Cyber Defence East Africa 2018 Preparing for Cyber Crisis
Conference report
6-7th August 2018
Kampala, Uganda
Contents:
Cyber Defence East Africa conference – the idea
Executive Summary
Policy Day
Practical Sessions
Uganda’s Cyber Threat Landscape
The Organizers
Cyber Defence East Africa conference – the idea
Cyber-attacks, targeting both private and public sectors, are becoming
bigger and more aggressive in terms of the effect and cost they have.
2017 saw one of the greatest cyber-attacks of all time, which affected
organizations in various countries all around the world, including the East
Africa Region. Therefore, nations should be ready to deal with large-scale
cyber-attacks and have effective crisis management mechanisms at the
organizational, national and international levels to reduce the damage
and spill-over effects across national borders.
The Cyber Defence East Africa (CDEA) conference has been organized for the
6th time in the East Africa region and for the 3rd time in Uganda. The annual
event is intended to work both as a meeting point for key cyber security
stakeholders and as a platform for collaboration and new
initiatives. During the 2017 event, the Declaration on strengthening cyber
security in financial sector was signed among key cyber security
stakeholders in the financial sector. The act infused the urge for
collaboration and, as a result, continuous cooperation among Uganda’s
banking sector representatives has started.
2013, Tanzania; 2014, Tanzania; 2015, Tanzania; 2016, Uganda; 2017, Uganda
Executive Summary
The Cyber Defence East Africa 2018 conference was co-organized in Uganda
by NRD Cyber Security and NITA-U and was dedicated to effective
preparation for cyber crisis. The event focused on readiness (i.e. how to
ensure maximum cyber incident visibility, training and preparation, etc.)
and reaction (i.e. immediate actions, incident handling, crisis
communication, etc.).
Once again it gathered CEOs, CIOs, CTOs, heads of IT departments, IT
managers, Infosec professionals together with policy-makers, law
enforcement officers, CERT and Central Bank representatives. In this
report you will find the main ideas, issues and suggestions that were
raised and shared during the Cyber Defence East Africa 2018 conference.
CDEA 2018 conference took place in Kampala, Uganda
Policy Day
The Policy Day was aimed at those closer to strategy and policy
making, with an emphasis that cyber security is first and foremost a
management issue. Therefore, the day featured high-level keynote
speeches and panel sessions on cyber security threats and focused on
strategic aspects of cyber crisis management: how to prepare for and
handle cyber crisis so that it does not lead to national crisis. The day was
concluded by reviewing the effects of the Declaration on strengthening
cyber security in financial sector which was signed during the 2017
conference.
The Policy Day sessions were opened by Peter Kahiigi, head of
E-Government Services at NITA-U. In his welcoming speech, Mr. Kahiigi
highlighted the importance of continuous effort to prepare for cyber
crisis:
“As Uganda and the whole East Africa Region advances with technological
development, more people are using mobile money and online services -
we all become interconnected and as we know cyber threats have no
boundaries or borders. Hence, cyber-attacks can only be handled if we
prepare for them in synergy.”
Keynote by Dr. Vilius Benetis
The first keynote of the conference was delivered by NRD Cyber Security
CEO Dr. Vilius Benetis, who shared his company’s experience and
knowledge of cyber security threats around the world and gave an
overview of the cyber threat landscape, focusing especially on the East Africa
Region. He compared the speed at which the attacks are spreading with
the average response and reaction time and put particular emphasis on
critical infrastructure:
“When it comes to a sector that is particularly vulnerable to any cyber
incident, like energy, finance, public health care, etc., the line between
cyber and national crisis can be really thin. The attacks are becoming more
sophisticated in both method and scale.”
He also highlighted that attackers are motivated both by financial gain
and by the idea of creating chaos and disruption (which comes
from both personal and political motives).
Effective cyber crisis management by Akvilė Giniotienė
Mrs. Akvilė Giniotienė, NRD Security Governance Expert, reviewed in her
presentation the roles and responsibilities for effective cyber
crisis management. Mrs. Giniotienė said that nations should really
evaluate the scale at which organizational disruptions affect a country or even
a region, as disruption inside the body can jeopardize the economic,
infrastructural or political situation. Hence, it is vital to know what to
watch out for:
“For a country to have a clearer picture of what a national crisis would look
like, it is essential to know what constitutes national level risks. A National
Risk Assessment where a number of risks is reviewed and evaluated as
threatening country’s stability, can help to have a more constructive view
of the most significant, yet vulnerable areas. This exercise enables the
country to identify what type of crisis should be dealt with at national level,
and which should be the responsibility of certain organizations or their
clusters.”
Mrs. Giniotienė also drew attention to how important it is to consider
cyber-attacks as a national threat, especially when thinking about
objects that belong to critical infrastructure:
“Contingency planning is the key and there are many stakeholders involved
as crisis usually doesn’t have borders. Many bodies, organizations and
disciplines need to be involved in national crisis handling. Preparation for
crisis should be taken as a unified approach as the vulnerable organizations
should be building their resilience capacity – in cyber security area this
could be done by establishing cyber security incident response teams,
training and establishing knowledge sharing practices to access the latest
information about cyber threats and their effective handling.”
Panel discussion: Effective cyber crisis management – who needs to be involved and how?
The presentation Akvilė Giniotienė delivered worked as an intro to a
panel discussion with Emmanuel Mugabi, Information Security
Operations Manager at NITA-U, Noah Baalessanvu, Chairman at National
Information Security Advisory Group and Andrew Walusimbi, Lead
Implementer at Uganda Bankers Association. The discussion explored
how a cyber incident response team should prepare and be
prepared. Mr. Emmanuel Mughabi said that an effective CSIRT should be
prepared both at technological and staff level:
“Great tools and equipment are just one part of the puzzle, but skilled
people and continuous training is a must.”
Mr. Andrew Walusimbi added that it is great to see that Uganda’s
banking sector is treating cyber security seriously, but there are still
great challenges ahead:
“Financial services are amongst most heavily targeted and the awareness
level about cyber threats and their potential damage in many financial
institutions is high – most of them are already budgeting for cyber security.
However, a great issue continues to be skilled cyber security professionals
– the budget allows to acquire great tools, but the competencies to use
them properly in many cases are just not there. Hence, it could be of value
to outsource the skillset.”
Mrs. Giniotienė encouraged the participants to consider whether in
Uganda cyber security is seen as a shared responsibility amongst
different organizations and what is a fair share. Mr. Baalessanvu
highlighted the importance of collaboration amongst organizations that
are part of critical infrastructure:
“It is vital not only to have reliable measures for threat intelligence in
individual organizations but approach it as a common issue – i.e. share
knowledge, information, insights and sometimes - even resources.
Currently this is not done enough. Harmonizing the use of same tools and
equipment can bring economic benefit.”
Mr. Walusimbi, representing Uganda Bankers Association, added:
“In theory many organizations know that they should be establishing cyber
security measures and have a way to monitor, analyze and handle cyber
incidents, yet still there is a lot of reliance on government.”
Communication during cyber crisis by Živilė Nečejauskaitė
This year the conference explored the topic of communication and its
role in preparation for and handling cyber crisis – the presentation was
delivered by NRD Cyber Security Marketing and Communications Expert
Živilė Nečejauskaitė.
• Very few organizations have PR crisis management plans, and if they
do, the plan is rarely updated regularly to reflect changes in organizational
structure;
• If a PR crisis management plan is absent, a formula could be used to
prevent a cyber security crisis evolving into a public relations (PR) crisis;
• In preparation for cyber crisis the organization should consider the
three ingredients:
  o Clarity – putting a mechanism in place that allows the facts and
    figures to be gathered as soon as possible;
  o Core team – who should be notified about the crisis first;
  o Speed – knowing the communication chain, i.e. having a clear
    overview of all the layers of people involved in passing on
    information from top management to casual staff and vice versa.
• When the crisis strikes, first the organization should acknowledge it.
Clear signs of a crisis are when the situation can have any of the
following consequences:
  o Damage organization’s functional and/or financial
    performance;
  o Harm the health and well-being of customers;
  o Employees, surrounding community and environment;
  o Destroy public’s trust in the organization.
Panel discussion: Communications during cyber crisis: What to communicate?
Mrs. Nečejauskaitė was later joined on stage by Steven Kirenga,
Marketing and Communications Lead at NITA-U, and Danny Craig, a
Consultant at Summit Consulting. They explored how to avoid
disinformation and confusion during cyber crisis. Mr. Craig stressed the
importance of stakeholder management:
“During a crisis it is essential to avoid wasting energy on false enquiries that
result due to incorrect communication choices. Identification and mapping
out of key stakeholders, drafting the messages they should get and
agreeing which channels to choose for communication can significantly
improve the effectiveness of crisis management.”
Mr. Kirenga added that avoiding communication can have disastrous
effects:
“The worst of all is to say nothing at all, especially to your internal
stakeholders. This way the organization is only encouraging rumours and
distortion of the facts.”
Cybercrime trends in East Africa by Joseph Mathenge
Mr. Joseph Mathenge, Chief Operating Officer at Serianu, reviewed
“Africa’s Cyber Security Report for 2017”, which was conducted in
collaboration with 850 African organizations in both public and private
sectors. The report findings suggest that organizations’ vulnerability to
cyber-attacks is increasingly dependent on internal factors. As more
organizations in Africa automate their processes and more data is
accessible by various stakeholders from different devices, more security
measures must be in place to protect both the organization and the
end-user. Hence, it is important to have a holistic approach towards cyber
security.
Mr. Mathenge once again stressed that financial institutions and
organizations remain among the most targeted and especially drew
attention to Uganda’s banking sector, which suffers from the highest
number of cyber threats in the country.
Panel discussion: EAC efforts to address cybercrime
Mr. Mathenge was later joined on stage by panel discussion participants
Jimmy Haguma, IT Commissioner at Uganda Police Force, Herculs Bizure,
President at ISACA Kampala Chapter and Martin Karungi, Analyst at
Uganda National CERT/CC – NITA. The participants shared the
collaboration methods that are currently used by various organizations in
Africa, especially in the East Africa region. Mr. Haguma highlighted how
collaboration amongst interconnected organizations can simplify
processes:
“Prosecution and police already do training sessions together and we are
trying to bring other jurisdictions on board. It helps to ensure that cyber
threats are handled in the same manner and common issues are
promptly resolved.”
Other speakers
During the conference, Goran Oparnica, general manager of INsig2, the
leading European company in the field of digital forensics, gave an
overview of the latest trends on handling modern cybercrime.
Mrs. Giniotienė addressed the Declaration on strengthening cyber
security in financial sector which, on behalf of all participants, was signed
by Permanent Secretary at Ministry of ICT & NG, NITA-U, Bankers
Association and Financial Intelligence Authority in 2017.
2017 Declaration
Every financial organization needs to establish effective governance structures with clear responsibilities for cyber security. Cyber security is Management issue and not a technological one. Effective response to cyber incidents is paramount to the stability of financial sector across East Africa. Board of directors of every financial institution must act without delay:
• Cyber-conscious organizations are to update their org-charts identifying a role, responsible for cyber secure operations of the organization, entrusted with clear mandate, responsibilities and budget.
• Cyber-conscious organizations are to ensure that the member of staff appointed to Cyber security role will report directly to the top management. Reporting to Head of IT keeps cybersecurity as purely technological issue and is not sufficient.
• Cyber-conscious organizations are to develop an actionable cybersecurity roadmaps approved and monitored by the top management.
• Financial, law enforcement and other public institutions must embrace the availability of digital data to enhance their decision making and address the threats.
Mr. Walusimbi from Uganda Bankers Association stated that the declaration
first infused the urge for collaboration. Straight after the 2017
conference a meeting of bank representatives took place to discuss the
common issues and approaches, and this has been done on a continuous basis
ever since. Mr. Emmanuel Mughabi, Information Security Operations
Manager at NITA-U, added that there has been great progress in information sharing.
The conference concluded with remarks about the role and inclusion of
the organizations that are important to the country’s cyber security
ecosystem, yet do not belong to critical infrastructure or do not
classify themselves as part of any sector. Mr. Walusimbi said:
“We have already started categorizing small organizations that are
carrying out financial transactions as microfinance and started treating
them as part of the financial sector. Although their impact may not seem
significant, they are part of cyber security ecosystem and are playing a
role.”
Practical Sessions
The second day of the conference focused on practical solutions and was
split in two parts:
1. Uganda Cyber Security Assessment and Defining Cyber Landscape for Uganda;
2. Interactive crisis simulation exercise based on role-play.
Together with key cybersecurity stakeholders, a National Cyber Security
Index (NCSI) update session was performed. NCSI, developed by the
e-Governance Academy (eGA), works on the one hand as systematic
guidance for the development of a trustworthy information society, and
on the other hand as an index which describes the current situation in
different countries and lets countries compare themselves with each
other.
After reviewing and submitting missing legal documentation which
proves Uganda’s efforts to create a strong legal base for cyber security, the
country has risen in the NCSI ranking from 75th to 41st place and is now the
leader in the African region.
The second session on the Practical Session Day of the conference was
designed to give the participants a taste of a real-case scenario. An
interactive crisis simulation exercise, based on role-play, was moderated
by Dr. Vilius Benetis, CEO at NRD Cyber Security. Based on a scenario of
a potential cyber-attack in the finance sector, the exercise encouraged the
participants to think about how they should deal with various stakeholders,
how they should manage the information flow and how they should
react under pressure.
The participants were split into groups where they all shared the same
issue but had different responsibilities. Some participants acted as
independent stakeholders (such as police, press, central bank, etc.). The
exercise was timed, and the particularities of each group’s decisions
were discussed.
Uganda’s Cyber Threat Landscape
During the conference, Uganda’s cyber threat landscape was defined by performing a cyber security assessment with all the participants in the conference. A survey was conducted on the frequency of threat-related incidents and their impact on Uganda. The workshop generated a report which has been shared with the authorities in Uganda and can be used:
• For national cyber security strategy and CIIP strategy development;
• For cyber risk assessment framework for CIIs;
• By executives, risk managers, auditors and security managers in Uganda.
The Organizers
For the third year in a row, the conference was co-organized by NRD Cyber Security and NITA-U. It was endorsed by NRD Companies that have been organizing the conference in East Africa since 2013, together with NRD Cyber Security, NITA-U in Uganda and other partners in Tanzania.
NRD Cyber Security is a cybersecurity technology consulting, incident response and applied research company. The Company focuses on the services to specialized public services providers, such as Law enforcement, National Cyber Incident Response Teams (CSIRTs), Security Operating Centers (SOCs), Telecom, National communication Regulators, National Critical Infrastructure, Finance industry and corporates with high data sensitivity. Our mission is creating a secure digital environment for states, governments, corporations and citizens in Central and Eastern Europe, Sub-Saharan Africa, South Asia and other regions via technology platforms, workflows and processes.
All conference attendees were accredited 14 CPE hours and received a certificate of attendance.
Gynėjų str. 14, Vilnius, LT-01109, Lithuania Phone: +370 5 219 1919