Critical Information Infrastructure Protection - Essential during

advertisement

Critical Information Infrastructure Protection – essential during War times or Peace times or both?

Prof Basie von Solms

University of Johannesburg

Johannesburg basievs@uj.ac.za

AGENDA

• What is Critical Information Infrastructure (CII)?

• What does CIIs consist of?

• What are the risks related to CIIs?

• What is Critical Information Infrastructure Protection (CIIP)?

• When is CIIP needed/required – during war or during peace?

• Who is responsible for CIIP?

• What is the relationship between CIIP and Corporate Governance?

• The Estonia - Russia Cyber war of 2007

• The role of a CERT/CSIRT

• The position in SA and Africa

WARNING!!!!

• Nothing I will say is new!

• Most of you will be up to date on everything I am going to say!

• However, we must say it again to stimulate discussion!!

What is CII ?

Critical information infrastructures (CIIs) are communications and/or information services whose availability, reliability and resilience are essential to the functioning of a modern economy

Critical Information Infrastructure Protection , A Report of the 2005 Rueschlikon Conference on

Information Policy

• Telecommunications, power distribution, water supply, public health services, national defense (including the military’s warfighting capability), law enforcement, government services, and emergency services (are all part of a country’s CII)

INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges Remain to Protect Federal

Systems and the Nation’s Critical Infrastructures, 2003

What is CII ?

• Computers, networks, and network components are now essential to virtually all of (a) nation’s critical infrastructures

Cybersecurity

– A Crisis of Prioritization, Office of the Executive President of the USA, 2005

• CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country

What does CII consist of?

(IT workers) work with the information technologies in many visible application areas every day

Less visible, and certainly less well understood, is the fact that these technologies – computers, mass storage devices, high-speed networks and network components such as routers and switches, systems and applications software, embedded and wireless devices, and the Internet itself

– are now also essential to virtually all of the Nation’s critical infrastructures

Cybersecurity – A Crisis of Prioritization, Office of the Executive President of the USA, 2005

What does CII consist of?

The growing use of the Internet in CIIs

What are the risks related to CII?

• ….. an increasing concern (is growing) about attacks from individuals and groups with malicious intent, such as crime, terrorism, foreign intelligence gathering, and acts of war.

INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal Systems and the Nation’s Critical Infrastructures, 2003

• Cybercrime to today the fastest growing form of crime in the world

What are the risks related to CII?

… concerns are well founded for a number of reasons, including

* the dramatic increases in reported computer security incidents,

* the ease of obtaining and using hacking tools,

* the steady advance in the sophistication and effectiveness of attack technology, and

* the dire warnings of new and more destructive attacks.

INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal

Systems and the Nation’s Critical Infrastructures, 2003

What are the risks related to CII?

The use of the Internet in CIIs!!!!

Information Warfare/National Security

(Estonia case study)

What is Critical Information Infrastructure Protection (CIIP)?

Ensuring the

• Confidentiality,

• Integrity and

• Availability

(CIA) of these infrastructures

When is CIIP needed/required – during war or during peace?

From the discussion above, it is absolutely clear that CIIP is required

• 24/7/365 ‘for ever’

• <CIIs are NOT infrastructures limited to the domains of defence, the military, intelligence services, police services etc – they are part of the daily modern economy and existence of any country>

• Protecting the computer systems that support our nation’s critical operations and infrastructures is a continuing concern

INFORMATION SECURITY, GAO 03-564, Progress Made, but Challenges remain to Protect Federal

Systems and the Nation’s Critical Infrastructures, 2003

When is CIIP needed/required – during war or during peace?

The challenge is to realize that CIIP is as essential during peace times as it is during war times –

In fact, failures of CIIs during peace times can result in riots and attacks and even war!!!

Who is responsible for CIIP?

About 85 percent of the United States' critical infrastructures, telecommunications, energy, finance, and transportation systems, are owned and operated by private companies

If our critical infrastructures are targets, it is the private sector that is on the front line.

Critical Infrastructure Information Security Act http://www.senate.gov/~bennett/press/record.cfm?id=226461

Who is responsible for CIIP?

Thus, we have to think differently about national security, as well as who is responsible for it.

In the past, the defense of the Nation was about geography and an effective military command-and-control structure.

However, now prevention and protection must shift from the command-control structure to partnerships that span private and government interests. (2)

Critical Infrastructure Information Security Act http://www.senate.gov/~bennett/press/record.cfm?id=226461

What is Corporate Governance?

‘Corporate Governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed.

Information security governance is a subset of organizations’ overall

(corporate) governance program.’

Information Security Governance – A Call to Action, National Cyber Security Summit Task Force, http://www.entrust.com/news/2004/corporategovernancetaskforce.pdf?entsrc=isgfullreport , accessed on 2 April 2008

What is the relationship between CIIP and Corporate Governance?

The final area where industry ought to act is in making CIIP a board-level matter, concomitant with general corporate governance activities.

CIIP is not a technical matter, but mainstream business matter.

Critical Information Infrastructure Protection , A Report of the 2005 Rueschlikon Conference on

Information Policy

• The Estonian Cyber war

The Estonian Cyberwar refers to a series of cyber attacks that began

April 27 2007 and swamped websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's row with Russia about relocation of a Soviet-era memorial to fallen soldiers, as well as war graves in

Tallinn

Wikipedia

• The Estonian Cyber war

Some observers reckoned that the onslaught on

Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners, because, at the time it occurred, it may have been the second-largest instance of statesponsored cyberwarfare, following Titan Rain

Wikipedia

• The Estonian Cyber war

The main targets have been the websites of:

· the Estonian presidency and its parliament

· almost all of the country's government ministries

· political parties

· three of the country's six big news organisations

· two of the biggest banks and

• firms specializing in communications

Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

• The Estonian Cyber war

Influence on international military doctrines

The attacks triggered a number of military organisations around the world to reconsider the importance of network security to modern military doctrine.

On June 14 2007, defence ministers of NATO members held a meeting in

Brussels, issuing a joint communiqué promising immediate action.

On June 25, 2007, Estonian president met with the president of USA

Among the topics discussed were the attacks on Estonian infrastructure.

As to the placement of a newly planned NATO Cooperative Cyber Defence

Centre of Excellence (CCD COE) Bush proclaimed the policy of USA as supporting Estonia as this centre's location.

Russia accused of unleashing cyberwar to disable Estonia http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

Summary

CIIP is a coordinated synergistic effort including

• the Government

• the Private sector

• the Defence/Military/intelligence agencies

• Research agencies

• Academics and Universities

• all IT workers

• friendly countries

Summary

CIIP is a coordinated synergistic effort including

• the Government

• the Private sector

• the Defence/Military/intelligence agencies

• Research agencies

• Academics and Universities

• all IT workers

• friendly countries

Computer Security Incident Response Team (CSIRT)/

Computer Emergency Response Team (CERT)

The role of a CERT/CSIRT

The United States Computer Emergency Readiness Team

(USCERT) is …… intended to coordinate the respond to security threats from the Internet.

As such, it releases information about current security issues, vulnerabilities and exploits …….

The role of a CERT/CSIRT

A CSIRT can most easily be described by analogy with a fire department.

• reactive

• proactive

CSIRTs in SA

2005 – Cobus Venter & Bernard Taute

2007 – JCSE

2008 – No up to date info could be found (any inputs???)

The cost of cybercrime, http://www.polity.org.za/article.php?a_id=69510

SA takes first steps towards Computer Security Incident Response Team (CSIRT), http://cbr.co.za/news.aspx?pklNewsId=27281&pklCategoryID=378

CSIRTs in Africa

Why am I here:

I (on behalf of the international Cyber Security Incident Response Teams community) want National point of contact CSIRT at each of the African countries to be the focal point for the incident response coordination!

Yurie Ito, Director of Technical Operation, JPCERT/Coordination Center,

Japan, @CSIRT Training in AfNOG tutorial, Morocco. 1 June, 2008

Setting up CSIRTin the Africa Region, www.afnog.org/talks.html

CSIRTs in Africa

JPCERT/CC is a CSIRT established in Japan. It acts as a "CSIRT of the CSIRTs" in the Japanese community.

JPCERT/CC coordinates its activities with trusted CSIRTs worldwide.

The goal of AfNOG is to share experience of technical challenges in setting up, building and running IP networks on the African continent.

Summary

CIIP is essential for SA and Africa

CIIP is a Corporate Governance responsibility

CIIP involves a comprehensive set of role players

CIIP needs CSIRTs

CIIP need inter country cooperation

Where do we stand in SA and in Africa???

New journal

The scope of the journal includes, but is not limited to:

Information security challenges and implementation issues that are common (as well as unique) to infrastructure sectors.

Elucidation of the interdependencies existing between infrastructure sectors and their information security protection.

Core security principles and techniques that can be applied to address problems in information infrastructure protection.

Development of sophisticated information infrastructure protection solutions that blend scientific methods, engineering techniques and public policy.

Let’s talk!!!!

Thanks

Download