Cyber Security Roadmap

Transcription

1 Cyber Security Roadmap The Hague, 25 May 2011

2 Security: Developing a Secure Cyberspace Protecting the 5 th Domain As with land, sea, air and space, a safe Cyberspace is crucial for our societies. Different Threats, Different Response Cyber criminals have differing motivations including protest, crime, espionage or terrorism. Non-Traditional Issues Affects our Economics, Politics, Psychology & Technology. National & Economic Security Response requires international coordination, across industries and geographies. Cyber Global Commons Need global dialogue resulting in an international roadmap for Cyber. Roadmap Actionable solutions for key Cyber issues by

3 What is Cyber, what is Cybersecurity? Cyber is: All around us Effecting virtually all Transport, finance, medical, healthcare, government, justice, law & order, media, education, military, energy, industry, culture etc. Cybersecurity is about: Global Network Threats National Security Economic Security 3

4 The New Cyber Landscape National & Economic Security Cyber Threats next STUXNET? Cyber Opportunities 4

5 The scale of Cyberspace is vast and growing exponentially In 2008: 1.2 billion laptops and 3 billion people connected to the Internet 2 trillion texts are sent per day worldwide 247 billion s are sent per day (90% spam) By 2013 the Internet will be 4X larger than in 2009 Mobile data traffic will increase 66X By 2015, we expect 15 billion devices to be connected to the Internet The U.S. is the 3 rd largest country globally with a population of 310 million people Facebook has more than 500 million active users Currently, the most popular vector for attacking users is through social networking sites Average un-patched computer survival time on the internet: 4 minutes 5

6 Key Cyber Issues Cyberspace is borderless, enforcement not Some governments approach Cyberspace as a sovereign issue, leading to global fragmentation Anonymity makes attribution difficult Shortage of multi-skilled Cyber individuals creates a discrepancy between threat and response capability Legislation does not keep pace with technology change The seams or handoffs between networks or organizations are vulnerable targets Systemic underreporting and need for metrics Asymmetric problem that make centralized response challenging massive attacks able to be launched from the desktop Human behavior consistently being exploited to defeat technology-centric approach to Cyber defense Lack of awareness of the global scale of security problem 6

7 Secure Cyber Environment: What is it? everyone can live and work online with confidence and safety Networks seen as safe and reputable Intellectual property of businesses, universities and other institutions, which underpins a knowledge economy, are better protected Citizens have greater confidence in public service transactions Source: UK s Digital Britain Report... a secure, resilient and trusted electronic operating environment Citizens are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online. Businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers. Government ensures its information and communications technologies are secure and resilient. Source: Australian Government s cyber security policy The risk-return tradeoff for cybercrime needs to be made unfavorable 7

8 Fast Forward To 2020: We did it! How did we get there, what did we do between now and 2020? Questions: Governance How did we agree on a global coordinated approach and improve cooperation and networks? How did we agree on Cyber Treaties? Legal How did we address Cyber safe-havens (criminal, terror, etc)? What did we do to have international bodies coordinate the necessary steps (EU, UN, Europol, Interpol)? Technical How did we agree on technical standards? Resources How did we train enough Cyber Professionals? Awareness How did we create a self-financing public-private ecosystem that works? How did we restore confidence in cyberspace? 8

9 Cyber Stakeholders: five levels Current debate is not coordinated and focused on the middle three levels Type Example United Nations G 20 WTO UN Article 41 & 42 ITU / ICANN / ISO / FIRST Global Regional NATO European Union National Security Strategies NATO Article 5 US Partner discussions National Organizational Individual Central government Agencies GovCert s Military organizations Healthcare organizations Financial institutions Citizens Employees Consumers Nation specific CERT s China Internet Network Information Center (CNNIC) US CYBERCOMMAND Australian Internet Security Initiative Software developers Hardware developers Social media 9

10 Capabilities and attributes Global Cyber Maturity Curve: Collective action and milestones Attention areas Governance Legal Technical Resources Awareness Coordination between global response centers for coordinated response, exercises and predictive research Global workshops on cyber policy, economics and technology National awareness program to educate individuals from childhood and onward Legal reviews of country laws & regulations to determine common principles Leverage existing global bodies for cyber agenda setting Designation of critical infrastructure, cyber security coordinator and national protection plans Global law enforcement and intelligence cooperation to interdict cyber criminal safe havens Certification of resilient systems defined for key global infrastructure International protocol for pre-coordinated response across industry / geography for cyber security incidents Member states implementation of national cyber security strategy Global construct for anonymity and attribution are defined, harmonized and implemented Enhanced standards and guidelines for built-in security, including consumer products Specialized cyber offices and liaisons established at key international institutions Normalized reporting processes on cyber attacks and consequences across public and private sectors Global cyber fusion center(s) share data across commercial, government and law enforcement to support predictive analytics and response Specialized governing body established to act as a coordinating authority on international cyber security Supranational legal structure in place to enforce cyber security (by-) laws International cyber tribunal established Self-financing ecosystem created to enhance publicprivate information sharing and cooperation Military forces operate in accordance to defined cyber laws for deterrence and response Standardized education and specialized credentialing in place for cyber security specialists and workers International-accepted framework for normative action in cyber space and protocol for harmonized security and privacy Level 3 Level 4 Level Protecting cyberspace Many governments understand that protecting cyberspace is critical to the economic and national security of their countries. But unlike other domains of global relations, few rules govern interactions in cyberspace. Fast forward to 2020: A secure cyber environment Imagine that, by the year 2020, we are operating in a secure cyber environment where the challenges we are experiencing today have been addressed. How did we get here? What did we do between 2010 and 2020? This global cyber framework seeks to address some of these questions by proposing a maturity curve model as a guide for the international community to work together better to solve cyber security issues such as addressing gaps in international law for pursuing criminals across borders, sharing information, and collaborating on incident response. The framework describes some of the steps that we believe may need to happen to develop a more secure cyberspace by 2020, addressing key areas like the following. Governance Governance for cyberspace includes global rules, treaties and protocols, similar to those in place for national defense, trade, and human rights. Legal Much cyber crime is transnational, and fighting it may require an international legal framework. Technical The rapid introduction of new technologies and increasing interdependencies across technologies, networks and applications underscores the need for tightening security for new technologies and establishing worldwide standards for security. Many organizations (commercial and government) may disagree. Resources The technology and managerial expertise of the workforce including specialists who can address diverse issues including legal, intellectual property, and diplomatic challenges and the pipeline of potential new talent will need to be increased, particularly with highly technical skill sets. In addition, information sharing and research and development resources will need to be put into place and funded. Awareness Cyber security cannot be achieved through technology alone; it requires a cultural understanding and a widespread willingness to demonstrate secure behaviors consistently. Governance Legal Technical Resources Awareness Global & Regional Organizatio ns Establish a coordinating agency Develop an international policy framework Coordinate international approach and efforts on deterrence and incident response Define global and regional responsibilities and alignment Formulate a structure to enforce cyber laws Define normative action in cyberspace Establish proactive and preemptive cyber practices and protocols Address the privacy issues associated with attribution Develop and establish technical standards and guidelines for secure products Form public-private partnerships Address the technical issues associated with attribution Set qualification standards for cyber security professionals Make funding arrangements Stimulate exchange of information Build commitment Promote development of capacities Sponsor cyber security programs National Governmen ts Private sector & Appoint a national coordinator and prepare a strategy Incent (critical) industry security Enforce information sharing on incidents Establish consultative structure to agree on sector/industry standards Reexamine statutes governing investigations Designate a privacy and liberties official Create legal standards for securing critical cyber infrastructure Sector/industry agrees on legal standards for services and products Improve market incentives for secure and resilient hardware and software products Establish standard certification metrics Sector/industry agree on security standards for cyber security products Incorporate education programs from early education on to expand and train workforce Expand on research and development programs Conduct initiatives to attract people to cyber security as a career Participate in national initiatives Initiate public awareness and education program for children, adults, elderly, and others Initiate national helpdesk for companies Stimulate research and development Stimulate industries to educate the workforce, particularly in critical sectors

11 Key governance recommendations for a Cyber secure world Awareness Governance Resources Legal Global / Establish a coordinating agency (World Cyber Organization?) Develop international policy framework Coordinate international approach and efforts on deterrence and incident response Define global and regional responsibilities and alignment Level 4 Level 5 Level 5 Technology Regional National Appoint a national coordinator and prepare a strategy Incent (critical) industry security Enforce information sharing on incidents Level 3 Organizational Establish consultative structure to agree on sector / industry standards Level 4 Individual

12 Key legal recommendations for a Cyber secure world Awareness Governance Resources Legal Formulate a structure to enforce Cyber laws Technology Define normative behavior in Cyberspace Level 4 Global / Regional Establish proactive and preemptive cyber practices and protocols Address the privacy issues associated with attribution Level 3 Reexamine statutes governing investigations National Designate a privacy and liberties official Create legal standards for securing critical Cyber infrastructure Level 3 Organizational Sector / Industry agrees on legal standards for services / product Level 4 Individual

13 Key technical recommendations for a Cyber secure world Awareness Governance Resources Legal Global / Regional National Organizational Develop and establish technical standards and guidelines for secure products Form public-private partnerships Address the technical issues associated with attribution Improve market incentives for secure and resilient hardware and software products Establish standard certification metrics Sector / industry agree on security standards for cyber security products ISPs play active role in solving spam and botnet issues Coordinate security around seams and handoffs Technology Individual

14 Key resource recommendations for a Cyber secure world Awareness Governance Resources Legal Global / Regional Set qualification standards for cyber security professionals Make finance arrangements Stimulate exchange of information Level 3 Technology National Incorporate education programs to expand and train workforce Expand on research and development programs Organizational Participate in national initiatives Retool existing workforce Individual

15 Key awareness recommendations for a Cyber secure world Awareness Governance Resources Legal Build commitment Promote development of capacities Technology Global / Regional Sponsor cyber security programs Level 3 Initiate public awareness and education program for children, adults, elderly, etc. National Initiate national helpdesk for companies Stimulate research and development Organizational Stimulate industries to educate the workforce, particularly critical sectors Individual Know the rules of the road

16 A holistic approach is required to address the cybersecurity challenges Governance Mission Mission Support Strategy & Planning Compliance Judicial Acquisition Enterprise Risk Management Ethics Legislative Assets Operational Planning Intragovernment Coordination Program / PMO Finance Performance Management Laws & Regulations Programs & Services Human Resources Strategy, Policy & Planning Reporting Programs & Services Development Information Technology Public Relations & Communications 16

17