About Issues in Building the National Strategy for Cybersecurity in Vietnam

Transcription

1 Vietnam Computer Emergency Response Team - VNCERT About Issues in Building the National Strategy for Cybersecurity in Vietnam Vu Quoc Khanh Director General

2 Outline Internet abundance Security situation National Strategy

3 Fast-growing Internet Usage Million Internet exchange service Providers: 4 Internet access Service providers: 21 Internet Online Service Providers: 19 Year Internet users Population

4 Fast-growing Internet Usage High speed Internet subscribers 600, , , , , , , ,024 52,705 9, Year

5 Some statistics Internet Usage Statistic (12/2006) Number of convert subscribers Internet Users Penetration Ratio % Total Internet bandwidth Total flow volume exchanged by VNIX (IPX) Mbps Gbytes Total number of.vn domains Total number IP addresses issued Number of high speed internet subscribers

6 Trends in near future New technologies: Broadband, Wireless and Wimax, NGN, IP-Phone, Phone, IP-TV TV Convergent services E-Government E-Business, E-commerceE

7 Internet security situation Network security Incidents Attack incidents: virus, web hacking, DoS & Ddos attack, spam Computer crimes: ATM & credit cards thieft, Mobile phone account robbery, Attack to competitive company, Slander Trends: statistics follow the common rule in the developed countries. Network security environment Information Security Services Changes in legal environment

8 Network security incidents Serious reported incidents: 29 Types of serious incidents 7% 17% 14% DDoS Disperse virus Deface website 38% Fraud 24% Phishing

9 Attacks from overseas Total Gov

10 Computer virus booming New viruses appear in 6-11/ New viruses Month

11 Existing legal environment Legislation Electronic Transaction Law had been passed by the National Assembly on 29/11/2005. This Law regulates electronic transactions within government agencies, civil and business activities. Law on Information Technology were promulgated at 9th Session of the National Assembly's Legislature XI on 29 June 2006, became effective from 1st January A series of Decrees for both these Laws is continuing to be promulgated. To prepare some directives on network security. Lask of Laws applicable to cybersecurity Civil Code of Vietnam don t consider practically many types of cybercrimes. Other laws concern cybersecurity only in general, so some additional degrees or regulations for explaining are required.

12 Main Problems Cyberspace and Internet today are full of Threats and Vulnerabilities. Main Problems today are to: Define critical infrastructures. Intensify legislation and update the legal environment. Establish the National Strategy for Cybersecurity. Set up all necessary conditions for implementation of the National Strategy.

13 Information critical infrastructures Example from the US definition Sector Sector-specific agencies 1 Agriculture Department of Agriculture 2 Banking and finance Department of the Treasury 3 Chemicals and hazardous materials Department of Homeland Security 4 Defense industrial base Department of Defense 5 Emergency services Department of Homeland Security 6 Energy Department of Energy 7 Food Department of Agriculture and Department of Health and Human Services 8 Government Department of Homeland Security 9 Information technology and telecommunications Department of Homeland Security 10 Postal and shipping Department of Homeland Security 11 Public health and healthcare Department of Health and Human Services 12 Transportation Department of Homeland Security 13 Drinking water and water treatment systems Environmental Protection Agency

14 Information critical infrastructures in Viet Nam What are criteria to help defining a National critical infrastructure to be critical in cyberspace? What is in Viet Nam? All have to be defined? The answers are open. Sector 1 Banking and finance? 2 Government? 3 Information and telecommunications? 4 Defense? 5 Transportation? 6 Energy? 7 What else?

15 National Strategy for CyberSecurity Viet Nam needs to develop it s s own strategy for cybersecurity. There are many issues concerning the national strategy for cybersecurity need to be discussed for working out it s s frameworks. Strategic Objectives Prevent cyber attacks against national critical infrastructures; Reduce national vulnerability to cyber attacks; Minimize damage and recovery time from cyber attacks.

16 National Strategy for CyberSecurity (2) The Government Role and Public-private partnerships? The industries and private sector are best equipped and structured to respond to an evolving cyber threat. A government role in cybersecurity is warranted in cases: Requiring ensuring the safety of its own cyber infrastructure government essential missions and services high transaction costs or legal barriers lead to significant coordination problems; Operating in the absence of private sector forces; raising awareness.

17 National Strategy for CyberSecurity (3) Government actions are warranted for purposes: forensics and attack attribution, protection of networks and systems critical to national security, indications and warnings, protection against organized attacks capable of inflicting debilitating damage to the economy. Public-private partnerships can usefully confront coordination problems, take a variety of forms and will address awareness, training, technological improvements, vulnerability remediation, and recovery operations. Government activities should also support research and technology development.

18 National Strategy for CyberSecurity (4) Department of CyberSecurity (DCS) The Viet Nam government consider establishing in MIC a department playing role of DCS with important responsibilities in cybersecurity: Developing a comprehensive national plan for securing the critical infrastructure of the country; Providing crisis management for critical information systems; Providing technical assistance to the private sector and other government entities with respect to emergency recovery plans; Coordinating with other agencies of the government to provide warning information and advice about protective measures & countermeasures Performing and Promoting research and development A national center of excellence for cybersecurity and provide a focal point for outreach to government & nongovernmental organizations. A national POC with oversea cyberresponse forces.

19 National Strategy for CyberSecurity (5) Six Critical Priorities for Cybersecurity I. A National Cybersecurity Response System; II. A National Cybersecurity Threat and Vulnerability Reduction Program; III. A National Cybersecurity Awareness and Training Program; IV. Securing Governments Cyberspace; V. National and International Cybersecurity Cooperation. VI: Improving National legal environment and policy for cybersecurity

20 National Strategy for CyberSecurity (6) Priority I: A National Cyberspace Security Response System Needs a partnership between government and industry Major actions for cyberspace security response: 1. Establish a public-private private architecture for responding to national-level level cyber incidents; 2. Provide for the analysis of cyber attacks and vulnerability assessments; a 3. Promote CERT/CSIRT network establishment in the country (the policy, standards, conditions for this CSIRT Network). 4.. Expand the cyber warning and information network to support coordinating crisis management for cybersecurity; 5. Improve national incident management; 6. Coordinate processes for development of national public-private private continuity and contingency plans; 7. Exercise cybersecurity continuity plans for national systems; 8. Improve and enhance public-private private information sharing involving cyber attacks, threats, and vulnerabilities.

21 National Strategy for CyberSecurity (7) Priority II: A National Cybersecurity Threat and Vulnerability Reduction Program Vulnerabilities result from weaknesses in technology and because of improper implementation and oversight of technological products. Major actions to reduce threats and related vulnerabilities: 1. Enhance law enforcement s s capabilities; 2. Create a process for national vulnerability assessments; 3. Apply the secured mechanisms of the Internet and appropriate standards; 4. Foster the use of trusted digital control systems/supervisory control and data acquisition systems; 5. Reduce and remediate software vulnerabilities; 6. Understand infrastructure interdependencies and improve the physical p security; 7. Prioritize cybersecurity research and development agendas; 8. Assess and secure emerging systems.

22 National Strategy for CyberSecurity (8) Priority III: A National Cyberspace Security Awareness and Training Program Major actions and initiatives for awareness, education, and training: 1. Promote a comprehensive national awareness program to empower all organizations, businesses, the general workforce, and the general population - to secure their own parts of cyberspace; 2. Foster adequate training and education programs to support the cybersecurity needs; 3. Promote government and private-sector (Public-private partnerships) support for well-coordinated, widely recognized professional cybersecurity certifications.

23 National Strategy for CyberSecurity (9) Priority IV: Securing Governments Cyberspace Major actions for the securing of governments cyberspace: 1. Continuously assess threats and vulnerabilities to government cyber systems; 2. Authenticate and maintain authorized users of cyber systems; 3. Secure government networks, especially wireless LANs; 4. Improve security in government procurement and outsourcing; 5. Encourage governments to consider establishing information technology security programs and participate in information sharing and analysis centers with governments- partners.

24 National Strategy for CyberSecurity (10) Priority V: National and International Cybersecurity Cooperation Major actions to strengthen the national and international cooperation: 1. Strengthen cyber-related related counterintelligence efforts; 2. Improve capabilities for attack attribution and response; 3. Improve coordination for responding to cyber attacks within the t national security community; 4. Facilitate dialogue and partnerships among international public and private sectors focused on protecting information infrastructures and promoting a culture of security ; 5. Foster the establishment of national watch-and and-warning networks and international information sharing 6. Encourage international drills, conference, workshop

25 National Strategy for CyberSecurity (11) Priority VI: Improving National legal environment and policy for cybersecurity Major actions to improve the national legal environment and policy for securing cyberspace: 1. Ensure the laws and procedures are comprehensive. - Update or approve new laws with respect to cybersecurity (especially in Civil Codes) - Intensify legislation process by promulgating new acts and degrees ees concretizing existing laws. 2. Promote application of well-nationally nationally-coordinated cybersecurity policies widely among all organizations and businesses in country. 3. Strengthen S standardization process Intensify information security standard building (firstly, apply the general ISO standards as important as standards about Information security management system and Information security management implementation)

26 Thank You for attention! Vietnam Computer Emergency Response Team 18 Nguyen Du, Hanoi Vietnam Phone: Fax : vncert@mpt.gov.vn, office@vncert.vn