Why the Private Sector is Key to Cyber Defence


Presentation made at Cyber Defence 2010 (National Security in a Borderless World), in Tallinn, Estonia on 17th May 2010, covering "Why the Private Sector is Key to Cyber Defence".


  1. Why the Private Sector is Key to Cyber Defence. Gareth Niblett, Chairman, BCS ISSG, 18th May 2010
  2. About your Speaker
     Overview:
     Chairman of the BCS ISSG, a security specialist group with over 3,500 members from BCS, the Chartered Institute for IT, where he is involved in a number of initiatives focused on improving security and safety.
     Currently working as a managing consultant providing business advisory services and solutions focussed on security, privacy and compliance, especially in relation to communications and online services.
     Previously Chief Information Security Officer (CISO) of a national communications and IT services company where he had group wide responsibility for all aspects of information security, participating in government and industry forums focussed on infrastructure protection, emergency services, resilience and response, internet safety, next generation network assurance and secure network interoperability.
     Recent Collaborative Efforts:
       • BCS Security Community of Expertise
       • British Business Federation Authority (BBFA)
       • Centre for the Protection of National Infrastructure (CPNI) sponsored UK Network Security Information Exchange (NSIE)
       • Electronic Communications Resilience & Response Group (EC-RRG)
       • EURIM e-Crime Working Group
       • Internet Watch Foundation (IWF) Funding Council
       • Network Interconnection Consultative Committee (NICC) Security Group
       • 999/112 Liaison Committee
     Presentation to Cyber Defence 2010
  3. 01 Critical National Infrastructure (CNI): What is critical and why
  4. What is Critical National Infrastructure?
     Critical National Infrastructure (CNI) is the collective term for those services that are essential to the economic, social and political wellbeing of a country.
     CNI can be categorised into 10 sectors: communications, emergency services, energy, finance, food, government and public services, health, public safety, transport and water.
       • Not everything is critical
       • Each sector is different
       • Many sectors privately held
     Overview of CNI Sectors (diagram): Communications, Emergency Services, Energy, Finance, Food, Gov. & Public Services, Health, Public Safety, Transport, Water
  5. Why are these Sectors Critical?
     Without Communications, your telephones (fixed and mobile) and Internet access stop working properly; you become unable to call, fax, text, e-mail, browse or otherwise transfer information.
     Without Energy, your home goes dark and you can’t get online, although your telephone may work (while the telcos’ batteries / generators hold out); you can’t get fuel for your vehicle or home, and businesses start shutting down.
     Without Finance, your bank account and card stop working, so you can’t withdraw cash, buy groceries, pay for fuel / travel, or pay bills. Finance relies on Communications for transfers, online & phone banking.
     And so on…
     Critical National Infrastructure is a complex web of vital interdependent services, which are all dependent on technology, creating new risks.
  6. 02 Why the Private Sector is Critical: Or, why governments can’t just do it themselves
  7. Why rely on the Private Sector?
     Governments no longer own and control significant portions of their country’s critical national infrastructure. This varies by country but is a growing trend, due to consolidation and globalisation. Also, critical infrastructure now crosses borders and may be under foreign control.
     Companies once government owned may have been privatised and are now outside of direct government control; or companies that may never have been under government control in the past, being independent commercial ventures, have become critical to a nation’s infrastructure.
     As with every rule there are exceptions and complications. Even with partial government control of a business, such as when there has been a financial bailout or the sector is strictly regulated, governments may still struggle to deal with CNI issues without clear rules and co-operation.
  8. Private Sector is Key to Cyber Defence
     If online government & banking services start collapsing under a deluge of sustained access attempts coming from thousands of worldwide sources, it would take an internationally co-ordinated effort between finance, government and communications to identify and mitigate the threat.
     If a leading global search engine and dozens of other leading businesses are extensively compromised, possibly by a foreign intelligence service, exposing sensitive company and customer information, including trade secrets and source code, surely governments might be interested.
     If a national power grid uses legacy SCADA systems, now connected internally via IP, that may be susceptible to exploitation via the Internet by foreign nationals, then this exposure is of interest not only to government but to all the other sectors of critical national infrastructure.
     And so on…
  9. 03 Information Sharing: Government, industry and cross-sector collaboration
  10. Why is Information Sharing Important?
      Sharing information about the risks facing critical national infrastructure is beneficial to both government and industry. If each party can privately learn from the experiences, mistakes, and successes of the others, then they can all improve their level of assurance.
      No government, sector or company can operate in isolation in the modern, interconnected and dependent world. Without information sharing, it may not be possible to find out about risks whose impacts may affect you; therefore you are unable to adequately protect or prepare.
      Companies will be reticent in sharing commercially sensitive information without a similar reciprocal arrangement. If government does not engage in a positive two-way dialogue with the private sectors that form part of CNI then they are likely to be unaware of all the risks facing the country.
  11. How does Information Sharing occur?
       • Public Education – publication of information security standards, user awareness, education campaigns, threat assessments (warning levels)
       • Private Advice – restricted information on physical, personnel and electronic threats and vulnerabilities along with mitigation approaches
       • Information Exchanges – trusted government & sector representatives sharing sensitive info on threats, vulnerabilities, incidents and intelligence
       • Standards Development – collaborative working to define standards for information assurance, e.g. in Next Generation Networks (NGNs)
       • Policy Development – arrangements to help ensure security, such as staff vetting and procurement rules for critical components and services
       • Planning Exercises – joint government / industry crisis workshop looking at complex scenarios, e.g. loss of power and / or communications
  12. 04 Private Sector Support: How assistance is given to cyber defence & investigations
  13. What Support does Private Sector give?
      Example: in many countries the communications sector has been privatised and opened up to competition, but it is regulated and is generally co-operative with lawful requests and in supporting CNI. It is often best placed to support efforts in cyber defence through a variety of routes, such as:
       • Lawful Interception – targeting content of voice & data communications
       • Data Retention & Disclosure – communications related data records
       • Filtering Illegal Content – blocking or removing child sexual abuse images, terrorism material, defamatory or inciting statements etc.
       • Filtering Unwanted Content – spam, phishing, malware, DDoS etc.
       • Online Investigations – hacking, botnets, copyright infringement etc.
       • Infrastructure Protection – building and operating to secure standards
       • Resilience & Response – robust networks but responsive to incidents
  14. 05 Lessons Learned: What events have taught us about improving collaboration
  15. How can we Improve Things?
      Countries need to recognise that government does not own all of CNI and that they cannot provide adequate cyber defence in isolation.
      More effort is required to establish effective Public-Private Partnerships, both nationally and internationally – with a focus on consistency.
      Information sharing must be two-way and include information that is not, and should not be, in the public domain to be of significant benefit.
      Joint exercises simulating response to realistic scenarios with a large scale impact on CNI – business continuity plan testing at a national scale.
      Planning will not highlight all the things that will occur in a real event, be it a physical terrorist attack, or an online cyber attack – a flexible and agile defence is needed. This can only be achieved through collaboration between governments and the private sector that forms much of CNI.
  16. And Finally…
      Questions welcome, either now or later.
      More of me:
       • Blog: http://www.infosecmaven.org/
       • Twitter: http://twitter.com/INFOSEC_Maven
       • LinkedIn: http://uk.linkedin.com/in/garethniblett
      If you want direct contact details, please ask…