GOVCERT.NL symposium National Cybersecurity Strategies

Transcription

1 GOVCERT.NL symposium National Cybersecurity Strategies November Deloitte Belgium

2 Countries across the globe are focusing on cybersecurity as a critical factor in national and economic security...there must be no weak links in Europe's cyber security," --Viviane Reding, EU Commissioner for Information Society and Media, 30 March 2009 Australia s national security could potentially be compromised by cyber exploitation -- Mike Burgess, Deputy Director Cyber and Information Security Defence Signals Directorate, 26 February 2010 America's economic prosperity in the 21st century will depend on cybersecurity. -- Barack Obama, U.S. President, May 29, Deloitte & Touche LLP

3 Governments are facing a wide range of cybersecurity issues Dependence on the Internet is increasing By 2013, the Internet will be 4X larger than in 2009 By 2015, we expect15 billion devices to be connected to the Internet Attacks are increasing 240M new malicious programs in 2009 U.S. Agencies scanned >250,000x per hour >100 foreign intelligence organizations trying to break into U.S. systems US incidents in water control systems increased 300% in past 5 years The impact is profound Economy: intellectual property stolen Warfare: new front, asymmetry Espionage: weapons plans, classified data Mission may go beyond authority Protect individuals and infrastructure controlled by private sector Pursue miscreants across borders Solutions may pit security vs. privacy Deloitte & Touche LLP

4 National cybersecurity programs need to address many components National cybersecurity strategy Organization structures, government oversight and legal authorities Privacy and civil liberties considerations Awareness, research, education, and training Public-private partnerships Global cooperation Deloitte & Touche LLP

5 National strategy Deloitte Belgium

6 National Cyber Strategy: India Primary objectives for securing country's cyber space: Preventing cyber attacks against the country's critical infrastructures Reduce national vulnerability to cyber attacks Minimize damage and recovery time from cyber attacks Actions to secure cyberspace include: Forensics and attack attribution Protection of networks and systems critical to national security Early watch and warnings Protection against organized attacks capable of inflicting debilitating damage to the economy Research and technology development that will enable the critical infrastructure organizations to secure their IT assets To pursue the strategic objectives the following major initiatives have been identified: Security Policy, Compliance and Assurance Security Incident - Early Warning & Response Security training - skills/competence development & user end awareness. Security R&D for Securing the Infrastructure, meeting the domain specific needs and enabling technologies Security - Promotion & Publicity Deloitte & Touche LLP

7 National Cyber Strategy: U.S. Primary objectives for securing country's cyber space: Protect national security, citizens, businesses and critical infrastructure Work collaboratively with public, private and international entities to secure cyberspace and America s cyber assets Actions to secure cyberspace include: Build and maintain an effective national cyberspace response system Implement a cyber-risk management program for protection of critical infrastructure Centralize command of cyberspace operations, strengthen DoD cyberspace capabilities, and integrate and bolster DoD s cyber expertise To pursue the strategic objectives the following major initiatives have been identified: Framework for Public-Private partnership Cyber Risk Management Programs (Cyber Storm, Cybersecurity Awareness Month, campaign) National Cyberspace Response System (US-CERT, Cyber Cop Portal, etc.) USCYBERCOM and White House Cybersecurity Coordinator Deloitte & Touche LLP

8 Organization Oversight & Authority Deloitte Belgium

9 Cyber Organization: South Korea President National Security Council (NSC) Secretariat National Cyber Security Strategy Council Ministry of Public Administration and Security Ministry of National Defense National Intelligence Service (NIS) Broadcasting and Communications Commission (BCC) Ministry of Justice (MOJ) Informatization Strategy Office Information Protection Policy Division National Police Agency Cyber Terror Response Center Information Warfare Response Center Military Sector Military Units National Cyber Security Center Public Sector Central Administrative Agencies Public Organizations/ Local Autonomies Korea Internet Security Center Private Sector (ISP) Supreme Prosecutors Office Internet Crime Investigation Center Deloitte & Touche LLP

10 Cyber Organization: USA President CSIS Commission White House Cybersecurity Coordinator Department of Defense Intelligence Agencies Department of Homeland Security Civilian Agencies Defense of Military Networks National Security Defensive and Offensive Capabilities 10 USCYBERCOM ARCYBER Command (Army) US Marine Corps. Cyber Command US Fleet Cyber Command (Navy) Air Force Cyber Command Law Enforcement Counterterrorism Counter-Espionage Defense of Civilian Networks Intra-agency Information Sharing Critical Infrastructure Citizens Law Enforcement Fraud Prevention Citizen Data 2010 Deloitte Touche Tohmatsu

11 Privacy & Civil Liberties Deloitte Belgium. Private and confidential

12 Privacy Programs Australia Set to go into effect in December ISPs voluntarily act to limit damage from infected computers Warnings, restricting outbound or temporarily quarantining compromised machines, while providing customers with links to help fix the problem US National Strategy for Trusted Identities in Cyberspace (NSTIC) in review phase Leverages trusted third parties Individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential from a variety of service providers to authenticate themselves online for different types of transactions user will have more control of the private information they use to authenticate themselves on-line Deloitte & Touche LLP

13 Awareness & Education Deloitte Belgium

14 Awareness and Education Initiatives Korea Mass media campaigns targeting adults and children Formal middle school education Advertisements on public transportation Internet Ethics Camp OnNuRi Campaign to check security on computers in isolated facilities Use of celebrities, concerts, giveaways Australia Staysmartonline website (public and small and medium-sized businesses) Cybersmart website (children & parents) National Cyber Security Awareness Week US National Cyber Awareness Month DHS Cybersecurity Awareness Campaign Challenge Staysafeonline.org website UK Cyber Security Challenge to find and attract new talent to the IT security industry launched July Deloitte & Touche LLP

15 Public-Private Partnership "This country needs an increased capability to protect ourselves, not only against cyber attacks on the government but on businesses and on individuals," UK Foreign Secretary William Hague, October Deloitte Belgium. Private and confidential

16 Cyber Defense to Economic Offense: Areas for Opportunity Broadband US proposed National Broadband Strategy 2010 Telecom Korea HDTV and1gb to desktop by 2012 Smart Grid AU/US/China/EU/Korea E-Government EU leading online government services Healthcare Plans for bilateral agreement between the EU and US for sharing digital healthcare data Research & Development CYBERSECURITY: The Smart Grid will be more resistant to attack and natural disasters.it will also move us toward energy independence from foreign energy sources, which themselves may be targets for attack, outside of our protection and control. US Department of Energy Deloitte & Touche LLP

17 Critical Infrastructure Protection U.S. Smart Grid Cyber Security National Infrastructure Protection Plans Public-Private partnerships (Information sharing) The Stuxnet worm, targeting Grants / buying power SCADA controls, was found in New Smart Grid guidelines address: >45,000 systems Risk assessment and approach for identifying security requirements High-level architecture, logical interface architecture and security requirements Privacy issues regarding new types of information related to individual behavior within dwellings and electric vehicles Information sharing is a corner stone to improve the protection of critical information infrastructure-ciip, which is vital for Europe's economy and communications within Europe. -- Executive Director of ENISA, Dr Udo Helmbrecht, September Deloitte & Touche LLP

18 Global Cooperation Deloitte Belgium

19 Global Cooperation NATO - considering adding cyber warfare to Article 5 of its charter on mutual protection of members United Nations - Article 51 & ITU Global Cybersecurity Agenda International Multilateral Partnership Against Cyber Threats (IMPACT) Centre for Policy and International Cooperation East West Institute (EWI) - 6-party talks on Cyber Security Deloitte & Touche LLP

20 WFCSIRT MCIRT MSCERT BCERT Apple GIST CIAC Siebel SUN Cisco Systems SymCERT Foundstone ORACERT NAI Cisco-PSIRT SGI HPSSRT SUNSeT CAT Motorola Veridian AFCERT eforensics EDS MCIWorldCom UNAM-CERT 20 Re-Thinking Cyber Response CSE EWA-Canada RBCFG CSIRT DND CIRT CGI CERT BMO ISIRT Cdn CIRCC CERT/AQ AboveSecCERT OSU-IRT PCERT IU-CERT Uchicago Network Security DIRT NCSA-IRST NU-CERT MOREnet UGaCIRT ELN-FIRST ISS GT.CERT CERT-CC US-CERT TESIRT Brasil Telecom CTR/DPF CAIS/RNP CSIRT Unicamp CSIRT ABN AMRO REAL CSIRT Santander Banespa CSIRT USP NBSO/Brazilian CERT GSRT/INPE CEO/RedeRio EMBRATEL StarOnr CLCERT CERT-RS PSU Cornell Univ UCERT Guardent RADIANZ CERT-BUND Goldman sachs AMC-CERT IBM MSS CERT-KUN VISA-CIRT SURFnet-CERT MLCIRT GOVCERT.NL AT&T CERT-UU PruCERT CERT-RUG JPMC CIRT KPN-CERT UB-FIRST UVA-CERT FRS-CERT KCSIRT MIT Network Security NASIRC NIHIRT GE Rutgers CIRT ACIRT SBACERT NIST IT FCC CIRT ACERT IRS CIRT FedCIRC N-CIRT HOUSECIRT U.S. Coast Guard CIRT ARCcert DoD-CERT USPS GI REACT NAVCIRT SPRINT MARCERT K-State SIRT BE-CERT Citigroup CIRT DANTE HEANETCERT MODCERT OxCERT Q-CIRT UNIRAS JANET-CERT BT SBS AAB GCIRT DANCERT BTCERTCC E-CERT OGCBS EUCS-IRS LuxCERT CERT-Renater CERT-LEXSI NARIS CERT-IST CERTA CERT.PT IRIS-CERT SIAPI-CERT escert-upc CERN-CERT CC-SEC SWISS ReCERT SWITCH-CERT IP+CERT OS-CIRT SI-CERT ACOnet-CERT CERT-IT GARR-CERT CARNet CERT HUNGARNet-CERT Hun-CERT Micro-BIT DFN-CERT Siemens-CERT Telekom-CERT T-Com-CERT PRECERT ComCERT secu-cert RUS-CERT CERTBw CERTVW FSC-CERT IBM-ERS dbcert S-CERT dcert UNINETT CERT KMD IAC DK-CERT CSIRT.DK NORDUnet SITIC PAKCERT CERT-IN UU-IRT TeliaCERTCC SUNet-CERT FUNet CERT CERT-FI TRCERT CYPRUS ILSAN-CERT GRNET-CERT ThaiCERT MYCERT SingCERT NUSCERT IDCERT LITNET NOC-CERT POL24-CERT CERT Polska Abuse TP S.A. WebPlus ISP RU-CERT IS-SECT JPCERT/CC NIRT JSOC CIART KRCERT/CC CNCERT/CC CCERT TWCERT/CC TWCIRC HKCERT PHCERT AUSCERT Cyber Crime Military Espionage Economic Espionage Cyber Warfare 2010 Deloitte & Touche LLP

21 What is Next? Deloitte Belgium

22 Global Cyber Maturity Curve Collective action and milestones to secure cyberspace by Deloitte Touche Tohmatsu

23 Discussion Deloitte Belgium

24 2010 Deloitte & Touche LLP