Security and Prosperity Steering Group Draft Report

Transcription

1 2015/SOM2/TEL51/PLEN/023 Agenda Item: 7.3 Security and Prosperity Steering Group Draft Report Purpose: Consideration Submitted by: SPSG Convenor 51 st Telecommunications and Information Working Group Meeting Boracay, Philippines May 2015

2 51 st APEC TEL WORKING GROUP MEETING SECURITY AND PROSPERITY STEERING GROUP MEETING 15th May 2015 Boracay, Philippines The Security and Prosperity Steering Group (SPSG) meeting was held on 15th May 2015 from 09:00 17:30 at the Mabuhay Convention Hall, Paradise Garden Hotel, Boracay, the Philippines. The meeting was convened by Convenor, Mr.Thongchai Sangsiri of Thailand with the assistance of Deputy Convenor, Dr. Pei-wen Liu of Chinese Taipei. 1. OPENING The SPSG Convenor welcomed all APEC member economies to the Security and Prosperity Steering Group (SPSG) meeting. He thanked the host country, the Philippines, for their hospitality and reminded the meeting that the steering group would meet for one day only and, therefore, needed to be efficient in order to complete the tabled agenda. There are noteworthy developments in a number of areas since the last SPSG meeting in Australia. These developments include the approval of the TEL Work Plan 2015 and the TEL Strategic Action Plan at the TELMIN 10 in Malaysia. The Convenor thanked Singapore for offering to brief the meeting of the current status of these developments. The meeting reviewed each agenda item and adopted the SPSG meeting agenda. 2. HOST ECONOMY BRIEFINGS ON CYBERSECURITY EFFORTS Mr. Nicholas D. Ojeda Jr., Deputy Executive Director, Information and Communications Technology Office, provided the host economy briefing on recent cybersecurity efforts in the Philippines. He explained that emphasis was placed on three essential components: people, process, and technology. Concerning the people, the government of the Philippines focuses on safe access to cyberspace and ensures that people accessing cyberspace do not harm other citizens. In addition, the right people must be able to access and provide the right information at the right time. Furthermore, the government also promotes cybersecurity capacity and competency development. As for process, prescribed policies, standards, operational procedures and guidelines have been established as well as the national computer emergency response team or CERT. There are currently two different categories: Government CERT, which is being operated by the police, and a national CERT, which is being created by a Presidential Order. In the area of technology, the government encourages the use of up-to-date and state-of-the art technology and ensures the use of licensed software. 3. OVERVIEW OF SPSG REPORT AT THE 50th APEC TEL WG The Convenor recapped the outcomes from the previous SPSG meeting at the 50th APEC TEL WG in Australia for the benefit of those who may not have been there. Australia provided the host economy briefing on current cybersecurity initiatives. Information about child safety initiatives was presented at the meeting. Emphasis was placed on providing children with positive examples of good online behavior. Australia also has continuing education programs for all citizens and businesses, such as the Stay Smart Online Alert Service ( It puts out notifications of various security threats and advice for businesses. Stay Smart Weeks and Anti-fraud Weeks have been regularly organized. The focus forward is to give businesses the tools to protect themselves from online threats. Two URLs were provided for further information.

3 The 2nd economy briefing was given by CERT Australia. This organization helps Australian business to prepare for, defend against and mitigate cyber security attacks. Its focus is on Australian systems of national interest, including critical infrastructure. In 2013, a cyber-crime and security survey was carried out and 135 CERT Australia partner organizations responded. Interesting statistics include: 61% had no cyber security provisions in business risk registers, 56% detected at least 1 incident in 2013, and 57% replied that they chose not to report detected incidents externally. The most surprising result was that IT security expenditure is decreasing. A full report is available for download from cert.gov.au website, At this TEL, SPSG organized one very successful workshop on awareness raising activities where experts were invited to give presentations. The workshop closed with a panel discussion comprised of four experts from 4 member economies. Two economies provided current project updates: Comparing Approaches to Combating Botnets (USA) and Security of Mobile Devices (Malaysia). Two concept notes were discussed and approved at the meeting. 1. Japan s Workshop on Development of a safe and secure ICT use environment as a self-funded project. It aims to invite expert policymakers and regulators as well as the business community to share challenges, case studies and the efforts of each economy to respond to issues related to new ICT services as a contribution to development of a safe and secure ICT use environment in the APEC region. Three topics will be covered: (1) development of youth Internet use environment, (2) appropriate handling of user information related to ICT services, and (3) countermeasures for spam. The project received co-sponsorship from four member economies, including Australia, Brunei, Singapore, and United States of America. Japan planned to hold a one-day workshop at the APEC TEL Thailand proposed a concept note on the APEC Cybersecurity Framework with the aim to develop a cybersecurity framework which will include a repository of cyber security resources for APEC economies. The contents will be drawn from existing sources. This project is self-funded. The meeting discussed possible activity themes for October 2015 and agreed on promoting cybersecurity top-tips. Member economies agreed to send their cybersecurity top-tips to the Convenor for circulation and also share them with the APEC secretariat. Toward the end of the meeting, three guests were invited to present: a. OECD-WPISP (Working Party on Information and Privacy) Mrs. Siegel gave a briefing of ongoing projects, which include improving international comparability of CSIRTs statistics and revising the 2002 Security Guidelines. b. ISOC Mrs. Chomprang gave an overview of ISOC s mission and objectives. She introduced ISOC s role in security, which includes the 2002 OECD Guidelines for the Security of Information Systems and Networks and the OECD Digital Economy Report Cybersecurity Policy Making at a Turning Point. She mentioned the Mutually Agreed Norms for Routing Security (MANRS), aka the Routing Resilience Manifesto project, which focuses on BGP filtering, anti-spoofing and coordination and collaboration. c. APCERT Australia CERT explained the structure and priorities of APCERT. Currently, JPCERT/CC is the Chair and KrCERT/CC is the Deputy Chair. There are 25 teams from 19 economies. There are a number of challenges, including finding an effective mechanism to share information among members and identifying economies in the region that are not yet represented in APCERT. APCERT collaborates with other Asia- Pacific entities and also national CERTs outside the region. 4. TEL WG WORK PLAN and TEL STRATEGIC ACTION PLAN 4.1. TEL Work Plan 2015

4 Singapore explained that Work Plan for 2015 was drafted and approved by the SOM at the 10th Telecommunications and Information Ministerial Meeting in Malaysia in March It subscribed to the APEC connectivity blueprint, carried forward tasks outlined in the APEC 2014 Tasking Statement, and continued to work toward the current TEL Strategic Action Plan The Work Plan for 2015 identified cross-cutting issues and explained how they will be coordinated across fora. The Deputy Convenor noted that the SPSG has already worked with APEC Emergency Preparedness Working Group (EPWG) during the workshop organized by the Philippines earlier this week. Furthermore, the SPSG could also approach the Small and Medium Enterprises Working Group (SMEWG) to promote a safe and secure environment that empowers the SMEs. The Convenor offered to clarify with the APEC Secretariat how to coordinate a cross-fora activity. The meeting discussed the list of expected outcomes/deliverables for 2015 for the SPSG. These include (1) a workshop on CSIRT indicators, (2) a Cyber Security Awareness Activity, (3) Development of a Safe and Secure ICT Use Environment, and (4) a workshop on ICT for Disaster Risk Reduction and Management. The US informed the meeting that they will not be able to host a workshop on CSIRT indicators in TEL Strategic Action Plan Singapore explained that the vision and objectives of the TEL Strategic Action Plan were to establish an ICT ecosystem, characterized by integrated, seamless, secure, trusted and innovative ICT infrastructure, services and applications, widespread use of ICT in all sectors, and improved ICT skills and digital literacy which will enable APEC to attain regional economic integration, economic transformation and growth, physical and institutional people-to-people connectivity, and other APEC goals. The scope of the TEL WG includes new components: the digital economy and the internet economy. Five priority areas were identified: (1) develop and support ICT innovation, (2) promote a secure, resilient and trusted ICT environment, (3) promote regional economic integration, (4) enhance the digital economy and the Internet economy, and (5) strengthen cooperation. Furthermore, objectives and actions were described to provide more details. During the HOD and ExComm meetings these objectives and actions were considered and marked for planning and prioritization. The SPSG was tasked with priority 2: promote a secure, resilient and trusted ICT environment. The meeting agreed that future SPSG activities will focus in this area. The Convenor encourages economies to plan ahead and utilize TEL Strategic Action Plan as a reference. 5. WORKSHOP OUTCOMES Three SPSG workshops were conducted between May Development of a Safe and Secure ICT Use Environment This workshop was a one-day workshop held by Japan. The moderator was Mr. Makoto Yokozawa from Nomura Research Institute, Ltd., Japan. About 50 people attended this workshop. This workshop had 3 sessions. The first session s theme was Countermeasures for Spam. Five speakers (from the Ministry of Internal Affairs and Communication, Japan, Softbank Mobile Corp, Internet Initiative Japan, Inc., Office of the Communications Authority, Hong Kong and the Australian Government Department of Communications) made presentations. In the wrap-up session, the role of the government sector and the private sector, effective measures on technology and regulations, future cooperation in the APEC region, etc. were discussed among participants.

5 The second session s theme was Development of Safe and Secure Internet Environment for Youth. Five speakers from KDDI R&D Labs., Inc., Yahoo Japan Corporation, Information and Communication Security Technology Center, Chinese Taipei, the Malaysian Communications and Multimedia Commission and Information and the Communication Technology Office, Philippines, made presentations. In the wrap-up session, hot issues, effective measures, etc. were discussed among participants. The third session s theme was Appropriate handling of user information related to ICT services. Four speakers from the Korea Communications Commission, the Ministry of Internal Affairs and Communications, Japan, AT&T Inc., and the Ministry of Industry and Information Technology of China made presentations. In the wrap-up session, law, police, and regulations concerning personal data were discussed among participants. Finally, the moderator concluded with the points below: Citizens, youth and users have to have awareness and proper knowledge Participants expect Governments/Providers/NGOs/Communities to establish and ensure an appropriate environment Asia and Pacific Regions are the CENTER of ICT. The Asia-Pacific style of Safety and Security is expected from all regions in the world. 5.2 ICT for Disaster Risk Reduction and Management (Philippines) The Philippines organized a half-day workshop on ICT for disaster risk reduction and management on the afternoon of 14 May The workshop was divided into two sessions: (1) disaster mitigation and preparedness and (2) disaster response and recovery. The primary goal for the first session, disaster mitigation and preparedness, was to prepare to alleviate disaster situations when they occur. There are three ICT projects related to disaster preparedness and mitigation: project (1) NOAH, (2) Project DINA (Disaster Information for Nationwide Awareness), and (3) Weather Forecasting system. This workshop emphasized the NOAH project, which is related to the APEC TEL action plan to enhance the effectiveness of disaster response by strengthening disaster management networks. At the moment, the Philippines is testing two systems used for managing disasters: the Cloudbased Disaster Management System and the Emergency Warning Broadcasting System (EWBS). There is a future plan to establish Cloud-based Disaster Management at the Intelligent Operation Center (IOC) of the Office of Civil Defense. During the second session, disaster response and recovery, the Philippines showed that they are responding to and recovering from the impacts of disasters by strengthening ICT. They are also providing ICT resource support to improve response and coordination among rescue organizations. Moreover, the Philippines introduced the Intelligent Operation Center (IOC), which was established to consolidate databases related to health, weather and analysis of weather reports. It also provides information to other government agencies to share impact analyses and hourly updates during extreme weather disturbances. Apart from that, the Philippines has established the Emergency Telecom Cluster (ETC), which will be activated and operationalized in times of disaster. There are also other applications which will contribute to the process of disaster response and recovery, such as Project DINA and the Batingaw application. 5.3 Cybersecurity Framework (Thailand) Thailand organized a half-day Cybersecurity Framework workshop on the afternoon of 12 May A total of 31 economy representatives attended the workshop. Thailand provided a number of basic concepts based on research and suggestions from relevant stakeholders from a seminar organized in Thailand. The objective of the workshop was to share those basic concepts and seek member economies' input and suggestions to build a solid fundamental cybersecurity framework. Thailand introduced three areas of

6 interest, including: (1) NIST Cybersecurity Framework 1.0, (2) Multi-stakeholder model, and (3) other concepts and technologies. The workshop has produced useful and constructive suggestions which Thailand will use to further research from information sources before starting the drafting process. Thailand planned to inform the Plenary that it would not be able to complete the project at TEL WG 52 as planned. Furthermore, Thailand planned to request one full-day workshop at the TEL WG CURRENT PROJECT UPDATES 6.1. Comparing Approaches to Combating Botnets (USA) The US reported that they had distributed a questionnaire set about botnets to member economies last year, but received a very low response rate and therefore did not have enough information to make a proper assessment. The meeting discussed ways to improve the result and recommended a re-distribution through the HODs and s from the SPSG sign-in sheet that was being circulated in the meeting. 6.2 CSIRT Indicators (USA) The US provided a brief explanation of its CSIRT Indicators project which was launched in 2012 as a joint APEC-OECD initiative. The project aims to improve the status quo of CSIRT statistics. The US informed the meeting that it was unable to organize a CSIRT Indicators workshop at the current APEC TEL meeting as planned nor did it schedule one for the next APEC TEL. However, the US still intends to organize such workshop in the future. 7. DISCUSSION AND APPROVAL OF NEW PROJECT PROPOSALS No new projects were proposed by SPSG member economies 8. ECONOMY REPORTS 8.1 Japan Japan gave a briefing on the Japan Cybersecurity Basic Act which includes a cybersecurity strategy and a cybersecurity strategy headquarters which is under cabinet and has the NISC (National Center of Incident Readiness and Strategy for Cybersecurity) as its secretariat. The Representative also explained Japan s CIIP (Critical Information Infrastructure Protection) to ensure business continuity for critical infrastructure and prevent ICT outages in cased of a cyber-attack or natural disaster. The Representative then provided a briefing concerning several security projects run by the Japanese government, such as PRACTICE, ACTIVE and CYDER, projects which simulate real attacks to improve the skills of IT administrators in government agencies. 8.2 Thailand Thailand provided a brief introduction of ThaiCERT (Thailand Computer Emergency Response Team) and then provided information regarding their cybersecurity activities, such as organizing a local certification program called isec with TISA, GCIH training with SANS, mobile forensics training, incident drills for the financial sector and ISPs, a Malware analysis competition in 2014 with JPCERT and organizing various seminars. ThaiCERT also published alerts and organized a press conference to warn of heartbleed vulnerability.

7 8.3 The US The US representative, Ben Goldsmith, provided a briefing on cybersecurity activities in the US including new legislation, such as the Cybersecurity Enhancement Act of 2014, the National Cybersecurity Protection Act of 2014, the Cybersecurity Workforce Assessment Act of 2014, and the Federal Information Security Modernization Act (FISMA) of Several executive orders were issued, such as Promoting Private Sector Cybersecurity Information Sharing, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities and establishing the Cyber Threat Intelligence Integration Center (CTIIC) to warn relevant departments and agencies of the threats as close to real time as possible. He also explained about US cybersecurity awareness month to raise awareness and educate Americans about cybersecurity. 8.4 Chinese Taipei The Chinese Taipei representative gave an update on activities including "Cyber Development Trend Workshop" to train ministers and high officials. There were activities such as a prime ministerial meeting, broadcasted via Youtube, and broadcasting a meeting to solicit civil opinions via internet so that internet users can express their opinions in real-time. He also explained draft strategies of cybersecurity and privacy which consist of 6 concepts: (1) Build a Sound Basis for Cyber Security Legal Standards, (2) Strengthen Cyber Crimes Enforcement, (3) Implement Cross-discipline Practitioner Training Programs, (4) Elevate Trust and Security of Smart Commerce and Business, (5) Expand Scope of Public-Private Partnership, (6) Improve Allocation of Government Resources, (7) Build a Security Living Lab for Next Generation ICT and 8. Connect Domestic Best Practices with international standards. 9. CYBERSECURITY AWARENESS RAISING ACTIVITIES USA briefed the meeting on past activities related to cybersecurity awareness raising and noted the continual collaboration among the APEC member economies. Last year s activity involved the creation and distribution of safety tip for mobile devices. USA then propose four options to choose from for this s awareness raising activities. They are (1) Develop and distribute tip-sheet on a new topic, (2) Coordinated social media campaign such as Twitter chat, and (3) invite economies to join Cybersecurity Awareness Coalition. The meeting discussed and agreed that the Convenor should coordinate and distribute cybersecurity awareness raising activity via for all organization to review. 10. WORK COLLABORATION 10.1 Cyber Green by APCERT The APCERT representative explained the structure and priorities of APCERT. There are 27 teams from 20 economies. A few challenges include finding an effective mechanism to share information among members and identifying economies in the region that are not yet represented in APCERT. APCERT collaborates with other Asia-pacific entities and also national CERTs outside the region. Cyber green is about finding way to clean up the Asia-pacific region including malware eradication (not just combating). APCERT also participated in various forms of training: online and face-to-face. The focus is on CERT/CSIRT training, but is open to collaboration with non-cert partners such as APNIC and APTLDs.

8 10.2 OECD-Working Party on Security and Privacy in the Digital Economy (SPDE) USA gave a briefing of ongoing projects at OECD, which include improving international comparability of CSIRTs statistics and revising the 2002 Security Guidelines. He then mentioned CSIRTs statistics project, which was launched in 2012, as a joint APEC-OECD initiative. The project aims to improve the status quo of CSIRT statistics. Draft Preliminary Guidance will be circulated soon for comments and feedback ISOC The Representative from the Internet Society gave a presentation on "Collaborative Security" that explained the organization's objective to promote the open development, evolution, and use of the Internet with 190 chapters around the world. Then she explained 5 elements that should be included in a cybersecurity framework: (1) fostering confidence and protecting opportunities, (2) collective responsibility, (3) fundamental properties and values, (4) evolution and consensus, and (5) think globally, act locally. Finally, she expressed the opinion that there's no absolute security. It's about reducing risk APNIC The APNIC Representative explained its vision. Currently, APNIC is promoting 4 best practices in security: 1. Resource Public Key Infrastructure (RPKI), 2. DNSSEC, Source Address Validation (SAVE) 3. Everywhere, and 4. Updating IRT References in the APNIC Whois Database. The Representative explained more details on RPKI 101 via ROA (Route Object Authorisations) Campaign which helped to address issues such as route hijacking and mis-origination and encouraged APNIC members to create Route Origin Authorizations for their network prefixes. APNIC also collaborates with various stakeholders and supports training such as internet investigation training. APNIC will continue to support APEC and APEC TEL to achieve Strategic Action Plans. 11. OTHER BUSINESS The Convenor asked the meeting if any economy plans to request a time slot at the next APEC TEL meeting. Only Thailand requested to have a one full day workshop at APEC TEL CLOSING The Convenor thanked all member economies for a successful SPSG meeting and closed the meeting