Challenges in Developing National Cyber Security Policy Frameworks

Transcription

1 Challenges in Developing National Cyber Security Policy Frameworks Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection William McCrum Deputy Director General Telecom Engineering Industry Canada 28 August

2 Millions of users A global information society Growth of the information society Main Telephone Lines Internet Users Mobile Subscribers emerging Sources: ITU, 2006, Internet World Statistics, January 11, 2007 Notes: Internet Users data (ITU), 2006 estimate (Internet World Statistics) 2

3 ICTs at the centre the global information society Power/ Electricity Retail / Service Industries Banking and Finance National Defence Biotech / Life Sciences Automotive and Manufacturing Water/Sewage Information and Communication Technologies (ICTs) Healthcare Education Transportation Air Traffic Control Home / Work Oil and Gas Public Safety / Law Enforcement Information and and Communication Technologies (ICTs) power the the global information society 3

4 Critical infrastructures dependent on ICT infrastructure Retail Finance Mfg. Transport Energy Public Safety ICT Infrastructure Trust and and confidence demands strict protection of of critical information by by means of of secure access, distribution, and and transmission 4

5 We are moving to an XoIP world Top-down: What the network thinks you want, when they think you want it and in the format they want TV content on cable or over the air Radio show on radio Books in the bookstore or library Snail mail rain or shine Voice by monopoly phone provider Choice: What you want, when you want it, from anywhere All content and services available online Choice of receptors: computers, cell-phones, blackberry, ipods October 12, 2005 First TV network show available for download through itunes 45 million downloads to date (as of Sept 2006, USA only) Consumer pull and and freedom of of choice --rather than than technology push 5

6 where everyone and everything is connected Internet Things Ecosystem of the Internet of Things Source: ITU, 2005 Smart tech Human Body Wireless sensors 2G mobile 3G+ mobile Human Being Satellite RFID Nanotech xdsl WiMAN WiLAN Cable A world of of inter-connected devices and and objects 6

7 The wireless revolution is here Wireless technologies and and the the mobile Internet is is revolutionizing communications globally 7

8 ICT infrastructure in transition Past Future PSTN VoIP CATV Internet Broadband VoD WWW, Corporate Intranets Converged IP Network Wireless & Satellite CDMA, GSM Convergence leads to to network complexity; the the network becomes inherently less less secure 8

9 Trust and confidence in ICT infrastructure Privacy and online security concerns Privacy and security fears discouraging e-commerce in Canada Users changing their online behaviour due to security concerns Consumers losing trust in online banking Online threats continue to evolve Spam is clogging the networks and increasing costs Spyware, adware and zombies Identity theft and cybercrime fraud, e-commerce attacks and extortion Malicious attacks on networks Virus, worms, denial of service attacks, malware Maintaining trust trust and and confidence in in the the ICT ICT infrastructure is is a challenge 9

10 Changing security environment Natural Disasters Malware Vulnerabilities Identity Theft Phishing Worms / Viruses Pandemics Terrorism ICT Infrastructure BotNets Spam Privacy Accidental Sophistication Social Interdependencies Outcome Communications Economic Manmade Magnitude Trust & Confidence Exacerbating Factors National Security 10

11 New breed of cyber attackers Disorganized attacker Challenge/pride motivated Individuals or small groups Hacks (e.g., DoS, disruptions, defacements) Cyber criminals Profit motivated Extend fraud/theft activities White collar crime Cyber-extortion Jurisdictional arbitrage Money-laundering New New breed of of cyber attackers with with different motivations 11

12 More sophisticated threats Evolving trojans Morphing trojans Targeted trojans More sophisticated botnets Evolving spam Wireless messaging spam Image spam Number of new TrojWare programs Jan 2003-Nov 2006 (Kaspersky Lab) Detecting threats/attacks and and mitigating their their impacts presents many challenges, particularly where multiple files, files, processes and and registry components are are involved 12

13 New vulnerabilities Percentage Vulnerability Trends Year XSS sql-inject php-include buf dot Over last 5 years, 75% of exploited vulnerabilities were in web application and clients Vulnerabilities that could be exploited remotely topped 88% in 2006 Vulnerability exploits have shifted away from from networks and and operating systems towards web web applications and and clients 13

14 Challenges in securing the ICT infrastructure Increased service and device complexity More services, new means of service delivery Overlap between fixed and mobile services; Overlap between telecommunications, broadcasting and Internet domains Complex interconnections needed between distributed intelligent devices Multi-vendor product interoperability New competitors and more complex relationships between competitors Globalization impacts and pressures Global mobility Internet governance National security and public safety concerns and its impact in international setting Maintaining trust and confidence in changing security environment New threats and vulnerabilities such as malware, viruses, spam, spit, spim, phishing, spoofing, denial of service cyber-terrorism, fraud The The most important issue is is to to assure the the cyber security of of the the ICT ICT infrastructure 14

15 Stakeholders Public Policy Regulation Government establishes public policy and sets regulation to safeguard ICT infrastructures Users (both enterprises and individuals) implement policies to secure their portion of the ICT infrastructure User Application / Content Providers Service Provider Vendors Network Provider Application and content providers deliver tools and products to end users to help safeguard the ICT infrastructure Service and network providers typically own the bulk of the ICT infrastructure assets and take steps to secure and safeguard the network Vendors build tools and products to help secure the ICT infrastructure Continual dialogue between all all stakeholders required to to secure ICT ICT infrastructure 15

16 Access and adoption National cyber security policy frameworks Encourage all stakeholders to use and deploy secure ICT infrastructure Marketplace and business environments Improve marketplace and promote business environments that foster secure ICT infrastructures Innovation Enable innovation to improve the security of the ICT infrastructures Key Key elements of of national cyber security frameworks address the the challenges of of securing critical infrastructures 16

17 Access and adoption Provide incentives for secure access infrastructure to be developed and deployed Provide computer support and training Helps users to take advantage of emerging opportunities in the new global knowledgebased economy Promote e-commerce and electronic access to government services Secure universal access is is a bridge to to economic and and social inclusion 17

18 Access and adoption Other policy framework elements Protect users and safeguard the ICT infrastructure Establish national Cyber Security Emergency Response Team (CERT) Establish cyber security best practices for all application, service and network providers Adopt guidelines for securing ICT infrastructures Promote cyber security information sharing between stakeholders Organize round table exchanges and communities of interest Raise awareness of cyber risks and cyber security protection strategies Develop advertising campaigns that alert users to risk and mitigation Establish hotlines for users to deal with cyber security threats, attacks, fraud National policies help help protect both both users and and the the ICT ICT infrastructure 18

19 Security awareness education essential for all And And still still Social Engineering is is a major challenge for for all all 19

20 Marketplace and business environment Improve marketplace environment for secure ICT infrastructures Develop expertise to analyse policy and regulatory impacts of new competitive environments, new service offerings, and new spectrum needs Establish government procurement policies that promote secure ICT infrastructures Consider regulatory requirements for minimum cyber security levels Evaluate use of Common Criteria standards Promote secure ICT infrastructure business environment Encourage ICT infrastructure security standards development Global standards have key key role role in in securing ICT ICT infrastructure 20

21 Importance of standards development In an increasingly open free-market economy, the role of standards become key Accelerate adoption of new technology Ensure interoperability between competing platforms and technology Link supply chains Increase market efficiency Facilitate regulatory compliance Examples ITU-T Study group 17 is lead Study Group on telecommunications security International standard (ISO/IEC 15408) sets a framework for specification and evaluation of security requirements Security standardization objectives: responsive, efficient, productive, inclusive 21

22 Example national cyber security policy frameworks Canada (National Security Policy, 2004) United Kingdom (Protecting our Information Systems, 2003) US (National Strategy to Secure Cyber Space, 2003) Common element: focus on on discrete cyber security initiatives Australia (E-Security National Agenda, 2001) 22

23 Summary Critical infrastructures are dependent on a secure ICT infrastructure The ICT infrastructure itself is evolving into a converged network, leading to challenges of interoperability and security An ever changing security environment makes it difficult to maintain users trust and confidence in critical infrastructures Continual dialogue between all stakeholders users, provider, vendors, governments is required to meet these challenges National cyber security policy frameworks contain elements that Encourage access and adoption of secure ICT assets Improve marketplace and promote business environments that help secure ICT infrastructures Enable innovation to improve the security of the ICT infrastructures International collaboration and and sharing of of national cyber security frameworks help help strengthen global ICT ICT infrastructure 23

24 Contact Bill McCrum Telecommunications Engineering and Certification Industry Canada