CISSA Cybersecurity capacity building workshop. May 2015

Transcription

1 CISSA Cybersecurity capacity building workshop Good Practices in Developing Cybersecurity and Cybercrime Strategies Prof Anthoni van Nieuwkerk Centre for Defence and Security Management University of the Witwatersrand, Johannesburg May 2015 This presentation looks at the contemporary cybersecurity environment as it impacts on the public sector in South Africa and elsewhere in the global South. It reflects on the broad trends without going into detail, and then reports on the evolving South African cybersecurity response landscape. It concludes with a brief overview of academic research, training and education responses to the challenges associated with cyberspace. Introduction With globalisation comes a paradox humanity benefits from information technology and the world wide web and at the same time is exploited by abusers of the same technology. Put differently, with the increase in internet usage comes an exponential increase in cybercrime. Who should manage these problems? Whose prime responsibility is this, and how should they go about it? These questions matter as it becomes evident to more and more public officials that the use of information technology in governance is increasing in all developing countries. The introduction of ICT in the public and private realm is forcing governments to face the realities of the security challenges that accompany such advancements. The sophistication and diversity of cyber- attacks are increasing and without proper cyber security measures the economic, political and social results of cybercrime and cyber espionage can be devastating. The majority of cyber- attacks can be mitigated with simpe security measures; however without coherent support from both private and public industries, awareness will remain a fundamental challenge. Public officials in developing countries with weak or non- existent cybersecurity frameworks and laws are in a unique position to set the foundation for increased cybersecurity both nationally and continentally. The nature of the cyber threat necessitates borderless cooperaion, fast moving policy adjustments, and requisite knowledge to confron emerging threats. Public officials must forge the path to a more secure cyberspace. What do we mean by the cyber threat? Defining what a cyber threat is requires defining cyber power. According to Joseph Nye, cyber power is the ability to obtain preferrred outcomes through use of electronically interconnected information resources of the cyber domain. Cyber power can be used to produce prefered outcomes within cyberspace or it can use cyber instruments to produce prefered outcomes outside cyberspace (Nye 2010). As Nye describes, cyber power can reach domains beyond cyberspace. Denial of services attacks can be 1

2 used to take out websites and manipulating industrial control systems can cause physical damage to plant equipment and people. Understanding the effects of cyber power in both the physical and virtual domain are essential to understanding policy options to deal with cyber threats. Minimal barriers to entry in the cyber domain allow for non- state actors and small states to play a significant role at low levels of cost. With the ability to easily conceal one s identity and the lack of international guidelines, the use of cyber technology for malicious purposes is attractive. In the case of Africa, despite exceptions, the lack of local and international laws create a safe haven for cyber criminals. The absence of assigned agencies in many African nations to address issues of cybersecurity makes it unlikely for coordinated policy decisions to be made. This is incidentally one of the real challenges relating to the implementation of the recently adopted AU Convention on Cyber Security and Personal Data Protection (Tamarkin 2015). The lack of frameworks in many nations will prevent both foreign and domestic investment in the private sector and stunt growth in an incredibly fast moving field. Continental and global cybersecurity There are important structural differences between developed and developing states in how cybercrime is addressed. Most developing economies are without laws that criminalise cybercrime, lack the means to enforce existing statutes, have few tools to investigate cybercrime, and a lack of infrastructure for information sharing and international cooperation. In the meantime, the cost of ICT continues to fall, yet the cost of anti- virus and network security software remains high. With over 60% of internet users in developing countries and rising the need for improved cyber security continentally and globally is imperative. Continentally, there has been effort to help address the emerging cybersecurity concerns in Africa. The AU has created the African Charter on the Values and Principles of Public Service and Administration that speaks to issues of access to information and the role of ICTs in service delivery. It has also adopted, in June 2014, the AU Convention in Cyber Security and Personal Data Protection a welcome development, although not without a range of implementation challenges (Tamarkin 2015). The UN African Institute for the Prevention of Crime and Treatment of Offenders (UNAFRI) has created the African Centre for Cyber Law and Cybercrime Prevention to help address cybersecurity concerns continentally. And similar to South Africa s CSIRT programme, there are eleven countries that have either a CSIRT or Computer Emergency Readiness Team (CERT) to address cybersecurity incidents and disseminate threat information: Botswana, Burkina Faso, Cote d Ivoire, Egypt, Ghana, Kenya, Mauritius, Morocco, South Sudan, Tunisia and South Africa. These teams are supported by AfricaCert based in Ghana. 2

3 Cybersecurity in South Africa South Africa being one of few African states to have enacted laws against cybercrime continues to face many challenges. There are three main statutes forming South Africa s cybersecurity framework: (a) interception and monitoring prohibition act of 1992 which focuses on telephonic and postal communication and its legal interception; (b) prevention of organised crime act of 1998 introduced measures to help combat organised crime, money laundering and gang activity; (c) electonic communications and transactions act of 2002 which aims to facilitate and regulate electronic communications and transactions. Though these laws exist their effectiveness has been diminished due to insufficient training given to functionaries and overall lack of implementation. According to one study South Africa suffers an annual loss of R2.65 billion due to cyber crime (Ward 2014). Due to the rapid development of cyber technology, national policies tend to lag behind making it difficult to implement effective strategies to combat cybercrime this is generally true for South Africa as well as many developing nations. South Africa s cybersecurity policy objectives According to the South African National Cybersecurity Policy Framework, the overall objective is to lay out strategic priorities regarding cybersecurity to encompass several areas of interest. This national framework was approved in One primary objective is to centralise coordination of cybersecurity activities through relevant structures, policy frameworks and strategies in support of cybersecurity in order ot combat cybercrime, address national security imperatives and enhance the information society abd knowledge based economy. A second objective is to anticipate and address developing cyber threats. The improvement of cooperation over several government agencies, private industry and civil society is an additional objective. Lastly, creating a culture of cybersecurity, promoting research and development in the field of cybersecurity and improvement in training are also policy objectives. Government established a Cybersecurity Response Committee (CRC) to set priorities and oversee implementation of policy. Roles and responsibilities of organs of state The South African government has many organs of state that play significant roles in the policy implementation of cybersecurity measures (Ward 2014). The department of justice and constitutional development and the National Prosecuting Authority share overall responsibility for the prosecution of cyber criminals. They are also responsible for requisite court processes. The State Security Agency is responsible for both local and international collection of intelligence, conducting necessary cybersecurity investigations, and coordination, accountability, and implementation of cybersecyrity measures in 3

4 South Africa. The South African Police Service is primarily responsible for prevention, investigation, and combating cybercrime. Additional responsibilities include further development of cybercrime policies, strategies, and investigative capacity. Outside of direct involvement from law enforecement and intelligence, South Africa s department of communications has responsibility in developing policies and industry standards involving communication. It is also responsible for providing direction and coordination involving local and international cybersecurity measures. The aim is to help build confidence and trust in ICT. The Department of Defence and Military Veterans is responsible for implementaion of cyber defence measures as it pertains to the national defence mandate. It is also responsible for developing policies that are pursuant to its core mandate. Lastly, the Department of Science and Technology is responsible for facilitating research and development in the realm of cybersecurity. In addition to these state structures South Africa has created a range of organisations to deal with aspects of cybersecurity. In 2006, the African Information Security Association (AISA) was established to promote awareness. The SSA was tasked to run the Electronic Communications Security Computer Security Incident Response Team (ECS- CSIRT) to respond to cyber incidents. In the banking sector, funding has been used to create the South African Banking Risk Information Centre (SABRIC). SABRIC closely coordinates with the South African Police Service, the Directorate for Priority Crime Investigation, and the Special Investigating Unit s Cyber Forensic Laboratory. Within academia, several organisations undertake research and training. For example, innovative public awareness programmes are offered by three universities via the South African Cyber Security Academic Alliance ( Challenges in South Africa The primary challenge South Africa faces is surmounting the lengthy development and implementation process for cybersecurity. Due to the swift evolution in cybercrime techniques and advancements in ICT, policymakers must be quick to shorten the gap between development and efficient implementation of policy. There is also lack of participation across government departments. Outdated policies and insufficient training given to functionaries prevent full and effective implementation of excisting policies. The link between academia, the private sector, and the public sector is growing but needs more work. Spreading cybersecurity awareness has also been a challenge, increasing the risk of negligent ICT use amongst consumers, citizens, public officials and producers. The challenges found in South Africa are not unique and many developing nations face similar problems. South African government reponses On Tuesday 5 May, the minister of state security presented his budget vote speech in parliament (Mahlobo 2015). 4

5 In his address, he identified the security of cyberspace as one of government s five strategic objectives his department is tasked with (the others speak to improved criminal justice, border management, domestic stability and reduced corruption). He identified a list of cybersecurity priorities, including: the need for better approaches to authenticate hardware, software, and data in computer systems and to verify user identities; methods of monitoring and detecting security compromises; the need for a holistic approach in the fight against cybercrime and cyberterrorism; an evaluation of the influence of laws and regulations on the use or abuse of e- information; increased cybersecurity awareness; understanding of social media networks; corporate espionage. He also highlighted the department s immediate priorities, including the enhancement of institutional cybersecurity capacity, finalisation of national cybersecurity policy and legislation, promotion of partnerships for public cybersecurity awareness campaigns, strengthening cooperation with SADC, AU and BRICS partners, and the establishment of a Cybersecurity Centre. Collaborative responses In 2014, a partnership between academia, and private and public sector interests resulted in an international colloquium that addressed the challenges of cybersecurity policy and implementation. Several recommendations flowed from this engagement (Moat 2014). Based on these, the University of the Witwatersrand through its Centre for Defence and Security Management (CDSM) established a cybersecurity management project with a focus on tertiary- level training and education programmes. Its research revealed pockets of academic and research excellence in South Africa but with a narrow intellectual base and with training focused on information security, with no institution offering postgraduate strategic management training and education in the field of cybersecurity (Moat 2014). A related neglected area in need of urgent attention is the need to build a new generation of cybersecurity researchers and educators for the public sector. This will serve as the backbone of a new cadre of cybersecurity managers. Africa simply has to enlarge this pool of intellectual capital. Innovative approaches may include government funding in line with strategic development plan imperatives, scholarship programmes (drawing on public and private sector sponsors) and exchange programmes with centres of excellence on the continent and globally. Pushing the envelope a bit, I would argue for the establishment of a centre of academic excellence at a university (or via a consortium of universities) to 5

6 service the continent, if not developing nations, with building a cohort of academic experts in cybersecurity, with an emphasis on strategic management. To this we can add the idea of establishing a knowledge hub that will serve as a data bank of research and knowledge pertaining to cybersecurity (UNECA, 2014). Returning to Wits university, the project undertook a needs analysis and interviews with students, academics and IT professionals and developed a curriculum for a Masters level course in managing cybersecurity for the public sector, as well as two spin- offs - a curriculum for a certificate in cybersecurity management, and a short course on cybersecurity awareness (Ward 2014). The Masters level course will be embedded in the university s Master of Management in the field of Security. This degree programme is designed to cater for security sector officers and officials and aims to equip participants with advanced conceptual and analytical capabilities needed for effective security sector governance. The programme contains taught modules drawn from three knowledge areas: policy and governance, socio- economic development, and service delivery and operations management. A methodology and research component rounds off the programme. The cybersecurity module builds on this foundation by providing participants with a basic understanding of cybercrime, the means and methods used by cybercriminals to exploit systems, the various governance challenges surrounding cybersecurity, policies in place at local, continental, and global level being used to combat cyber security threats, and the requirement for monitoring and evaluation systems to manage implementation. Finally the project s activities revealed that future coursework ought to cover the following three fields of activity: Cyber criminal operations (to cover organised crime in a detailed fashion) Strategic cybersecurity challenges for state actors (to cover themes relating to state level cyber threats) Cyber Criminal Investigation and Law (to cover legislation and the challenges of investigation)(ward 2014). Conclusion: the future of cybersecurity Cybersecurity is an increasingly important issue for the world with particular importance for the BRICS states and developing countries. The gains from cyber- attacks will continue to increase as the use of ICT for social, political, financial and commercial purposes increase. The low cost of entrance, anonimity, ineffective legislation, ineffective law enforcement, lack of boundaries, and continued problems of international cooperation will continue to contribute to the increase in cybercrime globally. Policy makers will be challenged as society becomes more interconnected and technologically advanced (witness the explosive growth of mobile connectivity in Africa). These challenges must be met systematically and effectively. Until the cost of committing various forms of 6

7 cybercrime outweigh the benefits of committing them, the global trend will increase. The role of government and private sector must include more cooperation and a culture of cyber awareness is needed to promote best practices. Other forms of cyber threats such as cyber warfare, cyber espionage, cyber terrorism and hacktivism will require political will and a great deal of international cooperation. Ideological disagreements regarding the fundamental purpose for the Internet and the dissemination of information are just a few points of contention preventing any serious discussion regarding cyber warfare and cyber espionage. The potential damage associated with cyber warfare may spark future discussion similar to those chemical, biological, and nuclear weapons. The likehood of any near future conventions on such a topic are slim, especially due to the strategic advantage of a handful of nations in the cyber warfare and espionage realm. Despite international differences, it is essential that cybersecurity be elevated to a status where global leaders will discuss its future implications for state and non- state actors alike. The role of cyber technology will only expand in the future, and consequently so must the role of cybersecurity. Developing countries are beneficiaries of the enormous growth in cyber technology but also on the back foot in terms of developing threat responses. There is much work to be done by state, private sector and civil society stakeholders, preferably working in teams, and preferably driven by a vision of securing the lives of all its citizens. As argued here, academia has a particular responsibility driven not by commercial interest but informed by the imperative of human development. Select sources Betz, D and T Stevens (2011) Cyberspace and the state: towards a strategy for cyber power. Abington: Routledge. Mahlobo, D (2015) Minister of State Security Budget speech. ( Mathabe, R and A van Nieuwkerk (2014) Capacity in the field of cybersecurity amongst South African Institutions of Higher Learning, Research Institutions and Business. Research Report. Johannesburg: Centre for Defence and Security Management, Wits School of Governance. Moat, C (2014) Colloquium on Cybersecurity for the Public Sector: Summary Report. Johannesburg: Wits School of Governance. Tamarkin, E (2015) The AU s cybercrime response. Policy brief 73. Pretoria: Institute for Security Studies. United Nations Economic Commission for Africa (2014) Tackling the challenges of cybersecurity in Africa. Policy Brief NTIS 002/002/2014 ( Ward, D (2014) Contemporary Cybersecurity Analysis for South African Public Officials. Johannesburg: Centre for Defence and Security Management, Wits School of Governance. 7