Challenges in Developing National Cyber Security Policy Frameworks Regional Workshop on Frameworks for Cybersecurity and Critical Information Infrastructure Protection William McCrum Deputy Director General Telecom Engineering Industry Canada 28 August 2007 1
Millions of users 2500 2000 1500 1000 500 0 546 572 16 23 4.4 7 A global information society Growth of the information society 1991-2006 Main Telephone Lines Internet Users Mobile Subscribers 1405 1263 1162 1207 1140 1053 983 846 905 955 1086 738 792 643 689 964 604 740 863 490 724 318 619 215 502 145 34 56 91 399 10 21 40 74 277 117 183 emerging 1752 2137 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 1093 Sources: ITU, 2006, Internet World Statistics, January 11, 2007 Notes: Internet Users data 1991-2005 (ITU), 2006 estimate (Internet World Statistics) 2
ICTs at the centre the global information society Power/ Electricity Retail / Service Industries Banking and Finance National Defence Biotech / Life Sciences Automotive and Manufacturing Water/Sewage Information and Communication Technologies (ICTs) Healthcare Education Transportation Air Traffic Control Home / Work Oil and Gas Public Safety / Law Enforcement Information and and Communication Technologies (ICTs) power the the global information society 3
Critical infrastructures dependent on ICT infrastructure Retail Finance Mfg. Transport Energy Public Safety ICT Infrastructure Trust and and confidence demands strict protection of of critical information by by means of of secure access, distribution, and and transmission 4
We are moving to an XoIP world Top-down: What the network thinks you want, when they think you want it and in the format they want TV content on cable or over the air Radio show on radio Books in the bookstore or library Snail mail rain or shine Voice by monopoly phone provider Choice: What you want, when you want it, from anywhere All content and services available online Choice of receptors: computers, cell-phones, blackberry, ipods October 12, 2005 First TV network show available for download through itunes 45 million downloads to date (as of Sept 2006, USA only) Consumer pull and and freedom of of choice --rather than than technology push 5
where everyone and everything is connected Internet Things Ecosystem of the Internet of Things Source: ITU, 2005 Smart tech Human Body Wireless sensors 2G mobile 3G+ mobile Human Being Satellite RFID Nanotech xdsl WiMAN WiLAN Cable A world of of inter-connected devices and and objects 6
The wireless revolution is here Wireless technologies and and the the mobile Internet is is revolutionizing communications globally 7
ICT infrastructure in transition Past Future PSTN VoIP CATV Internet Broadband VoD WWW, Corporate Intranets Converged IP Network Wireless & Satellite CDMA, GSM Convergence leads to to network complexity; the the network becomes inherently less less secure 8
Trust and confidence in ICT infrastructure Privacy and online security concerns Privacy and security fears discouraging e-commerce in Canada Users changing their online behaviour due to security concerns Consumers losing trust in online banking Online threats continue to evolve Spam is clogging the networks and increasing costs Spyware, adware and zombies Identity theft and cybercrime E-mail fraud, e-commerce attacks and extortion Malicious attacks on networks Virus, worms, denial of service attacks, malware Maintaining trust trust and and confidence in in the the ICT ICT infrastructure is is a challenge 9
Changing security environment Natural Disasters Malware Vulnerabilities Identity Theft Phishing Worms / Viruses Pandemics Terrorism ICT Infrastructure BotNets Spam Privacy Accidental Sophistication Social Interdependencies Outcome Communications Economic Manmade Magnitude Trust & Confidence Exacerbating Factors National Security 10
New breed of cyber attackers Disorganized attacker Challenge/pride motivated Individuals or small groups Hacks (e.g., DoS, disruptions, defacements) Cyber criminals Profit motivated Extend fraud/theft activities White collar crime Cyber-extortion Jurisdictional arbitrage Money-laundering New New breed of of cyber attackers with with different motivations 11
More sophisticated threats Evolving trojans Morphing trojans Targeted trojans More sophisticated botnets Evolving spam Wireless messaging spam Image spam Number of new TrojWare programs Jan 2003-Nov 2006 (Kaspersky Lab) Detecting threats/attacks and and mitigating their their impacts presents many challenges, particularly where multiple files, files, processes and and registry components are are involved 12
New vulnerabilities Percentage 25.00 20.00 15.00 10.00 5.00 0.00 Vulnerability Trends 2001 2002 2003 2004 2005 2006 Year XSS sql-inject php-include buf dot Over last 5 years, 75% of exploited vulnerabilities were in web application and clients Vulnerabilities that could be exploited remotely topped 88% in 2006 Vulnerability exploits have shifted away from from networks and and operating systems towards web web applications and and clients 13
Challenges in securing the ICT infrastructure Increased service and device complexity More services, new means of service delivery Overlap between fixed and mobile services; Overlap between telecommunications, broadcasting and Internet domains Complex interconnections needed between distributed intelligent devices Multi-vendor product interoperability New competitors and more complex relationships between competitors Globalization impacts and pressures Global mobility Internet governance National security and public safety concerns and its impact in international setting Maintaining trust and confidence in changing security environment New threats and vulnerabilities such as malware, viruses, spam, spit, spim, phishing, spoofing, denial of service cyber-terrorism, fraud The The most important issue is is to to assure the the cyber security of of the the ICT ICT infrastructure 14
Stakeholders Public Policy Regulation Government establishes public policy and sets regulation to safeguard ICT infrastructures Users (both enterprises and individuals) implement policies to secure their portion of the ICT infrastructure User Application / Content Providers Service Provider Vendors Network Provider Application and content providers deliver tools and products to end users to help safeguard the ICT infrastructure Service and network providers typically own the bulk of the ICT infrastructure assets and take steps to secure and safeguard the network Vendors build tools and products to help secure the ICT infrastructure Continual dialogue between all all stakeholders required to to secure ICT ICT infrastructure 15
Access and adoption National cyber security policy frameworks Encourage all stakeholders to use and deploy secure ICT infrastructure Marketplace and business environments Improve marketplace and promote business environments that foster secure ICT infrastructures Innovation Enable innovation to improve the security of the ICT infrastructures Key Key elements of of national cyber security frameworks address the the challenges of of securing critical infrastructures 16
Access and adoption Provide incentives for secure access infrastructure to be developed and deployed Provide computer support and training Helps users to take advantage of emerging opportunities in the new global knowledgebased economy Promote e-commerce and electronic access to government services Secure universal access is is a bridge to to economic and and social inclusion 17
Access and adoption Other policy framework elements Protect users and safeguard the ICT infrastructure Establish national Cyber Security Emergency Response Team (CERT) Establish cyber security best practices for all application, service and network providers Adopt guidelines for securing ICT infrastructures Promote cyber security information sharing between stakeholders Organize round table exchanges and communities of interest Raise awareness of cyber risks and cyber security protection strategies Develop advertising campaigns that alert users to risk and mitigation Establish hotlines for users to deal with cyber security threats, attacks, fraud National policies help help protect both both users and and the the ICT ICT infrastructure 18
Security awareness education essential for all And And still still Social Engineering is is a major challenge for for all all 19
Marketplace and business environment Improve marketplace environment for secure ICT infrastructures Develop expertise to analyse policy and regulatory impacts of new competitive environments, new service offerings, and new spectrum needs Establish government procurement policies that promote secure ICT infrastructures Consider regulatory requirements for minimum cyber security levels Evaluate use of Common Criteria standards Promote secure ICT infrastructure business environment Encourage ICT infrastructure security standards development Global standards have key key role role in in securing ICT ICT infrastructure 20
Importance of standards development In an increasingly open free-market economy, the role of standards become key Accelerate adoption of new technology Ensure interoperability between competing platforms and technology Link supply chains Increase market efficiency Facilitate regulatory compliance Examples ITU-T Study group 17 is lead Study Group on telecommunications security International standard (ISO/IEC 15408) sets a framework for specification and evaluation of security requirements Security standardization objectives: responsive, efficient, productive, inclusive 21
Example national cyber security policy frameworks Canada (National Security Policy, 2004) United Kingdom (Protecting our Information Systems, 2003) US (National Strategy to Secure Cyber Space, 2003) Common element: focus on on discrete cyber security initiatives Australia (E-Security National Agenda, 2001) 22
Summary Critical infrastructures are dependent on a secure ICT infrastructure The ICT infrastructure itself is evolving into a converged network, leading to challenges of interoperability and security An ever changing security environment makes it difficult to maintain users trust and confidence in critical infrastructures Continual dialogue between all stakeholders users, provider, vendors, governments is required to meet these challenges National cyber security policy frameworks contain elements that Encourage access and adoption of secure ICT assets Improve marketplace and promote business environments that help secure ICT infrastructures Enable innovation to improve the security of the ICT infrastructures International collaboration and and sharing of of national cyber security frameworks help help strengthen global ICT ICT infrastructure 23
Contact Bill McCrum Telecommunications Engineering and Certification Industry Canada +1 613 990-4493 mccrum.william@ic.gc.ca 24