Panel 1 National CSIRT Experience

Transcription

1 Panel 1 National CSIRT Experience 2 nd Meeting of Government Cybersecurity Practitioners Sao Paulo, Brazil September 14-16, 2005 Andrew McAllister Senior Advisor, Cyber Security Public Safety and Emergency Preparedness Canada September 14, 2005

2 Lessons Learned Three Communities Questions A, B, C, D Summary

3 A cyber security incident may have many aspects or dimensions and will require concurrent and coordinated management for each of these aspects or dimensions.

4 The need for full cross government involvement in establishing a National CSIRT.

5 Requirement for National CSIRT to ensure: Government coordination Domestic collaboration International cooperation.

6 Importance of identifying national cyber security experts Different skill sets in different departments Who can you activate a resource? When (24/7?)? For how long?

7 Who coordinates the response internal to a national government? Departments will be busy recovering their own systems Need for coordinated response and allocation of specialized assets (experts and tools)

8 State/Provincial/Territories Governments within a nation Collaboration or Coordination Critical Infrastructure Owners & Operators Energy and Utilities / Communications and Information Technology / Finance / Health Care / Food / Water / Transportation / Safety / Government / Manufacturing Collaboration and value added Everyone else (?)

9 Other National CSIRTs Other CSIRTs Researchers, Expert Groups, etc. Cooperation and Information Sharing Vulnerability or Attack information Mitigation strategies

10 ! Where is the National Computer Security Incident Response Team (CSIRT) located within the Government and why?

11 " Government of Canada PSEPC Portfolio PSEPC Department Government Operations Center»CCIRC (National CSIRT)

12 #$%&$' PSEPC's Canadian Cyber Incident Response Centre (CCIRC) is Canada's national focal point for coordinating cyber security incident response and monitoring the cyber threat environment. CCIRC is an integrated part of PSEPC's Government Operations Centre and is a full member of the Forum of Incident Response and Security Teams.

13 $( ) CCIRC leverages the IT security capabilities of the federal government to provide the following services to critical infrastructure sectors: 24/7 incident response coordination and support 24/7 monitoring and analysis of the cyber threat environment 24/7 IT security-related technical advice national awareness and education (training, standards, best practices)

14 *+#,- PSEPC is under the Deputy Prime Minister PSEPC is responsible for the Government Operations Centre Coordinates Canada s response to Terrorist, Emergency Management or Cyber Incidents affecting the national interest PSEPC has provincial offices across Canada

15 .! What organizations belong? Government and Private Sector?

16 /# National Government Partners Law Enforcement (RCMP), National Security (CSIS), Military networks (DND), Technical Authority (CSE), Government Services (PWGSC), and Policy (TBS/CIOB) Clients All federal government departments/agencies Provincial, Territorial, and Municipal governments

17 # Direct and via lead department 2 of 10 sectors: Energy and Utilities / Communications and Information Technology / Finance / Health Care / Food / Water / Transportation / Safety / Government / Manufacturing

18 ! What are the authorities/responsibilities of the National CSIRT?

19 +0$( / Government Security Policy Departments must report incidents to CCIRC CCIRC to monitor and analyse cyber attacks Issuing Alerts, Advisories and other Information Coordinating a Federal response Responding to requests by departments

20 ! National CSIRT Service model and financing

21 #1 &' Designation of the national CSIRT by the respective government; Agreement on principles of information sharing among the cooperating teams; Responsibility for receiving information from other national CSIRTs and disseminating that information to appropriate entities within the country;

22 #1 &' Participation in information-sharing among the other national CSIRTs in the hemispheric network; Authorization to disseminate information to other national CSIRTs; and Provision of assistance to other national CSIRTs for incidents and threats.

23 23 Services of CCIRC considered part of Government Operations Centre operating costs.

24 # How best to respond to multiple aspects and multiple communities? Where to place a coordinating entity? Separate or combined entities for internal and external government stakeholders? (i.e. a Government CSIRT and a National CSIRT) Responders versus coordinators versus experts

25 CCIRC Canadian Cyber Incident Response Centre CSIRT Computer Security Incident Response Team CSIS Canadian Security Intelligence Service (National Security) DND Department of Defence (Military) PSEPC Public Safety and Emergency Preparedness Canada (Coordinating Department) PWGSC Public Works Government Services Canada RCMP Royal Canadian Mounted Police (Law Enforcement) TBS/CIO Treasury Board Secretariat / Chief Information Officer

26 Cyber Duty Officer