Rohana Palliyaguru Director -Operations Sri Lanka CERT CC APCERT AGM and Conference, 24 th October 2018 Shanghai, China MINISTRY OF TELECOMMUNICATION

Transcription

1 Rohana Palliyaguru Director -Operations Sri Lanka CERT CC APCERT AGM and Conference, 24 th October 2018 Shanghai, China SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

2 Agenda o About Sri Lanka ostatistics on ICT readiness and Cyber Security Landscape o Approach for the development of the strategy othrust Areas of our Strategy and our plan SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

3 About Sri Lanka Population: 21 Million

4 ICT Readiness Computer Ownership 23.5% Urban: 39.9% Rural: 21% Estate: 5.1% Broadband Subscriptions Fixed 2.65 % Wireless 7.8 % Telephone Subscriptions Fixed 12.49% Mobile 103.1% Internet usage 21.3% usage 11% Devices use to Connect to Internet Desktop or Laptops 38.1% Smart Phones 56.9% Tablets 2.1% Mobile Phones 2.9% a. Computer Literacy 28.3% (A person could use computer by own) (Urban 41.1%, Rural 26.5%, Estate 9.5%) b. Digital Literacy 38.7% (A person use computer, laptop, tablet or smartphone by own) (Urban 54.5%, Rural 36.4%, Estate 16.4%)

5 Initiating Maturing Leading Cyber Security Landscape Evaluation Dimensions of GCI (As at 2017) 6 LEGAL: We are Initiating Legal dimension assessed with reference to the existence of legislation on cybercrime and cybersecurity, and legal training. TECHNICAL: We are Maturing Assessed with reference to the existence of technical institutions and frameworks for dealing with cybersecurity related issues. CAPACITY BUILDING: We are Maturing Measured based on the existence of research and development, education and training programs, certified professionals and public sector agencies fostering capacity building COOPERATION: We are Initiating Measured based on the existence of partnerships, cooperative frameworks and information sharing networks ORGANIZATIONAL: We are Maturing Assessed based on the existence of institutions for policy formulation and coordination, and strategies for cybersecurity development at the national level SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

6 Incidents Reported Incidents Types Phishing Abuse/Privacy Violation Scams Malicious Software/ Ransomware Financial Frauds Compromise of Websites Compromise of s IP Violation Unauthorized Access DoS/ DDoS SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

7 Social Media Related Incidents Social Media Related Incidents Reported fake social media accounts 785 hacking social media accounts 400 photo abuse threatening 53 involving misuse of phone numbers 17 pornographic videos 7 copyright violations Other SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

8 Approach for the Development of the Strategy Cabinet approval Public Consultation Launch the Strategy Literature Review Develop the Strategy (Draft) o Reviewed about 20 different strategies including Singapore, Australia, UK, India, Estonia, Malaysia o o ICT and Cyber Security Readiness in Sri Lanka Maturity of the Information Systems Stakeholder meetings ISPs, Academia, Critical Infrastructure, Law Enforcement Authorities, Ministries & Departments SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

9 Establishment of Governance Framework Establishment of a governance framework to implement national information and cyber security strategy. Our Strategy Enactment and Establishment of Legislation, Policies and Standards Formulation of legislation, policies, and standards to create a regulatory environment to protect individuals and organizations in the cyber space. Public-Private, Local- International Partnerships Establishment of Governance Framework Vision Legislations, Policies and Standards Resilient Digital Government and Infrastructure Work with public authorities to ensure that the digital government systems implement and operate by the them have the appropriate level of cyber security and resilience. Development of Competent Workforce Development of a skilled and competent workforce to meet future demands. Awareness and Empowerment of Citizens Resilient Digital Government and Infrastructure Raising Awareness and Empowerment of Citizens Make our citizens more competent in protecting their identity, privacy and economic assets in the cyber space. Competent Workforce Development of Public-Private, Local-International Partnerships Development of public-private, local-international partnerships to create a robust cybersecurity ecosystem. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

10 Thrust # 1 Establishment of the Governance Framework o Sri Lanka CERT was established as the National Center for Cyber Security in Sri Lanka in o It was mandated to protect the Sri Lanka's information infrastructure, and to take protective measures and respond to information and cyber security attacks in Sri Lanka. o Sri Lanka CERT was established under the ICTA, and now comes under the purview of the MTDI. o As the complexity of the cyber security ecosystem increases, the government of Sri Lanka recognizes the importance of introducing a national cyber security strategy to cope with emerging threats. o National Information and Cyber Security Agency is proposed. o The Agency shall be responsible for overseeing the implementation of the cyber security strategy SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

11 Cyber Security Experts for Government National Cyber Security Agency Sectoral CERTS Our strategy is to establish a powerful agency which oversees the overall implementation of the information and cyber security strategy of Sri Lanka, and to establish specialized subordinate agencies for effectively battling emerging cyber threats Forencis Labs Research Centre Establishment of the Governance Framework 24 x 7 Cyber Security Call Center National Certificate Authority National Security Operating Center SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

12 Our plan 1.1. Establishment of the National Information and Cyber Security Agency of Sri Lanka (NICSA): Agency will be established as the apex institution for all cyber security related affairs in Sri Lanka. Agency Shall, o Function as the command and control body to promote this strategy and play a leading role in implementing cyber security initiatives set forth in this strategy. o The Head of the Agency shall represent the National Security Council of Sri Lanka. o Provide technical support for law enforcement agencies in conducting digital forensic investigations. o Build the capacity of sectoral CERTs and coordinate with sectoral CERTs for sharing incident information. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

13 1.2. Institutions Under the NICSA o Set up a 24 X 7 Cyber Security Call Center with a focus on assisting citizens, government organizations, and private firms to respond to cyber security incidents. o Set up a National Cyber Security Alert System with the involvement of ISPs and Telcos to deliver targeted, timely, and actionable information to Sri Lankans. o Establish a Digital Forensic Lab to conduct digital forensic investigations and in the areas of computer forensics, mobile forensics, audio and video forensics. examinations o Establish the National Cyber Security Operating Centre (NCSOC) for monitoring threats to digital government applications, critical information infrastructure, and critical systems of private firms. o Establish the National Certification Authority (NCA) by addressing the limitations of the existing certificate authorities. o Establish a Research Unit for developing, coordinating and stimulating continuous research activities in the fields of Strategic Policy Research, Information Security Research, Cyber Security and Technology related research. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

14 1.3. Information Security Officers and Chief Information Security Officer We will appoint Information Security Officers for all layers of government organizations. We will work with the Public Service Commission to establish a Chief Information Security Officer position for government. We will empower Chief Innovation Officers (CIOs) with appropriate skills and knowledge on cyber security. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

15 Thrust # 2 Legislation, Policies, and Standards o To battle cybercrimes, it is necessary to have appropriate legislation, policies, and standards. o Sri Lanka has taken a number of steps in this regard. They are, o Legislations: Computer Crimes Act No 24 of 2007, Electronic Transactions Act No. 19 of 2006, Payment Devices Frauds Act No 30 of 2006, and Intellectual Property Rights Acts. o Sri Lanka ratified the Budapest Convention on Cybercrime in 2015 and became the first country in South Asia to join this convention. o Government security policy o Gaps in the existing policies and laws will be identified, and new legislation, policies, and standards will be drafted and implemented. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

16 Cyber Security Act Our strategy is to create an appropriate regulatory framework for securing individuals and organizations in the cyberspace and for strengthen prosecution support for modern cyber offences through the introduction of relevant legislation, policies and standards Data Sharing Policy Legislation, Policies and Standards Data Protection Act Security Policy for Oragnizations SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

17 Our plan 2.1. Introduce a New Cyber Security Act Government will introduce a new cybersecurity Act for the establishment of the NICSA and give necessary powers to effectively address cyber threats to the nation Data Protection and Privacy Laws, and Data Sharing Policy Sri Lanka lacks appropriate laws to protect customer data. We will, introduce a data privacy and protection law which governs the collection, use, and disclosure of citizens personal data by government and private organizations. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

18 Thrust # 3: Resilient Digital Government Systems and Infrastructure o Sri Lanka advanced from 101 st (2008) to 79 th position (2016) in the e-government Development Index. o To date there are about 500 government websites and more than 50 e-services. o Many organizations maintaining critical infrastructure also have developed e-administrative systems with the aim of increasing the organizational efficiency. o Lanka Government Network, and Lanka Government Cloud provide the digital infrastructure for e- services and e-administrative services. o These digital government systems expose to various cyberattacks such as malware attacks, unauthorized access, denial of service attacks, and so forth. o Our citizens will not embrace digital government if their information cannot be securely kept in the government systems. COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE SRI LANKA

19 Security Risk Assessments Our strategy is to ensure that our digital systems and digital infrastructure are more resilient to cyber threats, through implementing risk management processes, implementing appropriate security policies and strategies at the organizational level, increasing awareness and building the capacity of public staff at all levels Government CERT Readiness Assessments Resilient Digital Government Systems and Infrastrcture Security Policy Multi-sector Cyber Dirlls Awareness and Capacity Building Security-by- Design SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

20 Our plan 3.1. Awareness and Capacity Building of Staff Working with Digital Government Sri Lankan public officers awareness of information and cyber security is inadequate. We will, therefore, first conduct information and cyber security readiness surveys on public sector employees to assess their readiness to work in a digital government environment. We will, then, conduct information and cyber security awareness activities across all levels of government staff. COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE SRI LANKA

21 3.2. Information and Cyber Security Risk Assessments We will facilitate stakeholders to conduct information and cyber security risk assessments to identify weaknesses in digital government systems Security Policy for Organizations We will encourage government organizations to comply with baseline security standards (BSS) which will be developed based on ISO standards Digital Government Infrastructure Protection Unit/ Government CERT G-CERT will be responsible for detecting cyber threats, disseminating cyber threat alerts, and coordinating incident response activities Establishment of Joint Military Security Operation Centre/Defense CERT Sri Lankan Militaries, Police, and Intelligence Services all work separately in confronting malicious cyber actors. There is a lack of coordination among these organizations to share valuable information on cyber threats. We will establish a joint Cyber Security Operations Centre with a focus on strengthening our cyber defenses. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

22 Thrust # 4: Development of a Competent Workforce o Cyber-attacks and the disruptions to information systems caused by them are increasing exponentially. o Availability of a highly skilled professionals in this field is essential to protect, detect, defend and respond to cyberattacks. o A research done by ISACA in 2016 estimated a global shortage of 2 million cybersecurity professionals by o Women are globally underrepresented in the cybersecurity profession. In Asia-Pacific region, women participation is at 11% o In Sri Lanka, there is a lack of initiatives to address the domestic shortage of cybersecurity experts. It is revealed from the GCI. o We, therefore, aim to implement strategies to increase the supply of cyber security professionals, and facilitate our existing workforce to gain required competency for effectively work in the cyber environment. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

23 Our strategy is to create a virtuous circle of supply and demand of information and cyber security experts through continuous assessment of the gap between the supply and demand of cyber professionals, increasing learning opportunities to capitalize on cyber security knowledge, and educating youth for building a pool of future cybersecurity professionals. Specialized Trainings Up-skilling and Reskilling Opportunities Training Infrastructure across the Country Supply and Demand Gap Competent Workforce e-learning Modules Competancy Framework Expanding Tertiary and Vocational Education SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

24 Our plan 4.1. Assess Supply and Demand of Professionals We will conduct a national level survey to understand the gap between the supply and demand of cyber security professionals in Sri Lanka Competency Framework In collaboration with the academia, we will develop an Information and Cybersecurity Competency Framework which outlines the core competencies that both the government and private sector should possess to effectively work in the cyber environment Expanding Tertiary and Vocational Education We will facilitate local universities, and vocational training institutes to introduce industry oriented diplomas, undergraduate and post graduate programs to provide learning opportunities to students. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

25 4.4. Up-Skilling and Re-Skilling Opportunities for Public Sector With the financial and administrative assistance of the Line Ministry, we will roll out an information cyber security training program for staff at grass root level organizations. and 4.5. e-learning Modules We will encourage the Distance Learning Centre (DLC) to design and deliver e-learning modules on Information and Cyber Security which government staff can take up upon their convenience. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

26 Thrust # 5: Raising Awareness and Empowerment of Citizens o The Internet has become important for all aspects of daily life in our society. o A considerable segment of society is becoming more and more dependent on the internet thereby becoming more vulnerable to cybercrime. o A major reason for that is lack of awareness among citizens about possible cyber threats and their consequences. o Theft of identity, stealing of credit card numbers, and privacy violation and unauthorized access on social media for example are commonly caused due to the lack of awareness of citizens. o It is, therefore, essential to raise citizens awareness about emerging cyber threats and empower them with the knowledge and skills necessary to defend themselves against evolving cyber threats SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

27 Our strategy is to raise the awareness of citizens about the risks derived from cyberspace, and build their capacity to protect their identity, privacy and economic assets in the cyber space Security Features by Default Security Readiness Survey Raising Awareness and Empowerment Establish C-CERT Lifelong Learning Cyber Security Awareness for School Children Public Awareness on Cyber Security SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

28 Our plan 5.1. National Information and Cyber Security Readiness Survey In collaboration with the Department of Census and Statistics, we will conduct a National Baseline Survey to assess Sri Lankan citizens awareness, attitudes and behaviors on information and cyber security Public s Awareness of Social Media Security and Cyber Security We will pay special attention to most vulnerable communities in the society including youth, women and elderly people. We will use printed and electronic media to reach a broader population. The Government Call Center (GIC 1919) will be also enhanced to provide basic information on cyber security related matters. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

29 5.3. Introduction of Information and Cyber Security into Curriculums 5.5. Lifelong Learning Opportunities With the involvement of Open University of Sri Lanka and Vocational Training Institutes we will design of basic information and cyber security learning modules for adults. COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE SRI LANKA

30 Thrust # 6: Development of Public-Private, Local- International Partnerships Our strategy is to develop a mechanism for cooperation extending beyond government agencies to public-private collaboration, and local- international collaboration in developing a cybersecurity ecosystem Partner with Social Groups and NGOs Nature Startups Partner with Telcos and ISPs Public-Private, Local-International Parterships Partner with CI Owners Work with Militaries Research Culture Partner with Training Providers Stregnth Internation al Parterships SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

31 Our plan 6.1. Partner with Telecos and ISPs to Protect Internet Users o ISPs in Sri Lanka occupy a unique position as the gateway to Sri Lanka s cyberspace. o We will, set up an ISP-CERT with the involvement of Telcos and ISPs to effectively handle emerging cyber threats Promote Cooperation with Industry Sectors o We will partner with industry sectors in order to jointly improve detection, prevention, response and recovery capabilities. o We will develop a channel to share real-time sensitive information on cyber threats and potential consequences with industry sectors. o Special attention would be paid to small and medium size businesses, which are currently increasingly being victimized by malicious actors in the cyber space. Tailored alerts and advice will be generated for them. SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

32 6.3. Strengthening International Partnerships Through the links between countries, we will engage with the international community to build a system of cyberspace stability Increase our Presence at International level We will enhance our presence at the international level through participation in international forums and conferences on cyber security and through playing an active role in knowledge gaining and sharing exercises Partner with Businesses to Promote Security in Product and Services We will work with suppliers to bring products and services to the market with a high level of security to ensure the privacy and security of customer information Support of Social Groups and NGOs 6.7. Support Start-ups SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE

33 SRI LANKA COMPUTER EMERGENCY READINESS TEAM COORDINATION CENTRE Thank you