Needs Cybercrime legislation & enforcement mechanisms –  Set up policies to encourage co-operation among stakeholders o  Especially through Public-Private Partnerships (PPP) #6: Lack of information sharing & knowledge transfer –  It is important at ALL levels: National, Regional & International –  Necessary for developing trust relationships among stakeholders o  Including CERT teams
  • 26. Session 1: Group Discussions Question: What’s the CII definition for your country?
  • 27. Session 2: Cloud Computing Today Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  • 28. Cloud Computing Should Cloud Computing be considered a Critical Information Infrastructure?
  • 29. Concentration of ICT Resources •  Earlier approach not scalable and costly (diagram: information technology resources kept per organization or operator, with high capacity links between organizations or operators)
  • 30. Concentration of ICT Resources •  Spread associated costs among users (diagram: information technology resources consolidated in data centres; organizations or operators access resources in the same area)
  • 31. Cloud Computing Deployment Models: Private Cloud (hosted internally or externally); Hybrid Cloud; Public Cloud; Community Cloud (hosted internally by a member or externally)
  • 32. Some of the benefits of Cloud Computing Reduced Capital & Operational Cost •  Less up-front capital investment •  Allows companies to increase resource needs gradually (pay-as-you-go) Simplified application deployment & management •  Common programming model across platforms •  Access to an ecosystem of widely deployed applications •  Integration with existing IT assets
  • 33. Cloud Computing Simple definition: Cloud Computing = Software as a Service (SaaS) + Platform as a Service (PaaS) + Infrastructure as a Service (IaaS) + Data as a Service (DaaS) + * as a Service (*aaS)
  • 34. Software as a Service (SaaS) SaaS characteristics:- •  From the end user’s point of view •  Applications are located in the cloud •  Software experiences are delivered online (Internet)
  • 35. Platform as a Service (PaaS) PaaS characteristics:- •  From the developer’s point of view (i.e. cloud users) •  Cloud providers offer an Internet-based platform •  Developers use the platform to create services
  • 36. Infrastructure as a Service (IaaS) IaaS characteristics:- •  Cloud providers build datacentres –  Power, scale, hardware, networking, storage, distributed systems etc •  Datacentre as a service •  Users rent storage, computation & maintenance
  • 37. Data as a Service (DaaS) DaaS characteristics:- •  Data -> Information -> Knowledge -> Intelligence •  Infrastructure for web data mining & knowledge •  Empower people with knowledge •  Enrich apps & services with intelligence
  • 38. Uptake of Cloud Computing (images: Microsoft's Data Center, San Antonio, Texas; Google's Data Centre, Georgia) •  Western Europe market to grow to €15B by 2015 •  Amazon AWS carries 1% of all Internet consumer traffic in North America •  Data centre growth estimated to be in excess of €30B •  Facebook server farm (Oregon) measures 14000 m2, cost ~$200M
  • 39. Who is leading the cloud market today?
  • 40. Session 2: Group Discussions Question: What is the level of Cloud Computing uptake in your country? Is it increasing?
  • 41. Session 3: CIIP Perspective of Cloud Computing Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  • 42. Concentration of ICT Resources Large cloud providers can deploy security and business continuity measures and spread the associated cost among the customers. This can be a “double-edged sword”: if an outage or security breach occurs, the consequences can be catastrophic, affecting a large number of users and organisations at once.
  • 43. Concentration of ICT Resources Japan Earthquake 2011 •  Cloud computing was resilient •  Cloud services survived power outages by using emergency fuel •  Data connections over mobile networks and fixed networks held up •  Traditional IT deployments went offline •  Cloud computing was used to get organizations up and running
  • 44. Concentration of ICT Resources Lightning Strike, Dublin 2011 •  Took down Amazon & Microsoft services; the outage lasted for 2 days •  Amazon’s other customers (Foursquare, Reddit & Netflix) were badly affected •  Amazon’s Elastic Compute Cloud (EC2) and Relational Database Service (RDS) experienced disruption in North Virginia •  Amazon US-EAST data centers were cut off from the Internet
  • 45. Cloud and CIIP Cloud Computing services can be critical in two ways: critical in themselves, or critical for other critical services
  • 46. Cloud and CIIP e.g. Cloud-based eHealth Record Platform Critical in itself •  But also needed for other emergency health operations, which are also critical Critical to other systems •  Critical to other systems that depend on the data records
  • 47. Cloud and CIIP Most CIIP action plans address two major issues: (1) Cyber disruptions (or outages) with large impact (map: users affected by the outage caused by the undersea cable cut near Alexandria, Egypt (2008): 12M Pakistan, 6M Egypt, 4.7M Saudi Arabia, 1.7M UAE, 0.8M Kuwait, 0.3M Qatar, 12M India)
  • 48. Cloud and CIIP (2) Cyber attacks with a large impact •  Influenced mainly by interdependencies (image: snapshot of the Internet before an attack on Facebook; Source: NORSE)
  • 49. CIIP Dependencies (1/4) Continuity of services & infrastructure dependencies
  • 50. CIIP Dependencies (2/4) (dependency diagram: Powerplants; Regional Power Grid; Regional Power Supply; Private D2D links; Private Datacenters; Banks & Trading; Public Administration; Public Datacenters; eGovernment; Online services, cloud computing; Telco sites, switch areas, interconnections; Public eComms; Regional network, cables, wires, trunks; Public Transport; Emergency care (Police, Firefighters, Ambulances); Emergency Calls. Availability tiers: at 99.9%, 8 hr outages are disastrous; at 99%, 3 day outages are disastrous; at 90%, 30 day outages are disastrous)
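The cascade reasoning behind the dependency diagram on slides 22 and 50 (an element's failure propagates to everything that depends on it, and the availability tier decides how long an outage each service can survive), worked through as an added Python example that is not part of the original presentation. The dependency edges and the tier each service sits in are constructed assumptions for illustration; only the node names and the tolerance figures (8 hours at 99.9%, 3 days at 99%, 30 days at 90%) come from the slides.

```python
"""Dependency-cascade model for the CII interdependency diagram.

Added example: the graph edges and tier assignments below are constructed
for illustration, not taken from the presentation; the tolerance figures
per availability tier are the ones shown on the slides.
"""
from collections import deque

# Availability tier -> longest outage (hours) a service in that tier can absorb.
# From the slides: 99.9% -> 8 hours, 99% -> 3 days, 90% -> 30 days.
TIER_TOLERANCE_HOURS = {"99.9%": 8, "99%": 3 * 24, "90%": 30 * 24}

# Constructed dependency graph. An entry A: [B, C] means B and C depend on A,
# so an outage of A propagates to B and C. Node names follow the diagram.
DEPENDENCIES = {
    "Powerplants": ["Regional power grid"],
    "Regional power grid": ["Regional power supply"],
    "Regional power supply": ["Private datacenters", "Public datacenters",
                              "Telco sites", "Public transport"],
    "Telco sites": ["Regional network", "Private D2D links"],
    "Regional network": ["Public eComms", "Online services, cloud computing"],
    "Public eComms": ["Emergency calls", "eGovernment"],
    "Private D2D links": ["Banks & trading"],
    "Private datacenters": ["Banks & trading"],
    "Public datacenters": ["eGovernment", "Online services, cloud computing",
                           "Public administration"],
    "Emergency calls": ["Emergency care"],
}

# Constructed tier assignment: which critical services sit in which tier.
SERVICE_TIER = {
    "Emergency calls": "99.9%",
    "Emergency care": "99.9%",
    "Banks & trading": "99.9%",
    "eGovernment": "99%",
    "Online services, cloud computing": "99%",
    "Public transport": "90%",
}


def all_nodes(deps=DEPENDENCIES):
    """Every element in the graph, whether it appears as a source or a dependant."""
    nodes = set(deps)
    for dependants in deps.values():
        nodes.update(dependants)
    return nodes


def downstream(failed, deps=DEPENDENCIES):
    """Transitive set of elements that stop working when `failed` is down (BFS)."""
    seen, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for dependant in deps.get(node, ()):
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen


def assess_outage(failed, outage_hours, deps=DEPENDENCIES, tiers=SERVICE_TIER):
    """Classify each affected critical service for an outage of `failed`.

    A service is 'disastrous' when the outage exceeds the tolerance of its
    availability tier, otherwise 'within tolerance'. Services that do not
    depend on `failed` are left out of the result.
    """
    affected = downstream(failed, deps) | {failed}
    verdict = {}
    for service, tier in tiers.items():
        if service in affected:
            limit = TIER_TOLERANCE_HOURS[tier]
            verdict[service] = "disastrous" if outage_hours > limit else "within tolerance"
    return verdict


def rank_by_blast_radius(deps=DEPENDENCIES, tiers=SERVICE_TIER):
    """Rank elements by how many tiered critical services their failure reaches.

    This is the prioritisation step: elements at the top are the ones whose
    protection buys the most, however mundane they look on their own.
    """
    scored = {node: len(downstream(node, deps) & set(tiers)) for node in all_nodes(deps)}
    return sorted(scored.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for hours in (4, 12, 96):
        print(f"Regional power supply down for {hours}h:",
              assess_outage("Regional power supply", hours))
    for node, reach in rank_by_blast_radius()[:5]:
        print(f"{reach} critical services reachable from: {node}")
```

Swap in a country's own element list and measured dependencies and the same two functions give the "what cascades from what" and "what to protect first" answers the slides ask for.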
  • 51. CIIP Dependencies (3/4) Software as a service dependencies
  • 52. CIIP Dependencies (4/4) (diagram: IT vendor for office software; Hospitals; Power plant; Air traffic controllers; Banks; Public administration)
  • 53. Session 3: Group Discussions Question: List (at least 3) known incidents/cases of CII-related attacks in the recent past in your country. Discuss any remedies taken (if known).
  • 54. Session 4: Cloud Computing CIIP Scenarios Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  • 55. Cloud Computing CIIP Scenarios CII attack vectors (diagram) Critical Information Infrastructure (CII): Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment, with cross-cutting ICT interdependencies among all sectors. Attack vectors: natural disaster, power outage, or hardware failure; resource exhaustion (due to DDoS attack); cyber attack (due to a software flaw)
  • 56. Cloud Computing CIIP Scenarios Four (4) scenarios where Cloud Computing is critical (1) Financial Services (image) Source: New York Stock Exchange (NYSE)
  • 57. Cloud Computing CIIP Scenarios (diagram: Trading Platform (SaaS). Data centers: all systems are duplicated. Private network, dedicated links: duplicated connection between datacenters. Public Internet or telephony: connecting traders to datacenters. Traders platform: web-interface access. Operator; Traders)
  • 58. Cloud Computing CIIP Scenarios Key Points: •  A software flaw can impact a wide range of organisations directly •  Consider creating ‘logical redundancy’ in addition to ‘physical redundancy’
  • 59. Cloud Computing CIIP Scenarios (2) Health Services •  By 2016 about 30% of the IT budget of healthcare organisations would be devoted to cloud computing based expenses •  73% plan to make greater use of cloud-based technologies in the future Source: Accenture
  • 60. Cloud Computing CIIP Scenarios (diagram: eHealth Record Platform (SaaS). Data centers: all systems are duplicated. Private network, dedicated links: duplicated connection between datacenters. Public Internet or telephony: connecting hospitals to datacenters. eHealth platform: web-interface access. Hospitals)
  • 61. Cloud Computing CIIP Scenarios Key Point: •  Cloud computing is expected to bring additional efficiency gains in health care service provision (news items) “APT 18” launched the attack: said to have links with the Chinese government and to be behind targeted attacks on companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries. Source: FireEye Inc. TDoS Attack: a Telephony Denial of Service (TDoS) attack targets emergency response services in critical services such as health care
  • 62. Cloud Computing CIIP Scenarios (3) e-Government Services •  UK Gov Cloud app store “GovStore” has over 1,700 information & communication services available to the UK public sector Source: http://govstore.service.gov.uk
  • 63. Cloud Computing CIIP Scenarios (diagram: eGovernment platform, web-interface access (SaaS), on a Gov cloud app store (PaaS). Data centers: all systems are duplicated. Private network, dedicated links: duplicated connection between datacenters. Public Internet or telephony: connecting eGov to datacenters. eGov websites)
  • 64. Cloud Computing CIIP Scenarios Key Point: •  eGovernment services need to be resilient at all levels of attack (images)
  • 65. Cloud Computing CIIP Scenarios (4) Cloud Services
  • 66. Cloud Computing CIIP Scenarios (diagram: Infrastructure or platform as a service (PaaS). Data centers: all systems are duplicated. Private network, dedicated links: duplicated connection between datacenters. Public Internet or telephony: connecting eGov to datacenters. Tenants: webmail provider (SaaS); online backup service (SaaS); eGovernment applications (SaaS) running on a government app store (PaaS))
  • 67. Cloud Computing CIIP Scenarios Key Point: •  A failure at an IaaS/PaaS provider can have an impact across a range of organisations, affecting many end-users.
  • 68. Session 4: Group Discussions Question: What practical measures need to be taken to enhance CII resilience, especially of the Cloud Infrastructure?
  • 69. Session 5: Steps towards CI Protection Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  • 70. Steps towards CI Protection (1) Establish CIP Goals, e.g. •  Critical Infrastructure (CI): Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that their incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being. •  Understand Critical Infrastructure (CI) Risks: CI exploitation or destruction, through natural disaster, technological failure, accidents or intentional attacks, could have a debilitating effect on national security and economic well-being. •  Articulate CIP policy/goals: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable. •  Establish Public-Private Partnerships: A national CIP framework includes relevant government entities, as well as establishing public-private partnerships involving corporate and non-governmental organizations.
  • 71. Steps towards CI Protection (2) Define CIP Roles (diagram) Government: define policy and identify roles; define CIP goals and roles. Public-Private Partnership: determine acceptable risk levels; define what’s critical. Infrastructure Operators & Service Providers: prioritize risks; deploy the best control solutions. Cycle: Assess Risks -> Identify Controls and Mitigations -> Implement Controls -> Measure Effectiveness
  • 72. Steps towards CI Protection (diagram) Government: CIP Coordinator (Executive Sponsor); Law Enforcement; Sector Specific Agency. Shared: Computer Emergency Response Team (CERT); Public Private Partnership. Private: Infrastructure owners and operators; IT vendors and solution providers
  • 73. Steps towards CI Protection (3) Identify & Prioritize Critical Functions (diagram: Critical Function, Infrastructure Element and Key Resource, each with its own Supply Chain; interdependencies; understand requirements & complexity) •  Understand the critical functions, infrastructure elements, and key resources necessary for –  Delivering essential services –  Maintaining the orderly operation of the economy –  Ensuring public safety
  • 74. Steps towards CI Protection (4) Continuously Assess and Manage Risks (cycle) Assess Risks: •  Identify key functions •  Assess risks •  Evaluate consequences. Identify Controls and Mitigations: •  Define functional requirements •  Evaluate proposed controls •  Estimate risk reduction/cost benefit •  Select mitigation strategy. Implement Controls: •  Based on a holistic approach •  Implement defense in depth •  Organize by control effectiveness. Measure Effectiveness: •  Evaluate program effectiveness •  Leverage findings to improve risk management
  • 75. Steps towards CI protection (5) Establish & Exercise Emergency Plans •  Develop joint PPP plans for managing emergencies, including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents. •  Create emergency response plans to mitigate damage and promote resiliency. •  Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented. •  Test and exercise emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations. •  Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions.
  • 76. Steps towards CII protection (5) Establish Public Private Partnership (PPP) •  Promote the trusted relationships needed for information sharing and collaborating on difficult problems •  Leverage the unique skills of government and private sector organizations •  Provide the flexibility needed to collaboratively address today’s dynamic threat environment
  • 77. Steps towards CII protection (6) Build Security & Resiliency into Operations •  Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions •  Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
  • 78. Steps towards CII protection (7) Update & Innovate Technology and Processes •  Cyber threats are constantly evolving •  All CIP stakeholders need to prepare for changes in cyber threats •  Constantly monitor trends and changes in critical function dependencies •  Keep systems patched and maintain the latest software versions •  Adopt smart & effective procedures and processes
  • 79. Session 5: Group Discussions Questions •  What should be the additional roles and responsibilities of the state? •  What investment is required to address CIIP vulnerabilities & threats? •  How should the private sector & government work on CIIP and build trust?
  • 80. Session 6: Cybersecurity Threat Horizon Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  • 81. © Commonwealth Telecommunications Organisation | www.cto.int •  Increased penetration of smart phones –  Lower costs (~$80) have increased user uptake –  Other models Tecno (China), Wiko (France) & Infinix (Hong Kong) –  Will increase from 17% (2014) to 34% (2018) •  Africa leads mobile subscriptions –  55% (1.3 billion) from developing countries •  Rapid growth of eCommerce –  Websites such as Jumia, Cheki & OLX Relevant trends in Africa today (1/2) 45%  55%   Developed  Countries   Developing  Countries  
  • 82. © Commonwealth Telecommunications Organisation | www.cto.int •  Expanding Infrastructure –  SAT3/GLO/WACS/ACE etc e.g. 6Km of Fibre in Cameroon •  Mobile money transfer –  Increasingly growing e.g. M-Pesa has 16.8 Million customers –  Handles >$1 Billion transactions per month in Kenya alone –  Nigeria – introduced digital ID and transaction card •  Social media –  78% of internet usage in Africa is for social media –  Estimated will $230 Billion to Africa’s growth by 2025 Relevant trends in Africa today (2/2)
  • 83. © Commonwealth Telecommunications Organisation | www.cto.int •  2014 global cyber attacks assessment shows –  Africa accounted for 4% security incidents worldwide –  Every 1 second, 18 adults are victims of cyberscrime –  1.5 million victims globally per day •  Financial fraud –  Africa’s major cities like Cairo, Johannesburg, Lagos and Nairobi experience many cases of financial fraud –  African countries are becoming targets & source of malicious Internet activities •  Software piracy and lack of updated software –  Home user PCs remain vulnerable to cyber attacks Emerging Cyber Threats (1/3)
  • 84. Emerging Cyber Threats (2/3)
    •  Use of ICT to commit acts of terrorism
      –  Planning, co-ordination, implementation and promotion. For example Boko Haram, ISIS, Al-Shabaab & Al-Qaida etc.
      –  Creates socio-economic problems. For example, the Westgate Mall in Kenya – 67 people killed and nearly $200 Million lost in tourism revenue.
    [Image: Teenage girls in the UK who flew to Syria via Turkey]
  • 85. Emerging Cyber Threats (3/3)
    •  Cyber attacks targeting government websites
      –  Defacement of websites, motivated by individual reasons
        o  Nigeria defence HQ attacked for fighting Boko Haram
        o  Ghana (gov.gh) portal attacked (11 out of 58 sites attacked)
        o  Senegalese ICT agency site attacked, linked to Charlie Hebdo
    •  Social media
      –  Reputation damage and defamation is a new form of cyber attack
      –  Anonymity on social networks – could tools such as Yik Yak be used for cyber bullying?
  • 86. Cybersecurity challenges facing Africa
    •  Low level of security provisions
      –  Inadequate control and lack of information risk assessment
    •  Lack of technical know-how
      –  Inability to monitor and defend national networks
    •  Need to develop necessary legal frameworks
      –  21 countries in Africa have proposed legislation
    •  Cross boundary challenges of Cybersecurity
      –  Inability to prosecute and apprehend at source
    •  Limited levels of awareness
      –  Regulators, military, law-enforcement, judiciary, legislators
  • 87. Policy, Legal & Regulatory Considerations
    Success of the above needs full government support
    •  Legal framework
      –  Lack of Cybersecurity legislation affects businesses
      –  Needs technology to support enforcement
    •  Regional harmonization of policy & legal frameworks
      –  Global good, needs national, regional & international actions
    •  Co-ordination and cooperation is a MUST
      –  Cybersecurity is a cross-boundary issue
      –  Needed to combat ICT fraud, hacking, child pornography and copyright infringement
      –  Creates uniformity in procedures and processes
  • 88. Technology Considerations
    Success of the above needs full government support
    •  Development of infrastructure
      –  Develop reliable, resilient and available connectivity
    •  Need to establish & enhance national CERTs
      –  Create sectorial CERTs
        o  Finance, Energy, Transport, Military, Maritime, SMEs etc.
      –  Harmonize regional CERTs or CIRTs
    •  Best practice in Cyber governance
      –  Encourage use of country Top Level Domain (TLD) names
  • 89. Capacity building, Research & Innovation Considerations
    Success of the above needs full government support
    •  Cybersecurity is complex & challenging
      –  Develop technical skills through training & collaborations
      –  Use expertise from the Diaspora
    •  Cultivate a culture of Cybersecurity awareness
      –  CERTs must be proactive rather than reactive
      –  Engage in capacity building initiatives with ALL stakeholders
    •  Best practice in Cyber governance
      –  Encourage use of country Top Level Domain (TLD) names
      –  Have an effective data protection act
  • 90. Session 7: Commonwealth Cybergovernance Model
    Presenter: Dr Martin Koyabe (CTO)
    CIIP Workshop, Gaborone, Botswana, 23 – 24 March 2015
  • 91. Trends in Cyberspace
    •  Cyberspace provides access to ICT
      –  Bridging the digital divide and influencing socio-economic activities
    •  Cyberspace is increasingly becoming a global system
      –  Anticipated to grow from 2 to 4 Billion users by 2020 (mostly from developing countries)
    •  Cyberspace is open, decentralised and empowering
      –  This has fostered innovation, collaboration and rapid development
    •  Cyberspace success depends on its infrastructure
      –  Infrastructure should be secure, resilient and available to users
    •  Cyberspace can also be used for criminal activities
      –  Cybercrime, extremism and other social crimes
  • 92. Why a Commonwealth Model
    •  Contrasting views are emerging across the world on governing Cyberspace
    •  Harmonisation is critical to facilitate growth and to realise the full potential of Cyberspace
    •  The Commonwealth family subscribes to common values and principles which are equally applicable to Cyberspace
    •  CTO is the Commonwealth agency mandated in ICTs
    •  The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9th Oct 2013)
    •  Wide consultations with stakeholders
    •  Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th March 2014 in London
  • 93. Objectives
    The Cybergovernance Model aims to guide Commonwealth members in:-
      –  Developing policies, legislation and regulations
      –  Planning and implementing practical technical measures
      –  Fostering cross-border collaboration
      –  Building capacity
  • 94. Commonwealth Values in Cyberspace
    •  Based on the Commonwealth Charter of March 2013
      –  Democracy, human rights and rule of law
    •  The Charter expressed the commitment of member states to
      –  The development of free and democratic societies
      –  The promotion of peace and prosperity to improve the lives of all peoples
      –  Acknowledging the role of civil society in supporting Commonwealth activities
    •  Cyberspace today and tomorrow should respect and reflect the Commonwealth Values
      –  This has led to defining Commonwealth principles for use of Cyberspace
  • 95. Commonwealth Principle for use of Cyberspace
    Principle 1: We contribute to a safe and an effective global Cyberspace
    •  as a partnership between public and private sectors, civil society and users, a collective creation;
    •  with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;
    •  where investment in the Cyberspace is encouraged and rewarded;
    •  by providing sufficient neutrality of the network as a provider of information services;
    •  by offering stability in the provision of reliable and resilient information services;
    •  by having standardisation to achieve global interoperability;
    •  by enabling all to participate with equal opportunity of universal access;
    •  as an open, distributed, interconnected internet;
    •  providing an environment that is safe for its users, particularly the young and vulnerable;
    •  made available to users at an affordable price.
  • 96. Commonwealth Principle for use of Cyberspace
    Principle 2: Our actions in Cyberspace support broader economic and social development
    •  by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;
    •  respecting cultural and linguistic diversity without the imposition of beliefs;
    •  promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system;
    •  allowing free association and interaction between individuals across borders;
    •  supporting and enhancing digital literacy;
    •  providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;
    •  enabling and promoting multi-stakeholder partnerships;
    •  facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.
  • 97. Commonwealth Principle for use of Cyberspace
    Principle 3: We act individually and collectively to tackle cybercrime
    •  nations, organisations and society work together to foster respect for the law;
    •  to develop relevant and proportionate laws to tackle Cybercrime effectively;
    •  to protect our critical national and shared infrastructures;
    •  meeting internationally-recognised standards and good practice to deliver security;
    •  with effective government structures working collaboratively within and between states;
    •  with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.
  • 98. Commonwealth Principle for use of Cyberspace
    Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace
    •  we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;
    •  individuals, organisations and nations are empowered through their access to knowledge;
    •  users benefit from the fruits of their labours; intellectual property is protected accordingly;
    •  users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;
    •  responsible behaviour demands users all meet minimum Cyberhygiene requirements;
    •  we protect the vulnerable in society in their use of Cyberspace;
    •  we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.
  • 100. Development of a National Cybersecurity Strategy
    •  Need support from the highest levels of government
    •  Adopt a multi-stakeholder partnership (private sector, public sector & civil society)
    •  Draw on the expertise of the International Community
    •  Appoint a lead organisation or institution
    •  Be realistic and sympathetic to the commercial considerations of the private sector
    •  Add mechanisms to monitor & validate implementation
  • 101. Main elements of a Cybersecurity Strategy
    •  Introduction and background
    •  Guiding principles
    •  Vision and strategic goals
    •  Specific objectives
    •  Stakeholders
    •  Strategy implementation
  • 102. Introduction & Background
    •  Focuses on the broad context
    •  Sets the importance of Cybersecurity to national development
    •  Assess current state of Cybersecurity and challenges
    STRATEGY COMPONENTS: 1. Introduction / background – This section provides a succinct background of the country’s circumstances and the status of its Cybersecurity.
    ASPECTS TO CONSIDER:
      •  Explain the importance of Cybersecurity to economic and social development.
      •  Describe the use of Cyberspace and the nature of Cybersecurity challenges to justify the need for the Cybersecurity strategy.
      •  Explain the relationship to existing national strategies and initiatives.
    EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE: Uganda’s introduction covers:
      •  The definition of information security
      •  The justification for a strategy
      •  Country analysis of current state of information security framework
      •  Strategy guiding principles
      •  Vision, mission, strategic objectives
    Note that this example covers the first three sections in this framework.
  • 103. Guiding Principles (1/2)
    •  Based on Commonwealth Cybergovernance principles
    •  Balance security goals & privacy/protection of civil liberties
    •  Risk-based (threats, vulnerabilities, and consequences)
    •  Outcome-focused (rather than the means to achieve it)
    •  Prioritised (graduated approach focusing on critical issues)
    •  Practicable (optimise for the largest possible group)
    •  Globally relevant (harmonised with international standards)
  • 104. Guiding Principles (2/2)
    STRATEGY COMPONENTS: 2. Guiding principles – This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
    ASPECTS TO CONSIDER:
      •  Build from the principles of the Commonwealth Cybergovernance model.
      •  Include any relevant national principles.
      •  Describe the delivery principles that guide the design of the goals, vision and objectives.
    EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE: In addition to the Commonwealth Cybergovernance principles and national principles the following delivery principles are recommended:
      •  Risk-based. Assess risk by identifying threats, vulnerabilities, and consequences, then manage the risk through mitigations, controls, costs, and similar measures.
      •  Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
      •  Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
      •  Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
      •  Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonization in mind wherever possible.
  • 105. Visions & Strategic Goals
    •  Promote economic development
    •  Provide national leadership
    •  Tackle cybercrime
    •  Strengthen the critical infrastructure
    •  Raise and maintain awareness
    •  Achieve shared responsibility
    •  Defend the value of Human Rights
    •  Develop national and international partnerships
  • 106. Visions & Strategic Goals
    STRATEGY COMPONENTS: 3. Strategic goals and vision – This section defines what success looks like in broad summary terms and reflects the country’s priorities.
    ASPECTS TO CONSIDER:
      •  Make a clear statement of the country’s commitment to protecting the use of its Cyberspace
      •  Emphasise the breadth of the use of Cyberspace: covering social and economic activity
      •  Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.
    EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
    Australia’s vision: “The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy”
    Three pillars of the Australian strategy:
      •  All Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online;
      •  Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
      •  The Australian Government ensures its information and communications technologies are secure and resilient.
    Four pillars of the UK strategy:
      •  Tackle cybercrime and be one of the most secure places in the world to do business in cyberspace;
      •  To be more resilient to cyber attacks and better able to protect our interests in cyberspace;
      •  To have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;
      •  To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.
  • 107. Specific Objectives
    •  Provide a national governance framework for securing Cyberspace
    •  Enhance the nation’s preparedness to respond to the challenges of Cyberspace
    •  Strengthening Cyberspace and national critical infrastructure
    •  Securing national ICT systems to attract international businesses
    •  Building a secure, resilient and reliable Cyberspace
    •  Building relevant national and international partnerships and putting effective political-strategic measures in place to promote Cyber safety
    •  Developing a culture of Cybersecurity awareness among citizens
    •  Promoting a culture of “self protection” among businesses and citizens
    •  Creating a secure Cyber environment for protection of businesses and individuals
    •  Building skills and capabilities needed to address Cybercrime
    •  Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence
  • 108. Specific Objectives
    STRATEGY COMPONENTS: 4. Risk management (Risk based approach objectives) – How the risk management process works, and then setting objectives and priorities. This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities.
    ASPECTS TO CONSIDER:
      •  How risk management is currently performed, for example for national security.
      •  Sources of threat information and of major vulnerabilities.
      •  How granular to make the outcomes and objectives.
      •  How frequently to repeat the risk assessment process.
    EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE: Source: Microsoft’s guidance, listed in appendix 3:
      •  A clear structure for assessing and managing risk
      •  Understand national threats and major vulnerabilities
      •  Document and review risk acceptance and exceptions
      •  Set clear security priorities consistent with the principles
      •  Make national cyber risk assessment an on-going process
  • 109. Stakeholders
    [Diagram: stakeholders grouped as Government, Shared and Private – CIP Coordinator (Executive Sponsor); Law Enforcement; Sector Specific Agency; Computer Emergency Response Team (CERT); Public Private Partnership; International Organisations; Infrastructure owners and operators; IT vendors and solution providers]
  • 110. Specific Objectives
    STRATEGY COMPONENTS: 4. Stakeholders – This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5).
    ASPECTS TO CONSIDER:
      •  Identify all relevant key stakeholders taking into consideration country objectives and focus areas
      •  Identify key international stakeholders and partners that could contribute effectively
      •  Draw stakeholders from governmental and non-governmental organizations, civil societies, academia, public and private sectors of the economy. Should include but not be limited to software and equipment vendors, owners and operators of CII, law enforcement institutions etc.
    EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE: In constructing the list of stakeholders, the following constituencies should be considered:
      •  ministers and other politicians;
      •  government departments concerned with ICT, telecommunications and information security;
      •  private sector organisations that provide ICT services;
      •  government departments whose responsibilities rely upon or who engage with Cyberspace, including: most economic activity, trade, tourism, law enforcement;
      •  providers of the critical national infrastructure whose vital communications are increasingly carried across the internet;
      •  companies across the economy that rely upon Cyberspace, often represented by trade associations;
      •  representatives of civil society, often in the form of groups that reflect broad public opinion and can advise on the best way to achieve outcomes involving the public;
      •  civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
      •  experts who understand how Cyberspace works, from a technical perspective, to ensure that government strategies are practical;
      •  Academia who can advise on R&D, international best practice, emerging issues;
      •  International bodies such as the Commonwealth Telecommunications Organisation;
      •  Other countries, particularly regional countries.
  • 111. Strategy Implementation
    •  Governance and management structure
    •  Legal and regulatory framework
    •  Capacity Development
    •  Awareness and outreach programmes
    •  Incident response
      –  Incentivize commercial competitors to cooperate
      –  Create national CERTs (include sector based CERTs)
    •  Stakeholder collaboration
    •  Research and Development
    •  Monitoring and evaluation
  • 112. Strategy Implementation
  • 113. What Next? Upcoming CIIP Workshops
    [Map: CTO CIIP Workshops – legend: Successfully completed / Scheduled to take place / To be confirmed]
    •  Colombo, Sri Lanka / Dhaka, Bangladesh – Aug-Sep 2014
    •  Port Vila, Vanuatu – Sep-Oct 2014
    •  Nairobi, Kenya – Nov 2014
    •  Yaounde, Cameroon – Jan-Feb 2015
  • 114. Further Information – Q & A Session
    Contact: Dr Martin Koyabe
    Email: m.koyabe@cto.int
    Tel: +44 (0) 208 600 3815 (Off), +44 (0) 791 871 2490 (Mob)