CONE 2019 Project Proposal on Cybersecurity

Project title: Comprehensive Cybersecurity Platform for Bangladesh and its Corporate Environments

Sector or area: Cybersecurity for IT, Communications, Transportation, Manufacturing, Energy, Health Care, Financial Sectors, Defense, Agriculture and all other government agencies

Short description:

The development of a meaningful Information Assurance and Cyber Security Plan is a key component of a viable strategy for any large enterprise. The protection and safeguarding of information must be integrated with the long-term corporate vision and plan to ensure resiliency against emerging cyber threats. The vision for the future begins with the existing computing infrastructure and Information Technology assets. The primary focus then is to develop requirements to drive a robust, responsive and scalable approach to using IT as a strategic asset.

One of the key challenges facing the government and private enterprise is the need to ensure business continuity in the face of natural and man-made disasters. A comprehensive, enterprise-level cyber security plan is a cornerstone of building resiliency in the IT infrastructure. This effort requires infrastructure development, a cyber security system, processes and standards, as well as strong frameworks for compliance and governance.

Cybersecurity threats are becoming more complex and sophisticated. In order to effectively protect organizations, tools and processes will also need to evolve. In many ways, this field is still in its infancy and presents opportunities for new ideas and products.

The nature and scale of the cybersecurity threats to government data centers and individual computing facilities remain high. The threats range from individual hacking, virus and other malware attacks, targeted foreign intelligence gathering and sabotage to unpredictable but recurring natural and man-made disasters.
The impacts of these threats include loss of critical assets, compromised national security and loss of commercial competitiveness in the marketplace. The United States has determined that the threat of cyber warfare is the next big challenge to be confronted by American forces. This threat has recently evolved from direct attacks on civilian and defense government agencies to private sector enterprises that are supporting the wide-ranging use of the Internet infrastructure. This has become a recent priority on the same footing as defense military spending on arms and weapons.

Figure 1: National Critical Infrastructure Sectors

Likewise, as shown in Figure 1 above, we need to think about the security infrastructure in Bangladesh for all sectors such as IT, Communications, Transportation, Manufacturing, Energy, Health Care, Financial Sectors, Defense, Agriculture and all other government agencies. We need to take a comprehensive view of the IT infrastructure for an agency and provide guidance to safeguard vulnerabilities in the security framework. This paper will provide a cookbook for checking the health of an agency's cybersecurity environment and the steps to mitigate any risks and vulnerabilities. We will also provide case studies from the world's largest financial institutions (IRS) and show how we secure their IT infrastructure.

Expected outcomes:

The expected outcome is a comprehensive approach to cybersecurity. In order to protect the enterprise, the organization must take a holistic view that addresses the entire range of threats, vulnerabilities and associated remediation. The following diagram illustrates the typical technology solutions mapped to the corresponding cybersecurity components.

Figure 2: Technology Solutions Mapped to Cybersecurity Components

Impact on Bangladesh:

The impact on Bangladesh is tremendous, as follows:

Protecting the National Interest: Cyber threats are pervasive and persistent. They are opportunistic in the sense that they exploit perceived and actual vulnerabilities. There are significant weaknesses in the country's cyber security posture that limit its ability to adequately defend against a sophisticated series of attacks targeted at both
commercial and public infrastructures. The potential impact of successful attacks may cripple the country's telecommunication infrastructure, major data centers and even the defense establishment.

Protecting the National Security: Each organization will need to evaluate its current vulnerabilities in the area of security assets and determine the level of investment that would be necessary to harden the information and communication infrastructure (ICT). Personnel entrusted with information often do not have the tools or the infrastructure to carry out the mandate to provide the highest level of security in protecting the organization's assets.

Protecting Government Information: The government recognizes the need to protect information that is vital to its operation and to national security. The defense sector has implemented a much more rigorous methodology to support the insertion of advanced technology to protect its data. However, the data centers that contain government Sensitive but Unclassified (SBU) plans on roads and highways projects, international relationship management, RFP and bidding processes, taxation data and national bank transactions are all vulnerable and can be compromised.

Protecting Citizens' Information: In this regard, the government holds some of the largest databases of its citizens amongst all countries. The taxation, driver license and motor vehicle, health care and voter registration databases have resulted in large-scale personally identifiable information (PII) being hosted in the government's care. The government recognizes much of this threat and has in recent years begun to develop enterprise-level initiatives to protect this information from technologically savvy cyber criminals and foreign intelligence gathering agencies.
The health care sector has in recent years been aggressively introducing electronic record systems to keep track of individual health records, emphasizing the need for establishing a robust security framework for protecting this information.

Protecting from Fraud and Other Abuse: The private banking industry has been at the forefront of the adoption curve for the latest information technology, accumulating massive amounts of data on both domestic and foreign financial transactions. As it begins to roll out convenience features, such as Automated Teller Machines (ATM) and Internet Banking, the need for hardening its data centers becomes even more paramount. There are several agencies with specialized systems monitoring possible fraud with advanced fraud detection and remediation solutions. This level of sophistication, however, will need to be adopted across the agencies as the frequency of incidents and the nature of these abuses increase.

Needed resources: Project/Program Manager, Business Analysts, Architects, CISSP-certified Subject Matter Experts (SME), Software Engineers, QA Engineers, Hardware, Software, COTS Solutions

Business plan:

A detailed business plan will be furnished in the subsequent phase. The overall strategy is to provide a comprehensive step-by-step process for securing IT infrastructure in the most cost-effective and optimized way. This project should create local talent within Bangladesh to secure its own environments as well as provide cybersecurity support elsewhere around the world as an outsourcing capability.

If pilot project is needed, what will be the cost?

A pilot or proof-of-concept lab environment will be established as part of the cybersecurity center of excellence knowledge center. A prototype of world-class cybersecurity solutions will be stood up for hands-on
knowledge sharing in the cybersecurity field of study. The actual cost for developing this environment will be available in the next phase.

Expected ROI:

The ROI would be to safeguard different sectors of both government and commercial agencies from all sorts of cyber threats. This would enable Bangladesh to produce an exponential return on investment by eliminating loss of data and privacy.

Figure 3: ROI Forecast (polynomial trendline; axis labels: $10k, Period)

Expected timeline:

At a very high level, it will take about a year to establish a cybersecurity lab to demonstrate the solutions to security professionals and the stakeholders. The detailed implementation and its overall timeline will be provided in the subsequent phase.

Project sustainability plan:

The sustainability plan for this project will be furnished using the following key action items:

- Develop Goals and Objectives
- Research and identify potential stakeholders
- Initiate relationship with potential stakeholders
- Analyze Program Cost
- Continue to cultivate stakeholders and create buy-in
- Concise and distinct ROI
- Follow-up
- Be a Good Steward
- Create and execute a sustainable plan

List of NRB experts in this field: Cybersecurity Analyst, Cybersecurity SME, Architect, Software Engineer and Data Scientists

Principal project contact:

Name: Faisal Quader
Designation: President at Technuf LLC
Email Address: Faisal.quader@technuf.com
Phone: 301-526-7888