What legal aspects are needed to address specific ICT related issues?

Transcription

1 What legal aspects are needed to address specific ICT related issues? Belhassen ZOUARI CEO, National Agency for Computer Security, Tunisia Head of the Tunisian Cert (tuncert), b.zouari@ansi.tn Workshop on Building Trust and Confidence in Arabic E-Services Beirut, May 2010 Agenda Universal Legal Cyber Security Framework The Need of a Legal Framework Clarifying/Defining Cyber concepts (crime, evidence, etc.) What Institutions, What Responsibilities? Operational Measures and Role of CERTs Practical & Application issues International Cooperation Tunisia as a Case of Study Cyber Security Laws & Regulation Texts Application & Cyber-safety Measures Security progress for most important National Institutions Lessons learned from experimented cases 1

2 The Need of a Legal Framework ICTs : new technologies but new Threats Confidence and Trust in ICTs are vital for e-services Lack of clarity & Uncontrollable technology are enablers for malicious activities and then, obstacles to confidence in e-services Defining a Legal Framework is the first step in the cyber security process Involvement of the government in a prerequisite Globality call for International Cooperation Clarifying/Defining Cyber concepts Creating Laws & Regulation texts related to: Cyber crime and Digital evidence Privacy Protection, Intellectual property Data protection, IS Access, Spam Digital Signature/ Archive Securing IS Borders for institutions (Security Audits, IS Management System Implementation) Avoiding re-defining crimes : Traditional vs. Cyber Fraude, Theft, Phishing, Identity theft, 2

3 Which Institutions, What Responsibilities? Multi-stakeholders/ Multi-actors : The User, beneficiary of an e-service The e-service provider, The Application Developer, (error programming) Internet Provider (DNS, routing functions) The web site hoster (Internet Server/ OS functions) Telecom Operator (infrastructure disruptions) Third parties (Certification/Registration Authorities) Trans-border access Operational Measures & Role of CERTs A Trust point of contact / A cyber security Authority Responsible of implementing a cyber security strategy Main Missions : Cyber space protection Watch & Warning (product vulnerabilities, viruses, ) Incident Detection / Incident Handling Incident Analysis / Forensics Vulnerability assessment Information sharing & coordination center (massive attacks) International Cooperation (FIRST, regional groups) 3

4 Practical & Application issues Raising Awareness / Training : Users (Domestic, Children, Office, ) Decision makers Professionals Teachers Students Journalists Lawyers Assistance / Communication International Cooperation FIRST : Forum of Incident Response Teams ITU ; ESCWA ; UNCTAD ; OECD TF-CERT; ENISA ; AP-CERT ; OIC- CERT ; Council of Europe INTERPOL Bilateral Conventions 4

5 Tunisia as a Case of Study NACS : National Agency for Computer Security (also known as tuncert ) Created by Law in 2004 under the Ministry of Communication Technologies) Introduction of Mandatory and Periodic Security Audits (Pillar of our strategy) The creation of a body of certified Auditors in IT Security Launch of tuncert in 2005 Full Member of FIRST in 2007 Center of excellence of UNCTAD in 2008 Main Sponsor and Partner of E-ComSec (SA) for establishing a CERT and introduction to FIRST in 2008 Tunisian Cyber Security Legal Framework Computer crime law: Law No Laws regarding the respect for intellectual property: Act No , Act No , Act No , Act No , Electronic Certification Act: Act No Computer Security Act: Law No Privacy Protection Act : Law No Act on Cyber Terrorism: Law No Defining the position of CISO (Chief Information Security Officer) within all public institutions : Prime Minister note,

6 Tunisian Cyber Security Laws Tunisian law: Article 10, 11 of Law No of February 3, 2004, relating to computer security (JORT published February 3, 2004) and Mandatory Audits Tunisian Cyber Security Laws 6

7 Tunisian Incident Declaration Law Tunisian Law: Article 9 of Law No of February 3, 2004, relating to computer security: Mandating incident declaration to NACS & Keeping the Incident details private as well as any information related to Auditing or assisting company systems Tunisian Cyber Security Law Privacy protection Law Law No of July 27, 2004, concerning the protection of personal data. 7

8 Tunisian Cyber Security Laws The law specificities: General provisions on personal data protection Personal data treatment conditions: procedures for processing such data Data obligations and Control The rights of the concerned person (consent, right of access, right opposition) Personal data protection Measures etc... Tunisian Cyber-safety Measures Technical Vulnerability Assessment Providing services informing about discovering vulnerabilities AVO which consists in alerting the first website responsible about the serious vulnerability discovered in the system, and this is before it can be exploited by attackers, with a full description and information about this vulnerability accompanied with a proof of concept. Analyzing data about suspicious activities in the cyberspace which can be detected using the Saher system by a honeypot model and some global structures and institutions (like Shadowserver, CERT Brazil,..), to understand and control new malicious software development. 8

9 SAHER : monitoring the cyber space System developed based on a set of Open Source tools Saher Web: DotTN Web Sites monitoring Saher SRV: Internet services availability monitoring (Mail server, DNS, ) SAHER IDS: Massive attack detection SAHER HONEYNET: Malware gathering Web defacement DoS Web Deterioration of web access Mail Bombing Breakdown of DNS servers DNS POISONING Viral attack Intrusion DDoS Viral attack Scan Possible attacks Credit Card Cybercrime Cases 9

10 A famous Phishing Case Albert Gonzalez Hacker behind the largest credit and debit card data breach in U.S. history Stealing data from more than 130 million accounts. costing companies, banks and insurers nearly $200 million sentenced to 20 years in prison. Some social network Cybercrimes In 2009 Social networking sites are used by around 80% of all Internet users, the equivalent of more than one billion people. (According to Kaspersky Lab). Malicious code distributed via social networking sites is 10 times more effective than malware spread via . Stolen names and passwords belonging to the users of social networking sites can be used to send links to infected sites, spam or fraudulent messages such as a seemingly innocent request for an urgent money transfer. 10

11 Conclusion Today it is clear that no country can independently solve the electronic communication problem. If we consider that the cyber security are a way to be assured than it should be in place as a priority for each country Hackers should be aware that even the harmless computer intrusions can be classified under a crime. Cooperation is the only weapon to deal with Cyber crime There is a great need for a common criminal policy to protect the society against cyber crime Thank you B.Zouari@ansi.tn 11