Caribbean regional Cybersecurity workshop


Caribbean regional Cybersecurity workshop, Barbados, 17-18 November 2014. Presenters: Mr Lasantha de Alwis, Mr Mike StJohn-Green

Acknowledgements

Understanding CIIP & Challenges

[Slide: illustration of Internet addressing and history] IP address 208.67.222.222; IP address 208.67.220.220; TCP/IP standardized in 1982; Internet commercialised 1995. Sources: http://en.wikipedia.org/wiki/history_of_the_internet and http://en.wikipedia.org/wiki/file:internet_map_1024.jpg. Commonwealth Telecommunications Organisation, www.cto.int

The paradox of cyberspace: "Digital technologies, commonly referred to as cyber systems, are a security paradox: even as they grant unprecedented powers, they also make users less secure." The Honourable Richard J. Danzig, U.S., July 2014

The paradox of cyberspace (Danzig, continued)
1. Communicative capabilities...
2. Concentration of data and manipulative power...
3. The complexity of their hardware and software...
4. Cyber systems' responsiveness to instruction...
5. These systems' empowerment of users...
"In sum, cyber systems nourish us, but at the same time they weaken and poison us."

Critical Information Infrastructure Protection (CIIP)
- Hyperconnectivity of the network of people and things
- Loss of hierarchy
- Unbounded systems
- Unexpected properties
- Hard to model
Image from http://exceljockey.com/2013/03/complexity-is-the-enemy-of-everything/

Understanding CIIP (outline)
- General definition
- Critical Resources
- Critical Infrastructure
- Critical Information Infrastructure
- Interdependencies

Critical Resources (examples: water, energy, environment)
Defined by some national governments to include:
- Natural and environmental resources (water, energy, environment, etc.)
- National monuments and icons, recognised nationally and internationally

Critical Infrastructure (1/3) (examples: airports, power grid, roads)
Defined by some national governments to include:
- The nation's public works, e.g. bridges, roads, airports, dams, etc.
- Increasingly, telecommunications, in particular major national and international switches and connections

Critical Infrastructure (2/3): national definitions
- United States: "the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." Source: US Department of Homeland Security
- United Kingdom: "the Critical National Infrastructure (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either: cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government." Source: UK Centre for the Protection of National Infrastructure (CPNI)
- European Union: "an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens." Source: European Union (EU)

Critical Infrastructure (3/3): national definitions (continued)
- Australia: "those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security." Source: Australian, State and Territory Governments
- Canada: "processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence." Source: Government of Canada
- India: "those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation." Source: National Critical Information Infrastructure Protection Centre (NCIIPC)

What about Commonwealth member countries? Do they have a national critical infrastructure initiative or strategy?

Critical Infrastructure sub-sectors: e.g. Germany divides its critical infrastructure into technical basic infrastructure and socio-economic services infrastructure.

Critical Information Infrastructure (1/2). CII definition: "Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values." Source: Rueschlikon Conference on Information Policy Report, 2005

Critical Information Infrastructure Protection (CIIP). The Internet has connected stand-alone systems and closed networks to form a global information infrastructure. This information infrastructure enables complex interactions among systems nationally and globally. Many of our critical services now depend on this information infrastructure.

Critical Information Infrastructure Protection (CIIP) today
- Focuses on protection of the services
- Must consider IT systems and assets, people and processes
- Ensures confidentiality, integrity and availability of services
- Availability: some services are required 24 hours a day, 7 days a week, 365 days a year, e.g. power grid, water supply, transport, telecom network, national defence, public health, law enforcement

Changing environment
- Expanding infrastructures
  o Fibre optic connectivity (Africa's cable investment)
  o Mobile/wireless networks (Asia-Pacific accounts for 55% of all mobile phones in the world, 2.2 billion)
- Cyber communities
  o Social networks: an attacker's gold mine

Global trends towards CIIP
- Increased awareness of CIIP: countries are aware that risks to CII need to be managed, whether at national, regional or international level
- Cyber security and CIIP are becoming essential tools for supporting national security and socio-economic well-being
- At national level: increased need to share responsibilities and co-ordinate among stakeholders in prevention, preparation, response and recovery
- At regional and international level: increased need for co-operation and co-ordination with partners in order to formulate and implement effective CIIP frameworks

Challenges for developing countries #1: Cost and limited financial investment
- The funds required to establish a CIIP strategic framework can be a hindrance
- Limited human and institutional resources
[Slide chart: GDP by country, source: IMF (2013)]

Challenges for developing countries #2: Technical complexity
- Understanding dependencies, especially vulnerabilities and how they cascade
[Slide diagram: a dependency chain running from critical services (eGovernment; public transport; emergency care: police, firefighters, ambulances; banks and trading; public administration) through ICT services (online services and cloud computing; public ecomms: telco sites, switch areas, interconnections; emergency calls; private datacenters; public datacenters) down to underlying infrastructure (regional power supply; private D2D links; regional network: cables, wires, trunks; powerplants; regional power grid). Components are annotated with availability figures: at 90% availability, outages of 30 days are disastrous; at 99%, outages of 3 days are disastrous; at 99.9%, outages of 8 hours are disastrous.]

Challenges for developing countries #3: Need for improved education and awareness
- Improve awareness of the importance of CIIP; share information on what works and on successful best practices
- Create trust and confidence, stimulate secure usage, ensure protection of data and privacy

Challenges for developing countries #4: Lack of relevant CII strategies, policies and legal framework
- Needs cybercrime legislation and enforcement mechanisms
- Set up policies to encourage co-operation among stakeholders
  o Especially through Public-Private Partnerships (PPP)
Challenges for developing countries #5: Lack of information sharing and knowledge transfer
- Important at all levels: national, regional and international
- Necessary to develop trust relationships among stakeholders
  o Including CERT teams

Session 1: Group discussions. Question: What is the CII definition for your country?

Group discussions
- What are the key services on which public safety and law and order depend?
- Do they depend on information systems?
- How long can you survive an interruption?
- Therefore, how would you define your critical information infrastructure?

CIIP Dependencies
[Slide diagram: the dependency chain from critical services (eGovernment; public transport; emergency care: police, firefighters, ambulances; banks and trading; public administration) through ICT services (online services and cloud computing; public ecomms: telco sites, switch areas, interconnections; emergency calls; private datacenters; public datacenters) down to underlying infrastructure (regional power supply; private D2D links; regional network: cables, wires, trunks; powerplants; regional power grid), annotated with availability figures: at 90% availability, outages of 30 days are disastrous; at 99%, outages of 3 days; at 99.9%, outages of 8 hours.]

Steps towards CI Protection

Steps towards CI Protection: establish CIP goals and define CIP roles
[Slide diagram: a cycle of stages, with the stakeholders alongside it]
- Stakeholders: Government (define CIP goals and roles); Public-Private Partnership (define what's critical); Infrastructure operators and service providers (deploy the best control solutions)
- Stages: Define policy and identify roles; Determine acceptable risk levels; Assess risks; Prioritize risks; Identify controls and mitigations; Implement controls; Measure effectiveness

Steps towards CI Protection: the importance of the public-private relationship
[Slide diagram: actors grouped under Government, Shared and Private: Sector Specific Agency; Law Enforcement; CIP Coordinator (Executive Sponsor); Public Private Partnership; Computer Emergency Response Team (CERT); infrastructure owners and operators; IT vendors and solution providers]

Steps towards CI Protection: continuously assess and manage risks
- Assess risks: identify key functions; assess risks; evaluate consequences
- Identify controls and mitigations: define functional requirements; evaluate controls; balance risk against cost and benefit; select controls
- Implement controls: a holistic approach; implement defence in depth
- Measure effectiveness: evaluate programme effectiveness; use findings to improve risk treatment

Steps towards CI Protection: assessing and mitigating risks
[Slide: a risk matrix with IMPACT (very low to very high) on the vertical axis and LIKELIHOOD (very low to very high) on the horizontal axis, with four regions marked]
1. Bad place to be (high impact, high likelihood)
2. Good place to be (low impact, low likelihood)
3. Black swan, rare event (high impact, low likelihood)
4. Commonplace failures (low impact, high likelihood)
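The dependency diagram and the risk matrix above are the two halves of one exercise: work out which critical services fall over when an upstream component fails, then place each component on the matrix. The following is an added example, written for this page and not taken from the workshop material; the dependency graph, the service names and most of the availability figures are constructed for illustration (only the 90% / 99% / 99.9% figures come from the slide, and which component carries which figure is an assumption). It assumes a component needs every listed dependency, i.e. no redundancy, and it derives likelihood from the annual downtime budget that an availability target implies.

```python
"""Dependency cascade plus risk-matrix triage for a small CII model.

Added example, not from the workshop slides.  The graph, the extra
availability figures and the band thresholds are constructed assumptions.
"""
from collections import deque

HOURS_PER_YEAR = 24 * 365

CRITICAL_SERVICES = ("eGovernment", "Public transport", "Emergency care",
                     "Banks & trading", "Public administration")

# Constructed graph: each key depends on every component in its list.
DEPENDS_ON = {
    "eGovernment": ["Public datacenter", "Public ecomms"],
    "Public transport": ["Public ecomms", "Regional power supply"],
    "Emergency care": ["Emergency calls", "Regional power supply"],
    "Banks & trading": ["Private datacenter", "Private D2D links"],
    "Public administration": ["Public datacenter"],
    "Public datacenter": ["Regional power supply", "Regional network"],
    "Private datacenter": ["Regional power supply", "Private D2D links"],
    "Public ecomms": ["Regional network", "Regional power supply"],
    "Emergency calls": ["Public ecomms"],
    "Regional power supply": ["Regional power grid"],
    "Regional network": ["Regional power supply"],
    "Private D2D links": ["Regional network"],
    "Regional power grid": ["Powerplants"],
    "Powerplants": [],
}

# Availability targets.  The first three mirror the slide's 90/99/99.9 figures;
# assigning them to these components, and the remaining values, are assumptions.
AVAILABILITY = {
    "Private D2D links": 0.90,
    "Regional power grid": 0.99,
    "Regional network": 0.999,
    "Powerplants": 0.999,
    "Public ecomms": 0.95,
    "Public datacenter": 0.9999,
}


def allowed_downtime_hours(availability):
    """Annual downtime budget implied by an availability target (0.99 -> ~87.6 h)."""
    return (1.0 - availability) * HOURS_PER_YEAR


def reverse_graph(depends_on):
    """Invert 'X depends on Y' into 'Y is depended on by X'."""
    rev = {node: [] for node in depends_on}
    for node, deps in depends_on.items():
        for dep in deps:
            rev.setdefault(dep, []).append(node)
    return rev


def cascade(depends_on, failed):
    """Every node that loses service when the components in `failed` are down.

    Assumption: a node needs all of its dependencies, so one failed dependency
    takes it down (no redundancy modelled)."""
    rev = reverse_graph(depends_on)
    down = set(failed)
    queue = deque(failed)
    while queue:
        node = queue.popleft()
        for dependent in rev.get(node, []):
            if dependent not in down:
                down.add(dependent)
                queue.append(dependent)
    return down


def likelihood_band(availability):
    """Five-point likelihood band from expected downtime hours per year (constructed thresholds)."""
    hours = allowed_downtime_hours(availability)
    for limit, band in ((1, "Very low"), (10, "Low"), (100, "Medium"), (1000, "High")):
        if hours <= limit:
            return band
    return "Very high"


def impact_band(lost_fraction):
    """Five-point impact band from the fraction of critical services lost (constructed thresholds)."""
    for limit, band in ((0.0, "Very low"), (0.25, "Low"), (0.5, "Medium"), (0.75, "High")):
        if lost_fraction <= limit:
            return band
    return "Very high"


HIGH = ("High", "Very high")


def quadrant(impact, likelihood):
    """Place an (impact, likelihood) pair in one of the four regions of the slide's matrix."""
    if impact in HIGH and likelihood in HIGH:
        return "1. Bad place to be"
    if impact in HIGH:
        return "3. Black swan"
    if likelihood in HIGH:
        return "4. Commonplace failures"
    return "2. Good place to be"


def triage(depends_on, availability, critical):
    """For each component with an availability figure: the critical services its
    outage cascades into, its downtime budget, and its position on the matrix."""
    result = {}
    for component, avail in availability.items():
        lost = sorted(s for s in cascade(depends_on, {component}) if s in critical)
        imp = impact_band(len(lost) / len(critical))
        lik = likelihood_band(avail)
        result[component] = {
            "downtime_budget_h": round(allowed_downtime_hours(avail), 1),
            "services_lost": lost,
            "impact": imp,
            "likelihood": lik,
            "quadrant": quadrant(imp, lik),
        }
    return result


if __name__ == "__main__":
    for comp, row in triage(DEPENDS_ON, AVAILABILITY, CRITICAL_SERVICES).items():
        print(f"{comp:22} {row['downtime_budget_h']:7.1f} h/yr  {row['impact']:9} "
              f"{row['likelihood']:9} -> {row['quadrant']}  {row['services_lost']}")
```

With the constructed figures, the powerplants and the power grid land in the black-swan region (everything fails, but rarely), the private D2D links are a commonplace failure (only banking is lost, often), and public ecomms is the "bad place to be" because three of the five services hang off it. The practical lesson is the one the slide draws: the component to harden first is not the one with the worst availability but the one whose cascade reaches the most critical services at a likelihood you cannot accept.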


Steps towards CI Protection: mitigations, there is no single standard
- Standards range from narrow-focus, highly prescriptive and very detailed to universally applicable, principles-based and sparse on detail
- Mitigations combine trained people, procedures and technology
- Prevention measures to stop bad things ever happening
- Detection measures to identify bad things happening, to aid swift and effective recovery

Steps towards CI Protection: establish and exercise emergency plans
- Things will go wrong
- Develop joint plans for managing incidents, including recovering critical functions
- Plans should be simple, short and easily tested
- Exercise plans to test them and to create trust and understanding
- Review the risk register: exercises can reveal hidden risks

Steps towards CII protection: establish a Public-Private Partnership (PPP)
- Promote the trusted relationships needed for sharing information and collaborating on difficult problems
- Leverage the unique skills of government and private sector organisations
- Have the flexibility needed to address today's dynamic threat environment collaboratively

Steps towards CII protection: update and innovate technology and processes
- Cyber threats are constantly evolving
- All CIP stakeholders need to prepare for changes in cyber threats
- Constantly monitor trends and changes in critical function dependencies
- Adopt smart and effective procedures and processes

Group discussions. Questions:
- What should be the roles and responsibilities of the state?
- How should the private sector and government work on CIIP and build trust?

Threats, vulnerabilities, risks and issues

Threats, vulnerabilities, risks and issues. Some risk management definitions:
- Asset: people, property, information, a service
- Vulnerability: a weakness in that asset
- Threat: anything that can exploit vulnerabilities
- Risk: the likelihood and the consequences of the threat using the vulnerability to harm the asset
- Issue: a risk that has happened

Threats, vulnerabilities, risks and issues
(1) Cybersecurity is challenging to understand
- Many decision makers do not understand the messages
- Organisations don't have adequate expertise and resources
- Outsourcing reduces visibility and increases risk
(2) Software has vulnerabilities
- The market rewards being first, not being correct
- Consumer software is released before it is fully tested
- Industrial systems are now based on consumer/corporate software
- Systems are too complex to understand and model

Vulnerabilities, even in the security software we must trust!
- Shellshock: allows security rules to be circumvented
- Heartbleed: leaks cryptographic keys
- GotoFail: accepts fake credentials
- DigiNotar, Comodo, RSA: fake certificates generated to allow a masquerade

Threats, vulnerabilities, risks and issues
(3) Cyberspace has helped the criminals too
- Information available online is valuable to criminals, hostile nations, terrorists and activists
- Cybercrime has become a sophisticated commodity market
- Geography and distance have become largely irrelevant in cyberspace, but our laws are still based around physical nation states
- Anonymity supports our personal privacy but assists those who attack us
(4) People are now often the weakest link
- The insider threat
- The well-meaning rule breaker
- The victim of a sophisticated socially-engineered attack

Threat case study: Energetic Bear / Dragonfly / Havex
"Dragonfly initially targeted defence and aviation companies in the US and Canada before shifting its focus to US and European energy firms in early 2013."
"The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a soft underbelly by compromising their suppliers, which are invariably smaller, less protected companies..."
Both quotations from a Symantec report published in July 2014. Image courtesy of a WordPress site, http://tbearbourges.files.wordpress.com/2014/01/fureur-de-lours.jpg

Threats, vulnerabilities, risks and issues
(5) Technology is changing faster than policy
- The blurring of personal and work life online
- Bring Your Own Device (BYOD): work data on personal devices
- Social media: staff revealing too much about their work online
- Cloud-based services bring new policy issues
(6) Government and regulators are only part of the solution
- Organisations are expected to manage their own risks
- Regulators are not keeping up with the pace of technology and the demands from operators and service providers
- Regulation can have unintended consequences: people play the system

Threats, vulnerabilities, risks and issues. Any questions?

Commonwealth Approach to Cybergovernance

Trends in Cyberspace
- Cyberspace provides access to ICT-based services, bridging the digital divide and influencing socio-economic activities
- Cyberspace is increasingly becoming a global system, anticipated to grow from 2 billion to 4 billion users by 2020 (mostly from developing countries)
- Cyberspace is open, decentralised and empowering; this has fostered innovation, collaboration and rapid development
- Cyberspace's success depends on its infrastructure, which should be secure, resilient and available to users
- Cyberspace can also be used for criminal activities: cybercrime, extremism and other social crimes

Why a Commonwealth model
- Contrasting views are emerging across the world on governing Cyberspace
- Harmonisation is critical to facilitate growth and to realise the full potential of Cyberspace
- The Commonwealth family subscribes to common values and principles which are equally applicable to Cyberspace
- The CTO is the Commonwealth agency mandated in ICTs
- The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9 October 2013)
- Wide consultations with stakeholders
- Adopted at the Commonwealth ICT Ministers Forum on 3-4 March 2014 in London

Objectives. The Cybergovernance Model aims to guide Commonwealth members in:
- Developing policies, legislation and regulations
- Planning and implementing practical technical measures
- Fostering cross-border collaboration
- Building capacity

Commonwealth values in Cyberspace
- Based on the Commonwealth Charter of March 2013: democracy, human rights and the rule of law
- The Charter expressed the commitment of member states to the development of free and democratic societies, and to the promotion of peace and prosperity to improve the lives of all peoples, acknowledging the role of civil society in supporting Commonwealth activities
- Cyberspace, today and tomorrow, should respect and reflect the Commonwealth values
- This has led to defining Commonwealth principles for the use of Cyberspace

Commonwealth principles for use of Cyberspace
- Principle 1: We contribute to a safe and an effective global Cyberspace
- Principle 2: Our actions in Cyberspace support broader economic and social development
- Principle 3: We act individually and collectively to tackle cybercrime
- Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace

Commonwealth Principle for use of Cyberspace. Principle 1: We contribute to a safe and an effective global Cyberspace
- as a partnership between public and private sectors, civil society and users, a collective creation;
- with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace;
- where investment in Cyberspace is encouraged and rewarded;
- by providing sufficient neutrality of the network as a provider of information services;
- by offering stability in the provision of reliable and resilient information services;
- by having standardisation to achieve global interoperability;
- by enabling all to participate with equal opportunity of universal access;
- as an open, distributed, interconnected internet;
- providing an environment that is safe for its users, particularly the young and vulnerable;
- made available to users at an affordable price.

Commonwealth Principle for use of Cyberspace. Principle 2: Our actions in Cyberspace support broader economic and social development
- by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge;
- respecting cultural and linguistic diversity without the imposition of beliefs;
- promoting cross-border delivery of services and free flow of labour in a multilateral trading system;
- allowing free association and interaction between individuals across borders;
- supporting and enhancing digital literacy;
- providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government;
- enabling and promoting multi-stakeholder partnerships;
- facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests.

Commonwealth Principle for use of Cyberspace. Principle 3: We act individually and collectively to tackle cybercrime
- nations, organisations and society work together to foster respect for the law;
- to develop relevant and proportionate laws to tackle cybercrime effectively;
- to protect our critical national and shared infrastructures;
- meeting internationally recognised standards and good practice to deliver security;
- with effective government structures working collaboratively within and between states;
- with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents.

Commonwealth Principle for use of Cyberspace. Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace
- we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth;
- individuals, organisations and nations are empowered through their access to knowledge;
- users benefit from the fruits of their labours; intellectual property is protected accordingly;
- users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it;
- responsible behaviour demands that all users meet minimum cyberhygiene requirements;
- we protect the vulnerable in society in their use of Cyberspace;
- we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe;
- our obligation is in direct proportion to culpability and capability.

Development of a National Cybersecurity Strategy
- Needs support from the highest levels of government
- Adopt a multi-stakeholder partnership (private sector, public sector and civil society)
- Draw on the expertise of the international community
- Appoint a lead organisation or institution
- Be realistic and sympathetic to the commercial considerations of the private sector
- Add mechanisms to monitor and validate implementation

Main elements of a Cybersecurity Strategy
- Introduction and background
- Guiding principles
- Vision and strategic goals
- Specific objectives
- Stakeholders
- Strategy implementation

Introduction and background
- Focuses on the broad context
- Sets out the importance of Cybersecurity to national development
- Assesses the current state of Cybersecurity and its challenges
[Slide table: strategy component / aspects to consider / example text from published strategies and best practice]
1. Introduction / background
- Strategy component: This section provides a succinct background of the country's circumstances and the status of its Cybersecurity.
- Aspects to consider: Explain the importance of Cybersecurity to economic and social development. Describe the use of Cyberspace and the nature of the Cybersecurity challenges to justify the need for the Cybersecurity strategy. Explain the relationship to existing national strategies and initiatives.
- Example from published strategies: Uganda's introduction covers the definition of information security; the justification for a strategy; a country analysis of the current state of the information security framework; strategy guiding principles; vision, mission and strategic objectives. Note that this example covers the first three sections in this framework.

Guiding Principles (1/3)
- Based on the Commonwealth Cybergovernance principles
- Balance security goals with privacy and the protection of civil liberties
- Risk-based (threats, vulnerabilities and consequences)
- Outcome-focused (rather than the means to achieve it)
- Prioritised (graduated approach focusing on critical issues)
- Practicable (optimise for the largest possible group)
- Globally relevant (harmonised with international standards)

Guiding Principles (2/3): Risk-based (threats, vulnerabilities and consequences)
[Slide diagram of the risk-based planning flow, with these elements: Global and national context; Important assets and services; Cyberspace threats; Assess risk; Set priorities and objectives; Principles; National strategic goals; Strategy, governance and management; Stakeholders; Monitor implementation]

Guiding Principles (3/3)
[Slide table: strategy component / aspects to consider / example text from published strategies and best practice]
2. Guiding principles
- Strategy component: This section identifies the guiding principles for addressing Cybersecurity within which the strategy is designed and delivered.
- Aspects to consider: Build from the principles of the Commonwealth Cybergovernance model. Include any relevant national principles. Describe the delivery principles that guide the design of the goals, vision and objectives.
- Example from best practice: In addition to the Commonwealth Cybergovernance principles and national principles, the following delivery principles are recommended:
  o Risk-based. Assess risk by identifying threats, vulnerabilities and consequences, then manage the risk through mitigations, controls, costs and similar measures.
  o Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
  o Prioritised. Adopt a graduated approach and focus on what is critical, recognising that the impact of disruption or failure is not uniform among assets or sectors.
  o Practicable. Optimise for adoption by the largest possible group of critical assets and realistic implementation across the broadest range of critical sectors.
  o Globally relevant. Integrate international standards to the maximum extent possible, keeping the goal of harmonisation in mind wherever possible.

Visions & Strategic Goals
- Promote economic development
- Provide national leadership
- Tackle cybercrime
- Strengthen the critical infrastructure
- Raise and maintain awareness
- Achieve shared responsibility
- Defend the value of Human Rights
- Develop national and international partnerships

Visions & Strategic Goals

Strategy component: 3. Strategic goals and vision
This section defines what success looks like in broad summary terms and reflects the country's priorities.

Aspects to consider:
- Make a clear statement of the country's commitment to protecting the use of its Cyberspace.
- Emphasise the breadth of the use of Cyberspace, covering social and economic activity.
- Include text that can be quoted as part of the communication with wider stakeholders, e.g. a vision statement.

Example text from published strategies and best practice:
Australia's vision: "The maintenance of a secure, resilient and trusted electronic operating environment that supports Australia's national security and maximises the benefits of the digital economy."
Three pillars of the Australian strategy:
- All Australians are aware of cyber risks, secure their computers and take steps to protect their identities, privacy and finances online;
- Australian businesses operate secure and resilient information and communications technologies to protect the integrity of their own operations and the identity and privacy of their customers;
- The Australian Government ensures its information and communications technologies are secure and resilient.
Four pillars of the UK strategy:
- Tackle cybercrime and be one of the most secure places in the world to do business in cyberspace;
- To be more resilient to cyber attacks and better able to protect our interests in cyberspace;
- To have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;
- To have the cross-cutting knowledge, skills and capability it needs to underpin all our Cybersecurity objectives.

Specific Objectives
- Provide a national governance framework for securing Cyberspace
- Enhance the nation's preparedness to respond to the challenges of Cyberspace
- Strengthen Cyberspace and national critical infrastructure
- Secure national ICT systems to attract international businesses
- Build a secure, resilient and reliable Cyberspace
- Build relevant national and international partnerships and put effective political-strategic measures in place to promote Cyber safety
- Develop a culture of Cybersecurity awareness among citizens
- Promote a culture of self-protection among businesses and citizens
- Create a secure Cyber environment for the protection of businesses and individuals
- Build the skills and capabilities needed to address Cybercrime
- Become a world leader in Cybercrime-preparedness and Cybercrime-defence

Specific Objectives

Strategy component: 4. Risk management (risk-based approach and objectives)
How the risk management process works, and then setting objectives and priorities. This section describes how risk management is performed and provides a top-level analysis. It states specific and tangible targets and assigns relative priorities.

Aspects to consider:
- How risk management is currently performed, for example for national security.
- Sources of threat information and of major vulnerabilities.
- How granular to make the outcomes and objectives.
- How frequently to repeat the risk assessment process.

Example text from published strategies and best practice (source: Microsoft's guidance, listed in appendix 3):
- A clear structure for assessing and managing risk
- Understand national threats and major vulnerabilities
- Document and review risk acceptance and exceptions
- Set clear security priorities consistent with the principles
- Make national cyber risk assessment an on-going process
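A worked illustration of the risk-based, prioritised approach described in the guiding principles and the risk-management component above (an added example, not material from the workshop or from the cited Microsoft guidance): a small national risk register scored on threat, vulnerability and consequence, ranked into graduated tiers so that critical assets are addressed first, with documented risk acceptances retained for review rather than dropped. Asset names, sectors and scores are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One entry in a national risk register (constructed example, not real data)."""
    name: str
    sector: str
    threat: int         # 1-5: likelihood that a threat actor targets the asset
    vulnerability: int  # 1-5: how exposed the asset is to known weaknesses
    consequence: int    # 1-5: impact of disruption or failure; not uniform across sectors
    accepted: str = ""  # documented risk acceptance or exception, if any

    def risk(self) -> int:
        # Likelihood (threat x vulnerability) scaled by consequence; range 1-125.
        return self.threat * self.vulnerability * self.consequence


def tier(score: int) -> str:
    """Graduated tiers: the strategy focuses effort on the top tier first."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def prioritise(register: list[Asset]) -> list[Asset]:
    """Assets still needing mitigation, highest risk first; accepted risks are excluded."""
    pending = [a for a in register if not a.accepted]
    return sorted(pending, key=lambda a: (-a.risk(), a.name))


def exceptions_for_review(register: list[Asset]) -> list[Asset]:
    """Accepted risks above the 'low' tier must be re-examined in the next assessment cycle."""
    return [a for a in register if a.accepted and tier(a.risk()) != "low"]


# Constructed sample register; the scores are illustrative only.
SAMPLE_REGISTER = [
    Asset("National payment switch", "finance", 5, 3, 5),
    Asset("Port logistics portal", "transport", 4, 4, 4),
    Asset("Tourism ministry website", "government", 3, 4, 2),
    Asset("Legacy tax filing server", "government", 4, 5, 4,
          accepted="Decommission scheduled; interim network isolation in place"),
    Asset("Public library wifi", "education", 2, 3, 1),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{tier(a.risk()):8} {a.risk():3} {a.sector:10} {a.name}")
    for a in exceptions_for_review(SAMPLE_REGISTER):
        print("review accepted risk:", a.name, "->", a.accepted)
```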

Stakeholders
- Policy makers and other government departments
- Independent agencies (security, emergency and health/safety)
- Private sector
- Civil society and independent practitioners
- Academia and research institutions
- International bodies

Specific Objectives

Strategy component: 4. Stakeholders
This section identifies key participants in the development and delivery of the strategy. Roles and responsibilities should be clearly defined using RACI terminology (see appendix 5).

Aspects to consider:
- Identify all relevant key stakeholders, taking into consideration country objectives and focus areas.
- Identify key international stakeholders and partners that could contribute effectively.
- Draw stakeholders from governmental and nongovernmental organizations, civil societies, academia, and the public and private sectors of the economy. These should include, but are not limited to, software and equipment vendors, owners and operators of CII, law enforcement institutions, etc.

Example text from published strategies and best practice:
In constructing the list of stakeholders, the following constituencies should be considered:
- ministers and other politicians;
- government departments concerned with ICT, telecommunications and information security;
- private sector organisations that provide ICT services;
- government departments whose responsibilities rely upon or who engage with Cyberspace, including most economic activity, trade, tourism and law enforcement;
- providers of the critical national infrastructure, whose vital communications are increasingly carried across the internet;
- companies across the economy that rely upon Cyberspace, often represented by trade associations;
- representatives of civil society, often in the form of groups that reflect broad public opinion and can advise on the best way to achieve outcomes involving the public;
- civil society organisations that represent particular parts of society or interest groups and can explain, for example, the needs of the young, of women, of rural communities and of the vulnerable;
- experts who understand how Cyberspace works from a technical perspective, to ensure that government strategies are practical;
- academia, who can advise on R&D, international best practice and emerging issues;
- international bodies such as the Commonwealth Telecommunications Organisation;
- other countries, particularly regional countries.

Strategy Implementation
- Governance and management structure
- Legal and regulatory framework
- Capacity development
- Awareness and outreach programmes
- Incident response
- Incentivize commercial competitors to cooperate
- Create national CERTs
- Stakeholder collaboration
- Research and development
- Monitoring and evaluation

Strategy Implementation

Discussion Session

Further Information
Contact: Lasantha De Alwis
Email: L.DeAlwis@cto.int
Tel: +44 (0) 208 600 3814 (Office)
Email: michael@stjohn-green.co.uk