A National Approach to Cyber Security/CIIP:
Raising awareness
Objectives
• Propose a way of thinking about Cyber Security/CIIP
• A FRAMEWORK
• Identify key elements of the FRAMEWORK and relationships among them
• Suggest methods for building a national consensus on FRAMEWORK and on implementation actions.
10/18/10
Cybersecurity: Why Worry?
• Nation is dependent on ICTs
  • Economic wellbeing
  • National security
  • Social cohesion
• Risk is inherent in ICT use
  • Vulnerabilities
  • Threats
  • Interdependences
• Conclusion: Action is required
Cybersecurity: Who’s responsible?
“Government, business, other organizations, and individual users who develop, own, provide, manage, service and use information systems and networks”
- UNGA Resolution 57/239 Creation of a global culture of cybersecurity
Collectively known as The Participants
Participants: What should they do?
AWARENESS: Be aware of the need for security and what they can do to enhance it.
RESPONSIBILITY: Review their own security policies, practices, measures and procedures regularly and assess appropriateness.
RESPONSE: Act in a timely and cooperative manner to prevent, detect and respond to security incidents.
In a manner appropriate to their roles
See: UNGA Res 57/239.
Cybersecurity responsibility
It’s SHARED
All participants must be responsible
Each participant must take action -- appropriate to its role in the overall system
Government has responsibility to lead
Government lead: What does it do?
1. Ensure all participants are aware of security
2. Promote responsibility, and
3. Assure coordinated response by participants; using
  • A common national vision
  • Policy and institutional frameworks
Government lead: How?
1. Conduct a national Cybersecurity Self-Assessment: take stock
2. Promulgate a National Cybersecurity Strategy: vision for action
Cyber security scope
What is meant by cybersecurity?
• ITU documents speak of “Enhancing security and building confidence in the use of ICT applications”
• UNGA resolutions 57/239 and 58/199 speak of “a culture of cyber security in the application and use of information technologies” and in the protection of critical information infrastructures.
• Others speak in terms such as cyberspace, the Internet and the information society.
Cyber security scope
Recognizing there is no fixed definition, a national approach to cybersecurity should include
• Physical security of the information infrastructure
• Virtual security, and
• Human aspects of the use of ICTs, including interactions among people
Key documents
UNGA Resolutions:
• 64-211 Taking stock of cybersecurity needs and strategies
• 58-199 Creation of a global culture of cybersecurity and the protection of critical information infrastructures
• 57-239 Creation of a global culture of cybersecurity
• 56-121 Combating the criminal misuse of information technologies
• 55-63 Combating the criminal misuse of information technologies
See: http://www.un.org/documents/resga.htm
Key documents
• ITU National Cybersecurity/CIIP Self-Assessment Tool
• ITU Q.22/1 Report On Best Practices For A National Approach To Cybersecurity: Building Blocks For Organizing National Cybersecurity Efforts
• ITU Cybercrime Resources:
  • ITU Toolkit For Cybercrime Legislation
  • ITU Publication on Understanding Cybercrime – A Guide for Developing Countries
See: http://www.itu.int/ITU-D/cyb/cybersecurity/index.html
Take Stock: Self-Assessment - What is it?
• An identification and evaluation of the existing national approach to cyber security.
  • Policies
  • Procedures
  • Mechanisms
  • Norms
  • Institutions
  • Relationships
• What are we doing?
• What should we be doing?
• Input for a National Cybersecurity Strategy
Vision: National Strategy - What is it?
A Policy Document that Provides a National Vision:
• Outlines the case for national action
• Identifies participants and their roles
• Elaborates organizational responsibilities
• Establishes policy and operational structures
• Addresses key elements of cybersecurity
• Lays out a plan of action
Getting Started
• The Audience
  • Who are they?
  • What is their level of awareness and response?
  • What decisions have already been taken?
• The Participants
  Those entities and persons who
  • Will prepare and comment on the Self-Assessment and the National Strategy,
  • Will implement the National Strategy
  They come from
  • Government
  • Business and Industry
  • Academia
  • Civil Society
Getting Started
• The Case for Action
  • Role of ICTs in the nation
  • Vulnerabilities and threats
  • Risks to be managed
• The stage for Cybersecurity: Relationship to other national goals and objectives
  • Economic and Development goals
  • Industry goals
  • Social goals
  • Security goals
key elements
Key Elements of a National Cybersecurity Strategy
• Legal Framework
• Culture of Cybersecurity
• Incident Management
• Collaboration and Information Exchange
objectives
For each key element
• A statement of policy
• Identify and prioritize goals to support policy
• Elaborate specific steps to reach goals
Other considerations
• Resources
  • Budget and financing
  • Equipment and technology
  • Human capacities
• Timeframes and milestones
• Priorities
• Reviews and reassessments
Output
Self-assessment provides: Input to a National Cybersecurity Strategy
A set of Findings and Recommendations
• With supporting documentation
• Reviewed by all participants
That provide the basis for policy decisions and a program of action to address cybersecurity
• Promulgated at a level to ensure action by all participants
Conclusion
Use of a National Cyber Security Self–Assessment to produce a National Cyber Security Strategy can assist governments:
• Understand the existing national approach
• Develop “baseline” on best practices
• Identify areas for attention
• Prioritize national efforts
• Promote national action
and assist with regional and international coordination and cross-border cooperation
Final Observations
No nation starts at ZERO
No “right” answer
Continual review and revision needed
All “participants” must be involved, appropriate to their roles
Questions?