Lao PDR Practice for Information Security

Size: px

Start display at page:

Download "Lao PDR Practice for Information Security"

Sybil Ramsey
5 years ago
Views:

PhD EU-SEA Workshop International Cooperation on Cyber Security: Towards the

1 Lao PDR Practice for Information Security Ministry of Science and Technology (MOST) Department of Information and Technology (DIT) Daovalath Phommalath PhD EU-SEA Workshop International Cooperation on Cyber Security: Towards the New Avenues December 02-03, 2015 Vietnam National University, Hanoi, Vietnam

2 Country profile Lao Pepple s Democratic Republic (LPDR) Capital city: Vientiane Area: 236,800 Km 2 Population(2014 Jul): 6,803,699 Currency: Lao Kip Official languages : Lao

3 Department Background In 2008 Department of Informatics has established, was assigned to NAST During 2011, the Government of Lao PDR has established MOST and the DIT is a division of the social structure apparatus of the Ministry DIT plays role a secretariat to manage the macro management on information policy, strategic planning, promotion and development of the IT across the country

4 Department Organisation Structure Ministry of Science and technology Administrative devision Privacy and Strategy devision Department of Information and Technology IT management devision Promote and development devision Information devision Library Center IT service Center

5 Back ground

6 Internet subscribers ADSL 13,200 15,600 18,800 25,000 40,000 FTTH Leased line 3.5G (HSDPA) >10,000 >20,000 >50,000 There internet penetration in Laos is about 5% of population with 5 provider company : ETL, Lao Telecommunication, Unitel, Beeline, Sky Telecom Reference: LaoCERT, 2013

7 PSTN and mobile statistic Reference: LaoCERT, 2013

8 Cyber Threats Lao PDR has experienced similar kinds of cyber-attacks affecting other countries in the region and other parts of the world. These include: Malicious software DDoS attacks, port scanning, huge spamming attacks, phishing scams, web defacement, web server hacking and account hacking Attack against E-government website Attack against DNS server Attack against bank website Attack against mail server of NOUL Internal threat when using USB (memory stick) Reference: LaoCERT, 2013

9 Cyber threats counts Reference: LaoCERT, 2013

10 Reference: LaoCERT, 2013 Web defacement

11 Reference: LaoCERT, 2013 Web Phishing

12 Related work

13 Government policy According to strategic development of science and technology of Laos during To make a sector science and technology becoming viable substitutes for develop an efficient, accelerating the economic development, social as promoting the growing steadily, hold sustainable Establish legislations for governing and managing the development and usage of ICT such as Cyber Crime and etc Establishment ICT Standardization Policy and Framework in Laos base on Standardization policy of ASEAN

14 The related work for cybersecurity For responding to the policy we are focus on created Electronics Transaction Law (ETL) The subject is for using ICT to connect rural and underserved citizens The ETL start discussing since early 2012

15 The law provides the foundation other legislation is also needed for a sound legal regime for electronic transactions Body Instrument Type Objectives & Purpose National Assembly Law on E- Transactions!States basic principles!establishes legal norms for all e-transactions!lists exclusions!addresses conflicts with other laws to remove barriers!assigns administrative roles Prime Minister Prime Minister s Decree!Addresses use of e-transactions by government!establishes e-government coordination roles!assigns standards-setting role!sets roles and duties and timelines to establish e-government MOST Line Ministry Regulations!Provides detail to implement the Law (especially in sectors like banking, tax, and customs)!sets minimum standards!establishes rules and processes for regulation

16 Electronic Transection Law ETL cover 5 tasks which MOST management : 1. Administrative state electronics (Electronic Government) or Electronic Transactions Used by the State Organizations 2. Electronic Signature 3. Electronic commerce 4. Intermediary 5. Conflict resolution

The draft Electronic Transactions Law prepared by the MOST addresses all these issues The draft law contains basic rules that apply to the formation, use, and recognition of electronic transactions,

17 The draft Electronic Transactions Law prepared by the MOST addresses all these issues The draft law contains basic rules that apply to the formation, use, and recognition of electronic transactions, electronic documents, and electronic signatures It applies to all sectors, including private e-commerce and e- government It sets minimum standards that all electronic transactions must meet -- Security, Data Formats, Confidentiality, E-signatures, Data Storage, etc. Specific details that are unique to a specific sector e.g., banking, customs, courts are left to sector regulations, provided that the sector rules do not conflict with the general law It defines a regulatory regime for the use of secure digital signatures and the provision of digital signature services

18 The MOST based its work on the draft law on the UNCITRAL Model Law to ensure Laos could enter the e-trade world The UNCITRAL Model Law is the product of years of negotiations and legal work by lawyers from many different countries under the sponsorship of the United Nations Most all of the national laws on electronic transactions use terms and concepts defined in the UNCITRAL Model Law Trading partners from other countries will recognize these terms and concepts and are familiar with their use International trade involving electronic transactions now relies upon the best practices expressed in the Model Law to establish the validity of electronic transactions, electronic documents and electronic signatures The common norms and standards in the UNCITRAL Model Law are important for a modern trade regime, especially in the area of customs administration where electronic transactions are increasingly used This reliance leads to equal treatment for paper-based and electronic transactions

19 The key features of the Model Law are included in the Lao draft Law on Electronic Transactions (1 of 5) Genuineness and Reliability - Rules that guarantee the genuineness and reliability of transactions conducted electronically that are equivalent to the traditional rules that guarantee the genuineness and reliability of paper transactions Technology Neutrality - Technology neutrality between different techniques and methods used in electronic transaction (EDI, e- mail, Internet, telegram, telex, fax, etc.) a specific technology is not required, but the technology must meet the standards Recognition - If the standards are met, transactions completed electronically and evidenced only by electronic data have the same level of recognition as information on paper

20 The key features of the Model Law are included in the Lao draft Law on Electronic Transactions (2 of 5) Electronic Signature - Words, letters, numbers, symbols, sounds, or other forms established by electronic means, logically attached or associated with a data message and capable of certifying the person who has signed it and that person s approval of the content of the message Signature Validity A data message meets the legal requirement of a signature if: (a) a method is used to identify the signatory and to indicate his approval of the information contained in the data message; and (b) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated Secure Digital Signature - An electronic signature is secure if it is verified by a security verifying process agreed to by the parties, and if (1) the e-signature creation data is attached only to the signatory, (2) the data is under the control of the signatory when the signature is created, (3) all changes can be identified, and (4) and all changes to the data message can be identified

21 The key features of the Model Law are included in the Lao draft Law on Electronic Transactions (3 of 5) Non-Repudiation Using a secure digital signature provides document integrity, non-repudiation and accountability Digital Signature Certification Services Most secure digital signatures are created using certificates (i.e., data that helps create the signature) provided by trusted third parties. These services are called digital electronic signature certification services Regulatory Oversight - The law establishes the government oversight body that will (1) issue regulations to register certification services providers, (2) recognize certificates provided for foreign providers, and (3) define the minimum standards for secure digital signatures

22 A secure digital signature is the most secure e-signature EXAMPLE SECURE DIGITAL SIGNATURE USING PUBLIC/ PROVATE KEY ENCRYPTION

23 The key features of the Model Law are included in the Lao draft Law on Electronic Transactions (4 of 5) Electronic Formation of Contracts - Offer and acceptance of a contract may be expressed in an electronic communication. When automated messages are used, the formation of a contract shall not be denied validity solely by virtue of the fact that the messages are automated Place of Sending and Receiving - Data messages are deemed to be sent at the place where the originator has its place of business and received at the place where the addressee has its place of business Time of Sending and Receiving A data message is deemed to be sent when it enters an information system outside the control of the originator A data message is deemed to be received when it enters the information system designated by the addressee or, if the message is sent to a different system than the designated system, a data message is deemed to be received when the addressee retrieves the message. If the addressee has not designated an information system, the message is deemed to be received when it enters an information system of the addressee

24 The key features of the Model Law are included in the Lao draft Law on Electronic Transactions (5 of 5) Original Documents - A data message meets the legal requirement for an original document if a reliable assurance exists as to the integrity of the information from the time when it was first generated in its final form, as a data message or otherwise and the information is capable of being displayed to the person to whom it is to be presented Evidence - In any legal proceedings, nothing in the rules of evidence shall apply so as to deny the admissibility of a document in evidence solely because it is in electronic form Retention of Documents Documents, messages and data may be stored electronically i.e., in databases if they are stored in a manner that allows them to be retrieved, shows their date of creation, the origin and destination and the date and time they were sent or received, and stored in a format that demonstrates the accuracy of the message

25 Cyber security promote event 26 Nov 2015 cyber security briefings and ISO standard ISMS

26 Summary Lao PDR also face with cyber crime problem is not new problem in the world, but it still be new problem for us and many people starting concern about this problem For promoting about using ICT and support about security we are working on making legislations about information security Promote the legislation which is established to make the related organizations to understand well The ETL was enforce since 17 January

27 Future plan

28 Our research on legislation Legislation under the law of electronic transactions that we are studying: 1. Guidelines for effective ETL. 2. Agreement with the digital signature certificate is protected 3. Strategy development e-governance services. 4. Legislation for management e-government. 5. Agreement for supporting e-commerce

29 Thank you Q & A Contact daotouty@gmail.com LinkedIn: Daovalath Phommalath

CYBERSECURITY INITIATIVES IN VANUATU

CYBERSECURITY INITIATIVES IN VANUATU OUTLINE COUNTRY OVERVIEW TELECOMMUNICATIONS/ICT SECTOR REFORM PROGRAM MODERN BUSINESS ENABLING ENVIRONMENT POLICIES RELATING TO TELECOMMS POLICIES RELATING TO ICT LESSONS