Cybersecurity: Public Sector Threats and Responses

Kim Andreasson Managing Director DAKA advisory AB Indonesia Information Security Forum (IISF) Hotel Hilton Bandung, 10 October 2012 Cybersecurity: Public Sector Threats and Responses


Presentation from Kim Andreasson, Managing Director, DAKA advisory AB in Indonesia Information Security Forum 2012

Transcript of Cybersecurity: Public Sector Threats and Responses

Page 1: Cybersecurity: Public Sector Threats and Responses

Kim Andreasson

Managing Director

DAKA advisory AB

Indonesia Information Security Forum (IISF)

Hotel Hilton Bandung, 10 October 2012

Cybersecurity: Public Sector Threats and Responses

Page 2: Cybersecurity: Public Sector Threats and Responses

Presentation overview

An introduction to cyber security in the public sector

Cyber threats

Public sector responses

Steps towards a more resilient organizational cyber security strategy

Conclusion

Page 3: Cybersecurity: Public Sector Threats and Responses

Understanding cyber security in the public sector

A convergence of three trends:

1. Globalization

2. Connectivity

3. E-government

Page 4: Cybersecurity: Public Sector Threats and Responses

1. Globalization

ICTs contribute strongly to economic growth and better social outcomes

Benchmarking the information society is important in order for policy-makers to understand the factors behind it and how to achieve improved outcomes

Most benchmarks include a component of e-government

Page 5: Cybersecurity: Public Sector Threats and Responses

2. Connectivity

The world will go from 2bn Internet users in 2010 to 5bn in 2015

An opportunity to improve service delivery

An opportunity to leapfrog

[Chart: Mobile subscriptions per 100 inhabitants, 2000 to 2010. Series: developed countries; developing countries. Labelled data points: 114.2 and 70.1]

The developed/developing country classifications are based on the UN M49, see: http://www.itu.int/ITU-D/ict/definitions/regions/index.html

Source: ITU World Telecommunication/ICT Indicators database

Page 6: Cybersecurity: Public Sector Threats and Responses

3. E-government

Information and service delivery

Transparency and accountability

Link to broader development objectives

Digital by default

Page 7: Cybersecurity: Public Sector Threats and Responses

3.1. Supply of e-government

Benchmarking global e-government development since 2003 to “inform and improve the understanding of policy makers’ choices to shape their e-government programs” (UN 2004)

The survey measures “the willingness and capacity of countries to use online and mobile technology in the execution of government functions” (UN 2010)

Page 8: Cybersecurity: Public Sector Threats and Responses

3.2. E-government progress

http://www.archive.org

Page 9: Cybersecurity: Public Sector Threats and Responses

3.3. Demand for e-government

In 1990, the American tax authority, the IRS, said 4m people used online tax filing (the first year such service was available)

In 2000, the number filing their taxes online had risen to 35m

In 2010, 100m Americans used e-file

Page 10: Cybersecurity: Public Sector Threats and Responses

Enter cyber security

An increase in usage means an increase in dependency

About 75% of organizations suffer from a cyber attack every year

Attacks can compromise trust in e-government

Page 11: Cybersecurity: Public Sector Threats and Responses

Categorizing cyber threats

Politically motivated threats: cyber warfare, cyber terrorism, espionage and hacktivism

Non-politically motivated threats: typically financially motivated, such as cyber crime, intellectual property theft, and fraud, but also hacking for fun or retribution, for example, from a disgruntled employee

Page 12: Cybersecurity: Public Sector Threats and Responses

Understanding cyber threats

“When we first started this process… agencies didn’t know what they didn’t know.”

-Karen S. Evans Administrator for E-Government and Information Technology in testimony before the House Committee on Homeland Security, February 28, 2008

What is the risk?

Is there control?

Can you live with the residual risk?

What is your response plan when services become compromised?

Page 13: Cybersecurity: Public Sector Threats and Responses

Public sector responses

The public sector is different as it must consider, for example:

Tension between transparency and privacy

Cost optimization; agencies often only seek to meet minimum standards

Build closer relations with other stakeholders, including the private sector

Key performance indicators (KPIs)

But one thing remains the same: Cyber security is a global phenomenon and a challenge for every organization. It must be dealt with at all levels, from the international arena to the regional, national and local levels

Page 14: Cybersecurity: Public Sector Threats and Responses

Global cyber security agenda

1. Legal measures

2. Technical and procedural measures

3. Organizational structures

4. Capacity building

5. International cooperation

Page 15: Cybersecurity: Public Sector Threats and Responses

The problem for organizational cyber security

People!

According to the Data Breach Investigations Report from Verizon, an American telecommunications firm, 85% of confirmed cyber breaches were not considered very difficult and 96% were avoidable

More work is needed to create and maintain comprehensive yet clearly communicated cyber security policies that are enforced

Page 16: Cybersecurity: Public Sector Threats and Responses

Steps towards a more resilient organizational cyber security strategy

1. Close the gap between IT and management

2. Improve awareness and education

3. Capture technology trends, including the move from e-government to m-government

Page 17: Cybersecurity: Public Sector Threats and Responses

Step #1: Close the gap between IT and management

Assess underlying factor(s), e.g. user awareness based on an internal survey

Translate results into KPIs, e.g. average user awareness

Communicate key message to management, e.g. the meaning of score(s) and their importance related to other issue(s)

Page 18: Cybersecurity: Public Sector Threats and Responses

Step #2: Improve awareness and education

Make people SMART:

Specific

Measurable

Attainable

Relevant

Time-bound

ICT skills divide

Governments cannot go it alone; a role for the private sector and NGOs

Page 19: Cybersecurity: Public Sector Threats and Responses

Step #3: Track trends, such as mobility

New threats: from spam to spim and mobile malware

New challenges: insecure wireless connections, missing (stolen) devices, data loss, “always on” connections

Same answers: comprehensive and clearly communicated policies that are measurable

Page 20: Cybersecurity: Public Sector Threats and Responses

Conclusion: measure cyber security at all levels

Compared with just a decade ago, governments have made significant progress in expanding ICT access

But just as crime has always been part of history, cyber security is likely to continue well into the future, especially since the two are increasingly intertwined

There is a demand for measurement at all levels in order to give policy-makers and public sector managers data, tools and benchmarks to better understand cyber security from a policy perspective and to communicate that message

Every case is different, yet fundamentally the same

Page 21: Cybersecurity: Public Sector Threats and Responses

Thank you

www.DAKAADVISORY.com