ITU Workshop on “ICT Security Standardizationfor Developing Countries” Critical Information Infrastructure ProtectionACommonwealth Perspective Geneva, Switzerland 15-16th September 2014 Dr Martin Koyabe Head of Research & Consultancy Commonwealth Telecommunications Organization (CTO) E-mail: firstname.lastname@example.org
Understanding CIIP General definition • Critical Resources • Interdependencies • Critical Infrastructure • Critical Information Infrastructure
Critical Resources Energy Forests Water Defined by some national governments to include:- • Natural & environmental resources (water, energy, forests etc) • National monuments & icons, recognized nationally & internationally
Critical Infrastructure (1/3) Power Grid Roads Airports Defined by some national governments to include:- • Nation’s public works, e.g. bridges, roads, airports, dams etc • Increasingly includes telecommunications, in particular major national and international switches and connections
Critical Infrastructure (2/3) “ an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.” Source: European Union (EU) “ the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Source: US Homeland Security “ the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.” Source: UK Centre for the Protection of National Infrastructure (CPNI)
Critical Infrastructure (3/3) “ those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.” Source: The Australian, State & Territory Government “ processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and Significant harm to public confidence. Source: Government of Canada “those facilities, systems, orfunctions, whoseincapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation” Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
Critical Infrastructure Sub-Sectors e.g. Germany has technical basic & social-economic services infrastructure
What about the 53 commonwealth member countries? Do they have a national critical infrastructure initiative or strategy?
Critical Information Infrastructure (1/2) CII definition:- “ Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.” Rueschlikon Conference on Information Policy Report, 2005
Critical Information Infrastructure (2/2) Critical Information Infrastructure Cross-cutting ICT interdependencies among all sectors Energy Transportation Telecoms Critical Infrastructures Non-essential IT Systems Finance/Banking Government Services Essential IT Systems Cyber security Practices and procedures that enable the secure use and operation of cyber tools and technologies Large Enterprises End-users
Critical Information Infrastructure Protection (CIIP) • Widespread use of Internet has transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity. • ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks. • ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
Critical Information Infrastructure Protection (CIIP) • Today Critical Information Infrastructure Protection (CIIP) • Focuses on protection of IT systems and assets • Telecoms, computers/software, Internet, interconnections & networks services • Ensures Confidentiality, Integrity and Availability • Required 27/4 (365 days) • Part of the daily modern economy and the existence of any country Power Grid Water Supply National Defence Telecom Network National Defence Public Health Law Enforcement
CII Attack Scenarios Health Services Cloud Services Telecoms Finance/Banking eGovernment Natural disaster, power outage, or hardware failure Resource exhaustion (due to DDoS attack) Cyber attack (due to a software flaw) Critical Information Infrastructure (CII) Cross-cutting ICT interdependencies among all sectors
Future CII Attack Vectors • Expanding Infrastructures • Fiber optic connectivity • TEAMS/SEACOM/EASSy/LION/ACE • Mobile phones • Mobile/Wireless Networks • Asia-Pacific – accounts for 55% of ALL mobile phones in the world (2.2 billion) • SIM card fraud • Existence of failed states • Cyber warfare platforms • Doesn’t need troops or military hardware • Social Networks • “Gold mine” for social engineering • Hactivism creates fear, uncertainty & doubt • Cloud Computing • Increased dependency • Attacks on cloud services have high impact
Desired global trends towards CIIP • Increased awareness for CIIP & cyber security • Countries aware that risks to CIIP need to be managed • Whether at National, Regional or International level • Cyber security & CIIP becoming essential tools • For supporting national security & social-economic well-being • At national level • Increased need to share responsibilities & co-ordination • Among stakeholders in prevention, preparation, response & recovery • At regional & international level • Increased need for co-operation & co-ordination with partners • In order to formulate and implement effective CIIP frameworks
Challenges for developing countries #1: Cost and lack of (limited) financial investment • Funds required to establish a CIIP strategic framework can be a hindrance • Limited human & institutional resources Source: GDP listed by IMF (2013)
Challenges for developing countries Emergency care (Police, Firefighters, Ambulances) Public Transport eGovernment #2: Technical complexity in deploying CIIP • Need to understand dependencies & interdependencies • Especially vulnerabilities & how they cascade Public eComms Banks & Trading Online services, cloud computing Public Administration Emergency Calls Telco sites, switch areas, interconnections Private Datacenters Public Datacenters Regional Power Supply Private D2D links Powerplants Regional Power Grid Regional network, cables, wires, trunks (90%) 30 days outages are disastrous (99%) 3 days outages are disastrous (99.9%) 8 hr outages are disastrous
Challenges for developing countries #3: Identify & prioritize critical functions • Understand the critical functions, infrastructure elements, and key resources necessary for • Delivering essential services • Maintaining the orderly operations if the economy • Ensure public safety. Interdependencies Understand requirements & complexity
Challenges for developing countries #4: Need for Cybersecurity education & culture re-think • Create awareness on importance of Cybersecurity & CIIP • By sharing information on what works & successful best practices • Creating a Cybersecurity culture can promote trust & confidence • It will stimulate secure usage, ensure protection of data and privacy
Challenges for developing countries #5: Lack of relevant CII strategies, policies & legal framework • Needs Cybercrime legislation & enforcement mechanisms • Setup policies to encourage co-operation among stakeholders • Especially through Public-Private-Partnerships (PPP) #6: Lack of information sharing & knowledge transfer • It is important at ALL levels National, Regional & International • Necessary for developing trust relationships among stakeholders • Including CERT teams
Why a Commonwealth Model • Contrasting views emerging across the world on governing the Cyberspace • Harmonisation is critical to facilitate the growth and to realise the full potentials of Cyberspace • Commonwealth family subscribes to common values and principles which are equally well applicable to Cyberspace • CTO is the Commonwealth agency mandated in ICTs • The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9th Oct 2013) • Wide consultations with stakeholders • Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th March 2014 in London
Objectives The Cybergovernance Model aims to guide Commonwealth members in:- • Developing policies, legislation and regulations • Planning and implementing practical technical measures • Fostering cross-border collaboration • Building capacity
Commonwealth Values in Cyberspace • Based on Commonwealth Charter of March 2013 • Democracy, human rights and rule of law • The Charter expressed the commitment of member states to • The development of free and democratic societies • The promotion of peace and prosperity to improve the lives of all peoples • Acknowledging the role of civil society in supporting Commonwealth activities • Cyberspace today and tomorrow should respect and reflect the Commonwealth Values • This has led to defining Commonwealth principles for use of Cyberspace
Commonwealth Principle for use of Cyberspace Principle 1: We contribute to a safe and an effective global Cyberspace • as a partnership between public and private sectors, civil society and users, a collective creation; • with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace; • where investment in the Cyberspace is encouraged and rewarded; • by providing sufficient neutrality of the network as a provider of information services; • by offering stability in the provision of reliable and resilient information services; • by having standardisation to achieve global interoperability; • by enabling all to participate with equal opportunity of universal access; • as an open, distributed, interconnected internet; • providing an environment that is safe for its users, particularly the young and vulnerable; • made available to users at an affordable price.
Commonwealth Principle for use of Cyberspace Principle 2: Our actions in Cyberspace support broader economic and social development • by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge; • respecting cultural and linguistic diversity without the imposition of beliefs; • promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system; • allowing free association and interaction between individuals across borders; • supporting and enhancing digital literacy; • providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government; • enabling and promoting multi-stakeholder partnerships; • facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.
Commonwealth Principle for use of Cyberspace Principle 3: We act individually and collectively to tackle cybercrime • nations, organisations and society work together to foster respect for the law; • to develop relevant and proportionate laws to tackle Cybercrime effectively; • to protect our critical national and shared infrastructures; • meeting internationally-recognised standards and good practice to deliver security; • with effective government structures working collaboratively within and between states; • with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.
Commonwealth Principle for use of Cyberspace Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace • we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth; • individuals, organisations and nations are empowered through their access to knowledge; • users benefit from the fruits of their labours; intellectual property is protected accordingly; • users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it; • responsible behaviour demands users all meet minimum Cyberhygiene requirements; • we protect the vulnerable in society in their use of Cyberspace; • we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability.
Development of a Nation Cybersecurity Strategy • Need support from highest levels of government • Adopt a multi-stakeholder partnership (private sector, public sector & civil society) • Draw on the expertise of the International Community • Appoint a lead organisation or institution • Be realistic and sympathetic to the commercial consideration of the private sector • Add mechanisms to monitor & validate implementation
Main elements of a Cybersecurity Strategy • Introduction and background • Guiding principles • Vision and strategic goals • Specific objectives • Stakeholders • Strategy implementation
Introduction & Background • Focuses on the broad context • Sets the importance of Cybersecurity to national development • Assess current state of Cybersecurity and challenges
Guiding Principles (1/2) • Based on Commonwealth Cybergovernanceprinciples • Balance security goals &privacy/protection of civil liberties • Risk-based (threats, vulnerabilities, and consequences) • Outcome-focused (rather than the means to achieve it) • Prioritised (graduated approach focusing on critical issues) • Practicable (optimise for the largest possible group) • Globally relevant (harmonised with international standards)
Visions & Strategic Goals • Promote economic development • Provide national leadership • Tackle cybercrime • Strengthen the critical infrastructure • Raise and maintain awareness • Achieve shared responsibility • Defend the value of Human Rights • Develop national and international partnerships
Specific Objectives • Provide a national governance framework for securing Cyberspace • Enhance the nation’s preparedness to respond to the challenges of Cyberspace • Strengthening Cyberspace and national critical infrastructure • Securing national ICT systems to attract international businesses • Building a secure, resilient and reliable Cyberspace • Building relevant national and international partnerships and putting effective political-strategic measures in place to promote Cyber safety • Developing a culture of Cybersecurity awareness among citizens • Promoting a culture of “self protection” among businesses and citizens • Creating a secure Cyber environment for protection of businesses and individuals • Building skills and capabilities needed to address Cybercrime • Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence
Stakeholders Government Shared Private
Strategy Implementation • Governance and management structure • Legal and regulatory framework • Capacity Development • Awareness and outreach programmes • Incident response • Incentivize commercial competitors to cooperate • Create national CERTs (include sector based CERTs) • Stakeholder collaboration • Research and Development • Monitoring and evaluation
What Next? Upcoming CIIP Workshops CTO CIIP Workshops Colombo, Sri Lanka/Dhaka, Bangladesh Aug-Sep 2014 Accra, Ghana Jan-Feb 2015 Successfully completed Port Vila, Vanuatu Sep-Oct 2014 Scheduled to take place Nairobi, Kenya Nov 2014 To be confirmed
Q & A Session Further Information Contact: Dr Martin Koyabe Email: email@example.com Tel: +44 (0) 208 600 3815 (Off) +44 (0) 791 871 2490 (Mob)