A National approach to Cyber security/CIIP: Raising awareness.


Objectives

• Propose a way of thinking about Cyber Security/CIIP

• A FRAMEWORK

• Identify key elements of the FRAMEWORK and relationships among them

• Suggest methods for building a national consensus on FRAMEWORK and on implementation actions.

10/18/10


Cybersecurity: Why Worry?

• Nation is dependent on ICTs
  • Economic wellbeing
  • National security
  • Social cohesion

• Risk is inherent in ICT use
  • Vulnerabilities
  • Threats
  • Interdependences

• Conclusion: Action is required


Cybersecurity: Who’s responsible?

“Government, business, other organizations, and individual users who develop, own, provide, manage, service and use information systems and networks”

- UNGA Resolution 57/239 Creation of a global culture of cybersecurity

Collectively known as The Participants


Participants: What should they do?

AWARENESS: Be aware of the need for security and what they can do to enhance it.

RESPONSIBILITY: Review their own security policies, practices, measures and procedures regularly and assess appropriateness.

RESPONSE: Act in a timely and cooperative manner to prevent, detect and respond to security incidents.

In a manner appropriate to their roles

See: UNGA Res 57/239.


Cybersecurity responsibility

It’s SHARED

All participants must be responsible

Each participant must take action -- appropriate to its role in the overall system

Government has responsibility to lead


Government lead: What does it do?

1. Ensure all participants are aware of security

2. Promote responsibility, and

3. Assure coordinated response by participants; using

• A common national vision
• Policy and institutional frameworks


Government lead: How?

1. Conduct a national Cybersecurity Self-Assessment: Take stock

2. Promulgate a National Cybersecurity Strategy: Vision for action


Cyber security scope

What is meant by cybersecurity?

• ITU documents speak of “Enhancing security and building confidence in the use of ICT applications”

• UNGA resolutions 57/239 and 58/199 speak of “a culture of cyber security in the application and use of information technologies” and in the protection of critical information infrastructures.

• Others speak in terms such as cyberspace, the Internet and the information society.


Cyber security scope

Recognizing there is no fixed definition, a national approach to cybersecurity should include

• Physical security of the information infrastructure

• Virtual security, and

• Human aspects of the use of ICTs, including interactions among people


Key documents

UNGA Resolutions:

• 64-211 Taking stock of cybersecurity needs and strategies

• 58-199 Creation of a global culture of cybersecurity and the protection of critical information infrastructures

• 57-239 Creation of a global culture of cybersecurity

• 56-121 Combating the criminal misuse of information technologies

• 55-63 Combating the criminal misuse of information technologies

See: http://www.un.org/documents/resga.htm


Key documents

ITU National Cybersecurity/CIIP Self-Assessment Tool

ITU Q.22/1 Report On Best Practices For A National Approach To Cybersecurity: Building Blocks For Organizing National Cybersecurity Efforts

ITU Cybercrime Resources:

• ITU Toolkit For Cybercrime Legislation

• ITU Publication on Understanding Cybercrime – A Guide for Developing Countries

See: http://www.itu.int/ITU-D/cyb/cybersecurity/index.html


Take Stock: Self-Assessment - What is it?

• An identification and evaluation of the existing national approach to cyber security.
  • Policies
  • Procedures
  • Mechanisms
  • Norms
  • Institutions
  • Relationships

• What are we doing?

• What should we be doing?

• Input for a National Cybersecurity Strategy


Vision: National Strategy - What is it?

A Policy Document that Provides a National Vision:

• Outlines the case for national action

• Identifies participants and their roles

• Elaborates organizational responsibilities

• Establishes policy and operational structures

• Addresses key elements of cybersecurity

• Lays out a plan of action


Getting Started

• The Audience
  • Who are they?
  • What is their level of awareness and response?
  • What decisions already taken?

• The Participants
  • Those entities and persons who
    • Will prepare and comment on the Self-Assessment and the National Strategy,
    • Will implement the National Strategy
  • They come from
    • Government
    • Business and Industry
    • Academia
    • Civil Society


Getting Started

• The Case for Action
  • Role of ICTs in the nation
  • Vulnerabilities and threats
  • Risks to be managed

• The stage for Cybersecurity:
  • Relationship to other national goals and objectives
    • Economic and Development goals
    • Industry goals
    • Social goals
    • Security goals


Key elements

Key Elements of a National Cybersecurity Strategy:

• Legal Framework

• Culture of Cybersecurity

• Incident Management

• Collaboration and Information Exchange


Objectives

For each key element

• A statement of policy

• Identify and prioritize goals to support policy

• Elaborate specific steps to reach goals


Other considerations

• Resources
  • Budget and financing
  • Equipment and technology
  • Human capacities

• Timeframes and milestones

• Priorities

• Reviews and reassessments


Output

Self-assessment provides: Input to a National Cybersecurity Strategy

A set of Findings and Recommendations
  • With supporting documentation
  • Reviewed by all participants

That provide the basis for policy decisions and a program of action to address cybersecurity
  • Promulgated at a level to ensure action by all participants


Conclusion

Use of a National Cyber Security Self–Assessment to produce a National Cyber Security Strategy can assist governments:

• Understand the existing national approach

• Develop “baseline” on best practices

• Identify areas for attention

• Prioritize national efforts

• Promote national action

and assist with regional and international coordination and cross-border cooperation


Final Observations

No nation starts at ZERO

No “right” answer

Continual review and revision needed

All “participants” must be involved, appropriate to their roles


Questions?
