Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Critical Information Infrastructure Protection
Perspective on Cloud Computing Services
CIIP Workshop
Gaborone, Botswana
23...
Acknowledgement
Ministry of Transport &
Communications
Botswana
Table of Content
Session 1: Understanding CIIP & Challenges
Session 2: Cloud Computing Today
Session 3: CIIP Perspective o...
Session 1:
Understanding CIIP & Challenges
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March...
© Commonwealth Telecommunications Organisation | www.cto.int
Understanding CIIP
•  Critical Resources
General definition
•...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Resources
7
Water Energy Forests
Defined by some nat...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure (1/3)
8
Airports Power Grid Roads
Def...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure (2/3)
9
“ the assets, systems, and ne...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure (3/3)
10
“ those physical facilities,...
© Commonwealth Telecommunications Organisation | www.cto.int
What about developing countries?
11
Q) Does your country have...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure Sectors (1/2)
12
•  European Commissi...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Infrastructure Sectors (2/2)
13
•  Provisional Criti...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Information Infrastructure (1/2)
14
CII definition:-...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Information Infrastructure (2/2)
15
Cri$cal	
  Infra...
© Commonwealth Telecommunications Organisation | www.cto.int
Critical Information Infrastructure Protection (CIIP)
16
•  W...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Today Critical Information Infrastructure Protection (CIIP...
© Commonwealth Telecommunications Organisation | www.cto.int
CII Attack Scenarios
Telecoms	
  
Health	
  Services	
  	
  
...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Expanding Infrastructures
–  Fiber optic connectivity
o  T...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Increased awareness for CIIP & cyber security
–  Countries...
© Commonwealth Telecommunications Organisation | www.cto.int
Challenges for developing countries
#1: Cost and lack of (lim...
© Commonwealth Telecommunications Organisation | www.cto.int
#2: Technical complexity in deploying CIIP
–  Need to underst...
© Commonwealth Telecommunications Organisation | www.cto.int
#3: Limited knowledge on how to identify and classify critica...
© Commonwealth Telecommunications Organisation | www.cto.int
#4: Need for Cybersecurity education & culture re-think
–  Cr...
© Commonwealth Telecommunications Organisation | www.cto.int
#5: Lack of relevant CII strategies, policies & framework
–  ...
© Commonwealth Telecommunications Organisation | www.cto.int
Session 1: Group Discussions
26
Question
What’s the CII defin...
Session 2:
Cloud Computing Today
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing
28
Should Cloud Computing be considered a Cri...
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
29
•  Earlier approach not sca...
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
30
•  Spread associated costs ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing Deployment Models
31
Private Cloud
(Hosted In...
© Commonwealth Telecommunications Organisation | www.cto.int
Some of the benefits of Cloud Computing
32
Reduced Capital & ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing
33
Simple definition
Cloud Computing = Softwa...
© Commonwealth Telecommunications Organisation | www.cto.int
Software as a Service (SaaS)
34
SaaS characteristics:-
•  Fro...
© Commonwealth Telecommunications Organisation | www.cto.int
Platform as a Service (PaaS)
35
PaaS characteristics:-
•  Fro...
© Commonwealth Telecommunications Organisation | www.cto.int
Infrastructure as a Service (IaaS)
36
IaaS characteristics:-
...
© Commonwealth Telecommunications Organisation | www.cto.int
Data as a Service (DaaS)
37
DaaS characteristics:-
•  Data->I...
© Commonwealth Telecommunications Organisation | www.cto.int
Uptake of Cloud Computing
38
MicrosoS's	
  Data	
  Center,	
 ...
© Commonwealth Telecommunications Organisation | www.cto.int
Who is leading the cloud market today?
© Commonwealth Telecommunications Organisation | www.cto.int
Session 2: Group Discussions
40
Question
What is the level of...
Session 3:
CIIP Perspective of Cloud Computing
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 M...
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
42
Large cloud providers
can d...
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
43
Japan Earthquake 2011
•  Cl...
© Commonwealth Telecommunications Organisation | www.cto.int
Concentration of ICT Resources
44
Lightening Strike Dublin 20...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
45
Critical in themselves
Cloud Computing serv...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
46
e.g. Cloud based eHealth Record Platform
Cr...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
47
Most CIIP action plans address two major is...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud and CIIP
48
(2) Cyber attacks with a large impact
•  In...
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (1/4)
49
Continuity of services & infrastru...
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (2/4)
50
Powerplants	
  
Regional	
  
Power...
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (3/4)
51
Software as a service dependencies
© Commonwealth Telecommunications Organisation | www.cto.int
CIIP Dependencies (4/4)
52
Hospitals	
  
Power	
  plant	
  
A...
© Commonwealth Telecommunications Organisation | www.cto.int
Session 3: Group Discussions
53
Question
List (at least 3) kn...
Session 4:
Cloud Computing CIIP Scenarios
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
55
CII attack vectors
Telecoms...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
56
Four (4) scenarios where Cl...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
57
Datacenter	
  Datacenter	
 ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
58
Key Points:
•  Software fla...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
59
(2) Health Services
•  By 2...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
60
Datacenter	
  Datacenter	
 ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
61
Key Point:
•  Cloud computi...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
62
(3) e-Government Services
•...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
63
Datacenter	
  Datacenter	
 ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
64
Key Point:
•  eGovernment s...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
65
(4) Cloud Services
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
66
Datacenter	
  Datacenter	
 ...
© Commonwealth Telecommunications Organisation | www.cto.int
Cloud Computing CIIP Scenarios
67
Key Point:
•  The impact of...
© Commonwealth Telecommunications Organisation | www.cto.int
Session 4: Group Discussions
68
Question
What practical measu...
Session 5:
Steps towards CI Protection
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 2015
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
70
(1) Establish CIP Goals, e.g.
...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
71
(2) Define CIP Roles
Define Po...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
72
CIP	
  Coordinator	
  
(ExecuB...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
73
(3) Identify & Prioritize Crit...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI Protection
74
(4) Continuously Assess and Ma...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CI protection
75
•  Develop joint PPP plans for...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CII protection
76
•  Promote trusted relationsh...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CII protection
77
•  Ability to prepare for and...
© Commonwealth Telecommunications Organisation | www.cto.int
Steps towards CII protection
78
•  Cyber threats are constant...
© Commonwealth Telecommunications Organisation | www.cto.int
Session 5: Group Discussions
79
Question
•  What should be th...
Session 6:
Cybersecurity Threat Horizon
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 March 20...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Increased penetration of smart phones
–  Lower costs (~$80...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Expanding Infrastructure
–  SAT3/GLO/WACS/ACE etc
e.g. 6Km...
© Commonwealth Telecommunications Organisation | www.cto.int
•  2014 global cyber attacks assessment shows
–  Africa accou...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Use of ICT to commit acts of terrorism
–  Planning, co-ord...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Cyber attacks targeting government websites
–  Defacement ...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Low level of security provisions
–  Inadequate control and...
© Commonwealth Telecommunications Organisation | www.cto.int
Success of above needs full government support
•  Legal frame...
© Commonwealth Telecommunications Organisation | www.cto.int
Success of above needs full government support
•  Development...
© Commonwealth Telecommunications Organisation | www.cto.int
Success of above needs full government support
•  Cybersecuri...
Session 7:
Commonwealth Cybergovernance Model
Presenter
Dr Martin Koyabe (CTO)
CIIP Workshop
Gaborone, Botswana
23 – 24 Ma...
© Commonwealth Telecommunications Organisation | www.cto.int
Trends in Cyberspace
•  Cyberspace provides access to ICT
–  ...
© Commonwealth Telecommunications Organisation | www.cto.int
Why a Commonwealth Model
•  Contrasting views emerging across...
© Commonwealth Telecommunications Organisation | www.cto.int
Objectives
The Cybergovernance Model aims to guide Commonweal...
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Values in Cyberspace
•  Based on Commonwealth Ch...
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 1: We ...
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 2: Our...
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 3: We ...
© Commonwealth Telecommunications Organisation | www.cto.int
Commonwealth Principle for use of Cyberspace
Principle 4: We ...
Commonwealth Approach
for Developing
National Cybersecurity
Strategies
© Commonwealth Telecommunications Organisation | www.cto.int
Development of a Nation Cybersecurity Strategy
•  Need suppor...
© Commonwealth Telecommunications Organisation | www.cto.int
Main elements of a Cybersecurity Strategy
•  Introduction and...
© Commonwealth Telecommunications Organisation | www.cto.int
Introduction & Background
•  Focuses on the broad context
•  ...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Based on Commonwealth Cybergovernance principles
•  Balanc...
© Commonwealth Telecommunications Organisation | www.cto.int
Guiding Principles (2/2)
104
STRATEGY	
  COMPONENTS ASPECTS	
...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Promote economic development
•  Provide national leadershi...
© Commonwealth Telecommunications Organisation | www.cto.int 106
STRATEGY	
  COMPONENTS ASPECTS	
  TO	
  CONSIDER EXAMPLE	...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Provide a national governance framework for securing Cyber...
© Commonwealth Telecommunications Organisation | www.cto.int 108
STRATEGY	
  COMPONENTS ASPECTS	
  TO	
  CONSIDER EXAMPLE	...
© Commonwealth Telecommunications Organisation | www.cto.int 109
Stakeholders
CIP	
  Coordinator	
  
(ExecuBve	
  
Sponsor...
© Commonwealth Telecommunications Organisation | www.cto.int 110
STRATEGY	
  COMPONENTS ASPECTS	
  TO	
  CONSIDER EXAMPLE	...
© Commonwealth Telecommunications Organisation | www.cto.int
•  Governance and management structure
•  Legal and regulator...
© Commonwealth Telecommunications Organisation | www.cto.int 112
Strategy Implementation
© Commonwealth Telecommunications Organisation | www.cto.int
What Next? Upcoming CIIP Workshops
113
Yaounde, Cameroon
Jan-...
© Commonwealth Telecommunications Organisation | www.cto.int
Further Information Contact:
Dr Martin Koyabe
Email: m.koyabe...
Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed
Upcoming SlideShare
Loading in …5
×

Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed

369 views

Published on

  • Be the first to comment

  • Be the first to like this

Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed

  1. 1. Critical Information Infrastructure Protection Perspective on Cloud Computing Services CIIP Workshop Gaborone, Botswana 23 – 24 March 2015 Presenter Dr Martin Koyabe (CTO)
  2. 2. Acknowledgement Ministry of Transport & Communications Botswana
  3. 3. Table of Content Session 1: Understanding CIIP & Challenges Session 2: Cloud Computing Today Session 3: CIIP Perspective of Cloud Computing Session 4: Cloud Computing CIIP Scenarios Session 5: Steps Towards a CI Protection Session 6: Cybersecurity Threat Horizon Session 7: Commonwealth Cybergovernance model
  4. 4. Session 1: Understanding CIIP & Challenges Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  5. 5. © Commonwealth Telecommunications Organisation | www.cto.int Understanding CIIP •  Critical Resources General definition •  Critical Infrastructure •  Critical Information Infrastructure Interdependencies
  6. 6. © Commonwealth Telecommunications Organisation | www.cto.int Critical Resources 7 Water Energy Forests Defined by some national governments to include:- •  Natural & environmental resources (water, energy, forests etc) •  National monuments & icons, recognized nationally & internationally
  7. 7. © Commonwealth Telecommunications Organisation | www.cto.int Critical Infrastructure (1/3) 8 Airports Power Grid Roads Defined by some national governments to include:- •  Nation’s public works, e.g. bridges, roads, airports, dams etc •  Increasingly includes telecommunications, in particular major national and international switches and connections
  8. 8. © Commonwealth Telecommunications Organisation | www.cto.int Critical Infrastructure (2/3) 9 “ the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Source: US Homeland Security “ the (CNI) comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could either, cause large-scale loss of life; have a serious impact on the national economy; have other grave social consequences for the community; or be of immediate concern to the national government.” Source: UK Centre for the Protection of National Infrastructure (CPNI) “ an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.” Source: European Union (EU)
  9. 9. © Commonwealth Telecommunications Organisation | www.cto.int Critical Infrastructure (3/3) 10 “ those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defense and ensure national security.” Source: The Australian, State & Territory Government “ processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and Significant harm to public confidence. Source: Government of Canada “those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation” Source: National Critical Information Infrastructure Protection Centre (NCIIPC)
  10. 10. © Commonwealth Telecommunications Organisation | www.cto.int What about developing countries? 11 Q) Does your country have a critical infrastructure framework?
  11. 11. © Commonwealth Telecommunications Organisation | www.cto.int Critical Infrastructure Sectors (1/2) 12 •  European Commission (EC) provides an indicative list of 11 critical sectors Energy   ICT   Water   Food   Health   Financial   Public  &  Legal   Order  and   Safety   Civil   AdministraBon   Transport   Chemical  and   Nuclear   Industry   Space  &   Research  
  12. 12. © Commonwealth Telecommunications Organisation | www.cto.int Critical Infrastructure Sectors (2/2) 13 •  Provisional Critical Infrastructure list for Bangladesh Energy   (Oil/Gas)   Telecoms   Transport   (Roads)   Monuments/ Buildings   Water   Financial   ICT   Source: CTO CIIP Workshop, Dhaka, Bangladesh (Sep 2014)
  13. 13. © Commonwealth Telecommunications Organisation | www.cto.int Critical Information Infrastructure (1/2) 14 CII definition:- “ Communications and/or information service whose availability, reliability and resilience are essential to the functioning of a modern economy, security, and other essential social values.” Rueschlikon Conference on Information Policy Report, 2005
  14. 14. © Commonwealth Telecommunications Organisation | www.cto.int Critical Information Infrastructure (2/2) 15 Cri$cal  Infrastructures   Telecoms   Energy   Transporta$on   Finance/Banking   Government  Services   Large  Enterprises   End-­‐users   Critical Information Infrastructure Cross-cutting ICT interdependencies among all sectors Cyber security Practices and procedures that enable the secure use and operation of cyber tools and technologies Non-essential IT Systems Essential IT Systems
  15. 15. © Commonwealth Telecommunications Organisation | www.cto.int Critical Information Infrastructure Protection (CIIP) 16 •  Widespread use of Internet have transformed stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity. •  ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks. •  ICT or Information infrastructure enables large scale processes throughout the economy, facilitating complex interactions among systems across global networks; and many of the critical services that are essential to the well-being of the economy are increasingly becoming dependent on IT.
  16. 16. © Commonwealth Telecommunications Organisation | www.cto.int •  Today Critical Information Infrastructure Protection (CIIP) –  Focuses on protection of IT systems and assets o  Telecoms, computers/software, Internet, interconnections & networks services –  Ensures Confidentiality, Integrity and Availability o  Required 27/4 (365 days) o  Part of the daily modern economy and the existence of any country Critical Information Infrastructure Protection (CIIP) Telecom   Network   Power     Grid   Water   Supply   Public   Health   NaBonal   Defence   NaBonal   Defence   Law   Enforcement  
  17. 17. © Commonwealth Telecommunications Organisation | www.cto.int CII Attack Scenarios Telecoms   Health  Services     Cloud  Services   Finance/Banking   eGovernment   Critical Information Infrastructure (CII) Cross-cutting ICT interdependencies among all sectors Natural disaster, power outage, or hardware failure Resource exhaustion (due to DDoS attack) Cyber attack (due to a software flaw)
  18. 18. © Commonwealth Telecommunications Organisation | www.cto.int •  Expanding Infrastructures –  Fiber optic connectivity o  TEAMS/Seacom/EASSy –  Mobile/Wireless Networks o  Kenya has 11.6 million Internet users and 31.3 million mobile network subscribers (CAK, 2014) •  Existence of failed states –  Increased ship piracy o  To fund other activities –  Cyber warfare platforms o  Doesn’t need troops or military hardware •  Cyber communities –  Social Networks – Attacker’s “gold mine” Future CII Attack Vectors
  19. 19. © Commonwealth Telecommunications Organisation | www.cto.int •  Increased awareness for CIIP & cyber security –  Countries aware that risks to CIIP need to be managed o  Whether at National, Regional or International level •  Cyber security & CIIP becoming essential tools –  For supporting national security & social-economic well-being •  At national level –  Increased need to share responsibilities & co-ordination o  Among stakeholders in prevention, preparation, response & recovery •  At regional & international level –  Increased need for co-operation & co-ordination with partners o  In order to formulate and implement effective CIIP frameworks Global trends towards CIIP
  20. 20. © Commonwealth Telecommunications Organisation | www.cto.int Challenges for developing countries #1: Cost and lack of (limited) financial investment –  Funds required to establish a CIIP strategic framework can be a hindrance –  Limited human & institutional resources Source:  GDP  listed  by  IMF  (2013)    
  21. 21. © Commonwealth Telecommunications Organisation | www.cto.int #2: Technical complexity in deploying CIIP –  Need to understand dependencies & interdependencies o  Especially vulnerabilities & how they cascade Challenges for developing countries Powerplants   Regional   Power  Grid   Regional   Power   Supply   Private  D2D   links   Private   Datacenters   Banks  &   Trading   Public   AdministraBon   Public   Datacenters   eGovernment   Online  services,   cloud   compuBng   Telco  sites,   switch  areas,   interconnecBons   Public   eComms   Regional   network,  cables,   wires,  trunks   Public   Transport   Emergency  care   (Police,  Firefighters,   Ambulances)   Emergency   Calls   (99.9%) 8 hr outages are disastrous (99%) 3 days outages are disastrous (90%) 30 days outages are disastrous
  22. 22. © Commonwealth Telecommunications Organisation | www.cto.int #3: Limited knowledge on how to identify and classify critical infrastructure –  Need to consider business value, scope of population & technical dependency Challenges for developing countries CriBcal  FuncBon   Infrastructure   Element   Supply   Chain   Supply   Chain   Key   Resource   Supply   Chain   CriBcal  FuncBon   Infrastructure  Element   Supply   Chain   Supply   Chain   Key   Resource   Supply   Chain  CriBcal  FuncBon   Infrastructure   Element   Supply   Chain   Supply   Chain   Key   Resource   Supply   Chain   Interdependencies Understand requirements & complexity
  23. 23. © Commonwealth Telecommunications Organisation | www.cto.int #4: Need for Cybersecurity education & culture re-think –  Create awareness on importance of Cybersecurity & CIIP o  By sharing information on what works & successful best practices –  Creating a Cybersecurity culture can promote trust & confidence o  It will stimulate secure usage, ensure protection of data and privacy Challenges for developing countries
  24. 24. © Commonwealth Telecommunications Organisation | www.cto.int #5: Lack of relevant CII strategies, policies & framework –  Needs Cybercrime legislation & enforcement mechanisms –  Setup policies to encourage co-operation among stakeholders o  Especially through Public-Private-Partnerships (PPP) #6: Lack of information sharing & knowledge transfer –  It is important at ALL levels National, Regional & International –  Necessary for developing trust relationships among stakeholders o  Including CERT teams Challenges for developing countries
  25. 25. © Commonwealth Telecommunications Organisation | www.cto.int Session 1: Group Discussions 26 Question What’s the CII definition for your country?
  26. 26. Session 2: Cloud Computing Today Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  27. 27. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing 28 Should Cloud Computing be considered a Critical Information Infrastructure?
  28. 28. © Commonwealth Telecommunications Organisation | www.cto.int Concentration of ICT Resources 29 •  Earlier approach not scalable and costly High capacity link Between organizations or operators IT IT Information Technology Resources Per each organizations or operatorsIT IT IT Organization or Operator
  29. 29. © Commonwealth Telecommunications Organisation | www.cto.int Concentration of ICT Resources 30 •  Spread associated costs among users Organizations or operators Access resources in the same area Information Technology Resources Consolidated in data centers IT IT Data Centre
  30. 30. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing Deployment Models 31 Private Cloud (Hosted Internally or Externally) Hybrid Cloud Public Cloud Community Cloud (Hosted Internally by Member or Externally)
  31. 31. © Commonwealth Telecommunications Organisation | www.cto.int Some of the benefits of Cloud Computing 32 Reduced Capital & Operational Cost •  Less up-front capital investment •  Allow companies to increase resource needs gradually (pay-as-you-go) Simplify application deployment & management •  Common programming model across platforms •  Access to ecosystem of widely deployed applications •  Integration with existing IT assets
  32. 32. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing 33 Simple definition Cloud Computing = Software as a Service (SaaS) + Platform as a Service (PaaS) + Infrastructure as a Service (IaaS) + Data as a Service (DaaS) + * as a Service (*aaS)
  33. 33. © Commonwealth Telecommunications Organisation | www.cto.int Software as a Service (SaaS) 34 SaaS characteristics:- •  From end user’s point of view •  Application are located in the cloud •  Software experiences are delivered online (Internet)
  34. 34. © Commonwealth Telecommunications Organisation | www.cto.int Platform as a Service (PaaS) 35 PaaS characteristics:- •  From developer’s point of view (i.e. cloud users) •  Cloud providers offer an Internet-based platform •  Developers use the platform to create services
  35. 35. © Commonwealth Telecommunications Organisation | www.cto.int Infrastructure as a Service (IaaS) 36 IaaS characteristics:- •  Cloud providers build datacentres –  Power, scale, hardware, networking, storage, distributed system etc •  Datacentre as a service •  Users rent storage, computation & maintenance
  36. 36. © Commonwealth Telecommunications Organisation | www.cto.int Data as a Service (DaaS) 37 DaaS characteristics:- •  Data->Information->Knowledge->Intelligence •  Infrastructure for web data mining & knowledge •  Empower people with knowledge •  Enrich apps & services with intelligence
  37. 37. © Commonwealth Telecommunications Organisation | www.cto.int Uptake of Cloud Computing 38 MicrosoS's  Data  Center,  San  Antonio,  Texas   Google's  Data  Centre,  Georgia   •  Western Europe market to grow to €15B by 2015 •  Amazon AWS carries 1% of all Internet consumer traffic in North America •  Data centre growth estimated to be in excess of €30B •  Facebook server farm (Oregon) measures 14000 m2, cost ~ $200M
  38. 38. © Commonwealth Telecommunications Organisation | www.cto.int Who is leading the cloud market today?
  39. 39. © Commonwealth Telecommunications Organisation | www.cto.int Session 2: Group Discussions 40 Question What is the level of Cloud Computing uptake in your country? Is it increasing?
  40. 40. Session 3: CIIP Perspective of Cloud Computing Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  41. 41. © Commonwealth Telecommunications Organisation | www.cto.int Concentration of ICT Resources 42 Large cloud providers can deploy security and business continuity measures and spread the associated cost among the customers. Can be a “Double Edged Sword” If an outage or security breach occurs, the the consequences can be catastrophic affecting large number of users and organisations at once.
  42. 42. © Commonwealth Telecommunications Organisation | www.cto.int Concentration of ICT Resources 43 Japan Earthquake 2011 •  Cloud computing was resilient •  Cloud services survived power outages by using emergency fuel •  Data connections over mobile networks and fixed networks held up •  Traditional IT deployments went offline •  Cloud computing used to get organizations up and running
  43. 43. © Commonwealth Telecommunications Organisation | www.cto.int Concentration of ICT Resources 44 Lightening Strike Dublin 2011 •  Took down Amazon & Microsoft services. Outage lasted for 2 days •  Amazon’s other customers (Foursquare, Reddit & Netflix) were badly affected •  Amazon’s Elastic Computer Cloud (EC2) and Relational Database Service (RDS) experienced disruption in North Virginia. •  Amazon US-EAST data centers were cut-off the Internet
  44. 44. © Commonwealth Telecommunications Organisation | www.cto.int Cloud and CIIP 45 Critical in themselves Cloud Computing services can be critical in two ways Critical for other critical services
  45. 45. © Commonwealth Telecommunications Organisation | www.cto.int Cloud and CIIP 46 e.g. Cloud based eHealth Record Platform Critical in itself •  But needed for other emergency health operations, which are also critical Critical to other systems •  Critical to other systems that depend on the data records
  46. 46. © Commonwealth Telecommunications Organisation | www.cto.int Cloud and CIIP 47 Most CIIP action plans address two major issues: (1) Cyber disruptions (or outage) with large impact 12M Pakistan 6M Egypt 4.7M Saudi Arabia 1.7M UAE 0.8M Kuwait 0.3M Qatar 12M India Outage caused by undersea cable cut near Alexandria, Egypt (2008)
  47. 47. © Commonwealth Telecommunications Organisation | www.cto.int Cloud and CIIP 48 (2) Cyber attacks with a large impact •  Influenced mainly by interdependencies Snapshot  of  the  Internet  before  an  aVack  on  Facebook     Source:  NORSE    
  48. 48. © Commonwealth Telecommunications Organisation | www.cto.int CIIP Dependencies (1/4) 49 Continuity of services & infrastructure dependencies
  49. 49. © Commonwealth Telecommunications Organisation | www.cto.int CIIP Dependencies (2/4) 50 Powerplants   Regional   Power  Grid   Regional   Power   Supply   Private  D2D   links   Private   Datacenters   Banks  &   Trading   Public   AdministraBon   Public   Datacenters   eGovernment   Online   services,  cloud   compuBng   Telco  sites,   switch  areas,   interconnecBons   Public  eComms   Regional   network,  cables,   wires,  trunks   Public   Transport   Emergency  care   (Police,  Firefighters,   Ambulances)   Emergency  Calls   (99.9%) 8 hr outages are disastrous (99%) 3 days outages are disastrous (90%) 30 days outages are disastrous
  50. 50. © Commonwealth Telecommunications Organisation | www.cto.int CIIP Dependencies (3/4) 51 Software as a service dependencies
  51. 51. © Commonwealth Telecommunications Organisation | www.cto.int CIIP Dependencies (4/4) 52 Hospitals   Power  plant   Air  traffic   controllers   IT  vendor  for  Office   soSware   Banks   Public   administraBon  
  52. 52. © Commonwealth Telecommunications Organisation | www.cto.int Session 3: Group Discussions 53 Question List (at least 3) known incidents/cases of CII related attacks in the recent past in your country? Discuss any remedies taken (if known).
  53. 53. Session 4: Cloud Computing CIIP Scenarios Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  54. 54. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 55 CII attack vectors Telecoms   Health  Services     Cloud  Services   Finance/Banking   eGovernment   Critical Information Infrastructure (CII) Cross-cutting ICT interdependencies among all sectors Natural disaster, power outage, or hardware failure Resource exhaustion (due to DDoS attack) Cyber attack (due to a software flaw)
  55. 55. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 56 Four (4) scenarios where Cloud Computing is critical (1) Financial Services Source: New York Stock Exchange (NYSE)
  56. 56. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 57 Datacenter  Datacenter   Operator   Datacenter   Trader   Trader   Private network, Dedicated links Duplicated connection between datacenters Public Internet or telephony Connecting traders to datacenters Data Centers All systems are duplicated Traders platform Web-interface access Trading Platform (SaaS)
  57. 57. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 58 Key Points: •  Software flaw can impact wide range of organisations directly •  Consider creating ‘logical redundancy’ in addition to ‘physical redundancy’
  58. 58. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 59 (2) Health Services •  By 2016 about 30% of IT budget of healthcare organisation would be devoted for cloud computing based expenses •  73% plan to make greater use of cloud-based technologies in the future Source: Accenture
  59. 59. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 60 Datacenter  Datacenter   Datacenter   Hospital   Hospital   Private network, Dedicated links Duplicated connection between datacenters Public Internet or telephony Connecting hospital to datacenters Data Centers All systems are duplicated eHealth platform Web-interface access eHealth Record Platform (SaaS)
  60. 60. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 61 Key Point: •  Cloud computing is expected to bring additional efficiency gains in health care service provision “APT 18” launched the attack Said to have links with Chinese government and behind targeted attack on companies in aerospace and defense, construction and engineering, technology, financial services and healthcare industry. Source: FireEye Inc TDoS Attack Telephony Denial of Service (TDoS) attack targets emergency response services in critical services such as health care
  61. 61. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 62 (3) e-Government Services •  UK Gov Cloud app store “GovStore” has over 1,700 information & communication services available to the UK public sector Source: http://govstore.service.gov.uk
  62. 62. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 63 Datacenter  Datacenter   Datacenter   eGov   Website   eGov   Website   Private network, Dedicated links Duplicated connection between datacenters Public Internet or telephony Connecting eGov to datacenters Data Centers All systems are duplicated eGovernment platform Web-interface access (SaaS) Gov cloud app store (PaaS)
  63. 63. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 64 Key Point: •  eGovernment services need to be resilient at all levels of attacks VS   VS  
  64. 64. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 65 (4) Cloud Services
  65. 65. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 66 Datacenter  Datacenter   Datacenter   Webmail   provider  (SaaS)     Online  backup   service  (SaaS)   Private network, Dedicated links Duplicated connection between datacenters Public Internet or telephony Connecting eGov to datacenters Data Centers All systems are duplicated eGovernment applications (SaaS) Running on a government app store (PaaS) Infrastructure or platform as a service (PaaS)
  66. 66. © Commonwealth Telecommunications Organisation | www.cto.int Cloud Computing CIIP Scenarios 67 Key Point: •  The impact of failure at an IaaS/PaaS provider can have an impact across a range of organisations, affecting many end- users.
  67. 67. © Commonwealth Telecommunications Organisation | www.cto.int Session 4: Group Discussions 68 Question What practical measures need to be taken to enhance CII resilience, especially the Cloud Infrastructure?
  68. 68. Session 5: Steps towards CI Protection Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  69. 69. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CI Protection 70 (1) Establish CIP Goals, e.g. Critical infrastructures (CI) provide the essential services that support modern information societies and economies. Some CI support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being. •  Critical Infrastructure (CI) CI exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well- being. •  Understand Critical Infrastructure (CI) Risks Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby protect the people, the economy, the essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration and manageable. •  Articulate CIP policy/goals National CIP framework includes relevant government entities, as well as, establishing public private partnerships involving corporate and non-governmental organizations. •  Establish Public- Private Partnerships
  70. 70. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CI Protection 71 (2) Define CIP Roles Define Policy and Identify RolesGovernment Define CIP goal and roles Determine Acceptable Risks LevelsPublic-Private Partnership Define what’s critical Assess  Risks   IdenBfy   Controls  and   MiBgaBons   Implement   Controls   Measure   EffecBveness   Infrastructure Prioritize Risks Operators & Service Providers Deploy best control solutions
  71. 71. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CI Protection 72 CIP  Coordinator   (ExecuBve   Sponsor)   Law   Enforcement   Sector  Specific   Agency   Computer   Emergency   Response  Team   (CERT)   Public   Private   Partnership   Infrastructure   owners  and   operators   IT  vendors   and   soluBon   providers   Shared PrivateGovernment
  72. 72. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CI Protection 73 (3) Identify & Prioritize Critical Functions CriBcal  FuncBon   Infrastructure   Element   Supply   Chain   Supply   Chain   Key   Resource   Supply   Chain   CriBcal  FuncBon   Infrastructure  Element   Supply   Chain   Supply   Chain   Key   Resource   Supply   Chain  CriBcal  FuncBon   Infrastructure   Element   Supply   Chain   Supply   Chain   Key   Resource   Supply   Chain   Interdependencies Understand requirements & complexity •  Understand the critical functions, infrastructure elements, and key resources necessary for –  Delivering essential services –  Maintaining the orderly operations if the economy –  Ensure public safety.
  73. 73. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CI Protection 74 (4) Continuously Assess and Mange Risks Assess Risks Identify Controls and Mitigations Implement Controls Measure Effectiveness •  Based on holistic approach •  Implement defense in-depth •  Organize by control effectiveness •  Evaluate program effectiveness •  Leverage findings to improve risk management •  Identify key functions •  Assess risks •  Evaluate consequences •  Define functional requirements •  Evaluate proposed controls •  Estimate risk reduction/cost benefit •  Select mitigation strategy
  74. 74. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CI protection 75 •  Develop joint PPP plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents. •  Create emergency response plans to mitigate damage and promote resiliency. •  Create effective emergency response plans that are generally short and highly actionable so they can be readily tested, evaluated, and implemented. •  Testing and exercising emergency plans to promote trust, understanding and greater operational coordination among public and private sector organizations. •  Exercises also provide an important opportunity by identifying new risk factors that can be addressed in response plans or controlled through regular risk management functions. (5) Establish & Exercise Emergency Plans
  75. 75. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CII protection 76 •  Promote trusted relationships needed for information sharing and collaborating on difficult problems •  Leverage the unique skills of government and private sector organizations •  Provide the flexibility needed to collaboratively address today’s dynamic threat environment (5) Establish Public Private Partnership (PPP)
  76. 76. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CII protection 77 •  Ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions •  Implement contingency frameworks that will enable critical functions to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents (6) Build Security & Resiliency into Operations
  77. 77. © Commonwealth Telecommunications Organisation | www.cto.int Steps towards CII protection 78 •  Cyber threats are constantly evolving •  All CIP stakeholders need to prepare for changes in cyber threats •  Constantly monitor trends and changes in critical function dependencies •  Keep systems patched and maintain the latest software versions •  Adopt smart & effective procedures and processes (7) Update & Innovate Technology and Processes
  78. 78. © Commonwealth Telecommunications Organisation | www.cto.int Session 5: Group Discussions 79 Question •  What should be the additional roles and responsibilities of the state? •  What investment is required to address CIIP vulnerabilities & threats? •  How should the private sector & government work on CIIP and build trust?
  79. 79. Session 6: Cybersecurity Threat Horizon Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  80. 80. © Commonwealth Telecommunications Organisation | www.cto.int •  Increased penetration of smart phones –  Lower costs (~$80) have increased user uptake –  Other models Tecno (China), Wiko (France) & Infinix (Hong Kong) –  Will increase from 17% (2014) to 34% (2018) •  Africa leads mobile subscriptions –  55% (1.3 billion) from developing countries •  Rapid growth of eCommerce –  Websites such as Jumia, Cheki & OLX Relevant trends in Africa today (1/2) 45%  55%   Developed  Countries   Developing  Countries  
  81. 81. © Commonwealth Telecommunications Organisation | www.cto.int •  Expanding Infrastructure –  SAT3/GLO/WACS/ACE etc e.g. 6Km of Fibre in Cameroon •  Mobile money transfer –  Increasingly growing e.g. M-Pesa has 16.8 Million customers –  Handles >$1 Billion transactions per month in Kenya alone –  Nigeria – introduced digital ID and transaction card •  Social media –  78% of internet usage in Africa is for social media –  Estimated will $230 Billion to Africa’s growth by 2025 Relevant trends in Africa today (2/2)
  82. 82. © Commonwealth Telecommunications Organisation | www.cto.int •  2014 global cyber attacks assessment shows –  Africa accounted for 4% security incidents worldwide –  Every 1 second, 18 adults are victims of cyberscrime –  1.5 million victims globally per day •  Financial fraud –  Africa’s major cities like Cairo, Johannesburg, Lagos and Nairobi experience many cases of financial fraud –  African countries are becoming targets & source of malicious Internet activities •  Software piracy and lack of updated software –  Home user PCs remain vulnerable to cyber attacks Emerging Cyber Threats (1/3)
  83. 83. © Commonwealth Telecommunications Organisation | www.cto.int •  Use of ICT to commit acts of terrorism –  Planning, co-ordination, implementation and promotion. For example Boko Harum, ISIS, Al-Shabaab & Al-Qaida etc –  Creates social-economical problem. For example, the Westgate Mall in Kenya – 67 people killed and nearly $200 Million lost tourism revenue. Emerging Cyber Threats (2/3) Teenage girls in the UK who flew to Syria via Turkey
  84. 84. © Commonwealth Telecommunications Organisation | www.cto.int •  Cyber attacks targeting government websites –  Defacement of websites, motivated by individual reasons o  Nigeria defence HQ attacked for fighting Boko Haram o  Ghana (gov.gh) portal attacked (11 out of 58 sites attacked) o  Senegalese ICT agency site attacked, linked to Charle Hebdo •  Social media –  Reputation and defamation is a new form of cyber attack –  Anonymity on social networks – could tools such as Yik Yak be used for Cyber bullying? Emerging Cyber Threats (3/3)
  85. 85. © Commonwealth Telecommunications Organisation | www.cto.int •  Low level of security provisions –  Inadequate control and lack of information risk assessment •  Lack of technical know-how –  inability to monitor and defend national networks •  Need to develop necessary legal frameworks –  21 countries in Africa have proposed legislation •  Cross boundary challenges of Cybersecurity –  inability to prosecute and apprehend at source •  Limited levels of awareness –  Regulators, military, law-enforcement, judiciary, legislators Cybersecurity challenges facing Africa
  86. 86. © Commonwealth Telecommunications Organisation | www.cto.int Success of above needs full government support •  Legal framework –  Lack of Cybersecurity legislation affects businesses –  Needs technology to support enforcement •  Regional harmonization of policy & legal frameworks –  Global good, needs national, regional & international actions •  Co-ordination and corporation is a MUST –  Cybersecurity is a cross-boundary issue –  Needed to combat ICT fraud, hacking, child pornography and copyright infringement –  Creates uniformity in procedures and processes Policy, Legal & Regulatory Considerations
  87. 87. © Commonwealth Telecommunications Organisation | www.cto.int Success of above needs full government support •  Development of infrastructure –  Develop reliable, resilient and available connectivity •  Need to establish & enhance national CERTs –  Create sectorial CERTs o  Finance, Energy, Transport, Military, Maritime, SMEs etc –  Harmonize regional CERTs or CIRTs •  Best practice in Cyber governance –  Encourage use of country Top Level Domain (TLD) names Technology Considerations
  88. 88. © Commonwealth Telecommunications Organisation | www.cto.int Success of above needs full government support •  Cybersecurity is complex & challenging –  Develop technical skills through training & collaborations –  Use expertise from the Diaspora •  Cultivate a culture of Cybersecurity awareness –  CERTs must be proactive other than reactive –  Engage in capacity building initiatives with ALL stakeholders •  Best practice in Cyber governance –  Encourage use of country Top Level Domain (TLD) names –  Have effective data protection act Capacity building, Research & Innovation Considerations
  89. 89. Session 7: Commonwealth Cybergovernance Model Presenter Dr Martin Koyabe (CTO) CIIP Workshop Gaborone, Botswana 23 – 24 March 2015
  90. 90. © Commonwealth Telecommunications Organisation | www.cto.int Trends in Cyberspace •  Cyberspace provides access to ICT –  Bridging the digital divide and influencing social-economic activities •  Cyberspace is increasingly becoming a global system –  Anticipated to grow from 2-4 Billion users by 2020 (mostly from developing countries) •  Cyberspace is open, decentralised and empowering –  This has fostered innovation, collaboration and rapid development •  Cyberspace success depends on it’s infrastructure –  Infrastructure should be secure, resilient and available to users •  Cyberspace can also be used for criminal activities –  Cybercrimes, extremisms and other social crimes 91
  91. 91. © Commonwealth Telecommunications Organisation | www.cto.int Why a Commonwealth Model •  Contrasting views emerging across the world on governing the Cyberspace •  Harmonisation is critical to facilitate the growth and to realise the full potentials of Cyberspace •  Commonwealth family subscribes to common values and principles which are equally well applicable to Cyberspace •  CTO is the Commonwealth agency mandated in ICTs •  The project was launched at the 53rd council meeting of the CTO in Abuja, Nigeria (9th Oct 2013) •  Wide consultations with stakeholders •  Adopted at the Commonwealth ICT Ministers Forum on 3rd and 4th March 2014 in London 92
  92. 92. © Commonwealth Telecommunications Organisation | www.cto.int Objectives The Cybergovernance Model aims to guide Commonwealth members in:- –  Developing policies, legislation and regulations –  Planning and implementing practical technical measures –  Fostering cross-border collaboration –  Building capacity 93
  93. 93. © Commonwealth Telecommunications Organisation | www.cto.int Commonwealth Values in Cyberspace •  Based on Commonwealth Charter of March 2013 –  Democracy, human rights and rule of law •  The Charter expressed the commitment of member states to –  The development of free and democratic societies –  The promotion of peace and prosperity to improve the lives of all peoples –  Acknowledging the role of civil society in supporting Commonwealth activities •  Cyberspace today and tomorrow should respect and reflect the Commonwealth Values –  This has led to defining Commonwealth principles for use of Cyberspace 94
  94. 94. © Commonwealth Telecommunications Organisation | www.cto.int Commonwealth Principle for use of Cyberspace Principle 1: We contribute to a safe and an effective global Cyberspace •  as a partnership between public and private sectors, civil society and users, a collective creation; •  with multi-stakeholder, transparent and collaborative governance promoting continuous development of Cyberspace; •  where investment in the Cyberspace is encouraged and rewarded; •  by providing sufficient neutrality of the network as a provider of information services; •  by offering stability in the provision of reliable and resilient information services; •  by having standardisation to achieve global interoperability; •  by enabling all to participate with equal opportunity of universal access; •  as an open, distributed, interconnected internet; •  providing an environment that is safe for its users, particularly the young and vulnerable; •  made available to users at an affordable price. 95
  95. 95. © Commonwealth Telecommunications Organisation | www.cto.int Commonwealth Principle for use of Cyberspace Principle 2: Our actions in Cyberspace support broader economic and social development •  by enabling innovation and sustainable development, creating greater coherence and synergy, through collaboration and the widespread dissemination of knowledge; •  respecting cultural and linguistic diversity without the imposition of beliefs; •  promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system; •  allowing free association and interaction between individuals across borders; •  supporting and enhancing digital literacy; •  providing everyone with information that promotes and protects their rights and is relevant to their interests, for example to support transparent and accountable government; •  enabling and promoting multi-stakeholder partnerships; •  facilitating pan-Commonwealth consultations and international linkages in a single globally connected space that also serves local interests. 96
  96. 96. © Commonwealth Telecommunications Organisation | www.cto.int Commonwealth Principle for use of Cyberspace Principle 3: We act individually and collectively to tackle cybercrime •  nations, organisations and society work together to foster respect for the law; •  to develop relevant and proportionate laws to tackle Cybercrime effectively; •  to protect our critical national and shared infrastructures; •  meeting internationally-recognised standards and good practice to deliver security; •  with effective government structures working collaboratively within and between states; •  with governments, relevant international organisations and the private sector working closely to prevent and respond to incidents. 97
  97. 97. © Commonwealth Telecommunications Organisation | www.cto.int Commonwealth Principle for use of Cyberspace Principle 4: We each exercise our rights and meet our responsibilities in Cyberspace •  we defend in Cyberspace the values of human rights, freedom of expression and privacy as stated in our Charter of the Commonwealth; •  individuals, organisations and nations are empowered through their access to knowledge; •  users benefit from the fruits of their labours; intellectual property is protected accordingly; •  users can benefit from the commercial value of their own information; accordingly, responsibility and liability for information lies with those who create it; •  responsible behaviour demands users all meet minimum Cyberhygiene requirements; •  we protect the vulnerable in society in their use of Cyberspace; •  we, individually and collectively, understand the consequences of our actions and our responsibility to cooperate to make the shared environment safe; our obligation is in direct proportion to culpability and capability. 98
  98. 98. Commonwealth Approach for Developing National Cybersecurity Strategies
  99. 99. © Commonwealth Telecommunications Organisation | www.cto.int Development of a Nation Cybersecurity Strategy •  Need support from highest levels of government •  Adopt a multi-stakeholder partnership (private sector, public sector & civil society) •  Draw on the expertise of the International Community •  Appoint a lead organisation or institution •  Be realistic and sympathetic to the commercial consideration of the private sector •  Add mechanisms to monitor & validate implementation 100
  100. 100. © Commonwealth Telecommunications Organisation | www.cto.int Main elements of a Cybersecurity Strategy •  Introduction and background •  Guiding principles •  Vision and strategic goals •  Specific objectives •  Stakeholders •  Strategy implementation 101
  101. 101. © Commonwealth Telecommunications Organisation | www.cto.int Introduction & Background •  Focuses on the broad context •  Sets the importance of Cybersecurity to national development •  Assess current state of Cybersecurity and challenges 102 STRATEGY  COMPONENTS ASPECTS  TO  CONSIDER EXAMPLE  TEXT  FROM  PUBLISHED  STRATEGIES   AND  BEST  PRACTICE 1.  Introduc$on  /  background         This  secBon  provides  a  succinct  background  of   the  country’s  circumstances  and  the  status  of  its   Cybersecurity •  Explain  the  importance  of  Cybersecurity   to  economic  and  social  development.   •  Describe  the  use  of  Cyberspace  and  the   nature  of  Cybersecurity  challenges  to   jusBfy  the  need  for  the  Cybersecurity   strategy   •  Explain  the  relaBonship  to  exisBng   naBonal  strategies  and  iniBaBves. Uganda’s  introducBon  covers:   •  The  definiBon  of  informaBon  security     •  The  jusBficaBon  for  a  strategy   •  Country   analysis   of   current   state   of   informaBon  security  framework.   •  Strategy  guiding  principles     •  Vision,  mission,  strategic  objecBves       Note   that   this   example   covers   the   first   three   secBons  in  this  framework.    
  102. 102. © Commonwealth Telecommunications Organisation | www.cto.int •  Based on Commonwealth Cybergovernance principles •  Balance security goals & privacy/protection of civil liberties •  Risk-based (threats, vulnerabilities, and consequences) •  Outcome-focused (rather than the means to achieve it) •  Prioritised (graduated approach focusing on critical issues) •  Practicable (optimise for the largest possible group) •  Globally relevant (harmonised with international standards) 103 Guiding Principles (1/2)
  103. 103. © Commonwealth Telecommunications Organisation | www.cto.int Guiding Principles (2/2) 104 STRATEGY  COMPONENTS ASPECTS  TO  CONSIDER EXAMPLE  TEXT  FROM  PUBLISHED  STRATEGIES  AND   BEST  PRACTICE 2.  Guiding  principles       This  secBon  idenBfies  the  guiding  principles   for   addressing   Cybersecurity   within   which   the  strategy  is  designed  and  delivered.     •  Build  from  the  principles  of  the   Commonwealth  Cybergovernance   model.   •  Include  any  relevant  naBonal  principles.   •  Describe  the  delivery  principles  that   guide  the  design  of  the  objecBves  goals,   vision  and  objecBves.   In  addiBon  to  the  Commonwealth  Cybergovernance   principles  and  naBonal  principles  the  following   delivery  principles  are  recommended:   Risk-­‐based.  Assess  risk  by  idenBfying  threats,   vulnerabiliBes,  and  consequences,  then  manage   the  risk  through  miBgaBons,  controls,  costs,  and   similar  measures.   Outcome-­‐focused.  Focus  on  the  desired  end  state   rather  than  prescribing  the  means  to  achieve  it,  and   measure  progress  towards  that  end  state.   PrioriBsed.  Adopt  a  graduated  approach  and  focus   on  what  is  criBcal,  recognising  that  the  impact  of   disrupBon  or  failure  is  not  uniform  among  assets  or   sectors.   PracBcable.  OpBmise  for  adopBon  by  the  largest   possible  group  of  criBcal  assets  and  realisBc   implementaBon  across  the  broadest  range  of   criBcal  sectors.   Globally  relevant.  Integrate  internaBonal  standards   to  the  maximum  extent  possible,  keeping  the  goal   of  harmonizaBon  in  mind  wherever  possible.    
  104. 104. © Commonwealth Telecommunications Organisation | www.cto.int •  Promote economic development •  Provide national leadership •  Tackle cybercrime •  Strengthen the critical infrastructure •  Raise and maintain awareness •  Achieve shared responsibility •  Defend the value of Human Rights •  Develop national and international partnerships 105 Visions & Strategic Goals
  105. 105. © Commonwealth Telecommunications Organisation | www.cto.int 106 STRATEGY  COMPONENTS ASPECTS  TO  CONSIDER EXAMPLE  TEXT  FROM  PUBLISHED  STRATEGIES  AND  BEST  PRACTICE 3.  Strategic  goals  and  vision     This  secBon  defines  what   success  looks  like  in  broad   summary  terms  and  reflects  the   country’s  prioriBes.       •  Make  a  clear  statement  of  the   country’s  commitment  to  protecBng   the  use  of  its  Cyberspace   •  Emphasise  the  breadth  of  the  use  of   Cyberspace:  covering  social  and   economic  acBvity   •  Include  text  that  can  be  quoted  as   part  of  the  communicaBon  with  wider   stakeholders,  e.g.  a  vision  statement.     Australia’s  vision:  “The  maintenance  of  a  secure,  resilient  and  trusted   electronic  operaBng  environment  that  supports  Australia’s  naBonal   security  and  maximises  the  benefits  of  the  digital  economy”       Three  pillars  of  the  Australian  strategy:   •  All  Australians  are  aware  of  cyber  risks,  secure  their  computers   and  take  steps  to  protect  their  idenBBes,  privacy  and  finances   online;   •  Australian  businesses  operate  secure  and  resilient  informaBon  and   communicaBons  technologies  to  protect  the  integrity  of  their  own   operaBons  and  the  idenBty  and  privacy  of  their  customers;   •  The  Australian  Government  ensures  its  informaBon  and   communicaBons  technologies  are  secure  and  resilient.”       Four  pillars  of  the  UK  strategy:   •  Tackle  cybercrime  and  be  one  of  the  most  secure  places  in  the   world  to  do  business  in  cyberspace;   •  To  be  more  resilient  to  cyber  aVacks  and  beVer  able  to  protect  our   interests  in  cyberspace;   •  To  have  helped  shape  an  open,  stable  and  vibrant  cyberspace   which  the  UK  public  can  use  safely  and  that  supports  open   socieBes;   •  To  have  the  cross-­‐cuing  knowledge,  skills  and  capability  it  needs   to  underpin  all  our  Cybersecurity  objecBves.       Visions & Strategic Goals
  106. 106. © Commonwealth Telecommunications Organisation | www.cto.int •  Provide a national governance framework for securing Cyberspace •  Enhance the nation’s preparedness to respond to the challenges of Cyberspace •  Strengthening Cyberspace and national critical infrastructure •  Securing national ICT systems to attract international businesses •  Building a secure, resilient and reliable Cyberspace •  Building relevant national and international partnerships and putting effective political-strategic measures in place to promote Cyber safety •  Developing a culture of Cybersecurity awareness among citizens •  Promoting a culture of “self protection” among businesses and citizens •  Creating a secure Cyber environment for protection of businesses and individuals •  Building skills and capabilities needed to address Cybercrime •  Becoming a world leader in Cybercrime-preparedness and Cybercrime-defence 107 Specific Objectives
  107. 107. © Commonwealth Telecommunications Organisation | www.cto.int 108 STRATEGY  COMPONENTS ASPECTS  TO  CONSIDER EXAMPLE  TEXT  FROM  PUBLISHED  STRATEGIES  AND  BEST  PRACTICE 4.  Risk   management   (Risk   based  approach  objec$ves)     How  the  risk  management   process  works,  and  then  seing   objecBves  and  prioriBes       This  secBon  describes  how  risk   management  is  performed  and   provides  a  top-­‐level  analysis.     It  states  specific  and  tangible   targets  and  assigns  relaBve   prioriBes.       •  How  risk  management  is  currently   performed,  for  example  for  naBonal   security.   •  Sources  of  threat  informaBon  and  of   major  vulnerabiliBes.   •  How  granular  to  make  the  outcomes   and  objecBves.   •  How  frequently  to  repeat  the  risk   assessment  process.   Source:  MicrosoY’s  guidance,  listed  in  appendix  3:   •  A  clear  structure  for  assessing  and  managing  risk     •  Understand  naBonal  threats  and  major  vulnerabiliBes   •  Document  and  review  risk  acceptance  and  excepBons   •  Set  clear  security  prioriBes  consistent  with  the  principles   •  Make  naBonal  cyber  risk  assessment  an  on-­‐going  process   Specific Objectives
  108. 108. © Commonwealth Telecommunications Organisation | www.cto.int 109 Stakeholders CIP  Coordinator   (ExecuBve   Sponsor)   Law   Enforcement   Sector  Specific   Agency   Computer   Emergency   Response  Team   (CERT)   Public   Private   Partnership   InternaBonal   OrganisaBons   Infrastructure   owners  and   operators   IT  vendors   and   soluBon   providers   Shared PrivateGovernment
  109. 109. © Commonwealth Telecommunications Organisation | www.cto.int 110 STRATEGY  COMPONENTS ASPECTS  TO  CONSIDER EXAMPLE  TEXT  FROM  PUBLISHED  STRATEGIES  AND  BEST  PRACTICE 4.  Stakeholders     This  secBon  idenBfies  key   parBcipants  in  the   development  and  delivery  of   the  strategy.       Roles  and  responsibiliBes   should  be  clearly  defined   using  RACI  terminology  (see   appendix  5).     •  IdenBfy  all  relevant  key   stakeholders  taking  into   consideraBon,  country   objecBves  and  focus  areas   •  IdenBfy  key  internaBonal   stakeholders  and  partners   that  could  contribute   effecBvely   •  Draw  stakeholders  from   governmental  and  non-­‐ governmental   organizaBons,  civil  socieBes,   academia,  public  and   private  sectors  of  the   economy.  Should  include   but  not  limited  to  soSware   and  equipment  vendors,   owners  and  operators  of  CII,   law  enforcement   insBtuBons  etc.     In  construcBng  the  list  of  stakeholders,  the  following  consBtuencies  should  be   considered:   •  ministers  and  other  poliBcians;   •  government  departments  concerned  with  ICT,  telecommunicaBons  and   informaBon  security;   •  private  sector  organisaBons  that  provide  ICT  services;   •  government  departments  whose  responsibiliBes  rely  upon  or  who  engage  with   Cyberspace,  including:  most  economic  acBvity,  trade,  tourism,  law  enforcement;   •  providers  of  the  criBcal  naBonal  infrastructure  whose  vital  communicaBons  are   increasingly  carried  across  the  internet;   •  companies  across  the  economy  that  rely  upon  Cyberspace,  oSen  represented  by   trade  associaBons;   •  representaBves  of  civil  society,  oSen  in  the  form  of  groups  that  reflect  broad   public  opinion  and  can  advise  on  the  best  way  to  achieve  outcomes  involving  the   public;   •  civil  society  organisaBons  that  represent  parBcular  parts  of  society  or  interest   groups  and  can  explain,  for  example,  the  needs  of  the  young,  of  women,  of  rural   communiBes  and  of  the  vulnerable;   •  experts  who  understand  how  Cyberspace  works,  from  a  technical  perspecBve,  to   ensure  that  government  strategies  are  pracBcal;   •  Academia  who  can  advise  on  R&D,  internaBonal  best  pracBce,  emerging  issues;     •  InternaBonal  bodies  such  as  the  Commonwealth  TelecommunicaBons   OrganisaBon   •  Other  countries,  parBcularly  regional  countries.   Specific Objectives
  110. 110. © Commonwealth Telecommunications Organisation | www.cto.int •  Governance and management structure •  Legal and regulatory framework •  Capacity Development •  Awareness and outreach programmes •  Incident response –  Incentivize commercial competitors to cooperate –  Create national CERTs (include sector based CERTs) •  Stakeholder collaboration •  Research and Development •  Monitoring and evaluation 111 Strategy Implementation
  111. 111. © Commonwealth Telecommunications Organisation | www.cto.int 112 Strategy Implementation
  112. 112. © Commonwealth Telecommunications Organisation | www.cto.int What Next? Upcoming CIIP Workshops 113 Yaounde, Cameroon Jan-Feb 2015 Nairobi, Kenya Nov 2014 Colombo, Sri Lanka/Dhaka, Bangladesh Aug-Sep 2014 Port Vila, Vanuatu Sep-Oct 2014 Successfully completed Scheduled to take place To be confirmed CTO CIIP Workshops
  113. 113. © Commonwealth Telecommunications Organisation | www.cto.int Further Information Contact: Dr Martin Koyabe Email: m.koyabe@cto.int Tel: +44 (0) 208 600 3815 (Off) +44 (0) 791 871 2490 (Mob) 114 Q & A Session

×