
Towards a Cybersecurity “Roadmap” for Indonesia: Role of ‘id-FIRST’ in coordinating effective response and stakeholder

IT & Network Security Seminar of SECURE-INDONESIA-FIRST.or.id (“id-FIRST”), Jakarta, March 19, 2003. Towards a Cybersecurity “Roadmap” for Indonesia: Role of ‘id-FIRST’ in coordinating effective response and stakeholder engagement. By Idris F Sulaiman PhD, USAID ICT Advisor/Economist


Presentation Transcript


  1. IT & Network Security Seminar of SECURE-INDONESIA-FIRST.or.id (“id-FIRST”), Jakarta, March 19, 2003. Towards a Cybersecurity “Roadmap” for Indonesia: Role of ‘id-FIRST’ in coordinating effective response and stakeholder engagement. By Idris F Sulaiman PhD, USAID ICT Advisor/Economist, State Ministry of Communications and Information and Partnership for Economic Development (USAID-Government of Indonesia) Project. The views expressed in this presentation are those of the authors and not necessarily those of USAID, the U.S. Government or the Government of Indonesia.

  2. 1) Introduction: Some lessons best learnt without experience; Need for a comprehensive approach: USAID, APECTEL & various National Strategies 2) Building blocks of Cybersecurity “Roadmap”: Legal & Policy Framework; Law Enforcement Agency (LEA) Capacity Building; IT Security Teams and CERT Capacity Building; Creation of IT Employment Opportunities, Facilitation of Secure Investment Climate and Risk Reduction: * Unemployment -- Cybercrime link? * Hacker outreach -- work on IT development 3) Summing up. Topics

  3. Heed Warnings! Some lessons are best learned without the experience! CELL PHONE + GAS PUMP A DANGEROUS COMBO !

  4. Cell Phones & Gasoline Do Not Mix! The keypad or ringer apparently produces a small electric spark …. 3 incidents reported at gas stations: While pumping fuel a car caught fire from fumes emitted from the tank – a cell phone placed on the trunk of the car rang. A man got his face burnt while talking on the phone, when refuelling his car. A cell phone burnt a man’s trousers - the phone in his pocket rang, while refuelling his car. Tragic! Not Funny!! Laughing stock ex-post. Don’t let it happen to you!

  5. These incidents could be avoided. Keep your cell phone switched off at gas stations. If expecting an urgent call and phone cannot be switched off - KEEP IT IN THE CAR - Do not answer a cell phone when fuelling up. Reference: HSE Warning from Society of Petroleum Engineers – Dated : 2nd November 2001 Your cell phone could ignite a fire!

  6. BETTER BE SAFE THAN SORRY !! Be Cautious - Be Safe !!

  7. Get policy right first, telecom/Internet build-out will follow. Framework used in ICT assessment of 20 countries: see “USAID Indonesia-ICT Assessment 2001” (IIA2001) Report: Policies (Telecom & E-Commerce Regimes); Pipes (Infrastructure); Private Sector (Fostering Entrepreneurship and Removal of Impediments); People (E-leadership, HRD & Applications Development). The 4 “P’s” is a comprehensive approach to ICT development: a tool which can be used at global, national and local levels to prioritize development initiatives; the interaction between them has the potential to create significant multiplier & network effects (comprehensive approach). 1. INTRODUCTION: USAID Indonesia approach

  8. 2. On-going Work: USAID-PEG Project’s ICT activities • Continue to facilitate the implementation of the National ICT Action Plan (Indonesian Presidential Executive Order, InPres No: 6/2001) • (1) E-Government: Egov. Task Force, meeting challenges of governance reform at national and regional levels • (2) Wartel, Warnet and Tele-Center (Warnet+ + +) development • (3) Improve ICT use by Small and Medium-sized Businesses • (4) Improve telecommunications regulatory framework: facilitate the establishment of modern licensing, frequency management, telecom independent regulatory body & other policy innovations; adoption of e-Commerce and Cyber laws, anti-monopoly enforcement • (5) Cybersecurity: Facilitate legal and technical capacity building and other policies and activities to promote cybersecurity

  9. 26th Meeting of the Telecommunications and Information Working Group of the Asia Pacific Economic Cooperation (APEC): Members and observer economies. Legal Workshop to Combat Cybercrime (Aug 17-18, 2002) sponsored by US-Dept of Justice, US-State Dept & USAID. APECTEL’s sessions (Aug 19-23, ’02): European Electronic Standard Signatures Initiatives (EESSI), part of E-Security Task Group (ETG), part of Business Facilitation Steering Group (BFSG); Development Cooperation SG (DCSG). 2. LEGAL ISSUES: REGIONAL CYBERSECURITY EFFORT - APECTEL 26, MOSCOW

  10. Aim: for members to take steps towards harmonizing (1) substantive laws to deter criminal misuse of and attacks on computer networks; (2) procedural laws to regulate government access to information in order to investigate and deter all sorts of crime facilitated by computer networks; and (3) laws to assure effective international coordination International Framework used: United Nations General Assembly (UNGA) Resolution 55/63 Combating the Criminal Misuse of Information Technologies Council of Europe Cybercrime Convention (Nov. 2001, signed by 30 countries including APEC members) “APEC Cybersecurity Strategy” proposals (adopted by the APECTEL26 Plenary Session) Legal Framework to Counter Cyber Crime

  11. Comprehensive approach: 5 initiatives, with action items - basis of the country’s efforts on cybercrime and critical infrastructure protection (eSecurity Task Group part of Business Facilitation Steering Group, APECTel 26, Moscow, Aug 19-23, 2002) Legal developments Information sharing and cooperation Security and technical guidelines Public awareness and education Wireless security Economic Security - Development Cooperation on job-creation to bridge the digital divide (Development Cooperation Steering Group for TEL26) Major result: Digital Divide Blueprint for Action, Supporting Micro/SMEs, and Considering Next-Generation Technologies and their role in Infrastructure Development APEC Cyber Security Strategy

  12. Adoption of laws is costly and the choice of law cannot be taken lightly because it would require institutional and resource preconditions. Legal reform by itself will not result in a better business and investment climate because enforcement and public trust are the decisive factors. A comprehensive approach is needed to remove barriers and constraints. What are the drivers and constraints? Examples: draft cyberlaw & e-signature law. Developing legal framework to combat cybercrime in Indonesia

  13. (1) Limited Resources of Law Enforcement: IT Cybercrime Unit, National Police (POLRI) is staffed with only a handful of senior investigators for a country of 220 million; Training has started by International Law Enforcement Academy, Bangkok, Thailand but only for 2 officers per year. Local training is an alternative to overcome shortage in forensic and investigator specialists. POLRI is seeking further assistance. (2) Transparency and trust building between law enforcement and the business community is essential; Indonesia’s police to work together with businesses in dealing with crime. Improved privacy/rights protections are needed if Indonesian businesses and the police are to cooperate effectively (slow progress in the implementation of Freedom of Information Law). (3) Courts: There are deeper problems associated with the Indonesian court system but there are some improvements (e.g. Manulife case). (4) ID-FIRST - new forum for stakeholders and constituency building for ISPs, universities, banks, energy & power, telecom & others through their industry associations. Each to build their own Warning And Response Points (WARPs) and Computer Emergency Response Teams (CERTs). ID-FIRST is to facilitate CERTs and WARPs to obtain assistance. (5) The government to build a National Critical Infrastructure Protection Coordination Task Force (NCIPC Task Force). Without coordinating all (1-5), cyber security will be inadequate. 3. TECH ISSUES: BUILDING ON TECHNICAL CAPABILITIES and TRANSPARENCY

  14. Forum for ICT-incident Response and Security Teams (id-FIRST Foundation). Supervisory Board: Forum of industry associations (APJII, ASPILUKI, APKOMINDO, ANIMA, INDO-WLI and others in FTII, MASTEL AKKI, ICT Watch). Task Force of IT Security Teams (ID-CERT, ID-ISP-CERT, each industry WARPs/CERTs). Commissioner Board: Authoritative persons. Executive Board: Staffed by professionals. All boards will be elected annually, coordinated by Founding Board based on industry volunteers. Current services: Mailing list abuse@apjii.or.id - statistics collected; Responding to inquiries from in & outside Indonesia; Clearing house for information on IT & net security. id-FIRST Background

  15. Alternatives in Computer Emergency Response or E-Security: US: CERT/CC - Carnegie-Mellon Univ., Pittsburgh (established November 1988) UK: NISCC - UK government, UK CIP Programme (established 1992) AU: AusCERT - Queensland University, Brisbane (established October 1992) NL: CERT-RO - runs Dutch Alerting Service, est. by ICTU (test run Sep. 2002) AP-CERT Task Force: proposed in Tokyo, Japan (March 2002); formal est. date March 2003, APECTEL 27th Meeting in Kuala Lumpur, Malaysia EU: EuroCERT (97-99), now CSIRT Task Force - 79 European CERTs. Workshop 1: CERTs and Critical Infrastructure Protection (CIP) - establishing effective information sharing and cooperative agreements - national and regional level initiatives. Workshop 2: Pragmatic analysis of what is working and what is still needed in cooperation & coordination. International Symposium CERT-RO, August 27-28, 2002, Amsterdam, the Netherlands

  16. Asia: ideal for cybersecurity regionalization because there are many emerging CERTs and there is often only one per country. Trust relationships are not easy to establish but the APCERT/APEC initiative receives strong support. Europe: regionalization started in 1992 & has been quite successful but all CERTs combined are yet to cover all critical infrastructure - there are blind spots still. Exchange of information about security incidents works well. A standard for incident reporting and exchange is being developed. Alternatives in cybersecurity initiatives (business models): Academic-sector organizations with premium service to the private sector: US CERT-CC-US Electronic Industry Alliance, Au-CERT and others. Public-private Partnerships with private and public financing: UK Action 2000/Y2K private company, Min of Telecom owned, Belgian e-Security Platform (BIPT) & Austria’s CIRCA (MoT and ISPs owned), VDI Norway. Government managed org’s with civil service and/or military personnel: UK’s National Infrastructure Security Coordination Centre (NISCC), France’s CERT-A, Netherlands’ CERT-RO, Germany’s CERT-BUND, US National Infrastructure Protection Centre (NIPC) and Information Sharing and Analysis Centers (ISACs), USG Sector Liaisons - banking, power & telecom, US Presidential Decision Directive 63, 2002 - Homeland Security. The Netherlands Symposium CONCLUSIONS:

  17. European strategy or “Roadmap for Securing the Information Society” - key aspects: Warning and Information Sharing (on electronic attacks, i.e. Hacking, Viruses, Trojan, DDoS, etc); Public/private Partnerships and R&D Program (using dependability as an approach); Government Mechanisms (US, the Netherlands, UK’s Information Assurance Advisory Council) and International Approaches (EU, OECD and others). Dependability (Security, Reliability and Safety) in: Architecture: An open or closed network? Principle: A small central organization and build upon existing sharing networks. Business Model: Hybrid funding model - mix of public and private sector funding for European capability to retain its objectivity. EU investment should be targeted to stimulate the development of a sustainable market for network security information. Legal consideration: must operate in conformance with Community and national commercial codes and privacy legislation. Dependability Development Support Initiative (DDSI) Conference, Belgium, Oct 10, 2002

  18. Draft strategy document “The National Strategy to Secure Cyberspace” (Sept 2002). Key coordinators: Mr. Richard Clarke and Mr. Howard A. Schmidt; respectively Chairman and VC of President’s Critical Infrastructure Protection Board (CIPB). Out for comments from the public, due date: November 18, 2002. See http://www.whitehouse.gov/pcipb/ or www.securecyberspace.gov. Key elements of US strategy to secure cyberspace - Case for Action: Cyberspace Threats and Vulnerabilities; Policies and Principles Guiding the Strategy; Highlights of the Strategy; and Five levels of the National Strategy: Home users and small businesses; Large enterprises; Critical sectors (Federal, State & Local governments, Higher Education, and the Private Sector); The National Priorities (Certification, Info Sharing, Cybercrime, Market Forces, Privacy and Civil Liberties, Cyberspace analysis, Continuity of operations, Recovery and Reconstitution); The Global Issues (Coordination through APEC, 24/7 Coord Centers). Dependability Development Support Initiative (DDSI) Conference (2): US Strategy

  19. Key Elements: 6 major tools to secure cyberspace - Awareness raising and information dissemination; Technology tools; Training and education; Partnership between private sector, academia and government; Federal government leadership role; Coordination and crisis management. Partnership for Critical Infrastructure Protection: this is a US public/private initiative in cybersecurity (see http://www.pcis.org/). Headed by Mr. Kenneth C. Watson, Manager of the Critical Infrastructure Assurance Group, CISCO. Dept of Commerce Critical Infrastructure Assurance Office (CIAO): Initiated a series of public cybersecurity meetings in several US cities (see http://www.ciao.org). Sponsored meetings with US State and local governments from several States including a national-level held in Austin, Texas (Feb 12-13, 2002) and Princeton, New Jersey, April 23-24, 2002. Dependability Development Support Initiative (DDSI) Conference (3): US Strategy

  20. Information Sharing Network: Loose voluntary linkage (not a technical comms network) of entities including CERTs, WARPs, ISACs and other organizations interested in sharing warnings, vulnerabilities, threats and incident reports, and providing advice to each other and their own communities. UK’s “Neighbourhood Watch” - Warning, Advice and Reporting Point (WARP): Provides warning, advice and reporting services on Internet security-related matters. Similar to a CERT but without a capability for responding to incidents (other than providing advice). Information Sharing & Analysis Center (ISAC): Conceived in US under PDD63 (1998) for coordination between organizations in each CNI sector (Energy, Banking/Finance, Telecommunications, Transport and others). IT ISAC, Telecom ISAC, Predictive. ISACs do not normally share reports outside their own (paying) membership. FIRST: Forum of Incident Response and Security Teams - the global organization to which most major CERTs subscribe (www.first.org). Dependability Development Support Initiative (DDSI) Conference (4)

  21. Worsening educated unemployed, most official figures underestimate true situation; mainly heavily concentrated in the cities of Jakarta, Bandung, Jogyakarta, Semarang and Surabaya, which accounted for over 40% of all senior high and nearly half of all graduate unemployed in urban areas in 1999 (no recent statistics are collected). Unemployment rates were also highest in these cities: 19% and over versus a 14% unemployment rate among high school graduates in all Indonesia in 1999. For many unemployed graduates: many Internet cafes or Warnets provide a haven for “carding” (credit card fraud), hacking and other cybercrime activities; few convictions but lightly punished - no deterrent in the existing laws (even Warnet operators are allegedly involved). Improving employment by providing opportunities for IT/software development SMEs - scale up successes of the development of software incubation: Balicamp to Balige Tobacamp, Batu (Malang) Camp, Bogorcamp, Bandung High Tech Valley and others. 4. INVESTMENT ISSUES: Improve Investment Environment and Unemployment Alleviation

  22. Workshops/seminars for awareness raising and capacity building: Indon Infocosm Bus. Community (I2BC): Seminar to raise awareness aimed at I2BC members, namely IT services, media & security firms, Sep 25, 2002. “Indonesia’s readiness and response to the threat of cybercrime” Seminar, Showcase and Workshop and Launch of “Secure-Indonesia-FIRST” (Forum for ICT-incidents and Security Teams), March 19-22, 2003, Jakarta. Policy work on ‘Public Sector Cybersecurity Readiness’ within Min of Comm & Info and towards a ‘Critical Infrastructure Protection (CIP)’ national coordination body involving others: Min of Comm & Transport, Coord Min of Political and Security Affairs, Min of Industry and Trade, Coord Min of Economic Affairs, National Planning Agency and others. Support APEC’s Cybersecurity strategy work; Japan, China, Singapore, NZ, Canada, US and Australia have indicated particular interest and support for AP-CERT. Support APEC Telecom & IT Working Group (APECTEL) 27th Meeting in Kuala Lumpur, Malaysia as a focus on cybersecurity issues (with a special additional workshop), 22-28 March 2003 (see: www.apectel27.org.my). Past & Future activities

  23. Further activities: Generate building blocks for “Cybersecurity Roadmap” process Overviews- collect info/statistics about incidents cybercrime and electronic attack, existing warning and information sharing initiatives by selected end-users and stakeholder identification Preparation of background issues and options paper Set up trust-building forum to share information Improve cybersecurity readiness in legal framework Capability building in computer emergency & law enforcement agencies but with “buffer-zone” in between Capability building in IT incubation & economic growth response Towards a Cybersecurity Roadmap...

  24. In order to respond effectively to possible attacks or problems one has to know what’s really going on. Is a “script kiddie” at work here, a foreign security agency, a terrorist, etc.? Who should respond? Systems by themselves (usually) don’t respond to attacks. In most cases an incident is only identified after the fact. APCERT and most countries are still trying to come up with a good definition of who are the stakeholders/constituents of Critical Infrastructure Protection (CIP). Probably the definition will be very similar to the one that was applied in solving the Y2K problem. Key question is: who decides what CIP consists of, and how can this definition be determined? Setting up CERT/CSIRT - private sector or government-led - would be a way to concentrate security issues and responsibility. MORE NEXT STEPS - Lessons from European Regionalization of CERT/CSIRT Efforts

  25. If the Private Sector turns out to be the most significant owners of CIP or critical computer systems, then operations of industrial parties are usually based on level service agreements (LSAs) which may be difficult to influence. Legislation can be helpful in CIP but doesn’t provide answers as to who should act in the case of a security incident. Business continuity and damage minimization usually get a higher priority than tracing/capturing/prosecuting the perpetrator. Trust relationships built on personal contact do not scale. In the long term another method needs to be found, e.g. using certification and accreditation methods. Commercial and governmental concerns may clash. In some cases a party may try to deny the occurrence of an incident or deliberately underrate its significance. Define who, what and how: concise definitions are needed! MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (2)

  26. Don’t expect one agency or one group to solve the whole CIP problem. Define roles and responsibilities; establish partnerships to tackle CIP. A national coordination group of CIP elements needs to be convened to develop “Cybersecurity CIP Roadmap” on: ARCHITECTURE - Central facilitation body and networks. Principle: Any initiative should consist of a small central organization and build upon existing sharing networks. BUSINESS MODEL - added-value services for specific category of potential customer. Principle: A hybrid/mix of public-private sector funding model. LEGAL - challenges for CIP implementation must be identified, e.g. Competition law, data protection, confidentiality and liability. Principle: Must operate in conformance with Community and national commercial codes and privacy legislation. MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (3)

  27. To review and consider the whole CIP issue, distinguish the following five tasks: Definition phase. Task 1: Define CIP (and what are its goals)? • What it means in the national context, in terms of impact? • Who should be involved? Effectiveness of arrangements on existing CERT (include virus alert systems) in preventing, detecting, and reacting efficiently at national level against network and information system disruption and attack? Task 2: Define roles and responsibilities: Who does what? What is the role for CERTs and National CIP Coordination? The layers of responsibility: Political and policy vs. the operational day-to-day. MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (4)

  28. Pre-operational phase. Task 3: Organise the participation of the parties involved. Operational phase. Task 4: Define the structure in which CIP should be organised, e.g., a joint task force? Use overseas examples, approaches and lessons learned. Task 5: How to implement CIP by defining and developing measures? Awareness building; Risk management; Consequence management; Information sharing. MORE NEXT STEPS - Lessons from Euro Regionalization Efforts (5)

  29. Integrate national teams into APCERT community. Establish more CERT/WARPs near to the end users. Implementation of national schemes of cooperation. Bottom-up approach in accordance with CIP structures. CERT of last resort, National CIP/CSIRT Coordination. From trust to expectations (trust relationships built on personal contact do not scale) - longer term alternatives: Standardization; Accreditation; Certification. Actively involving new CERTs and helping them set an appropriate level of expectations for their service. MORE NEXT STEPS - Asia Pacific Regionalization Effort: APCERT-APECTEL26 Initiative (6)

  30. MORE NEXT STEPS (7): Proposed Relationships APCERT-Task Force and AP Security Incidents Response Coordination. [Diagram labels: economies TH, SG, NZ, US, MY, RU, PH, AU, VN, MX, PR, KH, CA, ID, KR, JP, TW, HK, CN; APCERT; APSIRC; ID-Gov CERT, ID-ISP CERT, ID-Vendor CERT; JP-Gov CERT, JP-ISP CERT, JP-Vendor CERT]

  31. “Cybersecurity Roadmap” needed on: Define Architecture, Roles and Responsibilities; Business Model, Funding and Contributions; Facilitating Technical Assistance; Work on Legal Framework and New Guidelines. Day-to-day Operational: Advisories (email & web) www.cert.or.id, www.secure-indonesia-first.or.id; Document translation (in Indonesian & English); Ticketing system for incident handling; Scrubbing of ‘sensitive’ incident data. Support from others: Indonesia Internet Business Community (I2BC), Info-comm (MASTEL) Society, MCI and Donors ICT Group for Indonesia. Future direction in combating cybercrime

  32. Building blocks of cyber security strategy - legal, technical and investment issues - must be seriously considered by both private sector and government - BEFORE - cyber attacks get worse. There are some late-comer advantages for Indonesia and other developing countries on policy preparations work because: There are emerging global and regional efforts (UN-General Assembly, Council of Europe, APEC, European Union); Possible initial support from donor organizations through the Donor ICT Group for Indonesia (World Bank - formally leading the group); Cybersecurity preparation is less costly if private and public sector work together, minimize risk and share cost. Outcome of cybersecurity strategy will depend on: Trust-building & focus - both private and public sectors; Private sector (e-security/ICT ind) lead & public input in debate; Private sector, government and donors effective cooperation. Concluding comments

  33. JOIN ID-FIRST NOW, Fight Cybercrime Together !!

  34. APECTEL: http://www.apectel.org; OECD: http://www.oecd.org; European CERT discussions: http://www.ddsi.org, http://www.iaac.org.uk, http://ewis.jrc.int; United States: http://www.cert.org, http://www.cybercrime.gov, http://www.usdoj.go; Australia: http://www.aucert.org.au, http://www.cript.org.au, http://www.noie.gov.au; Netherlands: http://www.cert-ro.nl; United Kingdom: http://www.niscc.gov.uk; International forum for CERTs: http://www.first.org; Canada: http://www.CanCERT.org.ca; Mexico: http://www.MxCERT.mx; Japan: http://www.JpCERT.or.jp; Malaysia: http://www.mycert.org.my; Singapore: http://www.singcert.org.sg; Thailand: http://thaicert.nectec.or.th/; Taiwan: http://www.cert.org.tw. URL addresses

  35. Please provide feedback to: Idris F. Sulaiman. Tel: +62 21 520 1047 Fax: +62 21 521 0311 Email: idris@pegasus.or.id. Websites: Partnership for Economic Growth (PEG) Project: www.pegasus.or.id. Related USAID ICT Projects/Activities: Economic, Law, Institutional & Professional Strengthening (ELIPS) Project: www.elips.or.id; The Asia Foundation, Indonesia: www.tafindo.org; USAID Indonesia: www.usaid.gov/id. Thank You
