230 likes | 405 Vues
a National approach to Cyber security/CIIP: Raising awareness. Presented to: Workshop on Capacity Building for Computer Emergency Readiness Team (CERT) for Africa November 1-2, 2010 By Joseph Richardson Senior Fellow, GMU-ICC. Objectives.
E N D
a National approach to Cyber security/CIIP: Raising awareness Presented to: Workshop on Capacity Building for Computer Emergency Readiness Team (CERT) for Africa November 1-2, 2010 By Joseph Richardson Senior Fellow, GMU-ICC
Objectives • Propose a way of thinking about Cyber Security/CIIP • A FRAMEWORK • Identify key elements of the FRAMEWORK and relationships among them • Suggest methods for building a national consensus on FRAMEWORK and on implementation actions.
cybersecurity:Why Worry? • Nation is dependent on ICTs • Economic wellbeing • National security • Social cohesion • Risk is inherent in ICT use • Vulnerabilities • Threats • Interdependences • Conclusion: Action is required
cybersecurity:Who’s responsible? “Government, business, other organizations, and individual users who develop, own, provide, manage, service and use information systems and networks” - UNGA Resolution 57/239 Creation of a global culture of cybersecurity • Collectively known as The Participants
Participants:What should They do? AWARENESS: Be aware of the need for security and what they can do to enhance it. RESPONSIBILITY: Review their own security policies, practices, measures an procedures regularly and assess appropriateness. RESPONSE: Act in a timely and cooperative manner to prevent, detect and respond to security incidents. • In a manner appropriate to their roles See: UNGA Res 57/239.
cybersecurityresponsibility It’s SHARED All participants must be responsible Each participant must take action -- appropriate to its role in the overall system • Government has responsibility to lead
Government lead: what Does it do? • Ensure all participants are aware of security • Promote responsibility, and • Assure coordinated response by participants; using • A common national vision • Policy and institutional frameworks
Government lead how? • Conduct a national Cybersecurity Self-Assessment • Take stock • Promulgate A National Cybersecurity Strategy • Vision for action
Cyber securityscope What is meant by cybersecurity? • ITU documents speak of “Enhancing security and building confidence in the use of ICT applications” • UNGA resolutions 57/239 and 58/199 speak of “a culture of cyber security in the application and use of information technologies” and in the protection of critical information infrastructures. • Others speak in terms such as cyberspace, the Internet and the information society.
Cyber securityscope Recognizing there is no fixed definition, a national approach to cybersecurity should include • Physical security of the information infrastructure • Virtual security, and • Human aspects of the use of ICTs, including interactions among people
Key documents UNGA Resolutions: • 64-211 Taking stock of cybersecurity needs and strategies • 58-199 Creation of a global culture of cybersecurity and the protection of critical information infrastructures • 57-239 Creation of a global culture of cybersecurity • 56-121 Combating the criminal misuse of information technologies • 55-63 Combating the criminal misuse of information technologies See: http://www.un.org/documents/resga.htm
Key documents ITU National Cybersecurity/CIIP Self-Assessment Tool ITU Q.22/1 Report On Best Practices For A National Approach To Cybersecurity: Building Blocks For Organizing National Cybersecurity Efforts ITU Cybercrime Resources: • ITU Toolkit For Cybercrime Legislation • ITU Publication on Understanding Cybercrime – A Guide for Developing Countries See: http://www.itu.int/ITU-D/cyb/cybersecurity/index.html
Take Stock Self-Assessment - What is it? • An identification and evaluation of existing national approach to cyber security. • Policies • Procedures • Mechanisms • Norms • Institutions • Relationships • What are we doing? • What should we be doing? • Input for a National Cybersecurity Strategy
VisionNational Strategy - What is it? A Policy Document that Provides a National Vision: • Outlines the case for national action • Identifies participants and their roles • Elaborates organizational responsibilities • Establishes policy and operational structures • Addresses key elements of cybersecurity • Lays out a plan of action
Getting Started • The Audience • Who are they? • What is their level of awareness and response? • What decisions already taken? • The Participants • Those entities and persons who • Will prepare and comment on the Self-Assessment and the National Strategy, • Will implement the National Strategy • They come from • Government • Business and Industry • Academia • Civil Society
Getting Started • The Case for Action • Role of ICTs in the nation • Vulnerabilities and threats • Risks to be managed • The stage for Cybersecurity: • Relationship to other national goals and objectives • Economic and Development goals • Industry goals • Social goals • Security goals
key elements Collaboration and Information Exchange IncidentManagement Legal Framework Culture ofCybersecurity Key Elements of a National Cybersecurity Strategy
objectives For each key element • A statement of policy • Identify and prioritize goals to support policy • Elaborate specific steps to reach goals
Other considerations Other Considerations • Resources • Budget and financing • Equipment and technology • Human capacities • Timeframes and milestones • Priorities • Reviews and reassessments
Output Self-assessment provides: Input to a National Cybersecurity Strategy • A set of Findings and Recommendations • With supporting documentation • Reviewed by all participants • That provide the basis for policy decisions and a program of action to address cybersecurity • Promulgated at a level to ensure action by all participants
Conclusion Use of a National Cyber Security Self–Assessment to produce a National Cyber Security Strategy can assist governments: • Understand the existing national approach • Develop “baseline” on best practices • Identify areas for attention • Prioritize national efforts • Promote national action and assist with • regionally and internationally coordination and • cross border cooperation
Final Observations No nation starts at ZERO No “right” answer Continual review and revision needed All “participants” must be involved • Appropriate to their roles
Questions? Joseph Richardson Senior Fellow GMU-ICC