MEMORANDUM Date Our reference Page Measures based on the action plan for improved Internet security

Transcription

1 MEMORANDUM Date Our reference Page 13 Feb File ref: (12) Network Security Department Björn Scharin +46(0) Ministry of Enterprise, Energy and Communications SE Stockholm Measures based on the action plan for improved Internet security The present memorandum accounts for the work of the National Post and Telecom Agency () being carried out on the basis of the action plan for improved Internet security. 1 Assignment no. 2 in the Terms of Reference for the year 2007 For the budget year 2007, the Terms of Reference state the following: 2. The National Post and Telecom Agency shall report on the measures which the Agency has undertaken based on the Agency s proposed action plan for improved Internet security in Sweden, which was submitted to the Government in July 2006, and assess the results of these measures. This assignment shall be reported upon to the Government (Ministry of Enterprise, Energy and Communications) no later than in connection with the annual accounts for On 4 July 2006, presented a report to the Swedish Government entitled Strategy to improve Internet Security in Sweden. This report contains strategic positions adopted 2, an action plan for implementing the strategy and a management plan. The 2006 action plan contained activities presented in the form of a table, see Appendix 1. The table is presented below with an updated status for February Below this table, describes the activities the Agency has undertaken within the framework of each respective measure of the action plan. 1 This action plan is described in the report Strategy to improve Internet Security in Sweden -ER-2006:12 2 The strategy was established following minor amendments by the Government dated 7 December 2006 in the document Strategy for Improved Security in the Internet Infrastructure, N2006/5335/ITFoU

2 Measure Party responsible Status Measures to protect the Internet's physical and logical infrastructure Produce recommendations to providers of content services for increased accessibility and advice for ordering Internet Services Promote the use of DNSSEC in name servers Produce recommendations for more secure traffic exchange between Internet operators Measures for information to users Provide information about vulnerabilities /Sitic Develop advice for ordering Internet services Coordinate and intensify information initiatives towards users Educate trainee teachers in Internet security Further develop 's website for Internet security Universities and colleges This measure is included in the abovementioned assignment regarding recommendations to providers of content services for increased accessibility Presupposes separate assignment and financing Important/not commenced Presupposes separate financing Measures to enhance the assumption of responsibility for user security Work with specified requirements for good function and technical security Follow up the Internet operators' functional capacity Provide the Internet operators with a legal possibility of impeding the dissemination of harmful traffic Government Very important/not commenced

3 Investigate the requirements for increased responsibility for providers of software and equipment Government Very important/not commenced Measures to promote the improvement of knowledge Inform stakeholders about the financing sources available Work to ensure that funds are allocated within the framework of the EU's research programmes relating to the Internet infrastructure Relevant authorities Government Very important/not commenced Important/not commenced Measures to enhance Swedish participation in international work Increase Swedish coordination and participation in international fora Clarify Swedish distribution of responsibility in conjunction with international contexts concerning security of the Internet infrastructure Further develop operative international networks for incident management Continued active participation in review of EU directives Increase participation in standardisation work Government /Sitic Government Presupposes separate financing Very important/not commenced Presupposes separate financing Measures to improve capacity for crisis management Increase exchange of experience, follow-up and learn from major disruptions /Sitic Produce a coordinated continuity plan for the Internet infrastructure in Sweden Planned to commence in spring of 2008 Investigate alternative forms of communication for operations managers during crises Investigate alternative information channels from Sitic to users concerning the status of the Internet in conjunction with disruptions to the Internet /Sitic Has not commenced

4 Measures to protect the Internet s physical and logical infrastructure Produce recommendations to providers of content services for increased accessibility is currently running a project together with Verva, the Swedish Administrative Development Agency, and SEMA, the Swedish Emergency Management Agency, with the aim of producing a guide. 3. This guidance document has the title Guide so users can retain or achieve the required level of robustness in electronic communications and create awareness as to why robustness is a matter for parties to consider in an agreement. This guide is intended to be used in contacts between a purchaser and an operator and other suppliers of electronic communications. This project should be concluded in the spring of This measure is also being implemented as a part of s tasks in the area of robustness in terms of encouraging increased user responsibility within electronic communications from s strategy for robust electronic communications for the years 2003 to 2005 and 2006 to The area of the strategies encompasses electronic communications in a wider perspective and contributes to the improved security of Internet infrastructure. The strategy for the period encompasses the following areas for measures: The areas for measures include: 1. The promotion of increased user responsibility within electronic communications 2. Increased redundancy and flexibility in networks 3. Improved protection against both physical and electromagnetic threats 4. Increased awareness about information security 5. More robust electricity supply for electronic communications and improved collaboration between the areas of power supply and telecommunications 6. Improved collaboration 7. Enhanced international collaboration 8. Improved capacity for crisis management within electronic communications 9. Increased robustness in networks Promote the use of DNSSEC in name servers has produced a report concerning the implementation of DNSSEC 5 and testing of how this works for a domain administrator. In conjunction with this, has, together with.se and other parties, presented and promoted the use of DNSSEC during a seminar held in Sweden, a seminar in connection with the ICANN meeting in Lisbon held in the spring of 2007, and also put DNSSEC on the agenda in connection with various EU-level meetings, e.g. ENISA. Sweden has come very far in terms of DNSSEC, which was implemented in the Swedish national top domain.se as early as the autumn of DNSSEC has been offered as a service for domains in.se since February 2007; e.g. Swedbank is in the midst of implementing DNSSEC. Today three of the major ISP:s in Sweden have support 3 File ref Robust electronic communications Strategy for the years (-ER-2003:13) and Robust electronic communications Strategy for the years (-ER-2006:19) 5 Improved security of the Domain Name System, -ER-2006:36

5 for DNSSEC in their DNS resolver servers. Together with its operator, is currently in the process of preparing for the implementation of DNSSEC for the domain, pts.se. Produce recommendations for more secure traffic exchange between Internet operators has produced a report describing tests of vulnerabilities present in border routing, i.e. the function that routes traffic between operators. Simulations of how disruptions in the protocol for border routing (BGP) spread in a model of the Swedish part of the Internet 6 have improved the insight into how end users in Sweden would be affected. The report contains a number of recommendations concerning protective measures against disruptions and attacks which are mainly directed at Internet operators. The intention is for operators to be invited to in 2008 in order to discuss the proposed measures in the report and other possible remedies in order to improve protection for the critical border routing function. Measures for information to users Information about vulnerabilities During the year, the IT Incident Centre published 152 security noteables, 199 vulnerability alerts and 5 flash messages. These messages have the aim of informing interested parties about vulnerabilities and technical circumstances in systems that may affect their stability. The different channels are used in a sequence reflecting the increased level of seriousness of vulnerabilities in order to give the interested parties a straightforward opportunity to choose which level of problem they wish to monitor. The IT Incident Centre is currently investigating requests and the need for monitoring of vulnerabilities that is more adapted to the interested parties. Develop advice for ordering Internet services This measure has been combined with and is being implemented in connection with the measure Produce recommendations for providers of content services for improved availability. Coordinate and intensify information initiatives towards users Implementation of this measure presupposes a Government Assignment and separate financing. During the year, actively contributed to the Surf Calmly campaign as one of the financiers but also in the steering group, the Surf Calmly expert web panel and by means of competence in connection with regional meetings. In 2008, Surf Calmly will initiate measures to improve the security of e-transactions directed at small businesses. Educate trainee teachers in Internet security Implementation of this measure is being carried out by the respective college and university. only has limited resources to exert influence in this area. Within the framework of the Surf Calmly campaign, has held lectures on Internet security at regional seminars for teachers and other parties. Further develop 's website for Internet security During the year, managed and updated its website for security information directed toward Internet users, in particular content from the report about security in wireless local area networks 6 Threats to security in the exchange of traffic between Internet service providers -ER-2007:14

6 which was published during the year. 7 However, in order to carry out major initiatives and develop the website, separate financing is needed. Measures to enhance the assumption of responsibility for user security Work with specified requirements for good function and technical security has specified requirements on good function and technical security mainly in terms of the preventive security work containing requirements on risk analysis, risk management and planning, and routines for dealing with interruptions and interference. has carried this out in the form of general advice for providers of public communications networks and electronic communications services, which include Internet operators. 8 Follow up the Internet operators' functional capacity has initiated a supervisory initiative in order to monitor compliance with the provisions of the Electronic Communications Act (LEK), Chapter 5, Section 6a covering, among other things, Internet operators. 9 The supervisory initiative is directed at 55 providers of public electronic communications networks and services. Besides this supervisory initiative, has informed all 450 operators having been reported to about the obligations contained in this Act and the general advice. Provide the Internet operators with a legal possibility of impeding the dissemination of harmful traffic In connection with the report entitled Strategy to improve Internet Security in Sweden, submitted a proposal to the Government concerning an amendment to the Electronic Communications Act (LEK), which would give Internet operators a legal possibility to undertake emergency measures such as filtering of electronic messages jeopardising such service or the function of the network, such as denial of service attacks. Internet operators have limited potential to undertake measures against subscribers in a situation where they have been affected by a Trojan or a program that sends mass s or overloads web services. This type of legal possibility should be associated with a requirement concerning information about the measures being undertaken. The proposed legislative amendment is currently being considered by the Ministry of Enterprise, Energy and Communications. As far as is aware, no amendment to LEK is being planned in accordance with s proposal. Investigate the requirements for increased responsibility for providers of software and equipment In the action plan to improve Internet security in Sweden, proposed that an investigation should be made concerning the requirement for increased responsibility for providers of software and equipment. This type of investigation is mainly outside the mandate of. has noted the positive development that Internet operators are to an increasing extent bundling security software with the services being delivered and that hardware, such as modems with wireless functionality, has preset security mechanisms when purchased. It would be desirable with a similar development on the part of other providers of software and equipment. 7 Security in wireless local area networks advice to users for improved security, -ER-2007:16 8 s General Advice on good function and technical security in addition to reliability and availability during extraordinary events in peacetime 9 Thematic supervision of general advice on good function and technical security, file ref

7 Measures to promote the improvement of knowledge Inform stakeholders about the financing sources available The primary responsibility for this activity rests with the authorities having responsibility for the respective area of research. has noted that SEMA has actively commenced information efforts concerning research grants from the EU in the area of the protection of critical infrastructure. Work to ensure that funds are allocated within the framework of the EU's research programmes relating to the Internet infrastructure The action plan activities are difficult for to influence, but has noted an increase in such funding, for example through an EU research programme called EPCIP (European Programme for Critical Infrastructure Protection). Measures to enhance Swedish participation in international work Increase Swedish coordination and participation in international fora This measure encompasses international work related to Internet security and is a part of the area of Internet Governance, or international management of the Internet. has commenced the work on enhancing Swedish participation in such international work. Together with the Ministry of Enterprise, Energy and Communications, has set up a Swedish reference group for issues concerning the international management of the Internet, and which encompasses Internet security. participates actively in several bodies and fora working with these issues, e.g. Internet Governance Forum (IGF), GAC/ICANN (the Internet Corporation for Assigned Names and Numbers), RIPE, the International Telecommunication Union (ITU), the European Network and Information Security Agency (ENISA), where is the Swedish point of contact, and the international networks participated in by Sitic (IT Incident Centre), see below. Increased responsibility for coordination and participation in international fora presupposes separate financing. Clarify Swedish distribution of responsibility in conjunction with international contexts concerning security of the Internet infrastructure The primary responsibility for this activity rests with the Government Offices of Sweden. Further develop operative international networks for incident management Sitic, the IT Incident Centre is a member of the networks FIRST, TF-CSIRT and EGC, which all have a growing number of members. Furthermore, the IT Incident Centre is active within NCF, IWWN and participates in ENISA projects. These networks have proven to be effective for both the dissemination of information and coordination during operational initiatives in 2007, for instance during the DDoS attacks in Estonia. Continued active participation in review of EU directives The primary responsibility for this activity rests with the Government Offices of Sweden. has actively contributed with documentation. Increase participation in standardisation work has carried out a pilot study concerning standardisation organisations and groups within this area. However, increased participation in standardisation work is demanding in terms of resources and would require separate financing. No decisions have been made as to whether participation should be increased in different groups.

8 Measures to improve capacity for crisis management Increase exchange of experience, follow-up and learn from major disruptions The substantial disruptions that took place in 2007 can be divided into disruptions related to technology or content. The technical disruptions that arose, mainly as a result of the weather situation, cables damaged during excavation, equipment failures, for example due to inadequate program updates, etc., were dealt with within the framework of s robustness work and supervisory work. Disruptions which arose due to the traffic content of the Internet were dealt with by the Sitic, which during the year continued to publish information related to lessons learned and analyses. Publications state that a secure Internet is largely something that users will themselves need to lay the foundation for through their behaviour, and changing behaviour requires both information and motivation. By quickly providing accurate information, without exaggeration or alarmism, has, through the Sitic, enabled users to identify reasons for improving their security awareness. Produce a coordinated continuity plan for the Internet infrastructure in Sweden This activity will be commenced in This activity will take place through collaboration with the industry. Investigate alternative forms of communication for operations managers during crises The intention of this activity is that, in the event of substantial disruptions or crises, those who maintain crucial components of Internet infrastructure may need to be able to communicate concerning the disruption or crisis via a channel other than the one affected by a disruption in order to jointly deal with the situation. This activity has been carried out for many years within the framework of the National Telecommunications Coordination Group (NTSG). This work affects the Internet since it utilises the networks of these operators and several of the members are Internet operators. An application for linking the operational management centres of these operators to the telecommunications network of the Swedish Armed Forces (FTN) has been submitted to the Swedish Armed Forces. Investigate alternative information channels from Sitic to users concerning the status of the Internet in conjunction with disruptions to the Internet This activity has not commenced. Proposed activities for 2008 In 2008, will commence activities which have not yet been implemented and which is capable of carrying out. intends to further develop its collaboration with other organisations in order to carry out the activities contained in the action plan. will also produce a renewed action plan in accordance with the management plan contained in the report Strategy to improve Internet Security in Sweden (-ER-2006:12). Measures which require a separate assignment or financing intends to provide additional information in March 2008 pertaining to the measures in the action plan which has been appointed as responsible for but which require a separate assignment or financing. These measures include: - Coordinating and intensifying information initiatives to users

9 - Further developing 's website for Internet security - Increasing Swedish coordination and participation in international fora - Increasing participation in standardisation work Marianne Treschow Director-General This memorandum was approved by Director-General Marianne Treschow. The final administration of this matter was also participated in by acting departmental head Christoffer Karsberg and administrator Björn Scharin (who submitted the report).

10 Appendix 1 Summary of the original action plan from Strategy to improve Internet Security, 4 July 2006 The party responsible states the stakeholder(s) responsible for the measure in question being implemented and performed in the manner intended. The level of importance states whether a measure is ongoing, planned or proposed. If it is proposed, it is weighted as important or very important. The precondition for the implementation of a proposed measure may be a decision at government level. The measures that is prepared to implement involve a separate assignment and, when appropriate, funding may be required to implement the measure. The timeframe states the period within which a measure is planned to be implemented: within one year, two years, three years or four years. Otherwise, it is expressed as continuous. Costs state the estimated cost of the proposed measures, that is to say those that are not ongoing or planned. The estimation of cost has been made within the following intervals: Low: Below SEK Medium: SEK High: Above SEK Costs for continuous measures are estimated on an annual basis. Measure Party responsible Level of importance Timeframe Costs 6.1 Measures to protect the Internet's physical and logical infrastructure Produce recommendations to providers of content services for increased accessibility Promote the use of DNSSEC in name servers Produce recommendations for more secure traffic exchange between Internet operators Planned < 2 years - Planned < 2 years - < 2 years Measures for information to users Provide information about vulnerabilities Develop advice for ordering Internet services Coordinate and intensify information initiatives towards users /Sitic Continuous - II Foundation < 2 years - Very important Continuous High Educate trainee teachers in Internet security Universities and colleges Important < 2 years High

11 Further develop 's website for Internet security Important < 2 years Medium 6.3 Measures to enhance the assumption of responsibility for user security Work with specified requirements for good function and technical security < 1 year - Follow up the Internet operators' functional capacity Planned < 2 years, thereafter continuous - Provide the Internet operators with a legal possibility of impeding the dissemination of harmful traffic Investigate the requirements for increased responsibility for providers of software and equipment Government Very important < 2 years Low Government Very important < 3 years High 6.4 Measures to promote the improvement of knowledge Inform stakeholders about the financing sources available Relevant authorities Important Continuous Low Work to ensure that funds are allocated within the framework of the EU's research programmes relating to the Internet infrastructure Government Important Continuous Low 6.5 Measures to enhance Swedish participation in international work Increase Swedish coordination and participation in international fora Clarify Swedish distribution of responsibility in conjunction with international contexts concerning security of the Internet infrastructure Further develop operative international networks for incident management Continued active participation in review of EU directives Increase participation in standardisation work Very important Continuous High Government Very important < 1 year Low /Sitic Continuous - Government < 2 years - Important Continuous High 6.6 Measures to improve capacity for crisis management Increase exchange of experience, follow-up and learn from major disruptions /Sitic Continuous - Produce a coordinated continuity Very important < 4 years High

12 plan for the Internet infrastructure in Sweden Investigate alternative forms of communication for operations managers during crises Investigate alternative information channels from Sitic to users concerning the status of the Internet in conjunction with disruptions to the Internet Important < 4 years Medium /Sitic Planned < 2 years -