Slide 4: Table of Contents
Session 1: Understanding CIIP & Challenges
Session 2: Cloud Computing Today
Session 3: CIIP Perspective of Cloud Computing
Session 4: Cloud Computing CIIP Scenarios
Session 5: Steps Towards a CI Protection
Session 6: Cybersecurity Threat Horizon
Session 7: Commonwealth Cybergovernance model
6. © Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
• Critical Resources
• Critical Infrastructure
• Critical Information Infrastructure
(General definition; interdependencies)
Slide 7: Critical Resources
(Images: water, energy, forests)
Defined by some national governments to include:-
• Natural & environmental resources (water, energy, forests etc)
• National monuments & icons, recognized nationally & internationally
Slide 8: Critical Infrastructure (1/3)
(Images: airports, power grid, roads)
Defined by some national governments to include:-
• Nation’s public works, e.g. bridges, roads, airports, dams etc
• Increasingly includes telecommunications, in particular major
national and international switches and connections
Slide 9: Critical Infrastructure (2/3)
“ the assets, systems, and networks, whether physical or virtual, so vital to the United States
that their incapacitation or destruction would have a debilitating effect on security, national
economic security, national public health or safety, or any combination thereof.”
Source: US Homeland Security
“ the (CNI) comprises those assets, services and systems that support the economic, political
and social life of the UK whose importance is such that loss could either, cause large-scale
loss of life; have a serious impact on the national economy; have other grave social
consequences for the community; or be of immediate concern to the national government.”
Source: UK Centre for the Protection of National Infrastructure (CPNI)
“ an asset or system which is essential for the maintenance of vital societal functions. The
damage to a critical infrastructure, its destruction or disruption by natural disasters,
terrorism, criminal activity or malicious behaviour, may have a significant negative impact for
the security of the EU and the well-being of its citizens.”
Source: European Union (EU)
Slide 10: Critical Infrastructure (3/3)
“ those physical facilities, supply chains, information technologies and communication
networks which, if destroyed, degraded or rendered unavailable for an extended period,
would significantly impact on the social or economic wellbeing of the nation or affect
Australia’s ability to conduct national defense and ensure national security.”
Source: The Australian, State & Territory Government
“ processes, systems, facilities, technologies, networks, assets and services essential to the
health, safety, security or economic well-being of Canadians and the effective functioning of
government. Critical infrastructure can be stand-alone or interconnected and interdependent
within and across provinces, territories and national borders. Disruptions of critical
infrastructure could result in catastrophic loss of life, adverse economic effects, and
significant harm to public confidence.”
Source: Government of Canada
“those facilities, systems, or functions, whose incapacity or destruction would cause a
debilitating impact on national security, governance, economy and social well-being of a
nation”
Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
Slide 12: Critical Infrastructure Sectors (1/2)
• European Commission (EC) provides an indicative list of 11 critical sectors:
– Energy
– ICT
– Water
– Food
– Health
– Financial
– Public & Legal Order and Safety
– Civil Administration
– Transport
– Chemical and Nuclear Industry
– Space & Research
Slide 13: Critical Infrastructure Sectors (2/2)
• Provisional Critical Infrastructure list for Bangladesh:
– Energy (Oil/Gas)
– Telecoms
– Transport (Roads)
– Monuments/Buildings
– Water
– Financial
– ICT
Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
Slide 14: Critical Information Infrastructure (1/2)
CII definition:-
“ Communications and/or information service whose
availability, reliability and resilience are essential to
the functioning of a modern economy, security, and
other essential social values.”
Rueschlikon Conference on Information Policy Report, 2005
Slide 15: Critical Information Infrastructure (2/2)
(Figure: layered view)
• Critical Infrastructures: Telecoms, Energy, Transportation, Finance/Banking, Government Services, Large Enterprises, End-users
• Critical Information Infrastructure: cross-cutting ICT interdependencies among all sectors
• Cyber security: practices and procedures that enable the secure use and operation of cyber tools and technologies
• IT systems split into Essential IT Systems and Non-essential IT Systems
Slide 16: Critical Information Infrastructure Protection (CIIP)
• Widespread use of the Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
• ICT or information infrastructure enables large-scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
Slide 17: Critical Information Infrastructure Protection (CIIP)
• Today Critical Information Infrastructure Protection (CIIP)
– Focuses on protection of IT systems and assets
o Telecoms, computers/software, Internet, interconnections & network services
– Ensures Confidentiality, Integrity and Availability
o Required 24/7 (365 days)
o Part of the daily modern economy and the existence of any country
(Figure: interdependent sectors: Telecom Network, Power Grid, Water Supply, Public Health, National Defence, Law Enforcement)
Slide 18: CII Attack Scenarios
(Figure: sectors resting on the Critical Information Infrastructure (CII): Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment; the CII is the cross-cutting ICT interdependencies among all sectors)
Attack scenarios shown:
• Natural disaster, power outage, or hardware failure
• Resource exhaustion (due to DDoS attack)
• Cyber attack (due to a software flaw)
Slide 19: Future CII Attack Vectors
• Expanding Infrastructures
– Fiber optic connectivity
o TEAMS/Seacom/EASSy
– Mobile/Wireless Networks
o Kenya has 11.6 million Internet users and 31.3 million mobile network subscribers (CAK, 2014)
• Existence of failed states
– Increased ship piracy
o To fund other activities
– Cyber warfare platforms
o Doesn’t need troops or military hardware
• Cyber communities
– Social Networks – Attacker’s “gold mine”
Slide 20: Global trends towards CIIP
• Increased awareness for CIIP & cyber security
– Countries aware that risks to CIIP need to be managed
o Whether at National, Regional or International level
• Cyber security & CIIP becoming essential tools
– For supporting national security & social-economic well-being
• At national level
– Increased need to share responsibilities & co-ordination
o Among stakeholders in prevention, preparation, response & recovery
• At regional & international level
– Increased need for co-operation & co-ordination with partners
o In order to formulate and implement effective CIIP frameworks
Slide 21: Challenges for developing countries
#1: Cost and lack of (limited) financial investment
– Funds required to establish a CIIP strategic framework can be a hindrance
– Limited human & institutional resources
(Chart: GDP listed by IMF (2013))
Slide 22: Challenges for developing countries
#2: Technical complexity in deploying CIIP
– Need to understand dependencies & interdependencies
o Especially vulnerabilities & how they cascade
(Figure: dependency map linking Powerplants; Regional Power Grid; Regional Power Supply; Private D2D links; Private Datacenters; Banks & Trading; Public Administration; Public Datacenters; eGovernment; Online services, cloud computing; Telco sites, switch areas, interconnections; Public eComms; Regional network, cables, wires, trunks; Public Transport; Emergency care (Police, Firefighters, Ambulances); Emergency Calls)
Availability targets annotated on the map:
(99.9%) 8 hr outages are disastrous
(99%) 3 day outages are disastrous
(90%) 30 day outages are disastrous
Slide 23: Challenges for developing countries
#3: Limited knowledge on how to identify and classify critical infrastructure
– Need to consider business value, scope of population & technical dependency
(Figure: three critical functions, each built from an infrastructure element, a key resource and their supply chains, linked by interdependencies; caption: Understand requirements & complexity)
Slide 24: Challenges for developing countries
#4: Need for Cybersecurity education & culture re-think
– Create awareness on importance of Cybersecurity & CIIP
o By sharing information on what works & successful best practices
– Creating a Cybersecurity culture can promote trust & confidence
o It will stimulate secure usage, ensure protection of data and privacy
Slide 25: Challenges for developing countries
#5: Lack of relevant CII strategies, policies & framework
– Needs Cybercrime legislation & enforcement mechanisms
– Setup policies to encourage co-operation among stakeholders
o Especially through Public-Private-Partnerships (PPP)
#6: Lack of information sharing & knowledge transfer
– It is important at ALL levels: National, Regional & International
– Necessary for developing trust relationships among stakeholders
o Including CERT teams
Slide 29: Concentration of ICT Resources
• Earlier approach not scalable and costly
(Figure: Information Technology resources per each organization or operator, with high-capacity links between organizations or operators)
Slide 30: Concentration of ICT Resources
• Spread associated costs among users
(Figure: Information Technology resources consolidated in data centres; organizations or operators access resources in the same area)
Slide 31: Cloud Computing Deployment Models
• Private Cloud (hosted internally or externally)
• Hybrid Cloud
• Public Cloud
• Community Cloud (hosted internally by a member or externally)
Slide 32: Some of the benefits of Cloud Computing
Reduced Capital & Operational Cost
• Less up-front capital investment
• Allow companies to increase resource needs
gradually (pay-as-you-go)
Simplify application deployment & management
• Common programming model across platforms
• Access to ecosystem of widely deployed applications
• Integration with existing IT assets
Slide 33: Cloud Computing
Simple definition
Cloud Computing = Software as a Service (SaaS)
+ Platform as a Service (PaaS)
+ Infrastructure as a Service (IaaS)
+ Data as a Service (DaaS)
+ * as a Service (*aaS)
Slide 34: Software as a Service (SaaS)
SaaS characteristics:-
• From end user’s point of view
• Applications are located in the cloud
• Software experiences are delivered online (Internet)
Slide 35: Platform as a Service (PaaS)
PaaS characteristics:-
• From developer’s point of view (i.e. cloud users)
• Cloud providers offer an Internet-based platform
• Developers use the platform to create services
Slide 36: Infrastructure as a Service (IaaS)
IaaS characteristics:-
• Cloud providers build datacentres
– Power, scale, hardware, networking, storage, distributed system etc
• Datacentre as a service
• Users rent storage, computation & maintenance
Slide 37: Data as a Service (DaaS)
DaaS characteristics:-
• Data->Information->Knowledge->Intelligence
• Infrastructure for web data mining & knowledge
• Empower people with knowledge
• Enrich apps & services with intelligence
Slide 38: Uptake of Cloud Computing
(Images: Microsoft’s Data Center, San Antonio, Texas; Google’s Data Centre, Georgia)
• Western Europe market to grow to €15B by 2015
• Amazon AWS carries 1% of all Internet consumer traffic in North America
• Data centre growth estimated to be in excess of €30B
• Facebook server farm (Oregon) measures 14000 m2, cost ~ $200M
Slide 40: Session 2: Group Discussions
Question
What is the level of Cloud Computing
uptake in your country? Is it increasing?
Slide 41: Session 3: CIIP Perspective of Cloud Computing
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
Slide 42: Concentration of ICT Resources
Can be a “Double Edged Sword”
• Large cloud providers can deploy security and business continuity measures and spread the associated cost among the customers.
• If an outage or security breach occurs, the consequences can be catastrophic, affecting a large number of users and organisations at once.
Slide 43: Concentration of ICT Resources
Japan Earthquake 2011
• Cloud computing was resilient
• Cloud services survived power outages
by using emergency fuel
• Data connections over mobile networks
and fixed networks held up
• Traditional IT deployments went offline
• Cloud computing used to get
organizations up and running
Slide 44: Concentration of ICT Resources
Lightning Strike, Dublin 2011
• Took down Amazon & Microsoft services. Outage lasted for 2 days
• Amazon’s other customers (Foursquare, Reddit & Netflix) were badly affected
• Amazon’s Elastic Compute Cloud (EC2) and Relational Database Service (RDS) experienced disruption in North Virginia.
• Amazon US-EAST data centers were cut off from the Internet
Slide 45: Cloud and CIIP
Cloud Computing services can be critical in two ways:
• Critical in themselves
• Critical for other critical services
Slide 46: Cloud and CIIP
e.g. Cloud based eHealth Record Platform
• Critical in itself, but also needed for other emergency health operations, which are also critical
• Critical to other systems that depend on the data records
Slide 47: Cloud and CIIP
Most CIIP action plans address two major issues:
(1) Cyber disruptions (or outage) with large impact
(Map with figures per country: Pakistan 12M, Egypt 6M, Saudi Arabia 4.7M, UAE 1.7M, Kuwait 0.8M, Qatar 0.3M, India 12M)
Outage caused by undersea cable cut near Alexandria, Egypt (2008)
Slide 48: Cloud and CIIP
(2) Cyber attacks with a large impact
• Influenced mainly by interdependencies
(Image: snapshot of the Internet before an attack on Facebook. Source: NORSE)
Slide 50: CIIP Dependencies (2/4)
(Figure: dependency map, repeated from slide 22, covering Powerplants, Regional Power Grid and Supply, Private D2D links, private and public datacenters, Banks & Trading, Public Administration, eGovernment, online services and cloud computing, telco sites and regional networks, Public eComms, Public Transport, Emergency care (Police, Firefighters, Ambulances) and Emergency Calls)
Availability targets annotated on the map:
(99.9%) 8 hr outages are disastrous
(99%) 3 day outages are disastrous
(90%) 30 day outages are disastrous
Slide 52: CIIP Dependencies (4/4)
(Figure: dependencies among Hospitals, Power plant, Air traffic controllers, IT vendor for Office software, Banks, Public administration)
Slide 53: Session 3: Group Discussions
Question
List (at least 3) known incidents/cases of CII-related attacks in the recent past in your country. Discuss any remedies taken (if known).
Slide 54: Session 4: Cloud Computing CIIP Scenarios
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
Slide 55: Cloud Computing CIIP Scenarios
CII attack vectors
(Figure: sectors resting on the Critical Information Infrastructure (CII): Telecoms, Health Services, Cloud Services, Finance/Banking, eGovernment; the CII is the cross-cutting ICT interdependencies among all sectors)
Attack vectors shown:
• Natural disaster, power outage, or hardware failure
• Resource exhaustion (due to DDoS attack)
• Cyber attack (due to a software flaw)
Slide 56: Cloud Computing CIIP Scenarios
Four (4) scenarios where Cloud Computing is critical
(1) Financial Services
Source: New York Stock Exchange (NYSE)
Slide 57: Cloud Computing CIIP Scenarios
(Figure: Trading Platform (SaaS))
• Data Centers: three datacenters and an operator; all systems are duplicated
• Private network, dedicated links: duplicated connection between datacenters
• Public Internet or telephony: connecting traders to datacenters
• Traders platform: web-interface access
Slide 58: Cloud Computing CIIP Scenarios
Key Points:
• A software flaw can impact a wide range of organisations directly
• Consider creating ‘logical redundancy’ in addition to ‘physical redundancy’
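As an added worked example (it is not part of the CTO deck), the following Python model illustrates two points the deck makes: slide 22's point that vulnerabilities cascade along dependencies and interdependencies, and this slide's point that a software flaw defeats physical redundancy unless logical redundancy is added. The service names are taken from the deck's dependency map and trading-platform scenario; the dependency edges, replica counts and software build labels are assumptions made for the illustration, and the availability helper shows where the deck's "8 hr / 3 days / 30 days are disastrous" thresholds come from.

```python
"""Dependency-cascade model for a CII map.

Added example, not from the CTO deck. Service names come from the deck's
dependency map and trading-platform scenario; the edges, replica counts and
software build labels are assumptions made for this illustration.
"""
from __future__ import annotations

import copy

HOURS_PER_YEAR = 24 * 365

# Each service lists the services it needs and the software build running on each
# physical replica (None = no software of interest). Constructed topology.
SERVICES: dict[str, dict] = {
    "Powerplants":         {"needs": [], "builds": [None, None]},
    "Regional Power Grid": {"needs": ["Powerplants"], "builds": [None]},
    "Telco sites":         {"needs": ["Regional Power Grid"],
                            "builds": ["telco-core-v3", "telco-core-v3"]},
    "Public Datacenters":  {"needs": ["Regional Power Grid", "Telco sites"],
                            "builds": [None, None]},
    "Trading Platform":    {"needs": ["Public Datacenters"],
                            "builds": ["trade-saas-1.4", "trade-saas-1.4"]},
    "Banks & Trading":     {"needs": ["Trading Platform", "Telco sites"], "builds": [None]},
    "eGovernment":         {"needs": ["Public Datacenters"],
                            "builds": ["egov-portal-2.0", "egov-portal-2.0"]},
    "Emergency Calls":     {"needs": ["Telco sites"],
                            "builds": ["telco-core-v3", "telco-core-v3"]},
}


def annual_downtime_budget_hours(availability: float) -> float:
    """Hours per year a service may be down and still meet its availability target.

    99.9% -> 8.76 h, 99% -> 87.6 h (~3.6 days), 90% -> 876 h (~36 days): the
    deck's "8 hr / 3 days / 30 days are disastrous" thresholds are these budgets.
    """
    return (1.0 - availability) * HOURS_PER_YEAR


def cascade(failed: set[str], services: dict = SERVICES) -> set[str]:
    """Propagate failures: a service is down once any service it needs is down.

    Assumption: no dependency is optional (the deck's map does not say otherwise).
    """
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for name, spec in services.items():
            if name not in down and any(dep in down for dep in spec["needs"]):
                down.add(name)
                changed = True
    return down


def site_outage(lost: dict[str, int], services: dict = SERVICES) -> set[str]:
    """Physical event (fire, flood, lightning): `lost` maps a service to the number
    of its replicas destroyed. A service with at least one replica left stays up."""
    failed = {name for name, n in lost.items() if n >= len(services[name]["builds"])}
    return cascade(failed, services)


def software_flaw(build: str, services: dict = SERVICES) -> set[str]:
    """Logical event: a flaw in one build takes out every replica running it, so a
    service whose replicas all run that build fails however many copies exist."""
    failed = {name for name, spec in services.items()
              if spec["builds"] and all(b == build for b in spec["builds"])}
    return cascade(failed, services)


def with_logical_redundancy(name: str, alt_build: str,
                            services: dict = SERVICES) -> dict:
    """Return a copy of the map in which one replica of `name` runs a different
    build, so a single software flaw can no longer take the whole service down."""
    hardened = copy.deepcopy(services)
    hardened[name]["builds"][0] = alt_build
    return hardened


if __name__ == "__main__":
    for target in (0.999, 0.99, 0.90):
        print(f"{target:.1%}: {annual_downtime_budget_hours(target):.1f} h/year downtime budget")
    print("one trading site lost:", sorted(site_outage({"Trading Platform": 1})))
    print("grid down:", sorted(site_outage({"Regional Power Grid": 1})))
    print("trade-saas-1.4 flaw:", sorted(software_flaw("trade-saas-1.4")))
    hardened = with_logical_redundancy("Trading Platform", "trade-saas-alt-2.0")
    print("same flaw with logical redundancy:",
          sorted(software_flaw("trade-saas-1.4", hardened)))
```

Losing one of the two trading-platform sites takes nothing down, while a flaw in the build both sites run takes the platform and the banks that depend on it down together; with one site on a different build the same flaw is absorbed. The grid case shows the cascade the deck warns about: a single upstream failure reaches every downstream service on the map.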
Slide 59: Cloud Computing CIIP Scenarios
(2) Health Services
• By 2016 about 30% of the IT budget of healthcare organisations would be devoted to cloud-computing-based expenses
• 73% plan to make greater use of cloud-based technologies in the future
Source: Accenture
Slide 60: Cloud Computing CIIP Scenarios
(Figure: eHealth Record Platform (SaaS))
• Data Centers: three datacenters serving two hospitals; all systems are duplicated
• Private network, dedicated links: duplicated connection between datacenters
• Public Internet or telephony: connecting hospitals to datacenters
• eHealth platform: web-interface access
Slide 61: Cloud Computing CIIP Scenarios
Key Point:
• Cloud computing is expected to bring additional efficiency gains in health care service provision
“APT 18” launched the attack: said to have links with the Chinese government and to be behind targeted attacks on companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industries. Source: FireEye Inc
TDoS Attack: a Telephony Denial of Service (TDoS) attack targets emergency response services in critical services such as health care
Slide 62: Cloud Computing CIIP Scenarios
(3) e-Government Services
• UK Gov Cloud app store “GovStore” has over
1,700 information & communication services
available to the UK public sector
Source: http://govstore.service.gov.uk
Slide 63: Cloud Computing CIIP Scenarios
(Figure: eGovernment platform: web-interface access (SaaS) and Gov cloud app store (PaaS))
• Data Centers: three datacenters serving two eGov websites; all systems are duplicated
• Private network, dedicated links: duplicated connection between datacenters
• Public Internet or telephony: connecting eGov to datacenters
Slide 64: Cloud Computing CIIP Scenarios
Key Point:
• eGovernment services need to be resilient at all levels of attacks
Slide 66: Cloud Computing CIIP Scenarios
(Figure: eGovernment applications (SaaS) running on a government app store (PaaS), alongside a webmail provider (SaaS) and an online backup service (SaaS), all on shared infrastructure or platform as a service (PaaS))
• Data Centers: three datacenters; all systems are duplicated
• Private network, dedicated links: duplicated connection between datacenters
• Public Internet or telephony: connecting eGov to datacenters
Slide 67: Cloud Computing CIIP Scenarios
Key Point:
• A failure at an IaaS/PaaS provider can have an impact across a range of organisations, affecting many end-users.
Slide 68: Session 4: Group Discussions
Question
What practical measures need to be taken
to enhance CII resilience, especially the
Cloud Infrastructure?
Slide 69: Session 5: Steps towards CI Protection
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
Slide 70: Steps towards CI Protection
(1) Establish CIP Goals, e.g.
• Critical Infrastructure (CI): Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Understand Critical Infrastructure (CI) Risks: CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being.
• Articulate CIP policy/goals: Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable.
• Establish Public-Private Partnerships: National CIP framework includes relevant government entities, as well as establishing public private partnerships involving corporate and non-governmental organizations.
Slide 71: Steps towards CI Protection
(2) Define CIP Roles
• Government: Define policy and identify roles; define CIP goal and roles
• Public-Private Partnership: Determine acceptable risk levels; define what’s critical; run the cycle Assess Risks → Identify Controls and Mitigations → Implement Controls → Measure Effectiveness
• Infrastructure Operators & Service Providers: Prioritize risks; deploy best control solutions
Slide 72: Steps towards CI Protection
(Figure: CIP stakeholders arranged in Government, Shared and Private columns: CIP Coordinator (Executive Sponsor); Law Enforcement; Sector Specific Agency; Computer Emergency Response Team (CERT); Public Private Partnership; Infrastructure owners and operators; IT vendors and solution providers)
Slide 73: Steps towards CI Protection
(3) Identify & Prioritize Critical Functions
(Figure: three critical functions, each built from an infrastructure element, a key resource and their supply chains, linked by interdependencies; caption: Understand requirements & complexity)
• Understand the critical functions, infrastructure elements, and key resources necessary for
– Delivering essential services
– Maintaining the orderly operations of the economy
– Ensuring public safety
Slide 74: Steps towards CI Protection
(4) Continuously Assess and Manage Risks
Risk management cycle: Assess Risks → Identify Controls and Mitigations → Implement Controls → Measure Effectiveness
• Assess Risks
– Identify key functions
– Assess risks
– Evaluate consequences
• Identify Controls and Mitigations
– Define functional requirements
– Evaluate proposed controls
– Estimate risk reduction/cost benefit
– Select mitigation strategy
• Implement Controls
– Based on holistic approach
– Implement defense in-depth
– Organize by control effectiveness
• Measure Effectiveness
– Evaluate program effectiveness
– Leverage findings to improve risk management
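As an added example (not the deck's own material), the following Python script works the "estimate risk reduction/cost benefit" and "select mitigation strategy" steps of the cycle above using the standard annualised loss expectancy (ALE) and return on security investment (ROSI) figures, which the deck itself does not name. The eGovernment risk and the three candidate controls, with their costs and reduction factors, are constructed sample values.

```python
"""Cost-benefit selection of a mitigation strategy.

Added example, not the CTO deck's material. It works the deck's "estimate risk
reduction/cost benefit" and "select mitigation strategy" steps with the standard
annualised loss expectancy (ALE) and return on security investment (ROSI)
figures, which the deck itself does not name. All amounts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    function: str   # critical function at risk ("Identify key functions")
    sle: float      # single loss expectancy: cost of one incident
    aro: float      # annualised rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year if nothing is done."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    risk_reduction: float   # fraction of the ALE the control removes, 0..1


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = risk.ale * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def select_mitigation(risk: Risk, controls: list[Control], budget: float) -> Control | None:
    """Choose the affordable control with the best ROSI.

    Returns None when no affordable control avoids more loss than it costs,
    i.e. when accepting the risk is the cheaper strategy.
    """
    candidates = [(rosi(risk, c), c) for c in controls if c.annual_cost <= budget]
    candidates = [(r, c) for r, c in candidates if r > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda rc: rc[0])[1]


# Constructed sample: one eGovernment portal risk and three candidate controls.
RISK = Risk("eGovernment portal availability", sle=2_000_000, aro=0.5)   # ALE 1,000,000
CONTROLS = [
    Control("DDoS scrubbing", annual_cost=150_000, risk_reduction=0.60),
    Control("Second-site failover", annual_cost=400_000, risk_reduction=0.80),
    Control("Full platform rewrite", annual_cost=1_500_000, risk_reduction=0.95),
]


if __name__ == "__main__":
    print(f"{RISK.function}: ALE {RISK.ale:,.0f}")
    for c in CONTROLS:
        print(f"  {c.name:22s} cost {c.annual_cost:>9,.0f}  ROSI {rosi(RISK, c):+.2f}")
    chosen = select_mitigation(RISK, CONTROLS, budget=500_000)
    print("selected:", chosen.name if chosen else "accept the risk")
```

The point the numbers make is that the control with the largest risk reduction (the rewrite) is not the one to select: it costs more than the loss it avoids, so its ROSI is negative, while the cheaper scrubbing service has the best return. When the budget drops below the cheapest positive-ROSI control, or when the function's ALE is small, the function returns None, which corresponds to accepting the risk rather than spending on a control that cannot pay for itself.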
Slide 75: Steps towards CI protection
(5) Establish & Exercise Emergency Plans
• Develop joint PPP plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but not limited to natural disasters, terrorist attacks, technological failures or accidents.
• Create emergency response plans to mitigate damage and promote resiliency.
• Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented.
• Test and exercise emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations.
• Exercises also provide an important opportunity by identifying new risk factors that can be addressed in response plans or controlled through regular risk management functions.
Slide 76: Steps towards CII protection
(5) Establish Public Private Partnership (PPP)
• Promote trusted relationships needed for information sharing and collaborating on difficult problems
• Leverage the unique skills of government and private sector organizations
• Provide the flexibility needed to collaboratively address today’s dynamic threat environment
Slide 77: Steps towards CII protection
(6) Build Security & Resiliency into Operations
• Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions
• Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents
Slide 78: Steps towards CII protection
(7) Update & Innovate Technology and Processes
• Cyber threats are constantly evolving
• All CIP stakeholders need to prepare for changes in cyber threats
• Constantly monitor trends and changes in critical function dependencies
• Keep systems patched and maintain the latest software versions
• Adopt smart & effective procedures and processes
Slide 79: Session 5: Group Discussions
Question
• What should be the additional roles and
responsibilities of the state?
• What investment is required to address CIIP
vulnerabilities & threats?
• How should the private sector & government
work on CIIP and build trust?
Slide 81: Relevant trends in Africa today (1/2)
• Increased penetration of smart phones
– Lower costs (~$80) have increased user uptake
– Other models Tecno (China), Wiko (France) & Infinix (Hong Kong)
– Will increase from 17% (2014) to 34% (2018)
• Africa leads mobile subscriptions
– 55% (1.3 billion) from developing countries
• Rapid growth of eCommerce
– Websites such as Jumia, Cheki & OLX
(Pie chart: mobile subscriptions: developing countries 55%, developed countries 45%)
Slide 82: Relevant trends in Africa today (2/2)
• Expanding Infrastructure
– SAT3/GLO/WACS/ACE etc, e.g. 6Km of Fibre in Cameroon
• Mobile money transfer
– Increasingly growing, e.g. M-Pesa has 16.8 Million customers
– Handles >$1 Billion transactions per month in Kenya alone
– Nigeria – introduced digital ID and transaction card
• Social media
– 78% of internet usage in Africa is for social media
– Estimated to contribute $230 Billion to Africa’s growth by 2025
Slide 83: Emerging Cyber Threats (1/3)
• 2014 global cyber attacks assessment shows
– Africa accounted for 4% of security incidents worldwide
– Every 1 second, 18 adults are victims of cybercrime
– 1.5 million victims globally per day
• Financial fraud
– Africa’s major cities like Cairo, Johannesburg, Lagos and Nairobi experience many cases of financial fraud
– African countries are becoming targets & sources of malicious Internet activities
• Software piracy and lack of updated software
– Home user PCs remain vulnerable to cyber attacks
Slide 84: Emerging Cyber Threats (2/3)
• Use of ICT to commit acts of terrorism
– Planning, co-ordination, implementation and promotion. For example Boko Haram, ISIS, Al-Shabaab & Al-Qaida etc
– Creates social-economic problems. For example, the Westgate Mall in Kenya – 67 people killed and nearly $200 Million lost in tourism revenue.
(Image: teenage girls in the UK who flew to Syria via Turkey)
Slide 85: Emerging Cyber Threats (3/3)
• Cyber attacks targeting government websites
– Defacement of websites, motivated by individual reasons
o Nigeria defence HQ attacked for fighting Boko Haram
o Ghana (gov.gh) portal attacked (11 out of 58 sites attacked)
o Senegalese ICT agency site attacked, linked to Charlie Hebdo
• Social media
– Reputation and defamation is a new form of cyber attack
– Anonymity on social networks – could tools such as Yik Yak be used for cyber bullying?
Slide 86: Cybersecurity challenges facing Africa
• Low level of security provisions
– Inadequate control and lack of information risk assessment
• Lack of technical know-how
– Inability to monitor and defend national networks
• Need to develop necessary legal frameworks
– 21 countries in Africa have proposed legislation
• Cross boundary challenges of Cybersecurity
– Inability to prosecute and apprehend at source
• Limited levels of awareness
– Regulators, military, law-enforcement, judiciary, legislators
Slide 87: Policy, Legal & Regulatory Considerations
Success of the above needs full government support
• Legal framework
– Lack of Cybersecurity legislation affects businesses
– Needs technology to support enforcement
• Regional harmonization of policy & legal frameworks
– Global good, needs national, regional & international actions
• Co-ordination and co-operation is a MUST
– Cybersecurity is a cross-boundary issue
– Needed to combat ICT fraud, hacking, child pornography and copyright infringement
– Creates uniformity in procedures and processes
Slide 88: Technology Considerations
Success of the above needs full government support
• Development of infrastructure
– Develop reliable, resilient and available connectivity
• Need to establish & enhance national CERTs
– Create sectorial CERTs
o Finance, Energy, Transport, Military, Maritime, SMEs etc
– Harmonize regional CERTs or CIRTs
• Best practice in Cyber governance
– Encourage use of country Top Level Domain (TLD) names
89. © Commonwealth Telecommunications Organisation | www.cto.int
Capacity Building, Research & Innovation Considerations
Success of the above needs full government support
• Cybersecurity is complex & challenging
– Develop technical skills through training & collaboration
– Use expertise from the Diaspora
• Cultivate a culture of Cybersecurity awareness
– CERTs must be proactive rather than reactive
– Engage in capacity building initiatives with ALL stakeholders
• Best practice in Cyber governance
– Encourage use of country Top Level Domain (TLD) names
– Have an effective data protection act
91. © Commonwealth Telecommunications Organisation | www.cto.int
Trends in Cyberspace
• Cyberspace provides access to ICT
– Bridging the digital divide and influencing socio-economic activities
• Cyberspace is increasingly becoming a global system
– Anticipated to grow from 2 to 4 billion users by 2020 (mostly from developing
countries)
• Cyberspace is open, decentralised and empowering
– This has fostered innovation, collaboration and rapid development
• Cyberspace success depends on its infrastructure
– Infrastructure should be secure, resilient and available to users
• Cyberspace can also be used for criminal activities
– Cybercrime, extremism and other social crimes
92. © Commonwealth Telecommunications Organisation | www.cto.int
Why a Commonwealth Model
• Contrasting views are emerging across the world on governing
Cyberspace
• Harmonisation is critical to facilitate growth and to realise the
full potential of Cyberspace
• The Commonwealth family subscribes to common values and principles
which are equally applicable to Cyberspace
• CTO is the Commonwealth agency mandated in ICTs
• The project was launched at the 53rd council meeting of the
CTO in Abuja, Nigeria (9th Oct 2013)
• Wide consultations with stakeholders
• Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th
March 2014 in London
93. © Commonwealth Telecommunications Organisation | www.cto.int
Objectives
The Cybergovernance Model aims to guide Commonwealth
members in:-
– Developing policies, legislation and regulations
– Planning and implementing practical technical
measures
– Fostering cross-border collaboration
– Building capacity
94. © Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Values in Cyberspace
• Based on Commonwealth Charter of March 2013
– Democracy, human rights and rule of law
• The Charter expressed the commitment of member states to
– The development of free and democratic societies
– The promotion of peace and prosperity to improve the lives of all peoples
– Acknowledging the role of civil society in supporting Commonwealth
activities
• Cyberspace today and tomorrow should respect and reflect the
Commonwealth Values
– This has led to defining Commonwealth principles for use of Cyberspace
95. © Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 1: We contribute to a safe and an effective global
Cyberspace
• as a partnership between public and private sectors, civil society and
users, a collective creation;
• with multi-stakeholder, transparent and collaborative governance
promoting continuous development of Cyberspace;
• where investment in the Cyberspace is encouraged and rewarded;
• by providing sufficient neutrality of the network as a provider of
information services;
• by offering stability in the provision of reliable and resilient information
services;
• by having standardisation to achieve global interoperability;
• by enabling all to participate with equal opportunity of universal access;
• as an open, distributed, interconnected internet;
• providing an environment that is safe for its users, particularly the young
and vulnerable;
• made available to users at an affordable price.
96. © Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 2: Our actions in Cyberspace support broader economic
and social development
• by enabling innovation and sustainable development, creating greater
coherence and synergy, through collaboration and the widespread
dissemination of knowledge;
• respecting cultural and linguistic diversity without the imposition of beliefs;
• promoting cross-border delivery of services and free flow of labour in a
multi-lateral trading system;
• allowing free association and interaction between individuals across
borders;
• supporting and enhancing digital literacy;
• providing everyone with information that promotes and protects their
rights and is relevant to their interests, for example to support transparent
and accountable government;
• enabling and promoting multi-stakeholder partnerships;
• facilitating pan-Commonwealth consultations and international linkages in
a single globally connected space that also serves local interests.
97. © Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 3: We act individually and collectively to tackle
cybercrime
• nations, organisations and society work together to foster respect for
the law;
• to develop relevant and proportionate laws to tackle Cybercrime
effectively;
• to protect our critical national and shared infrastructures;
• meeting internationally-recognised standards and good practice to
deliver security;
• with effective government structures working collaboratively within and
between states;
• with governments, relevant international organisations and the private
sector working closely to prevent and respond to incidents.
98. © Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 4: We each exercise our rights and meet our responsibilities in
Cyberspace
• we defend in Cyberspace the values of human rights, freedom of expression and
privacy as stated in our Charter of the Commonwealth;
• individuals, organisations and nations are empowered through their access to
knowledge;
• users benefit from the fruits of their labours; intellectual property is protected
accordingly;
• users can benefit from the commercial value of their own information; accordingly,
responsibility and liability for information lies with those who create it;
• responsible behaviour demands users all meet minimum Cyberhygiene
requirements;
• we protect the vulnerable in society in their use of Cyberspace;
• we, individually and collectively, understand the consequences of our actions and
our responsibility to cooperate to make the shared environment safe; our obligation
is in direct proportion to culpability and capability.
100. © Commonwealth Telecommunications Organisation | www.cto.int
Development of a National Cybersecurity Strategy
• Needs support from the highest levels of government
• Adopt a multi-stakeholder partnership (private sector,
public sector & civil society)
• Draw on the expertise of the international community
• Appoint a lead organisation or institution
• Be realistic and sympathetic to the commercial
considerations of the private sector
• Add mechanisms to monitor & validate implementation
101. © Commonwealth Telecommunications Organisation | www.cto.int
Main elements of a Cybersecurity Strategy
• Introduction and background
• Guiding principles
• Vision and strategic goals
• Specific objectives
• Stakeholders
• Strategy implementation
102. © Commonwealth Telecommunications Organisation | www.cto.int
Introduction & Background
• Focuses on the broad context
• Sets out the importance of Cybersecurity to national
development
• Assesses the current state of Cybersecurity and challenges
STRATEGY COMPONENT: 1. Introduction / background
ASPECTS TO CONSIDER:
This section provides a succinct background of the country’s circumstances and the status of its Cybersecurity.
• Explain the importance of Cybersecurity to economic and social development.
• Describe the use of Cyberspace and the nature of Cybersecurity challenges to justify the need for the Cybersecurity strategy.
• Explain the relationship to existing national strategies and initiatives.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
Uganda’s introduction covers:
• The definition of information security
• The justification for a strategy
• Country analysis of the current state of the information security framework
• Strategy guiding principles
• Vision, mission, strategic objectives
Note that this example covers the first three sections in this framework.
103. © Commonwealth Telecommunications Organisation | www.cto.int
Guiding Principles (1/2)
• Based on Commonwealth Cybergovernance principles
• Balance security goals & privacy/protection of civil liberties
• Risk-based (threats, vulnerabilities, and consequences)
• Outcome-focused (rather than the means to achieve it)
• Prioritised (graduated approach focusing on critical issues)
• Practicable (optimise for the largest possible group)
• Globally relevant (harmonised with international standards)
104. © Commonwealth Telecommunications Organisation | www.cto.int
Guiding Principles (2/2)
STRATEGY COMPONENT: 2. Guiding principles
ASPECTS TO CONSIDER:
This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
• Build from the principles of the Commonwealth Cybergovernance model.
• Include any relevant national principles.
• Describe the delivery principles that guide the design of the goals, vision and objectives.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
In addition to the Commonwealth Cybergovernance principles and national principles, the following delivery principles are recommended:
• Risk-based. Assess risk by identifying threats, vulnerabilities, and consequences, then manage the risk through mitigations, controls, costs, and similar measures.
• Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
• Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
• Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
• Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonisation in mind wherever possible.
105. © Commonwealth Telecommunications Organisation | www.cto.int
Vision & Strategic Goals
• Promote economic development
• Provide national leadership
• Tackle cybercrime
• Strengthen the critical infrastructure
• Raise and maintain awareness
• Achieve shared responsibility
• Defend the value of Human Rights
• Develop national and international partnerships
106. © Commonwealth Telecommunications Organisation | www.cto.int
Vision & Strategic Goals
STRATEGY COMPONENT: 3. Strategic goals and vision
ASPECTS TO CONSIDER:
This section defines what success looks like in broad summary terms and reflects the country’s priorities.
• Make a clear statement of the country’s commitment to protecting the use of its Cyberspace.
• Emphasise the breadth of the use of Cyberspace: covering social and economic activity.
• Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
Australia’s vision: “The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the benefits of the digital economy”
Three pillars of the Australian strategy:
• All Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online;
• Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
• The Australian Government ensures its information and communications technologies are secure and resilient.
Four pillars of the UK strategy:
• Tackle cybercrime and be one of the most secure places in the world to do business in cyberspace;
• To be more resilient to cyber attacks and better able to protect our interests in cyberspace;
• To have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;
• To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.
107. © Commonwealth Telecommunications Organisation | www.cto.int
Specific Objectives
• Provide a national governance framework for securing Cyberspace
• Enhance the nation’s preparedness to respond to the challenges of Cyberspace
• Strengthening Cyberspace and national critical infrastructure
• Securing national ICT systems to attract international businesses
• Building a secure, resilient and reliable Cyberspace
• Building relevant national and international partnerships and putting effective
political-strategic measures in place to promote Cyber safety
• Developing a culture of Cybersecurity awareness among citizens
• Promoting a culture of “self-protection” among businesses and citizens
• Creating a secure Cyber environment for the protection of businesses and individuals
• Building the skills and capabilities needed to address Cybercrime
• Becoming a world leader in Cybercrime preparedness and Cybercrime defence
108. © Commonwealth Telecommunications Organisation | www.cto.int
Specific Objectives
STRATEGY COMPONENT: 4. Risk management (risk-based approach objectives)
ASPECTS TO CONSIDER:
How the risk management process works, and then setting objectives and priorities.
This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities.
• How risk management is currently performed, for example for national security.
• Sources of threat information and of major vulnerabilities.
• How granular to make the outcomes and objectives.
• How frequently to repeat the risk assessment process.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
Source: Microsoft’s guidance, listed in appendix 3:
• A clear structure for assessing and managing risk
• Understand national threats and major vulnerabilities
• Document and review risk acceptance and exceptions
• Set clear security priorities consistent with the principles
• Make national cyber risk assessment an ongoing process
109. © Commonwealth Telecommunications Organisation | www.cto.int
Stakeholders
[Stakeholder diagram; boxes recovered from the slide:]
• CIP Coordinator (Executive Sponsor)
• Law Enforcement
• Sector Specific Agency
• Computer Emergency Response Team (CERT)
• Public Private Partnership
• International Organisations
• Infrastructure owners and operators
• IT vendors and solution providers
[Diagram legend: Government | Shared | Private]
110. © Commonwealth Telecommunications Organisation | www.cto.int
Specific Objectives
STRATEGY COMPONENT: 4. Stakeholders
ASPECTS TO CONSIDER:
This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5).
• Identify all relevant key stakeholders, taking into consideration country objectives and focus areas.
• Identify key international stakeholders and partners that could contribute effectively.
• Draw stakeholders from governmental and non-governmental organisations, civil society, academia, and the public and private sectors of the economy. Should include, but not be limited to, software and equipment vendors, owners and operators of CII, law enforcement institutions etc.
EXAMPLE TEXT FROM PUBLISHED STRATEGIES AND BEST PRACTICE:
In constructing the list of stakeholders, the following constituencies should be considered:
• ministers and other politicians;
• government departments concerned with ICT, telecommunications and information security;
• private sector organisations that provide ICT services;
• government departments whose responsibilities rely upon or who engage with Cyberspace, including: most economic activity, trade, tourism, law enforcement;
• providers of the critical national infrastructure whose vital communications are increasingly carried across the internet;
• companies across the economy that rely upon Cyberspace, often represented by trade associations;
• representatives of civil society, often in the form of groups that reflect broad public opinion and can advise on the best way to achieve outcomes involving the public;
• civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
• experts who understand how Cyberspace works, from a technical perspective, to ensure that government strategies are practical;
• academia, who can advise on R&D, international best practice and emerging issues;
• international bodies such as the Commonwealth Telecommunications Organisation;
• other countries, particularly regional countries.
111. © Commonwealth Telecommunications Organisation | www.cto.int
Strategy Implementation
• Governance and management structure
• Legal and regulatory framework
• Capacity development
• Awareness and outreach programmes
• Incident response
– Incentivise commercial competitors to cooperate
– Create national CERTs (include sector-based CERTs)
• Stakeholder collaboration
• Research and development
• Monitoring and evaluation
113. © Commonwealth Telecommunications Organisation | www.cto.int
What Next? Upcoming CIIP Workshops
[Map of CTO CIIP Workshops; locations and dates recovered from the slide:]
• Colombo, Sri Lanka / Dhaka, Bangladesh – Aug-Sep 2014
• Port Vila, Vanuatu – Sep-Oct 2014
• Nairobi, Kenya – Nov 2014
• Yaounde, Cameroon – Jan-Feb 2015
[Map legend: Successfully completed | Scheduled to take place | To be confirmed]
114. © Commonwealth Telecommunications Organisation | www.cto.int
Further Information Contact:
Dr Martin Koyabe
Email: m.koyabe@cto.int
Tel: +44 (0) 208 600 3815 (Off)
+44 (0) 791 871 2490 (Mob)
Q & A Session