Critical Information Infrastructure Protection – essential during War times or Peace times or both?
Prof Basie von Solms
University of Johannesburg
Johannesburg basievs@uj.ac.za

• What is Critical Information Infrastructure (CII)?
• What does CIIs consist of?
• What are the risks related to CIIs?
• What is Critical Information Infrastructure Protection (CIIP)?
• When is CIIP needed/required – during war or during peace?
• Who is responsible for CIIP?
• What is the relationship between CIIP and Corporate Governance?
• The Estonia - Russia Cyber war of 2007
• The role of a CERT/CSIRT
• The position in SA and Africa

• Nothing I will say is new!
• Most of you will be up to date on everything I am going to say!
• However, we must say it again to stimulate discussion!!

What is CII ?
•
Critical information infrastructures (CIIs) are communications and/or information services whose availability, reliability and resilience are essential to the functioning of a modern economy
Critical Information Infrastructure Protection , A Report of the 2005 Rueschlikon Conference on
Information Policy
• Telecommunications, power distribution, water supply, public health services, national defense (including the military’s warfighting capability), law enforcement, government services, and emergency services (are all part of a country’s CII)
INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal
Systems and the Nation’s Critical Infrastructures, 2003

What is CII ?
• Computers, networks, and network components are now essential to virtually all of (a) nation’s critical infrastructures
Cybersecurity
– A Crisis of Prioritization, Office of the Executive President of the USA, 2005
• CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country

What does CII consist of?
(IT workers) work with the information technologies in many visible application areas every day
Less visible, and certainly less well understood, is the fact that these technologies – computers, mass storage devices, high-speed networks and network components such as routers and switches, systems and applications software, embedded and wireless devices, and the Internet itself
– are now also essential to virtually all of the Nation’s critical infrastructures
Cybersecurity – A Crisis of Prioritization, Office of the Executive President of the USA, 2005

What does CII consist of?
The growing use of the Internet in CIIs

What are the risks related to CII?
• ….. an increasing concern (is growing) about attacks from individuals and groups with malicious intent, such as crime, terrorism, foreign intelligence gathering, and acts of war.
INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003
• Cybercrime to today the fastest growing form of crime in the world

What are the risks related to CII?
… concerns are well founded for a number of reasons, including
* the dramatic increases in reported computer security incidents,
* the ease of obtaining and using hacking tools,
* the steady advance in the sophistication and effectiveness of attack technology, and
* the dire warnings of new and more destructive attacks.
INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal
Systems and the Nation’s Critical Infrastructures, 2003

What are the risks related to CII?

What is Critical Information Infrastructure Protection (CIIP)?
Ensuring the
• Confidentiality,
• Integrity and
• Availability
(CIA) of these infrastructures

When is CIIP needed/required – during war or during peace?
From the discussion above, it is absolutely clear that CIIP is required
• 24/7/365 ‘for ever’
• <CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country>
• Protecting the computer systems that support our nation’s critical operations and infrastructures is a continuing concern
INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal
Systems and the Nation’s Critical Infrastructures, 2003

When is CIIP needed/required – during war or during peace?
The challenge is to realize that CIIP is as essential during peace times as it is during war times –
In fact, failures of CIIs during peace times can result in riots and attacks and even war!!!

Who is responsible for CIIP?
About 85 percent of the United States' critical infrastructures, telecommunications, energy, finance, and transportation systems, are owned and operated by private companies
If our critical infrastructures are targets, it is the private sector that is on the front line.
Critical Infrastructure Information Security Act http://www.senate.gov/~bennett/press/record.cfm?id=226461

Who is responsible for CIIP?
Thus, we have to think differently about national security, as well as who is responsible for it.
In the past, the defense of the Nation was about geography and an effective military command-and-control structure.
However, now prevention and protection must shift from the command-control structure to partnerships that span private and government interests. (2)
Critical Infrastructure Information Security Act http://www.senate.gov/~bennett/press/record.cfm?id=226461

What is Corporate Governance?
‘Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed.
Information security governance is a subset of organizations’ overall
(corporate) governance program.’
Information Security Governance – A Call to Action, National Cyber Security Summit Task Force, http://www.entrust.com/news/2004/corporategovernancetaskforce.pdf?entsrc=isgfullreport , accessed on 2 April 2008

What is the relationship between CIIP and Corporate Governance?
The final area where industry ought to act is in making CIIP a board-level matter, concomitant with general corporate governance activities.
CIIP is not a technical matter, but mainstream business matter.
Critical Information Infrastructure Protection , A Report of the 2005 Rueschlikon Conference on
Information Policy

• The Estonian Cyber war
The Estonian Cyberwar refers to a series of cyber attacks that began
April 27 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia about relocation of a Soviet-era memorial to fallen soldiers, as well as war graves in
Tallinn
Wikipedia

• The Estonian Cyber war
Some observers reckoned that the onslaught on
Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners, because, at the time it occurred, it may have been the second-largest instance of statesponsored cyberwarfare, following Titan Rain
Wikipedia

• The Estonian Cyber war
The main targets have been the websites of:
· the Estonian presidency and its parliament
· almost all of the country's government ministries
· political parties
· three of the country's six big news organisations
· two of the biggest banks and
• firms specializing in communications
Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

• The Estonian Cyber war
Influence on international military doctrines
The attacks triggered a number of military organisations around the world to reconsider the importance of network security to modern military doctrine.
On June 14 2007, defence ministers of NATO members held a meeting in
Brussels, issuing a joint communiqué promising immediate action.
On June 25, 2007, Estonian president met with the president of USA
Among the topics discussed were the attacks on Estonian infrastructure.
As to the placement of a newly planned NATO Cooperative Cyber Defence
Centre of Excellence (CCD COE) Bush proclaimed the policy of USA as supporting Estonia as this centre's location.
Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

CIIP is a coordinated synergistic effort including
• the Government
• the Private sector
• the Defence/Military/intelligence agencies
• Research agencies
• Academics and Universities
• all IT workers
• friendly countries

CIIP is a coordinated synergistic effort including
• the Government
• the Private sector
• the Defence/Military/intelligence agencies
• Research agencies
• Academics and Universities
• all IT workers
• friendly countries
Computer Security Incident Response Team (CSIRT)/
Computer Emergency Response Team (CERT)

The United States Computer Emergency Readiness Team
(USCERT) is …… intended to coordinate the respond to security threats from the Internet.
As such, it releases information about current security issues, vulnerabilities and exploits …….

A CSIRT can most easily be described by analogy with a fire department.
• reactive
• proactive

2005 – Cobus Venter & Bernard Taute
2007 – JCSE
2008 – No up to date info could be found (any inputs???)
The cost of cybercrime, http://www.polity.org.za/article.php?a_id=69510
SA takes first steps towards Computer Security Incident Response Team (CSIRT), http://cbr.co.za/news.aspx?pklNewsId=27281&pklCategoryID=378

Why am I here:
I (on behalf of the international Cyber Security Incident Response Teams community) want National point of contact CSIRT at each of the African countries to be the focal point for the incident response coordination!
Yurie Ito, Director of Technical Operation, JPCERT/Coordination Center,
Japan, @CSIRT Training in AfNOG tutorial, Morocco. 1 June, 2008
Setting up CSIRTin the Africa Region, www.afnog.org/talks.html

JPCERT/CC is a CSIRT established in Japan. It acts as a "CSIRT of the CSIRTs" in the Japanese community.
JPCERT/CC coordinates its activities with trusted CSIRTs worldwide.
The goal of AfNOG is to share experience of technical challenges in setting up, building and running IP networks on the African continent.

CIIP is essential for SA and Africa
CIIP is a Corporate Governance responsibility
CIIP involves a comprehensive set of role players
CIIP needs CSIRTs
CIIP need inter country cooperation
Where do we stand in SA and in Africa???

The scope of the journal includes, but is not limited to:
Information security challenges and implementation issues that are common (as well as unique) to infrastructure sectors.
Elucidation of the interdependencies existing between infrastructure sectors and their information security protection.
Core security principles and techniques that can be applied to address problems in information infrastructure protection.
Development of sophisticated information infrastructure protection solutions that blend scientific methods, engineering techniques and public policy.