A Framework for an African Policy Towards Creating Cyber Security Awareness IST-Africa 2011, Gaborone, Botswana 11-13 May 2011 Zama Dlamini - CSIR Barend Taute - CSIR Jabu Radebe – Dept. of Communications, South Africa Imagine Sipho, a small business owner from Mussina, wants to register his business (selling goods to Zimbabwean visitors on behalf of Makro SA) with Revenue Service and the Department of Labour using the newly available online system. A friend of a friend encouraged Sipho to use the online system in order to avoid the queues and delays. As a first time internet user (now that broadband internet is available 24h a day) he goes to the Revenue Service website on his mobile phone and enters all his personal information as asked (not realising that it was a phishing website and not aware of the potential risks). He even enters his bank account number and PIN to pay his value added tax. × He pays VAT for a year, at the end of which he submits his Tax Return, only to discover that he was never registered and that his money is lost. × Not knowing who to ask for help, Sipho eventually loses his business Purpose and Approach • Purpose ― To highlight the importance of an African Cyber Security Strategy that will specifically increase Cyber Security Awareness • Approach 1. Review of the cyber security landscape in Africa 2. Review of Cyber Security Policies from developed countries (USA, UK, Estonia, Korea) 3. Conceptual framework for an African Cyber Security Strategy 4. Framework for Cyber Security Awareness Outline • • • • • • • • • Introduction and Background Cyber Security Landscape in Africa Cyber Security Policies in Africa Examples of Implementation in Africa Cyber Security Policies from the Developed Countries Learning from Developed Countries Framework for African Cyber Security Policy African Cyber Security Awareness Recommendations & Conclusion Introduction and background… • Global concern on Cyber Security • Cyber security has become a GLOBAL issue of concern, judging from the increase in importance in the developed world (USA, UK, EU, Estonia, Korea, etc.) • Unique Challenges in African continent – The digital divide – Dealing with low levels of IT literacy – Dominant use of mobile devices and wireless networks (security solutions less advanced or not used) – Roll-out of broadband internet access in Africa (vulnerable and open to exploitation) – African Cyber Security policy lacking at this stage • How do we address the challenges to get to the desired future? Cyber Security Landscape in Africa: Key player organizations on African cyber security • United Nations Economic Commission for Africa (UNECA) — addresses CS as African Information Society Initiative (AISI) • International Telecommunication Union (ITU) — builds confidence and security in the use of ICTs internationally • International Criminal Police Organization (Interpol) — has its ISRT, recommends IS awareness at ALL levels • African Network Information Centre (AfriNIC) — has AfWG-tasked with raising Cyber Security awareness in Africa • Information Security Group of Africa (ISG-Africa) — Wide membership, partnered with different companies, eCrime Portal • Others that we have not identified? Cyber Security Policies in Africa… • Draft South African National Cyber Security Policy ― ― ― ― ― ― Legislative Framework Policy Objectives Creating Institutional Capacity to Respond to Cyber Crime and Threats Reducing Cyber Security Threats and Vulnerabilities (CSIRT) Coordinate Local and International Partnerships Continuous Innovation, Skills Development and Compliance • Mauritius National Cyber Security Policy ― National Awareness Programs and Tools ― Good Governance of Cyber Security & Privacy ― Harnessing the Future to Secure the Present ― Personal Cyber Security ― A holistic approach integrates many elements CSIRT/CERT = Computer Security Incident Response Team/ Computer Emergency Response Team …Cyber Security Policies in Africa • Kenyan National Cyber Security Policy ― ― ― ― ― ― ― Collaboration between stakeholders Develop relevant Policies, Legal and Regulatory frameworks Establish national CERT thus providing a Trusted Point of Contact Build Capacity: technical, legal and policy Awareness creation is key Research and development Harmonization of Cyber Security management frameworks at the regional level • Tunisian National Cyber Security Policy ― ― ― ― ― ― ― Defining Legal Cyber security Framework Cyberspace protection Training and Education Research and Development Raising Awareness International Cooperation Creating Execution and Implementation mechanisms Some Examples of Implementation in Africa CSIRTs provide a means for detecting and responding to cyber security incidents and collaboration on issues such as cyber security awareness – locally, continentally and internationally • Mauritius: Emergency Response Team (CERT-MU) ― Computer Incident Response Team (CIRT) ― Cyber Security Awareness Portal ― National Cybercrime Prevention Committee (NCPC) • Tunisia: Tunisian Computer Emergency Response Team (tunCERT) ― Computer Emergency Response Team – Tunisian Coordination Center (CERT-TCC). • South Africa : Electronic Communications Security - Computer Security Incident Response Team (SA- ECS-CSIRT) • Kenya: Kenya Computer Security Incidence Response Team (KE-CSIRT) Learning from Developed Countries… • UK National Cyber Security Policy ― ― ― ― ― ― ― ― Safe, Secure and Resilient System Policy, Doctrine, Legal and Regulatory issue Awareness and Culture Change Skills and Education Technical Capabilities and Research and Development Exploitation International Engagement Governance, Roles and Responsibilities • USA National Cyber Security Policy ― ― ― ― ― ― Leading from the Top Building Capacity for a Digital Nation Sharing Responsibility for Cybersecurity Creating Effective Information Sharing and Incident Response Encouraging Innovation Action Plans Learning from Developed Countries… • Estonian Cyber Security Policy ― ― ― ― Threats in cyberspace Fields of activity supporting cyber security: Description and analysis Enhancing cyber security in Estonia Implementation of the Strategy • Malaysian Cyber Security Policy ― ― ― ― ― ― ― ― Effective Governance Legislative and Regulatory Framework Cyber Security Technology Framework Culture of security and Capacity Building Research and Development Towards Self-Reliance Compliance and Enforcement Cyber Security Emergency Readiness International Cooperation Framework for African Cyber Security Policy… • The goal for cyber security in Africa should be to enable the full benefits of cyber space to all African countries • The proposed framework (combining key points from other strategies) includes: 1. 2. 3. 4. 5. 6. 7. Improved and Effective ICT Governance Cyber Security Awareness Formal Training Improve and Maintain Response to Crime and Security Incidents Technological Governance Research, Development and Innovation on Cyber Security Globalisation …Framework for African Cyber Security Policy ... 1. Improved and Effective ICT Governance ― Leadership, laws and policies, partnerships (EU Convention on Cyber Crime), cyber security standards and best practices 2. Cyber Security Awareness ― support public, business and government cyber security awareness programs 3. Formal Training ― cyber security skills training at universities with African cooperation 4. Improve and Maintain Response to Crime and Security Incidents ― National and sector-based CSIRTs/CERTs, crime intelligence, crime investigation and forensics, international cooperation …Framework for African Cyber Security Policy ... 5. Technological Governance ― digital device use, exploitation and cyber space 6. Research, Development and Innovation on Cyber Security ― Grow R&D capability for reactive and proactive security ― Promote growth in the ICT security industry 7. Globalisation ― Participation continentally and globally on cyber security initiatives African Cyber Security Awareness • Awareness is used to stimulate, motivate, and remind the audience what is expected of them. Needed in Africa. • Components for a Cyber Security Awareness Programmes (according to Peltier): ― ― ― ― ― ― ― ― ― ― ― Security Awareness Goals and Objectives Identify Current Training Needs Obtain Support Identify Intended Audience Define Topics to be covered Establish Security Policy Define Delivery Methods to be used Develop a Strategy for Implementation Design Awareness Strategy Design Training Strategy Develop Evaluation Methods Recommendations & Conclusion • Awareness campaigns should not wait for continental strategies • Cyber Security awareness should reach and inform all internet users • Collaborate with existing initiatives- the proverbial weakest link can affect all countries. • Coordinate better across Africa to learn / support each other • This will enhance resilience against cyber crimes and attacks and inform African policy development ---- and now back to Sipho, the small business owner in Mussina ... The Future – our small business owner is now fully aware of cyber security risks and has access to good advice: Sipho uses his smart ID card to access e-Government services via his cellphone. The certificate on his ID card is issued and recognised by the South African Government. He completes the transaction in 5 minutes This includes confirmation of the company name and verification of his data already on record (address and tax status). In order to protect his private information, he knows that the interaction with the back-end system is encrypted. He receives a signed certificate for his business registration and uses this to open a business bank account. After 5 years Sipho changes his company into a listed company and then retired a wealthy man in 30 years later ...Thank You?? Other Cyber Security Structures from Developed Countries International CERTs • Global- CERT — — — — — — US- USCERT Australia- AusCERT UK- UKCERT Canada- CanCERT Japan- JPCERT Hong Kong- HKCERT • Sector specific UK CERTs — Academic — Military — Governmental • Sector specific US CERTs — Energy — NASA — Military • Other CERTs — — — — — — — — — — — — — — — — — — CERT-China CERT-Croatia CERT-France CERT-Germany CERT-Italy CERT-Denmark CERT-Finland CERT-Korea CERT-Lithuania CERT-Mexico CERT-Netherland CERT-Norway CERT-Poland CERT-Russia CERT-Slovenia CERT-Spain CERT-Sweden CERT-Switzerland