Cybersecurity Event 2010



CTO Cybersecurity Forum 2010
Event Report
17 - 18 June 2010, London
Common Responses to a Global Challenge

Hosted and organised by the Commonwealth Telecommunications Organisation and BIS, the Department for Business Innovation & Skills.
Silver Sponsor and Supporting Organisations: Knowledge Transfer Network Digital Systems; CMAI; a trade body whose logo reads "Representing the UK Technology Industry".
Media Partners: Balancing Act News Africa.
Executive Summary

Photo caption: Delegates participate at the CTO Cybersecurity 2010 Forum to discuss Common Responses to a Global Challenge.

With the exponential growth of the Internet, the increasing use of electronic channels for commerce, governance and relationships, and the use of ICTs in all forms of utilities, the safety and resilience of these channels is becoming critical. Recent cyber attacks, including attempts to breach the security of nuclear power facilities, show how fragile Cybersecurity is and the need to safeguard vulnerable people, property and procedures.

The CTO's inaugural Cybersecurity Forum was aimed at raising the awareness of key stakeholders of the need for robust and resilient Cybersecurity frameworks, building their capacity to implement such frameworks and facilitating dialogue and consultation between the stakeholders. The event, held over two days, focused on the many facets of Cybersecurity, including threats against the state and threats against individuals and children, together with possible responses including technical measures, legal measures, organisational structures, capacity building and international cooperation.

The deliberations identified the difficulties of enforcing Cybersecurity, as the perpetrators tend to move around jurisdictions and use resources spread widely around the world.

Amongst many useful outcomes, the key theme that emerged during the event was the need to foster international cooperation, in view of the ambiguities in jurisdiction, different enforcement mechanisms, varying levels of competence to face the threats, and the difficulty of identifying and prosecuting perpetrators. The event provided an ideal platform for this through the partnership being formed by the UK Government and the CTO.

The CTO, understanding the importance of Cybersecurity not only to its members but to the entire global ICT community, plans to repeat this event as a platform to facilitate the flow of knowledge and to build stakeholder partnerships.

Photo caption: Hon. Maj. Gen. Madut Biar Yel, Minister of Telecommunications and Postal Services, Government of Southern Sudan; Rt. Hon. Baroness Pauline Neville-Jones, UK Minister of State for Security and Counter-Terrorism; and Dr. Spio-Garbrah, CEO of the CTO, at the CTO Cybersecurity 2010 Forum in London.

© Commonwealth Telecommunications Organisation 2010, June 2010
Background

There are over 1.8 billion Internet users globally today and social networking has grown exponentially, with Facebook and Twitter leading the way. The convergence between the telecom, broadcasting and IT sectors has given rise to new and innovative services such as IP telephony and digital TV. The financial services sector has benefited from some novel applications of ICTs, such as mobile banking and mobile money transfer, that have broadened the reach of banking and other financial services to people who had hitherto been marginalised. E-Government services (E-Tax, E-Procurement, E-Education, E-Health) are making steady progress, with developing countries matching the pace of developed countries. The degree and scale of e-enabling society has increased the need to secure the integrity of electronic channels and assure their due functioning. Indeed, electronic channels have become such a lifeline for governments and societies today that the security of these channels is critical to the very survival of countries.

Communications and information services whose availability, reliability and resilience are essential to the functioning of a modern economy, collectively called Critical Information Infrastructures (CII), include telecommunications, power distribution, water supply, public health services, national defence, law enforcement, government services and emergency services. The World Economic Forum estimated in 2008 that there is a 10% to 20% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion. The US Business Roundtable in 2007 suggested that the economic cost of a month-long Internet disruption to the United States alone could be more than $200 billion. According to an OECD report, the estimated annual loss to United States businesses caused by malware is USD 67.2 billion. The cost of a major disruption to Switzerland is estimated at 1.2% of its GDP.

The cyber attack on the CII of Estonia in April 2007 is considered to be the first attack on national infrastructure. Since then there have been several major cyber attacks: in August 2008 Georgia accused Russia of attacking its government websites; in December 2009 Google detected a highly sophisticated and targeted attack on its corporate infrastructure originating from China; and in 2008 Conficker surfaced, which attacks the Microsoft Windows operating system.

The ITU launched the Global Cybersecurity Agenda in 2007, aimed at examining the issues surrounding Cybersecurity and promoting international cooperation by convening a panel of international experts called the High Level Experts Group (HLEG), in which the CTO also took part.

Considering the importance of Cybersecurity to the orderly development of ICTs and the challenges faced by its members, the CTO decided to contribute to the global efforts of improving Cybersecurity by holding a conference where experts would share their knowledge, expertise and experiences with the delegates, paving the way for greater international cooperation, harmonised Cybersecurity frameworks and joint action. The UK's Department for Business, Innovation and Skills (BIS) and the Office of Cyber Security (OCS), having recognised the value of the event, joined the CTO to host this event on 17 and 18 June 2010 in London at the BIS Conference Centre.

Dr. Ekwow Spio-Garbrah, Chief Executive Officer, CTO:
The relevance of ICTs to economy and governance has been steadily growing, with ICTs contributing to such diverse sectors as agriculture and health. The CTO's role had primarily been to work with other stakeholders, including international organisations, in helping set up appropriate policy and regulatory frameworks using best practices worldwide as a guide. Cybersecurity is an integral part of the ICT world and the CTO will play its role to promote international cooperation in Cybersecurity and to act as a platform to facilitate knowledge, expertise, technology and investments.

Hon. Ms. Mmasekgoa Masire-Mwamba, Deputy Secretary General, Commonwealth Secretariat:
ICTs have a transformational role which has brought about great benefits along with some undesirable side effects such as Cybercrimes. The Commonwealth governments, recognising the importance of securing the safety of the Internet, granted a broad mandate to the Commonwealth Secretariat under which a series of expert group meetings were held that culminated in a collection of model laws relating to Cybercrime and other computer related crimes. The Secretariat's work in this area includes capacity building and facilitating cooperation between Member Countries. The Harare Scheme, facilitating cooperation in the area of criminal justice between Commonwealth countries, and the London Scheme, which deals with the penalties, are due to be reviewed at the next meeting of Senior Officials of Law Ministers in October 2010 and at the Commonwealth Law Ministers meeting in Australia in 2011.
Session 1

DDoS the problem?
Mr. John Crain, Senior Director, Security Stability Resiliency Programme, ICANN

A number of instances (Estonia in 2007, the Australian Parliament in 2010, etc.) of DDoS attacks have been registered in the recent past. These attacks use multiple hosts to focus traffic against a target at a scale it cannot handle. Though there are some mechanisms to defend against low-level attacks, a concerted attack using botnets (hijacked machines) is almost impossible to stop. The best option is to prevent machines from being infected by improving user awareness and computer hygiene.

Coordinating Activity at an International Level in Response to Online Threats
Rt. Hon Alun Michael, MP, UK

Cybersecurity is primarily a people's issue and safety on the Internet requires the engagement of all stakeholders, including civil society, with cooperation taking place at both national and international levels. Though there have been suggestions to create an international agency for Cybersecurity, achievements to date have been the result of flexible frameworks of international cooperation. To be more effective these frameworks need to encompass people's representation as well. The critical need today is multilateral, multi-stakeholder partnerships that bring together civil society on a global scale, which is an area where the Commonwealth can play a lead role.

Critical Information Infrastructure Protection: Threats & Challenges for Developing Countries
Dr. Martin Koyabe, BT

CIIP needs to be considered from the perspective of technical issues (e.g. increased dependencies leading to increasing vulnerability) and the actors involved (e.g. political extremists and organised criminals). Funding, limited human and institutional resources, technical complexities and narrow policy and regulatory regimes remain challenges, while threats to CII continue to grow through the expansion of infrastructure such as international cable networks, failed states and cyber communities. Coordination and cooperation amongst stakeholders is the key to improving CIIP, while it is also important to understand that, though CIIP is expensive, failure to do so will be even more costly.

Information Infrastructure Protection - Lessons from the UK
Mr. Mark Oram, Centre for the Protection of National Infrastructure (CPNI)

CPNI is mandated to handle national security threats and protect the UK's CII by working with the Government and industry. It focuses on critical services determined on the basis of severity of impact. In these sectors CPNI addresses physical security, information security and personnel security. In the sectors considered critical and non-critical, CPNI promotes security through Information Exchanges that bring together the stakeholders to share learning.

How is Mobile Security Different? Attacks, risks and mitigations in a brave new world
Mr. Nader Henein, Research In Motion

There are a number of important differences in ensuring security on mobiles. For example, if encryption is added to a BlackBerry the power consumption will double. Yet the growth of smart phones, and the fact that the largest market is the public sector, makes it incumbent to ensure security on mobile devices. Strategies to ensure security include centralised management of security with strong policies, limiting applications on devices and Government-sponsored certification regimes.

Decrypting Web Proxies - Corporate Compliance or Surveillance State
Mr. Ron Williams, IBM

A Transport Layer Security (TLS) proxy may authenticate either only the end point or both the end point and the server, providing security in communication between a user and a server. TLS proxies have the full ability to modify and retain information transmitted in both directions, and their operation is largely hidden from the server side. There are, however, legal and ethical implications of the use of TLS proxies, particularly in some untested jurisdictions. There are business risks associated with decryption technology, especially in respect of communications with third parties such as banks, social networks and business partners. In that context, full disclosure to end users that decrypting web proxies are in use is recommended, while seeking approval in instances where the legal regimes so require.

The EESC views on Critical Information Infrastructure Protection
Dr. Thomas McDonogh, European Economic and Social Committee

The EU Action Plan on CIIP is built on five pillars: preparedness and prevention; detection and response; mitigation and recovery; international cooperation; and support from the ICT sector. The EESC has noted that though individual countries have their own CIIP mechanisms, the EU as an institution is limited in its responses, primarily due to lack of cooperation between EU countries, vulnerable systems, inadequate leadership and an inadequate skill base.
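The DDoS point made in Session 1 (per-source defences cope with a single noisy host, but a botnet spreads the same load over many sources that each stay under any per-source threshold) can be seen directly by replaying traffic through a per-source rate limiter. The following is an added example and is not part of the event report or any speaker's material; the log format, the per-source limit of 30 requests per 10-second window and the assumed server capacity of 50 requests per second are all assumptions chosen for the illustration, and both floods are constructed inline rather than captured.

```python
"""Per-source rate limiting against a single-host flood and a botnet flood.

Added example, not from the CTO report. Replays constructed access-log lines
through a per-source sliding-window limiter and reports whether the traffic
that survives the limiter still exceeds what the target can serve.
"""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Iterable

WINDOW_SECONDS = 10       # assumed sliding window per source address
PER_SOURCE_LIMIT = 30     # assumed max requests one source may send per window
SERVER_CAPACITY_RPS = 50  # assumed requests per second the target can absorb


def parse_line(line: str) -> tuple[int, str]:
    """Constructed log format: '<unix_seconds> <source_ip> <request>'."""
    ts, ip, _request = line.split(" ", 2)
    return int(ts), ip


class PerSourceLimiter:
    """Sliding-window limiter keyed on source address (timestamps per source)."""

    def __init__(self, window: int = WINDOW_SECONDS, limit: int = PER_SOURCE_LIMIT):
        self.window = window
        self.limit = limit
        self.hits: dict[str, deque[int]] = defaultdict(deque)

    def allow(self, ts: int, ip: str) -> bool:
        q = self.hits[ip]
        # Drop timestamps that fell out of the window (input is time ordered).
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def replay(lines: Iterable[str], limiter: PerSourceLimiter | None = None) -> dict:
    """Run lines through the limiter; report what got through and whether the
    peak admitted rate still exceeds the assumed server capacity."""
    limiter = limiter or PerSourceLimiter()
    admitted_per_sec: dict[int, int] = defaultdict(int)
    blocked = total = 0
    sources: set[str] = set()
    for line in lines:
        total += 1
        ts, ip = parse_line(line)
        sources.add(ip)
        if limiter.allow(ts, ip):
            admitted_per_sec[ts] += 1
        else:
            blocked += 1
    peak = max(admitted_per_sec.values(), default=0)
    return {
        "total": total,
        "distinct_sources": len(sources),
        "blocked": blocked,
        "peak_admitted_rps": peak,
        "overwhelmed": peak > SERVER_CAPACITY_RPS,
    }


def single_source_flood() -> list[str]:
    """Constructed: one host sends 100 requests/s for 10 s (1000 requests)."""
    return [f"{1000 + i // 100} 203.0.113.7 GET /" for i in range(1000)]


def botnet_flood(bots: int = 200) -> list[str]:
    """Constructed: `bots` hosts each send 1 request/s for 10 s, so every bot
    stays far below PER_SOURCE_LIMIT while the aggregate is bots requests/s."""
    return [
        f"{1000 + sec} 198.51.100.{b + 1} GET /"
        for sec in range(10)
        for b in range(bots)
    ]


if __name__ == "__main__":
    for name, lines in (("single source", single_source_flood()),
                        ("botnet", botnet_flood())):
        print(name, replay(lines))
```

The single-source flood is cut to 30 admitted requests in the window, well under capacity, while the botnet's 2000 requests all pass the limiter and arrive at 200 requests per second, four times the assumed capacity; the limiter never fires because no individual bot looks abusive. That is why the talk's recommended defence is keeping machines out of botnets in the first place rather than filtering at the target.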
Session 1 (continued)

Photo caption: Pro-active engagement with public and private sectors at the Cyber Security Forum.

Protecting investors and industry - How Mauritius handles Cybersecurity
Mr. Trilok Dabeesing, Director IT, ICT Authority, Mauritius

Mauritius adopted a holistic approach to ensuring Cybersecurity, as the country views ICT as a pillar of national development and plans to make the country a regional ICT hub. The country's National Information Security Strategy Plan is a part of the National Information Communication Technologies Strategic Plan for 2007 to 2011, and Mauritius has set up a comprehensive legal framework along with an implementation and institutional framework. Enforcement has been improved with the setting up of the Police Cybercrime Unit in 2000 and the Computer Emergency Response Team (CERT-mu) in 2008. Mauritius plans to deploy a Content Security Monitoring Solution which will filter illegal material while maintaining quality.

Key discussion points:
• Innovation should be promoted while ensuring security, bearing in mind the risk of compromising security to manage costs.
• Ideally security should be built in at the time of manufacture rather than attempting to add it later.

Key Note Address
Rt. Hon. Baroness Pauline Neville-Jones, Minister of State for Security and Counter-Terrorism, UK

Cyberspace presents vast potential and opportunities as well as threats. Interdependence in Cyberspace calls for a convergence of the public and private sectors along with civil society. Governance of the cyber domain is becoming more democratic and accountable, with ICANN and the IGF providing a voice for developing nations. The Commonwealth has a unique role among the many international initiatives and organisations working in the field of Cybersecurity. Rather than an international treaty on Cybersecurity, there are a number of interventions that would make a tangible and positive contribution to improving Cybersecurity:
• Harmonising national criminal laws and developing frameworks for mutual legal assistance. The Council of Europe's Convention on Cybercrime is an example of best practice
• Building common resources to fill gaps in capabilities and skills needed to deal with cyber threats
• Capacity building, sharing best practices and knowledge through multilateral organisations
• Developing norms of behaviour internationally

Importantly, if countries are more transparent about what would be regarded as a real threat, this would not only lead to the development of greater certainty about how Cyberspace is used but, over time, could also lead to the development of certain norms which, if ignored, could justify some form of punitive action.
Session 2 - Individuals/children under threat
Session chair: Mr. Richard Simpson, Canada

Protecting and Empowering Children On-Line
Mr. Will Gardner, Chief Executive Officer, Childnet, UK

Cyber bullying is becoming a critical issue, though it is not perceived quite as seriously as physical bullying. Inaccurate or harmful content, access to adult websites and illegal material contribute to the dangers young people face on the Internet. When the Internet is available through mobile channels, monitoring becomes even harder. Young people need to be equipped with the relevant information to enable them to make informed choices. In fact, children need to be prepared from a very early stage to handle the challenges of the cyber world. Moreover, parents need assistance to understand the technology, evaluate its benefits and negative effects, and be provided with strategies for safe and responsible use.

ITU's Child Online Protection Initiative
Ms. Cristina Buetti, Policy Analyst, ITU

COP is a global initiative created by the ITU, as part of the GCA, aimed at identifying risks and vulnerabilities to children in Cyberspace; creating awareness; developing practical tools to help minimise risk; and sharing knowledge and experience. COP conducted a survey of 50 countries in February 2010 which produced mixed results. Only 37 countries, which constituted 58% of the Least Developed Countries, confirmed that there are programmes within educational establishments and youth bodies to promote the safe and responsible use of the Internet to children and young people. Future COP initiatives will include raising awareness and lobbying telecommunications administrations around the world to consider the allocation of the number 116111 to give access to help lines run by organisations dedicated to the support and welfare of children. COP also seeks to provide assistance to developing countries in drafting legislation together with implementation guidance, and to promote international cooperation among various stakeholders.

Protecting the Individual while Assuring Freedom of the Net
Mr. Paul Hoare, Head of Operations, Serious Organised Crime Agency, UK

An ICANN survey has found that 27% of domain names have been erroneously registered and the owners of 29 million domain names are not known. Factors hampering the prevention of Cybercrimes include enforcement challenges due to the involvement of multiple jurisdictions; lack of common legal definitions; and lack of accurate registration processes and corruption. On a positive note, social networking sites are becoming a good resource for law enforcement authorities. Though global consensus is emerging on certain issues such as child abuse, it should be broadened to cover other criminal activities.

The Internet - safety road for our children
Mr. Tomasz Czajkowski, The European Economic and Social Committee

The EESC Opinion issued in May 2008 finds that children face some serious risks as active users of online technologies and identifies a number of factors that contribute to this threat. The EESC has proposed harmonising legislation across EU Member States which at a minimum should address what constitutes child sexual abuse material, agree that children up to 18 should be considered for protection, and make the possession, viewing or downloading of online child sexual abuse material an offence which will warrant severe custodial penalties. The programme proposed by the EESC will have four actions, encouraging international cooperation as an integral part of each of them:
• reducing illegal content and tackling harmful conduct online
• promoting a safer online environment
• ensuring public awareness
• establishing a knowledge base

Key discussion points:
• It is important to make legislation as technology-proof as possible
• Jurisdiction becomes hard to define as the definition of Cyberspace is ambiguous: is it where the servers are or where the provider resides? This increases the need for cross-border cooperation
• Voluntary measures may place industry in a difficult position, particularly when providing services in different jurisdictions where a specific measure may be treated differently.

Photo caption: UK Minister of State for Security and Counter-Terrorism, Rt. Hon. Baroness Pauline Neville-Jones, gives a keynote address at the Cybersecurity 2010 Forum.
Session 3 - CERT: Successes, challenges and way forward
Chair: Mr. John Harrison, WARP (Warning, Advice and Reporting Points)

DNS CERT - Business case for collaboration in security
Mr. John Crain, Senior Director, Security Stability Resiliency Programme, ICANN

Growing risks such as the emergence of Conficker have made it patent that a global DNS CERT, with ISPs and domain name registrars as primary stakeholders, is a critical need, to provide DNS operators and supporting organisations with a security coordination centre with sufficient expertise and resources to enable timely and efficient responses to threats to the security, stability and resiliency of the DNS. Still, key questions remain, such as where to house it, what the model should be, how to finance it, or even whether it should be a separate agency. ICANN is seeking the inputs of stakeholders at this stage.

East Africa Communications Organizations (EACO) Region Experience
Mr. Michael Katundu, Assistant Director, Information Technology (IT), Communications Commission of Kenya (CCK)

The Cybersecurity Taskforce of the EACO, consisting of the ICT regulators and operators of Kenya, Tanzania, Uganda, Rwanda and Burundi, was formed in 2008 to coordinate the development of a Cybersecurity management framework for the EACO. It is tasked with facilitating the establishment of national CERTs; coordinating responses to Cybersecurity incidents at the regional level; establishing regional and international partnerships; and providing regional Cybersecurity Incident Reports annually to EACO member countries. So far its achievements include forming a partnership with the ITU to deploy national Cybersecurity frameworks; capacity building workshops; and country assessments by ITU-IMPACT of the national CERT establishment needs of the EACO member countries. Managing Cybersecurity in the EACO region is hampered by, among other things, the lack of policy, legal and regulatory frameworks; the lack of national Cybersecurity management frameworks; and limited Cybersecurity awareness.

ENISA & The CERT Community
Mr. Steve Purser, European Network and Information Security Agency

ENISA was formed in 2004 as a Centre of Expertise to support the European Commission and EU Member States, and today it facilitates the exchange of information between EU institutions, the public sector and the private sector. ENISA supports the Member States and other stakeholders in establishing and operating CERTs by providing help with the establishment of new CERTs; identifying good practices on how to operate CERTs; supporting training and exercises; and recommending a set of "baseline capabilities" for national/governmental CERTs. From 2005 to 2010 the number of CERTs in the EU has grown from 8 to 16, with a further 9 planned. However, the capabilities of national CERTs still vary widely among the Member States. WARPs (Warning, Advice and Reporting Points) could facilitate the exchange of security-related information and be an alternative to CERTs for small, trusted communities of users with similar levels of expertise. ENISA is tasked by the Commission to facilitate the pan-European exercise on CIIP, due to be first held in 2010 in 21 member countries.

Aims and Expectations of Gibraltar
Mr. Joseph Torres, Radiocommunications & IT Manager, Gibraltar Regulatory Authority

Though Gibraltar's online gambling services attract cyber criminals, it does not have a CERT yet. The legislative framework of Gibraltar consists of the Communications Act 2006 for protecting the infrastructure (GRA), the Data Protection Act 2004 for protecting the privacy of the individual (GRA) and the Crimes (Computer Hacking) Act 2009 for criminalising illicit use of computers (Police). Gibraltar certainly needs a CERT to coordinate resources both locally and internationally.

Key discussion points:
• It is doubtful whether developing countries would have the means to set up and support both a CERT and a DNS CERT
• Creating national points of contact and building trust among them is key to promoting international cooperation
• The ITU has a great role to play by setting standards in aspects of Cybersecurity such as information and encryption.
Session 4 - Appropriate legal frameworks for Cybersecurity
Session chair: Mr. Stewart Room, Field Fisher Waterhouse

Child Abuse Images on the Internet - a Commonwealth Response
Mr. John Carr, Secretary, UK Children's Charities Coalition on Internet Safety

The scale of offending through "child abuse images" (which is the preferred term over "child pornography"), together with other offences such as grooming and cyber bullying, has grown exponentially due to the growth of the Internet. In 1995 Interpol knew of 4,000 images globally, while in 2009 one million images were being circulated, viewed and downloaded billions of times. A global survey in 2010 of laws relating to child pornography found that only 34 countries out of 196 have a framework of laws "deemed sufficient to combat child pornography offenses", and 29 Commonwealth countries did not meet the required standard. The Commonwealth needs to aim for a common platform given its shared legal values and common legal principles. A working group has been proposed to take forward an initiative to encourage the adoption of a legal framework to deal with online child abuse images and to create a hotline to receive reports.

A model legislative and regulatory framework for Cameroon
Ms. Patricia Asognwe, University of Yaoundé, Cameroon

McAfee has found Cameroon to be home to the world's riskiest Internet sites, which reinforces the need for legislative and regulatory frameworks. Cameroon needs clearly defined laws, including a strong deterrent for Cybercrime, and must create robust and interoperable laws by incorporating standard models into its own legislation while taking into consideration its cultural diversity. Potential models include the United Nations Convention on the Use of Electronic Communications in International Contracts and the Council of Europe Convention on Cybercrime. The new law should outlaw illegal access, illegal interception and data interference. It also requires appropriate procedural laws to cover computer-related crimes that also address investigatory challenges and evidential issues. Achievements so far include the Bill on Cybercrimes and Cybersecurity and a draft bill on the protection of ICT consumers.

Towards a modernised Network and Information Security policy for the European Union - The EU framework and its relevance to the rest of the world
Mr. Andrea Glorioso, European Commission, DG INFSO

The EU Policy Framework for Network and Information Security (NIS) started with the establishment of ENISA in 2004. Recent developments include the EC proposal for an Action Plan on CIIP in March 2009 and the adoption of the European Digital Agenda in May 2010. The Commission's proposal for a modernised NIS policy, which is built on dialogue, partnership and empowerment through a multi-stakeholder approach, is expected in the summer of 2010. It requires service providers to prevent and minimise the impact of security incidents, to notify security breaches and to inform other EU authorities, ENISA and the public when needed. The Commission Communication to the European Parliament, COM(2009)149, sets the remit of CIIP as protecting Europe from large-scale cyber attacks and disruptions, including natural disasters; promoting a security and resilience culture and strategy; fostering cooperation and exchange of policy practices between EU members; and reinforcing international cooperation, amongst other things. One of the seven priority areas for action on the Digital Agenda is enhancing trust and security.

Sri Lankan Cyber Crimes Legislation - a Developing Country perspective
Mr. Jayantha Fernando, Director/Legal Advisor, Information and Communications Technology Agency (ICTA), Sri Lanka; Vice Chairman, ICANN Governmental Advisory Committee

The Sri Lankan legal framework is built primarily around the Computer Crimes Act No. 24 of 2007, which provides for the identification as well as the investigation and prevention of computer crimes; the Payment Devices Frauds Act No. 30 of 2006, which protects persons lawfully using payment devices, criminalises and prevents the possession and use of unauthorised or counterfeit payment devices and provides for the investigation of offences; and the Penal Code (Amendment) Act No. 16 of 2006, which prevents computer-based services being used for child exploitation. However, it should be noted that criminal investigations may interfere with the rights of subjects, and investigators need to ensure that actions are justifiable and proportionate to the needs. One of the unique features of investigation and enforcement is the provision to designate "experts" to assist investigators. Enforcement challenges remain, among them the lack of understanding by victims, enforcement authorities and the wider legal community alike as to what constitutes a Cybercrime, and the lack of infrastructure to safeguard the confidentiality of the victim. There are plans to establish a Digital Forensic Lab for the Computer Crimes Unit of the Police, set up a hotline for reporting offences and implement IT Usage and Information Security Policies in both the public sector and the private sector. The ICTA established Sri Lanka's CERT as a subsidiary in November 2006, based on a public-private partnership model. Sri Lanka is considering signing the Council of Europe Convention on Cybercrime and promoting international dialogue by engaging with international organisations.
Session 5 - Cybersecurity through international cooperation
Session chair: Mr. Geoff Smith, BIS

Global Cybersecurity Agenda - Next Steps
Ms. Cristina Buetti, ITU

WSIS entrusted the ITU as the sole facilitator for WSIS Action Line C5, "Building Confidence and Security in the use of ICTs". Both the ITU Plenipotentiary Conference in 2006 and the ITU World Telecommunication Development Conference in 2010 have placed Cybersecurity as a priority for the ITU. The ITU Secretary General created the GCA in 2007 to promote stakeholder collaboration and to avoid duplicating efforts by building upon five pillars: legal measures; technical and procedural measures; organisational structures; capacity building; and international cooperation. Since its inception the GCA has made some significant achievements. In legal measures, the ITU Toolkit for Cybercrime Legislation was created along with a Guide for Developing Countries on Cybercrimes. On technical and procedural measures, the ITU carried out standardisation work and created an ICT Security Standards Roadmap. Under organisational structures, the ITU-IMPACT collaboration was formed and national CIRT establishment was undertaken. On capacity building, the ITU developed the National Cybersecurity/CIIP Self-Assessment Tool along with a Toolkit for Promoting a Culture of Cybersecurity. In the field of international cooperation, the ITU created the High-Level Expert Group and the ITU Cybersecurity Gateway and launched COP. ITU-T's initiatives undertake security coordination both within the ITU and with external stakeholders; create and update a security compendium of approved security-related recommendations and definitions; and create the ICT Security Standards Roadmap and the ITU-T Security Manual.

Strengthening Greater International Cooperation Between Nations to Better Prevent, Defend Against Cyber Threats
Ms. Daisy Francis, Manager, International Cooperation, International Multilateral Partnership Against Cyber Threats (IMPACT)

IMPACT brings together governments, industry and academia to operationalise Cybersecurity initiatives across the ITU's 191 Member States. It is the physical home of the GCA, based on a memorandum of understanding signed in 2008. So far 42 countries have agreed to receive Cybersecurity services from IMPACT. IMPACT houses the Global Response Centre, which is the network early warning system in collaboration with global industry partners, and the Electronically Secure Collaborative Application Platform for Experts (ESCAPE). The Centre for Training & Skills Development provides specialised training, conducts certification courses and operates scholarship programmes.

International & Regional Cyber Security Initiatives
Mr. Peter Burnett, Office of Cyber Security, Cabinet Office, UK

The strategic objectives of the OCS are to secure the UK's advantage in Cyberspace by reducing risk, exploiting opportunities and improving knowledge, capabilities and decision-making. In the international arena the OCS coordinates the UK's international engagement on cyber issues, engages with international partners, provides guidance on international issues and acts as the contact point on international cyber policy. The UK, through CPNI, has produced the Telecommunications Resilience Guidance aimed at securing the UK's telecom networks. It has also created the International CIIP Directory for connecting stakeholders. The UK has identified facilitating communication between different stakeholders as a critical requirement in a crisis. The OCS believes that a multi-agency approach is critical, as Cybersecurity is too vast an area for a single agency to handle.

A Survey of International Efforts to Combat Cybercrime
Mr. Richard Simpson, Canada

The rapid growth of online threats has increased the cost to businesses and eroded trust and confidence in the Internet. While criminal law and law enforcement are important, national and international frameworks for civil law remedies are critical for security and trust on the Internet. A multi-stakeholder approach is essential for developing voluntary measures by the private sector to protect the Internet economy. These measures work on three tiers: law enforcement and national security; ground rules for the Internet economy; and private sector self-protection. The Council of Europe seeks to harmonise national laws across signatories to the Convention on Cybercrime, to facilitate international cooperation and to improve investigative techniques. The G8 High-Tech Crime Sub Group is an international framework that aims to assist law enforcement and industry in gathering information on criminal and terrorist acts using computer networks. An example of setting ground rules for the Internet economy is the OECD policy instruments, such as the Anti-Spam Toolkit of 2006. Some forms of action are being formulated to facilitate private sector self-protection, such as the Messaging Anti-Abuse Working Group (MAAWG), which produces data on threats, identifies threats and designs ways in which the private sector can respond. In this regard the similarities of Commonwealth members, though on different scales, are an advantage, as they facilitate action at a scale and to a depth that larger groupings are unable to, particularly by leveraging the strengths of members for the benefit of each other.
Session 5 (continued)

Photo: Speakers and attendees at the Cybersecurity Forum

Common Assurance Maturity Model (CAMM)
Des Ward, ISSA, Information Systems Security Association

By its very nature information needs to be shared, and the challenge is managing and assuring the security of third party access to information. ISSA proposes the Common Assurance Maturity Model (CAMM) as a new approach, built on existing standards, that measures maturity against defined control areas, with particular focus on key controls. The model is based on the individual entity setting the level of risk it is willing to tolerate and communicating that to its business partners. Evidence of compliance is captured in a central repository. The model applies existing standards to 6 domains (governance, HR, IT services, physical security, business continuity and incident management) and evaluates whether the controls are complete, essential, auditable and measurable. Responses against common control areas provide a measurement that indicates the level of maturity. A set of common controls and guidance is planned to be completed by the 4th quarter of 2010.

Key discussion points:

• Due to the use of proxies it is almost impossible to ascertain the origin of a Cyber attack.

• The better option is to address vulnerabilities than to attempt to respond to attacks.
Session 6 - Cybersecurity through international cooperation
Session chair: Mr. Geoff Smith, BIS

Organisational capacity building
Mr. Philip Victor, Director, Training, Skills Development & Outreach, International Multilateral Partnership Against Cyber Threats (IMPACT)

IMPACT has identified the lack of Cybersecurity professionals as a principal challenge. IMPACT's Centre for Training & Skills Development holds specialised training programs, conducts seminars and workshops and also operates scholarship programs in partnership with global certification bodies. IMPACT Security Core is the centre of its training and capacity building initiatives, providing both technical and managerial training which IMPACT plans to implement across the world. So far IMPACT has held several well attended courses in different subjects including Network Forensics & Investigation and IPv6. IMPACT also undertakes security assessments for countries, of which assignments for East and West Africa have just been concluded, and at the moment it is carrying out assessments for Nepal and the Maldives. This activity is aimed at gauging the security status and understanding the needs as a prelude to developing CERTs.

National Cyber Security Management System
Professor El Kettani Dafir, Ministry of Industry, Trade and New Technologies, Morocco

Morocco is implementing a National Cybersecurity Management System (NCSecMS), which could become a global framework that will respond to the needs expressed by the GCA. NCSecMS has four components: the National Cybersecurity Framework, Maturity Model, Roles & Responsibilities and the Implementation Guide. It works through five domains (strategy and policies; implementation and organisation; awareness and communication; compliance and coordination; and evaluation & monitoring), each with a number of processes, each of which is built around applicable stakeholders such as the Government, banking sector, citizens etc. Each process is expected to go through a five stage maturity process, from the initial level, when the process is in a disorganised state, to the optimizing level, when the process is constantly being improved after implementation by monitoring feedback. In Morocco, Cybersecurity is a part of the National ICT strategy, together with a regulatory framework and the organisational structures, supported by awareness raising, communications and capacity building.

To ensure resilience and security in e-communication networks, a PPP challenge
Mr. Anders Johanson: Director, Network Security Department, Swedish Post and Telecom Agency

The Swedish regulator, the Swedish Post and Telecom Agency (PTS), facilitates PPP projects to promote Cybersecurity and secure vulnerable functions; in the last 8 years 300 PPP projects have been implemented. One example is the National Telecommunications Coordination Group (NTCG), which was formed by the eight largest telcos and ISPs together with other stakeholders. It supports the restoration of national e-communications infrastructures during critical disturbances. Multipurpose Information Management and Exchange for Robustness is another PPP, sponsored by the EU, which is a technical platform for information exchange and supports crisis management. The National Computer Emergency Response Team (SITIC), the Swedish national CERT, is tasked with incident response and proactive measures. SITIC advises and supports government agencies, regions, municipalities and the private sector on proactive measures in the area of network security while also coordinating actions. SITIC is the national point of contact for international incident response cooperation and is a member of the European Government CSIRT Group, of FIRST, the Forum of Incident Response and Security Teams, and of the International Watch & Warning Network, IWWN.

Fostering Collaboration in a Digital Society
Mr. Anthony Dyhouse: Digital Systems - Knowledge Transfer Network, UK

The Knowledge Transfer Network (KTN) was set up by the Technology Strategy Board to provide a focal point for UK expertise in important future industries, to facilitate knowledge sharing and to encourage collaboration as a multi-stakeholder partnership. Digital Systems KTN was created by the amalgamation of three KTNs in view of the need for a holistic approach as a result of the convergence of technology, and today comprises the Cyber Security Programme, the Scalable Computing Programme and the Location and Timing Programme. KTN is a model for collaboration that facilitates sharing knowledge, innovation and understanding by conducting events; manages funding calls; fosters special interest groups; and facilitates industry.

Photo: Dr. Ekwow Spio-Garbrah, Chief Executive Officer, CTO and Philip Victor, Director of Training, Skills Development & Outreach, IMPACT, sign an MOU for multi-lateral co-operation against cyber crimes
Session 6 (continued)

Emerging Organisational Structures; an EU Perspective
Mr. Ivailo Kalfin, MEP, Committee on Industry, Research and Energy

Cybersecurity capabilities across the European Union (EU) vary to a large degree, which, along with issues of financing mechanisms, has hampered the development of a common approach to Cybersecurity. ENISA is an instance where cooperation has produced positive results, but ENISA has only a temporary mandate and it has to be renewed by the end of 2010. The absence of a sense of permanency contributes to the instability of the system. One challenge to formulating a Europe-wide response for Cybersecurity is the potential conflict with national laws such as personal data protection. Secondly, the EU's inability to take part in international consultations as one entity, though members take part in their individual capacity, is an impediment. Encouragingly, the Heads of State of the EU have adopted the Digital Agenda recently, though the focus on Cybersecurity is limited.

On another positive note the EU now has an official, in the form of Ms Neelie Kroes, Vice-President of the European Commission, responsible for the Digital Agenda, whose remit is developing digital policies and addressing related problems. Lack of a single organisational structure is a key impediment to responding to Cybersecurity on a Europe-wide basis. Current practices are limited to coordination between various bodies such as the National CERTs, who unfortunately have varying degrees of capabilities.

Three critical actions needed to assure Cybersecurity across Europe are: firstly a better understanding of the issues and facets of Cybersecurity; secondly European coordination of policies; and thirdly an EU strategy and modalities to implement the strategy.

Intellect's Cyber Security Programme
Mr. Charles Ward: Chief Operating Officer, Intellect

Intellect is an industry association that develops new thinking, influences policy, shapes markets and improves its members' performance, focusing on digital communications and convergence; ID and information management; and defence and security, among other areas. Intellect's Security & Resilience engagement map calls for linkages and coordination between various stakeholder groups, drawing on the workings of the Defence and Security Board, which has a dedicated Cyber Security Group. This group was formed in 2009 to provide a coherent voice for industry working in "high threat" areas and carries out awareness raising while contributing to policy development.

It produces position papers on improving mechanisms for information sharing between Government and industry on Cyber threats. Its plans for the future include creating an industry charter or a code of conduct.
Session 7 - Technical responses to Cybersecurity
Session Chair: Mr Mark Carvell, BIS

An overview of the Cybersecurity Information Exchange Framework - CYBEX
Mr. Mike Hird: BIS

The basic CYBEX model facilitates the flow of information from Cybersecurity information acquisition to Cybersecurity information use by structuring information; identifying and discovering objects; requesting and responding with information; exchanging information over networks; and assuring Cybersecurity information exchanges. CYBEX has the means to identify and exchange knowledge about weaknesses, vulnerabilities and incidents, and the trust assurance for the information and parties involved. It will determine the Cyber-integrity of systems and services, detect and exchange incident information and provide forensics. Importantly, CYBEX can be extended to networks, services and platforms operating today or that may come into being in future. The CYBEX Framework and some initial specifications are expected to be ready by December 2010 and implementation is due by 2011-12. It is a multistakeholder initiative that brings together government agencies, vendors, service providers and other bodies.

Harmonizing identity management, privacy and security in the cloud and in the grid: Dynamic distributed key infrastructures and dynamic identity verification and authentication seamless interoperability
Mr. Andre Brisson, WNLabs, Canada

Dynamic identity verification and authentication allows a choice of credential providers, can be used with any existing security technologies, any model or framework, and is scalable. In dynamic identity verification and authentication, both the server and the endpoint have a copy of the account identity management key. The server sends a request to the endpoint for an identification token of a specific length. The server authenticates the user/device by comparing the received token to the token generated at the server for that person or device. In this method cost is better managed, as the requirement is simply to add an identity management protocol that can be called from any application at the point of network access. The system could be extended to a wider group by collating identities at a central location, bringing together the stakeholders from both public and private sectors. In a wider scenario the Government can issue all citizens a unique identity management key, which would allow people to access all services with unique key segments without ever exhausting the key. The government could also issue master keys to Tier 1 communication providers, which can be used by the carriers and communications providers to issue an unlimited number of keys/identities to access non-government services. This model facilitates service to any number of endpoints in any combination of models or frameworks for interoperability, which will enable safe online transactions, better use of resources and enhanced user convenience, among other benefits.

Wireless World Research Forum - Security, Privacy, and Trust Agenda
Dr. Mario Hoffmann, Chair WWRF Working Group 7 "Security & Trust"

With the exponential growth of wireless devices (estimated to top 7 trillion by 2020), privacy, security and trust are becoming a key challenge. In its research WWRF has identified the potential threats to the Application Layer, Platforms/Middleware, Mobile Devices and Infrastructure, in addition to threats occurring Inter/Cross-Layer. WWRF recommends, among other things, a multilateral security approach for security and risk analyses: addressing privacy, security and trust at the design stage, taking all parties of a transaction into account, considering each party's security requirements and privacy concerns, and finding a reasonable balance between different interests.

Trust, Security, and Resiliency - Empowering the Information Society
Ms. Angela McKay, Senior Security Strategist, Microsoft

Understanding Cyber threats requires understanding the many challenges, including the varying motives and actors. Ensuring trust in the Information Society involves addressing revocation (mechanisms for revoking claims), establishment (mechanisms to uniquely identify, authenticate, and establish trust), broker-mediated disclosure (mechanisms enabling trusted 3rd parties to minimize data shared) and minimal disclosure (mechanisms to limit information revealed to only what is essential for the transaction).

The primary aim of a strategy to assure security and trust should be to reduce the potential gains of an attacker, which is the base on which the Microsoft Security Development Lifecycle is built, and where emergency responders, Government, media and the private sector & NGOs partner with Microsoft. Its contributions to the initiative include training (e.g. the Security Cooperation Program) and policy guidance through the Critical Infrastructure Partner services.
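The shared-key token exchange outlined in the WNLabs presentation above (server and endpoint each hold a copy of the account key; the server asks for a token of a given length and compares it with the one it computes itself) is an instance of the general challenge-response pattern. The block below is an added illustration of that general pattern and is not WNLabs' own method or code: it assumes an HMAC-SHA256 derivation over a random server challenge truncated to the requested length, an assumed minimum token length, single-use challenges, and a constant-time comparison on the server side. All account names and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption of this example: tokens are the first `length` hex characters of
# HMAC-SHA256(shared_key, challenge). This is a generic construction, not the
# proprietary derivation described at the forum.
MIN_TOKEN_LEN = 16   # hex chars; assumed policy floor so a requested token is never trivially guessable
MAX_TOKEN_LEN = 64   # full SHA-256 hex digest


def derive_token(shared_key: bytes, challenge: bytes, length: int) -> str:
    """Both sides run this with their copy of the key; only the server picks the challenge."""
    if not MIN_TOKEN_LEN <= length <= MAX_TOKEN_LEN:
        raise ValueError("token length outside accepted range")
    return hmac.new(shared_key, challenge, hashlib.sha256).hexdigest()[:length]


class Endpoint:
    """Device or user agent holding its copy of the account identity key."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes, length: int) -> str:
        return derive_token(self._key, challenge, length)


class Server:
    def __init__(self):
        self._keys = {}      # account id -> shared key (in production this sits in a vault or HSM)
        self._pending = {}   # account id -> (challenge, length) awaiting a single response

    def enroll(self, account: str, shared_key: bytes) -> None:
        self._keys[account] = shared_key

    def issue_challenge(self, account: str, length: int = 32) -> tuple:
        """Hand the endpoint a fresh random challenge and the token length it must return."""
        if account not in self._keys:
            raise KeyError("unknown account")
        challenge = secrets.token_bytes(16)
        self._pending[account] = (challenge, length)
        return challenge, length

    def verify(self, account: str, token: str) -> bool:
        """Recompute the expected token and compare in constant time.

        The pending challenge is popped before comparison, so a captured token
        replayed later (or a second guess at the same challenge) is rejected.
        """
        pending = self._pending.pop(account, None)
        if pending is None:
            return False
        challenge, length = pending
        expected = derive_token(self._keys[account], challenge, length)
        return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Exercise a genuine endpoint, an endpoint with the wrong key, and a replayed token."""
    key = secrets.token_bytes(32)                 # constructed account key
    server = Server()
    server.enroll("alice-laptop", key)            # constructed account id
    genuine = Endpoint(key)
    impostor = Endpoint(secrets.token_bytes(32))  # constructed: holds a different key

    challenge, length = server.issue_challenge("alice-laptop")
    genuine_ok = server.verify("alice-laptop", genuine.respond(challenge, length))

    challenge, length = server.issue_challenge("alice-laptop")
    impostor_ok = server.verify("alice-laptop", impostor.respond(challenge, length))

    challenge, length = server.issue_challenge("alice-laptop")
    token = genuine.respond(challenge, length)
    first_use = server.verify("alice-laptop", token)
    replay = server.verify("alice-laptop", token)  # challenge already consumed

    return {"genuine": genuine_ok, "wrong_key": impostor_ok,
            "first_use": first_use, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Two defender-side details carry the weight here: the challenge is random and consumed on first use, so a token observed on the wire is worthless afterwards, and `hmac.compare_digest` avoids leaking how many leading characters of a guess were correct. The "specific length" the server requests maps to truncating the MAC; the floor on that length is what keeps a short token from being brute-forced within the lifetime of one challenge.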
Abbreviations/Technical terms

Botnets: Software agents, or robots, that run autonomously and automatically
CII: Critical Information Infrastructures
CIIP: Critical Information Infrastructure Protection
COP: Child Online Protection
CPNI: Centre for Protection of National Infrastructure, UK
CERT: Computer Emergency Readiness/Response Team
DDOS: Distributed Denial of Service attack
DNS: Domain Name System
EESC: European Economic and Social Committee
EU: European Union
GCA: Global Cybersecurity Agenda
GDP: Gross Domestic Product
G8: Group of Eight
ITU: International Telecommunications Union
Malware: Malicious software
OECD: Organisation for Economic Co-operation and Development
PPP: Public Private Partnerships
WSIS: World Summit on the Information Society
COMMONWEALTH TELECOMMUNICATIONS ORGANISATION
64 - 66 Glenthorne Road
London W6 0LR
United Kingdom
Tel: +44 (0) 208 600 3800
Fax: +44 (0) 208 600 3819
E-mail: